FINRA firms, especially broker-dealers, want to use Amazon Web Services (AWS) to store trade & transaction data for their business applications. Unfortunately, there’s lots of confusion when it comes to 17a-4 compliance on Amazon, and rightly so: there are no clear answers on whether it will meet the long-term retention demands of 17a-4, so firms are afraid to take advantage of it. However, AdvisorVault has solved the problem with four steps that get FINRA happy with firms on Amazon.

Making FINRA Happy on AWS

 

FINRA firms, including broker-dealers, surely want to use Amazon Web Services; it’s arguably the best option to instantly create a hosted backend on the cloud to store application data such as trades & transactions. It also gives firms a hosted platform that has zero maintenance, high availability and built-in security, and that is totally scalable, cheap (pay as you go) and fully supported by Amazon. Best of all, using AWS means there’s one less technology for firms to worry about, especially small ones with no in-house staff who want to keep the cost of tech under control.

Unfortunately, few firms take advantage of Amazon to run their backend storage. Truth is, they’re afraid of using AWS for fear of failing 17a-4; specifically, they’re worried about electronic records retention, and rightly so: Amazon AWS is not 17a-4 compliant by default, and surely not WORM compliant. I mean, like all cloud platforms, including Microsoft 365, Amazon doesn’t meet FINRA’s long-term electronic retention demands out-of-the-box, and firms need to understand that modifications must be made. Also, Amazon & Microsoft (and Google, by the way) won’t act as the FINRA D3P, nor will they give firms the two required attestation letters FINRA will need. But as with all technology, in-house or in the cloud, FINRA doesn’t care how firms decide to store electronic records, as long as they take the right steps to meet the requirements of 17a-4.

However, there are four steps FINRA firms can take to make Amazon 17a-4 compliant and keep FINRA happy at the same time.

Amazon Won’t Act as FINRA 17a-4 D3P

 

When a FINRA firm decides to use Amazon to store data (especially a FINRA broker-dealer wanting to use it to store trade and transaction data), they need to know that by default it’s not 17a-4 compliant. There’s lots of confusion on this point; even Amazon won’t give a clear answer. So, to put it to rest, I called Amazon myself (pardon me, I did a web chat; you can’t call anyone at Amazon, what was I thinking). However, I got hold of Andrew, one of their sales support pros, and I asked him if he knew anything about the FINRA 17a-4 D3P requirement. After a long pause with the chat window blinking, he sent a link (I assume he just googled it himself, since I’d read it already): https://aws.amazon.com/compliance/secrule17a-4f/

Basically, Amazon says this about acting as the FINRA 17a-4 D3P: AWS will file a letter of undertaking with the SEC; however, in the same paragraph Amazon says they WILL NOT act as a Designated FINRA Third Party (D3P), nor will they file undertakings pursuant to section 17a-4. Huh? Confused… and that’s exactly what Amazon has on their site to date. I then asked Andrew straight out, “OK, so Amazon won’t act as the FINRA 17a-4 D3P?” Andrew promptly replied, “from that document no – it appears not, but have a great day!”

I had the same conversation with Curtis, a Senior Program Manager from Microsoft (however, Microsoft has an email address you can reach them at about this), and he replied, “Microsoft supports compliance with 17a-4, but doesn’t offer the FINRA 17a-4 D3P service.” He also sent me a link (I am sure he just googled it too): https://learn.microsoft.com/en-us/compliance/regulatory/offering-SEC-docs#designated-executive-officer-or-third-party-undertaking

Microsoft says this about acting as the FINRA 17a-4 D3P: SEC Rule 17a-4 requires the broker-dealer or FINRA firm to designate either an executive officer or an unaffiliated third party to submit a required undertaking to FINRA, and Microsoft doesn’t provide Third-Party Undertaking letters or services. Broker-dealers & FINRA members are responsible for submitting the undertaking to their designated examining authority themselves.

Point is, FINRA firms honestly don’t want to jump through hoops trying to understand if AWS is 17a-4 compliant, nor waste time with Amazon trying to figure it out; instead, they want to take advantage of the best technology to run their business.

AdvisorVault: Getting Customers 17a-4 Compliant on Amazon

AdvisorVault has created a four-step solution, priced at a flat monthly fee, that gets FINRA firms 17a-4 compliant on Amazon Web Services:

  • One. S3 Object Lock On Amazon: The first step when a FINRA firm wants to use Amazon Web Services is to make it WORM compliant. This is done by setting an S3 Object Lock on an Amazon bucket, meeting the immutable storage requirement of 17a-4. Firms deploy a compliance control on an Object Lock set up for “Write Once Read Many” (WORM) and time-based records retention for seven years, as per 17a-4 requirements. Once locked, the Vault Lock policy becomes immutable and AWS records cannot be deleted or altered until there are no more archives to protect on AWS.
  • Two. Connection to AWS: Once the Object Lock is applied to the AWS bucket, making it WORM compliant as per FINRA rule 17a-4, a connection is made using a cloud app. This is a persistent access made for verification because, when using a FINRA D3P with AWS, proof is needed that a designated third party has access to the firm’s WORM-compliant system. For AdvisorVault to securely connect to the customer’s AWS S3 bucket, we request that the customer create a read-only access key with the necessary permissions for the specific bucket from the Identity and Access Management (IAM) option. This also keeps FINRA happy surrounding access & security on AWS.

  • Three. FINRA Compliance Reporting: When a firm, such as a broker-dealer, intends to use Amazon to store records, FINRA needs proof of a few things: that the system verifies automatically the quality and accuracy of the storage media used, and that it serializes the original, with time-date, for the required period of retention on the electronic storage media. AdvisorVault meets these demands through our connection, using our cloud app, to the customer’s Amazon bucket, with weekly reports to the compliance officer verifying the D3P connection and access to Amazon for ongoing 17a-4 compliance auditing.

  • Four. 17a-4 D3P Service: Finally, we provide the FINRA 17a-4 D3P service, including attestation letters, with access to AWS if requested by regulators. When a FINRA firm intends to use Amazon to store trade or transaction data, it needs to notify FINRA; it’s essentially optical disk, and an independent third-party D3P must be assigned who has the capacity to readily download records and provide them to auditors in a readable format after reasonable notice, specifically if a firm fails to respond to FINRA during an electronic records request.
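
Steps One and Two can be checked before anyone relies on them. The following is an added example, not AdvisorVault’s or Amazon’s code: it audits a bucket’s Object Lock settings (in the shape S3 returns from GetObjectLockConfiguration) for compliance mode and seven-year retention, and an IAM policy for read-only access scoped to one bucket. The bucket name and all sample documents are constructed for illustration.

```python
REQUIRED_YEARS = 7  # retention period named in step One

def check_object_lock(cfg):
    """Findings for a dict shaped like S3 GetObjectLockConfiguration output."""
    lock = cfg.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled"]
    findings = []
    retention = lock.get("Rule", {}).get("DefaultRetention", {})
    if retention.get("Mode") != "COMPLIANCE":
        findings.append("default retention mode is not COMPLIANCE")
    # A default retention period is given in either Days or Years.
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if days < 365 * REQUIRED_YEARS:
        findings.append(f"default retention of {days} days is under {REQUIRED_YEARS} years")
    return findings

def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)

def check_read_only_policy(policy, bucket):
    """Findings for an IAM policy that should allow only reads on one bucket."""
    in_scope = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("Allow with NotAction/NotResource is too broad")
        for action in _as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive; s3:Get* and s3:List* are reads.
            if not action.lower().startswith(("s3:get", "s3:list")):
                findings.append(f"action {action} is not read-only")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource not in in_scope:
                findings.append(f"resource {resource} is outside the bucket")
    return findings

# Constructed samples; "example-records" is a placeholder bucket name.
WEAK_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Years": 1}}}}
GOOD_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 7}}}}
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
READ_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-records", "arn:aws:s3:::example-records/*"]}]}
```

Governance mode is flagged because users holding the right permission can bypass it, whereas a compliance-mode lock cannot be shortened or removed by any user until the retention period ends.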

Summary

FINRA firms, including broker-dealers, surely want to use Amazon Web Services to store data; it’s arguably the best option to instantly create a hosted backend on the cloud to store application data such as trades & transactions. Unfortunately, few firms take advantage of it. Truth is, they’re afraid of using AWS for fear of failing 17a-4, but AdvisorVault has created a four-step solution that gets FINRA firms 17a-4 compliant on Amazon Web Services.

About AdvisorVault

AdvisorVault is the only FINRA D3P with a Consolidated 17a-4 Service, designed to give small firms everything needed to meet today’s data compliance demands. Our turn-key approach performs the archiving, retention, and supervision of electronic records no matter where they are stored, in-house or in the cloud, and includes the FINRA third-party letters with all the required documentation. For one flat monthly fee, it’s the only fully 17a-4 compliant option: complete data compliance peace of mind, out-of-the-box.

Allan Lonz, President
alonz@advisorvault.com
direct: 416-985-0310
Toll free: 1-866-732-1407 ex 1