3 Steps to Compliant Data Archiving

A Guide for Small Financial Firms, By Allan Lonz, AdvisorVault

The long-term archiving of data for compliance is probably the biggest challenge facing small financial firms today. SEC rule 17a-4 lays out some very specific guidelines surrounding the retention of electronic records, and FINRA members who fail to keep critical data and communication for the required amount of time risk audit failure and large fines. But small financial firms such as broker-dealers, independent financial advisors and boutique wealth management companies do not have the manpower to manage this process in-house. To effectively ensure they meet SEC and FINRA rules surrounding the long-term retention of data, they need to hire an outside vendor.

However, they need to select a vendor that understands their unique needs, while keeping the overall cost of compliance down. There are three key requirements FINRA members need to look for in a vendor to help them outsource the long-term archiving of data in compliance with SEC rules.

1. Archiving of Various Data Types

When selecting a vendor to outsource the long-term archiving of electronic records, small financial firms need a provider that can back up and retain a wide range of data types. To meet the requirements outlined in SEC/FINRA rule 17a-3 in conjunction with rule 17a-4, they must take into account data contained in the Books and Records, systems configuration, and all communications such as email, instant messaging and social media. In addition, the vendor must be able to retain the original data formats so that historical records can be accessed by compliance officers and auditors at any time.

Essentially, when a member of FINRA seeks a vendor to help them with the long-term archiving of data, it is important that the provider fully understand the specific requirements, i.e. that current and historical data must be accessed using old legacy systems. This is important not only for ongoing compliance reviews, but also during audits. Firms will find it beneficial to be able to provide auditors with archived data in formats that can be easily read; this will speed up the auditing process and ensure FINRA staff are out the door quickly.

2. Retention of Data in a Non-Rewritable Format

Once the proper formats of data are being archived and made accessible to auditors and compliance officers, FINRA firms need to be sure the data is stored on non-rewritable media, also known as WORM storage. This is hard disk storage used by the provider to hold the historical data, built on disk technology that prevents the deleting or overwriting of data. This is a critical component of SEC data retention rules, and FINRA members must ensure they are using a provider that has implemented WORM disk to store their data.

3. Quick Recoverability

It is important that FINRA members select a vendor that can recover all current and archived data in a timely manner, usually within 48 hrs. This is an important aspect of the FINRA Business Continuity Planning (BCP) process and should be a feature included with the vendor’s service. Often, archiving vendors will have several methods to allow for the recoverability of customers’ data, depending on the severity of the failure. For example, if systems are temporarily down due to a minor disaster, the vendor should offer web interface access to archived data so customers can still view data in the interim while the systems are being recovered; in the event of a major disaster, the vendor should be able to make a full copy of its customer’s data on a removable drive and drop ship it to any location so the customer can fully recover at a secondary disaster site.

The Business Continuity Planning (BCP) requirement is closely connected to the long-term archiving of data. Ensuring the same vendor who is performing the long-term archiving of data can also quickly recover critical systems in the event of a disaster is key to simplifying the data compliance strategy. It will also help to keep the overall costs of compliance down and speed up the auditing process.

Summary
Small financial firms need to outsource the long-term archiving of electronic records for compliance. Because of the lack of in-house expertise, they need to find a vendor who understands their unique requirements and can retain the data in the proper format and make it readily available in the event of a disaster or during audits. Choosing the right provider is critical to keeping the cost down and simplifying the process. Failing to assign the proper third party can be costly and result in audit failure, large fines and ultimately impact customer confidence.

Allan Lonz is President and CEO of AdvisorVault, www.advisorvault.org, the only remote backup provider specifically designed to help small broker-dealer firms achieve today’s stringent data compliance requirements. With their designated third-party status (D3P) they help small firms achieve all the required data compliance rules defined in 17a-3 & 17a-4, as well as the supervisory and disaster recovery demands contained in FINRA rules 3510 and 3010.