What does a Cloud Provider need to be a FINRA D3P?

Posted on by Allan Lonz

FINRA and 17a-4 Cloud Storage:

I’ve notice there’s lots of talk these days about 17a-4 and choosing a cloud provider. Specifically, the problem surrounding the FINRA Designated Third-Party Provider or the 17a-4 D3P.

For example, a FINRA firm such as a broker-dealer-  if the compliance officer has done their homework,  will want to know a few things up front before scrapping their in-house systems and moving everything to the cloud. First, they will want to know if the cloud provider will act as the D3P. Next, they have to be sure the cloud provider will retain the data as per 17a-4. But most importantly, what is FINRA going to think about the cloud provider you’re using when they come in for the audit?

These are important questions to answer, especially for broker-dealers who are thinking about using popular cloud services from Microsoft, Amazon or Google. I don’t mean to be the devil’s advocate here, but when I look closer at their offerings, the answers aren’t clear to me. I mean when you read recent documents published by the big three cloud providers, you may believe they can act as the FINRA D3P. But when you dig deeper it gets real fuzzy.

Lock Policies Aren’t Enough to be a FINRA 17a-4 D3P

Microsoft, for example, has their Azure Immutable Blob Storage with the Policy Lock option that they claim meets all the demands of 17a-4. However, Microsoft states in its Terms of Service: “We strive to keep the Services up and running; however, all online services suffer occasional disruptions and outages, and Microsoft is not liable for any disruption or loss you may suffer as a result. In the event of an outage, you may not be able to retrieve Your Content or Data that you have stored. We recommend that you regularly backup Your Content and Data that you store on our Services with Third-Party Apps and Services”.

And according to Amazon, they have their Vault Lock which apparently allows you to easily deploy and enforce compliance controls on individual Glacier vaults via a lockable policy. Once locked, the Vault Lock policy becomes immutable, and Glacier will enforce the prescribed controls to help achieve your compliance objectives. But they add that Amazon Web services is not a FINRA designated third party (D3P) and advises customers to select a proper provider and include this information in their notification to their “Designated Examining Authority (DEA)” when using Amazon for electronic records storage archiving.

Same with Google’s cloud storage. For compliance, they have  added its bucket lock feature, yet Google states clearly – if you read further on this feature: Google Cloud Storage, when properly configured and used with the Bucket Lock feature, MAY help users address U.S. record retention regulations, such as: SEC Rule 17a-4, but in the article here:

https://cloud.google.com/security/compliance/offerings#/regions=USA

You will find it interesting that Google does not claim to be a FINRA 17a-4 D3P (and if you contact them as a broker-dealer, they will not give you the two 17a-4 attestation letter required by FINRA) also, you will have to “obtain an independent and objective assessment of Google Cloud Storage’s compliance capabilities.” In other words,  you will need to hire a FINRA D3P in addition to using Google storage.

The FINRA Rule 17a-4 Check List for Compliance

But simply putting locks on data isn’t enough for FINRA – 17a-4 is more complex than that. For example, what about what about multiple versions? Is data indexed and searchable? Can you perform proper email supervision as required by 17a-4? Will they act as the D3P and provide the FINRA attestation letters, do they even know what their responsibility as the D3P is? Will they allow you to perform a destruction request, how about during the 17a-4 electronic records request, will they be there for you when the auditor shows up asking for a sample data set? Do they understand the kind of format the regulator will want the data in: that email must be downloaded in pst format. Will they be there during the audit, is that an extra cost? Will you be able to get a hold of someone at Google or Microsoft during the audit if you need help accessing your archive and downloading a sample data set?

Choosing an experienced FINRA D3P such as AdvisorVault as an add on to your cloud provider is the only way to ensure compliance with rule 17a-4, ultimately though, the goal is to get the regulator out the door faster when they come in for their audit: an out-of-the-box solution from AdvisorVault gives this peace of mind.