Six Characteristics of a Consolidated 17a-4 D3P: A Guide for Small FINRA Businesses

Introduction

Small FINRA businesses cannot spend thousands of dollars a year trying to comply with SEC rule 17a-4; they must continually find ways to keep this cost as low as possible, and one way is to use a Consolidated D3P (Designated Third Party) service.

All too often, however, broker-dealers, RIAs, and investment banks are forced to use multiple vendors to help them meet all the requirements of 17a-4. For example, they have to hire one provider for email archiving, one to back up their books and records, and another to act as their D3P and provide disaster recovery. Because of this, they end up paying too much and making the entire compliance process more complex than it should be.

A Consolidated Designated Third Party, or D3P, is a solution offered by a single provider at a fixed monthly price that includes everything necessary to meet all of the electronic records archiving requirements of rule 17a-4. This means that the D3P chosen by the FINRA firm, such as a stockbroker, performs the actual data backup and archiving and also performs all other necessary functions as the designated third-party download service. Using this type of provider simplifies the entire compliance process, making it easier to pass audits with a huge reduction in the cost of compliance. However, when looking for this type of provider, FINRA companies must ensure that six key features are included.

Six characteristics of a consolidated 17a-4 D3P service:

1. Email Archive. First, a consolidated D3P performs the email archiving. This is important because during a FINRA electronic records request, it is the first thing auditors will want to see as part of the 17a-4 electronic records monitoring process. However, the current problem is that email is widely dispersed; companies now use cloud services, internal email systems, and mobile devices to access their messages. As part of the D3P service, a provider must therefore be able to connect to all of these various systems, take a copy of the messages, and store them in a compliant way.

In addition, it is important that the provider doing the email archiving can also offer advanced email hosting features to customers. For example, D3P’s email service must also include virus/spam filtering, encryption, mobile device coverage, and full web-based search capability with hosted Microsoft Exchange included.

2. Archive of Books and Records. Once a full email archiving process is in place, FINRA members must ensure that the data contained in the books and records is properly archived with the D3P. The difficulty here is that books and records data is spread across the enterprise in many different formats, such as Office documents, scanned files, and databases, and may sit at a branch or be uploaded to the cloud. The key here is also to make sure that all of this data is easily stored in a format that is compliant with the SEC 17a-4 electronic record-keeping rules.

So the D3P must have an automatic method of connecting to all of these various systems and making a copy of the data stored on them so that it can be transferred to 17a-4 compliant storage. In addition, the D3P also has to offer the FINRA firm some additional features to meet the current supervisory rule of 17a-4:

  • Alerts and daily reports. Compliance officers and key personnel should receive regular reports of the data archiving process performed by the D3P. The reports, as well as regular emails showing what data has been archived, will form a critical part of the monitoring process for FINRA companies so that it can be demonstrated to regulators during an audit.
  • Sample data sets. Similar to email, regulators will request a sample data set from the companies' books and records. FINRA companies, such as broker-dealers, will be asked to provide a sample of the data that is filed with the D3P; this should be a simple process that compliance officers can perform themselves during an audit.
  • Secure consolidated access. The D3P should also have a secure consolidated web interface that compliance officers and other key personnel can use to search for and download sample data sets to their computers, so that they can make copies of this data on DVDs that can be given to auditors when they request it.

3. Disaster recovery. Because the D3P performs backup and archiving of critical systems and other electronic records, it must also perform disaster recovery as required by FINRA business continuity plan regulation. However, because they need to fully outsource their disaster recovery, small FINRA businesses need to ensure that the D3P disaster recovery process contains a few key elements.

For example, critical systems and data must be available 48 hours after a disaster. Additionally, as part of the company's business continuity planning process, FINRA will want three main areas covered. First, the system state of critical systems must be protected. System state enables a full system restore, so that applications and their settings can be easily transferred to new servers if the current ones are completely destroyed. Second, any records on servers, PCs, mobile devices, or in the cloud must be retrievable at any time. And finally, the D3P must have a process in place to make emails available during a disaster, either via direct download or secondary web access.

4. Supervision of Electronic Records. To ensure full compliance with SEC Rule 17a-4, FINRA firms must have a tool to perform continuous monitoring of electronic records and be able to access their data archive during an audit. Therefore, the D3P should include a secure web interface that gives compliance officers and other key employees the ability to access and download electronic records to their hard drives, so that sample copies of the data can be made for regulators on the spot. In addition, this monitoring tool must have built-in automatic indexing so that searches can be performed quickly, and all data must be included to provide full access to the data for seven years, as required by SEC rule 17a-4 for compliance with FINRA's electronic records retention requirements.

5. The 17a-4 third-party downloader. As part of their service, the D3P must be able to access the FINRA company's data archive. In addition, they need to be able to download any data in a format readable by auditors. This is critical because archiving data as required by SEC rule 17a-4 can be a complex technical task that auditors don't want companies to get wrong, so firms must rely on a secondary third party who has the technology to provide FINRA companies, such as broker-dealers, with the ability to appropriately outsource the archiving of electronic records so that they are preserved and accessible in their original format.

6. Documentation. As a final obligation, the D3P must create and provide four compliance documents to its clients: (1) a service level agreement, (2) the 17a-4 third-party storage provider letter, (3) the 17a-4 stockbroker letter, and (4) a document describing the disaster recovery procedures.

Summary

Choosing a provider that offers a consolidated D3P service is one of the best ways for small FINRA businesses to simplify compliance with SEC Rule 17a-4 and keep its cost as low as possible. However, it is important that they understand the key requirements that need to be included in the solution because, in the end, the goal is to pass FINRA audits effectively and avoid unnecessary fines, thus maintaining the highest level of customer trust at all times.

November 16, 2014
