Solutions for Broker-Dealers
Broker-Dealer Compliance Archiving and Monitoring
Overview
Global Relay is the Message Archiving Vendor in FINRA's Compliance Resource Provider Program.
Today Global Relay provides compliance archiving solutions to over 1,200 Broker-Dealers worldwide.
In today's financial world, SEC and FINRA Regulators have no tolerance for inadequate recordkeeping and supervision of electronic communications. To address the explosive growth of email and instant messaging as critical business communication tools, SEC Rule 17a-4, NASD Rules 3010, 3110 and FINRA Rule 3130 require Broker-Dealers to implement a compliance archiving & monitoring solution to archive and supervise all electronic communications such as email, attachments, Instant Messaging (AOL, MSN, Yahoo, Google Talk etc.), Bloomberg®, Thomson Reuters, BlackBerry, Social Media and more.
Global Relay Archive, and Compliance Reviewer, are specifically engineered to provide a total archiving solution for Broker-Dealers subject to the compliance requirements of the SEC, FINRA and the various Exchanges in connection with electronic business communications.
FINRA is a registered trademark of the Financial Industry Regulatory Authority, Inc.
Recordkeeping (SEC 17a-4)
Global Relay Archive, Global Relay's message archiving and compliance system, captures and archives an authentic and complete record of all electronic business communications in a secure but easily accessible offsite storage system. Compliance features include:
- Message Capture of email, attachments, Instant Messaging (AOL, MSN, Yahoo, GoogleTalk, etc.), Bloomberg®, Thomson Reuters, BlackBerry, Social Media and more.
- Archives messages for 3 to 6 year SEC term (or as defined by deletion policies)
- Access includes web-based instant access for all employees to their messages
- Tamperproof protection of data on dedicated WORM (Write Once, Read Many)
- Offsite, mirrored, single instance storage in East/West Coast Data Centers
- Indexes & serializes messages, Bcc & Distribution Lists, metadata & audit trails
- Search & retrieval of any message in seconds
- Security & encryption of systems, networks & messages
- Migration of legacy data (.pst files, backup tapes) to archive
- SEC Third Party Downloader engagement for independent SEC and FINRA mandated access
- SEC Filings & annual audit reviews by Global Relay's in-house compliance lawyers
- Retention Term flexibility for Litigation Holds & SEC investigations
How does Global Relay Archive work? All email, attachments, Instant Messaging (AOL, MSN, Yahoo, Google Talk etc.), Bloomberg®, Thomson Reuters, BlackBerry, Social Media, etc. are securely captured and centrally unified together with imported legacy email and .pst files, in Global Relay Archive for rapid online search, retrieval & monitoring. With secure web-based access and real-time indexing powered by search engine technology, every employee and Compliance Officer has the ability to find any current or historical message in seconds.
Supervision (NASD Rule 3010, FINRA Rule 3013)
The Compliance Reviewer, Global Relay's monitoring system, provides Broker-Dealers with a turn-key, flexible, online supervisory system with advanced monitoring, filtering and eDiscovery features enabling enforcement of your firm's email & IM policies for compliance, proper usage and corporate governance. Compliance features include:
- Scan & Monitor email, attachments, Instant Messaging (AOL, MSN, Yahoo, Google Talk etc.), Bloomberg®, Thomson Reuters, BlackBerry, Social Media and more from Global Relay Archive
- Content Filtering with company-defined rules to identify prohibited content
- Advanced Analysis with Boolean logic, criteria lists, proximities & action alerts
- Random Sampling of each rep's messages customized by percentage & user
- Keyword Search results are highlighted within the message for quick discovery
- Full Review of messages & attachments, or bulk review of headers only
- Reviewer approval, rejection, escalation based on action icons & defined notes
- Multi-tiered Review structure for review escalation to Super Reviewers
- Wizard Commands for pre-defined, single-click compliance using folders, flags, priorities & labels
- Exclude Words, phrases or email accounts (e.g. disclaimers, attorney-client privileged mail, newsletters) from Flagging Rules
- Access Rights of authorized Reviewers governed by customized security rules
- Notifications of compliance violations by email
- Audit Trail with detailed time history of reviews and related actions taken
- Web-based Control Center to modify surveillance & monitoring procedures
- Compliance Dashboard and reporting tools
How does the Compliance Reviewer work? Using powerful search engines, the Compliance Reviewer is able to retrieve your firm's messages from Global Relay Archive and apply easy-to-use, company-defined filters and Wizard Commands for efficient review and monitoring of all archived email, IM, and Bloomberg messages. Messages of any user are analyzed on import and flagged for review if violations are detected as follows:
- Real time filtering for keyword or phrase violations (start-up list provided)
- Specific query using flexible search criteria
- Advanced rule-based keyword & phrase proximity analysis
- Random sampling (by User, User Group, or firm-wide, using percentages).
