A recent FINRA regulatory notice recasts existing obligations regarding outsourcing as a procedural roadmap for broker-dealers to “consider” when using third-party vendors.
The Financial Industry Regulatory Authority, Inc. (FINRA) published Regulatory Notice 21-29 (RN 21-29)[1] on August 13 to “remind” broker-dealers of the various obligations to which they are subject when outsourcing functions to third-party vendors. RN 21-29 comes one month after the federal banking agencies[2] published a request for comment on proposed risk management guidance for third-party relationships (the Banking Agency Proposal).[3] FINRA styles RN 21-29 as merely reiterating existing legal and regulatory requirements and interpretations of those requirements, but its principal prior guidance on the subject, 2005 Notice-to-Members 05-48 (NTM 05-48),[4] offered only limited, general guidance regarding firm responsibilities when outsourcing activities to third-party service providers. Similar to guidance now provided by other regulatory authorities, including in the United Kingdom and Singapore, RN 21-29 provides more detailed guidance on specific aspects of the outsourcing process, including a series of “questions” for member firms to consider when outsourcing functions to third-party vendors. These questions read as a roadmap for how FINRA expects firms to approach:
- the decision to outsource;
- due diligence on vendors;
- vendor onboarding; and
- supervision of outsourced functions.[5]
BACKGROUND
RN 21-29 references historical guidance regarding outsourcing as it builds toward the framework that FINRA appears to expect firms to consider when outsourcing functions to third-party vendors, including outsourcing of (i) accounting/finance (payroll, expense account reporting, etc.); (ii) legal and compliance; (iii) information technology; (iv) operations functions (e.g., statement production, disaster recovery services, etc.); and (v) administration functions (e.g., human resources, internal audits, etc.). As part of that background, FINRA provides a summary of regulatory obligations of which firms must be mindful when outsourcing functions, including:
- Supervision: FINRA reminds firms that pursuant to FINRA Rule 3110 (Supervision) firms must develop reasonably designed supervisory systems appropriate to their business model and scale of operations, including, if applicable, outsourcing.[6]
- Registration: FINRA reiterates that firms should be mindful of FINRA registration rules as some outsourced functions could require that the persons performing the functions be appropriately registered with the firm, even though performing the function outside the firm itself.[7]
- Cybersecurity: FINRA highlights Rule 30 of Regulation S-P (the Safeguards Rule) and its requirement that broker-dealers adopt written policies and procedures reasonably designed to safeguard customer records and information, including protecting their security and confidentiality, protecting against anticipated threats or hazards to their security or integrity, and protecting against unauthorized access to or use of them.
- Business Continuity Planning (BCP): FINRA also refers to Rule 4370 (Business Continuity Plans and Emergency Contact Information), which requires broker-dealers to create and maintain written BCPs with procedures that are reasonably designed to enable member firms to meet their existing obligations to customers, counterparties and other broker-dealers during an emergency or significant business disruption.
EXAM FINDINGS AND FINRA OBSERVATIONS
In a further lead-up to the procedural roadmap, FINRA summarizes a number of exam findings and observations to highlight some of the issues it has uncovered.[8] FINRA generally notes the following areas:
- Cybersecurity and Technology Governance: In particular, FINRA notes issues with respect to (1) vendor controls, in particular, the failure to consider cybersecurity controls and lifecycle management; (2) managing the types of access that vendors have to broker-dealer systems; (3) supervision and oversight of vendor technology changes; (4) testing of vendor systems for adequate functioning; and (5) inadequate vendor data loss prevention programs.
- Books and Records: FINRA notes general books and record concerns in connection with vendor undertakings and obligations under the recordkeeping rules. In addition, FINRA more specifically notes concerns over the use of consolidated account reports and how vendors account for mark-ups and mark-downs in fixed income transactions.
QUESTIONS FOR CONSIDERATION
As mentioned above, while FINRA stated that RN 21-29 does not impose new legal or regulatory obligations or interpretations, it does provide a procedural framework that FINRA suggests broker-dealers consider when assessing their outsourcing practices. In this respect, FINRA framed this procedural framework as consisting of four phases:
1. The decision to outsource an activity or function
2. Conducting due diligence on prospective vendors
3. Onboarding vendors
4. Overseeing or supervising outsourced activities or functions
Deciding to Outsource: With respect to outsourcing decisions, RN 21-29 reflects a view that firms should have a process for making an outsourcing determination. To this end, FINRA suggests that firms consider the following questions:
- Does your firm have a process for its decision-making on outsourcing, including the selection of vendors?
