Thursday, January 3, 2008

Electronic Storage

In my ever-diligent attempt to clarify FINRA’s expectations regarding electronic storage of records, I learned the new spin yesterday. A contact of mine at FINRA is the e-storage guru. He’s a nice man who shares insights with me from time to time. Yesterday we discussed, again, notification requirements—remember those? Firms have to make representations, or have their 3rd party vendors represent, that their e-storage conforms to SEC Rule 17a-4(f)(2)—that is, WORM format, quality/accuracy of media is verifiable, serialized/time-stamped, and indexed/downloadable. Also, a third party has to represent, under 17a-4(f)(3)(vii), that it can access the records and provide them to regulatory authorities when requested. This is not news to you and me, although to many BD firms it’s still a mystery.

What is new is this: in the past, for instance, at FINRA conferences, panelists have discussed the issue of how long data sits on a server (in non-compliant format—i.e., it is rewritable/erasable) before it is downloaded to a compliant format for storage. There was an expectation out there that—of course—information would necessarily have to be in non-compliant format for a little while (a day for some firms, a week for others, etc.). Yesterday, my contact stated emphatically that the SEC allows for no such ‘gap.’ The information, from the moment of its creation, should conform to the standards in 17a-4(f)(2).

FINRA understands the difficulty of enforcing SEC Rules and admits that flexibility is required. But they also don’t stray from preaching the letter of the law. I can’t say whether this hard-line stance will be adopted universally by FINRA examiners—we can never really predict their preferences for findings—but it is worth noting.

One more thing: Third party storage vendors charge a lot of money, and there is the perception among some regulators that they’re ripping off BDs—basically, they’re riding on firm paranoia and overcharging for the SEC representation letters. Some of these vendors use storage software provided by a company called EMC. It may be worth cutting out the middle man—that is, a BD may want to maintain, back up and protect its own records using EMC products, rather than relying on a third party to do it. This may be more cost effective in the end. And the good news is, the EMC product ensures instantaneous compliance--from the moment of record creation (i.e., no gap). In this case, the firm itself makes the required (f)(2) representations and gets any old 3rd party to make the (f)(3) access representation (an easy rep to make). We may see a movement towards this self-storage model.




Update: Talked to Iron Mountain just now. They do not consider the (f)(3)(vii) representation easy to make. They will NOT make the (f)(3)(vii) reps for their storage clients. That is, for clients who use them only to store their records--not their 'digital clients' for whom they create and maintain the records in compliant format--they will not issue a letter stating that they will provide access to those records when requested by authorities. Reason? They don't want the responsibility of producing records over which they have no control...legal CYA. Their representative told me that they have some 1/2 million of those customers...when I noted that there are only a little over 5,000 BDs, and that making such representations wouldn't expose them too heavily, she had no comment. Also, she admits that they never have requests from FINRA and the only federal requests are subpoenas in large-scale investigations of wrongdoing...in other words, (f)(3)(vii) is never really invoked. Which is exactly what my FINRA contact said: 99.9% of the time, these 3rd party vendors will never have to do what they're jacking their prices for.

Link to EMC, fyi:
http://www.emc.com/solutions/index.jsp?tab4
