
Designated Third Party Provider Compliance (D3P)

Face Your Next SEC Audit With Confidence

Business Challenge

The Securities and Exchange Commission (SEC) requires broker-dealers to adhere to numerous regulations, including SEC Rule 17a-4, which details stringent requirements on how electronic data is stored. Broker-dealers are required by the rule to retain a designated third party who can independently download electronically stored information for the SEC’s review.

SEC Rule 17a-4 states that broker-dealers must archive their data and routinely review the archiving process.

This requirement enables independent access to this data for any reason, but most importantly it eliminates the disruptions that can be caused by personnel changes and obsolete technology. It also makes data available to be used as evidence in court should a broker-dealer face prosecution.

You know that your organization needs to be compliant, but you may not know how you can easily demonstrate compliance. And compliance means you’re prepared if you face an SEC audit.

How This Affects You

  • You don’t want your company to be front-page news for the wrong reasons.
  • Your customers only want to work with broker-dealers they can trust.
  • You need to show compliance with SEC Rule 17a-4.
  • Increasingly, SEC auditors are asking for proof that broker-dealers have established this important designated third-party relationship.

What If You Could...

  • Have documented procedures for accessing data in your system, including types of data that are subject to regulations?
  • Create a system configuration plan for each system?
  • Have a qualified and experienced systems analyst review and validate your system configuration plan?
  • Enjoy the credibility of partnering with the only Fortune 1000 provider of designated third-party services?
  • Have the security of a partner with the longevity and stability you need to ensure that the designated third-party services are there when needed?

Minimize Your Exposure With Iron Mountain

Four of the nation’s top five bank holding companies depend on the Iron Mountain Designated Third Party Compliance service.

When you need third-party compliance, we’ll be there. Since 1993, Iron Mountain has been helping financial services firms achieve SEC compliance. We were the very first to develop a set of best practices and to file a third-party undertaking in accordance with SEC Rule 17a-4.

In the last five years, the Financial Industry Regulatory Authority (FINRA), the primary self-regulatory organization for broker-dealers, has focused on prioritizing designated third-party compliance. To help you meet this requirement, Iron Mountain offers its Designated Third Party (D3P) Compliance service.

Our comprehensive D3P service is available for all types of electronic records, including COLD (Computer Output to Laser Disk), back office, imaged, and transactional, as well as email and messaging communications. It offers compliance for an extraordinarily broad range of document management applications, from client-server to mainframe systems. Records can be stored in-house or offsite and on any type of WORM (Write Once, Read Many) media. Equally important, the Iron Mountain Designated Third Party Compliance service offers options so you can choose the best solution to fit your needs:

  • Online — enables remote access by Iron Mountain to your archive systems for electronic records.
  • Onsite — brings Iron Mountain’s compliance experts to your facility to retrieve records from archive electronic storage media (ESM).

SEC Rule 17a-4 is part of the U.S. Securities Exchange Act of 1934, which outlines requirements for data retention, indexing, and accessibility for companies that deal in the trade or brokering of financial securities such as stocks, bonds, and futures. According to the rule, records of numerous types of transactions must be retained and indexed on indelible media with immediate accessibility for a period of six months, and with non-immediate access for a period of at least two years. Duplicate records must also be kept within the same time frame at an offsite location.

The Deliverables: Analysis, Validation, and Peace of Mind

With a strong knowledge of SEC regulations and proven best practices in providing designated third-party services, Iron Mountain will provide your compliance organization with tremendous insight into your systems, along with a host of other valuable services. As part of Iron Mountain’s service, you receive:

  • A system configuration plan (SCP) explaining access to records
  • Two opportunities to update your SCP each year to reflect changes in your IT infrastructure
  • An annual test and test report to show compliance
  • All the necessary documents to file with the Securities and Exchange Commission, self-regulatory organizations, and the Commodity Futures Trading Commission via the Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system

With the detailed audit and test reports and system configuration plan from Iron Mountain in hand, you can face your next SEC audit with confidence. You’ll be working with the most experienced designated third party in the business and will have peace of mind knowing that your designated third-party requirement is met.

Why Now?

“The regulators are moving towards a zero tolerance policy with respect to noncompliance with the rule, especially in connection with the retention of e-mails.”

— Jeffrey Plotkin, Partner, Day Pitney LLP
Former Assistant Regional Administrator for the Securities and Exchange Commission, Division of Broker-Dealer Enforcement

Value Beyond Compliance

While the threat of penalties may be the motivating force behind designating an independent third party, the benefits extend far beyond compliance. You’ll work with Iron Mountain to prepare a system configuration plan, which is a detailed analysis of your IT environment and the record archiving and retrieval procedures. In addition to providing an indispensable overview of the current compliance status, this process inevitably uncovers previously hidden problems or issues that can be successfully addressed prior to an SEC audit. The system configuration plan also goes a long way in helping to solve other compliance requirements for electronic records.

As part of our Designated Third Party Compliance process, the knowledge within your IT and compliance organizations is captured and retained by Iron Mountain. This eliminates the knowledge gaps that can plague your organization when key individuals leave, a merger occurs, technology is upgraded, or other significant events cause institutional knowledge to drift away.

What Records Are Covered By Rule 17a-4?

Broker-dealers are required to retain, and be able to produce on demand, a wide variety of records spanning all aspects of their business operations. Here is a partial list:

  • Blotters itemizing a daily record of all purchases and sales of securities
  • Ledgers reflecting all assets and liabilities and income, expense, and capital accounts
  • Ledger accounts
  • Memorandums of each brokerage order, purchase, and sale
  • Copies of confirmations of all purchases and sales of securities
  • Record of all puts, calls, spreads, straddles, and other options
  • Employment applications
  • Record of the proof of money balances of all ledger accounts for three years following termination
  • Fingerprints of personnel
  • Record of customers with access to an internal broker-dealer system
  • Written customer complaints
  • Advertisements, sales literature, or communications
  • Listings of people responsible for establishing compliance policies and procedures
  • Checkbooks, bank statements, cancelled checks, and cash reconciliations
  • All bills receivable or payable
  • Originals of all communications received
  • Copies of all communications
  • All guarantees of accounts and all powers of attorney
  • All written agreements

Safe, Secure, and Cost-Effective

Iron Mountain built its reputation on data security, and it remains true to that mission with its Designated Third Party Compliance service. All tests are conducted in Iron Mountain’s secure facilities or at your site and then archived in Iron Mountain’s electronic media vaults, which are constructed specifically for storing digital media.

We’ll work with you to implement cost-effective and operationally sound processes that meet your firm’s needs, while complying with applicable regulatory requirements.

What You Gain…

  • A letter of intent from Iron Mountain indicating that we’ve been contracted to provide services to facilitate your compliance with this rule
  • Tested and validated written procedures for accessing your company’s storage and archive systems, which enables you to proactively address any gaps in your systems before an SEC audit
  • The benefit of a full-level test to show that your recordkeeping practices are sound
  • A letter of undertaking — once all tests are complete — to meet your compliance requirements

As a Designated Third Party Compliance services provider, Iron Mountain is uniquely positioned to assist broker-dealers. Iron Mountain is a world leader in information management services, and our Designated Third Party Compliance service gives you a simple, trusted way to create, test, and maintain a system configuration plan that documents access to the archive and demonstrates compliance with SEC regulations.
