To make sure data is properly protected for full compliance, it is important to understand the difference between the two main data types, static and dynamic; each requires a different approach to ensure full protection. Static data consists of things such as Word documents, scanned records, PDFs and client databases. Because static data does not change often, a proper backup solution is designed to regularly pull this data off existing disk, whether it is stored in-house or in the cloud. The key is to ensure no one is accessing these files while they are being backed up, for full compliance with the demands of SEC rule 17a-4. For example, it is important that users are fully logged out of programs or not accessing documents during the backup process, so that data is not in a locked state. Or, if users cannot disconnect from the system, backup software must be selected that has the intelligence to recognize locked files and make copies of them while they are in use.
On the other hand, dynamic data includes emails, text messages, social media and other files that change constantly. An effective archiving solution will take copies of dynamic data before it is entered into the system by using a forward and store method. This method essentially captures data before it enters the customer’s system, places it in the archive and then forwards it on to its final destination, thereby ensuring it is not modified once it enters the customer’s system. This way the long-term data archiving retention requirements of SEC rule 17a-4 are met, because files are kept in their original state at all times in a secondary location with a designated third party (D3P).
Understanding the difference between static and dynamic data types is important for FINRA firms to achieve 17a-4 compliance. In particular, they need to make sure these two different data formats are properly backed up and archived; concepts such as unlocking data and forwarding it to third party providers are key to achieving this.
A proper data backup and archiving solution to meet SEC rule 17a-4 needs the following features:
Rule 17a-4 stipulates that a firm must protect and keep available the books and records relating to its business. This must include data such as email residing on internal servers or PCs and other records such as Word documents, PDFs, scanned files and key users’ databases on users’ hard drives or in the cloud.
The backup and archiving process should be fully managed by the provider who will completely administer the process to ensure no gaps appear in a firm’s data compliance strategy.
The third party provider’s backup and archiving software should have the ability to automatically send email reports to compliance officers for review. This will be part of the firm’s supervisory duties and a key component of its regular compliance reporting and auditing procedures.
Indexing of Data:
A compliant supervisory tool automatically indexes data added to the archive. Indexing means data can be retrieved properly so searches are faster and any new information is quickly searchable in the archive.
Ideally, the archive will be accessed from a secure web interface. This allows compliance officers and other key staff to easily share the electronic records supervisory duties.
Compliance officers need to make copies of electronic records for auditors, and a proper supervisory solution will centralize the downloading of all data such as emails, Word documents, scanned records and key client databases. In addition, any data that is needed by regulators during an electronic records request must be downloaded in an encrypted zip file format.
When it comes to satisfying today’s data compliance regulation such as SEC 17a-4, the big question FINRA firms have to ask themselves is, “What is the difference between regular data backup and data archiving?” This is important to answer, especially for small firms such as Broker-Dealers and Registered Investment Advisors because they have to outsource this process to a designated third party. Therefore, it is critical they choose the right provider, because in the end it’s their responsibility to ensure data is properly protected to allow full disaster recovery and audit supervision.
What is Data Backup vs. Data Archiving?
First of all, regular data backup is a process designed specifically for disaster recovery and is performed every night, or several times throughout the day for data that changes frequently. Furthermore, to keep the cost of compliance low, this type of backup does not retain data for long periods of time and purges it after a certain period, usually 30 days.
Also, an effective data backup plan contains extra information that is not included in data archiving. For example, it should include the system state configuration of critical servers so that programs and other information can be restored for a bare metal recovery of the whole system. Finally, testing restores of data backups should be done differently than data archiving. It is performed on a regular basis and needs to be tested for restoring data back to its original location or to a secondary disaster recovery site.
Data archiving, on the other hand, is designed specifically for compliance supervision. It is an extra step applied to the regular daily backups which contains only electronic records related to the books and records, as well as any communication between registered reps and clients, as defined by SEC rule 17a-4. Also, an effective data archiving strategy includes a supervisory interface that allows compliance officers to review the archive at any time for regular audit supervision or when requested by regulators. Testing of the data archiving process is also done differently and is performed only as a sample test of certain data for a specific time period to pass audits or for regular supervisory activities. Therefore, an additional supervisory interface is required that has specific advanced features built into it.
The electronic records retention requirements of SEC rule 17a-4, or the SEC Books and Records rule, define the following types of data that must be retained:
Emails and other communications
Asset and Liability Ledgers
Trial Balances and various other related documents
Systems Configuration data for recovery of critical systems and data
The problem today, especially for small firms, is that this data is often contained in so many different formats: Word, Excel, PDFs, scanned records or contact databases. Also, FINRA firms want to take advantage of the cloud to store this data; it’s not just saved on PCs or servers in the head office anymore. Therefore, the important thing needed now is an automated method to capture all this dispersed data and transfer it to the designated D3P for retention as required by SEC rule 17a-4.
The FINRA books and records rule or SEC 17a-4 outlines three main responsibilities for FINRA firms:
One: It outlines which electronic records must be retained by Broker-Dealers, i.e. data relating to the business and communications such as emails and any other communications they have allowed as defined in their communications policy. For example, if the communications policy allows Facebook to be used by reps when communicating with clients, then this data needs to be retained as per 17a-4.
Two: SEC Rule 17a-4 defines how long electronic records must be retained; the best practice for Broker-Dealers and RIAs is 7 years.
Three: And finally, the books and records archiving rule directs FINRA members on what method they must use to store their electronic records. Essentially, Broker-Dealers, as of 2003, are no longer limited to using only optical, WORM disk, CD-ROMs, DVDs or similar physical media to retain their electronic records. They can now use software which has the features built into it to specify an expiry or retention period for data storage. Then, after this expiry period or retention date, the records are automatically deleted, freeing disk space for reuse and thus saving costs.
For instance, AdvisorVault has built-in connectors to G Suite and Office 365 to automatically capture all data on these cloud systems and transfer it over to our 17a-4 compliant platform, which retains this data for 7 years in its original format. In addition, AdvisorVault makes this cloud data available for retrieval by customers at any time if they are audited and asked for an electronic records request. Also, this achieves the ongoing supervision of cloud electronic records and emails as required by 17a-4 and FINRA audits. The AdvisorVault Cloud Connect can be set up in minutes to give FINRA firms an instant compliant option for all cloud data.
Broker-Dealers are no longer restricted to using only WORM disk to store electronic records to satisfy rule 17a-4. This used to be the case but was changed by the SEC in 2003. Because of the increase in data volume and new technology, 17a-4 was amended to allow Broker-Dealers who are FINRA members to store electronic records in a non-rewriteable, non-erasable format through the use of software controls which prevent erasing, and not only through the use of WORM disk.
This has a huge impact on small FINRA firms because they can now easily outsource their data archiving to third party providers whose software has these features built in, so the firm can simply specify an expiry or retention period for data storage. Then, after this expiry period or retention date, the records are automatically deleted, freeing disk space for reuse and thus saving costs.
Here are essentially three things FINRA will demand during an audit:
One: Reproduce the communications made from registered reps to clients. The key here, especially for small firms, is to first clearly define through a communications policy what methods reps will use to work with clients. For example, if the policy defines email and Facebook, then only electronic records stored on these systems need to be supplied to auditors.
Two: Reproduce data relating to Books and Records. This data can be in any format depending on the systems used by the firm, but will be contained in:
Asset and Liability Ledgers
Trial Balances and various other related documents
Many of the records, including communications that relate to the broker-dealer’s business as such, must be retained for three years; certain other records must be retained for longer periods.
Three: Documentation. And finally, firms will need to provide the following documentation to FINRA in order to satisfy SEC Rule 17a-4: the two FINRA third party storage notification letters from the FINRA designated third party provider (D3P), the agreement between the D3P and the firm, and a business continuity plan outlining how the firm will recover from a minor or major disaster.
During an audit, FINRA will surely perform an electronic records request. This request is a sample data set from the firm’s archive. For instance, the auditor will request historical emails from one or more registered reps for a certain time period in PST format; they will also ask for a sample of the books and records in their native format, usually Word, Excel or PDF, or however the firm has decided to store its records.
Therefore, small firms must make sure the provider they have chosen as their D3P has the tools to quickly perform these requests so that historical data can be restored immediately for the FINRA rep. Ideally, these restores will be done from one centralized, secure web interface that the compliance officer can log into at any time, then download the requested data and save it to a password protected zip file which can be supplied to auditors on the spot.
The cloud surely is a viable option for small FINRA firms to store data. Broker-Dealers, for example, can effectively use it to share documents among employees, partners and customers. However, they need to understand that storing data in the cloud is not 17a-4 compliant by default, simply because the data can be modified at any time by anyone. Therefore extra steps need to be taken; however, each cloud service has a different method to make it compliant.
For example, Dropbox creates a synchronized local folder on each PC it’s installed on, so it is a simple matter of transferring this data to a FINRA designated provider. ShareFile, on the other hand, requires that customers install a tool to connect to its cloud and synchronize data to a local folder. This tool is free and can be scheduled to run constantly and make secondary copies of cloud data for compliance.
Microsoft Office 365, on the other hand, requires customers to purchase a third party tool to synchronize their data, while other cloud providers, like Livedrive, simply don’t have a method to make compliant copies of data stored with them.
No matter what cloud provider FINRA firms choose to store electronic records, by default their data is neither protected nor properly archived. They have to understand that a couple of extra steps are needed: make secondary copies of cloud data, then choose a D3P that can properly archive this data so it is retained on 17a-4 compliant storage.
Since FINRA realizes small FINRA firms don’t have the IT budgets to perform the archiving of electronic records themselves, they are allowed to outsource this to a designated third party. However, before doing so, firms, especially broker-dealers, need to understand a few important features of SEC rule 17a-4.
Firstly, 17a-4 requires that firms keep secondary copies of data in a geographically separate location. It doesn’t matter whether this data resides on systems at the head office, on mobile devices or in the cloud; an automated process needs to be put in place to properly protect electronic records and communications. The best method for small broker-dealers and registered investment advisors is to use a provider that offers Remote Data Archiving.
Secondly, rule 17a-4 demands that firms archive email as well as other communications; similarly to data contained in books and records, this needs to be kept for 7 years in its original format. For small firms, Store and Forward is the best way to make sure this information is kept compliant. The Store and Forward method captures communications before they reach a firm’s systems, whether they are stored on corporate systems, mobile devices or in the cloud.
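As an added illustration (example code written for this page, not AdvisorVault’s software), the following Python model ties together the Store and Forward capture just described and the software-enforced non-rewriteable, non-erasable retention that the 2003 amendment allowed in place of WORM disk: each record is hashed and archived before it is forwarded on, cannot be overwritten or erased until its retention date, and can be purged once that date has passed. The 7-year period expressed in days, the record ids and the sample message are constructed assumptions.

```python
# Added example, not AdvisorVault's code: a minimal store-and-forward archive that
# models software-enforced "non-rewriteable, non-erasable" retention under 17a-4.
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta

RETENTION_DAYS = 7 * 365  # assumed: the page's 7-year best practice, in days


class RetentionViolation(Exception):
    """Raised when a record would be changed or erased before its retention expiry."""


@dataclass(frozen=True)  # frozen: the archived copy itself cannot be rewritten
class ArchivedRecord:
    record_id: str
    captured_on: date
    expires_on: date
    sha256: str  # integrity hash taken at capture time, before forwarding
    content: bytes


@dataclass
class WormArchive:
    """Append-only archive indexed by record id; nothing is erased before expiry."""
    records: dict = field(default_factory=dict)

    def capture(self, record_id, content, captured_on, destination):
        """Store and forward: archive the original copy, then deliver it onward."""
        if record_id in self.records:
            raise RetentionViolation(f"{record_id} already archived; overwrite refused")
        digest = hashlib.sha256(content).hexdigest()
        expires_on = captured_on + timedelta(days=RETENTION_DAYS)
        rec = ArchivedRecord(record_id, captured_on, expires_on, digest, content)
        self.records[record_id] = rec  # archive copy exists before delivery
        destination(content)           # only now forward to the final destination
        return rec

    def verify(self, record_id):
        """Integrity check an auditor can run: stored bytes still match the hash."""
        rec = self.records[record_id]
        return hashlib.sha256(rec.content).hexdigest() == rec.sha256

    def purge(self, record_id, today):
        """Erase a record only once its retention period has run out."""
        rec = self.records[record_id]
        if today < rec.expires_on:
            raise RetentionViolation(f"{record_id} retained until {rec.expires_on}")
        del self.records[record_id]  # disk space freed for reuse, as the rule allows
```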
And lastly, rule 17a-4 asks firms to put in place a disaster recovery plan. This is critical, particularly for small broker-dealer firms, and as such it’s ideal that they use the same provider who is acting as the D3P and the electronic records archiving provider to help with recovery of data or systems. Therefore, they need to make sure the provider has the features in its software to perform a full backup image of server and PC disk drives and save them remotely, with the ability to perform incremental snapshots thereafter for point-in-time full restores back to the original hardware or to dissimilar systems.
SEC rule 17a-4 directs FINRA firms to maintain and keep books and records for 3 years, and certain records for longer. Best practice for Broker-Dealers and Registered Investment Advisors is to keep their electronic records for 7 years.