Key Components Specific to FINRA and SEC 17a-4
SEC and FINRA enforce security guidelines protecting personal information using regulation rule 17a-4: Privacy of Consumer Financial Information. A key component of this regulation is working with a cloud provider that offers the guidance and guarantees needed to ensure that using its cloud hosting services meets these stringent IT requirements. Here are some items to consider when choosing an SEC- and FINRA-compliant cloud provider.
Is the cloud storage system you’ve chosen secure?
- Do you have documented internal IT security policies and procedures in place governing the steps you’ve taken in order to protect client information?
- Can you ensure the security and confidentiality of customer records and information?
- Do you protect against any anticipated threats or hazards to the security or integrity of customer records and information?
- Can you protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer?
- Have you considered encrypting the documents before storing them in the cloud?
Intellectual Property Rights
Who owns the intellectual property rights to the data a financial services provider intends to store in the cloud? Read the fine print: the Terms of Service of the various cloud storage providers vary quite a bit. You may own your data, but the cloud storage provider has possession of it and may even have legal rights to use it for its own benefit. It may also lack export options that would let you get your data back. Typically, providers are under no obligation to permanently erase your data when you terminate your account. Ensure your cloud provider's service level agreement meets SEC and FINRA basic standards.
Here is a simplified list of the requirements, covering the policies firms must enact and the technologies they must implement:
- Have written and enforceable data retention policies
- Store data on non-erasable, non-rewritable media
- Maintain a searchable index of all stored data
- Have readily retrievable and viewable data
- Maintain backup storage of data offsite
You must also be able to, on demand, produce all:
- Ledgers of assets and liabilities, income, expense and capital accounts
- Order, purchase and sale memos
- Put, call, spread and straddle records
- Employees’ original job applications and fingerprints
- Written records of customer complaints
- Accounts payable and receivable records
- Electronic communications
Have a question of your own about Diverse Technology Solutions’ dedication to SEC and FINRA compliance? Contact us today.