FINRA Compliant Cloud Storage: How to Pick (Complete Guide)

Kison Patel

Kison Patel is the Founder and CEO of DealRoom, a Chicago-based diligence management software that uses Agile principles to innovate and modernize the finance industry. As a former M&A advisor with over a decade of experience, Kison developed DealRoom after seeing first-hand a number of deep-seated, industry-wide structural issues and inefficiencies.

CEO and Founder of M&A Science and FirmRoom

As a leading secure cloud storage provider, FirmRoom has put together this guide to help you choose cloud storage and become FINRA compliant.

What is FINRA Compliance?

FINRA, the Financial Industry Regulatory Authority, is a government-authorized, not-for-profit organization that oversees U.S. broker-dealers.

Their purpose is to protect investors by ensuring that the broker-dealer industry operates fairly and honestly. FINRA does this by ensuring that:

  • every investor receives basic protections;
  • anyone who sells a securities product has been tested, qualified, and licensed;
  • every securities product advertisement is truthful and not misleading;
  • any securities product sold to an investor is suitable for that investor’s needs;
  • investors receive complete disclosure about the investment product before purchase.

FINRA compliance refers to the requirements placed on financial institutions to retain electronic correspondence, prevent data loss and theft, ensure ease of access, and provide redundant storage to protect data integrity.

To be FINRA compliant means to adhere to the standards above.

How does this help with SEC Compliance?

The SEC, or Securities and Exchange Commission, is a government organization meant to protect investors and ensure the integrity of the securities market.

The SEC oversees FINRA. Although the two bodies cover different sectors of the market, FINRA compliance is a large part of SEC compliance: the broker-dealer industry is part of the securities market, and investors are protected when brokers comply with the specific laws and requirements they must meet in order to operate in that market.

Becoming FINRA Compliant - Understanding the Rules

There are several regulatory implications that firms may wish to consider when establishing a presence in the cloud. Keep in mind that although a firm may shift its technology infrastructure to a cloud environment, all of the regulatory requirements that apply in an on-prem environment continue to apply.

However, cloud-based applications may contain some unique features that securities market participants may wish to consider as they explore and adopt related technology tools.

1. Cybersecurity

The party responsible for threat detection, incident response, and patching and updating must be identified. It is also beneficial to monitor for vulnerabilities such as misconfigurations and weak access controls.

2. Data Privacy

Regulation S-P requires firms to have written policies and procedures that address safeguards for the protection of customer records and information. If cloud adoption leads to changes in the collection, storage, or analysis of customer data, the firm will need to update its policies and procedures related to data privacy, and obtain appropriate consent.

3. Outsourcing/Vendor Management

Firms are encouraged to conduct appropriate due diligence and testing of cloud service providers to determine whether a cloud vendor has undergone operational and financial audits, or has obtained third-party assessments or certifications that verify its capabilities.

4. Business Continuity

FINRA requires firms to create, maintain, annually review, and update written business continuity plans relating to an emergency or significant business disruption.

5. Record keeping

FINRA and SEC rules require firms to preserve specified records for certain periods in a non-rewritable and non-erasable format.

SEC Compliance Rules for Data

SEC rules and recommendations are similar to FINRA's compliance rules. Both aim to keep firms and organizations accountable for the information they are entrusted with, in order to protect the interests of those working with them as well as the general public.

Public Disclosure

This regulates the organization of companies and requires them to disclose their financial condition and investment policies to investors when stock is initially sold and subsequently on a regular basis.

Investment Adviser Registration

Firms or sole practitioners compensated for advising others about securities investments must register with the SEC and conform to regulations designed to protect investors.

Trust Indentures

Debt securities such as debentures, bonds, and notes can be registered under the Securities Act, but cannot be offered for sale.

Conflicts of Interest

Companies are required to regularly disclose their operations and structure, investment objectives and policies, and financial condition to avoid conflicts of interest, both inside and outside of companies.

Some information that the SEC may ask for includes:

  • Client lists with account types and asset values
  • Chronological lists of trades
  • Copies of purchases and sales journals
  • Lists of newly opened or terminated accounts within a certain period
  • Pricing and quotation service lists

This should all be easily and readily accessible if an investigation were to take place.

Does FINRA Compliance Apply to Your Business?

FINRA regulates broker-dealers, capital acquisition brokers, and funding portals.

Broker-dealers are in the business of buying or selling securities on behalf of their customers, for their own account, or both. A capital acquisition broker is a broker-dealer subject to a narrower rule book.

A funding portal is a crowdfunding intermediary. Essentially, any organization handling the financial livelihood of others, or involved in the transfer of sensitive data, has to be FINRA compliant. Data stored in the cloud remains the owner's responsibility, which is why the vendor's own FINRA compliance matters.

Not all organizations are aware that they must be FINRA compliant. Non-compliance can result in a variety of penalties, including fines and exclusion from the market. For example, Emerson Equity LLC was issued a fine of $60,000 and ordered to pay $1,641,929.94, plus interest, in restitution to customers.

Baldini was fined $5,000 and suspended from association with any FINRA member in any principal capacity for 20 business days. This was for a lack of establishment, maintenance, and enforcement of a supervisory system.

Another example is that of Citigroup Global Markets Inc., which was fined $375,000 for failing to conduct a sufficient inquiry to determine if the underlying event triggering garnishment orders involved a disclosable event that should have been reported on the representative’s Form U4.

How Do You Ensure Your Cloud Storage is FINRA Compliant?

Not all cloud providers are FINRA and SEC approved.

Tools such as Dropbox, OneDrive, or Box are not compliant. To help you ensure that your cloud storage is FINRA compliant, here is a list of cloud storage features that are, and are not, FINRA compliant.

Cloud Features That ARE FINRA Compliant

ISO 27081 Compliance. ISO compliance refers to the guidelines set in place to protect personal information held in cloud storage. ISO 27081 is considered to be the top security choice.

File Backups. This refers to the provision of disaster recovery with repeated failover capabilities and data center recovery testing so that customer data can be fully recovered in the event of hardware failure.

Secure Operation and File Maintenance. This refers to comprehensive document permission and view-restriction settings, applied even within the team, with features such as two-factor authentication and “view only” settings.

Strong Encryption Methods. This refers to the encryption of documents themselves, rather than just the data moving to and from the server.

Allows for Digital Watermarking. This is essential to deter unauthorized copying of data. It can be applied to text, video, and audio to track who downloads, prints, and shares information. Look for both dynamic and static watermarking.

IP Monitoring. This refers to the admin's ability to see the IP address, device type, and identity of each user who logs in, with email notifications when suspicious activity is detected.

Single Sign-On Integration. This allows users to enter one set of login credentials and access multiple applications with them.

Inclusive Reporting. Comprehensive audit reports and analytics should be available within your virtual data room (VDR).

Record Retention. Broker-dealers, banks, securities firms, and other financial services entities must preserve business and transaction records in an accessible manner.

Immutable Data Backup. The electronic format in which a firm's records are stored must not allow alterations or deletions.

Searchable Database. Every file must be indexed and searchable, so that the firm can quickly locate records and respond to requests from regulators.

Duplicate Copies. A duplicate copy of each original file is stored in a physically separate location.

Third-Party Access. SEC rules also require a Designated Third Party (D3P) when electronic data storage is used. This independent entity can access the electronic records in the event of an official request, such as a regulatory audit or court order, if the firm is unable or unwilling to do so.

An Audit Trail. Firms must have an audit process to show they are meeting the record storage requirements and documenting any changes to original files.
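The non-rewritable, non-erasable record format and the audit trail described above lend themselves to a small worked illustration. The following Python is an added example, not FirmRoom's code or any vendor's implementation; the `WormRecordStore` class, its method names, the six-year retention constant and the sample trade record are assumptions made for the demonstration. The store refuses overwrites and deletions before the retention date, and hash-chains every audit entry so that a later in-place edit of the log is detected by `verify_audit_log`.

```python
"""Tamper-evident, write-once record store (added illustration; not FirmRoom code).

Models two properties the guide lists: records that cannot be altered or deleted
within their retention period, and an audit trail whose entries are hash-chained
so any after-the-fact edit of the trail is detectable.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Assumed retention period, mirroring the "at least six years" cited for FINRA Rule 4511.
RETENTION = timedelta(days=6 * 365)


class RetentionError(Exception):
    """Raised on any attempt to overwrite or delete a retained record."""


def _entry_hash(entry):
    """SHA-256 over the entry's fields (excluding its own hash) in canonical JSON order."""
    payload = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class WormRecordStore:
    """Write-once store: a record id can be written exactly once and never removed
    before its retention date. Every operation, allowed or denied, is logged."""

    def __init__(self, now=None):
        self._records = {}      # record_id -> (content bytes, retain_until datetime)
        self.audit_log = []     # ordered entries, each linked to its predecessor by hash
        self._now = now or (lambda: datetime.now(timezone.utc))

    def _append_audit(self, event, record_id):
        prev_hash = self.audit_log[-1]["hash"] if self.audit_log else "0" * 64
        entry = {
            "seq": len(self.audit_log),
            "time": self._now().isoformat(),
            "event": event,
            "record_id": record_id,
            "prev_hash": prev_hash,
        }
        entry["hash"] = _entry_hash(entry)
        self.audit_log.append(entry)

    def write(self, record_id, content: bytes):
        if record_id in self._records:
            self._append_audit("overwrite_denied", record_id)
            raise RetentionError(f"{record_id} already exists; records are write-once")
        self._records[record_id] = (content, self._now() + RETENTION)
        self._append_audit("write", record_id)

    def read(self, record_id) -> bytes:
        self._append_audit("read", record_id)
        return self._records[record_id][0]

    def delete(self, record_id):
        _, retain_until = self._records[record_id]
        if self._now() < retain_until:
            self._append_audit("delete_denied", record_id)
            raise RetentionError(f"{record_id} is retained until {retain_until.date()}")
        del self._records[record_id]
        self._append_audit("delete", record_id)


def verify_audit_log(log):
    """Return (ok, first_bad_seq). Recomputes each hash and checks the link to its predecessor."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev or _entry_hash(entry) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None


def demo():
    """Write one constructed record, attempt an overwrite and a deletion, then tamper with the log."""
    store = WormRecordStore()
    store.write("trade-0001", b"BUY 100 XYZ @ 10.00")   # constructed sample record
    try:
        store.write("trade-0001", b"BUY 100 XYZ @ 9.00")  # overwrite is refused
    except RetentionError:
        pass
    try:
        store.delete("trade-0001")                         # deletion inside retention is refused
    except RetentionError:
        pass
    intact, _ = verify_audit_log(store.audit_log)
    store.audit_log[1]["event"] = "read"                   # simulate editing a historical entry
    still_intact, bad_seq = verify_audit_log(store.audit_log)
    return intact, still_intact, bad_seq


if __name__ == "__main__":
    print(demo())
```

The `now` parameter exists so that the retention check can be exercised with an injected clock; in a real deployment the same guarantees would come from the storage layer itself (a WORM-capable object store) rather than from application code, and the chain head hash would be periodically escrowed with the Designated Third Party so the log's own history cannot be silently rebuilt.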

Cloud Features That ARE NOT FINRA Compliant

  • Publicly exposed cloud data and resources
  • Unrestricted access to outbound/inbound traffic
  • Lack of data encryption
  • Weak authentication methods
  • Inviting and sharing of documents between users without specific permissions
  • Offline access

Relevant Rules

FINRA Rule 3190 states that when a member firm outsources a function or activity related to its business as a regulated broker-dealer to a third-party service provider, this does not relieve the firm of its obligation to comply with applicable securities laws and regulations, FINRA rules, and Municipal Securities Rulemaking Board rules.

It also states that the firm cannot delegate its responsibility for, or control over, any outsourced function or activity, and requires a member firm to have supervisory procedures, including due diligence measures, to ensure that its arrangements with third-party service providers are reasonably designed to achieve compliance.

FINRA Rule 4511 requires members to make and preserve books and records as required under the FINRA rules, the Exchange Act, and the applicable Exchange Act rules. It also requires that these books and records be preserved for at least six years, in a format and on media compliant with SEA Rule 17a-4.

How FirmRoom Simplifies FINRA Compliance

Virtual Data Rooms are designed to meet security compliance while facilitating the secure sharing of data. FirmRoom, having been designed for the M&A industry, is a leading example of a VDR that is FINRA compliant.

FirmRoom offers smart redaction to ensure that personally identifiable information and business documents are protected, as well as SOC 2 Type 2 certified security. FirmRoom also offers 4-level access with customizable document permissions such as view only, view with watermarks, original access, and edit, and provides the option to require NDAs.

Further, FirmRoom offers a detailed audit log that records every action in the data room and shows group and user activity. These features help users become fully FINRA and SEC compliant according to the standards outlined above, and are beneficial to any organization.

Explore FirmRoom's FINRA Compliant and User-friendly features today. Free for 30 days - no credit card required.
