RIA IT Compliance Requirements Checklist

Financial services are among the most heavily regulated industries, with plenty of laws and policies to ensure everyone operates legally and fairly. Consequently, there are many procedures and guidelines to help financial service providers, including registered investment advisors (RIAs), stay in compliance with the law.

The U.S. Securities and Exchange Commission (SEC) is the main overseer of this industry; it both proposes and supervises the regulation of the securities industry. To be IT compliant, RIAs have to abide by the SEC’s Rule 17a-4(f), which defines the requirements and standards for storing books and records electronically.

IT Compliance With Microsoft

IT compliance can be quite a challenge to maintain. Using Microsoft tools such as Azure and Office 365 can make it easier to improve and maintain compliance with these regulations. For example, Microsoft Azure Immutable Blob Storage with Policy Lock and Microsoft Office 365 with Preservation Lock can help RIAs and financial advisors maintain non-rewritable and non-erasable data.

Immutable storage for Azure Blob storage allows users to store data in a write once, read many (WORM) format, ensuring that data cannot be modified once stored. Additionally, the data cannot be deleted for a specified period, enabling users to meet the SEC’s record retention policies.

Microsoft can also help with the 90-day notice required before you employ electronic record storage. Customers can get the Attestation of Electronic Storage Media Services letter by sending a support ticket on the Azure portal. The required assurances and compliance representation are also offered alongside the 90-day notification. 

Microsoft 365 also has archiving features that enable customers to retain data such as emails, documents, and third-party data. Customers can also set archival policies that define what data to store and the data storage period, and that keep the archive non-rewriteable and non-erasable.


IT Compliance Requirements Checklist

Record requirements

The SEC has plenty of regulations to monitor how you store your data. Some of these requirements include:

Non-Rewriteable, Non-Erasable Record Format

Your records must be stored in a non-rewriteable, non-erasable format. The rule is designed to guarantee that should the data be required later, you can accurately reproduce it without changes. You should store the records for the required retention period as well as beyond, in case they are required for special circumstances like external investigations and legal matters.

Accurate Recording Process

The records on your system should be precisely the same as the ones recorded during the transaction. This requirement demands that the quality and accuracy of your data capture and storage processes be verified. 

Duplicate Copy of the Records Stored Separately

You’ll need to store a duplicate copy of your records in a separate medium from your original, in case something happens to the original copy. This requirement is important to maintain access to accurate information even when the primary copy is lost or damaged. 

Serialize the Original and Duplicate Units of Storage Media 

While storing your records, you’ll also need to capture the order in which they are saved. Serializing both the original and duplicate records ensures their accuracy and improves accessibility. If you know the order in which your records were stored, you can easily locate specific records. Records stored in their proper order also help you make sure that your storage process works as intended.

Index Requirements

An index is a unique identifier that differentiates records from each other. The SEC’s requirements for these indexes include:

Organization and Accuracy of Indexes 

You are required to organize all your data, both original and duplicate copies, and assign indexes to them appropriately. By doing this you make sure that all records can be uniquely identified, searched, and retrieved easily. 

Duplicate Copy of the Index Stored Separately 

Just as with the records, the SEC also requires that you store a duplicate copy of the index separately from the original. By doing so, you ensure that the index can still be accessed should the original be lost or damaged. 

Preservation of Indexes

Since the SEC requires that records be kept for a specified period, the original and duplicate indexes should also be available during this period. When you comply, you ensure that as long as the records are stored, they can be searched and accessed using the index. 

Availability of Indexes for Examination

In addition to keeping these indexes, you also need to make them available to the SEC or another regulatory organization upon request. Electronic copies of the index may also be needed and should be available for examination.

Capacity to Download Indexes and Records

Besides accessing your records and indexes, the SEC or other regulatory organizations may sometimes need to get a copy of them. Your system must be able to download records and indexes in the specified format whenever needed. 

Production of Information

Production of Images for Examination

Images are the electronic records as they are stored on your system. Formats in which data is stored include CSV, JSON, and XML. Since records cannot be directly read in these formats, you are required to provide a human-readable form or reproduction of your records through a website, an application or any other available method.

Reproduction of Images Provided to Regulators

This requirement stipulates that the SEC or other regulatory body should have access to your records in paper or any other format or medium as needed. It’s important that if requested, you’re able to locate and retrieve those records.  

Availability of Information to Access Records and Indexes

This requirement stipulates that you maintain current information on the system required to access records and indexes and provide it on request from the SEC or other regulatory body. 

Audit System 

This requirement specifies that you must have an audit system to ensure accountability in your record input process. The audit system ensures that data such as the time, staff member, and any action taken on the system are recorded to track both the inputs and any changes made on the records. 

Availability of Audit System for Examination 

This provision ensures that your audit system and its results are available for examination whenever requested by the SEC or other regulatory organizations. You also need to store the results of your system audit for as long as you’re keeping the records. 

90-Day Notification and Compliance Representation

You’ll need to inform the relevant regulatory organizations at least 90 days before you begin storing records electronically. You must also prove that your selected storage system complies with SEC policies. You can do this yourself, or your storage medium vendor or any other qualified third party can represent you. 

Designated Third Party Requirement

You’ll need to have at least one third party, also known as the undersigned, who has access to and can download all the data on your electronic system. This requirement makes sure that the regulatory body can still access the records and indexes should you be unavailable. 


IT compliance is essential to any RIA firm, ensuring that it operates within the law while offering clients the confidence that all transactions are appropriately regulated. No matter the size of your firm, there is no escaping the regulations and policies that govern the industry. With this RIA compliance requirements checklist, you’re on your way to understanding what you need to do to maintain compliance with the SEC. 

At RIA WorkSpace, we understand that IT compliance can be a challenge alongside all the daily operations that you have going. Most RIA firms have to deal with plenty of IT compliance issues, from handling SEC interactions to being compliant with financial advice. Compliance doesn’t have to be a daily headache, however. RIA WorkSpace can take care of IT compliance for you.

Using the RIA WorkSpace platform, powered by Microsoft, gives you the peace of mind that your IT compliance is taken care of, freeing you to focus on your key business priorities. Data retention and archiving functionalities are built into the system, so that compliance standards are met. RIA WorkSpace provides admin access to and control of your data, as well as the comprehensive reports required in case of an SEC audit. 

Talk to our team today to discover how you can benefit from the RIA WorkSpace IT compliance solution.