SEC rule 17a-4 is very specific when it comes to electronic records retention, and FINRA members who miss the mark risk audit failure and large fines. For small firms with virtually no IT staff, it’s impossible to do this in-house, so they need to hire an outside vendor to outsource the archiving of data and emails.
"We have designed our solution specifically for the needs of small financial firms that require a simple, inexpensive option for remote storage of books and records, other documents as well as the archiving of emails and other communication", said Allan Lonz, President of AdvisorVault. "Small firms simply don't have the budgets of large companies and need to find an outside vendor to help them, especially with their data compliance. At the same time, they need a provider who fully understands their unique needs, this is where AdvisorVault comes in," Lonz added.
There are three key requirements FINRA members need to look for in a vendor to help them with the long-term archiving of data for SEC rule 17a-4.
1. Archiving of Various Data Types
When selecting a vendor to outsource the long-term archiving of electronic records, small financial firms need a provider that can back up and retain a wide range of data types. Further, to meet the requirements outlined in SEC/FINRA rule 17a-3, they must take into account data contained in the books and records, systems configuration, and all communications such as email, instant messaging and social media. In addition, the vendor must be able to retain the original data formats so that historical records can be accessed by compliance officers and auditors at any time.
Essentially, when a member of FINRA seeks a vendor to help them with the long-term archiving of data, it’s important that the provider fully understands that current and historical data must be accessed using old legacy systems so that it can be downloaded. This is important not only for ongoing compliance reviews, but also during audits. Firms will find it beneficial to be able to provide auditors with archived data in formats that can be easily read, which will speed up the auditing process and ensure FINRA staff are out the door quickly.
2. Retention of Data in Non-rewriteable Format
Second, it’s important to know that FINRA amended SEC rule 17a-4 to allow the use of non-WORM disk to retain electronic records. This means that as of 2003, firms can use systems that have software features built into them to prevent the deleting or modifying of data.
This amendment to 17a-4 is important because firms can now outsource the archiving of data to third parties who can set retention rules on data. These retention rules can be set to delete data after a period of time, usually three to seven years, thus freeing up space to be used for current data. As a result, archiving sets are as small as possible. This keeps data storage costs low while satisfying the 17a-4 electronic records retention requirement.
3. Quick Recoverability
It is important that FINRA members select a vendor that can recover all current and archived data in a timely manner, within 48 hours. This is an important aspect of the FINRA Business Continuity Planning (BCP) process and should be a feature included with the vendor's service. Often, archiving vendors will have several methods to allow for the recoverability of customers' data, depending on the severity of the failure.
For example, if systems are temporarily down due to a minor disaster, the vendor should offer web access to archived data so customers can still access data in the interim while the systems are being recovered. In the event of a major disaster, the vendor should be able to make a full copy of its customer's data on a removable drive and drop ship it to any location so the customer can fully recover all data at a secondary disaster site.
The Business Continuity Planning (BCP) requirement is closely connected to the long-term archiving of data. Ensuring the same vendor who is performing the long-term archiving of data can also recover the data in the event of a disaster is key to simplifying the data compliance strategy. It will also help to keep the cost down and speed up the auditing process.
Small financial firms need to outsource the long-term archiving of electronic records for compliance. They need to find a vendor who understands their needs and can retain the data in the proper format and make it readily available in the event of a disaster or during audits. Choosing the right provider is critical to keeping the cost down and simplifying the process. Failing to assign the proper third party can be costly and result in audit failure and large fines, and ultimately impact customer confidence.
AdvisorVault (advisorvault.org) is the only third-party provider that has created a complete solution to achieve compliance within the demands of SEC rule 17a-4. The product includes software to remotely archive data contained in books and records, emails, and any other records needed for disaster recovery. In addition, AdvisorVault provides all the tools necessary to supervise and download archived records, which keeps compliance officers and auditors happy and ensures the highest level of client confidence at all times.