The Financial Industry Regulatory Authority (FINRA) recently issued a regulatory notice reminding firms of their obligation to implement procedures to supervise activities performed by third-party vendors in an effort to comply with applicable federal securities laws, regulations and FINRA rules. The Notice does not create any new legal or regulatory requirements but is intended to provide information that firms have requested regarding risk-based approaches to vendor management. FINRA also urges firms to review proposed guidance recently published by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency designed to help banking organizations manage risks posed by third parties.
The Notice provides a summary of regulatory obligations on various topics including vendor supervision, registration requirements, cybersecurity programs and controls, and business continuity planning. The Notice also provides a description of common compliance deficiencies that firms’ encounter in the areas of cybersecurity and technology governance and the maintenance of books and records. In addition, FINRA suggests that outsourcing process should occur in four phases – the initial decision to outsource an activity, the evaluation of prospective vendors, the onboarding of vendors, and the supervision of outsourced activities – and provides factors that firms should consider at each phase in the process.