FINRA Compliance Backup

Are Your Clients Adequately Covered?
If you are one of the banking institutions or securities firms covered by FINRA (the Financial Industry Regulatory Authority), you already know that addressing its myriad of listed and implied rules can be quite perplexing. The agency sets high industry standards to ensure regulators and investors have greater access to critical information, while putting security safeguards around the company’s infrastructure and confidential data. Every banking institution and securities dealer that is not regulated by another SRO (Self-Regulatory Organization), such as the Municipal Securities Rulemaking Board (MSRB), is required to adhere to FINRA.

These standards were designed not only to protect the clients and other financial firm stakeholders, but the institutions themselves as well as their contractors and suppliers. FINRA rules serve as a guide for the financial industry, detailing the specific policies that its members need to follow and the information they need to collect, maintain and protect.

Noncompliance with FINRA rules has resulted in massive fines, and the regulatory group keeps pushing these penalties higher. Whereas the Authority fined Citigroup $500,000 for violating the guidelines in 2011, Merrill Lynch was fined $8 million in June 2014 for failing to waive mutual fund charges [1]. For simply failing to provide accurate Blue Sheet data, FINRA fined Barclays, Goldman Sachs and Merrill Lynch $1 million each, also in June 2014 [2].

The Solution Provider Role (and Accountability)
FINRA Rule 3190 (Use of Third-Party Service Providers) went into effect in July 2012. It makes clear that “when a member firm outsources a function or activity related to its business as a regulated broker-dealer to a third-party service provider, it does not relieve the firm of its obligation to comply with applicable securities laws and regulations and FINRA and Municipal Securities Rulemaking Board (MSRB) rules. The firm cannot delegate its responsibilities for, or control over, any outsourced functions or activities.”

That rule also requires a member firm to follow specific supervisory procedures, including due diligence measures, to ensure that its work with third-party service providers doesn’t jeopardize FINRA compliance. Contracts and SLAs must be designed to ensure that applicable securities laws and regulations (including FINRA and MSRB rules) are followed, regardless of who completes the tasks.
Solution providers have a responsibility to not only follow the measures prescribed by these rules, but to properly communicate and document the steps they’ve taken with their financial services customers.

FINRA Rule 3190 places the compliance burden on the financial firm, requiring it to examine the qualifications and competencies of its third-party suppliers thoroughly.

This latest FINRA addition not only clarifies the record-keeping responsibilities for financial institutions, but spells out the obligations that IT service providers and their vendor/supplier partners have in the process. Each assumes liability when prescribed standards aren’t properly followed and, though the consequences of a security breach or process failure may be somewhat murky, the damages from related lawsuits and securities-agency fines could be substantial.

FINRA Coverage
There are numerous types of business and client records that firms need to create, maintain and preserve to be compliant with FINRA (and SEC) rules. In 2001, amendments were adopted to Rules 17a-3 and 17a-4 under the Securities Exchange Act of 1934 to clarify and increase record-keeping requirements related to purchase and sale documents, customer records, associated person records, customer complaint records, and other financial information. These modifications require firms to maintain, or swiftly produce, certain records at the office with which they are associated.

Use a Complete Compliance Solution
As with most of today’s regulations, it’s not enough to simply save and store each file; financial institutions must properly archive the prescribed records and be able to retrieve them within a set timeframe. Data storage system failures and improper filing procedures are real business liabilities, whether intentional or accidental. To comply with all FINRA rules, financial institutions must develop a plan for the proper storage and retrieval of all financial and account-specific documents, and implement procedures and systems that meet the Authority’s standards. No plan is complete without periodic audits confirming that each part of the firm’s records strategy has been implemented properly and functions as prescribed.

Data Backup and Recovery Plays a Key Role
FINRA rules 17a-3 and 17a-4 address data backup and clearly mandate remote backup and storage of electronic records in a location separate from the original copies. Financial institutions and brokerage firms must adhere closely to these requirements and ensure that complete record (data) backups occur each night.

As detailed in the record lists below, each firm must properly archive, back up and retrieve a multitude of documents and financial information over the course of the business’ lifespan. Books, records, databases, email, voice recordings and other communications (such as IMs and texts from all devices) must be backed up and stored in a remote, secondary location.

The typical components of a preferred remote backup solution include:

Remote backup software (online or cloud) to replicate and store the records financial firms need to fulfill 17a-3 requirements.
Electronic record archiving for long-term retention (to meet the requirements of rule 17a-4).
A disaster recovery module. FINRA/NASD 3510 requires a DR plan with periodic audits.
Configuration services. Scheduling of backups and implementing retention policies.
Compliance consultation and documentation services.
Managed services and onsite support to ensure proper system performance.

