FINRA firms such as broker-dealers and registered investment advisors choose AdvisorVault for the remote archiving of their electronic records. Today, the specific demands of SEC rules 17a-3 and 17a-4 put extra pressure on FINRA firms, especially smaller ones that don’t have the budget to perform data archiving in-house. Therefore, they need to find a provider that can offer an inexpensive solution yet achieve the stringent demands from the SEC and FINRA.
So it’s important they choose a third party provider that can offer an inexpensive yet compliant solution for the remote archiving of data. “The challenge for small FINRA firms is to find a provider that can offer a consolidated solution to make sure all electronic records are properly archived as outlined by the SEC and FINRA,” said Allan Lonz, President of AdvisorVault, www.advisorvault.org. “This means they need one provider that can remotely archive data contained in books and records as well as email so they will have one designated third party (D3P) provider for audit supervision to achieve rules 17a-3 and 17a-4,” added Lonz.
Also, it’s critical, especially for broker-dealers and FINRA registered investment advisors, that all data at all locations is easily captured, transferred offsite and made readily available for ongoing audit supervision. However, with all the choices out there, it can be hard for them to find the right provider who understands their specific demands. But at the same time it is critical they properly outsource the archiving of data to achieve the demands of SEC rules 17a-3 and 17a-4 and their stringent long-term electronic records archiving requirements as FINRA members.
Nonetheless, to keep cost as low as possible FINRA firms should look for several key features when choosing a third-party provider for the remote archiving of electronic records as per SEC 17a-3 and 17a-4:
Pay-as-you Grow Pricing Model: the third party provider should offer a solution based on the amount of data. So in the beginning when firms don’t have much data to archive, the cost is low and increases only as the firm grows.
License Free Software: By choosing a provider that does not charge licensing, firms will be able to back up data on an unlimited number of systems at multiple locations. This will allow for protection of data residing on all computers or servers at head office, and on laptops at branch locations and home offices.
Designated Third Party (D3P) Service Included: The provider should not charge extra to perform the D3P service. Because this service is so critical for audits, FINRA firms should choose a provider that will be able to perform the D3P requirement at any time, and at no extra cost.
Because it is important for small FINRA firms such as broker-dealers and investment advisors to keep costs as low as possible, it is very important they choose the right third party provider for remote data archiving. At the same time, it is important they look for the above key features to make sure they continually achieve the demands of SEC rules 17a-3 and 17a-4 and their long-term electronic records archiving rules. This is critical to ensure regular data supervision is performed and audits will be successfully passed.
AdvisorVault’s remote data archiving solution is designed specifically for FINRA firms who want to outsource the archiving of their electronic records to ensure today’s data compliance rules are met. By choosing AdvisorVault, financial firms are confident that all data is remotely archived and made readily available during audits to maintain the highest level of customer confidence at all times.
Allan Lonz, President
Toll free 1-866-925-1941 ex 1
As part of the auditing process, FINRA will want to know who has been selected as the designated third party storage provider (D3P). This means they want to know which independent company has been hired to take a copy of the firm’s electronic records and reproduce them for future audits. This regulation has serious consequences for FINRA firms and should form the basis of their data compliance strategy because the D3P should also act as the remote backup provider to archive electronic records in accordance with FINRA rules 17a-3 and 17a-4. This way several key rules are simultaneously met.
However, for small firms such as broker-dealers, finding this kind of provider can be difficult because data is often dispersed throughout the whole organization on servers, desktop computers, laptops at branch locations or in the cloud. In addition, this data is stored in various formats such as emails, social media posts, office documents or scanned electronic records. Therefore, it is hard for small firms with limited budgets to find the ideal solution to effectively store this diverse information and at the same time satisfy the important D3P obligation.
CHOOSING THE D3P
Thankfully, FINRA gives its smaller members some flexibility when choosing the D3P, and firms have a certain amount of control over who they assign this task to. Surely, they will want to choose a provider that offers a comprehensive yet inexpensive solution, but at the same time meets all the important demands of regulators.
To achieve this regulation, small firms must understand that they need a provider who can capture a multitude of different data formats from various systems, consolidate it into one easily accessible platform, and make it readily available to compliance officers at any time. In addition, they need a provider who allows them to control the cost of the service as they grow; small firms surely can’t spend thousands of dollars a year archiving data to simply keep auditors happy.
Nonetheless, a small firm should look for three important features in a D3P:
1. Remote Data Archiving. The best way for small firms to achieve the D3P requirement is to choose a provider that offers remote data archiving. This means the provider uses an automated method to remotely transfer data from critical systems each night. It will then keep this data archived in a secondary location for the required amount of time. This type of service is perfect for small firms because it is a ready-made solution which can be put in place very quickly to instantly ensure data is transferred offsite, from every location, and put in the possession of a third party provider for FINRA compliance and long-term electronic records archiving.
