As we detailed here, the current situation has created significant challenges and uncertainties for businesses of all sizes. For financial services companies in particular, the impact has been significant. Over 55% of wealth and asset management executives expect a severe impact to their business’ profitability and margins.
Still, with any challenge comes opportunity. The closing of local branches and offices may actually accelerate initiatives that had previously been put aside, including a larger investment in digital approaches when it comes to customers’ banking and financial planning options.
While investing in digital strategies related to the customer experience are critical, financial services companies must also “digitize” when dealing with how data from those interactions is being stored and accessed. Under SEC 17a-4, the permissible medium of storage has evolved with technology, which now allows financial institutions to preserve records on electronic storage media, including CRM systems like Salesforce.
But like all customers in the industry, Salesforce customers within financial services are subject to strict audit and storage requirements that could confuse even the saviest IT and compliance professionals. These include SEC 17a-4, the Financial Industry Regulation Authority (FINRA) and the Sarbanes-Oxley Act (SOX).
In this post, we’ll cover some of the requirements specified by these regulations and how OwnBackup enables Salesforce customers to meet these requirements.
1. Preserve Records Exclusively in a Non-Rewritable, Non-Erasable Format
This requirement, part of SEC 17a-4, is designed to ensure that electronic records are capable of being accurately reproduced for later reference by maintaining the records in an unalterable form.
For additional guidance, FINRA Rule 4511(c) specifies that “all books and records required to be made pursuant to the FINRA rules shall be preserved in a format and media that complies with SEA (Securities Exchange Act) Rule 17a-4.” FINRA Rule 4511(c) also requires firms to preserve for a period of at least six years those books and records for which there is no specified retention period under applicable FINRA or SEA rules.
To help customers satisfy this requirement, OwnBackup Blockchain Verify backs up, indexes, and stores customer data with an immutable lock. This prevents customer data from being technically overwritten, updated, or altered by any process or any OwnBackup user activity. OwnBackup also defaults to FINRA’s required 6-year retention period, which is customizable to align with the retention period of the customer’s specific corporate requirements.
Another relevant regulation is Sarbanes-Oxley Act (SOX) which stipulates how long certain audit records should be kept. For example, receivable or payable ledgers and tax returns must be kept for seven years, while customer invoices must be retained for five years.
While organizations must remain compliant with these regulations, storing all of this information in Salesforce for this length of time can become costly and cumbersome. To help customers avoid paying for additional storage space or having to delete records they shouldn’t, OwnBackup Archiver is another way financial services companies can keep their records compliant and secure.
2. Automatically Verify the Quality and Accuracy of the Storage Media Recording Process
In addition to setting standards for records themselves, SEC Rule 17a-4 also requires that companies “verify automatically the quality and accuracy of the storage media records process.” This means that you must preserve data integrity and quality for examination from auditors.
To enable this, Blockchain Verify compares an algorithmic, computational hash of the file before and after it has been written to storage in order to validate the backup and match it to the source. Furthermore, OwnBackup stores the backup in a compressed form, which has built-in cyclic redundancy checks (CRC) to provide error-detection and integrity verification. Industry standard security protocols of Transport Layer Security (TLS 1.2) are utilized when uploading data, reducing the risk of network-level errors during transmission.
3. Serialize and Time-Date For the Required Retention Period
SEC 17a-4 further requests that financial services companies serialize their electronic storage media and time-date this media for its required retention period. This makes it easy for auditors to identify records and establish a timeline for each record as it goes through its lifecycle.
To assist customers in fulfilling this request, OwnBackup ensures metadata has been created for each backup, including an index, unique ID, backup hash, and a serialized timestamp. Additionally, our solution collects data points about the backup, including when it started and completed, warnings, errors, size, records count, and record IDs.
4. Have the Capacity to Readily Download Indexes and Records
To comply with SEC 17a-4, a firm’s electronic storage media must “have the capacity to readily download indexes and any records preserved on the storage media to any medium acceptable.” This means that the records management solution you choose needs to make its records downloadable in an accessible format.
Blockchain Verify provides customers and authorized auditors with multiple capabilities for downloading and exporting the data:
Export full indexes of all backups over specific periods of time.
Export specific files and metadata from within a backup into .CSV or industry standard MySQL format.
Export indexes, timestamps, and associated hashes to validate that the data’s integrity has been maintained throughout the data lifecycle.
5. Store Separate, Duplicate Copies of All Retained Data
Under SEC 17a-4, financial services companies must “store a duplicate copy of the record, separately from the original, on any medium acceptable” under § 240.17a-4 for the time required. The intent of this requirement is to provide an alternate storage source for accessing the records, should the primary source be lost or damaged.
OwnBackup creates and replicates encrypted snapshots across two separate storage systems, in multiple zones within the customer’s storage region. OwnBackup then ensures the replicated data’s integrity is maintained throughout the data lifecycle across multiple zones.
Get An Additional Layer Of Security And Compliance With OwnBackup Governance Plus
To this point, we’ve focused on how OwnBackup Blockchain Verify helps financial services companies meet compliance requirements for electronic storage, record-keeping, and integrity of salesforce records. But Blockchain Verify is just one feature of OwnBackup Governance Plus, which was designed for larger enterprises with enhanced security and compliance requirements.
In addition to everything included in the Unlimited version of our plan, Governance Plus also includes:
SEC Regulatory Compliance Letter: If asked, OwnBackup can provide a letter confirming that a customer is compliant with SEC 17a-4 specific to electronic storage requirements.
Legal Hold: OwnBackup enables customers to find and label relevant “legal hold” backups in their backup history to preserve relevant data when litigation is reasonably anticipated.
Advanced Key Management / Bring Your Own Key Management System: OwnBackup Advanced Key Management provides additional security controls over the keys used to encrypt and decrypt data stored on OwnBackup. Or, organizations can use their own encryption keys for data encryption at the bucket level.
Interested in learning more? To request a demo and learn more about OwnBackup Governance Plus and its solutions, click below. In support of local restaurants, we're giving away $20 eGiftCards for every demo request that comes in through our website.