A recent FINRA regulatory notice recasts existing obligations regarding outsourcing as a procedural roadmap for broker-dealers to “consider” when using third-party vendors.
The Financial Industry Regulatory Authority, Inc. (FINRA) published Regulatory Notice 21-29 (RN 21-29)[1] on August 13 to “remind” broker-dealers of the various obligations to which they are subject when outsourcing functions to third-party vendors. RN 21-29 comes one month after the federal banking agencies[2] published a request for comment on proposed risk management guidance for third-party relationships.[3] While FINRA styles RN 21-29 as only reiterating existing legal and regulatory requirements and interpretations of existing requirements, FINRA’s 2005 Notice-to-Members 05-48 (NTM 05-48)[4] provided limited general guidance regarding firm responsibilities for outsourcing activities to third-party service providers. Similar to guidance now provided by other regulatory authorities, including in the United Kingdom and Singapore, RN 21-29 provides more detailed guidance on specific aspects of the outsourcing process, including a series of “questions” for member firms to consider when outsourcing functions to third-party vendors. These questions present as a roadmap for how FINRA expects firms to approach:
RN 21-29 references historical guidance regarding outsourcing as it builds toward the framework that FINRA appears to expect firms to consider when outsourcing functions to third-party vendors, including outsourcing of (i) accounting/finance (payroll, expense account reporting, etc.); (ii) legal and compliance; (iii) information technology; (iv) operations functions (e.g., statement production, disaster recovery services, etc.); and (v) administration functions (e.g., human resources, internal audits, etc.). As part of that background, FINRA provides a summary of regulatory obligations of which firms must be mindful when outsourcing functions, including:
In a further lead up to the procedural roadmap, FINRA summarizes a number of exam findings and observations to highlight some of the issues it has uncovered.[8] FINRA generally notes the following areas:
As mentioned above, while FINRA stated that RN 21-29 does not impose new legal or regulatory obligations or interpretations, it does provide a procedural framework that FINRA suggests broker-dealers consider when assessing their outsourcing practices. In this respect, FINRA framed this procedural framework as consisting of four phases:
1. The decision to outsource an activity or function
2. Conducting due diligence on prospective vendors
3. Onboarding vendors
4. Overseeing or supervising outsourced activities or functions
Deciding to Outsource: With respect to outsourcing decisions, RN 21-29 reflects a view that firms should have a process for making an outsourcing determination. To this end, FINRA suggests that firms consider the following questions:
Due Diligence: With respect to due diligence of a potential vendor, FINRA suggests that firms consider the following:
Vendor Onboarding: After completing due diligence and selecting a vendor, FINRA recommends that firms consider putting in place a written contract with vendors that outlines roles and responsibilities.
Supervision: Once a vendor is onboarded, FINRA recommends steps that firms can take to supervise the vendor’s performance, including:
Further to this, FINRA recommends that firms consider the following specific aspects of their supervisory systems:
Process and Documentation: Although FINRA states that RN 21-29 does not impose new regulatory, legal, or interpretive requirements, it provides a roadmap on how firms should consider the decision to outsource certain functions and evaluate potential vendors. In this respect, FINRA may expect that firms document an outsourcing framework consistent with that outlined in RN 21-29 in order for firms to evidence that they have complied with various obligations outlined in NTM 05-48 and related guidance. While many firms currently have a process in place, it also may be beneficial for firms to review their standard vendor due diligence and onboarding procedures and related documentation in light of RN 21-29, which can also serve as a record of compliance for regulatory purposes.
Existing Arrangements: To the extent firms have not done so already, they should consider evaluating their vendor arrangements and surrounding documentation to determine whether those existing relationships are consistent with the approach outlined in RN 21-29. As existing vendor contracts near the end of their terms, firms may want to consider documenting due diligence and supervisory procedures as part of any renewals or new relationships. Although FINRA did not distinguish affiliated and nonaffiliated vendors, it may be prudent for firms to apply this new procedural framework to all vendor relationships.
Supervisory Procedures: In addition, it may be prudent for firms to consider revising their WSPs to include controls around the vendor onboarding process consistent with RN 21-29. FINRA will expect firms to create a supervisory program to oversee, supervise, and monitor a vendor’s performance of the outsourced function during the life of the agreement.
Interplay with Banking Agency Proposal: In many ways, the Banking Agency Proposal covers the same ground as RN 21-29 as both:
Some variations in subject matter discussion may relate to the particular priorities of regulators, such as FINRA’s heightened scrutiny of cybersecurity risks. Other distinctions may be the result of market behavior, such as the sharing of data by banking organizations with vendors, which leads the Banking Agency Proposal to focus on such concerns. In addition, while RN 21-29 does not specifically call out the fintech industry as was done in the Banking Agency Proposal, firms may consider reviewing that proposal to supplement any efforts undertaken to develop a due diligence, onboarding, and supervision framework.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Washington DC
Amy Natterson Kroll
Ivan P. Harris
Ignacio A. Sandoval
Steve W. Stone
Kyle D. Whitehead
Karin Khominsky
Boston
David C. Boch
London
Mike Pierides
New York
Martin Hirschprung
Philadelphia
Barbara M. Melby
Michael L. Pillion
Pittsburgh
Peter M. Watt-Morse
[1] Vendor Management and Outsourcing, FINRA Regulatory Notice 21-29 (Aug. 13, 2021).
[2] That is the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency.
[3] For more information about that proposal, please see our blog post on the matter (“Banking Agency Proposal”).
[4] Outsourcing, NASD Notice to Members 05-48 (July 2005).
[5] Of note, RN 21-29 does not distinguish between vendors that are affiliates and those which are not.
[6] Among other things, FINRA noted (i) Rule 4370 (Business Continuity Plans and Emergency Contact Information); (ii) Rule 3110 (Supervision); and (iii) books and records requirements under Rule 4511 (General Requirements), as well as Securities Exchange Act of 1934 (Exchange Act) Rules 17a-3 and 17a-4.
[7] While FINRA reiterated its stance regarding registration of individuals for certain covered functions, it did not provide any guidance on who would be deemed an “associated person” in circumstances where registration is not required to perform a particular function.