2. At Flight and At Rest Data Encryption. Because a financial firm’s electronic records are so sensitive, auditors will want firms to choose a D3P that offers At Flight and At Rest Data Encryption. Essentially, this technology will be built into the provider’s software and encrypts the data before it leaves the customer’s site and while it is stored on the provider’s servers. This way even the technicians working for the provider cannot access the data.
3. “Pay-As-You-Grow” Pricing Model. Small FINRA firms such as broker-dealers will want a provider that offers a Pay-As-You-Grow pricing model. By doing this, they are able to control the cost of data compliance because in the beginning they are only paying for data that needs archiving, and as data increases the cost goes up. This way, the initial cost is low and as they grow, they can pay more for protection to keep the overall cost of the service under control over time.
Because FINRA performs regular audits of its members and data compliance is such an important part of this, choosing the D3P is a very important decision for FINRA firms, especially for small firms. The D3P will ensure data is properly accessible for review by auditors; the right provider will also remotely back up and archive data to a remote location, making sure the electronic records and archiving demands of rules 17a-3 and 17a-4 are achieved. Moreover, by choosing a provider that offers the above key features, firms will be able to keep the cost of data compliance under control and ensure they achieve several critical data compliance rules at once.
The long-term archiving of data for compliance is probably the biggest challenge facing small financial firms today. SEC rule 17a-4 lays out some very specific guidelines surrounding the retention of electronic records, and FINRA members who fail to keep critical data and communication for the required amount of time risk audit failure and large fines. But small financial firms such as broker-dealers, independent financial advisors and boutique wealth management companies do not have the manpower to manage this process in-house. To effectively ensure they meet SEC and FINRA rules surrounding the long-term retention of data, they need to hire an outside vendor.
However, they need to select a vendor that understands their unique needs, while keeping the overall cost of compliance down. There are three key requirements FINRA members need to look for in a vendor to help them outsource the long-term archiving of data in compliance with SEC rules.
1. Archiving of Various Data Types
When selecting a vendor to outsource the long-term archiving of electronic records, small financial firms need a provider that can back up and retain a wide range of data types. To ensure they meet the requirements outlined in SEC/FINRA rule 17a-3 in conjunction with rule 17a-4, they must take into account data contained in the Books and Records, systems configuration, and all communications such as email, instant messaging and social media. In addition, the vendor must be able to retain the original data formats so that historical records can be accessed by compliance officers and auditors at any time.
Essentially, when a member of FINRA seeks a vendor to help them with the long-term archiving of data, it is important that the provider fully understands the specific requirements, i.e. that current and historical data must be accessed using old legacy systems. This is not only important for ongoing compliance reviews, but also during audits. Firms will find it beneficial to be able to provide auditors with archived data in formats that can be easily read; in essence, this will speed up the auditing process and ensure FINRA staff are out the door quickly.
2. Retention of data in a non-rewritable format
Once the proper formats of data are being archived and made accessible to auditors and compliance officers, FINRA firms need to be sure the data is stored on non-rewriteable media, also known as WORM storage. This is hard disk technology, used by the provider that is storing the historical data, that prevents the deleting or overwriting of data. This is a critical component of SEC data retention rules, and FINRA members must ensure they are using a provider that has implemented WORM disk to store their data.
3. Quick Recoverability
It is important that FINRA members select a vendor that can recover all current and archived data in a timely manner, usually within 48 hrs. This is an important aspect of the FINRA Business Continuity Planning (BCP) process and should be a feature included with the vendor’s service. Often, archiving vendors will have several methods to allow for the recoverability of customers’ data, depending on the severity of the failure. For example, if systems are temporarily down due to a minor disaster, the vendor should offer web interface access to archived data so customers can still view data in the interim while the systems are being recovered; in the event of a major disaster, the vendor should be able to make a full copy of its customer’s data on a removable drive and drop ship it to any location so the customer can fully recover at a secondary disaster site.
The Business Continuity Planning (BCP) requirement is closely connected to the long-term archiving of data. Ensuring the same vendor who is performing the long-term archiving of data can also quickly recover critical systems in the event of a disaster is key to simplifying the data compliance strategy. It will also help to keep the overall costs of compliance down and speed up the auditing process.
Small financial firms need to outsource the long-term archiving of electronic records for compliance. Because of the lack of in-house expertise, they need to find a vendor who understands their unique requirements and can retain the data in the proper format and make it readily available in the event of a disaster or during audits. Choosing the right provider is critical to keeping the cost down and simplifying the process. Failing to assign the proper third party can be costly and result in audit failure, large fines and ultimately impact customer confidence.
AdvisorVault, http://www.advisorvault.org, is the only remote backup provider specifically designed to help small broker-dealer firms achieve today’s stringent data compliance requirements. With our designated third-party status (D3P) we help small firms achieve all the required data compliance rules defined in 17a-3 & 17a-4, as well as the supervisory and disaster recovery demands contained in FINRA rules 3510 and 3010.
