FINRA now permits member firms to use the cloud to store electronic records and emails; however, cloud providers will not act as your designated third party (D3P). Therefore, if you are a FINRA firm, such as a broker-dealer, RIA or any other registered firm, and want to use the cloud, you need to find a D3P that will connect to it and make it 17a-4 compliant.

Press Release

Updated: Jan 25, 2021 09:00 EST

FINRA now allows member firms to use the cloud to store electronic records and emails. However, if you are a compliance officer and have done your homework, you have realized that cloud providers will not act as your designated third party (D3P). The reason: they cannot guarantee that data stored with them will be retained for 7 years. In other words, they cannot prevent anyone from deleting anything from their cloud account at any time, a big no-no for regulators, especially when they show up for the electronic records request during the audit and see large gaps in your data archive. Therefore, if you are a FINRA firm, such as a broker-dealer, RIA or any other registered firm, and want to use the cloud, you need to find a D3P that will connect to it and make it 17a-4 compliant.

Below are 6 things you should look for in a D3P to help you make the cloud 17a-4 compliant.

1. Direct Cloud Connector:

The first thing firms need in a cloud D3P provider is a connector built into their software that logs directly into all popular cloud services and archives data. In addition, this connector should copy data seamlessly to their system, automatically every night, rather than using a sync tool to access the cloud. A sync tool is a problem because it adds an extra step to the cloud archiving process, which may end up causing gaps.

Likewise, when choosing a cloud provider, avoid the less popular ones such as ShareFile, SugarSync or iCloud, because they are proprietary and don't allow direct connections with cloud archiving providers. Instead use Office 365, Dropbox, Google Suite or OneDrive. However, for small firms I don't recommend SharePoint for file storage because it can be too complicated. The best cloud storage combinations are Office 365 hosted email with OneDrive, or G Suite email, including electronic records stored in Google personal drives or team drives.

2. Automatic Detection of New Cloud Data

Also, the D3P's software must automatically detect new cloud data sets as they are created. For example, as the firm adds new users in Office 365, SharePoint, or OneDrive sites, they are automatically added to the 17a-4 archive. This applies to G Suite as well, where user accounts are typically added along with their personal or team drives. If the D3P has automatic detection, they don't need to be notified every time new employees are added to the cloud.

3. Electronic Records Retention

Once the provider has the cloud data transferred to their system, it must be retained properly as per 17a-4. Now, here is where it gets dicey, because if you've actually read the rule, there is an overly complex laundry list of retention requirements. For example, the rule states that exception reports must be kept at least 18 months, order tickets 3 years, and records relating to customer accounts 6 years (the first two years in an easily accessible place), with a default 6-year retention period for those FINRA books and records that do not otherwise have a specified retention period.

My advice: ignore the rule here and simply make sure the D3P applies a 7-year blanket retention rule to ALL data relating to the business. With this policy, you are done separating different data types and then trying to apply a unique retention policy to each set, which is difficult to maintain, especially for a small firm without an IT department.

4. Downloading Data:

At the end of the day, the reason you hire a D3P at all is to access archived electronic records or emails when needed. Apart from disaster recovery, the main reason you need a D3P is the electronic records request, when FINRA asks for a sample data set that can go back 7 years.

First, it's important that the D3P has a secure web portal to access the 17a-4 data archive. What's important here is that data must be downloadable in a format regulators can read, especially when they are breathing down your neck during the audit. Here are the guidelines: emails must be downloadable in PST format, office documents in their native format, and customer databases must be exported in file formats that can be accessed, such as CSV or text. Finally, these electronic record downloads from the 17a-4 archive must be copied immediately to a DVD so the regulator can take it back to their office for review.

Second, the D3P must retain cloud data for users that have been removed and keep it in an archived state so it can be retrieved. This includes Office 365 mailboxes or G Suite users that have been removed, and OneDrive sites or Dropbox accounts that get deleted. Retaining electronic records from users that have been removed from the cloud will also help with compliance, because old employee data is often requested during audits.

5. Security:

Of course, security is something firms need to worry about every time they make a change in their technology, and the compliance officer will certainly get called in if data is compromised. But security breaches rarely happen on the D3P's end. This is because they host their systems in secure data centres that are locked down, protected by firewalls, and monitored closely. Instead, most hackers launch their attacks from the end user's PC. What this means is that compliance officers concerned with protecting electronic records to meet 17a-4 need to understand that hackers will try to exploit systems from inside the office. Therefore, the best defence against security threats is strong passwords, understanding how to limit administrator rights to cloud systems, locking or logging off computers that have access to the cloud, and keeping antivirus programs up to date to prevent people from downloading malware that will hack into cloud systems.

6. Pricing:

Finally, when choosing a D3P to archive your cloud data, it's important that their price structure is based on raw data, not per-user licenses. You want to find one that uses raw-data-only pricing because it will be cheaper to archive cloud data backup sets: products like Dropbox, G Suite and Office 365 are based on individual user accounts, which can increase exponentially as the firm grows but hold little data. Pricing based on raw data amounts will average out the cost across all cloud users no matter how many you add, so the price will only increase as more data is added. This gives your firm more flexibility to control data archiving costs as you grow.


Since cloud providers are not 17a-4 compliant, as a compliance officer for a FINRA firm you need to outsource to a designated third party (D3P) that can make the cloud compliant before you start storing electronic records and emails there. There are six things you need to look for in a D3P that will ensure no gaps appear in the data archiving process, that electronic records can be accessed during an audit, and that costs are kept as low as possible.

About AdvisorVault:

AdvisorVault is the only D3P that has designed their system to help small FINRA firms archive cloud data to meet 17a-4. Focused on solving this unique problem, our consolidated solution gives firms one vendor to help them meet today's requirements surrounding data archiving and supervision. We have created a centralized archiving solution that captures data and emails no matter where they are stored, in-house or in the cloud: complete peace of mind, out of the box.

AdvisorVault Contact:
Allan Lonz, President
[email protected]
Direct: 416-985-0310
Toll-free: 1-866-732-1407 ex 1

Source: AdvisorVault