• Overview

Broker-dealers, like most companies, rely on third-party vendors for a wide variety of functions. This common practice of outsourcing does not relieve a broker-dealer of its regulatory compliance and supervision obligations over the outsourced functions. Accordingly, management and supervision of third-party vendors present important issues that merit careful attention from regulatory, compliance, and legal departments within a broker-dealer.

On Friday, August 13, the Financial Industry Regulatory Authority (FINRA) issued Regulatory Notice 21-29 (the “Notice”), a timely reminder that summarizes and reiterates firms’ supervisory obligations when outsourcing to third-party vendors. Recognizing that firms are increasingly outsourcing a variety of “core business and regulatory oversight functions” to vendors, the Notice is an important reminder to firms that outsourcing does not dispense with the firm’s compliance and supervision obligations. While the Notice does not announce new regulatory requirements or reinterpret any existing requirements, it serves to consolidate previously issued examination deficiencies in the areas of cybersecurity and technology governance, and books and records, as well as enforcement cases that resulted from failures to oversee vendors. As FINRA notes at the outset, firms have taken on additional risks in these areas as they continue to expand their use of technology and outside vendors to comply with regulatory obligations, particularly during the expanded work-from-home realities in response to the pandemic.

• FINRA’s History with Third-Party Vendor Compliance and Supervision

FINRA’s supervision of firms’ relationships with third-party vendors is nothing new. In a 2005 Notice to Members, FINRA identified common activities that firms were frequently outsourcing to vendors, including accounting and finance, legal and compliance, information technology, operations functions (e.g. statement production, disaster recovery services, etc.) and administrative functions. The evolution of technology and the market since 2005 has unsurprisingly led to firms leveraging vendors for an even broader set of functions, including risk management, sales supervision, trading activity, and customer communications.

Later, in 2011, FINRA proposed Rule 3190(a)(1), to “Clarify the Scope of a Firm’s Obligations and Supervisory Responsibilities for Functions or Activities Outsourced to a Third-Party Service Provider.” Although the Rule was never adopted, it paralleled FINRA’s published guidance (including the new Notice) in asserting that outsourcing to a third-party vendor does not relieve a firm of its compliance and supervisory obligations. The Rule would have specifically required firms to have supervisory procedures, including due diligence measures, to ensure third-party relationships were reasonably designed to achieve regulatory compliance. While the Rule was never formally adopted, FINRA’s enforcement actions (and the most recent Notice) have clearly asserted that firms are nonetheless obligated to ensure that activities outsourced to vendors meet regulatory compliance and supervisory obligations under current rules.

For example, FINRA has increasingly focused its enforcement efforts on the use of vendors in issuing consolidated financial account reports to customers. The inherent information management and communication challenges of issuing consolidated reports have led firms to rely on vendors to perform this function. In turn, compliance and supervision gaps have formed where firms are not adequately aware of their vendor’s processes for carrying out delegated functions, especially as relationships exist over long periods of time and processes change. FINRA has actively scrutinized these vendor relationship gaps and held firms responsible for the resulting failures in compliance and supervision.

• Notice 21-29

In the recently issued Notice, FINRA now offers an important reminder that activities outsourced to third-party vendors are nonetheless the firms’ regulatory obligation. FINRA breaks down the applicable regulatory obligations and organizes them into four topical categories: supervision, registration, cybersecurity, and business continuity planning.

The Notice also provides tangible examples of how a firm’s relationship with vendors creates enforcement exposure. FINRA detailed findings from recent exams that identified multiple compliance deficiencies arising from firms’ vendor relationships. Among other examples provided, FINRA noted that when outsourcing to vendors, firms failed to: implement cybersecurity testing procedures, supervise technology changes, detect malfunctions, ensure encryption of confidential information, confirm the maintenance of adequate books and records, and confirm proper retention of books and records.

Considering FINRA’s focus on vendor relationships, firms should think critically about how outsourcing to a vendor will both benefit the firm and alter the firm’s enforcement exposure. Conveniently, the Notice also details a list of in-depth questions that may help firms when deciding to outsource, conducting due diligence on vendors, onboarding vendors, and overseeing or supervising outsourced activities.

When it comes down to it, outsourcing activities to vendors does not dispense with a firm’s regulatory obligations; rather, it adds the vendor to a firm’s scope of compliance and supervision management. Said differently, when a firm decides to outsource to a vendor, that vendor, its processes, and the potential regulatory gaps the vendor creates, all become a part of the firm’s risk management calculation. The Notice thus serves as an important, and timely, reminder to firms of the need to take careful stock of their vendor relationships.