Designated Third Party (D3P): Your Key to SEC Audit Success and Customer Confidence
Ensuring Success
The FINRA Designated Third Party (D3P) requirement as outlined in rules 17a-3 & 17a-4 is hands-down the most confusing aspect of data compliance. But it is critical that broker-dealer firms address this key mandate and make it a part of their data compliance strategy. In reality, though, it is usually the last step taken once a firm has chosen a remote backup provider for its electronic records.
For small broker-dealer firms with limited time and budgets, finding the best partner to assist them with their D3P needs can be a daunting task. They need to choose a provider that can help them achieve these requirements effectively; choosing the wrong D3P can cause unnecessary burden and quickly increase the overall cost of data compliance. More importantly, failing to assign a D3P can result in SEC audit failure or cause serious damage to a firm’s reputation.
Answering the Big Questions about the Designated Third Party (D3P)
1. What is the broker-dealer’s responsibility in choosing a data compliance partner as their D3P?
- It is critical that the broker-dealer establish a relationship with a third party that has the ability to provide the SEC (or other securities regulators) with independent access to their retained electronic records and information.
2. What are the third party’s responsibilities?
- Notify the SEC (or other designated securities regulators) in writing of their intention to fulfill the third-party access and download function for the broker-dealer
- Provide securities regulators with the information they need to download electronic records from the broker-dealer’s systems at the regulators' request
- Provide securities regulators with access to records and information stored on the broker-dealer’s systems independently of the broker-dealer, even if the broker-dealer is not cooperating with the regulator
- Preserve records in a non-rewriteable, non-erasable format, or one that prevents them from being overwritten, erased, or otherwise altered during their required retention period, through the use of integrated hardware and software codes
- Verify automatically the quality of the backup process and index records preserved on the storage media
The D3P prerequisite is essentially designed to ensure broker-dealer electronic records are kept for the required amount of time and can be successfully retrieved in the event of an audit or during regular compliance reviews.
Further Benefits of the D3P:
Aside from simply ensuring rules 17a-3 & 17a-4 are met and increasing confidence during SEC audits, the D3P provides several other benefits:
- The D3P prevents records from being overwritten, erased or altered. This gives broker-dealers built-in long-term archiving for historical data retrieval
- The D3P ensures that if key IT personnel retire or leave, the D3P can always access current or archived data; thus the D3P becomes an integral part of the broker-dealer's compliance audit process
- The D3P maintains compatibility with legacy systems. In the case where a broker-dealer merges, has been acquired or takes over another company that uses different systems, the D3P will retain the information in a standard format compatible with new systems
- Most importantly, in the event of a disaster where a broker-dealer has lost all its systems or data, the D3P ensures current and historical data will be made available for restoration back to the original location or to an alternate disaster recovery site
The Designated Third Party puts extra responsibility on the broker-dealer firm, and it is designed to ensure a measure of long-term stability is built into the firm's data compliance strategy. By choosing the right D3P, not only do firms gain greater confidence during SEC audits, they also have a greater chance of gaining long-term customer confidence regarding electronic records retrieval and supervision.
AdvisorVault, http://www.advisorvault.org, is the only remote backup provider specifically designed to help small broker-dealer firms achieve today’s stringent data compliance requirements. With our designated third party status (D3P) we help small firms achieve all the required data compliance rules defined in 17a-3 & 17a-4, as well as the supervisory and disaster recovery demands contained in FINRA rules 3510 and 3010.
The fully managed solution includes all the hardware and software and instantly plugs into the office network to remotely protect emails and all documents relating to Books and Records. Remote, home and travelling employees are instantly added to the solution at no additional cost. The turn-key product is priced to fit the budget of small firms and provides remote backup, long-term archiving and disaster recovery in accordance with all current SEC and FINRA rules. Experience total data compliance – Out of the Box with AdvisorVault.
