NEW YORK, Jan. 14, 2017 /PRNewswire/ --
By Allan Lonz, President, AdvisorVault, www.advisorvault.org
In previous articles I talked extensively about the unique challenges small FINRA firms face due to SEC rule 17a-4 and the demands it places on compliance officers and IT staff since they do not have the same budgets as large firms. I highlighted that outsourcing the archiving of electronic records to the right designated third party is key, particularly to one which offers a consolidated solution that can store and archive data contained in books and records, emails, and other critical systems for disaster recovery. Finally, I discussed how many small firms would like to take advantage of the latest technology, such as cloud or mobile computing, but are afraid to because of the risk of failing an SEC audit.
In this article, I'm going to discuss ways small FINRA firms, particularly broker-dealers and registered investment advisors (RIAs), can solve that problem and the best ways they can store and share data electronically while ensuring compliance with 17a-4.
Rule 17a-4 and the FINRA Audit
The problem begins when the firm doesn't know exactly what auditors want. Lately, I've seen a lot of this: different FINRA auditors ask for different things and there is no consistency in their electronic records requests. For instance, sometimes during a FINRA audit they'll make a full request for electronic records, sometimes not; other times they are adamant about sampling historical emails while other times they ask for a current copy of the firm's books and records downloaded to disk. They may also want a detailed disaster recovery procedure. In addition, each state has different ideas about compliance, and the regulators within each state have varying technical aptitudes.
While everyone refers to rule 17a-4, I haven't met anyone who truly understands it. Some even believe that WORM disk is still the only way to store books and records (in fact, it's not; this was changed by an amendment to 17a-4 in 2003). That's because SEC rule 17a-4 is over 65 pages long, with dozens of revisions and updates. Don't worry though; I'm not going to regurgitate every line in 17a-4, and this isn't the spot where I cut and paste huge sections of the rule to distract you from the fact I don't fully understand it either. Follow along though, and I'll share the basics of what's needed for compliance.
17a-4 Simplified in Three Steps:
The first thing I tell my customers when we discuss 17a-4 compliance is: ARCHIVE EVERYTHING FOR SEVEN YEARS. Ignore the long list 17a-4 gives you about archiving only trade blotters for 3 yrs, asset and liability ledgers 4 yrs, order tickets, trade confirmations and trial balances 7 yrs, etc., because trying to select individual retention policies specific to separate data sets is too complicated in the beginning. This approach may sound expensive, but don't worry initially about data amounts, retention periods, or the cost of storage, as unnecessary files can be purged later. Also, I'm not saying to back up all data off every server or PC; important data should be organized into a folder structure that can be selected and archived.
Small FINRA firms who use AdvisorVault's remote archiving software can purge "garbage" data after everything has been uploaded, which is key to keeping the data archive as small as possible. When I refer to "garbage" data, I mean videos, TMP files, pictures and dancing elves (especially those found in the fully downloaded second season of Game of Thrones, inadvertently stored where it shouldn't be). Furthermore, AdvisorVault's software was designed specifically for small broker-dealers and RIAs who can't afford to pay thousands of dollars a year to maintain 17a-4 compliance. AdvisorVault gives firms the flexibility to select certain data and exclude file types that would never appear in a firm's books and records. In fact, we have seen a 20-person broker-dealer firm whittle their 17a-4 data archive to under 20 GB with our software.
Secondly, don't use on-premises servers to store data; use the cloud. Small FINRA firms who only need simple file storage and sharing should use Dropbox, Google Drive, or Office 365. SharePoint or ShareFile can also be used, but I don't recommend either because an additional connector is needed in order to access this data to make it compliant.
If a firm needs more than file sharing, such as an enterprise software or database access, they can use a cloud virtual server from Azure or Amazon.
I have seen a lot of firms scrap their in-house servers to migrate to a virtual server lately, and I love it because a virtual server hosted in the cloud is now accessing the internet at gigabit speeds directly on the internet backbone. Firms don't need to worry about the jabber around making the cloud 17a-4 compliant, because it's not that hard. The reality is, FINRA doesn't care where data is stored, just as long as firms have a way to make copies of it and store it on 17a-4 compliant data - i.e. they have an automated method to transfer any data in the cloud to a 17a-4 designated third party.
The last piece of advice I give my customers is: know how to access the 17a-4 data archive. This is important because no compliance officer wants to fumble around searching their archive while the auditor is staring over their shoulder; at this point FINRA will immediately know they haven't been doing regular electronic records supervision either. Therefore, a complete 17a-4 supervisory interface must be included in the D3P's solution. This interface is essentially a secure web site that will be used to access the archive AFTER the D3P has uploaded the data. This web site needs three things to keep auditors happy:
One: The first thing a FINRA compliant supervisory web interface needs is to allow access to all data. Data needs to be indexed (indexed simply means it's searchable and any new data is added as well). Also, the web interface should give compliance officers access to all data contained in books and records, databases, and emails, as well as systems data for disaster recovery.
Two: Secondly, it's important that firms perform regular electronic records supervision. Ideally, the 17a-4 supervisory interface will have searchable access to the whole archive so advanced searches can be done, and emails can be flagged as supervised, compliant, or non-compliant and forwarded to the compliance officer or other key employees for full review.
Three: Finally, firms need to perform the FINRA electronic records request. During the regular FINRA audit, an electronic records request will be done. This request is a sample of data from the firm's 17a-4 data archive, usually a sample of particular data from a specific person. Therefore, the compliance officer needs to have the search capability to do this. It's also critical that the web interface is able to take a sample of data and allow the compliance officer to download it so they can copy it to a disk in an encrypted zip format for the regulator to take back with them.
The way small firms choose to store data has a huge impact on data compliance, particularly how they decide to store electronic records. It is also important that firms understand the basics of SEC rule 17a-4, specifically what data should be archived for how long and how to access this data. Ultimately, the end result is satisfied auditors who get out the door faster.
AdvisorVault is the only FINRA designated third party provider that has created an SEC compliant archiving solution designed specifically for small FINRA firms to achieve all the demands of rule 17a-4. The solution was created to remotely archive all required electronic data and consolidate it into a secure, web-based platform that is readily accessible for audit and ongoing compliance supervision. The AdvisorVault solution archives data and email residing in the cloud, on internal systems and laptops, as well as mobile devices and branch offices.
This content was issued through the press release distribution service at Newswire.com. For more info visit: http://www.newswire.com/.
To view the original version on PR Newswire, visit: http://www.prnewswire.com/news-releases/advisorvaults-best-practice-for-sec-rule-17a-4-a-guide-for-small-finra-firms-300391115.html