Audits & Investigations
Global Relay Archive & Compliance Reviewer Audit Tools are designed to facilitate efficient responses to regulatory Audits and evidentiary requests. Global Relay has successfully assisted hundreds of SEC-regulated firms during their Audits and regulatory investigations. Currently, Global Relay participates in approximately 4 to 6 customer Audits, examinations or subpoenas per day.
- Search and retrieve any message in seconds using Google-like search engine
- Audit Request response within minutes using online search and eDiscovery tools
- Statistics & reporting on Compliance Officer reviews & related actions taken
- Retention Term flexibility for Litigation Holds & anticipated investigations by SROs (self-regulatory organizations)
- Legal Compliance in-house specialists to assist during Audits
- Case Management via folder system with shared folders (e.g. external attorney review)
How do Global Relay's Audit Tools assist with an Audit? Global Relay provides flexible and efficient methods to produce records according to the specific criteria of the Audit request. Messages are made readily available for examination either by:
- Online review of messages via an "Auditor account" in Global Relay Archive
  - Create online access based on Audit request, restricted access to the exact scope of the Audit (by date, user, subject etc.)
  - Assign Auditors temporary online review privileges
  - Block Attorney-Client privileged, personal or restricted messages
- Compilation of data for delivery to SEC/FINRA
  - Professional Team can be engaged to assist with complex discoveries
  - Fast discovery, consolidation and organization of data for export & delivery
  - PST file export capability
  - Compile requested information on regulator-qualified media such as disc, FTPS or portable hard drive
SEC/FINRA Filings (SEC Rule 17a-4(f)(2) Documentation)
What Legal Documentation needs to be filed with the SEC/FINRA? As part of your Broker-Dealer compliance solution, you may request Global Relay to prepare the SEC-mandated filings. Additionally, your firm has the option to engage Global Relay as your Third Party Downloader and Global Relay's in-house compliance lawyers will assist you with filing the required Third Party Downloader Undertaking with the SEC/FINRA.
SEC Rule 17a-4 Message Archiving Compliance Notice & Filings
As part of your compliance archiving process in connection with SEC Rule 17a-4, upon request, the following Broker-Dealer Legal Compliance Documentation will be prepared by our in-house compliance lawyers:
SEC Rule 17a-4(f) Letter to SEC/FINRA — this is a customized legal letter, prepared by Global Relay and sent to the SEC and electronically filed with FINRA, relating to the following (see below for further detail on each compliance requirement):
- Electronic Storage Media Notification (SEC Rule 17a-4(f)(2)(i)) — notice that your firm is implementing Global Relay Archive service to meet the Books & Records requirements for electronically stored information;
- Attestation to Electronic Storage Media Compliance (SEC Rule 17a-4(f)(2)(i)(A)-(D)) — Global Relay will attest that the Global Relay Archive, as your firm's outsourced electronic archival service, meets the SEC and FINRA compliance requirements including:
  - SEC Rule 17a-4(f)(2)(ii)A - WORM Storage Media
  - SEC Rule 17a-4(f)(2)(ii)B - Message Write Quality & Accuracy Verification
  - SEC Rule 17a-4(f)(2)(ii)C - Message Serialization of Original & Duplicates
  - SEC Rule 17a-4(f)(2)(ii)D - Index & Record Downloading.
