FINRA Regulatory Notice 21-29: What Vendor Risk Managers Need to Know

Increasingly, organizations are using third parties to perform core business functions, and regulators are taking notice. The Financial Industry Regulatory Authority (FINRA) recently released Notice 21-29 to member organizations, reinforcing the need to closely supervise third-party vendors and sub-vendors. Outsourcing within the financial industry requires increased diligence and carries regulatory implications that differ from other industries. This blog gives a high-level overview of the notice, looks at the four categories of specific regulatory obligations and provides examples of recent violations that have resulted in disciplinary action.

Four Mandatory Categories to Assess

FINRA's notice outlines these four categories to review within third-party relationships:

  1. Supervision: This category refers to FINRA Rule 3110, which states that organizations need to establish and maintain a system to supervise their third parties' activities to ensure they comply with federal laws and regulations. Member organizations must develop supervisory systems that are appropriate to their business model and size of operations, with specific attention to risks related to technology governance.
  2. Registration: Organizations are required to determine if their third-party vendors meet registration requirements under Rule 1220. This category also details the need to consider if the organization's employees are "Covered Persons" under the Operations Professional category due to "Covered Functions" supervision.
  3. Cybersecurity: Guidelines for cybersecurity policies and procedures are outlined in SEC Regulation S-P Rule 30 and require organizations to develop a program and set of appropriate controls for their risk profile, business model and extent of operations.
  4. Business continuity planning (BCP): This final category refers to FINRA Rule 4370 and requires that organizations create and maintain a written business continuity plan with emergency contact information, enabling them to meet obligations to various parties, including their customers, counterparties and other broker-dealers. The plans may be flexible to the organization's size and needs, but must be reviewed and updated when necessary.

Deficiencies Found During Exams

The notice also calls out several deficient areas regarding third parties found in recent examinations, identified in the 2021 Report on FINRA's Exam and Risk Monitoring Program. There are violations in three main categories:

  • Technical Controls: Organizations were disciplined when their third-party vendors failed to implement specific controls that were needed to protect customers' nonpublic personal information. One example related to the public exposure of an organization's purchase and sales blotters, and another resulted from a cloud-based server misconfiguration.
  • Books and Records: FINRA also took disciplinary action for Books and Records violations. Instances included cases where an organization's third parties failed to preserve and produce electronic communications such as emails, social media and instant messages. These failures resulted from system malfunctions, data purges after contract termination and system misconfiguration that didn't allow the recovery of deleted emails after 30 days.
  • Vendor Supervision: Disciplined organizations failed to properly supervise their vendor's expense ratios and historical performance or any changes and upgrades to the functions of automated rebalancing and fee allocation. There were also disciplinary actions for organizations that didn't test or verify the accuracy and completeness of vendor data feeds.

Outsourcing Details to Consider

Many organizations will likely find this last section helpful, as it provides specific questions to consider during each stage of the outsourcing process. These are divided into four stages:

  1. Deciding to outsource: Before any other activity can begin, the organization must establish a process for determining if proper supervision of the activity will be available. The organization should also answer questions regarding its practice of identifying the risks associated with the outsourced activity and engaging with internal stakeholders who can assess the decision.
  2. Performing due diligence: After deciding to outsource, the organization should review its process of evaluating and selecting a third party, for example, noting whether the organization takes a risk-based approach to due diligence and if the outsourced function is subject to regulatory requirements. The organization should also review conflicts of interest and cybersecurity.
  3. Onboarding the vendor: The notice details several areas to consider within the vendor contract, such as non-disclosure information, notification about cybersecurity incidents and business continuity planning practices and testing. Default settings of vendor tools are also an area of focus.
  4. Supervising the vendor: A critical, but often overlooked, step in the vendor relationship is ongoing performance monitoring. Monitoring might include activities such as onsite testing or observation and investigating any customer complaints that show issues with the vendor. The organization should also review how it monitors its third party's supervisory control system, business continuity planning and cybersecurity controls.

While this notice doesn't introduce any new requirements, it's an important reminder for organizations to maintain adequate supervision practices around their third-party vendors. Failure to implement a consistent and effective supervisory process can not only put your organization at greater risk for cybersecurity incidents, but also create operational delays and potentially severe disciplinary actions.
