2 pathways. One architecture. The regulator's question takes one query, not 3 weeks.
For 2 decades the only acceptable answer to FINRA 17a-4 and SEC 17a-4 was WORM storage — write-once, read-many physical or virtual media. The 2022 audit-trail amendment changed that. Cryptographic equivalence is now an explicit alternative pathway, and the regulator's tooling will verify it directly.
That matters because most broker-dealers were architecting around WORM constraints — separate archive systems, separate retention engines, separate audit trails — that don't compose with modern AI, modern eDiscovery, or modern records-of-record discipline. The cryptographic-equivalence pathway is the architectural exit from that legacy.
TeamSync runs both pathways. Same platform, same audit chain, same regulator-acceptable evidence pack — your choice on which is the right model for your specific examination history and your firm's risk posture.
Talk to the FSI compliance team · Read the FSI vertical hub · Read the tamper-evident audit pillar
What 17a-4 actually requires.
The rule covers broker-dealer books and records. The requirements that drive most architectural decisions:
| Requirement | What it actually says |
|---|---|
| Retention period | 6 years for most records; lifetime-of-firm-plus-three-years for some categories |
| Immutability | Records cannot be altered or deleted during the retention period |
| Accessibility | Must be promptly producible to the regulator (FINRA / SEC examination, subpoena) |
| Indexing | Records must be indexed for efficient retrieval |
| Off-site storage | Duplicate copy at a separate location |
| Audit trail | Complete log of all access and any (legitimate) modifications |
| Designated third party (D3P) | A third party with the ability to provide the records to the regulator if the firm fails to |
The 2022 amendment introduces the cryptographic-equivalence alternative for the immutability requirement.
Pathway 1 — WORM storage.
The classical pathway. Records written to immutable media; the immutability is a property of the storage layer.
| Element | TeamSync's WORM-pathway implementation |
|---|---|
| Storage layer | Immutable object storage with write-once enforcement; supports physical WORM, S3 Object Lock in Compliance mode, and equivalent |
| Retention enforcement | Per-document-type retention rules, applied at the storage layer |
| Audit trail | Native, on the platform; same chain as the cryptographic-pathway records |
| D3P | Configurable; we work with the major D3P providers your firm uses |
| Examination evidence | Generated artifact; regulator-acceptable format |
For firms with established WORM infrastructure that's working, this pathway is incremental.
Pathway 2 — Cryptographic equivalence (the 2022 amendment).
The new pathway. Records stored in modern, mutable media; the immutability is a property of the cryptographic audit chain.
| Element | TeamSync's cryptographic-pathway implementation |
|---|---|
| Storage layer | Modern object storage with replication and durability; mutable at the storage layer |
| Immutability mechanism | Merkle hash chain anchored to external timestamp authority; modification is mathematically detectable |
| Retention enforcement | Same platform-level rules; not dependent on storage immutability |
| Audit trail | Native; the cryptographic chain is the trail |
| D3P | Cryptographic chain anchors are themselves third-party verifiable; D3P arrangements supported additionally |
| Examination evidence | Generated artifact with cryptographic proof of immutability |
For firms exiting WORM infrastructure or designing greenfield deployments, this is the modern pathway.
What composes onto the platform.
Most 17a-4 implementations are recordkeeping-only. The architectural advantage of TeamSync is that the recordkeeping platform composes with the rest of the platform — AI copilot, eDiscovery, surveillance evidence — without leaving the regulator-acceptance perimeter.
| Capability | What it does inside the 17a-4 perimeter |
|---|---|
| Intelligent Repository | The records platform; covers both pathways |
| DocuTalk | AI grounded in the recordkeeping corpus; permissions-aware; audit-anchored |
| Semantic Search | Federated search across the recordkeeping estate |
| eDiscovery | Hold and collection at the recordkeeping source |
| Agentic AI Workflow | Surveillance agents whose actions are anchored |
| Audit ledger | The chain every event writes to |
The composition is what makes the 17a-4 program future-proof against the next examination cycle's expectations.
What the FINRA / SEC examination actually looks like.
The examination pattern that's emerging post-2022:
| Examination request | What you produce |
|---|---|
| "Show us the complete recordkeeping for accounts X, Y, Z over period A–B" | Generated package with cryptographic chain of custody |
| "Show us the audit trail for any access to those records" | Same chain; access events are queryable |
| "Show us how you'd respond to a tamper claim" | Cryptographic proof from the chain anchor |
| "Show us the records of any AI interactions involving those accounts" | AI audit-chain segment for the same accounts |
| "Show us the surveillance evidence for any flagged communications" | Surveillance audit pack with explainability |
Each of these used to be a multi-day reconstruction. Each is now a query.
What changes for the compliance and surveillance teams.
| Activity | Before | With TeamSync |
|---|---|---|
| Recordkeeping evidence assembly | Multi-week project | Generated artifact |
| Surveillance audit defensibility | Procedural narrative | Cryptographic chain |
| AI-on-recordkeeping CISO sign-off | Multi-quarter process | Architectural answer |
| Cross-system reconciliation for examination | Reconciliation spreadsheet | One query |
| 2022 amendment migration path | Engineering project | Configuration choice |
How customers compare TeamSync for 17a-4.
The 17a-4 evaluation usually compares against:
- OpenText InfoArchive — strong on archival immutability; the modern AI copilot and the per-cluster pricing model are weaker
- Smarsh / Global Relay — strong on communications archiving; the broader books-and-records story is narrower
- Microsoft Purview / Compliance Manager — strong inside M365; the cross-source 17a-4 perimeter is weaker
- In-house WORM + GRC stitching — most flexible; the cryptographic-pathway story is on you to build
For specific comparisons: - TeamSync vs OpenText - TeamSync vs SharePoint + M365
Read further.
- FSI vertical hub — the broader FSI story
- Why TeamSync — tamper-evident audit — the cryptographic foundation
- Chief Compliance Officer page — the executive conversation
- Trade Surveillance Lead page — the surveillance-specific application