By Allan Lonz, President of AdvisorVault
March 16, 2018

Cloud Backup Expert Tips: Three Truths about Making the Cloud 17a-4 Compliant

An important thing I’ve learned working with small FINRA firms over the past 12 years is their need to continually find ways to keep technology spending as low as possible yet keep regulators happy, i.e., pass the 17a-4 electronic records request. It’s not a simple task since there are lots of ways to store data and also lots of ways to trip up when FINRA comes in to request a sample set from the archive.

I can’t count the number of times customers have asked me if they can use the cloud. I tell them that the cloud is a great way to simplify tech spending; it’s a completely outsourced option for email and data storage that enables sharing with collaboration among employees and partners. Further, there are no ongoing hardware or software costs, only one pay-as-you-go monthly fee. For instance, a popular combination is Gmail to host email with Google Drive to store books and records, or Office 365 for email in combination with Dropbox for storage.

The downside to the cloud is that it’s not 17a-4 compliant. In other words, data stored there can be deleted or modified by anyone at any time. Also, records aren’t retained for seven years and cloud providers won’t act as the FINRA D3P. Therefore, FINRA firms who want to use the cloud need to understand a few important things, particularly about SEC rule 17a-4, to make sure they use the cloud compliantly:

First, it’s important to know that FINRA amended SEC rule 17a-4 to allow the use of non-WORM disk to retain electronic records. This means that as of 2003, firms can use systems that have software features built into them to prevent the deleting or modifying of data.

This amendment to 17a-4 is important because firms can now outsource the archiving of data to third parties who can set retention rules on data. These retention rules can be set to delete data after a period of time, usually three to seven years, thus freeing up space to be used for current data. As a result, archiving sets are as small as possible. This keeps data storage costs low while satisfying the 17a-4 electronic records retention requirement.

Second, FINRA doesn’t care where data is stored; their only concern is that firms make copies of it for 17a-4. For small firms who also outsource data archiving, this means using an automated method to transfer current data on the cloud to the D3P. Thankfully it’s not difficult.

For instance, Gmail and Office 365 have built-in options to automatically forward email to a D3P using what’s called a smart host or journaling, which sends all incoming and outgoing messages to a third party’s email archiving system. This makes it possible to keep all copies of email compliant for 17a-4 retention and supervision. These forwarding options can be set up in two minutes.

Similarly, Dropbox’s sync tool copies data to local disk to archive with a D3P. Firms simply need to choose a provider who has an automated method to capture this data to their 17a-4 compliant systems.

Third, FINRA likes it when firms consolidate their entire archive with one third party, as it makes the 17a-4 electronic requests easier. One way to do this is to choose a Consolidated D3P. This kind of D3P will capture all data within the cloud such as emails, books, and records (Word docs, scanned data, and customer databases). In addition, the D3P will back up data for disaster recovery as well as provide the documentation needed for FINRA.

When choosing a consolidated D3P, firms need built-in tools to access the archive, such as a secure web interface, which allows the compliance officer to do their regular supervision, download data for the FINRA electronic records request, or recover data if it gets lost.

Summary:
Before using the cloud to run their office, small FINRA firms need to understand a few important things about 17a-4 to be compliant, such as current amendments to the rule, how to forward data from the cloud to a third-party storage provider, and the Consolidated D3P option. This will help them keep the cost of technology as low as possible and ensure regulators are kept happy.

About AdvisorVault
AdvisorVault is the only third-party provider that has created a complete solution to achieve compliance within the demands of SEC rule 17a-4. The product includes software to remotely archive data contained in books and records, emails, and any other records needed for disaster recovery. In addition, AdvisorVault provides all the tools necessary to supervise and download archived records, which keep compliance officers and auditors happy in order to ensure the highest level of client confidence at all times.

To request a demo of the AdvisorVault solution, click on the link below: www.advisorvault.org/free-trial-offer

AdvisorVault Contact
Allan Lonz
President, AdvisorVault
alonz@advisorvault.org
www.advisorvault.org
direct: 416-985-0310
Toll free 1-866-732-1407 ex 1

Source: AdvisorVault

 

 
