Achieve 17a-4 in Three Steps: A Guide for Small FINRA Firms

Let’s go over three simple things you can do that’ll help your firm reduce tech spending while at the same time meeting the demands of rule 17a-4. That’s a really important thing these days, especially if you’re a small FINRA firm with a limited budget and no in-house IT staff. (And want to keep it that way.)

Microsoft 365: A Complete Cloud Solution for FINRA Firms

The first thing you must do if you want to get IT spending under control (and make sure you have data compliance in order) is get everyone on a complete cloud platform. The best cloud platform for small FINRA firms is Microsoft 365 because for one flat monthly fee each employee gets everything needed to do their job. For instance, each person gets a full Exchange email account with all the bells and whistles, company-wide data storage on SharePoint, individual data storage on OneDrive, and Teams for collaboration, with a centralized portal to monitor everything.

Then, once everyone is on Microsoft 365, it’s important to fully migrate all data and email onto it. You don’t want information stored all over the place, such as on people’s PCs, various cloud systems or in-house disk, because that will leave gaps. Ultimately, it’s the firm’s compliance officer who should push to consolidate everyone’s data on Microsoft 365, because as part of FINRA rule 17a-4 electronic records and email should be consolidated onto one platform so that the long-term archiving and retention of data is done centrally. You surely don’t want to be caught with your pants down during the 17a-4 electronic records request, when the auditor comes in and you can’t reproduce a sample data set from your archive.

Your IT Policy: Simplify the 17a-4 Electronic Records Request

Firms often ask me: what do we need to archive for 17a-4? In other words, when the auditor comes in, what electronic records will they potentially ask us to reproduce? I tell them that’s defined in your IT policy. The next step to simplify data compliance is therefore to create an IT policy telling everyone what technology they should use. It’s important to have the compliance officer sign off on this as well, since it will help with FINRA data compliance for 17a-4 by stating what technology employees will use to communicate with customers. Naturally, once you’re on Microsoft 365, reps will only use email or Teams. Also, books and records created by anyone will be stored on SharePoint or on people’s OneDrive. Then you’ll know exactly which electronic records and communications your firm needs to retain for compliance.

Choose a Consolidated FINRA D3P to Make Microsoft 365 17a-4 Compliant

OK, now the whole office is on Microsoft 365, you’ve managed to migrate everyone’s data there, and you’ve also created an IT policy telling every employee to use only Microsoft email, Teams, SharePoint or OneDrive to communicate with customers or partners. The final step is to choose a 17a-4 consolidated D3P (Designated Third Party), such as AdvisorVault’s consolidated D3P service. Our consolidated 17a-4 D3P will do everything a FINRA firm needs to meet data compliance: archiving, retention of data for 7 years in its original, non-modified format, providing the two third-party 17a-4 attestation letters and, finally, making the firm’s data available to FINRA if they request it during an audit.

For instance, our consolidated D3P service plugs right into the Microsoft 365 cloud and archives everything stored there to meet 17a-4. This means all users’ emails (including their complete Outlook profile with contacts and calendar), all documents saved in SharePoint and OneDrive, and Teams chats are automatically transferred to our 17a-4 compliant archiving system.


To keep data compliance spending as low as possible and also meet FINRA rule 17a-4, there are three simple things a firm can do: (1) move everything to a complete cloud platform such as Microsoft 365, (2) create a clear IT policy telling employees to use only Microsoft email, Teams, SharePoint and OneDrive, and (3) choose a consolidated 17a-4 D3P to make Microsoft 365 compliant.