- Third Party Downloader Undertaking (SEC Rule 17a-4(f)(3)(vii)) — Global Relay will provide a legally binding statutory Undertaking to the SEC and FINRA as your firm's appointed Third Party Downloader, that identifies Global Relay as being your firm's Third Party Downloader in connection with all your electronic communications that are archived in the Global Relay Archive.
In order for Global Relay to prepare the foregoing letter, your firm must first provide us with the full legal name of your FINRA registered entity, together with the following Direction that our in-house compliance lawyers will send to you for execution:
- Legal Direction and Authorization for Third Party Downloader (SEC Rule 17a-4(f)(3)(vii)) - this legal document appoints Global Relay as your impartial Third Party Downloader that has independent access to, and the ability to download the archived electronic records of your firm, if required upon request by the SEC or FINRA under SEC Rule 17a-4.
SEC Rule 17a-4(f)(2)(ii)(A)-(D) — Global Relay's Technical Solution
The following describes how Global Relay Archive meets the technology compliance requirements covered by the Attestation that must be provided to the SEC and FINRA, described in item #2 above:
WORM Storage Media (f)(2)(ii)(A)
Rule: Preserve the records exclusively in a non-rewriteable, non-erasable format
Global Relay Archive archives a permanent copy of all messages, including attachments, to near-online storage (NOS) using dedicated WORM (write once, read many) drives, eliminating the risks associated with lost, modified or deleted data.
Message Write Verification (f)(2)(ii)(B)
Rule: Verify automatically the quality and accuracy of the storage media recording process
Global Relay Archive automatically verifies the quality and accuracy of the storage media recording process as messages and attachments are written to Global Relay Archive primary and secondary file storage systems. The quality and accuracy of the write-verification recording processes is ensured through data comparison. As messages are processed, Global Relay Archive automatically compares the post-processed message with the original message before the original email is deleted. Global Relay Archive also provides automated 7 day external storage as an added level of redundancy in the write-verification process.
Message Serialization (f)(2)(ii)(C)
Rule: Serialize the original and, if applicable, duplicate units of storage media, and time-date for the required period of retention the information placed on such electronic storage media.
Global Relay Archive ensures that all messages are serialized and duplicated with identical copies written to both the primary online storage and secondary near-online storage (NOS) for the Retention Period in our mirrored SSAE 16 Type II certified Data Centers. Also, each serialized message is time-dated to ensure compliance with specified retention schedules and for eDiscovery purposes. Any message can be retrieved within seconds by serial number.
Index Download (f)(2)(ii)(D)
Rule: Have the capacity to readily download indexes and records preserved on the electronic storage media to any medium acceptable under this paragraph (f) as required by the Commission or the self-regulatory organizations of which the member, broker, or dealer is a member.
Global Relay Archive automatically preserves all message indexes and messages, and is able to make such data readily available for online access and viewing by authorized Users (such as the SEC/FINRA). Also, indexes and messages may be downloaded as files, forwarded by email or printed directly from any secure web browser connected to the Internet or downloaded to DVD.
Questions relating to the Broker-Dealer Legal Compliance Documentation may be directed to legal@globalrelay.net.
Frequently Asked Questions
- What are the electronic messaging compliance requirements for Broker-Dealers?
  Recordkeeping & Audits:
  - SEC Rule 17a-3 & 17a-4
    - preserve electronic records of transactions and general securities business (incoming, internal, outgoing)
    - store on non-rewriteable and non-erasable media, the quality of which must be verifiable
    - store original and duplicate copies in separate locations
    - create and store indexes of the electronic records
    - have an auditing system in place and store audit results for all electronic records
    - retain for retention periods (3 to 6 years), the first two years in an easily accessible place
    - enable all records to be "readily available" for inspection by the SEC/FINRA
    - enable independent third party access in order to download a firm's electronic records upon SEC request
  - NASD Rule 3110
    - preserve all electronic communications between firm and customers
    - preserve such messages in compliance with NASD rules and with SEC Rules 17a-3 and 17a-4
    - note that NASD Rule 2210 includes "electronic" sales literature, advertisements and correspondence in their requirements regarding communications with the public
  Supervision:
  - NASD Rule 3010
    - establish supervisory policies and procedures for all business-related electronic communications with the public (e.g.: methods for reviewing and sampling each RR's message capabilities for distinguishing types of correspondence, time frames for conducting reviews, and methods of addressing prohibited email & IM uses)
    - educate, train and log employees on procedures governing public electronic correspondence
    - monitor electronic correspondence of each registered representative regarding customer recommendations and any customer complaints
    - maintain an audit trail and record of supervisory reviews, including the identities of authors and reviewers
    - monitor and evaluate supervisory procedures to ensure compliance
  - NASD Rule 3012
    - designate a chief compliance officer (CCO) who, together with the CEO, must certify annually to having a process in place to establish, maintain, review, modify, and test supervisory control policies and procedures reasonably designed to achieve compliance with applicable rules and laws of the SEC and FINRA.
