The financial industry remains one of the largest and most highly scrutinized and regulated industries in the world. In the U.S. alone FINRA, a not-for-profit organization authorized by Congress to protect America’s investors, keeps watch over 632,740 brokers representing over 3,800 broker-dealer firms. In 2016, FINRA referred 785 cases to the SEC and other agencies for prosecution, and levied more than $204.2M in fines and restitution. So, it’s easy to see why, from the datacentre, to the regulatory compliance and legal departments, to the boardroom, data management – especially the storage of electronic records – has remained at the top of everyone’s priority list.
To meet SEC Rule 17a-4 requirements*, the financial industry has long been forced into buying extremely expensive (overpriced), management-intensive, on-premises storage software and hardware technology. Then came high-priced cloud archives, where you were locked into the platform, with ridiculously high penalties should you have the gall to want to leave.
So, what do I mean by cloud solutions that lock you in? Many financial services companies that store content in proprietary cloud-based archives for SEC requirements are stunned by their cloud vendor’s one-way attitudes – it’s low cost or even free to move huge amounts of data into their cloud-based archives, however, it’s another story when they want to move it out again. Whether you need to export a large data set in response to an eDiscovery request or, heaven forbid, you’ve grown dissatisfied with the cloud vendor and want to move your data elsewhere (even back in-house), the cost to extract your data skyrockets, in many cases to absurd levels such as $50 per GB. Depending on your data set size, that could mean hundreds of thousands of dollars, if not millions to do so.
So how do these cloud bandits get away with charging so much? One reason we oftentimes hear is that, “We have to convert it back to its original format so it’s usable…” This raises a couple of questions: why was it converted in the first place, and does it really cost 30-50x to convert it back? In reality, it’s a tactic intended to stop you from leaving.
Then, there are those cloud vendors that will put into writing how inexpensive it will be to move your data into or out of their environment. Of course, what the fine print points out is that the cloud vendor will limit the amount of data you can pull out of their cloud to some outrageously small amount such as 100 GB per week. Imagine how long it would take to move your 10 PB of archived data to another solution, and how much you will continue to pay the cloud vendor over that period of time?
Back to the requirements… The Write Once Read Many (WORM) SEC requirements were originally developed for financial services organizations because all regulatory storage was by necessity on premise (cloud storage didn’t exist yet). A major SEC requirement involved the immediate capture of broker-dealer communications and then ensuring those communications (emails/attachments) could not be altered or deleted. This was because the SEC wanted to ensure that broker-dealer communications were available to review in an unaltered state if complaints were later raised/filed against the financial services organization or individual broker-dealer. And again, because all storage was local, the SEC had to ensure that records were original and unaltered.
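To make the WORM requirement described above concrete, here is a small Python model of a non-rewritable, non-erasable record store with per-record retention periods and ingest-time digests. It is an added illustration written for this page, not code from any vendor or from the SEC; the class and method names (WormArchive, FakeClock, WormViolation) and the sample email record are my own assumptions, and the injectable clock exists only so retention expiry can be exercised without waiting years.

```python
"""Model of WORM (Write Once Read Many) record storage with retention periods.

Added illustration for this article, not vendor or SEC code. Names and the
sample record are assumptions; the injectable clock is for demonstration only.
"""
import hashlib
from datetime import datetime, timedelta, timezone


class WormViolation(Exception):
    """Raised on any attempt to overwrite, delete early, or read a tampered record."""


class FakeClock:
    """Deterministic clock so a retention period can be 'advanced' in a demo."""

    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, days):
        self.now += timedelta(days=days)


class WormArchive:
    def __init__(self, clock=None):
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        # record_id -> {content, sha256, stored_at, retain_until}
        self._records = {}
        # Append-only audit trail: (timestamp, action, record_id, outcome)
        self.audit_log = []

    def _log(self, action, record_id, outcome):
        self.audit_log.append((self._clock().isoformat(), action, record_id, outcome))

    def put(self, record_id, content, retention_days):
        """Write once: a second put to the same id is refused, never merged."""
        if record_id in self._records:
            self._log("put", record_id, "denied: record exists")
            raise WormViolation(f"{record_id} already exists; WORM forbids overwrite")
        now = self._clock()
        self._records[record_id] = {
            "content": bytes(content),
            "sha256": hashlib.sha256(content).hexdigest(),  # digest taken at ingest
            "stored_at": now,
            "retain_until": now + timedelta(days=retention_days),
        }
        self._log("put", record_id, "ok")
        return self._records[record_id]["sha256"]

    def get(self, record_id):
        """Read many: every read re-checks the content against its ingest digest."""
        rec = self._records[record_id]
        if hashlib.sha256(rec["content"]).hexdigest() != rec["sha256"]:
            self._log("get", record_id, "integrity failure")
            raise WormViolation(f"{record_id} no longer matches its stored digest")
        self._log("get", record_id, "ok")
        return rec["content"]

    def delete(self, record_id):
        """Erasure is refused until the retention period has fully elapsed."""
        rec = self._records[record_id]
        if self._clock() < rec["retain_until"]:
            self._log("delete", record_id, "denied: under retention")
            raise WormViolation(f"{record_id} is retained until {rec['retain_until']}")
        del self._records[record_id]
        self._log("delete", record_id, "ok")
        return True

    def verify_all(self):
        """Return ids whose content no longer matches the digest taken at ingest."""
        return [rid for rid, rec in self._records.items()
                if hashlib.sha256(rec["content"]).hexdigest() != rec["sha256"]]


def demo():
    """Exercise overwrite, early delete and post-retention delete; return outcomes."""
    clock = FakeClock(datetime(2024, 1, 1, tzinfo=timezone.utc))
    archive = WormArchive(clock=clock)
    # Constructed sample record; six-year retention is only an illustrative value.
    archive.put("email-0001", b"From: broker@example.test\nSubject: order confirm\n",
                retention_days=6 * 365)
    results = {}
    try:
        archive.put("email-0001", b"edited copy", retention_days=1)
        results["overwrite"] = "allowed"
    except WormViolation:
        results["overwrite"] = "denied"
    try:
        archive.delete("email-0001")
        results["early_delete"] = "allowed"
    except WormViolation:
        results["early_delete"] = "denied"
    clock.advance(days=6 * 365 + 1)
    results["delete_after_retention"] = "allowed" if archive.delete("email-0001") else "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The three properties a reviewer would look for in a real archive are visible here: an overwrite of an existing id is refused rather than merged, a delete is refused while the retention clock is running, and each read is checked against the digest recorded at ingest so silent alteration of stored bytes is detected rather than served back as original.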
Again, however, while WORM-compliant storage has enabled financial organizations to meet SEC Rule 17a-4, it has presented seemingly unavoidable drawbacks:
a) The technology, both hardware and software, remains expensive and complicated to manage
b) The cost to provide security for this sensitive data continues to escalate exponentially
So, let’s circle back to cloud service providers. For years now, they have marketed cloud-based email storage solutions targeted specifically at financial services organizations to meet SEC Rule 17a-3/a-4 requirements. For example, one of the key requirements is that the financial services organization cannot have access to the “regulated data” under any circumstances, including administrator privileges, for the length of the compliance retention period. And, while they say they meet this and all SEC Rule 17a-3/a-4 requirements for WORM storage and information management requirements, do they really? It’s often impossible to find any kind of explanation or evidence on their websites or sales collateral.
One great suggestion I have read and heard touted at conferences and in one-on-one conversations with professionals is that any technology solutions provider in this space would do well to engage a respected third party law firm to review their solution and then provide a legally defensible opinion that it does indeed meet the standards set forth. The good news is that some vendors/service providers have already done so, and others are also already moving in this direction. Until this is a ubiquitous offering though, you as the technology purchase decision influencer or maker should add this to your list of check-off boxes. In fact, here is a list of check-off boxes that will help ensure you engage the most efficient and cost effective solution to ensure SEC compliance – get them in writing:
a) A legal opinion from a respected third party law firm confirming the solution’s ability to meet applicable SEC rules
b) Pricing to move data into, store, and move data out of the cloud vendor’s environment
c) Performance guarantees regarding the amount and speed at which you can move data into and out of the cloud vendor’s environment
d) Service level agreement (SLA) guarantees (i.e., security, availability, scalability and performance)
e) Listing of all types of data that can be accepted (i.e., can the vendor directly or via a partner enable you to find, collect, sort, migrate and manage other data/file types – not just email)
f) Native format assurance (i.e., the vendor should capture/manage all information and metadata in its native format, so conversions are never necessary)
With this evidence in hand, you can sleep soundly knowing that your financial data is in capable, legally defensible hands.
*The U.S. Securities and Exchange Commission, pursuant to its regulatory authority under the US Securities Exchange Act of 1934, outlines requirements for broker-dealers and others to store records in electronic form. Under Rules 17a-3 and 17a-4, electronic records must be preserved exclusively in a non-rewritable and non-erasable format (WORM). Rules 17a-3 and 17a-4 further mandate that financial services organizations employ a storage system that prevents alteration or erasure of records for different retention periods. (Learn more here: https://www.sec.gov/rules/interp/34-47806.htm)