FINRA changed rule 17a-4 last year, adding an audit trail option (supposedly attempting to ease the pain of WORM disk). I honestly don’t know how an audit trail will help my customers meet data compliance, so I decided to setup a lunch with my tech guru last week to pick his brain – I paid for the beers – here’s how it went:

Talking About FINRA's Update to Rule 17a-4

Me: Thanks for meeting today, I wanted to ask you, since FINRA is telling firms they can now use an audit trail to meet the electronic records retention demands of SEC/FINRA rule 17a-4 instead of WORM disk, how will an audit trail help a firm with data compliance today?

Guru: What do you mean an audit trail? Do you mean an audit log, like turning on logging for everyone’s activities on the system?

Me: I suppose that's what FINRA means by an audit trail, so it's the same as logging? Like tracking what people do on the system like changes to files, deletions, updates, permissions, and so on...

Guru: Yes, exactly, but using an audit log to meet FINRA’s electronic records retention demands doesn’t make sense: do you know how big an audit log will be? Even when it’s turned on after a few weeks, and not just that - it’ll be impossible to search for compliance reviews, I mean if the regulator came in for the audit and wanted to find something related to the firm’s business in the audit log, the data will be garbled; it won’t be in a format the regulator could read anyways.

Essentially, there are three options to achieve rule 17a-4 today:

Me: Wow, really? I had no idea. But FINRA says firms can now use an audit trail instead of WORM storage for data compliance.” (I showed Guru a link to the SEC site, where Chair Gary Genser claims their decision to add the audit trail gives firms more flexibility with electronic records retention. In addition, Genser says firms will have more protection, authenticity, and reliability of original records.)

Guru: Ok, sure, but I don’t think Mr. Genser or anyone at FINRA has ever setup audit logging or even seen one up close & personal, but let’s take a real-world example - you have customers running on what kind of systems now?

Me: Essentially, I have three types of customers. Some using in-house systems, some on Google Workspace, but the majority are on Microsoft 365.

Guru: I see, well, forget about audit logging your customers using in-house systems to store their electronic records, it would be a nightmare for the typical FINRA firm trying to audit log everyone’s PCs or servers, even if they did, it would be impossible to track: they’d have audit logs all over the place. And Google Workspace is no-go too – their audit logging for compliance is severely limited and FINRA wouldn’t be impressed with that. But let’s go with enabling an audit trail/logging on Microsoft 365 to meet the new 17a-4 rule - for shits and giggles.

Me: Ok, lets do that, just for shits and giggles.

Guru: Ok then let's google "enable audit logging on Microsoft 365" . The first result will be a big, long complicated document where you'll find out by default, audit logging is enabled on Microsoft 365, HOWEVER, the log is only retained for 180 days – a huge problem with FINRA since they’ll want firms to keep records seven years to meet the retention demands of 17a-4. Next, you will notice that if a firm wants to retain logs longer, they’ll need to pay more, according to Microsoft: To keep the audit log longer than 180 days everyone needs the Microsoft 365 E5 Compliance with eDiscovery and Audit add-on license for $60 more per user. But remember you’ll also need to learn how to apply a retention rule making sure the audit logs are retained, like you need to run PowerShell commands - but here’s the real kicker, the audit log retention rules can be removed at anytime by someone with the right permission, like let’s say a new admin is hired who starts poking around the system one day and says to himself, we don’t need this audit log retention thing, turns it off, and Boom! Your customer is now non-compliant.

Me: I am really trying to wrap my head around this: why would FINRA add an audit trail to replace WORM disk storage as another option to meet the long-term electronic records retention requirements if its so hard to configure, expensive and can be simply turned off?

Guru: Good question, but honestly, a typical FINRA firm should stay with archiving records off site with a D3P provider – I wouldn’t enable audit logging if I was them. I mean, a good FINRA 17a-4 D3P will have everything built into their software anyway, with indexing. Also, with a 17a-4 D3P firms are getting secondary copies of records offsite for disaster recovery or if some nasty virus hits so people can recover or worse, they get ransomware – how does enabling an audit trail help solve these problems?

Me: These are all good questions, but its clear to me that the typical FINRA firm can’t use the audit trail option to meet rule 17a-4. I mean even if they are fully running their office on Microsoft 365, it’ll take too much expertise to configure, will cost extra – and anyway – it can simply be turned off! Thanks for your expertise today.

In reality, using an audit log or trail to meet 17a-4 is a nightmare for the typical FINRA firm: logging everyone’s PCs or servers, would be impossible to track, they’d have audit logs all over the place and trying this on the cloud is complicated and expensive, nonetheless, if the regulator came in wanting to find something related to the firm’s business in the audit log, the data will be garbled; it won’t be in a format the regulator could read anyways.”

Summary

FINRA changed rule 17a-4 last year, adding an audit trail option supposedly giving more protection of electronic records. However, this won't work: for firms with in-house systems, audit logging would be a nightmare, Google Workspace is no-go too and Microsoft 365 is complicated to audit- by default their logs are retained only 180 days but FINRA's wants a seven year retention, but to retain logs longer Microsoft 365 must be upgraded to E5 for an additional $60 per user, honestly, firms should continue archiving records off-site using a 17a-4 D3P provider because the audit trail is built-in with indexing, also secondary copies of records will be offsite for disaster recovery and protection against other threats.

About AdvisorVault

AdvisorVault is the only FINRA D3P with a Consolidated 17a-4 Service, designed to give small firms everything needed to meet today’s data compliance demands. Our turn-key approach performs the archiving, retention, and supervision of electronic records no matter where they are stored – in-house or in the cloud. Including the FINRA third party letters with all the required documentation. For one flat monthly fee it’s the only fully 17a-4 compliant option - Complete data compliance peace of mind, out-of-the-box.

Allan Lonz, President
alonz@advisorvault.com
direct: 416-985-0310
Toll free: 1-866-732-1407 ex 1