  Outsourcing:
  - FINRA Notice to Members 05-08
    - conduct due diligence on your service vendor before outsourcing
    - determine and ensure that your outsourced service provider's systems fully meet compliance standards
  - SEC Rule 17a-3 & 17a-4
- What is the significance of these SEC/NASD rules?
  Regulators have no tolerance for inadequate recordkeeping and supervision of a firm's electronic communications. In recognition of the explosive growth of email and IM as the principal business communication tools, the SEC adopted stringent amendments to SEC Rules 17a-3 and 17a-4 in connection with the preservation and retention of all electronic correspondence related to business, and NASD Conduct Rules 3010 and 3012 in connection with the supervisory review requirements on firms for the monitoring of electronic communications with the public. These requirements are designed to protect investors from misrepresentation and fraud via electronic communications and to prevent record tampering. Additionally, revised NASD Conduct Rule 3110 cross-references SEC Rule 17a-4 regarding electronic record format, medium and retention periods.
- Who must comply?
  Generally, these Rules are applicable to all persons engaged in trading securities or acting as a broker, including Broker-Dealer firms and registered representatives that are subject to SEC and FINRA jurisdictions. Note that SEC Rule 17a-4(b)(4) requires preservation of all correspondence of a Broker-Dealer "relating to his business as such", which should include the preservation of all email of a firm's registered representatives, as well as all associated persons to the business.
- What are the repercussions of non-compliance?
  Increasingly, SEC investigations focus on electronic business records, and on stricter enforcement of these Rules. Firms cannot afford to have a casual attitude toward electronic messaging compliance, as the repercussions of non-compliance include internal and/or regulatory disciplinary actions, civil liability, costly penalties, damaged corporate reputation and loss of goodwill. The imposition of fines for email recordkeeping violations can range into the millions.
- Where can this Legislation be found?
  - SEC Rule 17a-4
  - SEC Final Rule Release No. 34-44992
  - NASD Rule 3110
  - NASD Conduct Rule 3010
  - FINRA Regulatory Notice 10-06 (Guidance on Blogs and Social Networking Web Sites)
KPMG Report
Performing comprehensive due diligence on Software-as-a-Service vendors is a responsibility and a best practice for Broker-Dealers.
For FINRA member firms, guidance on this topic is provided in Notice to Members 05-48: Members' Responsibilities When Outsourcing Activities to Third-Party Service Providers. The Notice states that FINRA members must perform a due diligence analysis of vendors who provide outsourced services.
Global Relay can assist with the due diligence process. Global Relay's internal controls are verified by KPMG in a document entitled, "KPMG Report on Global Relay's Business, Operational & Security Controls". The report provides assurances and transparency into the high standards of Global Relay's internal controls, and how these truly differentiate Global Relay.
Specifically, the KPMG Report provides unique and extensive validation of Global Relay's security, business and operational controls related to:
- Physical Security - Safeguards governing data protection and data center controls.
- Change Management - Frameworks for guiding software development releases, operations and change control.
- Network Security & Availability - System architecture, redundancy, access and security.
- Global Relay Archive & Compliance Reviewer - Inbound message processing, secure storage, data center replication and end-user access.
- Data Import, Extraction & Destruction - Policies, procedures and methodologies for securely handling customer data.
- Security Policies & Standards - Policies & standards governing privacy and confidentiality.
- Personnel Policies & Procedures - Employee life-cycle management.
To learn more about this report and how Global Relay can assist your firm with due diligence, contact us today.