How It Works — FINRA Rule 3110 & SEC 17a-4 Audit Trail

Controls aren't a layer on top. They're how the system works.

Maker-checker enforcement, WORM (Write Once, Read Many) audit trail, and role-scoped access are structural properties of Devancore's event stream — not a compliance module added after the fact.

In legacy post-trade systems, controls are implemented as access restrictions on a mutable database. Someone has permission to change a record, or they don't. The audit trail, if one exists, is a separate log maintained alongside the data it's supposed to protect.

Devancore's architecture makes this separation unnecessary. Every state change is an immutable lifecycle event. There is no "edit" operation: only new events that supersede previous ones. The audit trail is not a log of what changed; it is the record that everything else is built from. As a matter of architectural design, every event is intended to carry actor attribution, a source, and a timestamp. Every material action is intended to require a second authorized actor before it takes effect.

Maker-checker enforcement, role-scoped access, and WORM logging are not features added to a working system. They are how the working system functions. The implication for a FINRA or SEC examination: supervisory evidence is not produced by running a report the night before a review. It is generated as a byproduct of normal daily operations.

Maker-checker enforcement: written supervisory procedures as a workflow output

Every material action in Devancore, trade amendment, settlement instruction override, position adjustment, compliance rule change, requires a second authorized user to review and approve it before it takes effect. The action does not execute until the checker approves. Every maker submission and every checker decision is a lifecycle event with actor ID, timestamp, IP, device, and the full state of the record at the time of the action.
  • FINRA Rule 3110 alignment

    This is the operational design intent behind FINRA Rule 3110 supervisory review requirements. The rule requires documented written supervisory procedures and evidence of review. Devancore's event stream is designed to generate that evidence as a byproduct of the operations workflow, not as a separate reporting task. A compliance examiner reviewing supervision does not need to ask "was this reviewed?" The event stream provides an answer: here is the maker event, here is the checker decision, here is the elapsed time between them, here is who both actors were. The supervisory record produces itself.

  • Break-glass scenario

    In fast-moving market conditions, operations teams need the ability to act quickly. Devancore handles this through a designated escalated-access role for time-critical actions. Emergency actions taken under that role are still subject to the 4-eyes principle, a second authorized actor must confirm, and every step is logged in real time. Speed is preserved. Supervisory evidence is not suspended.

WORM audit trail: broker-dealer audit trail software built on the event stream

Devancore's event log is designed to be append-only. Events are written and, as a structural property of the architecture, are not subject to modification or deletion through normal system operations. This is the Write Once, Read Many (WORM) design principle at the center of SEC Rule 17a-4(f)'s electronic records requirements.
  • Every event carries five attributes

    Who: actor type (user, system, or service) and actor ID, including the specific integration or automated workflow if the actor is not a human. What: action and subject: what was done and to what entity. When: the timestamp of when the event occurred, not just when it was ingested. Where: IP address and device. Source: FIX message, UI action, API call, or autonomous system transition.

  • Rule 17a-4(f) scope

    Rule 17a-4(f) requires more than non-rewritable storage: it also requires indexing, access controls, the ability to produce records promptly to regulators, and written undertakings where a third-party vendor provides the storage. Devancore's event log is designed to support these requirements; the firm's compliance function and legal counsel determine adequacy of the full 17a-4 implementation, including any third-party storage arrangements.

  • The Examiner's View

    Because the event stream is queryable by entity, actor, time range, event type, or source, an examiner inquiry does not require operations staff to manually reconstruct a sequence of events. The log is the sequence. Query parameters define the scope; the record is produced directly. This is the operational difference between an audit trail that exists and an audit trail that is exam-ready. For digital asset operations: an on-chain settlement instruction and a DTC settlement instruction are both lifecycle events in the same log, with identical attribution, design properties, and retrieval path. On-chain and off-chain do not have separate audit trails.

Zero-trust operations: enforcing the principle of least privilege

In Devancore, access is scoped to what a role's function requires: no broader. A front office user who can capture trades cannot touch settlement instructions. An operations user who can manage settlement exceptions cannot modify compliance rules. A compliance officer who can view the full audit trail cannot create trades.
  • Role model, not permission list

    This is not a per-user permission list to maintain. It is a role model structured around the principle of least privilege: each role carries only the capabilities its function requires, and nothing additional. The organizational design principle that the person who creates a record should not be the person who approves it, and the person who approves it should not be the person who monitors it, is expressed as a system property rather than a policy document.

  • Operational consequence

    A settlement instruction cannot be self-approved. A trade amendment cannot be self-checked. A position adjustment cannot be hidden from the compliance monitor. Access boundaries are enforced by the system structure, not by the assumption that people follow the policy. Devancore's access layer is designed for AES-256 encryption in transit and at rest, MFA-enforced role authentication, and SOC 2-aligned access workflows.

Segregation of duties: enforced, not documented

Legacy systems implement segregation of duties through access control lists: user A has permission X, user B has permission Y. When a permission is added to the wrong account during an operational emergency, the segregation breaks silently. The system has no structural awareness of the breach.
  • Structural segregation

    In Devancore, segregation is structural. The maker-checker workflow is designed so that a single user cannot complete both sides of a material action: the system requires a second actor in the checker role before the action executes. The role model is designed so that a user cannot hold capabilities from functionally separate roles simultaneously; changing a role's capability scope is itself a recorded, supervised event. Segregation of duties is enforced by the shape of the workflow, not by access lists that require periodic auditing to remain intact. The practical difference: in a compliance examination, the question is not "did the access control list reflect your segregation policy?" It is "show me a material action where a single user completed both sides." The event log answers that question structurally.

Comprehensive financial audit trail: every action attributed, including system and on-chain actors

Devancore distinguishes between three categories of actor: human users, system processes (automated workflows, reconciliation engines, scheduled tasks), and services (API integrations, external system connections). All three categories generate attributed events. As a matter of design intent, every event in the log is associated with an actor: there is no event category for which attribution is structurally absent.
  • Attribution across actor types

    An automated reconciliation engine that opens a break is a system event attributed to the reconciliation workflow. An API integration that updates a position is a service event attributed to the integration. For digital asset operations: whether the actor is a human trader, a FIX engine, or a blockchain oracle triggering a smart contract execution, the attribution model is the same. On-chain events, a token transfer, a smart contract finalization, are ingested as attributed lifecycle events alongside traditional settlement events, in the same log.

  • No unattributed changes

    A position change that happened "because the system did it" still carries an actor, a trigger, and a timestamp. An examiner asking "why did this position change?" receives an answer from the event record, not a reconstruction from memory by the operations team.

Controls are only as strong as the architecture underneath them. The reason Devancore's maker-checker enforcement is structural rather than policy-based is that the event stream makes every action a recorded fact at the moment it occurs. The reason the audit trail carries WORM design properties is that append-only event sourcing leaves no normal-operations path for after-the-fact modification. The controls are the architecture.

Regulatory grounding

Security baseline

Infrastructure controls and publication note.
  • Infrastructure controls

    Cloud-agnostic deployment with AES-256 encryption in transit and at rest. MFA-enforced role access. SOC 2-aligned operational workflows. Architecture designed to support SEC Rule 17a-4 electronic records requirements and FINRA Rule 3110 supervisory evidence standards. See implementer guidance regarding publication-readiness of these claims.