I’ve notice there’s lots of talk these days about data compliance and the cloud, specifically the problem surrounding the FINRA Designated Third-Party Provider or 17a-4 D3P. What I’m talking about here is a FINRA firm such as a broker-dealer and the compliance officer, who, if they’ve done their homework, will need to fully understand a few things up front before scrapping their in-house systems and moving everything to the cloud, and then if they don’t do it right – get soaked!

First, they’ll need to know if the cloud provider will act as the D3P. Next, they need to ensure the cloud provider will retain their data as per 17a-4. But more importantly, what’s FINRA going to think about the cloud provider they’re using when they come in for the audit?

These are important questions to answer, especially for a small FINRA firm who is thinking about using a popular cloud service from one of the main ones: Microsoft 365, Amazon, or Google. I don’t intend to be the devil’s advocate here, but when I look closer at their offerings, the answers aren’t clear to me. I mean when you read recent documents published by the big three cloud providers, you may believe they can act as the FINRA D3P but when you dig deeper it gets fuzzy real quick.

Let’s take Microsoft, for example (since they are the best option today for a small FINRA firm) where they have their Azure Immutable Blob Storage with the Policy Lock option which they claim meets all the demands of 17a-4. However, Microsoft states in their Terms of Service: “We strive to keep the Services up and running; however, all online services suffer occasional disruptions and outages, and Microsoft is not liable for any disruption or loss you may suffer as a result. In the event of an outage, you may not be able to retrieve Your Content or Data that you have stored. We recommend that you regularly backup your content and data that you store on our services with third-party apps and services.”

And according to Amazon, they have their Vault Lock which apparently allows you to easily deploy and enforce compliance controls on individual Glacier vaults via a lockable policy. Once locked, they claim, the Vault Lock policy becomes immutable, and Glacier will enforce the prescribed controls to help achieve your compliance objectives. But they add that Amazon Web services is not a FINRA designated third party (D3P) and advises customers to select a proper provider and include this information in their notification to their “Designated Examining Authority (DEA)” when using Amazon for electronic records storage archiving.

Same with Google’s cloud storage. For compliance, they have added their bucket lock feature, yet Google states clearly (if you investigate further) that on this feature called Google Cloud Storage, when properly configured and used with the Bucket Lock feature, MAY help users address U.S. record retention regulations, such as: SEC Rule 17a-4, but in the article here: https://cloud.google.com/security/compliance/offerings#/regions=USA

What you’ll find it interesting that Google doesn’t claim to be a FINRA 17a-4 D3P (and if you contact them as a broker-dealer, the FINRA 17a-4 attestation are no where to be found). Also, you will have to “obtain an independent and objective assessment of Google Cloud Storage’s compliance capabilities.” In other words, you will need to hire a FINRA D3P in addition to using Google storage if you’re a FINRA firm.

But simply putting locks on data isn’t enough for FINRA – 17a-4 is more complex than that and there’s a whole check list of items a firm needs to know about, a 17a-4 D3P also must: