
SEC (US)

The Securities and Exchange Commission (SEC) is an independent agency responsible for overseeing the securities industry in the United States. The SEC’s mission is to protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation.

Google Cloud’s products and policies can help to address SEC requirements. We have documentation for both Google Cloud and Google Workspace to help you understand how we can support you in meeting the SEC’s requirements.

SEC Compliance Offerings

Learn more about key regulations and guidelines prescribed by the SEC.

SEC Rule 17a-4(f)(2)(i) contains technical requirements for electronic recordkeeping for broker-dealers. SEC Rule 18a-6(e)(2)(i) contains similar requirements for security-based swap dealers (SBSD) and major security-based swap participants (MSBSP) that aren’t registered as a broker-dealer (SBS Entities).

Changes to the WORM Requirement and the Audit-Trail Alternative

As of January 2023, the SEC modified the previous “write once, read many” (WORM) format requirement and added a new audit-trail option as an alternative for maintaining and preserving electronic records. Regulated entities now have two options:

WORM requirement: Maintain and preserve electronic records in a non-rewriteable, non-erasable format; or

Audit-Trail requirement: Use an electronic recordkeeping system that maintains and preserves electronic records in a manner that permits the recreation of an original record if it is modified or deleted.

For more information about this change see the SEC Final Rule - Electronic Recordkeeping Requirements for Broker-Dealers, Security-Based Swap Dealers, and Major Security-Based Swap Participants.

Google Cloud’s support of the WORM requirement

Google Cloud helps our customers in their assessment of Google Cloud Storage and the WORM requirement by engaging with Cohasset Associates, Inc. to perform an independent assessment.

Cohasset determined that Google Cloud Storage meets the WORM requirement when properly configured and used with the Retention Policy feature in locked mode. Please note that Cohasset’s assessment does not address the Audit-Trail alternative.

No Longer Required: Representations / Attestations about Electronic Storage Medium

As of January 2023, the SEC removed the representation requirement (“Letter of Attestation”) that previously stated the broker-dealer, the electronic storage medium provider, or another third party had to provide an attestation that the electronic storage medium met the WORM requirement. Google Cloud no longer provides this letter because it is no longer required.

For more information about this change, see the SEC Final Rule - Electronic Recordkeeping Requirements for Broker-Dealers, Security-Based Swap Dealers, and Major Security-Based Swap Participants.

Note, Rule 18a-6 does not contain a representation requirement for SBS Entities. Also, the now eliminated representation requirement is different from the requirement for a Third Party Undertaking under SEC Rule 17a-4(i)(1)(ii)(A) and SEC Rule 18a-6(f)(1)(ii)(A).

SEC Rule 17a-4(i)(1)(ii)(A) contains a requirement for a third party who prepares or maintains the regulatory records of a broker-dealer (regardless of whether the records are in paper or electronic form) to file a written undertaking with the SEC.

As of January 2023, the SEC introduced an alternative version of the third party undertaking specifically for cloud service providers like Google Cloud, referred to as the “Alternative Undertaking”. Previously, there was only one version of the third party undertaking, referred to as the “Traditional Undertaking”.

Traditional Undertaking: Requires the third party to agree, among other things, to permit examination of the records by the relevant authority as well as to promptly furnish to the relevant authority true, correct, complete, and current hard copies of such records.

Alternative Undertaking: Tailored to how cloud service providers hold electronic records for regulated entities and can be used instead of the Traditional Undertaking.

SEC Rule 18a-6(f)(1)(ii)(A) contains a similar requirement for SBS Entities.

Google Cloud’s support of the Alternative Undertaking requirement

To address the requirement for the Alternative Undertaking, Google offers customers an SEC 17a-4(i) Addendum or SEC 18a-6(f) Addendum for Google Cloud and Google Workspace. Our sales team or your Google Cloud representative can help provide access to this documentation. Customers will need to provide their registrant name and registrant number. Once a customer has signed the Addendum, Google will be able to sign the Alternative Undertaking and share it with the customer to be submitted to the relevant authority.

For more information about how to submit the Alternative Undertaking to your relevant authority see:

The SEC Staff Guidance for Filing Broker-Dealer Notices, Statements, Undertakings and Reports

The SEC Staff Statement on Submitting Notices, Statements, Applications, and Reports for SBS Entities

For more information about the Alternative Undertaking see page 56 of the SEC Final Rule - Electronic Recordkeeping Requirements for Broker-Dealers, Security-Based Swap Dealers, and Major Security-Based Swap Participants. See pages 137 and 145 for the exact wording of the Alternative Undertaking for broker-dealers and SBS Entities, respectively.

The differences between Traditional Undertaking, Alternative Undertaking, and Designated Third Party Undertaking

The Traditional Undertaking and the Alternative Undertaking are different from the Designated Third Party Undertaking under SEC Rule 17a-4(f)(3)(v)(A) and Rule 18a-6(e)(3)(v)(A). A Designated Third Party or “D3P” is a third party that a regulated entity retains specifically to access electronic records for the relevant authority’s review. This is not a service that Google Cloud provides. If needed, regulated entities may procure a D3P service and the D3P Undertaking from an independent provider.

Regulation SCI was adopted by the SEC to address the risks posed by technological changes transforming the US securities markets. In an effort to strengthen the markets’ technology infrastructure, Regulation SCI requires certain self-regulatory organizations, alternative trading systems, plan processors and exempt clearing agencies to:

1. Ensure their systems have sufficient capacity, integrity, resiliency, availability, and security to maintain operational capability

2. Conduct testing of their business continuity and disaster recovery plans

3. Take corrective action with respect to systems disruptions, systems compliance issues and systems intrusions and notify the Commission and affected parties when they occur; and

4. Conduct regular system reviews

As an outsourced service provider, Google Cloud’s mapping to the guidelines and whitepaper help customers understand how we can support them in meeting their Regulation SCI requirements.

The Sarbanes-Oxley Act (SOX) is a US law that aims to improve the accuracy and reliability of corporate disclosures. As part of SOX requirements, section 404 of the Sarbanes-Oxley Act establishes requirements for all US public companies to publicly report on management’s responsibility for establishing and maintaining an adequate internal control structure, including controls over financial reporting, and the results of management’s assessment of the effectiveness of internal control over financial reporting.

SOX obligations include establishing and monitoring internal controls, including those maintained by a third party, such as a cloud service provider. Any organization that processes accounting or financial information on Google Cloud or Google Workspace must make its own judgment regarding whether specific Google Cloud or Google Workspace services are in scope for meeting its SOX obligations.

If you would like further information about Google Cloud or Google Workspace, the Service Organization Control (SOC) 1 Type 2 report provides Google’s descriptions of Google Cloud and Google Workspace systems and controls, and an independent auditor’s opinion on the accuracy of the organization’s description and the appropriateness and effectiveness of the controls described in meeting the stated objectives. SOC 1 Type 2 reports for Google Cloud and Google Workspace can be requested via the Compliance Reports Manager.