In light of the fact that many member firms are increasingly using third-party vendors to perform a variety of core business functions, FINRA recently published Regulatory Notice 21-29, “FINRA Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors.”
Regulatory Notice 21-29 reminds member firms of their obligation to establish and maintain a supervisory system for all activities, including those performed by third-party vendors. The Notice also addressed common compliance deficiencies arising from the use of third-party vendors by member firms. For instance, in the past, many firms have failed to document or implement procedures to manage the onboarding and offboarding of third-party vendors, including defining how to dispose of customer non-public information. Many firms also failed to perform sufficient supervisory oversight of vendor application and technology changes such as upgrades, modifications to or integration of member firm or vendor systems.
Regulatory Notice 21-29 also provided guidance on factors that should impact a member firm’s decision to outsource to a third-party vendor. According to FINRA, a decision to outsource an activity or function may depend, in part, on whether the firm has an adequate process to make that determination and then to supervise that outsourced activity or function. Moreover, once a member firm decides to outsource an activity, it may further consider a vendor’s financial condition, experience and reputation; familiarity with regulatory requirements, fee structure and incentives; the background of the vendor’s principals, risk management programs, information security controls, and resilience.
We encourage our broker-dealer clients to review Regulatory Notice 21-29 and to take prompt steps to ensure their policies, procedures, and practices reflect regulatory expectations addressed in the notice.