Discussions on regulatory requirements generally focus on substance. Less often highlighted is how the nuts and bolts of compliance and daily operations are actually carried out—often by third-party service providers. FINRA recognizes the role third-party service providers play and even hosts the Compliance Vendor Directory. We discuss FINRA's guidelines for the use of third-party service providers below using examples relating to technology governance, cybersecurity and anti-money laundering ("AML") programs. These topics were included in the FINRA 2018 Regulatory and Examination Priorities Letter and were chosen to highlight the role of outsourcing across various focus areas.

Third-party service providers are commonly used for a range of activities including compliance, operations, administration and information technology services, but there is a limit to what third parties may do. Any activity that requires qualification and registration cannot be outsourced. Any person performing such an activity will be deemed to be an associated person of the applicable member even if such person is not registered with the member (though there is a limited exception for registered broker-dealers providing certain specified services, such as clearing). FINRA's analysis regarding the appropriateness of delegation is impact-focused; members should consider the financial, reputational, operational, legal or other potential effects of a third party's failure to perform before delegating any task. In the cybersecurity context, for example, members are responsible for understanding a vendor's cybersecurity systems and standards, and FINRA has described a sliding scale of diligence procedures from vendor questionnaires to on-site security reviews based on the level of potential vendor risk.

Once the determination that an activity is appropriate for outsourcing is made, there is still work to be done. The member firm must create a supervisory system, including written procedures appropriately tailored to its business and the outsourced activities, and conduct initial and ongoing due diligence reviews of all third-party service providers. For example, FINRA has chastised firms for failure to appropriately tailor "off-the-shelf" vendor AML systems based on individual risks. Firms must also supervise and monitor any third-party service provider for ongoing fitness, compliance with both the terms of the service agreement and applicable laws, and the accessibility of the third-party service provider's work product. All third-party work product must be accessible both to the member and to all applicable regulators to the same extent as if the work had been performed by such member. In December 2016, 12 firms were fined a total of $14.4 million for recordkeeping violations related to vendor failures to preserve records in write once read many (commonly referred to as "WORM") format. The disciplinary records discuss the firm's liability both on the basis of procedural and supervisory failures with respect to the third-party service provider and as a result of the firm's ultimate liability for regulatory compliance.

As evidenced by the December 2016 disciplinary actions, delegation of a particular task or function by a firm does not correspond to a delegation of responsibility. In addition to the ongoing responsibility to oversee the third party's activities, the member retains ultimate responsibility for legal and regulatory compliance. Outsourcing an activity neither absolves a member of liability nor lessens a member's responsibility for either the performance of the task or the resulting work product's compliance with applicable laws and regulations.

Because outsourcing is the means through which a firm's many operations and compliance obligations are performed, it is essential to regularly revisit existing outsourcing arrangements and to properly review new ones to ensure that the expectations of all parties, including the regulators, continue to be met.

FINRA's outsourcing guidance should be considered as structured products market participants look to electronic platforms. To the extent that electronic platforms provide educational materials and training materials, member firms should consider how they will use or rely on these materials. Will the member firm provide its own educational and training materials? Will it rely on the platform's materials? If so, has it made a determination regarding the sufficiency and adequacy of the platform's materials? Do the platform's materials use terminology that is consistent with the member firm's own terminology in the context of its offering materials? Is the educational and training material offered by the platform fair and balanced? Readers may recall that the Commission's Division of Enforcement took action against a broker-dealer whose training materials were inconsistent with the offering materials for the same products. Setting aside educational materials, for transactions that take place over a platform, who owns the trade tickets and all the transaction records? These are just a few of the questions that should be asked.


Originally published in REVERSEinquiries: Volume 1, Issue 5.

Originally published August 14, 2018


© Copyright 2018. The Mayer Brown Practices. All rights reserved.
