Designated 3rd Party Services (Rule 17a-4(f)(3)(vii))
17a-4 provides Letters of Notification (SEC Rule 17a-4(f)(2)(ii)), Letters of Undertaking (SEC Rule 17a-4(f)(3)(vii)) and CFTC Letters under 17 CFR 1.31.
As required by the Securities & Exchange Act of 1934 (Rule 17a-4(f)(3)(vii)), broker dealers must retain, for each electronic records archive, a Designated Third Party who can access the archive and assist a regulator with the production of regulatory records.
Since 2000, 17a-4, llc has worked with the SEC, being retained as an expert witness for e-messaging retention matters, and with broker dealer clients to:
- Ensure regulatory archives and document management systems comply with the requirements of SEC Rule 17a-3, 17a-4, 204-2 and other regulatory requirements
- File the appropriate letters including the Letter of Notification (Representation) (SEC Rule 17a-4(f)(2)(i) or CFTC 1.31) and the Letter of Undertaking (SEC Rule 17a-4(f)(3)(vii))
- Review compliance archives annually and run test audits for retained data
- Provide compliance advice with respect to regulatory records best practices
When called upon by a regulator, 17a-4 will provide evidence of the request to our client and arrange for either recorded WebEx or on premise access to assist in the production of the requested records.
17a-4’s Annual Review
Included in 17a-4’s Designated Third Party Services are 17a-4’s Designated Third Party Questionnaire and 17a-4’s Annual Review, which include:
- Test audits of retained data in the electronic archive
- Review of procedures to separate broker dealer records from other institutional records
- Assessment of current policy to cull privileged emails for efficient productions
- Review of steps to facilitate access to records
- Disposition recommendations and best practices
- Periodic calls to discuss Rule 17a-4 options and best practices
The Annual Review brings IT and Compliance together to review compliance requirements, current guidance and completion of 17a-4’s Designated Third Party Questionnaire. This process encourages a meeting of the minds as to how IT is supporting Compliance. Questions arise, such as when and how email records are disposed of, and how a firm manages emails that may be in users’ email accounts but have been disposed of from the archive.
Documentation from the Annual Reviews can be incorporated into the more thorough annual compliance review required by SEC Rule 206(4)-7 and FINRA Rule 3130.
Unlike many other Designated Third Parties, 17a-4 combines a high level of knowledge with respect to both technology and compliance. Moreover, a large client base enables a deep understanding of the architecture of SharePoint, OpenText, Schwab Compliance, Sungard, SQL databases, Microsoft’s Office 365, Amazon’s AWS, Salesforce, Symphony, Bloomberg and the other platforms in use by financial institutions. SharePoint, for instance, can be difficult to make Rule 17a-4 compliant. 17a-4 provides an understanding of industry tools available to capture and control SharePoint content.
Microsoft’s Office 365 has developed the necessary infrastructure and procedures to comply with financial industry regulations. However, users need to configure the appropriate settings, such as In-place Hold and Retention policies, so that all records are preserved. 17a-4, llc has worked with Microsoft and clients currently using Office 365 for compliance.
17a-4 works with virtually all of the major on premise archive vendors including EnterpriseVault, EMC’s SourceOne, OpenText and CommVault.
Finding an acceptable access procedure is often challenging with large financial institutions. Regulators continue to press institutions to make their systems more secure from hacking or intrusion, yet still require that a Designated Third Party have access. 17a-4 has developed many options for clients to balance these two requirements.