The Securities and Exchange Commission (SEC) Rule 17A is a federal mandate which covers overall record keeping for the financial services industry. Rule 17a-3 covers document retention requirements, specifically which documents must be retained and for how long, and Rule 17a-4 contains regulations for how these documents must be retained. When combined, these two rules require the preservation of records in an easily accessible manner.
Under SEC 17A, penalties for non-compliance can be quite severe, and can include not only high fines but also the revocation and suspension of licenses.
The SEC fined five of the largest investment banks in the world over $8 million for having inadequate procedures and systems in place for the retrieval of email as defined by SEC 17a-4: Goldman, Sachs & Co., Salomon Smith Barney, Deutsche Bank Securities Inc., Piper Jaffray, and Morgan Stanley & Co.
For advisors or firms that are dually registered with FINRA, document management requirements are identical to SEC requirements. If you are already compliant with FINRA requirements, then you will also have taken care of your SEC 17A obligations. FINRA does have an additional requirement to submit a copy of your firm’s imaging procedures, along with a notification letter.
| SEC Requires... | SmartVault Responds... |
| --- | --- |
| Board level oversight of information security | Protecting your information and the information of your customers is something we take very seriously and at the highest level at SmartVault. Our Board of Directors has chartered our information security program and is actively engaged with our leadership to ensure that SmartVault takes every reasonable precaution to safeguard its users' data. |
| Comprehensive written Information Security Program | SmartVault's information security program is clearly documented, with supporting policies and procedures for all aspects of safeguarding your information, and it is reviewed on an annual basis to ensure it is still meeting the needs of the changing business landscape. |
| Risk Assessment and Remediation | On an annual basis, we at SmartVault evaluate not only our own internal processes and controls, but also those of our data center providers. |
| Administrative Safeguards | As part of the administrative safeguards in place at SmartVault, each and every employee has clearly defined roles and responsibilities for protecting our customers' data. We provide training on information security to all new hires, and on an annual basis to all employees and contractors. We also have clearly documented processes and procedures for every aspect of our services and ensure that our staff understand and operate by those procedures. |
| Technical Safeguards | Industry-standard SSL encryption for documents in transit, protecting your documents, passwords and interactions with SmartVault from eavesdropping |
| | Granular access: ability to grant access to specific folders |
| | Activity logs: complete audit history of who accessed and/or modified documents stored in SmartVault |
| | Document access via authenticated login: files are only accessible to users of the service (no anonymous sharing of files) |
| Physical Safeguards | Physical access to our data centers is strictly controlled. Only those employees and contractors with a demonstrated need are permitted access, and that access is enforced through a series of technical controls such as badge readers on the doors, biometric locks on the data center, and physically keyed or combination locks on cabinets and safes. |
| An ongoing process to determine whether the Security Program is effective | At SmartVault, we are constantly seeking to improve our services, and security is no exception. We continuously gather and analyze new information regarding threats and vulnerabilities, adjusting our security controls to ensure their effectiveness in the face of these changes. We also update our security strategy and the administrative, technical and physical safeguards to ensure we are providing our customers with the most comprehensive protection that we can. |
Keep in mind that SEC compliance is a financial services obligation, not a technical specification. So when we say that SmartVault supports an SEC compliant workflow, what we mean is that our service gives you the tools that financial services firms need in order to work in an SEC-compliant fashion.
While we are not an SEC compliance consulting firm, we are happy to assist you in getting pointed in the right direction. Feel free to contact us at firstname.lastname@example.org for more insight.
SmartVault adds value to your financial services workflow by giving you the ability to store all of your files securely online, access documents when you need them, and safely share files with the right people. It’s easy for you to use with features specifically designed for financial services companies to automate workflow and meet compliance mandates.