Increasingly, organizations are using third parties to perform core business functions, and regulators are taking notice. The Financial Industry Regulatory Authority (FINRA) recently released Notice 21-29 to member organizations, reinforcing the need to closely supervise third-party vendors and sub-vendors. Outsourcing within the financial industry requires increased diligence and carries regulatory implications that differ from other industries. This blog provides a high-level overview of the notice, looks at the four categories of specific regulatory obligations and gives examples of recent violations that have resulted in disciplinary action.
Four Mandatory Categories to Assess
FINRA's notice outlines these four categories to review within third-party relationships:
- Supervision: This category refers to FINRA Rule 3110, which states that organizations need to establish and maintain a system to supervise their third parties' activities to ensure they comply with federal laws and regulations. Member organizations must develop supervisory systems that are appropriate to their business model and size of operations, with specific attention to risks related to technology governance.
- Registration: Organizations are required to determine if their third-party vendors meet registration requirements under Rule 1220. This category also details the need to consider whether the organization's employees are "Covered Persons" under the Operations Professional category because they supervise "Covered Functions."
- Cybersecurity: Guidelines for cybersecurity policies and procedures are outlined in SEC Regulation S-P Rule 30 and require organizations to develop a program and set of appropriate controls for their risk profile, business model and extent of operations.
- Business continuity planning (BCP): This final category refers to FINRA Rule 4370 and requires that organizations create and maintain a written business continuity plan with emergency contact information, enabling them to meet obligations to various parties, including their customers, counterparties and other broker-dealers. The plans may be flexible to the organization's size and needs, but must be reviewed and updated when necessary.
Deficiencies Found During Exams
The notice also calls out several deficient areas regarding third parties found in recent examinations, identified in the 2021 Report on FINRA's Exam and Risk Monitoring Program. The violations fall into three main categories:
- Technical Controls: Organizations were disciplined when their third-party vendors failed to implement specific controls that were needed to protect customers' nonpublic personal information. One example involved the public exposure of an organization's purchase and sales blotters; another resulted from a cloud-based server misconfiguration.
- Books and Records: FINRA also took disciplinary action for Books and Records violations. These included cases where an organization's third parties failed to preserve and produce electronic communications such as emails, social media and instant messages. The failures resulted from system malfunctions, data purges after contract termination and a system misconfiguration that did not allow the recovery of deleted emails after 30 days.
- Vendor Supervision: Disciplined organizations failed to properly supervise their vendors' expense ratios and historical performance, or any changes and upgrades to automated rebalancing and fee allocation functions. There were also disciplinary actions against organizations that did not test or verify the accuracy and completeness of vendor data feeds.
Outsourcing Details to Consider
Many organizations will likely find this last section helpful, as it provides specific questions to consider during each stage of the outsourcing process. These are divided into four stages:
- Deciding to outsource: Before any other activity can begin, the organization must establish a process for determining if proper supervision of the activity will be available. The organization should also answer questions regarding its practice of identifying the risks associated with the outsourced activity and engaging with internal stakeholders who can assess the decision.
- Performing due diligence: After deciding to outsource, the organization should review its process for evaluating and selecting a third party, for example, noting whether it takes a risk-based approach to due diligence and whether the outsourced function is subject to regulatory requirements. The organization should also review conflicts of interest and cybersecurity.
- Onboarding the vendor: The notice details several areas to consider within the vendor contract, such as non-disclosure terms, notification of cybersecurity incidents, and business continuity planning practices and testing. Default settings of vendor tools are also an area of focus.
- Supervising the vendor: A critical, but often overlooked, step in the vendor relationship is ongoing performance monitoring. Monitoring might include activities such as onsite testing or observation and investigating any customer complaints that show issues with the vendor. The organization should also review how it monitors its third party's supervisory control system, business continuity planning and cybersecurity controls.
While this notice doesn't introduce any new requirements, it's an important reminder for organizations to maintain adequate supervision practices around their third-party vendors. Failure to implement a consistent and effective supervisory process can not only put your organization at greater risk for cybersecurity incidents, but also create operational delays and potentially severe disciplinary actions.