Creating a Compliant Distributed Paperless Office

It's a shame that financial firms are still afraid to take advantage of the latest technology simply because of outdated compliance regulation. These days, the most confusion is caused by rule 17a-4 with its archaic WORM disk retention requirements.

By Allan Lonz, President, AdvisorVault.org

Introduction
These days, most of the confusion is caused by rule 17a-4 with its archaic WORM disk retention requirements, which not only puzzle regulators but make firms hesitant to take advantage of some great new services that can give them a huge competitive advantage.

One such service is the distributed paperless office, which basically means converting all documents to electronic form, uploading them to the cloud, and sharing them among clients, employees and partners for access to data anytime from anywhere. This is very attractive to small firms because it instantly gives them an enterprise-wide document sharing solution without having to invest in any hardware or software.

However, the true impediment to the distributed paperless office is not actually security; this is solved at the user level through strong passwords and secure web sites. In fact, the big challenge is that cloud data must be stored in accordance with SEC rules but, by default, cloud providers are not compliant. Therefore, before going fully paperless, a few important questions have to be answered.

For example, when documents are initially scanned, where should they be stored? And once uploaded to the cloud, how can they be kept in their original format? And lastly, how will they be indexed so that they can be easily searched and retrieved if requested by auditors? These questions must be answered before going paperless.

Making the Cloud 17a-4 Compliant
The answer, especially for small firms, is to fully understand how to make secondary, SEC compliant copies of cloud data so that it can be effectively transferred to a FINRA Designated Third Party (D3P) provider. Surely they don’t want to attempt this process themselves; they must outsource it. However, they must understand that there are four categories of cloud providers and each has a different method to accomplish this:


1. Dropbox. This is probably the most popular cloud solution used by small firms, and it's actually quite easy to make compliant because installation creates a local folder on each PC, which can then be backed up to a third party’s SEC compliant storage. It simply requires a user who has elevated privileges to the Dropbox folder structure.

2. Google Docs. This is another useful cloud solution suited to FINRA firms. However, to make Google Docs compliant an extra step is needed. Google Drive is free and needs to be installed on at least one PC to get direct access to records uploaded to Google Docs; a regular backup of this can then be done for archiving. Also, Google Docs can host corporate email, providing a platform to include this in the archive.

3. Microsoft Office 365. This is also a popular choice for FINRA firms to integrate into their paperless office strategy; however, to make it compliant, additional third-party software must be purchased to allow secondary copies of data to be made. This is an extra cost of up to $500.00 per year. Also, Office 365 can host email and documents like Google for a fully hosted document storage solution.

4. ShareFile. This requires an extra add-in to make it compliant. The ShareFile Sync application needs to be installed on a dedicated PC and configured to regularly make copies of data, which can then be archived as per 17a-4.

Ongoing Supervision of Cloud Data
Once a process is in place to make secondary 17a-4 copies of cloud data, firms need to ensure they can properly supervise this data. Ideally, the same D3P that is performing the archiving of cloud data will also offer a supervisory interface which can access this data. However, this supervisory tool needs to have several key features to fully satisfy rule 17a-4:

  • Indexing of Data. A method is needed to index cloud data once it’s stored with the D3P provider. This is important to make searches faster and to ensure all info is included in the archive.

  • Secure Access. Ideally, the archive will be accessed from one secure web interface. This allows compliance officers and other staff to easily share the supervisory responsibilities.

  • Downloading Data. Compliance officers need to make copies of electronic records for auditors. And a proper supervisory tool will centralize the downloading of all data stored in the cloud such as emails, office documents, scanned records and key client databases.

Summary
Implementing a fully compliant, distributed paperless office depends a great deal on which cloud provider is selected. It is important to understand how each allows copies of data to be made so that it can be easily transferred to an SEC compliant D3P service. Also, it’s important that a supervisory tool is included; ideally the same provider that does the archiving will offer this. Firms need to understand this and choose the cloud provider that offers the best method to seamlessly automate this process for ongoing records archiving and supervision as per 17a-4.

About AdvisorVault
AdvisorVault is the only remote backup provider that helps small financial firms achieve today’s stringent data compliance requirements surrounding electronic records archiving and supervision. With our designated third-party status (D3P) we help our customers with rules 17a-3 & 17a-4, as well as the supervisory and disaster recovery demands contained in FINRA rules 3510 and 3010. For one flat monthly fee the service includes everything needed to ensure today’s audits are successfully passed.

AdvisorVault Contact:
Allan Lonz, President
alonz@advisorvault.org
www.advisorvault.org
Direct: 416-985-0310
Toll free 1-866-732-1407
To watch a 3 minute presentation of the product click below:
http://www.advisorvault.org/presentation/index.html