The Financial Industry Regulatory Authority (FINRA) published in January a 16-page list of regulatory and examination priorities for 2012.

Of particular note for FINRA member firms interested in outsourcing, offshoring or third-party relationships, there are three particularly important priorities:

  • Integrity of Supervision and Internal Controls;
  • Information Technology and Cybersecurity; and
  • Outsourcing

Integrity of Supervision and Internal Controls is the foundation for any compliance program. Effective internal controls are the result of a broker-dealer's reflective analysis of its business, operations and technology, and the risks associated with opening the doors every day.

The Cybersecurity priority, in conjunction with the Outsourcing priority, introduces a new slant on how a company prepares for this year's annual FINRA exam. A company's cybersecurity risk assessment must take into account both its own internal cybersecurity risks and those that may derive from any third-party contracts (outsourcing and offshoring). It is important to note that considering third-party cybersecurity risks must explicitly address the third party's ability to fulfill its contractual obligations, and must also assess risks to the third party's ability to continue in business in the face of cybersecurity threats.

Consistent with, and in addition to, the company's regulatory compliance obligations, making sure that those third parties are themselves secure in cyberspace is an important task in the supervision and governance of third parties. In preparation for a FINRA examination, the assessment of the company's own systems and procedures, and of those of any third parties, must then be integrated into the overarching Supervision and Internal Controls program. In March 2011, FINRA requested comment from its members on proposed Rule 3190 governing outsourcing. While SEC approval is still pending, it would appear that contractual relationships with third parties will nevertheless be an examination priority in 2012.

Finally, with regard to outsourcing, Proposed Rule 3190 requires ongoing due diligence to ensure that third-party service providers are, and continue to be, capable of performing the outsourced function(s). Accordingly, procedures will need to be established to meet those continuous monitoring requirements. Also, revisit your existing contract terms and make sure that they comply with Rule 3190's requirements. If they don't comply, start your "to do" lists for renegotiation.
