How can a financial services firm comply with SEC 17a3-4 using Office 365?

April 18, 2014
Robert Cruz

A. Hold Everything

I received a number of follow-up questions to the post focused on Office 365 and its ability to address complex regulatory and eDiscovery needs. Several focused on the following:

“First, a simple question – do you work for a financial services provider? If yes, stop here. Office 365 and Exchange 2013 do not address requirements outlined by SEC 17a3-4 that outline how data must be stored immutably, or supervisory review requirements under FINRA. You should be engaging with archiving or data storage providers to address these requirements.”

It was pointed out to me that there is a way to achieve immutability (as required under 17a3-4): simply use the Rolling Hold feature and place the entire organization on hold. Yes, that's right, the entire organization and all of their data. Call me old-fashioned, but this approach takes me back to the good ol' days when organizations did not need to be concerned about unbounded data growth, when information was easy to find, and FRCP, FINRA, and FFIEC were meaningless acronyms. Ah, the good ol' days!

There is a long list of reasons that this is neither an effective information governance nor compliance strategy, but let me attempt to summarize the Top 5 Reasons why financial services organizations should consider other strategies.

1. Information is doubling every 2-3 years, resulting in a ginormous volume of preserved data over time. Office 365 can partially address the storage cost explosion (although it would be interesting to see how this approach would impact licensing cost), but the task of searching and retrieving specific information amongst a large volume of information that should not be preserved grows exponentially. This will not bode well for timely response to a regulatory inquiry.

2. Preservation obligations are not uniform. Multinational corporations must deal with a patchwork of data privacy and eDisclosure frameworks, so it is unclear how preserving all information from Germany-based users, as an example, would work. Additionally, many legal teams have a well-developed posture regarding risk stemming from over-preservation. This will not be an easy sell with many.

3. Retention rules mandated for financial services are complex, granular, and evolving. With over 250 new rule sets mandated under Dodd-Frank, plus new rules issued by FINRA and FFIEC, regulatory complexity has never been higher. Consequently, most firms have multiple policies, and those policies are likely to change in the not too distant future. Simply attaining 'immutability' by preserving everything will only further complicate compliance processes that are already stretched to keep up.

4. Disposition complexity. Information that reaches the end of its retention period, say 6 years, would need to be manually removed from rolling holds, unless it were subject to any other legitimate preservation order. For a financial organization with an average of 20 active litigations per year, this would be an incredibly complex task to manage, even if Microsoft eventually develops some command line scripts to help manage this task.

5. SEC 17a3-4 is only the beginning. Holding everything is a simple, brute force method to address some very specific provisions of 17a3-4 (http://www.sec.gov/rules/final/34-44992.htm), for example, use of spinning media, processes to maintain integral data values, separation of primary and secondary data copies, etc. Ultimately, only a financial regulator can determine if the “hold everything” approach is adequate. But it is just one set of requirements. Broker-dealers need to provide capabilities for supervisory review under FINRA, firms using social media need to preserve that content under guidelines established by FFIEC... the list goes on and on. Immutable storage is one verse of the financial services compliance ballad.

All of which leads to the conclusion that financial services firms are better served by using technology in conjunction with Office 365 that was designed to deliver on these rigorous regulatory and legal demands. It's time to move past the good ol' days of Hold Everything and ensure that your compliance teams are active participants in the evaluation of new communication platforms.