Six Features a D3P Needs to Make the Cloud 17a-4 Compliant

Here are six things to look for in a D3P to help you make the cloud 17a-4 compliant.

1. Direct connector to the cloud:

The first thing businesses need in a D3P cloud provider is a connector built into their software that logs directly into all popular cloud services and data files. This connector should also copy data to your system seamlessly and automatically every night, instead of relying on a sync tool to access the cloud. The sync tool is a problem because it adds an extra step to the cloud file process that can end up causing gaps.

Similarly, when choosing a cloud provider, avoid less popular ones like ShareFile, SugarSync, or iCloud because they are proprietary and do not allow direct connections to cloud file services. Instead, use Office 365, Dropbox, G Suite, or OneDrive. However, for small businesses, I do not recommend SharePoint for file storage because it is too complex. The best cloud storage combinations are email hosted in Office 365 with OneDrive, or email from G Suite with electronic records stored on Google personal drives or team drives.

2. Automatic detection of new data in the cloud

Additionally, the D3P software should automatically detect new cloud data sets as they are created. For example, as the company adds new users to the Office 365, SharePoint, or OneDrive sites, they are automatically added to the 17a-4 archive. This also applies to G Suite, where user accounts are added frequently, including their personal or team drives. If the D3P autodiscovers new data, it doesn’t need to be notified every time new employees are added to the cloud.

3. Retention of electronic records

After the provider has transferred the data from the cloud to your system, they must retain it properly per 17a-4. Now this is where it gets dangerous, because if you have actually read the rule, you will find a long list of retention stipulations that is too complicated to follow. For example, the rule establishes that exception reports must be kept at least 18 months, order tickets 3 years, and records related to customer accounts 6 years (the first two years in an easily accessible place), with a default retention period of 6 years for those FINRA books and records that do not otherwise have a specific retention period.

My advice: ignore the rule here and just make sure the D3P applies a general 7-year retention rule to ALL business-related data. With this policy, you no longer separate the different types of data and then try to apply a single retention policy to each set, which is impossible to maintain, especially for a small business without an IT department.

4. Data download:

At the end of the day, the reason you hire a D3P is to access email records or archived emails when needed. Aside from disaster recovery, the main time you need a D3P is during an electronic records request, when FINRA requests a sample data set that can go back seven years.

First, it is important that the D3P has a secure web portal for accessing the 17a-4 archive. The key here is that the data needs to be downloadable in a format that regulators can read, especially when they’re breathing down your neck during the audit. Here are the guidelines: emails must be downloadable in PST format, Office documents in their native format, and customer databases must be exported in accessible file formats such as CSV or text. Finally, these electronic record downloads from the 17a-4 archive need to be instantly copied to DVD so that the regulator can bring it to their office for review.

Second, the D3P must retain cloud data for users who have been deleted and keep it in an archive state so that it can be recovered. This includes Office 365 mailboxes or G Suite users that have been deleted and OneDrive sites or Dropbox accounts that are deleted. Keeping electronic records of users who have been removed from the cloud will also help with compliance, as old employee data is often requested during audits.

5. Security:

Of course, security is something companies need to worry about whenever they make a change to their technology, and the compliance officer will surely be called in if data is compromised. But security breaches rarely happen at the D3P end. This is because they host their systems in secure data centers that are locked down, protected by firewalls, and closely monitored. Instead, most hackers launch their attacks from the end user’s PC. What this means is that compliance officers concerned with protecting electronic records to comply with 17a-4 need to understand that hackers will attempt to exploit systems from inside the office. Therefore, the best defense against security threats is using strong passwords, understanding how to limit administrator rights to cloud systems, locking or logging off computers that have access to the cloud, and keeping anti-virus programs up to date to prevent people from downloading malware that will hack into cloud systems.

6. Prices:

Finally, when choosing a D3P to archive your data in the cloud, it is important that its pricing structure is based on raw data, not on user licenses. You want to find one that uses raw data pricing because it will be cheaper to archive backup sets of data in the cloud, as products like Dropbox, G Suite, and Office 365 rely on individual user accounts that can increase exponentially as the company grows but contain little data. Pricing based on the amount of raw data averages the cost across all cloud users no matter how many you add, so the price will only increase as more data is added. Thus, it gives your business more flexibility to control data archiving costs as it grows.

Summary:

Since cloud providers do not meet 17a-4, as a compliance officer for a FINRA company you need to outsource to a designated third party (D3P) who can make the cloud compliant before you start storing emails there. There are six things to look for in a D3P that will ensure that there are no gaps in the data archiving process, that electronic records are accessible during an audit, and that costs are kept as low as possible.

About AdvisorVault:

AdvisorVault is the only D3P that has designed its software to help FINRA small businesses archive data to the cloud to meet 17a-4. Focusing on solving this unique problem, our consolidated solution provides businesses with a vendor to help meet today’s demands around data archiving and monitoring. We have created a centralized archiving option that captures data and emails no matter where they are stored, internally or in the cloud – complete peace of mind, out of the box.

AdvisorVault Contact:

www.advisorvault.org

Direct: 416-985-0310

Toll Free: 1-866-732-1407 ex 1
