Broker-dealers, like most companies, rely on third-party vendors for a wide variety of functions. This common practice of outsourcing does not relieve a broker-dealer of its regulatory compliance and supervision obligations over the outsourced functions. Accordingly, management and supervision of third-party vendors present important issues that merit careful attention from regulatory, compliance, and legal departments within a broker-dealer.
On Friday, August 13, the Financial Industry Regulatory Authority issued Regulatory Notice 21-29 (the “Notice”), a timely reminder that summarizes and reiterates firms’ supervisory obligations when outsourcing to third-party vendors. Recognizing that firms are increasingly outsourcing a variety of “core business and regulatory oversight functions” to vendors, the Notice is an important reminder to firms that outsourcing does not dispense with the firm’s compliance and supervision obligations. While the Notice does not announce new regulatory requirements or reinterpret any existing requirements, it consolidates previously issued examination deficiencies in the areas of cybersecurity, technology governance, and books and records, as well as enforcement cases that resulted from failures to oversee vendors. As FINRA notes at the outset, firms have taken on additional risks in these areas as they continue to expand their use of technology and outside vendors to comply with regulatory obligations, particularly during the expanded work-from-home realities in response to the pandemic.
- FINRA’s History with Third-Party Vendor Compliance and Supervision
FINRA’s supervision of firms’ relationships with third-party vendors is nothing new. In a 2005 Notice to Members, FINRA identified common activities that firms were frequently outsourcing to vendors, including accounting and finance, legal and compliance, information technology, operations functions (e.g. statement production, disaster recovery services, etc.) and administrative functions. The evolution of technology and the market since 2005 has unsurprisingly led to firms leveraging vendors for an even broader set of functions, including risk management, sales supervision, trading activity, and customer communications.
Later, in 2011, FINRA proposed Rule 3190(a)(1), to “Clarify the Scope of a Firm’s Obligations and Supervisory Responsibilities for Functions or Activities Outsourced to a Third-Party Service Provider.” Although the Rule was never adopted, it paralleled FINRA’s published guidance (including the new Notice) in asserting that outsourcing to a third-party vendor does not relieve a firm of its compliance and supervisory obligations. The Rule would have specifically required firms to have supervisory procedures, including due diligence measures, to ensure third-party relationships were reasonably designed to achieve regulatory compliance. While the Rule was never formally adopted, FINRA’s enforcement actions (and the most recent Notice) have clearly asserted that firms are nonetheless obligated to ensure that activities outsourced to vendors meet regulatory compliance and supervisory obligations under current rules.
For example, FINRA has increasingly focused its enforcement efforts on the use of vendors in issuing consolidated financial account reports to customers. The inherent information management and communication challenges of issuing consolidated reports have led firms to rely on vendors to perform this function. In turn, compliance and supervision gaps have formed where firms are not adequately aware of their vendor’s processes for carrying out delegated functions, especially as relationships persist over long periods of time and processes change. FINRA has actively scrutinized these vendor relationship gaps and held firms responsible for the resulting failures in compliance and supervision.
- Notice 21-29
In the recently issued Notice, FINRA now offers an important reminder that activities outsourced to third-party vendors are nonetheless the firms’ regulatory obligation. FINRA breaks down the applicable regulatory obligations and organizes them into four topical categories: supervision, registration, cybersecurity, and business continuity planning.
The Notice also provides tangible examples of how a firm’s relationship with vendors creates enforcement exposure. FINRA detailed findings from recent exams that identified multiple compliance deficiencies arising from firms’ vendor relationships. Among other examples provided, FINRA noted that when outsourcing to vendors, firms failed to: implement cybersecurity testing procedures, supervise technology changes, detect malfunctions, ensure encryption of confidential information, confirm the maintenance of adequate books and records, and confirm proper retention of books and records.
Considering FINRA’s focus on vendor relationships, firms should think critically about how outsourcing to a vendor will both benefit the firm and alter the firm’s enforcement exposure. Conveniently, the Notice also details a list of in-depth questions that may help firms when deciding to outsource, conducting due diligence on vendors, onboarding vendors, and overseeing or supervising outsourced activities.
When it comes down to it, outsourcing activities to vendors does not dispense with a firm’s regulatory obligations; rather, it adds the vendor to a firm’s scope of compliance and supervision management. Said differently, when a firm decides to outsource to a vendor, that vendor, its processes, and the potential regulatory gaps the vendor creates, all become a part of the firm’s risk management calculation. The Notice thus serves as an important, and timely, reminder to firms of the need to take careful stock of their vendor relationships.
About McGuireWoods’ Securities Enforcement and Litigation Team
Our Securities Enforcement and Litigation Team is part of our elite Government Investigations and White Collar Litigation Department and includes members of our nationally recognized Financial Services Litigation Department and former senior SEC and FINRA enforcement attorneys and litigators, as well as high-level federal prosecutors. Our Team also leverages the deep experience of the Firm’s Securities and Capital Markets and Public Finance Departments to counsel clients on the full spectrum of regulatory, compliance, and business issues arising from a government examination, investigation, or litigation. Together, we routinely conduct internal investigations and audits, and advise clients on strengthening corporate compliance and supervisory programs to stay current with regulators’ examination and enforcement priorities and to prevent recurrence of potential securities law violations. By working collaboratively, we ensure our clients receive well-tailored advice and a comprehensive defense team to handle the many complex issues presented in government inquiries.
Securities & Compliance
McGuireWoods’ securities and compliance team assists private and public companies in capital-raising efforts through private and public offerings, and assists public companies with their reporting obligations under the Securities Exchange Act of 1934, including forms 10-K, 10-Q and 8-K, Section 16 reports and DEF 14A (proxy statements), as well as with Regulation FD and Regulation G compliance. We prepare insider-trading policies, develop training programs and assist with other aspects of securities transactions engaged in by company officers, directors and significant security holders, including 10b5-1 plans and Rule 144 compliance.