The Financial Industry Regulatory Authority, Inc. (FINRA) is a private corporation that regulates brokerage firms and exchange markets. It’s subject to the authority of the Securities and Exchange Commission, which regulates the entire securities industry in the United States. SEC rule 17a-4 deals with the retention, storage and access of electronic records related to brokerages and securities. This rule creates challenges for a small business that must comply with FINRA requirements, since it typically lacks the budget traditionally required for this task. This post discusses the ways in which small firms can comply with SEC rule 17a-4 when storing and sharing FINRA data electronically.
Small businesses may not know what FINRA auditors want, because auditors often ask for different things when requesting electronic records. Auditors may request anything from complete electronic records to just a sample of historical emails. They may also want a current copy of the business’s books on disk. Furthermore, some FINRA auditors may want to review the firm’s disaster recovery procedures. These variations are due to factors such as differences in aptitudes between individual auditors and each state’s approach to regulatory compliance.
SEC rule 17a-4 specifies the retention period for each type of record needed for FINRA compliance. For example, trade blotters must be retained for three years, while asset and liability ledgers have a retention period of four years. Other records such as order tickets and trade confirmations need to be retained for seven years. However, small businesses are often better off retaining all records for the maximum retention period of seven years. This retention policy is typically less costly than selecting the specific retention period for each type of record, especially when a business first joins FINRA.
FINRA generally doesn’t care where data is stored, as long as member firms can automatically transfer data to a 17a-4 designated third party (D3P). Small businesses should therefore rely on off-premises servers to store their FINRA records in most cases, which typically requires less overhead than storing them on site. Firms that only require simple data storage and sharing capabilities should use solutions such as Dropbox and Google Drive, since they don’t need additional connectors to remain compliant with FINRA regulations. A company that needs advanced capabilities such as database access or enterprise software should use a cloud server such as Amazon or Azure.
Compliance officers want to access archived data easily when an auditor asks for it. Difficulty in performing this task tells the auditor that the compliance officer hasn’t been supervising the storage of electronic records regularly. Any storage solution from a D3P should therefore include a complete 17a-4 supervisory interface, which is typically a secure website.
CSCi provides a range of remote and on-site services for small and medium businesses in the San Diego area. We provide professional IT solutions for our clients by partnering with companies like Cisco, HP and Microsoft. Contact us today to see how we can meet your FINRA compliance needs.