I’ve noticed lots of confusion these days about data compliance. I don’t know whose fault it is: could be the regulators, the compliance officers, or the consultants. I suspect it’s the big IT vendors trying to up-sell us (you know who I’m talking about). The problem is that no one is coming up with clear answers about this, since we’re still seeing so many fines lately for firms “failing to retain electronic records.” So I am going to try my best here to clear up a few important things you need to know. My advice for now: don’t hop in bed with the wrong experts and end up doing the walk of shame.

All this misunderstanding starts with technology. Sorry, I have to geek out on you now, but the fact is you’re getting confused, so you’re not doing backups properly. I’m talking about confusion surrounding the different data types your firm creates on a daily basis, such as dynamic and static data. OK, I know, your eyes are probably glazing over right now and you’re getting sleepy just thinking about it, but I simply mean the emails and files contained in your books and records, and how they must be treated differently. This is really important for a FINRA firm because the auditor is surely going to request this type of data when they show up.

Have a Clear IT Policy, FINRA’s Out the Door Faster

The first trick to make this whole issue of failing to retain electronic records easier is creating a clearly defined IT policy, then having the compliance officer and everyone else in the firm sign off on it. This matters especially when it comes to FINRA rule 17a-4, because your policy says your firm will only use certain systems to communicate with customers and partners and only certain storage for books and records.

For example, your IT policy says email will be your primary communication tool. My other suggestion is getting your firm on the cloud and then defining cloud storage, i.e., OneDrive and SharePoint, as where you will store your books and records. You can also add Teams as another way you’ll communicate. You won’t define anything else in your policy, such as databases, chats, text, or social media; therefore FINRA won’t care about it during the 17a-4 electronic records requests, and you won’t need to archive it.

Email Journaling: The Key to 17a-4 Compliance


Since you’ve already defined in your IT policy that your firm will be using email primarily to communicate with customers and partners, FINRA will surely want to see that during their electronic records request, so we’ll focus on this first.

The main point here is that emails are dynamic data, unlike documents, which are static data (we will get into the problems of file archiving later). Emails come in constantly and randomly; they are also moved around a lot, deleted, re-arranged, forwarded, blocked, exported. Email is a moving target, and if not treated properly, you’ll miss some in your archive. That’s why, to meet rule 17a-4 and make sure you properly archive messages, you must do more than back up; you need to use email journaling to be properly compliant, which is very simple to do, especially if you’re on Microsoft 365 or Google Workspace.

Email journaling is really easy to set up, especially if your firm is on Microsoft 365 or Google Workspace: it’s one click, and it sits right on top of the regular email backup you have running already. Journaling is very important to have in addition to email backups, because it does real-time archiving of emails before they get to employees’ inboxes.

In fact, if you choose AdvisorVault’s 17a-4 Cloud Plug-in, you don’t have to do anything if you are already running your email on Microsoft 365; when you sign up with our Cloud Plug-in, journaling is enabled instantly. Google Workspace is a different story: you have to manually add a journaling entry that’ll send email to our 17a-4 archive.

Benefits of Email Journaling

When you enable email journaling, you get a few really important benefits that will help with FINRA data compliance:

  • IT’S REAL TIME: Unlike backups that run a few times a day, journaling synchronizes in real time

  • AUTOMATIC FORWARD: Journaling forwards emails to the 17a-4 archive before they reach employees’ inboxes

  • IMPOSSIBLE TO DELETE EMAILS: Guaranteed full protection, since employees cannot delete emails

  • COMPLEMENTS REGULAR EMAIL BACKUP: Integrated into regular email backups for full protection

Proper Email Supervision and Retention

Next, after you get everyone’s email journaling, you’ll need to ensure messages are sent to a proper offsite archive. You can journal to any system you want, but it’s important you choose the right one, because your compliance officer will need to do their ongoing 17a-4 supervision and you’ll need to keep FINRA happy when they show up for the audit. This simply means:

  • Emails are retained for 7 yrs.

  • Can’t be deleted or modified

  • Can do advanced searches

  • Manually flag emails as compliant, non-compliant, reviewed

  • Dynamically flag emails based on keywords as they come in and alert the compliance officer

  • Download sample sets of email in PST file format for regulators

  • Give FINRA auditors their own login to the archive where they can do electronic records requests

Getting on the Cloud Can Clean up Your Data Mess

Alright, your company emails are being backed up and journaled to a 17a-4 compliant email archiving system; now we need to take care of your data files. By this I mean documents people create relating to the firm’s books and records, such as office docs, PDFs, saved attachments, exports from databases, and downloads. Journaling won’t help you with 17a-4 archiving of these, since we have a different problem here: documents are usually scattered all over the place, on people’s PCs, USB drives somewhere, a server in-house, and maybe everyone has gone off and set up their own private cloud storage account like Dropbox where they are storing data too.

The trick here is to be sure you do a full migration to the cloud, i.e., Microsoft 365 or Google Workspace. You don’t want to run any kind of hybrid scenario where you have some data in-house and some in the cloud; that would be a big compliance no-no.

For example, if you move your company to Microsoft 365, you will get everyone set up on OneDrive and move their personal data there, then be sure to change their default save location to their OneDrive account moving forward. Then take care of any server data with a company SharePoint site, where you’ll move shared folders. This way you will have one central storage and one central backup. Again, our 17a-4 Cloud Backup Plug-in automatically archives all your user data stored in the cloud in one fell swoop.


There’s lots of confusion today about data compliance, and none of the experts have clear answers about this, since we’re still seeing so many fines lately for firms “failing to retain electronic records” for FINRA rule 17a-4. These are mainly caused by the confusion surrounding the data types firms create, such as dynamic and static data. Moving to Microsoft 365 or Google Workspace is key, since journaling can be enabled and a direct cloud plug-in can be used to centralize the archiving of electronic records, giving full data compliance.

About AdvisorVault

AdvisorVault is the only FINRA D3P with a Consolidated 17a-4 Service, designed to give small firms everything needed to meet today’s data compliance demands. Our turn-key approach performs the archiving, retention, and supervision of electronic records no matter where they are stored, in-house or in the cloud, including the FINRA third party letters with all the required documentation. For one flat monthly fee it’s the only fully 17a-4 compliant option: complete data compliance peace of mind, out-of-the-box.

Allan Lonz, President
direct: 416-985-0310
Toll free: 1-866-732-1407 ex 1