FINRA recently released Regulatory Notice 21-29 regarding a broker-dealer’s obligation to supervise certain activities and functions of third-party vendors. This is nothing new, but we are seeing a big increase in the use of outsourced vendors, including CRM, electronic storage, workflow software, and IT vendors. Although the following is based on FINRA guidance for BDs, RIAs have similar responsibilities for supervising vendors, so we hope that RIA firms will glean some valuable information from this guidance as well.
The level of supervision can vary depending on the vendor, its access, and the critical nature of its service. Firms are encouraged to pull out their list of vendors, consider each one with a critical eye, and review NTM 05-48 and their procedures. Do you need to update your procedures? Do you need to increase supervision of any vendor in order to reasonably achieve compliance with your regulatory obligation?
Consider the following:
- Have you evaluated or tested a vendor’s cybersecurity controls?
- Do you have a plan to manage vendor access from the start to the end of the relationship?
- Does your vendor have the capability to maintain your books and records appropriately to fulfill the requirements for electronic storage?
For more detailed information, refer to the following notices from FINRA: Regulatory Notice 21-29 and Notice To Members 05-48.
MasterCompliance provides expert consulting, outsourcing, and implementation tools in planning and budgeting for your firm’s compliance responsibilities. If you have any questions regarding supervising vendors, please contact us.