Page 277 - Using MIS

Case Study 6

            FinQloud Forever . . . Well, at Least for the Required Interval . . .

In 1937, the Securities and Exchange Commission (SEC) set out rules that stipulated records retention requirements for securities brokers and dealers. The SEC’s concern was (and is) that records of financial transactions not be altered after the fact, that they be retained for a stipulated period of time, and that indexes be created so that the records can be readily searched.

In 1937, the rules assumed that such records were recorded on paper media. With the rise of information systems storage, in 1997 the SEC updated the rules by stating that such records can be kept electronically, provided that the storage devices are write once, read many times (WORM) devices. This rule was readily accepted by the financial services industry because the first CDs and DVDs were WORM devices.

However, as technology developed, broker-dealers and other financial institutions wanted to store records using regular disk storage and petitioned the SEC for guidance on how they might do that. In May 2003, the SEC interpreted the rule to enable the storage of such records on read-write media, provided that the storage mechanism included software that would prohibit data alteration:

    A broker-dealer would not violate the requirement in paragraph (f)(2)(ii)(A) of the rule if it used an electronic storage system that prevents the overwriting, erasing or otherwise altering of a record during its required retention period through the use of integrated hardware and software control codes. Rule 17a-4 requires broker-dealers to retain records for specified lengths of time. Therefore, it follows that the non-erasable and non-rewriteable aspect of their storage need not continue beyond that period.

    The Commission’s interpretation does not include storage systems that only mitigate the risk a record will be overwritten or erased. Such systems—which may use software applications to protect electronic records, such as authentication and approval policies, passwords or other extrinsic security controls—do not maintain the records in a manner that is non-rewriteable and non-erasable. The external measures used by these other systems do not prevent a record from being changed or deleted. For example, they might limit access to records through the use of passwords. Additionally, they might create a “finger print” of the record based on its content. If the record is changed, the fingerprint will indicate that it was altered (but the original record would not be preserved). The ability to overwrite or erase records stored on these systems makes them non-compliant with Rule 17a-4(f).[14]

Notice the SEC specifically excludes extrinsic controls such as authentication, passwords, and manual procedures because it believes it would be possible for such systems to be readily misused to overwrite records. The SEC is striking a fine line in this ruling; if, for example, someone were to tamper with the storage systems’ software, it would be possible to overwrite data. Apparently, the SEC assumes such tampering would be illegal and so rare as to not be a concern.

Given this ruling, organizations began to develop systems in compliance. The NASDAQ OMX Group, a multinational corporation that owns and operates the NASDAQ stock market as well as eight European exchanges, began to develop FinQloud, a cloud-based storage system that was developed to be compliant with the SEC’s (and other regulating organizations’) rulings. NASDAQ OMX operates in 70 different markets, in 50 countries worldwide, and claims that it processes one out of 10 stock transactions worldwide.[15]

Figure 6-25 shows the fundamental structure of the FinQloud system. On the back end, it uses Amazon’s



[Figure 6-25: Components of the FinQloud System. Diagram labels: Brokers & Dealers and Financial Institutions’ Computing Infrastructure; FinQloud Servers (Processing & Encryption); Amazon AWS (Encryption, S3).]

[14] U.S. Securities and Exchange Commission, “SEC Interpretation: Electronic Storage of Broker-Dealer Records,” last modified May 5, 2003, www.sec.gov/rules/interp/34-47806.htm.
[15] NASDAQ OMX, “NASDAQ OMX FinQloud,” accessed May 2013, www.nasdaqomx.com/technology/yourbusiness/finqloud/.
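
The contrast the SEC interpretation draws, a fingerprint that only detects alteration versus storage that refuses overwrite and erase during the retention period, is shown below as an added Python example; it is not code from the textbook, the SEC, or FinQloud. It is an in-memory model, and the class names, the trade record, and the 3600-second retention value are constructed for illustration.

```python
import hashlib
import time

class RetentionError(Exception):
    """Raised when a write or delete would alter a record still under retention."""

class FingerprintStore:
    """Extrinsic control: a content hash reveals alteration but does not stop it."""
    def __init__(self):
        self._data, self._fingerprints = {}, {}
    def put(self, key, record):
        self._data[key] = record  # overwrite succeeds; the old bytes are gone
        self._fingerprints.setdefault(key, hashlib.sha256(record).hexdigest())
    def get(self, key):
        return self._data[key]
    def is_altered(self, key):
        return hashlib.sha256(self._data[key]).hexdigest() != self._fingerprints[key]

class WormStore:
    """Integrated control: the store itself refuses overwrite/erase until expiry."""
    def __init__(self, clock=time.time):
        self._clock, self._records = clock, {}  # key -> (record, retain_until)
    def _locked(self, key):
        return key in self._records and self._clock() < self._records[key][1]
    def put(self, key, record, retention_seconds):
        if self._locked(key):
            raise RetentionError(f"{key}: non-rewriteable during retention")
        self._records[key] = (bytes(record), self._clock() + retention_seconds)
    def get(self, key):
        return self._records[key][0]
    def delete(self, key):
        if self._locked(key):
            raise RetentionError(f"{key}: non-erasable during retention")
        self._records.pop(key, None)

def demo(clock=lambda: 0.0):
    """Constructed trade record run through both stores; returns the observations."""
    original, forged = b"BUY 100 XYZ @ 10.00", b"BUY 100 XYZ @ 9.00"
    fp, worm = FingerprintStore(), WormStore(clock)
    fp.put("trade-1", original)
    fp.put("trade-1", forged)  # nothing blocks this overwrite
    worm.put("trade-1", original, retention_seconds=3600)  # constructed period
    blocked = 0
    for attempt in (lambda: worm.put("trade-1", forged, 3600), lambda: worm.delete("trade-1")):
        try:
            attempt()
        except RetentionError:
            blocked += 1
    return fp.is_altered("trade-1"), fp.get("trade-1") == original, worm.get("trade-1") == original, blocked
```

`demo()` returns a tuple: whether the fingerprint store flags the alteration, whether it still holds the original, whether the WORM store still holds the original, and how many alteration attempts the WORM store refused.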