On August 13, 2021, the Financial Industry Regulatory Authority (“FINRA”) issued Regulatory Notice 21-29, collecting guidance on outsourcing and vendor management. The Notice was prompted by increased reliance on outsourcing (especially during COVID), some enforcement actions involving vendor-management issues, and similar proposed inter-agency guidance by banking regulators.
The Notice reminds firms that while they can outsource task or functions, they cannot outsource-away their regulatory compliance obligations. In turn, that means the outsourcing process itself must comply with those regulatory obligations. It also means that firms cannot “set it and forget it.” Broadly, they are:
Supervision – Firms must supervise, and have the ability to use supervisory controls over, the outsourced functions, and must memorialize that in their written supervisory procedures and in vendor contracts.
Business Continuity Plans – Vendors (and the functions they perform) must be addressed in firms’ business continuity plans.
Books and Records – The records maintained by vendors in connection with their work for member firms must be kept as prescribed by rule, subject to inspection by the firm (and regulators), and retained as required, with accompanying attestations.
Registration - Depending on the functions outsourced, vendors and/or their personnel may require FINRA registration.
Cybersecurity – Controls, access management, change management, testing and data loss prevention must comply with SEC Reg. SP.
Drawing on examination findings and some previous enforcement actions, the Notice provides some best-practices in the form of questions to ask in each phase of outsourcing and vendor management. Summarized, they are:
Outsourcing Decisions:
- Develop a robust and formal process;
- Address it the firm’s Written Supervisory Procedures;
- Include a formal risk assessment;
- Involve all appropriate internal stakeholders in each decision.
Due Diligence:
- Conduct systematic and substantive due diligence;
- Make it risk-based;
- Investigate vendor systems;
- Make sure your due-diligence investigators are qualified in the subject investigated;
- Be alert to, and manage to overcome, conflicts.
Onboarding:
- Ensure contracts address, and enable compliance with, all regulatory requirements;
- Double-check and adjust features and default settings as necessary;
- Have off-boarding processes in place to avoid regulatory non-compliance.
Supervising:
- Contracts must address and permit;
- Require attestations;
- Require monitoring, including access and procedures;
- Allow investigation and follow up to any red flags;
- Have supervisory testing and controls in place.
The Notice expressly mentions similar Proposed Guidance and the request for comment by the Federal Reserve Board of Governors, the FDIC and the OCC, issued July 13, 2021, here:
https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20210713a1.pdf FINRA says it will monitor that Proposal and will harmonize its Rules as appropriate.
FINRA Regulatory Notice 21-29 is here: https://www.finra.org/sites/default/files/2021-08/Regulatory-Notice-21-29.pdf
Thomas K. Potter, III (tpotter@burr.com) is a partner in the Securities Litigation Practice Group at Burr & Forman, LLP. Tom is licensed in Tennessee, Texas, and Louisiana. He has over 35 years of experience representing financial institutions in litigation, regulatory, and compliance matters. See attorney profile.
- Partner
Tom Potter is a Partner in the firm's Nashville office, and his practice focuses on securities, corporate disputes, and appellate litigation. Tom has over 35 years of experience representing business interests.
Tom represents ...