The Securities and Exchange Commission (SEC) requires broker-dealers to
adhere to numerous regulations, including SEC Rule 17a-4, which details
stringent requirements on how electronic data is stored. Broker-dealers are
required by the rule to retain a designated third party who can independently
download electronically stored information for the SEC’s review.
This requirement enables independent access to this data for any reason, but
most importantly it eliminates the disruptions that can be caused by personnel
changes and obsolete technology. It also makes data available to be used as
evidence in court should a broker-dealer face prosecution.
You know that your organization needs to be compliant, but you may not know
how you can easily demonstrate compliance. And compliance means you’re
prepared if you face an SEC audit.
SEC Rule 17a-4 states that
broker-dealers must archive
their data and routinely
review the archiving process.
How This Affects You
- You don’t want your company to be front-page news for the wrong reasons.
- Your customers only want to work with broker-dealers they can trust.
- You need to show compliance with SEC Rule 17a-4.
- Increasingly, SEC auditors are asking for proof that broker-dealers have
established this important designated third-party relationship.
What If You Could…
- Have documented procedures for accessing data in your system, including
types of data that are subject to regulations?
- Create a system configuration plan for each system?
- Have a qualified and experienced systems analyst review and validate your
system configuration plan?
- Enjoy the credibility of partnering with the only Fortune 1000 provider of
designated third-party services?
- Have the security of a partner with the longevity and stability you need to
ensure that the designated third-party services are there when needed?
Four of the nation’s top five
bank holding companies
depend on the Iron Mountain
Designated Third Party
Minimize Your Exposure With Iron Mountain
When you need third-party compliance, we’ll be there.
Since 1993, Iron Mountain has been helping financial
services firms achieve SEC compliance. We were the very
first to develop a set of best practices and to file a third-party
undertaking in accordance with SEC Rule 17a-4.
SEC Rule 17a-4 is part of the U.S. Securities
Exchange Act of 1934 which outlines requirements
for data retention, indexing, and accessibility for
companies which deal in the trade or brokering of
financial securities such as stocks, bonds, and
futures. According to the rule, records of numerous
types of transactions must be retained and indexed
on indelible media with immediate accessibility for
a period of six months, and with non-immediate
access for a period of at least two years. Duplicate
records must also be kept within the same time
frame at an offsite location.
In the last five years, the Financial Industry Regulatory
Authority (FINRA), the primary self-regulatory
organization for broker-dealers, has focused on prioritizing
designated third-party compliance. To help you meet this
requirement, Iron Mountain offers its Designated Third
Party (D3P) Compliance service.
Our comprehensive D3P service is available for all types of
electronic records, including COLD (Computer Output to
Laser Disk), back office, imaged, and transactional, as well
as email and messaging communications. It offers
compliance for an extraordinarily broad range of document
management applications, including client-server to
mainframe systems. Records can be stored in-house or
offsite and on any type of WORM (Write Once, Read Many)
media. Equally important, the Iron Mountain Designated
Third Party Compliance service offers options so you can
choose the best solution to fit your needs:
Online — enables remote access by Iron Mountain to your
archive systems for electronic records.
Onsite — brings Iron Mountain’s compliance experts to
your facility to retrieve records from archive electronic
storage media (ESM).
The Deliverables: Analysis, Validation, And
Peace Of Mind
With a strong knowledge of SEC regulations and proven
best practices in providing designated third-party services,
Iron Mountain will provide your compliance organization
with tremendous insight into your systems, along with a
host of other valuable services. As part of Iron Mountain’s
service, you receive:
- A system configuration plan (SCP) explaining access
- Two opportunities to update your SCP each year to
reflect changes in your IT infrastructure
- An annual test and test report to show compliance
- All the necessary documents to file with the Securities
and Exchange Commission, self-regulatory
organizations, and the Commodity Futures Trading
Commission via the Electronic Data Gathering Analysis
and Retrieval (EDGAR) system
With the detailed audit and test reports and system
configuration plan from Iron Mountain in hand, you can
face your next SEC audit with confidence. You’ll be working
with the most experienced designated third party in the
business and will have peace of mind knowing that your
designated third-party requirement is met.
