The Financial Industry Regulatory Authority (FINRA) published in January a 16-page list of regulatory and examination priorities for 2012.

For FINRA member firms engaged in outsourcing, offshoring or other third-party relationships, three of those priorities stand out:
- Integrity of Supervision and Internal Controls;
- Information Technology and Cybersecurity; and
- Outsourcing.

Integrity of Supervision and Internal Controls is the foundation for any compliance program. Effective internal controls are the result of a broker-dealer's reflective analysis of its business, operations and technology, and of the risks associated with opening the doors every day.

The Cybersecurity priority, taken together with the Outsourcing priority, introduces a new slant on how a company should prepare for this year's annual FINRA exam. A company's cybersecurity risk assessment must take into account both its own internal cybersecurity risks and the cybersecurity risks that may derive from any third-party contracts (outsourcing and offshoring). Any consideration of third-party cybersecurity risk must explicitly address the third party's ability to fulfill its contractual obligations, and must also assess the risk that cybersecurity threats could jeopardize the third party's ability to continue in business.

Consistent with, and in addition to, the company's regulatory compliance obligations, making sure that those third parties are themselves secure in cyberspace is an important task in the supervision and governance of third parties. In preparation for a FINRA examination, the assessment of the company's own systems and procedures, and of those of any third parties, must then be integrated into the overarching Supervision and Internal Controls program.

In March 2011, FINRA requested comment from its members on Rule 3190 governing outsourcing. While SEC approval is still pending, it would appear that contractual relationships with third parties will nevertheless be an examination priority in 2012.

Finally, with regard to outsourcing, Proposed Rule 3190 requires ongoing due diligence to ensure that third-party service providers are, and continue to be, capable of performing the outsourced function(s). Accordingly, procedures will need to be established to meet the continuous monitoring requirements. Also, revisit your existing contract terms and make sure that they comply with Rule 3190's requirements. If they don't comply, start your "to do" lists for renegotiation.