Xtiva launches Xtiva Vault to provide enhanced long-term data retention options
New service will provide SEC Rule 17a-4 compliant deep storage solution for investment firms to enhance long-term data retention and protection.
SEC Rule 17a-4 is one of two SEC rules (the other being 17a-3, if you’re curious) that define the what, the how and the how long for member firms with regard to the preservation and maintenance of records.
As background, we recommend you review the 14-page document about SEC Rule 17a-4 on the FINRA website. Let’s break down some of the key need-to-know items about 17a-4.
The main requirement of Rule 17a-4 is about ensuring firms retain important records for an appropriate period and in a reliable way. The preservation timeframe varies depending on the data type. However, in general, a good rule of thumb for most record types (both company and customer) is that they are to be preserved for a period of not less than six years; the first two years in an easily accessible place after their last regular use.
Let’s look at what constitutes the records, how they should be preserved and how that can be assured.
The scope of information that constitutes the Books and Records of firms is substantial, far beyond the common ‘trade and bookkeeping file’ view. The language around this is voluminous in detail – there are over a dozen categories of information, many with a significant number of sub-categories, warranting careful analysis by firms. We’ve highlighted seven items that we often discuss with our customers:
In addition to transaction journals, these seven categories are all typical forms of books and records information that Xtiva is involved with in supporting our customers. If you are unsure whether a single record type in your possession should be preserved under the standards of Rule 17a-4, consult the rule text or contact your designated FINRA Coordinator.
Pursuant to the Rule, the standard method of preserving each record is a non-erasable, non-rewritable format known as WORM (Write Once Read Many). Firms are required to preserve records this way so that they cannot be altered or destroyed in the event of a hack or data compromise. Both the original record and the duplicate, WORM-compliant copy must be stored for the same period defined in the SEC rules. In addition to WORM-type preservation, the electronic retention system should:
If you are seeking to implement a new system for data retention, you must notify your examining authority 90 days prior to putting it in place. The same applies to establishing an audit system: all broker-dealers must have in place a broad system that monitors the storage of original and duplicate records and allows the SROs to examine that system and determine whether it meets the compliance standards.
An expectation under the Rule is that firms maintain an appropriate audit system with respect to retaining and preserving electronic records. Additionally, firms must maintain and enforce written supervisory procedures that can reasonably be expected to achieve compliance with 17a-4 and related Rules. In practice, the audit and supervision programs are most likely to succeed when they are handled collaboratively by the information security team, compliance and third-party technology partners. Firms should look to their technology partners for guidance where possible and strive to adopt the practices those partners recommend.
Where a member firm uses electronic storage exclusively for at least some portion of its records retention under 17a-4, a specialist, the Designated 3rd Party (D3P), serves as the technical expert for the specific records under retention and, where required, provides access to those records in a medium acceptable to the Regulator(s). The D3P may also support your firm through audits or information requests from regulatory authorities and assist with your ongoing compliance readiness. The D3P can also be a strong support for an effective supervision process. A Designated 3rd Party is required to file a Letter of Undertaking with the appropriate Regulator or examining authority for the member firm, acknowledging its acceptance of the responsibilities and obligations of a Designated 3rd Party.
While maintaining accurate books and records simply for the effective operation of your business is important, it cannot be overstated how substantially the Regulators are increasing their focus on appropriate records retention. In an increasingly digital, complex and risky business environment, this can only be expected to continue. It is therefore imperative that every firm commits adequate resources to defining and operating an effective records retention program, inclusive of: regular operational procedures; ongoing compliance analyses; a periodic refresh of its data management; and retention roadmaps that keep the program aligned with the regulatory environment.