Backup and archiving suggestions for small broker-dealers

In this week’s Tech Update column: “Before disaster strikes, test your recovery plan,” I discussed the need for advisers to take a fresh look at their thinking when it comes to preparing their offices for the worst.
Part of that means thinking outside the box and asking questions of some of your providers. Questions like whether, amidst the various backups you already are doing, you have settings for your Exchange server or other servers and do you have the applications you might need loaded on your home PC or laptop that will allow you to take care of your clients from an alternate location?
Part of what made me think of this as a topic for a column in the first place was a conversation I had recently with Allan Lonz of AdvisorVault.
In preparing the column I asked him to come up with a list of things that his potential clients (small broker-dealers) should be asking their backup and archiving providers prior to signing on the dotted line. I couldn’t get that into the column so I am posting it here.
I’m not endorsing it or passing judgment other than to say that I think his suggestions are worth mulling over and can also be good food for thought for RIAs and planners as well.

Allan Lonz of AdvisorVault: “A small broker dealer should look for the following in a data compliance partner:

1. The provider’s software should be pre-installed on a self-contained appliance. Most providers will install their software on one of the broker-dealer’s existing computers or servers, this is not compliant because employees will have access to the software and can modify backups. For example prior to an audit a rep could delete historical data to cover his tracks. Or cancel backups.

2. Two tiers of storage. A provider should have an area for current backup data for quick restores and a second tier for archived data which is kept on non-rewriteable media.

3. Access to data in standard formats. Current and historical data should be retrievable in a standard format that can be read by staff and auditors. For example, if an SEC auditor needs to see a broker-dealer’s email, the best way is to copy the data to a CD/DVD in pst file format and ship that media to the auditor, he can then open that pst file on his computer with outlook and do searches on it. Mailboxes on an Exchange server can easily be extracted and archived to pst files. The same thing applies to office documents — they should be restorable in their native format. This might sound strange but most providers backup a customer’s data in a format that is only readable with their software, so if a broker-dealer changes backup providers, old backups are not accessible.

4. Broker-dealers should look for a provider that has an understanding of the third-party storage requirement contained in rule 17a-4. Two letters must be created, one with the provider’s letter head and the other with the broker-dealer’s letter head and submitted to FINRA. Basically, these state that the SEC can rely on the provider to access to data if the broker-dealer fails to provide it

5. The provider should be geographically in another area.

6. In the event of a disaster the provider should be able to recover all data within 48 hours.

7. License-free software is important for small broker-dealers. With this, the broker-dealer can install the software at the head office and at remote- or home-offices and for travelling users without having to keep track of licensing costs. The cost should only be based on the amount of data stored with the provider — from all locations and systems.

8. Agentless software. It is beneficial if the provider’s software is agentless, so no additional software needs to be installed on the servers or PCs to be backed up.

9. Automatic alerts and reporting. The provider’s software should send automatic e-mails/reports to technical and compliance staff for regular reporting and auditing review process

10. Self-managed. The provider should remotely manage their software and address any issues as they arise.”