Guest Post from REVERSE Inquires by Mayer Brown, VOLUME 01, ISSUE 05 | August 14, 2018
Discussions on regulatory requirements generally focus on substance. Less often highlighted is how the nuts and bolts of compliance and daily operations are actually carried out—often by third-party service providers. FINRA recognizes the role third-party service providers play and even hosts the Compliance Vendor Directory. We discuss FINRA’s guidelines for the use of third-party service providers below using examples relating to technology governance, cybersecurity and anti-money laundering (“AML”) programs. These topics were included in the FINRA 2018 Regulatory and Examination Priorities Letter and were chosen to highlight the role of outsourcing across various focus areas.
Third-party service providers are commonly used for a range of activities including compliance, operations, administration and information technology services, but there is a limit to what third parties may do. Any activity that requires qualification and registration cannot be outsourced. Any person performing such an activity will be deemed to be an associated person of the applicable member even if such person is not registered with the member (though there is a limited exception for registered broker-dealers providing certain specified services, such as clearing). FINRA’s analysis regarding the appropriateness of delegation is impact-focused; members should consider the financial, reputational, operational, legal or other potential effects of a third party’s failure to perform before delegating any task. In the cybersecurity context, for example, members are responsible for understanding a vendor’s cybersecurity systems and standards, and FINRA has described a sliding scale of diligence procedures from vendor questionnaires to on-site security reviews based on the level of potential vendor risk.
Once the determination that an activity is appropriate for outsourcing is made, there is still work to be done. The member firm must create a supervisory system including written procedures appropriately tailored to its business and the outsourced activities and conduct initial and ongoing due diligence reviews of all third-party service providers. For example, FINRA has chastised firms for failure to appropriately tailor “off-the-shelf” vendor AML systems based on individual risks. Firms must also supervise and monitor any third-party service provider for ongoing fitness, compliance with both the terms of service agreement and applicable laws and the accessibility of the third-party service provider’s work product. All third-party work product must be accessible both to the member and to all applicable regulators to the same extent as if the work had been performed by such member. In December 2016, 12 firms were fined a total of $14.4 million for recordkeeping violations related to vendor failures to preserve records in write once read many (commonly referred to as “WORM”) format. The disciplinary records discuss the firm’s liability on both the basis of procedural and supervisory failures with respect to the third-party service provider and as a result of the firm’s ultimate liability for regulatory compliance.
As evidenced by the December 2016 disciplinary actions, delegation of a particular task or function by a firm does not correspond to a delegation of responsibility. In addition to the ongoing responsibility to oversee the third party’s activities, the member retains ultimate responsibility for legal and regulatory compliance. Outsourcing an activity neither absolves a member of liability nor lessens a member’s responsibility for either the performance of the task or the resulting work product’s compliance with applicable laws and regulations.
Because outsourcing is the means through which a firm’s many operations and compliance obligations are performed, it is essential to regularly revisit existing outsourcing arrangements and to properly review new ones to ensure that the expectations of all parties, including the regulators, continue to be met.
FINRA’s outsourcing guidance should be considered as structured products market participants look to electronic platforms. To the extent that electronic platforms provide educational materials and training materials, member firms should consider how they will use or rely on these materials. Will the member firm provide its own educational and training materials? Will it rely on the platform’s materials? If so, has it made a determination regarding the sufficiency and adequacy of the platform’s materials? Does the platform’s materials use terminology that’s consistent with the member firm’s own terminology in the context of its offering materials? Is the educational and training material offered by the platform fair and balanced? Readers may recall that the Commission’s Division of Enforcement took action against a broker- dealer whose training materials were inconsistent with the offering materials for the same products. Setting aside educational materials, for transactions that take place over a platform, who owns the trade tickets and all the transaction records? These are just a few of the questions that should be asked.
Bradley Berman, Counsel
Anna Pinedo, Partner
Remmelt Reigersman, Partner
David Goett, Associate
Marla Matusic, Associate
Mingli Wu, Staff Attorney
Mayer Brown is a global legal services provider advising many of the world’s largest companies, including a significant portion of Fortune 100, FTSE 100, CAC 40, DAX, Hang Seng and Nikkei index companies and more than half of the world’s largest banks. Its legal services include banking and finance; corporate and securities; litigation and dispute resolution; antitrust and competition; U.S. Supreme Court and appellate matters; employment and benefits; environmental; financial services regulatory and enforcement; government and global trade; intellectual property; real estate; tax; restructuring, bankruptcy and insolvency; and private clients, trusts and estates.
Please visit www.mayerbrown.com for comprehensive contact information for all Mayer Brown offices.