AdvisorVault Data Protection Guide for FINRA members

Rules such as 17a-4 and the designated third party (D3P) requirement pose huge challenges for small financial firms that are members of FINRA. The key is understanding these rules and choosing the right technology to meet them.
 
Nov. 8, 2011 - PRLog -- The SEC is increasingly clamping down on securities firms that fail to properly protect critical data at all locations, specifically when it comes to data compliance rules surrounding the protection and long-term archiving of data. In particular, rules such as 17a-4 and the designated third party (D3P) requirement are important when creating a data compliance strategy or during audits. So, how can small firms that are facing pressure from regulators ensure critical information is effectively protected, while keeping the overall cost of compliance under control?

The Two Critical Rules:

17a-4 and the Designated Third Party (D3P) requirement should form the backbone of a firm’s data compliance strategy.  

Regulation 17a-4 basically mandates three things: (1) copies of critical electronic records must be made, (2) these copies must be kept separate from the originals, and (3) this data must be retained for at least seven years. Ensuring all systems at all locations meet these requirements is a huge task, especially for small firms. In addition, the typical broker-dealer firm attempting to manage and put in place its own systems to accomplish this would face a huge burden.

In addition, the D3P requirement states that a third party must have access to copies of this data so it can be reproduced during an audit, to ensure the SEC will not find gaps and can prove or disprove litigation. Essentially, an outsourced solution must form the basis of this strategy.

Using a Remote Backup Provider:
For small firms that are members of FINRA regulated under the SEC, the best way to achieve this required level of compliance across the entire operation is with a remote backup provider. This gives firms a compliant, ready-made option to remotely transfer all data from all locations to a secondary location, and at the same time lets the provider act as their designated third party so that regulators have a secondary point of contact to access historical data.

However, remote backup providers are not created equal. Extra steps must be taken by the provider to ensure these rules are met.

For example, when a financial firm chooses a remote backup provider, it must ensure all data is properly backed up and archived and that the unique requirement of the SEC’s D3P rules is met. Few backup providers understand this rule fully. It means that in the event of an audit the provider must be able to reproduce current and historical data in a timely manner, and in a format that is readable by auditors. The right remote backup provider can also be a huge asset to securities firms. It can essentially solve several difficult data compliance challenges in one step, usually for a small monthly fee.

A Unique Approach designed for small firms

Small firms are continually searching for ways to reduce the cost of data compliance, but also to ensure they fulfill the 17a-4 and the D3P requirements. As such, they need to choose a specific type of remote backup provider that has the following features built into their service:

1. Support for various data types. Rule 17a-4 covers a wide range of data; for firms this means emails, Word, Excel, PowerPoint and all other documents. The provider’s software must have the built-in ability to easily back up this data.

2. Agentless Software. Because a typical small firm may have data residing on several systems at various locations, a provider should be chosen that does not charge software licensing. A cost structure based only on the raw amount of data will simplify management and billing of the service.

3. Automatic Reporting. Because the reporting and monitoring of the data compliance process is so critical, the remote backup provider should be able to set up automatic monitoring and reporting of the backup process. This will become part of the broker’s data compliance audit procedure.

4. Recovery of Data. In the event of a disaster, a remote backup provider must be able to recover a firm’s data within 48 hours, either back to the original location or to an alternate failover site. The FINRA business continuity planning (BCP) is a guide. Just as important is the ability of the provider to reproduce current and historical data in a format readable by SEC auditors.

Answering the Big Questions about the Designated Third Party (D3P)

In addition to selecting the right remote backup provider for electronic records, FINRA members must fully understand the D3P requirement. Essentially, its elements are as follows:

1. What is the firm’s responsibility in choosing a data compliance partner as its D3P?
• It is critical that the broker-dealer establish a relationship with a third party that has the ability to provide the SEC (or other securities regulators) with independent access to its retained electronic records and information.

2. What are the third party’s responsibilities?
• Notify the SEC (or other designated securities regulators) in writing of their intention to fulfill the third-party access and download function for the broker-dealer
• Provide securities regulators with the information they need to download electronic records from the firm’s systems at the regulators’ request
• Provide securities regulators with access to records and information stored on the firm’s systems independently of the broker-dealer, even if the broker-dealer is not cooperating with the regulator
• Preserve records in a non-rewriteable, non-erasable format or one that prevents them from being overwritten, erased, or otherwise altered during their required retention period through the use of integrated hardware and software codes
• Verify automatically the quality of the backup process and index records preserved on the storage media

The D3P prerequisite is essentially designed to ensure the firm’s electronic records are kept for the required amount of time and can be successfully retrieved in the event of an audit or during regular compliance reviews.

Further Benefits of the D3P

Aside from simply ensuring rules 17a-3 & 17a-4 are met and increasing confidence during SEC audits, the D3P provides several additional benefits:
• The D3P prevents records from being overwritten, erased or altered. This gives firms built-in long-term archiving for historical data retrieval
• The D3P ensures that if key IT personnel retire or leave, the D3P can always access current or archived data. Thus the D3P becomes an integral part of the firm’s compliance audit process
• The D3P maintains compatibility with legacy systems. In the case where a firm merges, has been acquired or takes over another company that uses different systems, the D3P will retain the information in a standard format compatible with new systems
• Most importantly, in the event of a disaster where a firm has lost all their systems or data, the D3P ensures current and historical data will be made available for restoration back to the original location or to an alternate disaster recovery site
The Designated Third Party puts extra responsibility on firms and it is designed to ensure an amount of long-term stability is built into their data compliance strategy.

About AdvisorVault


AdvisorVault, http://www.advisorvault.org, is the only remote backup provider specifically designed to help small broker-dealer firms achieve today’s stringent data compliance requirements.
With our designated third party status (D3P) we help small firms achieve all the required data compliance rules defined in 17a-3 & 17a-4, as well as the supervisory and disaster recovery demands contained in FINRA rules 3510 and 3010.

AdvisorVault contact:
Allan Lonz, President and CEO
alonz@advisorvault.org
Direct: 416-985-0310
Toll Free: 1-866-925-1941
http://www.advisorvault.org

# # #

AdvisorVault - A FINRA designated storage provider that helps small broker-dealer firms achieve the requirements of 17a-3 & 17a-4, simply and inexpensively. The TURNKEY solution includes secure remote backup, long-term archiving and disaster recovery.
Tags: Broker-dealers, investment advisors FINRA, Data Archiving, Electronic Records, SEC 17a-3, 17a-4, Email Archiving, Disaste
Industry: Data backup
Location: Canada