Outsourcing is no longer just about cost savings. Rather, it has become a business tool that allows firms to improve efficiency and streamline their compliance programs. Many firms have increased their use of technology and leveraged outsourced service providers to complement and enhance their compliance programs. As the trend continues, FINRA, in its recently published Regulatory Notice (“RN”) 21-29, reminds firms of their supervisory obligations related to outsourcing to third-party vendors.
In the broadest terms, any task, function, or service that is contracted to be performed by a third party is an extension of your firm. As such, firms need to ensure that any outsourced service is appropriately evaluated, overseen, and supervised.
Firms have an obligation to ensure that their compliance programs and procedures are reasonably designed to achieve compliance with applicable securities regulations based on the activities of their firm, including complying with supervisory, registration, cybersecurity, and business continuity obligations when leveraging a third party.
FINRA RN 21-29 highlights staff observations and exam findings and reiterates that outsourcing does not provide an exception from compliance. The RN does not introduce any new supervisory obligations; rather, it provides guidance and considerations to avoid potential operational, compliance, and regulatory pitfalls and suggests a risk-based, phased approach to outsourcing, which is summarized below.
The RN does not provide any hard-and-fast rules about what should or should not be outsourced, but reminds firms of their need to understand: 1) what is being outsourced; 2) what the benefits are; and 3) what the risks are.
If a decision is made to outsource, firms must identify prospective vendors and conduct due diligence. This assessment will vary based on several factors including: 1) the scope of the functions or tasks; 2) the type of information vendors will have access to; and 3) the regulatory landscape applicable to the function or task being outsourced. Vigilant due diligence is prudent to mitigate potential pitfalls and should be aligned with the level of regulatory, cyber, and reputational risk the outsourced function brings to the firm.
Once a vendor has been selected, contracts and agreements must clearly outline the relationship. It is critical to ensure that the vendor’s representations align with regulatory requirements. For example, does the vendor’s default retention period align with your regulatory time frames? What are the notification requirements for a cyber-related matter or system malfunction?
Outsourcing does not eliminate compliance and regulatory obligations; firms cannot outsource and then not supervise. It is imperative to establish reasonable supervision and vendor oversight. This exercise may include receiving periodic audit reports, exception reports, and conducting onsite visits.
Vendor due diligence is not a one-and-done exercise. Ongoing third-party oversight typically repeats some of the original elements of review, and it obligates firms to reassess the vendor relationship in light of any changes to the firm’s business or business needs, and to confirm that the vendor remains able to provide the contracted services.
Firms must adopt a supervisory framework within their written supervisory procedures and supervisory controls that is designed to mitigate the risks of outsourcing and achieve compliance with applicable regulatory requirements.
Outsourcing, if not appropriately vetted and supervised, can pose significant risk to your firm. This is evidenced by recent sanctions on several firms for failures in their cybersecurity policies and procedures that resulted in email account takeovers in which thousands of clients’ personal information was exposed. Keep in mind that tasks, functions, and services can be outsourced, but supervision and compliance obligations cannot.