Face Your Next SEC Audit With Confidence

Business Challenge

The Securities and Exchange Commission (SEC) requires broker-dealers to adhere to numerous regulations, including SEC Rule 17a-4, which details stringent requirements on how electronic data is stored. Broker-dealers are required by the rule to retain a designated third party who can independently download electronically stored information for the SEC’s review.

This requirement enables independent access to this data for any reason, but most importantly it eliminates the disruptions that can be caused by personnel changes and obsolete technology. It also makes data available to be used as evidence in court should a broker-dealer face prosecution.

You know that your organization needs to be compliant, but you may not know how you can easily demonstrate compliance. And compliance means you’re prepared if you face an SEC audit.

Industry Fact

SEC Rule 17a-4 states that broker-dealers must archive their data and routinely review the archiving process.

How This Affects You

  • You don’t want your company to be front-page news for the wrong reasons.
  • Your customers only want to work with broker-dealers they can trust.
  • You need to show compliance with SEC Rule 17a-4.
  • Increasingly, SEC auditors are asking for proof that broker-dealers have established this important designated third-party relationship.

What If You Could…

  • Have documented procedures for accessing data in your system, including types of data that are subject to regulations?
  • Create a system configuration plan for each system?
  • Have a qualified and experienced systems analyst review and validate your system configuration plan?
  • Enjoy the credibility of partnering with the only Fortune 1000 provider of designated third-party services?
  • Have the security of a partner with the longevity and stability you need to ensure that the designated third-party services are there when needed?

Four of the nation’s top five bank holding companies depend on the Iron Mountain Designated Third Party Compliance service.

Minimize Your Exposure With Iron Mountain

When you need third-party compliance, we’ll be there. Since 1993, Iron Mountain has been helping financial services firms achieve SEC compliance. We were the very first to develop a set of best practices and to file a third-party undertaking in accordance with SEC Rule 17a-4.

SEC Rule 17a-4 is part of the U.S. Securities Exchange Act of 1934, which outlines requirements for data retention, indexing, and accessibility for companies that deal in the trade or brokering of financial securities such as stocks, bonds, and futures. According to the rule, records of numerous types of transactions must be retained and indexed on indelible media with immediate accessibility for a period of six months, and with non-immediate access for a period of at least two years. Duplicate records must also be kept within the same time frame at an offsite location.

In the last five years, the Financial Industry Regulatory Authority (FINRA), the primary self-regulatory organization for broker-dealers, has focused on prioritizing designated third-party compliance. To help you meet this requirement, Iron Mountain offers its Designated Third Party (D3P) Compliance service.

Our comprehensive D3P service is available for all types of electronic records, including COLD (Computer Output to Laser Disk), back office, imaged, and transactional, as well as email and messaging communications. It offers compliance for an extraordinarily broad range of document management applications, including client-server to mainframe systems. Records can be stored in-house or offsite and on any type of WORM (Write Once, Read Many) media. Equally important, the Iron Mountain Designated Third Party Compliance service offers options so you can choose the best solution to fit your needs:

  • Online — enables remote access by Iron Mountain to your archive systems for electronic records.
  • Onsite — brings Iron Mountain’s compliance experts to your facility to retrieve records from archive electronic storage media (ESM).

The Deliverables: Analysis, Validation, And Peace Of Mind

With a strong knowledge of SEC regulations and proven best practices in providing designated third-party services, Iron Mountain will provide your compliance organization with tremendous insight into your systems, along with a host of other valuable services. As part of Iron Mountain’s service, you receive:

  • A system configuration plan (SCP) explaining access to records
  • Two opportunities to update your SCP each year to reflect changes in your IT infrastructure
  • An annual test and test report to show compliance
  • All the necessary documents to file with the Securities and Exchange Commission, self-regulatory organizations, and the Commodity Futures Trading Commission via the Electronic Data Gathering Analysis and Retrieval (EDGAR) system

With the detailed audit and test reports and system configuration plan from Iron Mountain in hand, you can face your next SEC audit with confidence. You’ll be working with the most experienced designated third party in the business and will have peace of mind knowing that your designated third-party requirement is met.

