FINRA notice outlines key areas for supervising third parties

FINRA focused on three areas of vendor relationships where compliance weaknesses were found: cyber-security, books and records, and supervision. The notice did not create any new requirements for firms, but instead highlighted where companies were falling short during examinations and for what failures they were disciplined.

“FINRA encourages firms that use—or are contemplating using—vendors to review the following obligations and assess whether their supervisory procedures and controls for outsourced activities or functions are sufficient to maintain compliance with applicable rules,” the notice said.

Tightening up of vendor controls for cyber-security remains top-of-mind for many compliance professionals. News reports on breaches and hacks at financial institutions appear on a regular basis, with the root of many stemming from deficiencies in vendor relationships.

Compliance deficiencies identified in this area during examinations include:

• Insufficient procedures to evaluate and test vendors’ cyber-security practices throughout the lifecycle of their relationship;
• Failure to implement adequate controls that grant vendors access to data only when necessary and requiring multi-factor authentication for vendors and contractors;
• Inadequate change management supervision during upgrades, modifications, or integration of member firm or vendor systems;
• Inadequate testing of system changes and capacity; and
• Inadequate data loss prevention programs, like encryption of sensitive data stored at vendors or in transit between firms and vendors.

Compliance deficiencies by firms regarding FINRA’s books and records requirements include:

• Failing to perform due diligence on vendors’ ability to adhere to FINRA’s recordkeeping requirements;
• Failing to confirm service contracts and agreements meet FINRA’s notification requirements; and
• Failing to confirm vendors comply with contractual and regulatory requirements to maintain (and not delete, unless otherwise permitted) firms’ books and records.

Some of the actions FINRA took against firms for books and records deficiencies included those whose vendors experienced system malfunctions; data purges by vendors whose relationship with the firm was terminated; vendors that failed to correct default retention periods, resulting in loss of data required to be saved; vendors that made emails unrecoverable after 30 days; and firms that failed to establish an audit system to account for vendors’ preservation of emails.

Firms were also found to have deficiencies in supervising the performance of their vendors, including:

• Failure to review, correct, or verify vendor-provided expense ratio and historical performance information for numerous investment options in defined contribution plans (retirement plans);
• Failure to oversee, monitor, and evaluate changes and upgrades to automated rebalancing and fee allocation functions outsourced to a vendor for wealth management accounts custodied at the firm;
• Failure to review, test, or verify the accuracy and completeness of data feeds from vendors that failed to identify the firm’s prior role in transactions for issuers covered by firm research reports; and
• Failure to confirm the accuracy and completeness of information provided by vendors to regulators, including FINRA, both in response to specific requests and as part of regular trade and other reporting obligations.

As part of the notice, FINRA also reissued advice for firms on conducting due diligence, onboarding, and supervision of vendors.