SYSC 9 and the Principle of Supervisory Sufficiency
The FCA Handbook, particularly the Senior Management Arrangements, Systems and Controls (SYSC) sourcebook, establishes the principles that govern how financial firms must manage their records. While these principles deliberately avoid prescribing specific technologies, a close reading reveals a clear path that leads to a requirement for data immutability.
The cornerstone of the FCA’s record‑keeping regime is found in SYSC 9.1. This rule mandates that a firm “must arrange for orderly records to be kept of its business and internal organisation… which must be sufficient to enable the FCA to monitor the firm’s compliance with the requirements under the regulatory system”. This language establishes that records are maintained primarily to facilitate regulatory supervision and enforcement.
SYSC 9.1.1AR states that records must be sufficient to enable the FCA to “fulfil its supervisory tasks and to perform the enforcement actions under the regulatory system, including MiFID, MiFIR and the Market Abuse Regulation”. This directly links the quality of a firm’s record‑keeping to the FCA’s ability to investigate and penalise misconduct.
Why Not Just State “WORM” and be Done with It?
The UK’s regulatory framework under the FCA is intentionally principles‑based rather than rules‑based. Instead of prescribing a specific technology, it sets out high‑level desired outcomes. Records must allow for “unchanged reproduction”. This compels firms to think critically about the spirit and objective of the regulation rather than simply finding a way to tick a box. This approach is seen as more robust and less susceptible to "creative compliance", where firms meet the letter of the law but not its intent.
The FCA's regulatory strategy also commits the regulator to a technology-neutral stance. Its focus is firmly on the outcome a firm achieves, not the specific technology it uses to get there. Mandating a single technology like WORM would contradict this core policy, stifle innovation by preventing firms from adopting newer solutions, and risk becoming quickly outdated as technology evolves. WORM is the standard today, but if a more capable technology emerged tomorrow, the FCA would be left rewriting its rules and communicating the change to every regulated entity.
By defining the required characteristics of the storage medium through the "durable medium" principle, rather than naming the technology itself, the FCA creates a more resilient and future-proof regulation. The term "durable medium" acts as a functional definition, compelling firms to guarantee the "unchanged reproduction" of their records. This approach cleverly places the burden of proof squarely on the regulated firm to demonstrate that its chosen system can technically guarantee the integrity and immutability of the record over its entire lifecycle.

So, what kind of WORM?
So, assuming you're capturing all of your business records, what kinds of storage media are available to you, and how do they stack up against the regulators' expectations and requirements?
Option 1: Attestation
This is when your vendor provides a contractual promise not to delete your data, relying on procedure rather than a technical control.
In this option your vendor does not use WORM, but makes a contractual commitment not to delete any of your data for the retention period of your choosing. Effectively, this approach relies on a procedural and contractual commitment rather than a technical control.
This option is hard to defend under FCA rules. An attestation fails to meet the "unchanged reproduction" standard of a durable medium, as it provides no technical guarantee against modification or deletion. It offers no technical protection against accidental deletion by an employee, data destruction by a malicious insider, or a ransomware attack that encrypts or deletes the primary data store.
Option 2: WORM with No Defined Retention Policy
This option uses technology to lock your data in an unchangeable state forever, without a defined end date for disposal.
This option represents a direct and robust solution to the core regulatory mandate for data immutability. By using a technology that places data in a true WORM state, it directly aligns with the FCA's 'durable medium' principle and the explicit requirements of MiFID II. These technologies have often been independently assessed as meeting the stringent requirements of global regulators (including SEC Rule 17a-4), lending them significant credibility.
However, the implementation is critical. Most modern WORM solutions offer different modes. A "Governance Mode" might protect data from most users but allow specially authorised individuals to alter settings, which is insufficient for full regulatory compliance. The definitive standard is a "Compliance Mode," which ensures that once a record is locked, it cannot be overwritten or deleted by any user—including the most privileged system administrators. While this approach meets the core immutability requirement, it is a blunt instrument, as it lacks a data lifecycle strategy and can lead to keeping data (and paying for its storage) indefinitely.
Option 3: WORM with a Defined Retention Policy
This is the most advanced approach, using technology to make data unchangeable for a specific, pre-defined period.
This option is the gold standard: the most strategically sound and mature approach, moving the firm from simple compliance to comprehensive data governance. It not only meets all the core immutability requirements of Option 2 but also demonstrates a sophisticated data governance framework.
By applying specific, automated retention periods to data based on its type (e.g., five years for MiFID communications, seven for CASS records), a firm proves to the regulator that it has considered the entire data lifecycle. This proactive management carries significant strategic advantages:
- It automates the data disposal process, mitigating the operational risk and storage costs associated with keeping data forever.
- It helps manage risks related to data privacy regulations like GDPR by ensuring data is not retained for longer than legally required.
This intelligent, risk-based approach is the hallmark of a well-controlled firm and creates the most holistic and defensible compliance posture.

Comparative Analysis of Record-Keeping Approaches: Regulatory and Risk Implications
Approaches to regulatory record-keeping vary significantly in their technical sophistication and control posture, often reflecting differing levels of maturity in compliance strategy.
While some firms continue to rely on process-driven attestations to meet retention requirements, others have adopted more robust, technology-led solutions such as WORM storage and policy-enforced retention. Each option carries distinct implications not only for compliance with mandates such as MiFID II and SYSC but also for broader data governance, operational risk, and regulatory scrutiny.
The following table provides a comparative summary of these approaches across key regulatory and risk dimensions.

Common WORM Terminology
As you discuss these requirements with your IT teams or technology vendors, it's helpful to be familiar with the terminology used by the major cloud providers. While the names differ slightly, the core WORM functionality is a standard feature across all platforms.
- On Amazon Web Services (AWS), the feature is called S3 Object Lock, which is applied to data held in their Simple Storage Service (S3).
- On Microsoft Azure, the equivalent is Immutable storage for Azure Blob Storage, where you apply time-based retention policies.
- On Google Cloud Platform (GCP), the service is known as Bucket Lock, which is used to apply a retention policy to their Google Cloud Storage.
Conclusion
Ultimately, the conversation about record-keeping must be reframed. A robust, immutable, and well-governed data archive should not be viewed as a mere cost centre or a reluctant concession to regulatory pressure.
It is a strategic asset of immense value. It is the bedrock of trust with clients and regulators. It is the ultimate evidentiary defence in the event of a dispute or investigation. It is the final line of defence against catastrophic data loss from cyberattacks or internal errors. By ensuring that a firm's most critical data (the record of its business) is preserved with absolute integrity, a comprehensive record-keeping solution enables that firm to navigate a complex and demanding landscape with confidence and resilience. This is the fundamental value that a modern RegTech platform must deliver.

Cut Through WORM Storage Confusion with SteelEye
SteelEye’s fully compliant archive empowers you to meet global record‑keeping requirements with ease. With a choice of storage mediums, you can select the record-keeping model that best aligns with your risk profile and budget.
Gain complete visibility and control over your records, streamline audits, and rest assured you’re always inspection‑ready.
Book your demo today.