Designated Third Party Financial Services Support

Technology evolved the ways we all store records. As such, the SEC knew it had to adapt its 17a-1 records storage policy. In 1997, an amendment was made which became the 17a-4 rule factoring in electronic storage options.

Per the SEC’s website, here is the 17a-4 rule:

Broker-dealers are allowed to preserve records on “electronic storage media.” Rule 17a-4 defines that term as “any digital storage medium or system.” Paragraph (f)(2)(ii)(A) of Rule 17a-4 requires that the electronic storage media preserve the records exclusively in a non-rewritable and non-erasable format.

Given the strict nature of this rule, the SEC put in place a subsection known as SEC 17a-4(f)(3)(vii), the Designated Third Party for Broker Dealers. This part of the policy says any broker-dealer who does decide to electronically store their records must hire at least one independent third party with access to download files. To be clear, this is not a subsidiary or a sister company but a completely impartial vendor. In the event the broker-dealer is unwilling to comply with sharing their records, the SEC can rely on this designated third party (D3P) for access.

Of note, the third party must be an independent organization and is not required to have 24/7 access. Your D3P partner is there to assist the regulatory body as needed.

Our comprehensive D3P compliance service is available for all types of electronic records, including computer output to laser disc (COLD), back-office, imaged, cloud, voice recording and transactional records, as well as SaaS programs, email and messaging communications.

We work with WORM (write once, read many) storage and applications, regardless of whether the files are on-premises or in the cloud. Iron Mountain will work with your technical team to develop a System Configuration Plan (SCP) to guide us through your network and access the systems and records we have been asked to cover.

Iron Mountain’s core D3P customers include banks, financial firms, insurance agencies, and investment advisors. If your organization falls into one of these categories and is registered with the SEC or FINRA as a Broker-Dealer, the 17a-4 rule applies to you.

Since 1993, Iron Mountain has been a valued D3P partner for many institutions and has set the industry operational standards adopted by many others today.

Our D3P service includes:

• A Letter of Intent to regulators informing them that you contracted a Designated Third-Party Provider
• A System Configuration Plan (SCP) explaining access to your records.
• An annual test and report to show continual compliance while your technology goes through upgrades
• A letter of Undertaking to file with the SEC and self-regulating organizations
• Two D3P status reviews each year to validate accountability
• Peace of mind knowing that you are fully compliant with the SEC 17a-4 rule.

Iron Mountain offers these access options:

• Online: For secure remote access to your archived systems
• Onsite: Our compliance experts retrieve records from archive Electronic Storage Media (ESM) at your facility.

Here, we’ve outlined what the SEC requires from broker-dealer’s D3P partners and how our services provide that fulfillment:

• Blotters itemizing a daily record of all purchases and sales of securities
• Ledgers reflecting all assets and liabilities and income, expense, and capital accounts
• Ledger accounts
• Memorandums of each brokerage order, purchase, and sale
• Copies of confirmations of all purchases and sales of securities
• Record of all puts, calls, spreads, straddles, and other options
• Employment applications
• Record of the proof of money balances of all ledger accounts for three years following termination
• Fingerprints of personnel
• Record of customers with access to an internal broker-deal system
• Written customer complaints
• Advertisements, sales literature, or communications
• Listings of people responsible for establishing compliance policies and procedures
• Checkbooks, bank statements, cancelled checks, and cash reconciliations
• All bills receivable or payable
• Originals of all communications received
• Copies of all communications
• All guarantees of accounts and all powers of attorney
• All written agreements

Although this is an SEC rule, FINRA is often the one to enforce it.

Every few years, broker-dealers are audited by FINRA and as part of their Books and Records review they ask to see D3P proof. Here is where the D3P provides its Letter of Undertaking, which is filed with FINRA and the SEC through their online tool, EDGAR. This letter remains on file for as long as the financial institution and its D3P are working together.

To legally define the working relationship, a 90-day Letter of Intent provided by the broker-dealer in conjunction with a Letter of Attestation is mandatory prior to the start date. In this notice, it must be clearly stated that the broker-dealer has the WORM archival requirement (which prevents any alterations or deletions of data) that meets the SEC’s storage requirements for electronic data as stated in its 17a-4 rule.

While D3P providers like Iron Mountain are representatives for the broker-dealer, they are not responsible for filing the necessary documentation with FINRA or the SEC. The document filing falls on the broker-dealer.

With regulations, there comes penalties depending on the situation for those not in following the 17a-4 rule. Although these reprimands can come in the form of fines, negative press or criminal charges, first time offenders are generally given a set amount of time to correct their compliance.

If it’s not a first-time offense, the likelihood of a harsher punishment from the SEC and FINRA are higher. We’ve seen companies being fined from a few thousand all the way up to $3 million and beyond. This of course all depends on the size of the organization and the severity of its violations.