Financial services firms are coming to understand that the efficiency, resiliency, reliability, and scalability of cloud storage services are not enough by themselves. Firms also need cloud document storage that can help them comply with regulations from the Financial Industry Regulatory Authority (FINRA) and U.S. Securities and Exchange Commission (SEC).

Yet not all cloud vendors offer FINRA and SEC compliance capabilities. Choosing the wrong cloud vendor forces firms to work with multiple services, increasing the costs and complexity of their information governance programs.

Additionally, firms need enhanced physical and cybersecurity measures. Their success depends on data protection and securing their clients’ information in the face of growing ransomware attacks and cyberthreats. Between February and April 2020, attacks against the global financial sector increased 238%, according to VMware Carbon Black. As of April 2020, 80% of financial institutions surveyed reported increased cyberattacks over the previous 12 months.

Essential FINRA Requirements

FINRA and the SEC allow financial services firms to use electronic documents and cloud storage. But there are numerous requirements. A prominent rule is that firms have to maintain their books per SEC § 240.17a.

SEC rules require:

Record Retention (§ 240.17a-4)

Broker-dealers, banks, securities firms, and other financial services entities must preserve business and transaction records in an accessible manner. Under 17a-4(a), firms must keep records for three years and make them immediately accessible for the first two years. Under 17a-4(b) and (c), firms have to preserve certain materials for at least six years, and again, ensure they’re immediately accessible for the first two, and under (d) organizational documents must be retained for the life of the enterprise.

Immutable Data Backup (§ 240.17a-4)(f)(2)(ii)(A)

During the retention period, section 17a-4(f)(2)(ii)(A) requires that firms can’t edit or delete any of these electronic records. But the rule is not about the firm’s and its employees’ behavior. The record’s electronic format itself can’t allow alterations or deletion.

A Searchable Database (§ 240.17a-4(f)(2)(ii)(C) and(D))

Every file must be indexed and searchable, providing easy access controls for the firm to respond to requests from regulators. Using a service that includes a robust search facilitates immediate, easy accessibility.

Duplicate Copies (§ 240.17a-4(f)(3)(iii))

Storing a duplicate copy of the original file in a physically separate location.

Third-Party Access (§ 240.17a-4(f)(3)(vii))

SEC rules also require a Designated Third Party (D3P) when using electronic data storage. This independent entity can access the electronic records in the event of an official request, such as a regulatory audit or court order if the firm is unable or unwilling to do so. Any firm setting up electronic storage must comply with the D3P rule and present a Letter of Undertaking to the SEC and FINRA, along with a copy of the vendor contract to demonstrate the vendor’s ability to comply with this requirement.

An Audit Trail (§ 240.17a-4(f)(3)(v))

Firms must have an audit process to show they are meeting the record storage requirements of §§ 240.17a-3 and240.17a-4 and documenting any changes to original files.

Cloud Storage with FINRA Compliance Features

Financial services firms can efficiently comply with FINRA’s rules provided they choose the right cloud document storage vendor. However, not all cloud providers have the functionality and real-time security, firms need to abide by FINRA and SEC rules. That’s why firms are increasingly turning to NetDocuments, the leading FINRA compliant document management service. NetDocuments provides the tools, features, and services firms need to comply with all of the FINRA and SEC electronic data retention requirements in §§ 240.17a-3 and 240.17a-4.

NetDocuments offers:

Custom Retention Periods

NetDocuments enables users to customize various records’ lifecycles, which means firms have the power to establish FINRA-compliant retention policies.

Write Once, Read Many (WORM) Repositories

To ensure each saved document remains unchanged during its retention period, users set up WORM cabinets. Once users place designated files in their WORM cabinet and choose a document’s retention period, users with permission can access and read files saved in these spaces but never change them, and they can’t alter, delete, or shorten the file’s life.

Document Search

A core component of the NetDocuments document management system (DMS) is a robust search feature. An authorized user’s search will return accurate and immediate results. The search feature returns results based on the user’s access rights, keeping in line with internal security measures. Users only see the documents they are authorized to access.

Redundant Data

NetDocuments uses state-of-the-art object store technology to protect and retain firm documents, which also happens to fully meet SEC regulations for data duplication. After being encrypted, small files (60kb or less in size) are automatically replicated five times across three geographically separate, highly secure data centers, with each data center having at least one, but no more than two, copies of each small file.  After being encrypted, larger files are erasure encoded, which mathematically divides each file into eighteen shards. Six shards are randomly saved in each of the three data centers. The Service only needs any ten of the eighteen shards to perfectly recreate the original document. Under both scenarios, NetDocuments could have any one of its data centers completely fail and customer data would still be safe, secure, and available.

Third-Party Access

Firms can also use the NetDocuments DMS to meet SEC D3P requirements. They simply turn the feature on and notify the SEC that NetDocuments is the firm’s designated third party downloader. Then, if required by a subpoena, NetDocuments can search and retrieve the firm’s data.

Multiple Audit Trails

The NetDocuments DMS provides three primary sources of audit information. First, the service automatically creates a detailed history for each file that records document-specific activity information. Second, the service logs administrative actions within the system. Third, it also generates a data-centric consolidated activity log, documenting all data-focused activity within the service.

Cloud Storage with Robust Security Measures

NetDocuments has a loyal following of financial services firms because of its security infrastructure. As noted earlier, the service utilizes three separate data centers, each at least 300 miles apart. NetDocuments chose each facility based, in part, on each data center being in geographically stable environments with low instances of earthquakes, tornadoes, flooding, or hurricanes.

Another benefit of the NetDocuments storage system is to ensure that, in the almost unimaginable scenario of someone gaining unlawful access to a data center, the intruder can’t find any files. The service object store uses a non-enumerated filing protocol that randomly stores files across one million logical directories, and each file only has a numerical label with no owner or descriptive details. The hapless intruder has no ability to search or browse for files or sensitive information.

Multiple levels of encryption and authentication provide additional protection against internal and external threats. NetDocuments encrypts each file as it comes into the service with a unique Object Encryption Key (OEK) when a user hits “save.” The service then automatically encrypts each OEK using a Master Encryption Key stored in NetDocuments’ hardware security modules, giving each file two layers of encryption.

Want another layer of encryption? No problem. Users can further encrypt each OEK using a Customer Managed Encryption Key (CMEK). All three layers of encryption in the NetDocuments’ service all use Advanced Encryption Standard 256 (AES-256) encryption.

A One-Stop-Shop for FINRA-Compliant Cloud Storage

At first glance, financial services firms can choose from many cloud service providers. But on closer inspection, few vendors offer the safeguards and functionalities firms need for efficient FINRA compliance. Once you understand FINRA and SEC requirements for electronic document storage, file sharing, and archiving your choice for a DMS partner becomes easy. NetDocuments is your single best solution for meeting your firm’s electronic data retention requirements.

Firms ready to partner with a FINRA-focused DMS can access the NetDocuments guide to Finding the Right DMS for Your Firm.