Six Features of a 17a-4 Consolidated D3P – A Guide for Small FINRA Firms
Introduction
Small FINRA firms can’t spend thousands of dollars a year trying to keep compliant with SEC rule 17a-4; they must continually find ways to keep this cost as low as possible, and one way is to use a Consolidated D3P (Designated Third Party) service.
Too often, however, broker-dealers, RIAs and investment banks are forced to use several vendors to meet all the requirements of 17a-4. For example, they must hire one provider for email archiving, one to back up their books and records, and another to act as their D3P and provide disaster recovery. As a result, they end up paying too much and making the whole compliance process more complex than it has to be.
A Consolidated Designated Third Party, or D3P, is a solution offered by a single provider, priced at one flat monthly fee, that contains everything needed to meet the electronic records archiving requirements of rule 17a-4. This means the D3P chosen by the FINRA firm, such as a broker-dealer, does the actual data backup and archiving and performs all the other functions required of a designated third party downloader service. Using this kind of provider simplifies the whole compliance process, making audits easier to pass and greatly reducing the cost of compliance. However, when searching for this kind of provider, FINRA firms need to ensure that six key features are included.
Six Features of a 17a-4 Consolidated D3P Service:
1. Email Archiving. Firstly, the Consolidated D3P will perform the archiving of email. This is important because during a FINRA electronic records request it is the first thing auditors will want to see as part of the 17a-4 electronic records supervision process. The problem today, however, is that email is so dispersed: firms now use cloud services, in-house email systems and mobile devices to access their messages. Therefore, as part of the D3P service, a provider needs to be able to connect to all of these systems, take a copy of messages and store them compliantly.
Additionally, it’s important that the provider performing the email archiving can also offer advanced email hosting features to clients. For example, the D3P’s email service should also include virus/spam filtering, encryption, mobile device coverage, and full web-based search capability, with hosted Microsoft Exchange included.
2. Books and Records Archiving. Once a full email archiving process is in place, FINRA members need to make sure the data contained in their books and records is properly archived with the D3P. The difficulty here is that books and records data is spread throughout the firm in many different formats, such as Office documents, scanned files and databases, and may be held at branch offices or uploaded to the cloud. The key is to make sure all of this data is stored in a format compliant with the electronic records archiving rules of SEC 17a-4.
Therefore, the D3P has to have an automated method to connect to all of these systems and make a copy of the data stored on them so it can be transferred to 17a-4 compliant storage. In addition, the D3P has to offer the FINRA firm a few added features to meet the ongoing supervisory requirements of 17a-4:
- Daily Alerts and Reporting. Compliance officers and key personnel need to receive regular reports of the data archiving performed by the D3P. These reports, together with regular emails showing what data has been archived, form a critical part of the FINRA firm’s supervisory process, so that it can be demonstrated to regulators during an audit.
- Sample Data Sets. As with email, regulators will ask for a sample data set from the firm’s books and records. FINRA firms, such as broker-dealers, will be asked to provide a sample of the data being archived with the D3P; this should be a simple process that compliance officers can perform themselves during an audit.
- Secure Consolidated Access. The D3P should also have a secure, consolidated web interface that compliance officers and other key personnel can use to search for and download sample data sets to their computers, so they can copy this data to DVD and hand it to auditors when requested.
3. Disaster Recovery. Because the D3P is performing the backup and archiving of critical systems and other electronic records, it should also perform disaster recovery, as required by the business continuity plan regulation that applies to FINRA firms. However, because they are fully outsourcing their disaster recovery, small FINRA firms have to make sure the D3P’s disaster recovery process contains a few key elements.
For example, critical systems and data must be made available within 48 hours following a disaster. In addition, as part of the firm’s business continuity planning process, FINRA will want three main areas covered. Firstly, the system state of critical systems must be protected. The system state allows for bare metal restore of systems, so that applications and their configuration can easily be transferred to new servers if the current ones are completely destroyed. Secondly, any records on servers, PCs, mobile devices or in the cloud must be recoverable at any time. And lastly, the D3P needs to have a process in place to make email available during a disaster, either through direct download or through secondary web access.
4. Electronic Records Supervision. To ensure full compliance with SEC rule 17a-4, FINRA firms must have a tool to perform the ongoing supervision of electronic records and to access their data archive during an audit. Therefore, the D3P should include a secure web interface that gives compliance officers and other key employees the ability to access and download electronic records to their hard drives, so that sample copies of data can be made for regulators on the spot. In addition, this supervisory tool needs to have automatic indexing built in, so that searches can be done quickly and all data is included, providing the full seven-year access to data required by SEC rule 17a-4 for FINRA electronic records retention compliance.
5. The 17a-4 Third Party Downloader. As part of their service, the D3P must be able to access the FINRA firm’s data archive and download any data in a format readable by auditors. This is critical because archiving data as required by SEC rule 17a-4 can be a complex technical undertaking, and auditors don’t want firms to miss the mark on it. As a result, firms need to rely on a secondary third party with the technology to let FINRA firms such as broker-dealers properly outsource the archiving of electronic records, so that they are retained and accessible in their original format.
6. Documentation. As their final obligation, the D3P must provide four compliance documents to their customers: (1) a Service Level Agreement, (2) the 17a-4 3rd Party Storage Provider Letter, (3) the 17a-4 Broker Dealer Letter and (4) a document outlining their disaster recovery procedures.
Summary
Choosing a vendor that offers a consolidated D3P service is one of the best ways for small FINRA firms to simplify compliance with SEC rule 17a-4 and keep its cost as low as possible. However, it’s important that they understand the key requirements which must be included in the solution, because in the end the goal is to pass FINRA audits effectively while avoiding unnecessary fines, thereby maintaining the highest level of customer confidence at all times.
Nov 16, 2014
Source by Allan Lonz