The Facts About 17a-4 Cloud Compliance

An important thing I’ve learned working with small FINRA firms over the past 15 years is their need to continually find ways to keep technology spending as low as possible yet keep regulators happy, i.e., pass the 17a-4 electronic records request.

It’s not a simple task since there are lots of ways to store data and also lots of ways to trip up when FINRA comes in to request a sample set from the archive.

I can’t count the number of times customers have asked me if they can use the cloud. I tell them yes, the cloud is a great way to simplify tech spending; it’s a completely outsourced option for email and data storage that enables sharing with collaboration among employees and partners. Further, there are no ongoing hardware or software costs, only one pay-as-you-go monthly fee. For instance, a popular choice is Office 365, which is a complete virtual option in the cloud suited for small FINRA firms.

The downside to the cloud is that it’s not 17a-4 compliant. In other words, data stored there can be deleted or modified by anyone at any time. Also, records aren’t retained for seven years, and cloud providers won’t act as the FINRA D3P: they simply won’t guarantee data will be retained as per rule 17a-4, and they’ll refuse to even provide the two 17a-4 attestation letters FINRA is going to need to complete the compliance registration that allows the use of any electronic storage platform. Therefore, firms that want to use the cloud need to understand a few important things, particularly about SEC rule 17a-4, to make sure they use the cloud compliantly:

The Facts about 17a-4 Cloud Compliance

First, it’s important to know that FINRA amended SEC rule 17a-4 to allow the use of non-WORM disk to retain electronic records. This means that as of 2003, firms can use systems that have software features built into them to prevent the deleting or modifying of data. This amendment to 17a-4 is important because firms can now outsource the archiving of data to third parties who can set retention rules on data using software without the need for special disks. These retention rules can be set to delete data after a period of time, usually three to seven years, thus freeing up space to be used for current data. As a result, archiving sets are as small as possible. This keeps data storage costs low while satisfying the 17a-4 electronic records retention requirement.

Second, FINRA doesn’t care where data is stored; their only concern is that firms make copies of it for 17a-4. For small firms who also outsource data archiving, this means using an automated method to transfer current data in the cloud to the D3P. Thankfully it’s not difficult.

For instance, AdvisorVault has built-in connectors to G Suite and Office 365 that automatically capture all data on these cloud systems and transfer it to our 17a-4 compliant platform, which retains this data for 7 years in its original format. In addition, AdvisorVault makes this cloud data available for retrieval by customers at any time if they are audited and receive an electronic records request. Also, this achieves the ongoing supervision of cloud electronic records and emails as required by 17a-4 and FINRA audits. The AdvisorVault Cloud Connect can be set up in minutes to give FINRA firms an instant compliant option for all cloud data.

Third, FINRA likes it when firms consolidate their entire archive with one third party, as it makes the 17a-4 electronic requests easier. One way to do this is to choose a Consolidated D3P. This kind of D3P will retain all data within the cloud, such as full email accounts with contacts/calendar/complete profile, books, and records (Word docs, scanned data, and customer databases). In addition, the D3P will back up data for disaster recovery, with documentation included for FINRA to assign the provider as the designated storage provider, who also will be willing to act as the downloader if requested by FINRA.

AdvisorVault’s Consolidated D3P is the Answer

Before using the cloud to run their office, small FINRA firms need to understand a few important things about 17a-4 to be compliant, such as current amendments to the rule and how to choose a provider with a direct 17a-4 connector to G Suite and Office 365. Finally, it’s important to have a Consolidated D3P service to make sure electronic records, full email accounts and the D3P service are included. This will help them keep the cost of technology as low as possible and ensure regulators are kept happy. AdvisorVault’s consolidated D3P is the answer for small firms when they move their office to the cloud.