Financial

Proofpoint and FINRA

Given the tumultuous state of global financial markets in the past five years, financial services organizations have long moved past the view of information archiving as a tactical requirement for regulatory compliance. Whether those regulatory requirements are well defined within SEC 17a-4, FINRA 3110 or Gramm-Leach-Bliley - or rapidly evolving under the Dodd-Frank Wall Street Reform Act - it is clear that firms increasingly view email archiving technology as a strategic investment for the entire enterprise. For organizations involved in the sale of financial securities, it all starts with FINRA.

What is FINRA?

FINRA is the Financial Industry Regulatory Authority, which provides oversight to brokerage firms and exchange markets. FINRA functions as a self-regulatory organization (SRO) and provides first-line compliance oversight for 4,540 brokerage firms, 164,000 branch offices and over 600,000 registered securities representatives. FINRA was formed in 2007 by the consolidation of the National Association of Securities Dealers (NASD) and the regulatory arm of the New York Stock Exchange, with the objective of improving the efficiency and consistency of regulation of securities firms. The Securities and Exchange Commission (SEC) provides oversight to FINRA.

What information management actions must be fulfilled to address FINRA regulations and requirements?

Organizations subject to SEC and FINRA requirements must implement and enforce effective electronic recordkeeping, supervision and data protection policies for compliance with FINRA record retention rules and to fulfill SEC obligations for electronic message broker-dealer compliance. Several key FINRA regulations and requirements are outlined below:

FINRA 3110: Requires each firm to preserve accounts, records, and correspondence in adherence with applicable laws and FINRA rules, regulations and policy statements, as well as those prescribed by SEC Rule 17a-3.

FINRA 3010: Requires firms to maintain a system to supervise transactions and correspondence with their users. Companies should establish and maintain a supervisory system with written procedures, reviewing incoming and outgoing electronic correspondence on a regular basis.

SEC 17a-3-4: Require that firms maintain written, enforceable retention policies and searchable indexes of all data stored, provide viewable and readily retrievable data, and securely manage data offsite in tamper-proof storage media.

How does Proofpoint help organizations address FINRA regulations and requirements?

Proofpoint Enterprise Archive makes it easy to meet even the most stringent FINRA regulatory compliance demands by archiving email messages according to SEC-compliant policies and regulations. Supervisory review capabilities ensure that broker-dealer communications are monitored and managed to assist in meeting requirements of FINRA Rules 3110 and 3010, as well as SEC Rules 17a 3-4.

FINRA-regulated firms leverage the power of Proofpoint Enterprise Archive’s robust supervision review features, which significantly improve the efficiency of the compliance audit process, thus enabling greater productivity of compliance staff and improving effectiveness in identifying and routing potential policy violations that require further review or escalation.

Proofpoint Enterprise Archive also provides a secure, tamper-proof email archiving storage infrastructure comprised of geographically distributed data centers, which ensures that information is available in the event of service disruption to either location.

Proofpoint Enterprise Archive helps organizations to meet specific SEC and FINRA regulations and requirements as follows:

| The Rules and What They Require for Email | Does Proofpoint Enterprise Archive Address This? |
| --- | --- |
| SEC 17a 3-4 | |
| Retain email for three to six years (depending on the type of record), the first two years in a readily available location. | YES |
| Preserve all electronic records in a non-rewritable and non-erasable format | YES – Proofpoint stores multiple copies of messages and indexes on SEC 17a-4 compliant storage |
| Automatically verify the quality and accuracy of the storage media recording process. | YES – Proofpoint checks the digital fingerprint of messages to verify quality and accuracy of the recording process |
| Store a duplicate copy of records separately from the original for the specified retention period. | YES – Proofpoint stores multiple copies of each message on different equipment within the primary data center. An additional copy is stored at a secondary data center. |
| Organize and index all original and duplicate copies of records. | YES |
| Put in place an audit system providing for accountability regarding inputting of any changes made to every original and duplicate record maintained and preserved. | YES – Proofpoint maintains an audit trail of all system and user activities, including policy changes and archive events |
| Have ready to produce upon request all information needed to access records and indexes. | YES |
| Ensure a third-party has access to and the ability to download a firm’s records. | YES – Upon request, Proofpoint can serve as the Designated Third Party downloader. In the event that the SEC requests copies of their archived data, Proofpoint presents proof of the SEC request to the key escrow service provider who releases copies of the encryption keys to Proofpoint. Requested data is then exported to the SEC. |
| FINRA Rules & Guidelines | |
| Establish supervision procedures to review any correspondence with the public related to investment banking or securities business. | YES – Proofpoint provides a flexible supervision workflow that can easily address a variety of scenarios. |
| Monitor and test supervision procedures | YES |
| Retain all email correspondence relating to investment banking or securities business according to SEC rules, to be made readily available to FISMA upon request. | YES – Email is kept according to granular, policy-driven retention rules and can be easily searched and downloaded for audit purposes |
| Retain copies of draft or final versions of research reports for three years (any written or electronic communication that includes equity securities analysis). | YES |
| FINRA members must ensure that their use of IM and social media is consistent with their basic supervisory and recordkeeping obligations. | YES – Proofpoint supports the capture and archiving of instant messages (IMs) through the use of third-party instant message proxy server software. IMs are treated in the same way as email messages. |
| Provide employees with quick and easy access to electronic communication policies and procedures and timely notification of updates to policies. | YES – Policies can be downloaded or printed in PDF format, and circulated to all your employees. |
| Enable lexicon-based reviews of electronic correspondence. | YES |
| Enable random review of electronic correspondence. | YES |
| Enable a combination of lexicon-based and random review of electronic correspondence. | YES |

In summary, Proofpoint allows organizations to automate regulatory compliance processes, thus improving the organization's ability to meet SEC, FINRA and other evolving financial services regulatory requirements.

©2012 Proofpoint, Inc.