The Financial Industry Regulatory Authority (FINRA) is the self-regulatory organization, authorized by Congress and overseen by the U.S. Securities and Exchange Commission (SEC), that supervises U.S. broker-dealers so that investors are protected and treated fairly. As part of that mandate, FINRA has adopted a set of rules and standards for the proper use, storage and retrieval of financial records. These rules combine FINRA’s own requirements with those mandated by the SEC.
Cloud Storage of Documents
FINRA and SEC rules apply to all storage methods for client and client-related data, from names and addresses to email, transaction records and credit card information. It is the financial services company’s responsibility to abide by these requirements, whether the data is stored on paper, on a USB drive, on an office server, or on a laptop.
Today, an increasing amount of data is stored on “the cloud,” which is the term for servers that can be accessed from practically any device, from any location over the internet. While cloud storage solutions come in all sorts of forms, they can be divided into four categories, as follows:
- Public clouds: These are offered by a service provider and shared among many customers on the same infrastructure, like Google Drive, OneDrive and Dropbox.
- Private clouds: These are built and run in-house on a firm’s own servers, or on dedicated infrastructure that is not shared with other companies, such as the single-tenant offerings of cloud providers like Amazon.
- Hybrid clouds: These are any combination of public and private clouds used together.
- Virtual data rooms (VDRs): These are secure data vaults designed specifically for storing, tracking and sharing confidential files.
Are Cloud Services FINRA-Compliant?
Public cloud services, like Google Drive, OneDrive or Dropbox, are not FINRA-compliant out of the box, and their providers do not claim they are. A firm can use these services and still be FINRA-compliant, but this usually means relying on a third-party product that layers the required retention, immutability and audit controls on top of the storage service.
Private clouds may be FINRA-compliant if they are configured for that purpose. Reputable VDRs, on the other hand, are generally FINRA-compliant, since they were designed around the same kinds of security and auditing requirements that FINRA mandates.
FINRA Compliance Can’t Be Taken for Granted
As FINRA itself explains, outsourcing an activity or function to an outside company, such as a cloud service provider, does not relieve a firm of its responsibility to comply with applicable laws, securities regulations or FINRA rules. In short, your clients’ data is your responsibility, whether you keep it yourself or hand it to another company for safekeeping.
Unfortunately, many firms have overlooked this. In its 2021 report on its examination and risk monitoring program, FINRA noted that firms were adopting cloud storage without performing the due diligence needed to verify the vendor’s ability to meet FINRA requirements.
This can be a costly oversight. Penalties for non-compliance can run to multi-million dollar fines and can even include expulsion from FINRA membership.
FINRA Rules 3190 and 4511
Under Rule 3190 (Use of Third-Party Service Providers), responsibility for FINRA compliance stays with the firm that uses the service, not with the service provider, and the firm’s due diligence must be completed before it begins using the service.
FINRA recommends three effective practices when dealing with any cloud storage provider, as follows:
- Contract review: This entails reviewing vendor contracts and agreements to determine whether they satisfy the FINRA books and records rules, the standards for electronic storage media (ESM), and the notification requirements that apply before a firm uses ESM.
- Testing and verification: This entails testing the cloud service to confirm that it fulfills the firm’s regulatory obligations, for example by simulating a regulator’s exam (requesting records the way an examiner would) or by having a third-party consultant confirm compliance.
- Attestation verification: This entails confirming with the cloud service provider that it will provide the required third-party attestation.
Rule 4511 requires member firms to make and preserve books and records as required by FINRA rules, the Securities Exchange Act and the applicable SEC rules, and, where no retention period is specified, to preserve them for at least six years. For customer account records, the SEC’s Rule 17a-4 measures the six-year period from the closing of the account.
SEC Rules for Data
The Securities Exchange Act of 1934 includes two sets of rules that govern the creation, storage, backup and archiving of electronic records: Rule 17a-3 (which records must be made) and Rule 17a-4 (how long they must be preserved and in what form). FINRA incorporates both by reference.
As RSI Security explains, this means that financial and securities firms need to address cybersecurity according to their own risk profiles: identify the risks, then put programs and procedures in place to address them. This amounts to six best practices, as follows:
- Encrypt all confidential data not meant to be available to the public.
- Address cybersecurity risks at the branch office level.
- Implement robust access controls for all confidential data.
- Ensure vendors, like cloud storage providers, also have appropriate security measures in place.
- Train all employees on cybersecurity threats and their personal responsibilities.
- Perform regular internal security audits to ensure compliance.
A Detailed Information Security Program
Your storage system must have controls that prevent unauthorized access to the files, and it must be able to detect intrusion: not only attempts to read the files, but attempts to add to, alter or delete your records. SEA Rule 17a-4 requires electronically stored records to be kept in a form that preserves the original record against overwriting or erasure for the length of the retention period. All of these controls, and the procedures around them, need to be documented.
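As an added illustration (not Caplinked’s product code, and not a substitute for a qualified electronic storage system), the following Python sketch shows the controls this section asks for applied to a write-once archive: a second write to an existing record or a delete inside the retention period is refused and logged, every access is recorded in a hash-chained audit log that detects later editing of the log, and retrieval re-checks the record’s hash, which is what a simulated examiner’s records request (the testing practice described above) would exercise. The record ids, the e-mail addresses, the in-memory store, the fixed clock and the six-year retention constant are constructed assumptions for the example.

```python
"""Added illustration (not Caplinked's code): a write-once record archive with
retention enforcement and a hash-chained audit trail, standard library only."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

RETENTION_YEARS = 6      # assumption: the six-year period the page cites
GENESIS = "0" * 64       # prev_hash of the first audit entry


class RetentionViolation(Exception):
    """A record would be overwritten, altered or deleted inside its retention period."""


def _add_years(dt, years):
    """Move dt forward by `years`, clamping 29 Feb to 28 Feb when needed."""
    try:
        return dt.replace(year=dt.year + years)
    except ValueError:
        return dt.replace(year=dt.year + years, day=28)


class RecordArchive:
    """In-memory stand-in for a cloud object store with write-once semantics."""

    def __init__(self, clock=None):
        # The clock is injectable so a test can move time past the retention date.
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._records = {}   # record_id -> {content, sha256, stored_at, retain_until}
        self._audit = []     # hash-chained audit entries, oldest first

    def _log(self, event, record_id, **fields):
        """Append an audit entry whose hash covers its fields and the previous entry's hash."""
        prev = self._audit[-1]["entry_hash"] if self._audit else GENESIS
        entry = {"event": event, "record_id": record_id,
                 "at": self._clock().isoformat(), "prev_hash": prev, **fields}
        entry["entry_hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._audit.append(entry)

    def store(self, record_id, content, actor):
        """Write-once: a second write to the same id is refused and logged."""
        if record_id in self._records:
            self._log("overwrite_refused", record_id, actor=actor)
            raise RetentionViolation(f"{record_id} already exists; records are write-once")
        now = self._clock()
        digest = hashlib.sha256(content).hexdigest()
        self._records[record_id] = {"content": bytes(content), "sha256": digest,
                                    "stored_at": now,
                                    "retain_until": _add_years(now, RETENTION_YEARS)}
        self._log("stored", record_id, actor=actor, sha256=digest)
        return digest

    def retrieve(self, record_id, actor):
        """Return the record after re-checking the hash taken when it was stored."""
        rec = self._records[record_id]
        intact = hashlib.sha256(rec["content"]).hexdigest() == rec["sha256"]
        self._log("retrieved", record_id, actor=actor, integrity_ok=intact)
        if not intact:
            raise RetentionViolation(f"{record_id} failed its integrity check")
        return rec["content"]

    def delete(self, record_id, actor):
        """Deletion is honoured only once the retention period has elapsed."""
        rec = self._records[record_id]
        if self._clock() < rec["retain_until"]:
            self._log("delete_refused", record_id, actor=actor,
                      retain_until=rec["retain_until"].isoformat())
            raise RetentionViolation(f"{record_id} is retained until {rec['retain_until']:%Y-%m-%d}")
        del self._records[record_id]
        self._log("deleted", record_id, actor=actor)

    def audit_events(self):
        return [e["event"] for e in self._audit]

    def verify_audit_chain(self):
        """Recompute every hash; an edited, removed or reordered entry breaks the chain."""
        prev = GENESIS
        for entry in self._audit:
            if entry["prev_hash"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo():
    """Constructed walk-through on a fixed clock; returns the outcome of each step."""
    now = [datetime(2024, 1, 15, tzinfo=timezone.utc)]          # constructed clock
    archive = RecordArchive(clock=lambda: now[0])
    rid, actor = "acct-0001/statement-2024-01", "ops@example.com"   # constructed ids
    results = {"stored_sha256": archive.store(rid, b"constructed sample statement", actor)}
    for step, call in (("overwrite_blocked", lambda: archive.store(rid, b"edited", actor)),
                       ("early_delete_blocked", lambda: archive.delete(rid, actor))):
        try:
            call()
            results[step] = False
        except RetentionViolation:
            results[step] = True
    results["retrieved_intact"] = archive.retrieve(rid, "examiner@example.com") == b"constructed sample statement"
    now[0] += timedelta(days=366 * RETENTION_YEARS)             # step past the retention date
    archive.delete(rid, actor)
    results["deleted_after_retention"] = rid not in archive._records
    results["audit_chain_ok"] = archive.verify_audit_chain()
    results["audit_events"] = archive.audit_events()
    archive._audit[1]["event"] = "stored"                        # simulate someone rewriting history
    results["tamper_detected"] = not archive.verify_audit_chain()
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A production system would hold the audit log and the records on separate, access-controlled storage and anchor the chain head somewhere the storage administrator cannot edit; the in-memory version only shows the shape of the checks.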
VDRs and FINRA Compliance
Virtual data rooms, like those offered by Caplinked, are designed to help you comply with FINRA requirements, as well as the requirements of other regulatory bodies that mandate specific safeguards for the storage, tracking and retrieval of confidential or sensitive files.
Caplinked VDRs and FINRA-Approved Cloud Storage
Caplinked’s VDR is designed to be FINRA-compliant out of the box, although it remains each customer’s responsibility to ensure that the VDR’s tools are used properly.
Data is encrypted at rest with 256-bit Advanced Encryption Standard (AES-256) from the moment it is uploaded to your data vault. When a file in the VDR is opened or downloaded, it travels over TLS-protected connections using TLS 1.2 cipher suites, so it is encrypted in transit as well as at rest.
In addition, your VDR administrator has the tools needed to manage permissions, ensuring that only people who need access to specific files and folders have it. If an employee leaves or no longer requires access, that access can be revoked immediately, including access to documents already downloaded, thanks to the DRM technology embedded in each document.
Digital watermarks on each downloaded document ensure that if a document is shared improperly, it can be traced back to its source using the downloader’s email address and IP address.
Working Together toward Compliance
To explore Caplinked’s security features and its user-friendly interface, register today for a free trial. Alternatively, if you want to know more about how Caplinked will work with you to keep your financial services firm SEC- and FINRA-compliant, including information on third-party attestation, contact us today.
RSI Security: FINRA Compliance Requirements 101
FINRA: SEA Rule 17a-3
FINRA: SEA Rule 17a-4