By far the most confusing aspect of FINRA’s audit process deals with data compliance, and in particular the long-term archiving and supervision of data such as books and records and emails in accordance with SEC and FINRA rule 17a-4. This is especially difficult for small financial firms such as broker-dealers, investment advisors and wealth management firms who don’t have large budgets to hire full-time IT staff to manage this process themselves.
Naturally, the increased complexity of technology today has also compounded the problem, especially the explosion of mobile workers who now have critical data spread across the entire organization on laptops and handheld devices. Attempting to apply specific SEC and FINRA rules to ensure the long-term archiving and supervision of this dispersed data is a huge task and demands a deep understanding of technology...
The Truth about Remote Backup
Broker-dealer firms should look for the following features in a remote backup provider:
Rule 17a-4 stipulates that a broker-dealer must protect and keep available the books and records relating to its business. This often covers a wide range of electronic records, and it is vital that a remote backup provider is selected that can protect these various data formats. This must include data such as email residing on internal servers and on individual PCs, such as PST files saved on users’ hard drives. Other documents that hold client information created with Microsoft Office Word, Excel, PDF reports and customer data input into databases should easily be supported. The software should be configured to initially capture a full backup of this data and then be set to run every night and back up the daily incremental changes from then on.
In addition to regular protection of this user data, a provider should have the built-in ability to perform full system-state backups of critical systems to enable “bare metal” restores to alternate hardware. This will allow the quick recovery of servers and their associated operating systems and programs in the case of complete failure.
2. Licensing Free Software
In choosing a remote backup provider, small broker-dealers should select a provider that does not charge software licensing. A cost based only on the amount of data stored eases administration and allows branch offices, remote and home users to be added easily to the data compliance process.
3. Completely Self Managed
Small broker-dealer firms can't spend valuable time managing backups. They should choose a provider who will completely administer the backup process and offer the ability to remotely connect to their software and immediately address problems when they arise. This should be included as part of the provider’s service to ensure missed backups do not leave gaps in a broker-dealer’s data compliance strategy.
4. Built-in Archiving
SEC rule 17a-4 poses particular challenges for small broker-dealer firms because of the specific technology required to achieve the long-term retention requirements of this mandate. In choosing a remote backup provider, it is critical that a firm understands the difference between backup and archiving. By default, to keep cost low, remote backup providers only store customers’ data on a limited retention basis using quick access hard disk. This will be set within their software to overwrite files that change frequently and keep only 10 to 30 versions of changes.
Unfortunately, this is not compliant and data that changes frequently will be overwritten. Therefore, older copies of files may not be available during an audit or in the event of a disaster. An additional archiving process must be added in this case to perform regular full “snap-shots” of data at least monthly and move them to non-rewriteable optical disks. These will then be stored securely for at least 6 years. Non-rewriteable DVDs are a perfect technology for this because of their capacity, durability and low cost.
A provider’s backup software should have the ability to send automatic email reports to compliance officers for review. This will be part of the broker-dealer's supervisory duties and a key component of their regular compliance reporting and auditing procedures.
6. Ease of recovery
In the event of a disaster it should be easy for broker-dealers to restore data back to its original location or to alternate systems. Also, during SEC audits broker-dealers may be requested to reproduce current or archived data on separate media such as USB drives, CDs or DVDs so it can easily be reviewed by auditors. Ensuring a provider can easily restore this data to common file formats on alternate media will ease the audit review process. In addition, providers should be able to integrate seamlessly with FINRA’s Small Firm Emergency Partner Program and allow data to be immediately restored to a pre-designated partner firm at a geographically separate location.
Additional articles from AdvisorVault:
Disaster Recovery (DR) for Small Firms
As a backup provider to independent securities firms, I often ask customers, “If your office burned down to ashes, what would you do?” Desperate stares aside, this particular question is aimed to get the DR juices flowing and help paint a complete picture of the worst case scenario. In reality though, answering this question is not easy, but it’s critical that broker-dealer firms have a strategy to recover from a major disaster. More importantly, as members of FINRA regulated under the SEC they must create a Business Continuity Plan describing in detail how they will respond to events that significantly disrupt their business.
For larger brokerages, this is not a problem and a clear method exists for them: assign the proper resources to build a secondary DR site that replicates critical systems at the main office. Then, in the event of a disaster, simply fail over to this pre-configured infrastructure and continue operations as normal.
Designated Third Party (D3P)
Your Key to SEC Audit Success and Customer Confidence
The FINRA Designated Third Party (D3P) requirement as outlined in rule 17a-3 & 17a-4 is hands-down the most confusing aspect of data compliance. But it is critical that broker-dealer firms address this key mandate and make it a part of their data compliance strategy. In reality though, it is usually the last step taken once a firm has chosen a remote backup provider for their electronic records.
For small broker-dealer firms with limited time and budgets, finding the best partner to assist them with their D3P needs can be a daunting task. They need to choose a provider that can help them achieve these requirements effectively; choosing the wrong D3P can cause unnecessary burden and quickly increase the overall cost of data compliance. But more importantly, failing to assign a D3P can result in SEC audit failure or cause serious damage to a firm’s reputation.