Which Records do Financial Institutions Have to Maintain?
The complexity with FINRA and SEC compliance isn’t solely in the volume of information and documents that financial firms need to create and update on a continual basis, but in tracking the diverse retention requirements for each type of record.

The first step in addressing FINRA compliance is to understand the records the agency requires members to create and maintain, as well as the specific length of time each document or file must be archived. The following list contains basic details of each rule (including the source of the information), which solution providers can use as a reference when selling to financial institutions:

1. Memoranda of Brokerage Orders and Dealer Transactions
Each brokerage order ticket must be retained, including the terms and conditions of the transaction, any modifications or cancellations, account numbers, associated persons (all involved with the transaction) and a notation indicating if the customer entered the order electronically.
Record retention period: Three years, the first two years in an easily accessible location.
Source: Securities Exchange Act of 1934, SEC Rel. No. 34-47910

2. Associated Person Location and Identification Number Records
A record must be created and maintained for each person associated with the firm. The associated file must contain a list of every office where they regularly conduct business, their CRD number and all internal identification numbers or codes assigned to that person.
Record retention period: Three years after the associated person has terminated employment and all other connections with the firm.
Source: Rule 17a-3(a)(12)(ii).

3. Associated Person Compensation Records
A record must be created and maintained for each purchase and sale of a security attributable to an associated person for compensation purposes. It must contain the amount of compensation attributable to each purchase or sale, a description of the payment (even if it’s non-monetary) and all relationship agreements between the parties.
Record retention period: Three years, the first two years in an easily accessible place.
Source: Rule 17a-3(a)(19).

4. Associated Person Complaint Records
There must be a record of each written customer complaint that a firm receives concerning an associated person. It must contain the complainant’s name, address, and account number; the date the complaint was received; the name of any other associated person identified in the complaint; a description of the nature of the complaint; and the disposition of the complaint.
Record retention period: Three years, the first two years in an easily accessible place.
Source: Rule 17a-3(a)(18)(i).

5. Customer Account Records
The following information must be kept (in record form) for each account associated with a real person (not a corporation or business entity):

name
tax identification number
address
telephone number(s)
date of birth
employment status
annual income
net worth (excluding value of a primary residence)
account investment objectives
signature verifying account information
if a discretionary account, a dated signature of each customer or owner granting authority
a dated signature of each person to whom discretionary authority was granted
Record retention period: Six years after the account is closed or from the date when information was replaced or updated (whichever is earlier).
Source: Rule 17a-3(a)(17).

6. Related Account Record Rules
For each account with a real person as a customer or owner (not a corporation or trust), there must be a record of the firm furnishing each customer who opens an account (on or after May 2, 2003) with SEC-regulated account information. That must take place within 30 days of the opening of the account, and at least every 36 months thereafter.
Record retention period: Six years after the account is closed or from the date when information was replaced or updated (whichever is earlier).
Source: Rules 17a-3(a)(17), 17a-3(a)(18).

7. Communications Supervision Records
Each firm must record and document the firm’s compliance, including its policies, with applicable federal and SRO requirements. This includes the organization’s approval of advertisements, sales literature or other communications with the public.
Record retention period: Three years, the first two years in an easily accessible place.
Source: Rule 17a-3(a)(20).

8. Contact Person Records
Each office must keep a record of all individuals (by name and title) who can promptly explain the types of records maintained in that location and the nature of the information they contain.
Record retention period: Six years, the first two years in an easily accessible place.
Source: Rule 17a-3(a)(21).

9. Responsible Principal Records
Financial institutions must maintain a record of each principal responsible for establishing policies and procedures that ensure compliance with applicable federal requirements or standards set by self-regulatory organizations.
Record retention period: Six years, the first two years in an easily accessible place.
Source: Rule 17a-3(a)(22).

10. Office Records
Each firm must create and maintain certain books and records specific to each of its offices. That includes all records listed above and any additional reports required by FINRA or the SEC.
Record retention period: The most recent two-year period.
Source: Rules 17a-3(g), 17a-3(h), 17a-4(k).

Which Records do Financial Institutions Need to Preserve?
While banks, credit unions and other financial institutions are responsible for creating and maintaining the long list of records above, they must also preserve other company documents and communications to comply with FINRA rules. The following list contains basic details of each rule and the source of the information:

1. Communications with the Public
Original versions of all received communications and copies of all sent communications (and all approvals) must be retained by the firm. This includes inter-office memoranda and messages relating to the firm’s business, as well as all public communications listed above.
Record retention period: Three years, the first two years in an easily accessible place.
Source: Rule 17a-4(b)(4).

