FINRA Reminds Firms of Supervisory Obligations Related to Outsourcing to Third-Party Vendors

The Financial Industry Regulatory Authority (FINRA) recently issued Regulatory Notice 21-29 ("Notice”). The Notice reiterates applicable regulatory obligations; summarizes recent trends in examination findings, observations, and disciplinary actions; and provides questions member firms may consider when evaluating their systems, procedures, and controls relating to vendor management. Prompted by the securities industry’s growing use of third-party vendors and outsourced arrangements, FINRA intended to expand on Notice to Members 05-48. The Notice also provides guidance regarding conducting diligence, onboarding the vendor, and supervision of the vendor's activities.

FINRA highlighted four categories of regulatory obligations in the Notice that member firms face when assessing their supervisory procedures of vendor management: Supervision, Registration, Cybersecurity, and Business Continuity Planning (“BCP”). FINRA Rule 3110 requires member firms to establish a supervisory system and supervisory procedures that address the firms’ activities. The supervisory obligation in FINRA Rule 3110 extends to the outsourcing of certain “covered activities,” that is, actions or functions that, if performed directly by a member firm, would be monitored by the firms’ supervisory systems and addressed in their written supervisory procedures (“WSPs”). For vendors or outsourced personnel who conduct any of the “covered activities,” members must assess whether the vendors or personnel should be registered under FINRA Rule 1220. For example, an outsourced chief compliance officer or financial and operations principal might need to be registered, as might third-party vendors or affiliates that provide back office, financial, or anti-money laundering assistance. FINRA also expects member firms to develop reasonably designed cybersecurity programs and controls consistent with their risk profiles, business models, and scale of operations. In addition, FINRA reminds member firms to update their BCP as required by FINRA Rule 4370 when changes occur in their operations, structures, businesses, or locations that the vendor may impact.

Also in the Notice, FINRA recapped some of the examination findings and observations published in the 2021 Report on FINRA’s Examination and Risk Monitoring Program. In particular, it highlighted cybersecurity and technology governance and books and records disciplinary actions. FINRA disciplined member firms, for instance, for alleged deficiencies in cases where vendors allegedly exposed customers’ nonpublic personal information to the internet and where foreign hackers gained access to a vendor’s account applications due to lack of encryption on cloud-based servers. FINRA also noted that vendors that store books and records in electronic format should be reviewed to ensure their systems preserve such books and records for the required timeframe under Securities Exchange Act of 1934 Rules 17a-3 and 17a-4. FINRA cited several member firms for alleged violations of these rules.

The Notice’s final section lays out questions for member firms to consider in evaluating whether their supervisory control systems and procedures adequately address issues and risks relating to vendor management. This is followed by guidance on how to approach due diligence for new vendors and effective ways to onboard such vendors. In addition, member firms have a continuing responsibility to oversee, supervise, and monitor their vendors’ performance of outsourced activities or functions. The firms’ WSPs should address the frequency of these supervisory activities and documentation of reviews. At minimum, they should address the initial due diligence of a vendor and periodic reviews, as well as designate a registered principal to be responsible for overseeing vendor performance.

ACA guidance

Firms should review their management of third-party vendors to ensure they meet the obligations mentioned in this notice.

• Review WSPs of third-party vendors and to confirm they meet the requirements of FINRA Rule 3110.
• Confirm that any vendors who conduct "covered activities" are registered.
• Review contracts with third-party vendors to make sure they include appropriate cybersecurity provisions for protecting customer information. Firms should also review their own compliance programs to confirm appropriate checks are being done on the vendor's cybersecurity protections.
• Revisit the firm's BCP and confirm it is consistent with the firm's size, complexity, and business activities. Consider the scenarios outlined in the plan and confirm they cover all foreseeable instances that could disrupt daily operations.

How we help

ACA is prepared to support our clients in answering any questions they have pertaining to this notice and in updating their relevant policies and procedures. We have a number of resources to help your firm meet the obligations listed in the Notice:

• GRC Solutions for Broker-Dealers
• Vendor Due Diligence and Management Services
• Operational Resilience Services
• Download our Business Continuity Activation Checklist

Please reach out to your ACA consultant or contact us if your firm has any questions or needs support.