Everything You Ever Wanted to Know About Rule 17a-4 (But Didn’t Even Know You Should Ask)

A 15-year-old SEC ruling that governs electronic records is exercising its powers well into the Digital Age.

Since the turn of the century, you’ve been parking your car in front of your house without a problem. But this morning you got a $65 ticket. What’s up with that? Ah, yes, that “No Parking” sign behind the big tree.

Such is the plight of broker-dealers now facing Securities and Exchange Commission (SEC) Rule 17a-4. This rule was issued in 1997, when electronic communications systems were just gaining traction as a serious medium in the financial services workplace. And though from the start 17a-4 has required firms to store their systems’ electronic records with a designated third party (D3P) services provider for potential SEC review, few took that edict seriously.

Everything changed in 2007, when the Financial Institution Regulatory Authority (FINRA) began to ask for proof of a firm’s compliance with the D3P regulation. Now, contracting with a D3P data services provider has become a requisite business task.

What Stays and What Goes?

When you start working with a D3P, its staff will first analyze your company’s storage and archive systems—including server configurations, hardware, software, passwords and encryption—and pinpoint any gaps you can fix before the SEC audit. This phase also identifies redundant records prime for deletion.

Identifying what you need to save may be the hardest part of Rule 17a-4 compliance. Bear in mind that aside from all written agreements, you must also be able to, on demand, produce all:

• Ledgers of assets and liabilities, income, expense and capital accounts
• Order, purchase and sale memos
• Put, call, spread and straddle records
• Employees’ original job applications and fingerprints
• Written records of customer complaints
• Accounts payable and receivable records
• Electronic communications

Your D3P services provider will also drill down into the data to develop a precise log of what you’ll be keeping. A subsequent written list of this information can be updated and used for audits.

Forging the Connection

Once you establish what information you’ll be saving, you’ll want to determine how your D3P services provider accesses it for proper storage. Your options:

• Independent access lets your provider retrieve records directly from your WORM (“write once, read many” times) storage media.
• Online access lets your provider access electronic records through your virtual private network (VPN).
• Onsite access requires your provider’s team to visit your offices, where they will search for and retrieve the electronic records.

If you’ve ever undergone an SEC audit, you know the drill: A call from your legal or compliance officer with the list of documents you need to produce in two hours triggers the ulcer waiting to happen. And failure is not an option.

Unfortunately, the right D3P services provider can’t stop you from getting those surprise parking tickets. But the right service provider can set you up with the highest level of Rule 17a-4 compliance and facilitate less painful audits. It can also help your firm maintain compliant, efficient records management best practices. Much easier on the stomach, isn’t it?

Do you have questions about software escrow services? Read additional Knowledge Center stories on this subject, or contact Iron Mountain’s consulting services team. You’ll be connected with a knowledgeable product and services specialist who can address your specific challenges.

Related Content:

Let Software Escrow Seal the Deal

The Many Faces of Technology Escrow

Software Escrow: A Best Practice Against Business Interruptions