Gibuthy.com


Six features a D3P needs to make the cloud 17a-4 compliant

Here are six things to look for in a D3P to help you make the cloud 17a-4 compliant.

1. Direct Cloud Connector:

The first thing businesses need in a D3P cloud provider is a connector built into their software that logs directly into all popular cloud services and archives the data. This connector will copy data to your system automatically every night, instead of relying on a sync tool to access the cloud. A sync tool is a problem because it adds an extra step to the cloud archiving process, which can end up causing gaps.

Similarly, when choosing a cloud provider, avoid less popular ones like ShareFile, SugarSync, or iCloud, as they are proprietary and don’t allow direct connections to cloud file services. Instead, use Office 365, Dropbox, Google Suite, or OneDrive. However, for small businesses I don’t recommend SharePoint for file storage because it’s too complex. The best cloud storage combinations are Office 365 hosted email with OneDrive or G Suite email, including electronic records stored in personal drives or Google team drives.

2. Automatic detection of new data in the cloud

Additionally, D3P software should automatically detect new cloud data sets as they are created. For example, as the company adds new users to Office 365, SharePoint, or OneDrive sites, they are automatically added to the 17a-4 file. This also applies to G Suite, where user accounts are added frequently, including their personal or team drives. If the D3P has automatic detection, it does not need to be notified every time new employees are added to the cloud.

3. Electronic record keeping

Once the provider has transferred the data from the cloud to their system, they must properly maintain it according to 17a-4. This is where it gets dicey, because if you've really read the rule, you'll find an overly complicated list of retention stipulations. For example, the rule states that exception reports must be kept for at least 18 months, order tickets for 3 years, and records related to customer accounts for 6 years (the first two years in an easily accessible place), with a default retention period of 6 years for those FINRA books and records that do not otherwise have a specific retention period.

My advice: Ignore the rule here and just make sure the D3P applies a general 7-year retention rule to ALL business-related data. With this policy, you are done separating different types of data and then trying to apply a unique retention policy to each set, which is impossible to maintain, especially for a small company without an IT department.

4. Data download:

At the end of the day, the reason you hire a D3P is to access electronic records or archived emails when needed. Other than disaster recovery, the main reason you need a D3P is during the electronic records request when FINRA requests a sample data set that can go back seven years.

First, it is important that the D3P have a secure web portal to access the 17a-4 data file. What is key here is that the data needs to be downloadable in a format that regulators can read, especially when they are breathing down your neck during the audit. Here are the guidelines: emails should be downloadable in PST format, Office documents in their native format, and customer databases should be exported in accessible file formats such as CSV or text. Finally, these electronic records downloads of the 17a-4 file must be instantly copied to a DVD so that the regulator can take it to their office for review.

Second, the D3P must preserve user cloud data that has been deleted and keep it in an archival state so it can be recovered. This includes deleted Office 365 or G Suite user mailboxes and deleted OneDrive sites or Dropbox accounts. Keeping electronic records of users who have been removed from the cloud will also help with compliance, as data from former employees is often requested during audits.

5. Security:

Of course, security is something companies need to worry about any time they make a change to their technology, and the compliance officer will surely be called if data is compromised. However, security breaches rarely happen on the D3P end. This is because they host their systems in secure data centers that are locked down, protected by firewalls, and closely monitored. Instead, most hackers launch their attacks from the end user's PC. What this means is that compliance officers concerned with protecting electronic records to comply with 17a-4 need to understand that hackers will try to exploit systems from inside the office. Therefore, the best defense against security threats is strong passwords, understanding how to limit administrator rights to cloud systems, locking or logging off computers that have access to the cloud, and keeping antivirus programs updated to prevent people from downloading malware that hacks into cloud systems.

6. Prices:

Finally, when choosing a D3P to archive your data in the cloud, it is important that its pricing structure is based on raw data, not per-user licenses. You want to find one that uses raw data pricing only, because it will be cheaper to archive data backup sets in the cloud: products like Dropbox, G Suite and Office 365 rely on individual user accounts, which can add up exponentially as the company grows but contain little data. Having prices based on amounts of raw data will average the cost across all cloud users no matter how many you add, so the price will only increase as more data is added. This gives your business more flexibility to control data archiving costs as it grows.

Summary:

Since cloud providers do not comply with 17a-4, as a FINRA company compliance officer you should outsource to a designated third party (D3P) who can make the cloud compliant before you start storing electronic records and emails there. There are six things to look for in a D3P that will ensure that no loopholes appear in the data filing process, that electronic records are accessible during an audit, and that costs are kept as low as possible.

About AdvisorVault:

AdvisorVault is the only D3P that has designed its software to help FINRA small businesses archive data in the cloud for 17a-4 compliance. Our consolidated solution focuses on solving this unique problem and provides businesses with one provider to help meet today’s demands for data archiving and monitoring. We have created a centralized archiving option that captures data and emails no matter where they are stored: internally or in the cloud – total peace of mind, out of the box.

AdvisorVault Contact:

[email protected]

www.advisorvault.org

Direct: 416-985-0310

Toll Free: 1-866-732-1407 ex 1