------------------------------------------------------------------------------------------------------------------------------------------------
Six Things Broker-Dealers Should Consider when Choosing a Remote Backup Provider
Meeting Today's Demanding Requirements
With their continuing advancements in technology, remote backup providers are now being used by small broker-dealer firms to achieve today's demanding data compliance requirements, such as the rules outlined in SEC 17a-3 and 17a-4 and the business continuity and electronic records supervision regulations contained in 3510 and 3010 from FINRA. By using these third party providers to remotely store their critical records, broker-dealers now have a ready-made option to quickly and inexpensively transfer data from all systems across the entire operation to a remote location.
However, not all remote backup providers are created equal. Small broker-dealer firms need to be careful in selecting the right provider to help them achieve today’s stringent data compliance regulations. They should look for the following features when choosing a provider to outsource their remote storage.
What to look for in a remote backup provider:
1. Comprehensive
Rule 17a-3 stipulates that a broker-dealer must protect and keep available the books and records relating to its business. This often covers a wide range of electronic records, and it is vital to select a remote backup provider that can protect these various data formats. This must include data such as email residing on internal servers and on individual PCs, such as PST files saved on users' hard drives. Other documents that hold client information, such as Microsoft Office Word and Excel files, PDF reports and customer data entered into databases, should easily be supported. The software should be configured to initially capture a full backup of this data and then be set to run every night and back up the daily incremental changes from then on.
In addition to regular protection of this user data, a provider should have the built-in ability to perform full system-state backups of critical systems to enable “bare metal” restores to alternate hardware. This will allow the quick recovery of servers and their associated operating systems and programs in the case of complete failure.
2. Licensing-Free Software
In choosing a remote backup provider, small broker-dealers should select a provider that does not charge for software licensing. A cost based only on the amount of data stored eases administration and allows branch offices, remote and home users to be added easily to the data compliance process.
3. Completely Self Managed
Small broker-dealer firms can't spend valuable time managing backups. They should choose a provider who will completely administer the backup process and offer the ability to remotely connect to their software and immediately address problems when they arise. This should be included as part of the provider’s service to ensure missed backups do not leave gaps in a broker-dealer's data compliance strategy.
4. Built-in Archiving
SEC rule 17a-4 poses particular challenges for small broker-dealer firms because of the specific technology required to achieve the long-term retention requirements of this mandate. In choosing a remote backup provider, it is critical that a small broker-dealer firm understand the difference between backup and archiving. By default, to keep costs low, remote backup providers only store customers' data on a limited retention basis using quick-access hard disk. This will be set within their software to overwrite files that change frequently and keep only 10 to 30 versions of changes.
Unfortunately, this is not compliant, and data that changes frequently will be overwritten. Therefore, older copies of files may not be available during an audit or in the event of a disaster. An additional archiving process must be added in this case to take regular full “snap-shots” of data at least monthly and move them to non-rewriteable optical disks. These will then be stored securely for at least 6 years. Non-rewriteable DVDs are a perfect technology for this because of their capacity, durability and low cost.
5. Reporting
A provider’s backup software should have the ability to send automatic email reports to compliance officers for review. This will be part of the broker-dealer's supervisory duties and a key component of their regular compliance reporting and auditing procedures.
6. Ease of Recovery
In the event of a disaster it should be easy for broker-dealers to restore data back to its original location or to an alternate site. Also, during SEC audits broker-dealers may be requested to reproduce current or archived data on separate media such as USB drives, CDs or DVDs so it can easily be reviewed by auditors. Ensuring a provider can easily restore this data to common file formats on alternate media will ease the audit review process. In addition, providers should be able to integrate seamlessly with FINRA’s Small Firm Emergency Partner Program and allow data to be immediately restored to a pre-designated partner firm at a geographically separate location.
Summary
Small broker-dealer firms must identify critical vulnerabilities in their data compliance strategy. Due to their lack of internal staff or budgets, they must look to third party providers to help them build data compliant systems. Remote backup providers are now well suited as an option for these companies to achieve today’s complex data compliance requirements.
These six things to consider in a remote backup provider have been presented to help small broker-dealer firms successfully choose between the many providers that exist today. In following the above guidelines they will have more success in choosing the correct provider. Essentially the goal is to ensure SEC audit success and quick recovery of critical records in the event of a disaster.