In an increasingly digital world, banks and capital markets recognize that the new world of banking, powered by tech-savvy employees, brings opportunities to impact business at an exponential rate. Microsoft's Office 365 delivers the capabilities banks need to capitalize on emerging digital trends, helping boost employee engagement and agility, while continuing to meet industry security and compliance requirements. For financial services organizations, success will be defined by how effectively they transform “business as usual” with technology and become valuable partners in an ever-growing interdependent network that crosses business and industry boundaries.
The modern workplace today requires an engaged workforce with people connecting from anywhere and anytime to collaborate using their own devices and social tools to enhance the value of work. With these emerging trends, the focus on regulatory compliance is at an all-time high. While the banking industry has always adapted to regulatory and technological shifts, the pace of change has accelerated dramatically within the past half-century.
Regulations such as the Securities and Exchange Commission (SEC) Rule 17a-4 stipulate the minimum record-keeping requirements that brokers and dealers must adhere to, how long those records and other documents relating to a broker-dealer’s business must be stored, and in what format they may be stored.1 “The SEC has required that broker-dealers create and maintain certain records so that, among other things, the Commission, self-regulatory organizations (SROs), and State Securities Regulators (collectively "securities regulatory authorities") may conduct effective examinations of broker-dealers.” The Financial Industry Regulatory Authority (FINRA) is responsible for compliance by its associates and members with the SEC books and records rules applicable to brokers and dealers.
Given SEC Rule 17a-4, there is an ever-growing need to assess how well the Office 365 solution fits financial services firms. Below is our point of view on how Office 365 can address the critical requirements under this rule:
1. Requirement - Preserves the documents and records entirely in a non-rewritable non-erasable format
Office 365 Retention and Preservation policies help meet this requirement.
Specifically:
When content is subject to a retention policy, people can continue to edit and work with the content as if nothing has changed because the content is retained in place, in its original location. But if someone edits or deletes content that’s subject to the policy, a copy is saved to a secure location where it’s retained while the policy is in effect. For websites, a copy of the original content is retained in the Preservation Hold library when users edit or delete it; for email and public folders, the copy is retained in the Recoverable Items folder. These secure locations and the retained content are not visible to the users. With a retention policy, people do not even need to know that their content is subject to the policy.
Timestamps are included in the metadata for each item and are used in the retention duration calculation. When a new item is received or created, the timestamp is applied and later cannot be modified or removed from the metadata.
The Preservation lock feature in Office 365 ensures that after a policy has been locked, no one, including the administrator, can turn off the policy or make it less restrictive.
2. Requirement - Automatically verifies the quality and accuracy of the storage media and recording process
This requirement implies that the electronic media used for storage must not just record and hold information; it should additionally perform checks to confirm that the information is recorded and retained appropriately and precisely in the electronic storage system. Each of the critical workloads in Office 365, namely Exchange Online, SharePoint Online, OneDrive for Business, and Skype for Business, contains features that automatically confirm the quality and accuracy of the recording media and process. For items that should be recorded, Exchange Online approves each recording operation and logs it accordingly. Communications (e.g., messages, files shared in a Skype session) using Skype for Business are filed in the Exchange Online infrastructure and likewise use the "MessageID" to distinguish everything recorded. A comparable unique identifier, "DocumentID," is used in SharePoint Online and OneDrive for Business to identify each recorded item and its integrity while recording.
3. Requirement - Serializes the original and duplicate units, if applicable, of the storage media and time-dates the information for the required retention period
The key workloads in the Office 365 suite rely on unique identifiers during recording. For example, Exchange Online uses a universally unique identifier (i.e., MessageID) to classify each recorded item. Exchange Online MessageIDs can be used to retrieve a specific object without timestamps to improve the speed of retrieval. Skype for Business uses the same MessageID to identify recorded items. Similarly, SharePoint Online uses DocumentID for recording as well as retrieving data.
4. Requirement - Should have the ability to promptly download the saved records and files to any medium accepted under SEA Rule 17a-4(f) as required by the SEC or SROs of which the broker-dealer is a part.
