AdvisorVault the only FINRA designated third party (D3P) designed for small firms, makes Microsoft 365 17a-4 Compliant, by Allan Lonz, President. AdvisorVault.org
Since FINRA has given firms the green light to use the cloud, the big question then becomes: can a cloud platform like Microsoft 365, using its built-in compliance tools meet 17a-4? In other words, can you configure it to prevent the deleting and modifying of emails on exchange, data on OneDrive/SharePoint, Teams chats, then retain it for 7 yrs., and finally will Microsoft act as the FINRA D3P, supply the two attestation letters and perform the required functions as a D3P?
Microsoft 365 Retention Policies Don’t Meet 17a-4
According to a popular white paper by Cohasset Associates, FINRA firms can use the built in Microsoft 365 retention policies (when properly configured and carefully applied and managed) to meet SEC rule 17a-4. But what actually happens to your data when you apply a 365 retention policy to it? You’ll be surprised to find out that Microsoft – despite what you read – has completely missed the mark on 17a-4 compliance.
Top iTechnology Cloud News: Rescale and Riken Sign Partnership for using RIKEN and “Fugaku” World’s Most Powerful Supercomputer
“I tested an exchange on-line retention policy in Microsoft 365 to retain my emails for 17a-4 and immediately noticed that it doesn’t actually store data in a non-rewritable format, it just moved my messages to the archive items in Outlook, which I could delete, this isn’t going to fly with FINRA.” Said Allan Lonz, President of AdvisorVault. “Also, I had to take an extra step and apply a PowerShell command to my 17a-4 retention policy to set a preservation lock on it, otherwise I could simply delete it which made it no longer compliant” Lonz added.
But, even if you do properly configure the retention policies, you’ll also need to get the two FINRA D3P attestation letters from Microsoft. Good luck: there’s no one at Microsoft to call about the D3P letters, and if you google “Microsoft FINRA 17a-4 D3P letters” you get a very strange document explaining the capability of Microsoft 365 to support organisations in meeting their obligations under the New Zealand Public Records Act 2005. More google searches on this directs you to The Microsoft Trust Center Resources which links to a Microsoft site, but the 17a-4 attestation letters are nowhere to be found.
In the end, FINRA firms have unique needs which can’t be met with a generic cloud solution. More importantly, they don’t have the in-house expertise to “configure and carefully apply and manage” the built-in tools that Microsoft is selling as 17a-4 compliant. Further, FINRA needs specific compliance documentation and commitments from vendors to be fully compliant, which Microsoft is not willing to provide or even openly address.
Top iTechnology AIOps News: US Air Force Research Laboratory Expands Zenoss Deployment
[To share your insights with us, please write to sghosh@martechseries.com]
