FINRA Rule 17a-4 / 4511 — Books & Records Retention (WORM)
FINRA Rule 17a-4 and Rule 4511 require broker-dealers to preserve originals of communications, use non-rewriteable storage, maintain indexes, and sustain a complete audit trail. Ledgix evidences these via signed retention attestations of the underlying S3 Object Lock configuration plus the append-only ledger and inclusion-proof index.
Status: Full — every control resolves to an artifact Ledgix produces today, now that the Phase 6 retention-attestation module has shipped.
Scope
Rule 17a-4 applies to brokers and dealers subject to SEC jurisdiction and FINRA membership. It requires preservation of originals of communications for three years (the first two in an easily accessible place), non-rewriteable/non-erasable electronic storage, duplicate records, an accurate index, and a third-party downloading service. Rule 4511 sets the general retention period and cross-references 17a-4 formats.
Controls covered
| Control | Evidence types | Requirement | Description |
|---|---|---|---|
| FINRA-17a-4(b)(4)-ORIG-COMMS | events_jsonl / checkpoint_chain / retention_attestations | Originals of All Communications Received and Sent | Per-communication receipts, Merkle chain, and signed WORM attestations. |
| FINRA-17a-4(f)-WORM | retention_attestations / proof_index / checkpoint_chain / signatures / key_history | Electronic Storage Media Requirements | Signed Object Lock attestations, inclusion-proof index, checkpoint chain, manifest signatures, and key custody. |
| FINRA-4511-GEN-RETENTION | retention_policies / retention_attestations | General Records Retention Period | Approved retention policies per data category plus periodic attestations. |
| FINRA-17a-4(j)-AUDIT-TRAIL | events_jsonl / policy_snapshots / proof_index | Audit System Supplier Information / Complete Audit Trail | Full audit trail with cryptographic attribution plus policy versions and inclusion proofs. |
Evidence types referenced
- events_jsonl — per-communication receipts with signed temporal binding.
- checkpoint_chain — Merkle chain demonstrating ordered preservation.
- retention_attestations — signed S3 Object Lock configuration attestations.
- retention_policies — approved retention policies covering the export window.
- proof_index — inclusion-proof index satisfying the accurate-index requirement.
- signatures — manifest signature for the exported record set.
- key_history — key custody history required for long-term verification.
- policy_snapshots — policy versions referenced by audit records.
Known gaps (if any)
None — every control resolves to an artifact Ledgix produces today. The third-party downloading service requirement is satisfied by the evidence-export download interface producing standalone signed packages.
Audit pack workflow
Export an evidence ZIP for this framework from the admin console's Evidence Exports panel by selecting FINRA Rule 17a-4 / 4511 — Books & Records Retention (WORM) and a time window. Each control's evidence_locators[] in the included framework_mapping.json points to the corresponding file in the ZIP.
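An auditor-side check of the pack described above, as an added example that is not Ledgix code: it confirms that each control's evidence_locators entries resolve to a non-empty file inside the ZIP and do not point outside it. The layout of framework_mapping.json (a top-level `controls` list with `control_id` and `evidence_locators` as ZIP-relative paths) and all sample file names are assumptions.

```python
import io
import json
import posixpath
import zipfile

MAPPING_NAME = "framework_mapping.json"  # file name given on the page

def check_evidence_locators(zip_bytes):
    """Return {control_id: [problem, ...]} for locators that do not resolve.

    ASSUMED schema: top-level "controls" list; each entry has "control_id"
    and "evidence_locators" (paths relative to the ZIP root).
    """
    problems = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as pack:
        members = {n for n in pack.namelist() if not n.endswith("/")}
        mapping = json.loads(pack.read(MAPPING_NAME))
        for control in mapping["controls"]:
            locators = control.get("evidence_locators", [])
            issues = [] if locators else ["no evidence locators"]
            for loc in locators:
                norm = posixpath.normpath(loc)
                if loc.startswith("/") or norm == ".." or norm.startswith("../"):
                    issues.append(f"unsafe path: {loc}")  # escapes the pack
                elif norm not in members:
                    issues.append(f"missing file: {loc}")
                elif pack.getinfo(norm).file_size == 0:
                    issues.append(f"empty file: {loc}")
            if issues:
                problems[control["control_id"]] = issues
    return problems

def build_sample_pack():
    """Constructed sample pack; file names and contents are invented."""
    mapping = {"controls": [
        {"control_id": "FINRA-17a-4(f)-WORM", "evidence_locators": [
            "retention_attestations/a.json", "proof_index/index.json"]},
        {"control_id": "FINRA-4511-GEN-RETENTION", "evidence_locators": [
            "retention_policies/p.json", "../outside.json"]},
        {"control_id": "FINRA-17a-4(j)-AUDIT-TRAIL", "evidence_locators": []},
    ]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pack:
        pack.writestr(MAPPING_NAME, json.dumps(mapping))
        pack.writestr("retention_attestations/a.json", "{}")
        pack.writestr("proof_index/index.json", "")  # present but empty
    return buf.getvalue()

if __name__ == "__main__":
    for cid, issues in check_evidence_locators(build_sample_pack()).items():
        print(cid, issues)
```

An empty result means every control in the mapping has at least one locator and all locators resolve inside the pack; it does not verify signatures or inclusion proofs.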
References
- Framework mapping JSON: vault/internal/compliance/frameworks/finra_17a4.json
- Canonical source: FINRA Rule 4511 — finra.org and SEC Rule 17a-4 — sec.gov