Outsourcing and Compliance Responsibilities

In the broker-dealer industry, firms are always looking for ways to increase efficiencies while easing budget constraints. One way to accomplish this is to outsource certain functions to third-party service providers. What areas do firms commonly outsource? It runs the gamut – everything from IT services and website development, office cleaning and maintenance services, accounting/payroll activities, order management services and quote providers, AML/OFAC screening and technologies, to legal services and back-office compliance and operations. In viewing such outsourced relationships and arrangements, it is important to understand a firm’s responsibilities with respect to such third-party vendors.

FINRA Exam Priorities

In recent years, FINRA has included outsourcing to third-party vendors as a key area of review during its member firm examinations and highlighted the same in its annual exam priorities letter.

In 2015, FINRA said:

As firms continue to outsource key operational functions to reduce expenses and focus on core business activities, FINRA reminds firms that outsourcing covered activities in no way diminishes a broker-dealer’s responsibility for 1) full compliance with all applicable federal securities laws and regulations, and FINRA and MSRB rules, and 2) supervising a service provider’s performance. Outsourcing will be a priority area of review during 2015 examinations, and will include an analysis of the due diligence and risk assessment firms perform on potential providers, as well as the supervision they implement for the outsourced activities and functions.

Again, in 2016, the Exam Priority letter indicated:

Firms continue to look for opportunities to reduce costs by outsourcing key operational functions. FINRA will review firms’ due diligence and risk assessment of providers of outsourced services and their supervision of those services. FINRA reminds firms that while certain tasks can be performed by a third-party provider, the responsibility to supervise covered activities for compliance with applicable federal securities laws and regulations, as well as self-regulatory organization rules, remains with the broker-dealer.  Moreover, firms must avoid outsourcing functions that are required to be performed by qualified registered persons. It is essential that broker-dealers appropriately supervise outsourced activities and that firms conduct adequate initial and ongoing due diligence of outsourced providers. This concern is also applicable to employees of affiliates conducting certain functions on behalf of the broker-dealer. (Emphasis added).

Firm Responsibilities

So, if your firm is considering outsourcing functions to a third-party service provider, or is already doing so, what should you do? Conducting a Google search and picking the sponsored ad is likely not the industry “best practice” to be considered.

In 2005, the NASD released Notice to Members 05-48. In this NTM, the NASD outlined some shortcomings it discovered during a review of select broker-dealers conducted alongside the NYSE. The NASD also provided guidance on the responsibilities of member firms and on activities that cannot be outsourced.

This survey found that there was often a lack of implemented procedures to monitor the outsourcing of services, a lack of business continuity plans on the part of the third-party service providers and member firms with respect to such outsourced services, and a lack of formalized due diligence processes to screen service providers for proficiency. However, while not always in the form of written procedures, most participants reported that they did have methods that they used to monitor and assess a third-party vendor’s own procedures and performance and the accuracy and quality of the work product produced on a continuing basis. These methods included (1) using programmatic checks through business operations; (2) including the procedures in the contracts with the vendors; (3) requiring status reports and periodic meetings; and (4) testing and reviewing the third parties’ procedures.

Supervisory Responsibilities

The NTM and NASD Rule 3010 (now FINRA Rule 3110) hold that all member firms must establish, maintain, and enforce written procedures to supervise the types of business in which they engage. This includes procedures related to a firm’s outsourcing functions, which should include a due diligence analysis of its third-party vendors.

So, what exactly does this mean?

Firms have an initial obligation to determine whether certain activities are appropriate for outsourcing. If the decision to outsource to a third-party vendor is made, firms must conduct an initial due diligence review of all potential vendors to determine if they are capable of performing the outsourced activities. Firms also have a continuing obligation to oversee, supervise and monitor any activities that they decide to outsource to third parties.

It is important that firms maintain documentation of all such reviews – both initial and on-going.  If you cannot substantiate that a review was conducted, it wasn’t. Firms should create and retain a record to document the person conducting this review, date(s) of review, factors considered, and any other relevant information.

Procedures should also include how the firm will determine if outsourcing is appropriate for a particular functionality.  Firms are advised not to outsource activities that require registration or to delegate their responsibilities for, or control over, any functions or activities performed by a third-party vendor.

Enforcement Actions

Over the past several years, FINRA has brought multiple enforcement actions for firms’ failures to properly supervise and oversee their outsourced activities. A few cases worth noting follow:

  • a firm agreed to a fine of $175,000 as part of an AWC in which it neither admitted nor denied that after learning that its third-party vendor failed to properly verify customers’ identities for AML purposes, it failed to go back and verify the customer information not previously subjected to the verification process
  • a firm was fined $7.5 million for failing to ensure that corrections were made to its website when the firm learned that its third-party vendor was underreporting certain trade information using erroneous data
  • a firm was fined $1 million for failing to deliver prospectuses in a timely manner despite reports from its third-party vendor that it was unable to procure sufficient paper copies of prospectuses from certain fund families

Conclusion & Recommendations

Firms must develop and implement written supervisory procedures and systems to monitor the performance of third-party vendors to which the firm outsources any of its functions. Moreover, firms should ensure that they designate someone to verify that these procedures are being adhered to and to periodically test compliance with not only the policies, but also securities industry rules and regulations.

Failure to do so can be extremely costly – which clearly does not follow the mindset that outsourcing can save your firm money!