Financial firms are increasingly using third-party vendors to carry out their business and regulatory oversight functions, FINRA said in its notice. Even if these activities are outsourced, FINRA said, firms have a duty to ensure that they have systems in place to supervise the outsourced work and that those systems are sufficient and compliant with FINRA rules and regulations.
FINRA encouraged firms to review their supervisory obligations for outsourced activities, look at whether vendors meet FINRA registration requirements, and ensure that vendors’ cybersecurity programs are compliant with SEC regulations.
To ensure that third-party vendors are effective, FINRA also encouraged firms to review the following aspects of their vendor relationships:
- the rationale behind the decision to outsource certain activities
- the due diligence approach, conflicts of interest, and cybersecurity measures in place for the third-party vendor
- vendor contracts and the default settings of vendor tools
- the maintenance of written procedures to supervise the types of business in which the firm engages and the activities of its associated persons
FINRA also highlighted vendor-related failures that have resulted in regulatory action, including system malfunctions, data purges after a vendor relationship with a firm ends, vendors failing to provide non-rewriteable and non-erasable storage, and others.
The notice doesn’t create new legal or regulatory requirements, nor does it bring new interpretations of existing requirements into play, according to FINRA. The information in the notice simply reflects what firms have previously told FINRA they find useful in their vendor management practices.