- Does your firm’s supervisory control system address your firm’s outsourcing practices, including your firm’s approach to vendor due diligence?
- Does your firm identify risks that may arise from outsourcing a particular activity or function and consider the impact of such outsourcing on its ability to comply with federal securities laws and regulations, and FINRA rules?
- Does your firm engage key internal stakeholders (e.g., Compliance, Legal, IT, or Risk Management) relevant to, and with the requisite experience to assess, the outsourcing decision?
Due Diligence: With respect to due diligence of a potential vendor, FINRA suggests that firms consider the following:
- Due Diligence Approach: FINRA recommends that firms consider assessing a vendor by considering such things as:
- financial condition, experience, and reputation;
- familiarity with regulatory requirements, fee structure and incentives;
- the background of a vendor’s principals, risk management programs, information security controls, and resilience;
- ability to comply with applicable regulatory requirements and undertakings (e.g., book and records rules);
- reviewing audit-type reports (e.g., SOC 2 Type II reports issued under SSAE 18);
- a risk-based approach to vendor due diligence (scaled to the risk the vendor presents);
- customer impacts in the event of a vendor’s failure;
- vendor BCPs;
- vendor registration requirements;
- a vendor’s subcontractor due diligence;
- the qualifications of persons conducting vendor due diligence; and
- documenting due diligence findings.
- Conflicts of Interests: FINRA recommends that firms have controls in place to mitigate potential conflicts of interest in the vendor selection process, such as disclosure requirements regarding personal relationships with vendors, and controls regarding gifts and entertainment.
- Cybersecurity: FINRA recommends that firms assess a vendor’s ability to protect sensitive firm and customer nonpublic information and data, such as through reviews of SOC 2 Type II (SSAE 18) reports, and by having qualified personnel involved in the due diligence.
Vendor Onboarding: After completing due diligence and selecting a vendor, FINRA recommends that firms consider putting in place a written contract with the vendor that outlines roles and responsibilities.
- Vendor Contracts: In addition to having contracts in place, FINRA recommends that those contracts document and/or address the following:
- Evidence regarding compliance with federal and state securities laws and regulations and FINRA rules
- Nondisclosure and confidentiality of information
- Protection of nonpublic, confidential, and sensitive firm and customer information
- Ownership and disposition of firm and customer data at the end of the vendor relationship
- Notification to the firm of cybersecurity events and the vendor’s efforts to remediate those events, as well as notification of data integrity and service failure issues
- Vendor BCP practices and participation in a broker-dealer’s BCP testing, including frequency and availability of test results
- Disclosure of relevant pending or ongoing litigation
- Relationships between vendors, subcontractors and other third parties
- Firm and regulator access to books and records
- Timely notification by a vendor to the broker-dealer of application or system changes that will materially affect your firm
- Features and Default Settings of Vendor Tools: FINRA also directs that the contracts with vendors address the roles, responsibilities, and performance expectations for the outsourced function, and specifically recommends that firms review, and adjust as appropriate, vendor tool default features and settings (for example, whether communications are recorded for supervisory review) to ensure that these meet a firm’s business needs and applicable regulatory obligations rather than relying on the vendor’s defaults.
Supervision: Once a vendor is onboarded, FINRA recommends steps that firms can take to supervise the vendor’s performance, including:
- Obtaining representations from vendors in a contract that they are conducting self-assessments and undertaking the specific responsibilities identified
- Requiring vendors to provide attestations or certifications that they have fulfilled certain reviews or obligations
- Going onsite at a regular interval to conduct testing or observation of the vendor, depending on the firm’s familiarity with the vendor or other risk-based factors
- Monitoring and assessing the accuracy and quality of the vendor’s work product
- Remaining aware of news of vendor deficiencies and investigating whether they are indicative of a problem with an activity or function the vendor is performing for the firm
- Investigating customer complaints that may be indicative of issues with a vendor and exploring whether there are further-reaching impacts
- Training staff to address and escalate red flags at the firm that a vendor may not be performing an activity or function adequately, such as not receiving confirmation that a vendor task was completed
Further to this, FINRA recommends that firms consider the following specific aspects of their supervisory systems:
- Supervisory Control System: Updating written supervisory procedures (WSPs) to monitor vendors and document results, with allocation of these responsibilities to specific personnel and updating of WSPs as appropriate.
