Choosing a vendor that offers a consolidated FINRA designated third party (D3P) service is one of the best ways for small FINRA firms to simplify and keep the cost of achieving compliance with rule 17a-4 low as possible.
AdvisorVault understands that small FINRA firms can’t spend thousands of dollars a year trying to keep compliant with FINRA rule 17a-4; they must continually find ways to keep this cost low as possible, that’s why we created the only Consolidated Designated Third Party (D3P) service to solve this unique problem.
A Consolidated 17a-4 D3P is Key for Small FINRA Firms
What often happens today when it comes to electronic data retention for FINRA, broker-dealers, RIA’s and investment banks are forced to use several vendors to help them achieve all the requirements of 17a-4. For example, they must hire one provider for email archiving, one to backup their books and records and another to act as their D3P as well as provide disaster recovery. Because of this, they eventually end up paying too much and making the whole compliance process more complex than it has to be.
AdvisorVault’s Consolidated D3P service is a complete solution that solves this problem, priced at one flat monthly fee the service contains everything needed to achieve all the electronic records archiving demands of SEC rule 17a-4. Essentially, as the D3P chosen for FINRA compliance AdvisorVault does the actual data backup and archiving and performs all the other functions needed as the designated third-party downloader service. By using AdvisorVault, the whole compliance process is simplified, thus, making audits easier to pass with a large reduction in the cost of compliance. Further, these key features are included in the AdvisorVault consolidated 17a-4 D3P service.
Features of AdvisorVault’s 17a-4 Consolidated D3P Service:
1.Email Archiving: Firstly, the Consolidated D3P will perform the archiving of email. This is important because during the FINRA electronic records request, it is the first thing auditors will want to see as part of the 17a-4 electronic records supervision process. However, the problem today is that email is so dispersed; firms now use cloud services, in-house emails systems and mobile devices to access their messages, therefore, as part of the D3P service a provider needs to be able to connect to all these various systems, take a copy of messages and store them compliantly. Also, it’s important that the provider performing the email archiving can also offer full cloud email archiving to clients. For example, the D3P’s email archiving service should connect seamlessly into cloud email and transfer it to 17a-4 compliant storage.
2.Books and Records Archiving: Once a full email archiving process is in place, FINRA members need to make sure data contained in the books and records is properly archived with the D3P. The difficulty here is that books and records data is contained throughout the firm in many different formats such as Office documents, scanned files, data bases, and branch offices or uploaded to the cloud. The key here also is to make sure all this data is easily stored in an SEC format compliant with the electronic records archiving rules of SEC 17a-4. Therefore, the D3P must have an automated method to connect to all these various systems, make a copy of the data stored on them so it can be transferred to 17a-4 compliant storage. In addition, the D3P also has to offer the FINRA firm a few added features to achieve the ongoing supervisory rule of 17a-4:
- Daily Alerts and Reporting. Compliance officers and key personnel need to receive regular reports of the data archiving process done by the D3P as part of 17a-4. Reports as well as regular emails showing what data has been archived will form a critical part of the FINRA firms’ supervisory process so it can be proven to regulators during an audit.
- Sample Data Sets. Similarly, to email, regulators will ask for a sample data set contained in the firms Books and records. FINRA firms, such as broker-dealers will be asked to provide a sample of data being archived with the D3P, this should be a simple process that compliance officers perform themselves during an audit.
- Secure Consolidated Access. The D3P should also have a secure consolidated web interface that compliance officers and other key personnel can use to search as well as download sample data sets to their computers so they can make copies of this data to DVDs which can be given to auditors when requested.
- Electronic Records Supervision: To ensure full compliance with SEC rule 17a-4 FINRA firms must have a tool to perform the ongoing supervision of electronic records, and to be able to access their data archive during an audit. Therefore, the D3P should include a secure web interface which provides compliance officers and other key employees the ability to access and download electronic records to their hard drives so that sample copies of data can be made for regulators on the spot. In addition, this supervisory tool needs to have automatic indexing built into it so that searches can be done quickly, and all data is included to provide full seven-year access to data as required by SEC rule 17a-4 for FINRA electronic records retention compliance.
4. The 17a-4 Third Party Downloader: As part of their service, the D3P must be able to access the FINRA firm’s data archive. In addition, they need to download any data in a format readable by auditors. This is critical because archiving data as required by SEC rule 17a-4 can be a complex technical undertaking that auditors don’t want firms to miss the mark on, so as a result they need to rely on a secondary third party that has the technology to offer FINRA firms such as broker-dealers the ability to properly outsource the archiving of electronic records, so they are retained and accessible in their original format.
5.Documentation: As their final obligation, the D3P must provide four compliance documents to their customers, they need to create: (1) A Service Level Agreement, (2) the 17a-4 3rd Party Storage Provider Letter, (3) the 17a-4 Broker Dealer Letter and (4) and a document outlining their disaster recovery procedures.