Retention policy in Office 365 fulfills this requirement by making the information downloadable and accessible using eDiscovery in standard industry formats such as EDRML and PST.
5. Requirement - The broker-dealer must store a duplicate copy of the original record separately. The duplicate copy can be stored in any of the three formats or media acceptable under SEA Rule 17a-4 - paper form, micrographic media, or electronic storage media. The duplicate copy must be stored for the same duration as the original record.
Retention policy in Office 365 uses the high-capacity standards built into the Office 365 cloud infrastructure; redundancy is a key attribute of that infrastructure. Redundancy is built in at the disk/card (electronic storage media) level physically within servers, at the server level within a data center, and at the service level across geographically distributed data centers. Each data center has facilities and power redundancy, with multiple data centers serving every geographical region. Redundancy at the data level is achieved by having recorded data replicated continuously across geographically distributed data centers. The primary goal is to maintain multiple copies of data in transit or at rest, along with failover capabilities to enable rapid recovery.
6. Requirement - Regional data requirements and data protection laws
In highly regulated industries, clients will know exactly where the data is stored, in compliance with the regulatory data requirements of the region, such as the European Union (EU). To that end, Microsoft maintains and continues to expand its network of regional data centers across the globe to meet such requirements, in compliance with international data protection laws. In case of a major data center outage or disaster, the customer data will be available as it can be replicated within a selected geographic area for enhanced data durability. In cases where the data is replicated, the multiple copies of the actual data at rest always remain across multiple data centers within the same geographical region. For example, US data will be replicated within the United States and EU data will be replicated between data centers in the EU region.
7. Requirement - The broker and dealer must have an audit system that identifies the original and duplicate records input onto the storage device and any changes made to the existing records.
Moreover, the SRO and SEC teams must be able to inspect the results of such an audit system, and the financial consultant must retain the audit results for the amount of time required for the audited records.
Audit logging is part of the Retention policy feature in Office 365, which logs all activities performed to modify data and also includes the actual command used to make any retention policy configuration changes, permission changes for different roles, and eDiscovery searches.
Audit entries such as these include information on:
In Office 365, audit logging can be customized to store audit log entries for the span of the retention period and to make them available for offline analysis and examination. Through retention and logging in Office 365, users can maintain a comprehensive audit trail of instructions run directly via inbuilt command tools as well as operations performed using the Office 365 admin portal.
Hence, the Retention and Preservation policy features in Office 365 provide a robust solution for regulated customers to help store and manage a variety of information, such as email, documents, messages, voicemail, and any third-party data, with the ability to comply with the requirements under SEC Rule 17a-4.
Wipro as a partner in Office 365 implementations
Wipro itself has run on Office 365 across its enterprise of 125,000+ employees since 2014. This was the fastest global implementation of Office 365, where we moved 125,000 mailboxes within a record time of 18 weeks with no disruption and full compliance with all security and regulatory requirements.
Wipro has enabled Office 365 for more than 50 clients, covering a user base of 1.2 million. Wipro has developed multiple tools and accelerators that facilitate safer and faster adoption of Office 365. Wipro’s Cloud Access Security Broker (CASB) solution addresses business needs relating to monitoring electronic communications and ensuring privacy. Wipro’s Workplace Transformation Platform (WTP) accelerates content migration to Office 365, while our Conversational Assistant, an intelligent assistant, helps automate end-user support during the migration.
Snapshot of Wipro success stories in Office 365 implementations across financial services organizations
To know more about our full-service offering in Office 365 implementation, please contact ask.microsoft@wipro.com
Aji Mathews, Microsoft Azure Architect, Wipro Ltd. - He has 15 years of experience in the IT industry. He has played varied roles across IT Consulting & Practice management for a range of industries such as Banking, Retail, Energy and Utilities and Healthcare. He currently leads Microsoft Azure Solutions for Microsoft Practice.
Ajit Nair, Practice Head and Business Architect, Wipro Ltd. - He has over 17 years of experience in the securities and capital markets space. He has been focused on new ways of working and has been instrumental in initiating and maturing the business transformation program for large financial services firms.