2. Organizational Documents
The firm must preserve all partnership documentation, articles of incorporation, corporate charters, minute records, stock certificate books and other organizational documents. Licenses and registrations with any securities regulatory authority also need to be properly archived and maintained.
Record retention period: Life of the enterprise and of any successor company.
Source: Rule 17a-4(d).

3. Special Reports
Each financial firm must preserve any report a securities regulatory authority requests or requires them to create and submit. These documents are typically related to a specific order or settlement.
Record retention period: Three years after the date of the report.
Source: Rule 17a-4(e)(6).

4. Compliance, Supervisory & Procedures Manuals
Each company must retain all compliance, supervisory, and procedures manuals, including any updates, modifications and revisions.
Record retention period: Three years after the manual is no longer in use.
Source: Rule 17a-4(e)(7).

5. Exception Reports
Financial firms must retain all reports of irregularities, such as conflicting information in new account applications and customer account records reflecting suspicious transfers of funds between unrelated accounts.
Record retention period: Eighteen months after the date the report was generated.
Source: Rule 17a-4(e)(8).

FINRA Compliance with Eagle Networks 7d Backup Family Overview
We can help organizations meet FINRA requirements. We offer a cloud backup, archiving and recovery solution that automates the processes of securely backing up electronic data and recovering files. It was created with government regulations like FINRA in mind, to satisfy the need for a safe, reliable and cost-effective method of backing up data offsite and allowing full file restoration at any time from any authorized location. We provide a hybrid solution for local and cloud backup and an online management portal, supporting FINRA’s remote backup software requirement. Data that is moved to the cloud is stored in redundant, SSAE 16 Type 2 compliant data centers located thousands of miles apart from each other. Each data center has 24/7 onsite monitoring, advanced security technology such as biometric access controls, backup generators and redundant connections to the Internet. Information may be recovered from the cloud remotely using the management portal, which is built to support disaster recovery planning.

Our backup solution ensures that financial and related information, including account data, company communications and policies, is fully protected when backed up and stored. It encrypts all data and stores the information in military-grade facilities. Furthermore, in the event of a natural disaster or system failure, the data will be recoverable.

Data Retention and Archiving
Our software features the most robust data retention and archiving settings in the industry, enabling a FINRA compliance-ready solution. The solution can be configured to fit the needs of different file types, the number of revisions needed and the required storage time, so the right historical data is retained for the right period. Once stored, data is never accessible without the private encryption key, mitigating the risk of unauthorized data access.

Data Backup, Recovery and Testing
FINRA regulations require our services team to have the ability to test and restore customer data. This process must be easy and reliable to ensure compliance. With our software, we can restore data directly back to your server, guaranteeing that data is recovered quickly and accurately, without the need to connect to the computer remotely or be onsite at your place of business.

Data Security
Our solution also provides ample security standards for how data is secured to meet FINRA requirements. During a backup, all data will be encrypted before leaving your device and is never accessible without your encryption key. This encryption key is stored only on your system and never transmitted over the Internet. Only the encryption key holder maintains control of the data, eliminating the threat of unauthorized access.

Data is encrypted using 256-bit Advanced Encryption Standard (AES) encryption technology. Using this secure technology, data is initially encrypted during the first backup and then encrypted once again during the Internet transfer, to and from our servers. For added security, each encrypted file is sent over the Internet via a secure channel using Secure Sockets Layer (SSL) technology. The same Internet transmission technology is used for online banking and credit card applications.

Complementary Solutions and Services
In addition to data backup and archiving solutions, FINRA compliance touches a number of other systems within a financial institution. Any system that handles account data, company communications (internal or external) or policies could be considered a potential FINRA risk. That includes:

Email management/encryption services
Document management
Website development/hosting
Social Media consultation
CRM
ERP
VoIP

Summary
Compliance with FINRA and SEC rules isn’t optional for banks, credit unions and other financial services organizations. The recommended procedures and requirements are extensive and affect almost every facet of their members’ businesses, from the time an account application is submitted until several years after that account is closed.

Over that timeframe, each financial institution must maintain and store a multitude of records relating to its actions and policies, as well as the basic account information. Any change must be properly documented, tracked and available for review (on demand) by auditors and other authorized parties.

The complex variables relating to FINRA make it a challenge to comply, but our team has the technology and expertise to help you meet regulatory standards. We understand FINRA’s data retention requirements and have the software and services you need to store your data in a fashion that satisfies regulations.

Please note that nothing in this white paper is intended to constitute legal advice. For more information about FINRA and compliance with FINRA requirements please consult your legal counsel.

For more information on FINRA rules, go to:
www.finra.org
www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p123398.pdf
www.finra.org/web/groups/industry/@ip/@issues/@br/documents/industry/p006378.pdf

All our backup solutions fully comply with the information confidentiality regulations established by the GDPR.