Across the country, a variety of commercial, government and nonprofit entities regularly outsource tasks to third parties. Whether to cut the costs of having employees do the work or to subscribe to the idea that cheaper is always better, when broker-dealer firms contract with third-party vendors to carry out their legal responsibilities, those broker-dealers must take on significant vendor (and sub-vendor) supervisory duties.
FINRA Regulatory Notice 21-29
On Aug. 13, 2021, the Financial Industry Regulatory Authority (FINRA) issued a regulatory notice entitled, “FINRA Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors.” Broker-dealer failure to comply with vendor oversight rules may result in FINRA discipline.
FINRA says in the notice that it is not establishing any new third-party vendor oversight obligations, rather it is reviewing firm duties that already exist for “covered” activities and functions. For example, a member firm must “maintain a supervisory system, including written supervisory procedures (WSPs), for any activities or functions performed … by vendors … reasonably designed to achieve compliance with applicable securities laws and regulations and with applicable FINRA rules.”
Retaining a vendor to perform a function for the broker-dealer does not relieve the firm of “ultimate responsibility” for adhering to securities laws and FINRA rules, so firms should use due diligence when carefully selecting vendors. Vendor contracts should specify expectations in detail, including vendor self-assessment and reporting responsibilities as well as the firm’s right to observe or test vendor operations onsite.
Areas of vendor oversight
Vendor responsibilities on behalf of a broker-dealer that may require supervision include:
- Cybersecurity and data integrity to keep customer information confidential, including systems testing, use of encryption and restrictions on vendor access to firm technology and data
- Recordkeeping
- Business continuity planning for vendor emergencies or vendor business interruption that allow the firm’s obligations to continue to be met
- Registration and qualification of any vendor that takes on firm functions for which FINRA requires it
FINRA notes that a firm should flexibly design a vendor supervisory system that accommodates the unique features of the broker-dealer like its size, structure and needs.
Finally, when investor-customer complaints to the firm could indicate vendor deficiencies, the broker-dealer should take corrective action so as not to allow harm to its customers.
At our law firm, we represent investors in allegations that because broker-dealers failed to adequately supervise third-party agents hired to handle the firms’ legal responsibilities, the investors suffered financial losses. Our attorneys also advise a variety of parties involved in issuing, selling or investing in securities.
