

Write Once Read Many (WORM) in the Cloud

Focus on five

Can WORM be achieved in the cloud? Find out how a financial services firm can take advantage of cloud solutions to meet its regulatory storage requirements.

Can WORM be achieved in the cloud?

In this context, we define a “cloud solution” to mean the firm’s use of a cloud provider’s physical computing and/or storage infrastructure in lieu of the firm’s own infrastructure, with the management and maintenance of the physical infrastructure performed by the cloud provider. Under this definition, there are two ways in which firms can (and in some cases, already do) use cloud solutions for regulated record storage.

The most prevalent solution is a software-as-a-service (SaaS) cloud solution wherein a firm engages a cloud provider to supply an application service. The firm then configures its existing business technology systems to archive regulated records to the provider’s system rather than its own internal system. The solution includes an application, usually web-based, which the firm can use to gain access to its regulated record archives.

An emerging alternative to SaaS is an infrastructure-as-a-service (IaaS) cloud solution wherein a firm engages a cloud provider to supply infrastructure services onto which its regulated records are written and retained. The firm itself is responsible for providing and maintaining its own records management application, either custom-developed or off-the-shelf, that runs on additional IaaS resources purchased from the provider.

Multiple SaaS and IaaS providers in the marketplace advertise services that purport to comply with Securities Exchange Act (SEA) Rule 17a-4(f) and similar regulations that require WORM; however, the use of such services does not relieve the firm of its obligations pursuant to Financial Industry Regulatory Authority (FINRA) Rule 3110.

Making the move to cloud

Typically, the first steps in implementing any regulated record storage system, whether cloud-based or on-premises, are to identify the applicable regulatory requirements, define the firm’s interpretation of those requirements, and translate those requirements into functional and technical requirements that can be used to drive the implementation of the system. It is crucial to make this a joint effort among key stakeholders from legal, risk, compliance, operations, and technology departments. Many firms also engage outside counsel to provide objective legal advice on the soundness of their regulated records programs.

Once these functional and technical requirements are developed, the firm should consider whether to go down the road of implementing an IaaS or a SaaS cloud solution. This is a strategic choice based on several factors, including the firm’s overall technology strategy, appetite for technology implementation and management, and the degree to which the functional requirements can be met by SaaS vs. IaaS solutions.


Sustaining the program

One key to sustaining an effective cloud-based record storage program is the establishment of a governance model that lays out key program processes such as change management, audits, internal controls, record transmission reconciliation, and mechanisms to adapt to a changing regulatory environment.

This model is typically achieved by the appointment of a qualified “product manager” for the cloud solution and the specific regulated records management services it provides to the firm. This resource should manage the relationship with the provider; have a full understanding of the compliance, business, and technical requirements of the system; own the process of periodic auditing of the system for continued conformance to the requirements; and keep abreast of any changes the cloud provider might make to the solution that could affect the solution’s ability to meet the firm’s needs.


Contact us

Bart Siegel
Managing director
Deloitte Risk and Financial Advisory | Deloitte Transactions and Business Analytics LLP
+1 212 436 4134
Paul Yackinous
Senior manager
Deloitte Risk and Financial Advisory | Deloitte Transactions and Business Analytics LLP
+1 212 313 2931
Josh Uhl
Senior manager
Deloitte Risk and Financial Advisory | Deloitte & Touche LLP
+1 212 436 4326
