13 Aug FINRA – Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors
Summary of Regulatory Obligations: FINRA Rule 3110 (supervision) requires firms to have system to supervise activities of associated persons for compliance with federal securities laws and regulation. Notice 05-48 reminds firms outsourcing activity or function to vendor does not relieve them of ultimate responsibility for compliance with all applicable laws and regulations. If outsource certain activities, supervisory system and written supervisory procedures (WSPs) must include procedures on outsourcing practices to ensure compliance with securities laws and FINRA rules.
FINRA expects firms to develop reasonably designed supervisory systems appropriate to business model, scale of operations that address technology governance-related risks. Failure to do so can expose firms to operational failures that compromise ability serve customers or comply with rules, including FINRA Rule 4370 [business continuity planning (BCP) and emergency contact].
On registration, 3rd-party service providers conducting activities requiring registration under FINRA rules are generally considered associated persons (APs) and are required to have necessary registrations. Must review if vendors or personnel meet registration requirements under FINRA Rule 1220, and if employees are covered persons under operations professional category. Due to supervision of covered functions executed by vendor, because authorized, have discretion materially to commit firm’s capital in direct furtherance of covered function.
FINRA expects firms to develop reasonably designed cybersecurity programs, controls that are consistent with their risk profile, business model and scale of operations. Reminder to review core principles, effective practices for developing such programs and controls, including vendor management, from reports on cybersecurity practices. Elements of firm’s BCP, including use of vendors, can be flexible, tailored to size, needs of firm, minimum enumerated elements are addressed; must review, update BCPs in light of changes to member firms’ operations, structure, business or location.
Exam Findings and Observations: Firms violated Reg S-P Rule 30, Rule 3110, FINRA Rule 2010 for not having adequate procedures for supervisory oversight to protect confidentiality of customer NPI. For example, where vendor exposed to public internet firms’ purchase, sales blotters, included customer nonpublic personal information (names, account numbers, SSNs). Additionally, where vendor did not configure cloud-based server correctly, antivirus software, implement encryption for account applications, brokerage records with customer NPI. Foreign hackers successfully accessed cloud-based server, exposed customer’s NPI. Firms disciplined for books and records violations, supervisory obligations with vendor. Included failing to preserve and produce business-related electronic communications (emails, social media, texts, instant messages, app-based messages, and video content). Due to vendor system malfunctions, as well as data purges after terminating relationship with firm. Vendors failing to correctly configure default retention periods, resulting in the inadvertent deletions of firm electronic communication for certain time periods. Vendors failing to provide non-rewritable, non-erasable storage, and firms failing to establish an audit system to account for vendors’ preservation of emails.
Questions for Consideration: Provided questions to help firms evaluate if supervisory control system, including WSPs, adequately addresses issues and risks relating to vendor management. If vendor will be handling sensitive firm or customer non-public information. Extent of potential damage if security breach (number of customers impacted). Once member firm decides to outsource activity or function, may want to consider questions on due diligence and conflicts in evaluating, selecting potential vendors.
For more information, visit www.finra.org.