Six Features a D3P Needs to Make the Cloud 17a-4 Compliant

Here are six things to look for in a D3P to help you make the cloud 17a-4 compliant.

1. Direct Cloud Connector:

The first thing businesses need in a D3P cloud provider is a connector built into their software that logs directly into all popular cloud services and archives data. This connector will seamlessly copy data to your system automatically every night, instead of using a sync tool to access the cloud. The sync tool is a problem because it adds an extra step to the cloud archiving process that can end up causing gaps.

Similarly, when choosing a cloud provider, avoid less popular ones like ShareFile, SugarSync, or iCloud, as they are proprietary and don’t allow direct connections to cloud file services. Instead, use Office 365, Dropbox, G Suite, or OneDrive. However, for small businesses I don’t recommend SharePoint for file storage because it’s too complex. The best cloud storage combinations are Office 365 hosted email with OneDrive, or G Suite email with electronic records stored on Google Personal Drives or Team Drives.

2. Automatic detection of new data in the cloud

Additionally, the D3P’s software should automatically detect new data sets in the cloud as they are created. For example, as the company adds new users or new Office 365, SharePoint, or OneDrive sites, they are automatically added to the 17a-4 file. This also applies to G Suite, where user accounts are frequently added, including their personal or team drives. If the D3P has automatic detection, it does not need to be notified every time new employees are added to the cloud.

3. Retention of electronic records

Once the provider has transferred the data from the cloud to its system, it must maintain it correctly according to 17a-4. This is where it gets risky, because if you’ve really read the rule, you’ll find an overly complicated list of retention provisions. For example, the rule states that exception reports must be kept for at least 18 months, order tickets for 3 years, and records related to customer accounts for 6 years (the first two years in an easily accessible place), with a default retention period of 6 years for those FINRA books and records that do not otherwise have a specific retention period.

My advice: Ignore the rule here and just make sure the D3P applies a general 7-year retention rule to ALL business-related data. With this policy, you no longer have to separate different types of data and then try to apply a unique retention policy to each set, which is impossible to maintain, especially for a small business without an IT department.

4. Data Download:

At the end of the day, the reason you hire a D3P is to access electronic records or archived emails when needed. Aside from disaster recovery, the main time you need a D3P is during an electronic records request, when FINRA asks for a sample data set that can go back seven years.

First, it is important that the D3P has a secure web portal to access the 17a-4 data file. What’s key here is that the data needs to be downloadable in a format that regulators can read, especially when they’re breathing down your neck during the audit. Here are the guidelines: emails should be downloadable in pst format, Office documents in their native format, and customer databases should be exported in accessible file formats such as csv or text. Finally, these electronic record downloads from the 17a-4 file should be instantly copied to a DVD so that the regulator can bring it to your office for review.

Second, the D3P must preserve the cloud data of users that have been deleted and keep it in an archival state so that it can be recovered. This includes deleted Office 365 mailboxes or G Suite users, and deleted OneDrive sites or Dropbox accounts. Keeping electronic records of users who have been removed from the cloud will also help with compliance, as data from former employees is often requested during audits.

5. Security:

Of course, security is something businesses need to worry about whenever they make a change to their technology, and the compliance officer will surely be called if data is compromised. However, security breaches rarely occur on the D3P endpoint. This is because they host their systems in secure data centers that are locked down, protected by firewalls, and closely monitored. Instead, most hackers launch their attacks from the end user’s PC. What this means is that compliance officers concerned with protecting electronic records for 17a-4 compliance must understand that hackers will attempt to exploit systems from within the office. Therefore, the best defense against security threats is strong passwords, understanding how to limit administrator rights to cloud systems, locking or disconnecting computers that have access to the cloud, and keeping antivirus programs up to date to prevent people from downloading malware that can be used to hack into cloud systems.

6. Pricing:

Finally, when choosing a D3P to archive your data in the cloud, it is important that its pricing structure is based on raw data, not on per-user licenses. You want to find one that uses raw data pricing only, because it will be cheaper to archive data backup sets in the cloud: products like Dropbox, G Suite, and Office 365 rely on individual user accounts, which can add up exponentially as the company grows but contain little data. Having prices based on amounts of raw data will average the cost across all cloud users no matter how many you add, so the price will only increase as more data is added. It therefore gives your business more flexibility to control data archiving costs as it grows.

Summary:

Since cloud providers are not 17a-4 compliant, as a FINRA company compliance officer you must outsource to a Designated Third Party (D3P) who can make the cloud compliant before you start storing electronic records and electronic mail there. There are six things to look for in a D3P that will ensure that no gaps appear in the data archiving process, that electronic records can be accessed during an audit, and that costs are kept as low as possible.

About AdvisorVault:

AdvisorVault is the only D3P that has designed its software to help small FINRA companies archive data in the cloud for 17a-4 compliance. Focusing on solving this unique problem, our consolidated solution provides businesses with a provider to help meet today’s demands around data archiving and monitoring. We’ve created a centralized archiving option that captures data and emails no matter where they’re stored – internally or in the cloud – complete peace of mind, right out of the box.

AdvisorVault Contact:

www.advisorvault.org

Direct: 416-985-0310

Toll Free: 1-866-732-1407 ex 1
