New FINRA Guidance Suggests Increased Scrutiny of Member Firms’ Relationships with Third-Party Vendors

Troutman Pepper

Who Needs to Know
FINRA member firms.

Why It Matters
On August 13, the Financial Industry Regulatory Authority released a regulatory notice to member firms, clarifying their existing obligations on the supervision of third-party vendors. The Notice details four categories of regulatory obligations associated with third-party vendor relationships: (1) supervision, (2) registration, (3) cybersecurity, and (4) business continuity planning (BCP). The Notice should serve as a reminder to FINRA member firms that a decision to outsource carries regulatory implications not present in other industries. By focusing on the deliberative process rather than substantive outcomes, FINRA is sending a message that member firms should exercise increased diligence.

On August 13, the Financial Industry Regulatory Authority (FINRA) released a regulatory notice (Notice) to member firms, clarifying their existing obligations on the supervision of third-party vendors. [1] The Notice "does not create new legal or regulatory requirements or new interpretations of existing requirements," but instead "reiterates applicable regulatory obligations" and provides member firms with guidance on key factors to consider when evaluating a third-party vendor. [2]

The Notice details four categories of regulatory obligations associated with third-party vendor relationships: (1) supervision, (2) registration, (3) cybersecurity, and (4) business continuity planning (BCP). The Notice provides a corresponding summary of regulatory obligations applicable to FINRA member firms as to each category. In the supervision category, the Notice reminds firms about their obligation to supervise the activities of third-party vendors and that outsourcing tasks to those vendors "does not relieve members of their ultimate responsibility for compliance." [3] Regarding registration, the Notice reiterates that third-party vendors conducting activities that require FINRA registration will be "considered associated persons of the member and be required to have all necessary registrations and qualifications." [4] In both the cybersecurity and the BCP categories, the Notice reminds member firms that their affirmative obligations to protect client data and maintain a continuity plan extend to third-party vendors engaged by member firms.

In outlining these regulatory categories, the Notice also highlights several areas of deficiency arising from member firms' relationships with third-party vendors. These deficiencies were found in recent examinations and identified in the 2021 Report on FINRA's Exam and Risk Monitoring Program, which you can learn more about in our previous client alert. The Notice highlights cybersecurity as well as books and records compliance issues, all stemming from member firms' failures to monitor and supervise the practices of third-party vendors.

The Notice outlines four outsourcing stages and their regulatory obligations of which member firms should be mindful: (1) deciding to outsource a function; (2) conducting due diligence on third-party vendors; (3) onboarding third-party vendors; and (4) continuing supervision of third-party vendors. In each case, the suggested questions provided in the Notice seek to establish whether a given third-party vendor relationship will negatively impact the member firm's ability to uphold its regulatory obligations. Being predominantly process-focused, these questions advise member firms to critically evaluate their practices and the practices of outside vendors. As stated in the Notice, "there is no one-size-fits-all approach to Vendor management and related compliance obligation." [5] The suggested questions are not designed to identify specific conduct that is preclusive to a particular third-party vendor relationship. Instead, the questions prompt member firms to think carefully about their supervisory processes before outsourcing functions.

The Notice ties FINRA's increased focus on third-party vendor relationships to the COVID-19 pandemic and the resulting changes to traditional workflows, as "member firms have continued to expand the scope and depth of their use of technology and have increasingly leveraged Vendors to perform risk management functions and to assist in supervising sales and trading activity and customer communications." [6] The Notice is not FINRA's first statement about the pandemic's impact on its regulatory landscape. In December 2020, FINRA sought public comments concerning the impact of the pandemic, including whether FINRA "should consider changes to its rules, operations or administrative processes" to address short- and long-term impacts of the pandemic. [7]

The reasoning set forth by FINRA in the Notice and other regulatory materials suggests that FINRA is concerned about the rapid changes to traditional workplace functions caused by the pandemic. As employees transitioned to remote work, companies increasingly looked to third-party vendors to fill roles previously occurring in the office. The Notice should serve as a reminder to FINRA member firms that a decision to outsource carries regulatory implications not present in other industries. By focusing on the deliberative process rather than substantive outcomes, FINRA is sending a message that member firms should exercise increased diligence. Firms facing potential discipline on outsourcing arrangements should likewise seek to demonstrate a careful deliberative process as outlined in the Notice. Please do not hesitate to contact Troutman Pepper's Securities Investigations and Enforcement team with any questions regarding supervision of third-party vendors or other related issues.

[1] Regulatory Notice 21-29 (FINRA Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors).

[2] Id. at 1.

[3] Id. at 3.

[4] Id. at 4.

[5] Id. at 1.

[6] Id. at 2.

[7] Regulatory Notice 20-42 (FINRA Seeks Comment on Lessons From the COVID-19 Pandemic).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising
