Broker-dealers must comply with strict standards when servicing their clients, according to agencies like the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA). These standards cover key areas, such as recommending securities transactions or investment strategies, safeguarding client information, and preventing disruptions to critical operations.
Third-party risk management (TPRM) is another important standard for broker-dealers in recent years. Regulations on data breach notifications, cybersecurity, and business continuity planning have all addressed the need for broker-dealers to implement TPRM practices within their operations.
As broker-dealers continue to rely on third-party vendors to support business activities, it’s essential to understand the regulatory expectations on TPRM. Here’s an overview of key TPRM regulatory requirements and best practices so your brokerage firm remains compliant.
Third-Party Risk Management Regulatory Requirements for Broker-Dealers
Many TPRM regulations share a common theme — the importance of proper third-party oversight. Regulators expect broker-dealers to supervise third parties to ensure outsourced activities are performed safely.
Noncompliance can lead to negative consequences, such as reputational damage, legal fees, or regulatory fines. It’s essential for broker-dealers to carefully read and understand their regulatory obligations and work to comply.
Here are 4 TPRM regulations and standards relevant for broker-dealers:
- Financial Industry Regulatory Authority (FINRA) – Regulatory Notice 21-29 was released in 2021 as a reminder for broker-dealers of their obligations related to outsourcing. The notice outlines four categories of obligations — supervision, registration, cybersecurity, and business continuity planning.
- Supervision refers to establishing and maintaining a system and written procedures to oversee third-party activities and ensure compliance.
- Registration obligates broker-dealers to determine whether their third parties fall under the requirements of Rule 1220, which outlines registration categories for individuals associated with brokerage firms.
- Cybersecurity refers to establishing written policies and procedures that safeguard client records, which should include vendor management.
- Business continuity planning (BCP) is the requirement for broker-dealers to create BCPs that account for their use of third parties.
- Securities and Exchange Commission (SEC) – The SEC regularly includes TPRM in its annual Examination Priorities — the 2024 report focused on critical third parties and concentration risk. The SEC also has the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule.
The rule provides guidance on how broker-dealers and other covered entities should investigate and disclose cybersecurity incidents — including third-party incidents. The rule also requires covered entities to describe any processes in place for overseeing, identifying, and mitigating third-party cybersecurity risks.
- Digital Operational Resilience Act (DORA) – All financial institutions in the EU or doing business in the EU must comply with DORA. A key objective is to manage third-party information and communication technology (ICT) risk within the financial industry.
Broker-dealers must follow TPRM principles like completing pre-contract risk assessments and due diligence, establishing certain contract provisions and exit plans, and creating an oversight framework. DORA also describes criteria for required contract termination and considerations for criticality classification.
- Investment Industry Regulatory Organization of Canada (IIROC) – Broker-dealers can learn how to build operational resilience from the IIROC guide Fundamentals of Technology Risk Management.
Section 6.6 of the guide covers due diligence, onboarding, and monitoring vendor risk and performance. The guide highlights the importance of including vendors in business continuity planning and how to safely terminate vendor relationships.
Broker-dealers can see a list of baseline controls to implement for each TPRM concept, such as obtaining a contract that describes ownership of information and technology and reviewing performance compared to established metrics.

Best Practices for Third-Party Risk Management Broker-Dealer Compliance
Although the regulatory environment for broker-dealers can often fluctuate, it's still wise to understand the requirements and seek to follow them. TPRM is ultimately a good business practice that protects broker-dealers and their clients.
Broker-dealers can establish and maintain compliance by following these TPRM best practices:
- Establish TPRM governance documents – Most regulators expect documentation related to TPRM processes and procedures. Developing and maintaining governance documents like a policy, program, and procedures sets clear and consistent standards for your TPRM practices.
- A policy is high level and describes the scope, roles and responsibilities, and minimum requirements of your TPRM program.
- A program document should be instructive to senior management and other stakeholders, telling them how to meet the policy requirements.
- Procedures are the step-by-step guides for executing a process, such as completing a risk assessment or negotiating and approving a vendor contract.
- Determine criticality – Maintaining operational resilience is a common theme in TPRM regulations, and vendor criticality plays an important role. Create a standard that can be applied consistently across your third-party inventory. The recommended criteria may vary depending on the regulation, but critical third parties generally share these characteristics:
- Would cause the broker-dealer to face significant risk if the vendor failed to meet expectations
- Would have a significant impact on customers
- Would have a significant impact on the broker-dealer's financial condition or operations
- Perform risk-based due diligence – Regulators set guidelines on third-party relationships but recognize that not every third party requires the same level of oversight. Under risk-based due diligence, the amount and types of inherent risk in a vendor engagement determine the scope and frequency of due diligence. Vendors with high levels of risk, such as compliance, cybersecurity, and business continuity risk, are evaluated and monitored with more scrutiny.
- Include relevant contract provisions – A third-party contract is one of the most effective risk management tools because it sets the standards for the relationship. Consult with your legal team to determine which provisions need to be included to ensure TPRM compliance. Depending on the third-party relationship, include provisions on data breach notifications, a right to audit, required security controls, and minimum performance standards.
Staying on top of TPRM regulations and following these best practices takes some effort, but broker-dealers have a lot to gain by implementing a compliant program. Aside from meeting regulatory requirements, broker-dealers will have an effective strategy for keeping their firms and clients protected against third-party risks and minimizing operational disruptions.