FINRA Vendor-Management Guidance: You Can’t Outsource Responsibility

Burr & Forman
On August 13, 2021, the Financial Industry Regulatory Authority (“FINRA”) issued Regulatory Notice 21-29, collecting its guidance on outsourcing and vendor management. The Notice was prompted by increased reliance on outsourcing (especially during COVID), several enforcement actions involving vendor-management failures, and similar proposed inter-agency guidance from the banking regulators.

The Notice reminds firms that while they can outsource tasks or functions, they cannot outsource away their regulatory compliance obligations. In turn, that means the outsourcing process itself must comply with those regulatory obligations. It also means that firms cannot “set it and forget it.” Broadly, the obligations that remain with the firm are:

Supervision – Firms must supervise, and have the ability to use supervisory controls over, the outsourced functions, and must memorialize that in their written supervisory procedures and in vendor contracts.

Business Continuity Plans – Vendors (and the functions they perform) must be addressed in firms’ business continuity plans.

Books and Records – The records maintained by vendors in connection with their work for member firms must be kept as prescribed by rule, subject to inspection by the firm (and regulators), and retained as required, with accompanying attestations.

Registration – Depending on the functions outsourced, vendors and/or their personnel may require FINRA registration.

Cybersecurity – Controls, access management, change management, testing and data loss prevention must comply with SEC Regulation S-P.

Drawing on examination findings and some previous enforcement actions, the Notice provides best practices in the form of questions to ask in each phase of outsourcing and vendor management. Summarized, they are:

Outsourcing Decisions:

  • Develop a robust and formal process;
  • Address it in the firm’s Written Supervisory Procedures;
  • Include a formal risk assessment;
  • Involve all appropriate internal stakeholders in each decision.

Due Diligence:

  • Conduct systematic and substantive due diligence;
  • Make it risk-based;
  • Investigate vendor systems;
  • Make sure your due-diligence investigators are qualified in the subject investigated;
  • Be alert to, and manage to overcome, conflicts.

Onboarding:

  • Ensure contracts address, and enable compliance with, all regulatory requirements;
  • Double-check and adjust features and default settings as necessary;
  • Have off-boarding processes in place to avoid regulatory non-compliance.

Supervising:

  • Contracts must address and permit;
  • Require attestations;
  • Require monitoring, including access and procedures;
  • Allow investigation and follow up to any red flags;
  • Have supervisory testing and controls in place.

The Notice expressly mentions the similar Proposed Guidance and request for comment issued July 13, 2021 by the Federal Reserve Board of Governors, the FDIC and the OCC, available here:

https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20210713a1.pdf

FINRA says it will monitor that Proposal and will harmonize its Rules as appropriate.

FINRA Regulatory Notice 21-29 is here: https://www.finra.org/sites/default/files/2021-08/Regulatory-Notice-21-29.pdf

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Burr & Forman | Attorney Advertising