An important thing I’ve learned working with small FINRA firms over the past 20 years is their need to continually find ways to keep technology spending as low as possible yet keep regulators happy, i.e., pass the 17a-4 electronic records request. It’s not a simple task since there are lots of ways to store data, also lots of ways to trip up when FINRA comes in to request a sample set from the archive. But I must quote my favorite cop at this point, Sgt. Joe Friday, when were talking about data compliance, “Just the facts Mam’ma.“

FINRA likes it when firms consolidate their data archive with one third-party making the 17a-4 electronic requests easier and the best option is choosing a Consolidated D3P. This kind of D3P will retain all data within the cloud such as full email accounts with contacts/calendar/complete profile, books, and electronic records (Word docs, scanned data, and customer databases). In addition, the D3P will include the documentation FINRA needs to assign the provider as the D3P and finally the provider will act as the third-party downloader at any time requested by FINRA within 48 hrs.

I can’t count the number of times customers asked me if they can use the cloud to run their business, and I tell them yes, the cloud is a great way to simplify tech spending; it’s a completely outsourced option for email and data storage enabling sharing with collaboration among employees and partners. Further, there’s no ongoing hardware or software costs, only one pay-as-you-go monthly fee. For instance, a popular choice is Microsoft 365 which is a complete virtual option in the cloud suited for small FINRA firms.

However, the cloud (by default) isn’t 17a-4 compliant. In other words company data stored there can be deleted or modified by anyone at any time, worst of all, compliant copies of data isn’t sent offsite. Also, records aren’t retained for seven years, and cloud providers won’t act as the FINRA D3P – they simply won’t guarantee data will be retained as per rule 17a-4. Anyway, they also won’t provide the two 17a-4 attestation letters FINRA needs to complete the compliance registration allowing the use of their electronic storage platform. Therefore, firms who want to use the cloud need to understand a few important things, particularly about SEC rule 17a-4, to make sure they use the cloud compliantly.

First, it’s important to understand FINRA amended rule 17a-4 in 2003 allowing members to use non-worm disk for retain electronic records. This means that as of 2003, firms can use systems with software features built into preventing the deleting or modifying of data. This amendment to 17a-4 is important because firms can now outsource the archiving of data to third parties who can set retention rules on data using software without the need for WORM disks. These retention rules can be set to delete data after a period of time, usually three to seven years, thus freeing up space to be used for current data. As a result, archiving sets are as small as possible, keeping data storage costs low while satisfying the 17a-4 electronic records retention requirement.

Second, FINRA doesn’t care where data is stored; their only concern is firms make copies of it for 17a-4. For small firms who also outsource data archiving, this means using an automated method to transfer current data in the cloud to the D3P. Thankfully it’s not difficult.

For instance, AdvisorVault has built in connectors to Google Workspace and Microsoft 365 to automatically capture all data on these Cloud systems, transfer it over to our 17a-4 compliant platform and retain this data for 7 years in its original format (the basics of 17a-4). In addition, AdvisorVault makes this cloud data available for retrieval by customers at any time if they are audited and asked for an electronic records request. Also, this achieves the ongoing supervision of cloud electronic records and emails as required by 17a-4 and FINRA audits. The AdvisorVault Cloud Connect can be setup in minutes – giving FINRA firms an instant compliant option for all cloud data.

FINRA likes it when a firm consolidates their entire archive with one third-party, making the 17a-4 electronic requests easier. One way to do this is to choose a Consolidated D3P. This kind of D3P will retain all data within the cloud such as full email accounts with contacts/calendar/complete profile, books, and records (Word docs, scanned data, and customer databases). In addition, the D3P will include the documentation FINRA needs to assign the provider as the D3P and finally the provider will act as the third-party downloader at any time requested by FINRA (within 48 hrs).

Before using the cloud to run their office, small FINRA firms need to understand a few important things about 17a-4 to be compliant. Such as current amendments to the rule, how to choose a provider with a direct 17a-4 connector to G Suite and Office 365, finally it’s important to have a Consolidated D3P service to make sure electronic records, full email accounts and the D3P service is included. This will help them keep the cost of technology as low as possible and ensure regulators are kept happy. AdvisorVault’s Consolidated D3P Service is the answer for small firms wanting to move their office to the cloud, yet be compliant.