Does your firm know who its key outsourced vendors are? Does your firm perform ongoing due diligence that includes an assessment of risks? The answers to both questions may involve a huge undertaking for small firms that have limited resources.
Outsourcing by financial services companies carries unique risks compared to those faced by companies in other sectors. Oversights related to privacy, safeguarding client information, cybersecurity, and confidentiality can have greater consequences than errors made in other industries. Generally speaking, these consequences can include substantial financial losses and regulatory enforcement actions. Given these risks, firms that outsource should consider best practices when engaging with outside vendors.
Engaging Key Outsourced Vendors
When searching for a third-party vendor, firms should consider the following actions:
- Perform reasonable due diligence when selecting a service provider;
- Ensure confidentiality and privacy provisions are contained in each outsourcing agreement; and
- Assess the legal and regulatory requirements arising from each outsourcing arrangement.
Maintaining Relationships with Vendors
Once a firm has established a relationship with an outsourced vendor, the work is not done yet. Firms should consider the following actions to limit risks associated with outsourcing:
- Create a risk ranking or assessment tool to aid in identifying high-risk vendors, including those who may have access to clients’ personal information;
- Maintain an updated list of your outsourcing vendors and the services each provides to the firm;
- Actively supervise and monitor each service provider;
- Maintain books and records related to initial and ongoing reviews of outsourcing vendors; and
- Make appropriate updates to the firm’s business continuity plan.
With respect to each outsourcing arrangement, firms need to account for the regulatory and risk environment in which they operate. To that end, firms should have procedures related to outsourcing arrangements, including the arrangements entered into by a firm’s branches or its associated persons. Additionally, if your firm decides to rely on third-party vendors for support, it is vital that the firm conducts extensive due diligence and oversight, using adequate controls to ensure compliance with the firm’s policies and regulatory mandates. FINRA provides additional guidance on this in its NTM 05-48, which discusses member firms’ responsibilities when outsourcing to third-party service providers.
MasterCompliance provides expert consulting, outsourcing, and implementation tools to support firms in their compliance responsibilities related to outsourcing vendors. If there are any areas where you would like to explore additional assistance or services, please contact us.