FINRA reminded firms of their obligation to maintain a sufficient supervisory system for activities outsourced to third-party vendors. FINRA highlighted exam findings and examples of disciplinary actions arising from supervisory lapses.

FINRA encouraged firms to review:

  • their supervisory obligations for outsourced activities that, if performed directly by the member, would be subject to FINRA Rule 3110 ("Supervision");
  • whether vendors meet registration requirements under FINRA Rule 1220 ("Registration Categories");
  • whether their cybersecurity programs and controls are consistent with SEC Regulation S-P Rule 30 ("Procedures to safeguard customer records and information; disposal of consumer report information"); and
  • the elements of their business continuity plans addressing use of vendors as set out under FINRA Rule 4370 ("Business Continuity Plans and Emergency Contact Information").

FINRA shared the following examples of compliance deficiencies, pointing to disciplinary actions stemming from firms' vendor relationships:

  • With regard to cybersecurity and technology governance, FINRA observed that firms failed to (i) test vendors' cybersecurity controls or manage the lifecycle of their engagements with vendors, (ii) institute "policy of least privilege" controls or multi-factor authentication, (iii) oversee vendors' technology changes affecting firm business and (iv) detect underlying malfunctions because of inadequate systems testing. FINRA also found that vendors did not encrypt stored confidential data. FINRA noted that firms have been disciplined when the confidentiality of customers' nonpublic personal information was compromised because of vendor failings; the firm, not the vendor, bears the regulatory consequences.
  • With regard to books and records, FINRA observed that firms did not have processes to evaluate the selection of Consolidated Account Reports vendors and failed to test that vendors identified the correct prevailing market price to calculate mark-ups and mark-downs. FINRA explained that firms were disciplined for failing to preserve and produce business-related electronic communications due to vendors' systems malfunctioning, vendors purging data after a terminated engagement, and firms failing to establish an audit system for vendors' preservation of emails.

FINRA also posed questions to help firms evaluate the efficacy of their vendor management supervisory system. FINRA asked firms to consider the full lifecycle of the vendor relationship, including: (i) the decision to outsource; (ii) the due diligence approach, conflicts of interest and cybersecurity; (iii) vendor contracts and the default settings of vendor tools; and (iv) ongoing supervision.

Commentary by Steven Lofchie

As the securities business becomes more dependent on complex technology, firms become more dependent on outsourced providers. The securities regulators take the view that firms are fully as responsible for the work of outsourced providers as firms are for work performed in house. This means that firms must consider, as to each of their outsourced providers, how they can supervise the relevant activity and what they can do if something goes wrong at the provider.
