FINRA Compliance

    Encyro helps you comply with FINRA cyber-security requirements in the following ways:

    1. Encyro maintains the confidentiality and integrity of data as required by FINRA.
      • Encyro uses US federal standards compliant (NIST FIPS 140) encryption technologies.
      • To maintain data integrity, Encyro maintains encrypted data backups at multiple data centers, separated by hundreds of miles.
    2. Encyro maintains organizational data security procedures and policies consistent with FINRA, HIPAA and GDPR requirements.
    3. We provide you with audit logs (activity logs) of all account activity. These logs are maintained for all Encyro accounts and are available to you from the Settings page if you have an Encyro Pro (including the Encyro Pro trial) account. Since all data and activity logs are retained and easily available, this helps you comply with data retention and FINRA audit requirements with ease.
    4. We make it easy for customers to send you encrypted messages and files (through the use of your Encyro upload page) – so they are less likely to fall back to email and put you at risk.

    See the list of Encyro’s data security and privacy safeguards here: /blog/multiple-layers-of-security/

    Since Encyro is not a broker, dealer, or investment company registered with the SEC, we cannot claim to be FINRA compliant ourselves. Rather, using our online service for your data security needs can help you become FINRA compliant.

    FINRA Checklist

    The FINRA Small Firm Security Checklist (worksheet titled Section 3), recommended by FINRA here, asks you the following question related to your use of 3rd party services for your data: Do you transmit PII or firm sensitive information to a third party, or otherwise allow access to your PII or firm sensitive information by a third party?

    To help you fill out your checklist, please see the suggested responses below for the items under that section:

    FINRA Section 3 Question                                                                                    | Suggested Response
    Name of Third-Party Organization                                                                            | Encyro Inc
    PII or Firm Sensitive Data transmitted to Third-Party Organization (Y/N)?                                   | Y
    Risk Severity Level                                                                                         | High (see note below)
    Is it necessary for the Third-Party Organization to access the data transmitted (Y/N)?                      | Y (to provide secure data sharing with clients)
    Have you assessed the Third-Party Organization to ensure that they have effective security practices (Y/N)? | Y (see security safeguards and privacy policy)
    Are there controls in place to isolate Third-Party Connections from your critical assets (Y/N)?             | Y (Log out of and close the browser. At that point, no Encyro software runs on your computer or mobile device.)
    Remediation Needed? (Y/N)                                                                                   | N
    Remediation Steps                                                                                           | N/A
    Remediation Status                                                                                          | N/A

    Risk Severity level: This describes the risk associated with the data you store/share using Encyro. We have filled in “High” assuming you would share sensitive financial data that you and your customers want to keep completely confidential.

    Related articles

    • IRS Publication 4557 provides seven checklists for tax preparers to help protect tax clients' tax data. The safeguards also protect your business from a da...

    • The GLB Act of 1999 and the Safeguards Rule of 2002 require all financial service providers to protect their customer's financial privacy and is enforced b...

    • PCI-DSS requires safeguarding credit card data that you receive. Email is not a secure way to ask a customer to provide their credit card information to se...

    • The SEC Regulation Title 17: Chapter II, Part 248, Subpart A: §248.30 requires every broker, dealer, and investment company, and every investment adviser ...

    • Can I use Encyro for HIPAA compliance? Can I store and send patient information using Encyro? Encyro complies with Health Insurance Portability and Account...

    • National Institute of Standards and Technology (NIST) Special Publication 800-171 or NIST-SP800-171, specifies requirements for non-Federal computer systems...

    • Can I use Encyro to store data subject to Defense Federal Acquisition Regulation Supplement (DFARS) compliance, or data security regulations subject to def...