Value Beyond Compliance

While the threat of penalties may be the motivating force behind designating an independent third party, the benefits extend far beyond compliance. You’ll work with Iron Mountain to prepare a system configuration plan, which is a detailed analysis of your IT environment and the record archiving and retrieval procedures. In addition to providing an indispensable overview of the current compliance status, this process inevitably uncovers previously hidden problems or issues that can be successfully addressed prior to an SEC audit. The system configuration plan also goes a long way in helping to solve other compliance requirements for electronic records.

As part of our Designated Third Party Compliance process, the knowledge within your IT and compliance organizations is captured and retained by Iron Mountain. This eliminates the knowledge gaps that can plague your organization when key individuals leave, a merger occurs, technology is upgraded, or other significant events cause institutional knowledge to drift away.

Why Now

“The regulators are moving towards a zero tolerance policy with respect to noncompliance with the rule, especially in connection with the retention of e-mails.”

— Jeffrey Plotkin, Partner, Day Pitney LLP; Former Assistant Regional Administrator for the Securities and Exchange Commission, Division of Broker-Dealer Enforcement

What Records Are Covered By Rule 17a-4?

Broker-dealers are required to retain, and be able to produce on demand, a wide variety of records spanning all aspects of their business operations. Here is a partial list:

  • Blotters itemizing a daily record of all purchases and sales of securities
  • Ledgers reflecting all assets and liabilities and income, expense, and capital accounts
  • Ledger accounts
  • Memorandums of each brokerage order, purchase, and sale
  • Copies of confirmations of all purchases and sales of securities
  • Record of all puts, calls, spreads, straddles, and other options
  • Employment applications
  • Record of the proof of money balances of all ledger accounts for three years following termination
  • Fingerprints of personnel
  • Record of customers with access to an internal broker-dealer system
  • Written customer complaints
  • Advertisements, sales literature, or communications
  • Listings of people responsible for establishing compliance policies and procedures
  • Checkbooks, bank statements, cancelled checks, and cash reconciliations
  • All bills receivable or payable
  • Originals of all communications received
  • Copies of all communications
  • All guarantees of accounts and all powers of attorney
  • All written agreements

Safe, Secure, And Cost-Effective

Iron Mountain built its reputation on data security, and it remains true to that mission with its Designated Third Party Compliance service. All tests are conducted in Iron Mountain’s secure facilities or at your site and then archived in Iron Mountain’s electronic media vaults, which are constructed specifically for storing digital media.

We’ll work with you to implement cost-effective and operationally sound processes that meet your firm’s needs, while complying with applicable regulatory requirements.

What You Gain…

  • A letter of intent from Iron Mountain indicating that we’ve been contracted to provide services to facilitate your compliance with this rule
  • Tested and validated written procedures for accessing your company’s storage and archive systems, which enables you to proactively address any gaps in your systems before an SEC audit
  • The benefit of a full-level test to show that your recordkeeping practices are sound
  • A letter of undertaking — once all tests are complete — to meet your compliance requirements

As a Designated Third Party Compliance services provider, Iron Mountain is uniquely positioned to assist broker-dealers. Iron Mountain is a world leader in information management services, and our Designated Third Party Compliance service gives you a simple, trusted way to create, test, and maintain a system configuration plan that documents access to the archive and demonstrates compliance with SEC regulations.

About Iron Mountain

Iron Mountain Incorporated (NYSE: IRM) provides information management services that help organizations lower the costs, risks and inefficiencies of managing their physical and digital data. Founded in 1951, Iron Mountain manages billions of information assets, including backup and archival data, electronic records, document imaging, business records, secure shredding, and more, for organizations around the world. Visit the company Web site at www.ironmountain.com for more information.
