Summary:
In the broker-dealer industry, third-party vendors are commonly used to conduct many tasks on behalf of the organization. These may include some or all of the following: IT services, office cleaning services, quote providers, AML/OFAC screening, back office compliance/operations, and order management services. It is important to understand the firm’s responsibilities when engaging in relationships with third parties.
Regulations:
NASD Rule 3010 requires members to design a supervisory system tailored to the firm’s business structure. Additionally, FINRA Notice to Members 05-48 addresses members’ responsibilities when outsourcing activities to third-party service providers.
The member's supervisory system and written supervisory procedures must include procedures regarding its outsourcing practices, to ensure compliance with applicable securities laws and regulations and FINRA rules. The procedures should include initial and ongoing due diligence analysis of current and prospective third-party providers to determine if they are capable of performing the outsourced activities. Procedures should also include how the firm will determine if outsourcing is appropriate for a particular function. Finally, customer information must be protected and the firm must develop and maintain procedures to address safeguarding of customer information and sharing information with third parties.
Recommendations:
Most firms have an internal process when selecting a third-party service provider. This process should be documented and maintained in a file with other vendor information such as a contract and confidentiality agreement. Some firms choose to consider the following when conducting due diligence on a new service provider: features of the services provided (and how closely they match the firm’s or client’s needs), firm reputation, length of time in business, results from a negative news search, type of technology used, user friendliness of systems, results of independent reviews/audits, and the provider’s business continuity plan. The process chosen by your firm should be reasonable given the function being outsourced and the potential operational, legal, and reputational risk to your firm should the function not be completed properly or in a timely manner.
On an ongoing basis, someone at the firm should re-evaluate all service providers to ensure they meet the firm’s needs. Some questions you may ask when going through this process include:
- How have our firm’s needs changed?
- Is this service provider still meeting our needs?
- Has the provider or service changed? (management, systems, service features, etc.)
- Are there other providers that offer a higher level of service, or provide more features that are important to our clients or firm?
After going through this initial and ongoing due diligence process, the firm should create and retain a record to document the person conducting this review, date(s) of review, factors considered, and any other relevant information. Finally, as a supervisory control, firms should designate someone to ensure these procedures are being followed on an ongoing basis and to periodically test adherence to the policies.
Conclusion:
By having written procedures that address outsourcing activities, and maintaining detailed books and records to evidence initial and ongoing due diligence, your firm should greatly reduce the chances of this subject becoming an issue during your next FINRA examination.
Regulatory Compliance, LLC is dedicated to partnering with our clients and providing the most up-to-date information on the current regulatory environment. For questions about your firm’s obligations regarding third-party outsourcing, please contact your Compliance Partners account manager at 603-434-3594.