NewswireTODAY - /newswire/ -
Toronto, Ontario, Canada, 2021/12/13 - AdvisorVault, the only FINRA designated third party (D3P) designed for small firms, makes Microsoft 365 17a-4 compliant. Allan Lonz, President, AdvisorVault.org.
Since FINRA has given firms the green light to use the cloud, the big question becomes: can a cloud platform like Microsoft 365, using its built-in compliance tools, meet 17a-4? In other words, can you configure it to prevent the deletion and modification of emails on Exchange, data on OneDrive/SharePoint, and Teams chats, and then retain them for 7 years? And finally, will Microsoft act as the FINRA D3P, supply the two attestation letters and perform the required functions of a D3P?
Exchange Online Retention Policies Don’t Meet 17a-4
According to a popular white paper by Cohasset Associates, FINRA firms can use the built-in Microsoft 365 retention policies (when properly configured and carefully applied and managed) to meet SEC rule 17a-4. But what actually happens to your data when you apply a 365 retention policy to it? You’ll be surprised to find out that Microsoft, despite what you read, has completely missed the mark on 17a-4 compliance.
“I tested it myself and configured an Exchange Online retention policy in Microsoft 365 to retain my emails for 17a-4 and immediately noticed that it doesn’t actually store them in a non-rewritable format; it just moved my messages to the archive items in Outlook, which I could delete. This isn’t going to fly with FINRA,” said Allan Lonz, President of AdvisorVault.
“Also, I had to take an extra step and apply a PowerShell command to my 17a-4 retention policy to set a preservation lock on it, otherwise I could simply delete that too and I was no longer compliant,” Lonz added.
Even if you do properly configure the retention policies, you’ll also need to get the two FINRA D3P attestation letters from Microsoft. Good luck with that: you can’t call anyone at Microsoft and ask for the D3P letters, and if you google “Microsoft FINRA 17a-4 D3P letters” you get a document explaining the capability of Microsoft 365 to support organisations in meeting their obligations under the New Zealand Public Records Act 2005.
More Google searches on this subject direct you to the Microsoft Trust Center Resources. This links to a Microsoft site, but the 17a-4 attestation letters are nowhere to be found, and it has no other links to download a FINRA attestation letter.
It’s understandable that Microsoft wants to have a finger in every pie and to be everything to everybody, but small FINRA firms have unique needs which can’t be met with a generic cloud solution. More importantly, they don’t have the in-house expertise to “configure and carefully apply and manage” the built-in tools that Microsoft is selling as 17a-4 compliant. Further, FINRA needs specific compliance documentation and commitments from vendors to be fully compliant, which Microsoft is not willing to provide or even openly address.
To learn more about AdvisorVault’s Microsoft 365 17a-4 compliant solution, contact us or talk to sales.