Unfortunately, FINRA keeps changing the rules when it comes to data compliance. For instance, they just adopted an audit trail option that supposedly helps firms meet the demands of SEC rule 17a-4. But an audit trail doesn’t make sense: the reality is, firms still need to assign a FINRA Designated Third Party (D3P) to archive data offsite to satisfy the electronic retention requirements of the rule and to be compliant with today’s cybersecurity demands.

Despite this bizarre change FINRA has made, the best way forward for firms is clear direction. That’s what AdvisorVault provides: we get customers on Microsoft 365 properly (an approach we take specifically by partnering with Compliant Workspace), then use our 17a-4 Cloud Plugin to get them compliant on the cloud, with no need to figure out how to set up an audit trail. I solve this riddle in my blog.

Eliminate Gaps in the 17a-4 Archive

Amidst all this confusion, I still take the same approach to compliance that’s been working for years. Since FINRA continually fails to give clear direction, my focus is helping customers meet the long-term retention demands of rule 17a-4. For example, when a firm calls (often in desperation) needing to meet 17a-4, I start by asking a few questions: Where is the firm’s data stored? Where is email hosted? What’s used for teleconferencing and messaging? How many 17a-4 D3Ps are there? With this information, I can immediately find gaps in their electronic records retention, with the goal of ensuring they pass the 17a-4 audit when the FINRA regulator shows up and asks for a sample set of data from their archive.

What I usually find is that firms have gaps in their 17a-4 archive because they’re running a “hybrid” environment. By hybrid I mean data scattered all over the place: records stored in-house on people’s PCs and servers, data on cloud services like Dropbox/ShareDrive, and different cloud platforms used within the same company, such as some employees on Microsoft 365 and others on Google Workspace. In other words, a compliance nightmare waiting to happen. Using an audit trail at this point to meet 17a-4 would be absurd, because the logs would be all over the place, making them impossible to track come audit time. Firms end up with:

  • Records saved in-house, on people’s PCs and servers

  • Data stored on multiple cloud systems like Dropbox/ShareDrive

  • More than one cloud platform in use, with employees split between Microsoft 365 and Google Workspace

This nightmare is amplified when a firm has data all over the place because its 17a-4 archive isn’t consolidated on one platform: when FINRA shows up requesting data going back seven years, records are missing, and compliance officers surely don’t want the regulator breathing down their neck during the audit! Also, compliance officers can’t do their regular supervisory duties properly, since there isn’t a centralized interface, which creates more gaps. That is a huge problem when the auditor also wants proof that emails for all registered reps at the firm are being reviewed and flagged at least weekly.

This hybrid setup (which, unfortunately, most firms find themselves in), where data and systems are scattered all over the place, also creates cybersecurity holes. Usually there’s an old server running an end-of-life OS like Microsoft Windows 2012 that can’t be patched anymore, and the PCs are wide open too: data stored on them is totally at risk, not locked down or secured, and lacking properly updated virus protection. In addition, there are various cloud services that aren’t managed properly, and no one knows how to protect them either. They are usually set up with weak passwords on the admin accounts.

Then there’s an “outdated email service” without encryption or multi-factor authentication to speak of, and management can’t monitor users from a central interface. Finally, small firms don’t have IT staff in-house, and they surely don’t have a dedicated cybersecurity expert assigned to the role. But the biggest problem is that firms can’t detect suspicious activities, can’t track simple changes like users being created or data or email accounts added, and aren’t aware of incoming attacks or stolen data. There is no way they’ll meet the new FINRA cybersecurity rules of 2023 with this setup.

Moving to the Microsoft 365 Cloud Properly

Nonetheless, the solution for small FINRA firms needing to close gaps in their 17a-4 data archive and become cybersecure is moving to the Microsoft 365 Cloud properly. With this, their technology will be consolidated on one cloud platform, including data storage, email hosting, teleconferencing, cybersecurity and user management, AND electronic records archiving, retention, supervision and audit requests will be centralized.

But what does it mean to “get on Microsoft 365 properly to meet 17a-4 compliance”? First, it means fully migrating everything to avoid gaps in electronic records retention. Fully migrating means specifically moving all users’ personal data off their PCs to individual OneDrive accounts; migrating in-house data stored on servers to company SharePoint sites; fully migrating email accounts to Exchange Online; and configuring private and group chats on Teams, all ready for archiving with the 17a-4 D3P’s long-term retention off the cloud.

The problem is, Microsoft is no help getting companies onto their cloud platform, especially small firms. In fact, they offer very little support; for example, they won’t help customers migrate existing in-house data or email accounts to their cloud. I mean, they’ll send oodles of instructions, but that’s all. I don’t even think the average firm can call Microsoft support directly for help if they are having problems migrating to the cloud; they’ll create a ticket online and respond when a support rep is free. And forget about the security and protection of data when the migration is finished; firms are on their own here as well.

Using a Consolidated 365 Service

Getting on Microsoft 365 in a 17a-4 compliant way means getting on the cloud properly. In other words, it means choosing a Cloud Provider with a complete service that includes: (1) a clear path for migrating to the cloud, (2) a plugin application included to secure and monitor the Cloud, and (3) a plugin application to archive records off Microsoft 365 to meet the FINRA 17a-4 electronic records retention demands.

That’s why AdvisorVault has partnered with Compliant Workspace to ensure customers get on the Microsoft Cloud properly. Unlike Microsoft or other generic Cloud Providers who simply sell basic subscriptions, Compliant Workspace includes everything needed to ensure full 17a-4 compliance on the Microsoft Cloud, built in and out-of-the-box, designed for companies needing a higher level of service on the cloud.

Meeting FINRA Cybersecurity

It’s important to understand that security on the cloud has a different meaning for FINRA firms, especially small ones without in-house IT staff who need to outsource to a third party that’ll take care of it completely. While they must ensure the same basic protection as other companies, i.e., prevent phishing, ransomware, malware and spoofing attacks, they now must also meet FINRA’s new cybersecurity demands as of March 2023. For instance, FINRA wants more monitoring of and response to threats. Specifically, firms now need to demonstrate that their policies, procedures and controls for security are robust enough and “reasonably designed.” They’ll also need to prove they can directly respond to and recover from cyber incidents and make the required notifications to impacted individuals.

Here Microsoft is also lacking what FINRA firms need; in fact, by default advanced security is not enabled on their Cloud (I assume they don’t want firms shooting themselves in the foot right off the bat). Therefore, a FINRA firm must add a plugin to the Microsoft Cloud to meet these new cybersecurity demands (Microsoft won’t suggest this either; firms need to find one). Compliant Workspace includes a FINRA approved cybersecurity plugin with 24/7 email alerts that detects changes in security policies, sign-ins from unusual locations, unknown devices or IPs, suspicious mailbox activities and administrator abuse, with threat protection and deployment of best-practice security options. In addition, the settings include file and mailbox audit logs always on, MFA enabled for admins and all users, and inbound spam notifications set. These are all the features needed to make Microsoft 365 fully compliant with the new FINRA cybersecurity demands, out-of-the-box.
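As an added illustration of the monitoring checklist just described (this is example code, not AdvisorVault’s or Compliant Workspace’s plugin), the following Python runs the unusual-location, unknown-device-or-IP and MFA checks over constructed Microsoft 365-style sign-in records, and compares a constructed tenant settings snapshot against the always-on audit and MFA expectations. The field names, office IP range, device list and settings keys are all assumptions.

```python
# Added example: baseline-and-deviation review of sign-ins plus a settings check.
# Not AdvisorVault/Compliant Workspace code; all names and values are constructed.
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sign-in records, loosely shaped like Entra ID sign-in log fields.
SIGNINS = [
    {"user": "alice", "ip": "203.0.113.10", "country": "CA", "device": "LAPTOP-01", "mfa": True},
    {"user": "alice", "ip": "203.0.113.11", "country": "CA", "device": "LAPTOP-01", "mfa": True},
    {"user": "alice", "ip": "198.51.100.7", "country": "RU", "device": "UNKNOWN-77", "mfa": False},
    {"user": "bob", "ip": "203.0.113.20", "country": "CA", "device": "DESKTOP-02", "mfa": True},
]
# Assumed office egress range and registered-device inventory (constructed).
OFFICE_NETS = [ip_network("203.0.113.0/24")]
KNOWN_DEVICES = {"LAPTOP-01", "DESKTOP-02"}

def baseline_countries(signins):
    """Most common sign-in country per user, used as that user's 'usual location'."""
    per_user = {}
    for s in signins:
        per_user.setdefault(s["user"], Counter())[s["country"]] += 1
    return {u: c.most_common(1)[0][0] for u, c in per_user.items()}

def flag_signins(signins):
    """Return (user, reasons) for every sign-in that deviates from the baseline."""
    usual = baseline_countries(signins)
    flagged = []
    for s in signins:
        reasons = []
        if s["country"] != usual[s["user"]]:
            reasons.append("unusual location")
        if s["device"] not in KNOWN_DEVICES:
            reasons.append("unknown device")
        if not any(ip_address(s["ip"]) in net for net in OFFICE_NETS):
            reasons.append("IP outside office ranges")
        if not s["mfa"]:
            reasons.append("no MFA")
        if reasons:
            flagged.append((s["user"], reasons))
    return flagged

# Constructed tenant settings snapshot; the keys are illustrative, not a real API.
TENANT = {"mailbox_audit_enabled": True, "mfa_required_all_users": False, "spam_notifications": True}

def config_gaps(settings):
    """List checklist settings that are not in the expected (always-on) state."""
    expected = {"mailbox_audit_enabled": True, "mfa_required_all_users": True, "spam_notifications": True}
    return [key for key, want in expected.items() if settings.get(key) != want]
```

Run as a scheduled job, `flag_signins` would feed the 24/7 alerting the passage describes and `config_gaps` would catch drift in the security policies themselves.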

17a-4 Plugin: The Next Step to Cloud Compliance

Once a firm is fully on Microsoft 365, with all gaps in their archiving fixed and security and monitoring set up to meet today’s cybersecurity demands, the next step is installing AdvisorVault’s 17a-4 Cloud Archiving Plugin. Yes, that’s right: firms must add an archiving plugin to Microsoft 365 to meet 17a-4, since, as with security and monitoring, Microsoft doesn’t back up or retain customers’ data on their cloud, and surely not as FINRA requires (in fact, by default, users and all their data and emails can easily be deleted, a big no-no for FINRA). Therefore, an additional step is needed for firms that have migrated their business to the Microsoft Cloud.

AdvisorVault’s 17a-4 Cloud Archiving Plugin is added to the Microsoft Cloud to meet FINRA compliance. This means our Plugin ensures the retention of electronic records stored on the cloud; for instance, we archive emails and data stored on OneDrive and SharePoint, including Teams chats. In addition, our 17a-4 Cloud Plugin for Microsoft 365 provides granular protection of data, with the ability to restore individual emails, files, contacts, calendar items and Teams chats, which is critical for audits when a firm needs to reproduce electronic records. Also, our 17a-4 Plugin automatically detects and archives data on the cloud as users create it. Finally, records are transferred off the Microsoft Cloud to a separate system that’s 17a-4 compliant, giving further protection against ransomware attacks.

The FINRA D3P: A Final Step in 17a-4 Compliance

Finally, since we archive customers’ records off Microsoft 365, we act as their FINRA 17a-4 D3P as well. Having our customers’ data archived (everyone’s emails, OneDrive, company SharePoint sites and Teams chats, all on our 17a-4 compliant system) means we help meet the final step of 17a-4 compliance. This is critical for rule 17a-4 because FINRA wants firms to choose a third party with independent access to their electronic records archive who will reproduce data if the firm fails to do so. Often FINRA will contact the D3P directly during an audit, and the third party must be able to respond within a 48-hour period.

In addition, our 17a-4 D3P service includes all the features auditors need for their requests and that compliance officers use during regular audit supervision, such as a full-featured Web interface to access the Microsoft 365 archive for FINRA electronic records requests, where they can create sample sets of data, run customer searches and download records for FINRA auditors when they arrive. The two FINRA D3P attestation letters are sent when customers sign up with AdvisorVault.

Summary

Despite the recent confusion from FINRA telling firms they can use an audit trail to archive data, the solution for small firms needing to close gaps in their 17a-4 data archive is getting on the Microsoft 365 Cloud properly. In other words, use a Consolidated 365 Cloud Service provider that’ll get them fully on the cloud with a Cybersecurity Add-on, then use a 17a-4 Cloud Archiving Plugin to make the Microsoft Cloud compliant with FINRA 17a-4, and finally add the D3P service. By using these steps to make the cloud compliant, there’s no need to use an audit trail.

About AdvisorVault

AdvisorVault is the only FINRA D3P with a Consolidated 17a-4 Service, designed to give small firms everything needed to meet today’s data compliance demands. Our turn-key approach performs the archiving, retention and supervision of electronic records no matter where they are stored, in-house or in the cloud, and includes the FINRA third party letters with all the required documentation. For one flat monthly fee, it’s the only fully 17a-4 compliant option: complete data compliance peace of mind, out-of-the-box.

Allan Lonz, President
alonz@advisorvault.com
direct: 416-985-0310
Toll free: 1-866-732-1407 ex 1