Whitepaper · v1.0 · April 2026

FINRA Rule 17a-4 alignment, in plain English.

How WealthNavigator captures, hashes, and retains every advisor-client communication so your broker-dealer can satisfy electronic record-keeping requirements without a separate vendor. Written for compliance officers, not marketers.

This document describes how the WealthNavigator platform supports practices aligned with SEC Rule 17a-4 and FINRA's adoption of it. No software product is “FINRA approved.” Final designation of storage media and adoption of the Rule 17a-4(f)(2)(ii) procedures is the responsibility of the broker-dealer.


Section 1

What Rule 17a-4(f) actually requires.

The text of the rule is short. Most of the work is in the operational procedures that satisfy each clause. Below: the six subsections that matter for an electronic communication archive, paraphrased into the language a procurement reviewer can act on, with citations so you can check the original.

  1. 17a-4(f)(2)(ii)(A)

    Non-rewriteable, non-erasable storage

    Records must be preserved exclusively in a non-rewriteable, non-erasable format — historically called WORM (Write-Once, Read-Many). Modern interpretations accept audit-trail systems that prevent alteration and deletion of original records.

  2. 17a-4(f)(2)(ii)(B)

    Verify accuracy

    The system must verify automatically that the recording process is functioning. WealthNavigator surfaces a daily integrity check that re-hashes the chain head and reports drift.

  3. 17a-4(f)(2)(ii)(C)

    Time-date stamps

    Each record must carry the date and time it was originally created and stored, plus the required retention period. Stamps are written into the same hash-protected envelope as the record itself.

  4. 17a-4(f)(2)(ii)(D)

    Serialize and index

    The original and any duplicate records must be serialized and time-date-stamped, with an index that allows them to be located. WealthNavigator maintains a per-message UUID, monotonically increasing sequence number, and a full-text index keyed to both.

  5. 17a-4(b)(4)

    Retention period

    Communications received and sent by the firm relating to its business as a broker-dealer must be preserved for at least three years, the first two in an easily accessible place. WealthNavigator retains for seven years by default to align with most state and SEC overlays; configurable per firm.

  6. 17a-4(f)(3)(vii)

    Third-party download facility

    A designated third party must have access and the ability to download records from the firm in a readable form. WealthNavigator provides a per-firm read-only auditor account scoped to indexed exports.

A “FINRA approved” archive does not exist. What exists is a procedure, audited annually, that demonstrates the system is operating in a way the rule contemplates. WealthNavigator is built to make that procedure short.
WealthNavigator compliance brief

Section 2

Tamper-evidence, in mechanical detail.

The platform doesn't ask you to trust us — it asks you to verify a hash. Here is what that means in practice.

Each archived record is wrapped in a small JSON envelope before being written to storage. The envelope contains the record body, a UTC timestamp from a trusted time source, the monotonically increasing sequence number for the tenant, and — critically — the SHA-256 hash of the previous record's envelope.

This produces a hash chain. To alter any record after the fact you would have to alter every record after it as well, and the tampering would still be visible because the published Merkle root from the day of capture would no longer match.

A daily Merkle root is computed across all records written that day and published to a public transparency log at transparency.wealthnavigator.com. Auditors verify the chain by recomputing it from the export and comparing to the published root. The verification is a single command, documented in the export bundle.

  RECORD 01 · LinkedIn DM · seq_000142 · prev_hash 0000… · sha256 a3f8b2…
  RECORD 02 · Email · sent · seq_000143 · prev_hash a3f8b2… · sha256 7c91d4…
  RECORD 03 · LinkedIn reply · seq_000144 · prev_hash 7c91d4… · sha256 e2105a…
  MERKLE ROOT 9b4c…

  Each record commits to all prior records · root is republished daily

A single byte changed in record 01 would change sha256(01), invalidating the prev_hash reference inside record 02, and every record after it — up to and including the daily Merkle root. That root is what we publish in our transparency log.

If WealthNavigator quietly altered or deleted a single message, anyone with last week's export could prove it — without our cooperation.
Engineering principle
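
The chain and root check described in this section, as an added example that is not WealthNavigator's code and not the verification command shipped in the export bundle. The canonical JSON form, the Merkle tree layout, and the envelope fields `body` and `stored_at` are assumptions; `seq` and `prev_hash` follow the sample manifest, and the messages are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first record, as in the sample manifest

def envelope_hash(env):
    """SHA-256 over a canonical JSON form (assumed: sorted keys, no whitespace)."""
    data = json.dumps(env, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(data).hexdigest()

def merkle_root(leaf_hashes):
    """Pairwise SHA-256 tree; an odd node is paired with itself (assumed layout)."""
    level = [bytes.fromhex(h) for h in leaf_hashes]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0].hex()

def verify_chain(envelopes, published_root, anchor=GENESIS):
    """Return a list of findings; an empty list means the export verifies."""
    findings, hashes, prev, prev_seq = [], [], anchor, None
    for env in envelopes:
        if env["prev_hash"] != prev:
            findings.append(f"seq {env['seq']}: prev_hash does not match prior envelope")
        if prev_seq is not None and env["seq"] != prev_seq + 1:
            findings.append(f"seq {env['seq']}: gap or reorder after {prev_seq}")
        prev, prev_seq = envelope_hash(env), env["seq"]
        hashes.append(prev)
    if not hashes or merkle_root(hashes) != published_root:
        findings.append("merkle root differs from published root")
    return findings

def build_chain(bodies, first_seq=142):
    """Constructed sample data: chain messages the way the text describes."""
    chain, prev = [], GENESIS
    for i, body in enumerate(bodies):
        env = {"seq": first_seq + i, "stored_at": f"2026-01-04T15:18:3{i}Z",
               "body": body, "prev_hash": prev}
        chain.append(env)
        prev = envelope_hash(env)
    return chain

if __name__ == "__main__":
    chain = build_chain(["Hi Dana", "Following up", "Thanks"])
    root = merkle_root([envelope_hash(e) for e in chain])
    chain[0]["body"] = "Hi Dana!"  # one changed byte in the first record
    print(verify_chain(chain, root))
```

A chain that has been rewritten consistently from the altered record onward passes every link check and fails only on the root, so the root used for comparison has to come from the transparency log rather than from the export being checked.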

Section 3

What's archived — and what isn't.

Default retention is seven years from the date of capture, the practical ceiling for SEC and most state overlays on top of FINRA's three-year minimum under Rule 17a-4(b)(4). Firms with longer in-house policies can extend per-tenant; we don't shorten below seven without a written direction from the firm.

LinkedIn direct messages

Retention: 7 years
Source
Captured via Unipile session API for the advisor account.
Notes
Both inbound and outbound. Includes connection requests, InMail, and reply threads. Each message stored as JSON with original metadata, plus a rendered PDF of the conversation as it appeared at archive time.

Sent email

Retention: 7 years
Source
Captured at SMTP relay (advisor sends through WealthNavigator-issued SMTP credentials).
Notes
Full RFC 5322 envelope, headers, body parts, attachments. Stored as the original .eml plus a parsed JSON sidecar.

Received email replies

Retention: 7 years
Source
Captured via reply-detection on a dedicated reply-handling subdomain.
Notes
Only replies to messages the advisor sent through the platform. Cold inbound from the open internet is out of scope by design.

Scheduling confirmations

Retention: 7 years
Source
Generated by the WealthNavigator booking engine.
Notes
Includes the booking confirmation email, the calendar .ics, and any reschedule or cancellation events on the same booking ID.

Attachments

Retention: 7 years
Source
Inline with the parent message.
Notes
Stored once, referenced by content-hash, and bundled into exports alongside the message that referred to them.

Section 4

Designation of WORM-equivalent media.

Rule 17a-4(f)(2)(ii)(A) requires records to be preserved in a non-rewriteable, non-erasable format. The historical reading was a physical WORM device. The modern reading, accepted in a 2003 SEC interpretive release and reaffirmed in 2022 amendments, allows electronic storage systems that achieve the same outcome through configuration.

WealthNavigator stores archived records in an Amazon S3 bucket configured with Object Lock in compliance mode, scoped to the configured retention period. Object Lock in compliance mode prevents the object from being modified, overwritten, or deleted by any principal — including the AWS account root user and WealthNavigator operators — until the retention timer expires. There is no “break-glass” bypass.

The bucket also has versioning enabled, MFA delete required for the bucket-level configuration, and a written designation of the storage medium on file with our SOC 2 auditor. A copy of that designation is available on request to firms under NDA.

The promise we make to your CCO is not “we won't delete your records.” The promise is that we cannot, and the configuration that prevents it is auditable from your auditor's seat.
WealthNavigator engineering
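
One way a firm could check the Object Lock settings described above, as an added example that is not WealthNavigator's code. It assumes the firm is given the S3 GetObjectLockConfiguration, GetBucketVersioning and HeadObject responses for its bucket (shaped as boto3 returns them); the sample responses and the id `rec_example` are constructed.

```python
from datetime import datetime, timezone

MIN_YEARS = 7  # default retention period stated in this whitepaper

def parse_utc(ts):
    """Parse the 'Z'-suffixed timestamps used in the export manifest."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_bucket(lock_cfg, versioning):
    """Findings for GetObjectLockConfiguration / GetBucketVersioning responses."""
    findings = []
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    rule = cfg.get("Rule", {}).get("DefaultRetention", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled")
    if rule.get("Mode") != "COMPLIANCE":
        # GOVERNANCE retention can be lifted by any principal holding
        # s3:BypassGovernanceRetention, which is a break-glass path.
        findings.append(f"default mode is {rule.get('Mode')}, not COMPLIANCE")
    years = rule.get("Years", rule.get("Days", 0) / 365)
    if years < MIN_YEARS:
        findings.append(f"default retention {years:g}y is below {MIN_YEARS}y")
    if versioning.get("Status") != "Enabled":
        findings.append("bucket versioning is not enabled")
    return findings

def audit_object(record, head):
    """Compare a manifest record with the HeadObject response for its blob."""
    findings = []
    if head.get("ObjectLockMode") != "COMPLIANCE":
        findings.append(f"{record['id']}: object is not locked in COMPLIANCE mode")
    retain = head.get("ObjectLockRetainUntilDate")
    if retain is None or retain < parse_utc(record["retention_until"]):
        findings.append(f"{record['id']}: lock expires before retention_until")
    return findings

# Constructed sample responses (not taken from a real bucket).
WEAK_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Years": 3}}}}
RECORD = {"id": "rec_example", "retention_until": "2033-01-04T15:18:33Z"}
SHORT_HEAD = {"ObjectLockMode": "COMPLIANCE",
              "ObjectLockRetainUntilDate": datetime(2029, 1, 4, tzinfo=timezone.utc)}

if __name__ == "__main__":
    print(audit_bucket(WEAK_LOCK, {"Status": "Enabled"}))
    print(audit_object(RECORD, SHORT_HEAD))
```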

Per-tenant configuration on file

  • Object Lock retention period (default 7 years)
  • Legal hold flag (per contact, per thread)
  • Designated third-party auditor account (read + download only)
  • Notification of representations to auditor

Section 5

Broker-dealer export.

Most broker-dealer supervision platforms expect .eml for email and a structured JSON manifest for everything else. WealthNavigator emits both, plus a per-conversation rendered PDF for non-email channels so the message looks the same in your supervision review queue as it did to the recipient.

Email

EML (RFC 5322)

Original wire format. Headers, body parts, attachments preserved byte-for-byte. Compatible with Smarsh, Global Relay, Proofpoint, and any tool that reads .eml archives.

LinkedIn DMs & scheduling

JSON + PDF bundle

One JSON file per conversation thread with full message metadata, plus a PDF rendering of the thread as it was last seen. Bundled into a zip per export window.

Whole-firm audit

Manifest + chain proof

Single JSON manifest indexes every record in the export window, with the Merkle chain proof at the bottom for end-to-end tamper-evidence verification.

Sample export manifest

Abbreviated for the page. Full JSON Schema is published at schemas.wealthnavigator.com/archive-export/v1. The chain_proof block is what an auditor verifies against the daily transparency log.

{
  "schema_version": "1.0",
  "tenant_id": "wn_acme_advisors",
  "exported_at": "2026-04-26T14:22:00Z",
  "exported_by": "auditor:cco@acme.com",
  "range": {
    "from": "2026-01-01T00:00:00Z",
    "to":   "2026-03-31T23:59:59Z"
  },
  "records": [
    {
      "id":            "rec_01HX9...",
      "seq":           142,
      "channel":       "linkedin.dm",
      "direction":     "outbound",
      "advisor_id":    "adv_42",
      "counterparty":  { "linkedin_urn": "urn:li:person:..." },
      "captured_at":   "2026-01-04T15:18:32Z",
      "stored_at":     "2026-01-04T15:18:33Z",
      "retention_until": "2033-01-04T15:18:33Z",
      "body_ref":      "blob/rec_01HX9.../body.txt",
      "rendered_pdf":  "blob/rec_01HX9.../thread.pdf",
      "attachments":   [],
      "prev_hash":     "0000000000000000000000000000000000000000000000000000000000000000",
      "sha256":        "a3f8b2...c91d",
      "merkle_root":   "9b4cf1...20ab"
    }
  ],
  "chain_proof": {
    "head_seq":  144,
    "head_hash": "e2105a...8ff2",
    "merkle_root": "9b4cf1...20ab",
    "published_at": "2026-04-26T00:00:00Z",
    "published_to": "transparency.wealthnavigator.com/log/2026-04-26"
  }
}

Section 7

Subprocessor handling.

Every party that touches advisor-client records is named, contracted under a Data Processing Addendum, and disclosed below. The full subprocessor list, including SOC 2 report references, is updated within ten business days of any change.

Subprocessor | Role | Region
Amazon Web Services | Object storage (S3 with Object Lock), database, compute | us-east-1, us-west-2
Unipile | LinkedIn session API for DM capture | EU (data routed through EU endpoints)
Postmark | Outbound SMTP relay for advisor email | us-east-1
Cloudflare | Edge network, DDoS, image delivery | Global (no record content stored at edge)

Section 8

Talk to our compliance lead.

If you've read this far and still have questions, the right next step is a 20-minute call with the person who built it. No sales pitch — bring your most awkward 17a-4 question.