- Business Continuity Planning: Having BCPs include vendor testing, contingency plans in the event of interruptions with vendors, and assessing vendor staffing in the event of a disaster.
- Cybersecurity and Technology Change Controls: These include (i) assessing vendor experience in addressing cybersecurity events and data breaches, (ii) assessing vendor access to confidential information and customer data, (iii) use of multifactor authentication for vendor access to firm systems, and (iv) testing and evaluating changes that vendors make to the systems they use.
OBSERVATIONS
Process and Documentation: Although FINRA states that RN 21-29 does not impose new regulatory, legal, or interpretive requirements, it provides a roadmap on how firms should consider the decision to outsource certain functions and evaluate potential vendors. In this respect, FINRA may expect that firms document an outsourcing framework consistent with that outlined in RN 21-29 in order for firms to evidence that they have complied with various obligations outlined in NTM 05-48 and related guidance. While many firms currently have a process in place, it also may be beneficial for firms to review their standard vendor due diligence and onboarding procedures and related documentation in light of RN 21-29, which can also serve as a record of compliance for regulatory purposes.
Existing Arrangements: To the extent firms have not done so already, they should consider evaluating their vendor arrangements and surrounding documentation to determine whether those existing relationships are consistent with the approach outlined in RN 21-29. As existing vendor contracts near the end of their terms, firms may want to consider documenting due diligence and supervisory procedure as part of any renewals or new relationships. Although FINRA did not distinguish affiliated and nonaffiliated vendors, it may be prudent for firms to apply this new procedural framework to all vendor relationships.
Supervisory Procedures: In addition, it may be prudent for firms to consider revising their WSPs to include controls around the vendor onboarding process consistent with RN 21-29. FINRA will expect firms to create a supervisory program to oversee, supervise, and monitor a vendor’s performance of the outsourced function during the life of the agreement.
Interplay with Banking Agency Proposal: In many ways, the Banking Agency Proposal covers the same ground as RN 21-29 as both:
- stress that the use of a third party does not diminish a firm’s responsibility to perform an activity in a safe and sound manner;
- note the importance of having a risk management process; and
- contain guidance for managing each stage of the life cycle of the vendor relationship.
Some variations in subject matter discussion may relate to the particular priorities of the regulators, for example, FINRA’s heightened scrutiny of cybersecurity risks. Other distinctions may be the result of market behavior, for example the sharing of data by banking organizations with vendors, leading the Banking Agency Proposal to focus on such concerns. In addition, while RN 21-29 does not specifically call out the fintech industry as the Banking Agency Proposal does, firms may consider reviewing that proposal to supplement any efforts undertaken to develop a due diligence, onboarding, and supervision framework.
Contacts
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Washington DC
Amy Natterson Kroll
Ivan P. Harris
Steve W. Stone
Kyle D. Whitehead
London
Mike Pierides
New York
Martin Hirschprung
Philadelphia
Barbara M. Melby
Pittsburgh
Peter M. Watt-Morse
[2] That is the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency.
[5] Of note, RN 21-29 does not distinguish between vendors that are affiliates and those which are not.
[6] Among other things, FINRA noted (i) Rule 4370 (Business Continuity Plans and Emergency Contact Information); (ii) Rule 3110 (Supervision); and (iii) books and records requirements under Rule 4511 (General Requirements), as well as Securities Exchange Act of 1934 (Exchange Act) Rules 17a-3 and 17a-4.
[7] While FINRA reiterated its stance regarding registration of individuals for certain covered functions, it did not provide any guidance on who would be deemed an “associated person” in circumstances where registration is not required to perform a particular function.
[8] FINRA specifically noted its exam and risk monitoring program reports from 2017, 2018, 2019 and 2021.