Value Beyond Compliance
While the threat of penalties may be the motivating force
behind designating an independent third party, the benefits
extend far beyond compliance. You’ll work with Iron
Mountain to prepare a system configuration plan, which is
a detailed analysis of your IT environment and the record
archiving and retrieval procedures. In addition to providing
an indispensable overview of the current compliance
status, this process inevitably uncovers previously hidden
problems or issues that can be successfully addressed
prior to an SEC audit. The system configuration plan also
goes a long way in helping to solve other compliance
requirements for electronic records.
As part of our Designated Third Party Compliance process,
the knowledge within your IT and compliance organizations
is captured and retained by Iron Mountain. This eliminates
the knowledge gaps that can plague your organization
when key individuals leave, a merger occurs, technology is
upgraded, or other significant events cause institutional
knowledge to drift away.
“The regulators are moving towards a
zero tolerance policy with respect to
noncompliance with the rule, especially
in connection with the retention of
— Jeffrey Plotkin, Partner, Day Pitney LLP
Former Assistant Regional Administrator for the Securities and Exchange
Commission, Division of Broker-Dealer Enforcement
What Records Are Covered By
Broker-dealers are required to retain, and be able to
produce on demand, a wide variety of records
spanning all aspects of their business operations.
Here is a partial list:
- Blotters itemizing a daily record of all purchases and
sales of securities
- Ledgers reflecting all assets and liabilities and
income, expense, and capital accounts
- Ledger accounts
- Memorandums of each brokerage order, purchase,
- Copies of confirmations of all purchases and sales
- Record of all puts, calls, spreads, straddles, and
- Employment applications
- Record of the proof of money balances of all ledger
accounts for three years following termination
- Fingerprints of personnel
- Record of customers with access to an internal
- Written customer complaints
- Advertisements, sales literature, or communications
- Listings of people responsible for establishing
compliance policies and procedures
- Checkbooks, bank statements, cancelled checks,
and cash reconciliations
- All bills receivable or payable
- Originals of all communications received
- Copies of all communications
- All guarantees of accounts and all powers
- All written agreements
Safe, Secure, And Cost-Effective
Iron Mountain built its reputation on data security, and it
remains true to that mission with its Designated Third
Party Compliance service. All tests are conducted in Iron
Mountain’s secure facilities or at your site and then
archived in Iron Mountain’s electronic media vaults, which
are constructed specifically for storing digital media.
We’ll work with you to implement cost-effective and
operationally sound processes that meet your firm’s needs,
while complying with applicable regulatory requirements.
What You Gain…
- A letter of intent from Iron Mountain indicating that
we’ve been contracted to provide services to facilitate
your compliance with this rule
- Tested and validated written procedures for accessing
your company’s storage and archive systems, which
enables you to proactively address any gaps in your
systems before an SEC audit
- The benefit of a full-level test to show that your
recordkeeping practices are sound
- A letter of undertaking — once all tests are complete —
to meet your compliance requirements
As a Designated Third Party Compliance services provider,
Iron Mountain is uniquely positioned to assist broker-dealers.
Iron Mountain is a world leader in information
management services, and our Designated Third Party
Compliance service gives you a simple, trusted way to
create, test, and maintain a system configuration plan that
documents access to the archive and demonstrates
compliance with SEC regulations.
About Iron Mountain
Iron Mountain Incorporated (NYSE: IRM) provides information
management services that help organizations lower the costs, risks and inefficiencies of managing
their physical and digital data. Founded in 1951, Iron Mountain manages billions of information
assets, including backup and archival data, electronic records, document imaging, business records,
secure shredding, and more, for organizations around the world. Visit the company Web site at
www.ironmountain.com for more information.