New Guidance from FINRA on Third-Party Risk Management (TPRM): What You Need to Know

Blog post Zachary Jarvinen 2021-11-02

FINRA

Third-party risk is a hot topic these days.

Several financial industry regulators have issued guidance suggesting that market participants exercise appropriate due diligence when integrating technology suppliers that act as a critical component to their day-to-day operations.

The Financial Industry Regulatory Authority (FINRA), specifically, recently published guidelines advising regulated businesses to ensure that their information security and compliance obligations are fulfilled when third-party contractors are handling systems and procedures.

What Does FINRAs New Guidance Suggest?

FINRA’s Notice follows on the heels of an aggregate proposed regulation published by:

  • The Board of Governors of the Federal Reserve System (FRB),
  • The Federal Deposit Insurance Corporation (FDIC), and
  • The Office of the Comptroller of Currency (OCC).

It addresses potential cybersecurity hazards linked with third-party relationships and recommends that regulated firms take steps to verify that third-party vendors are meeting the necessary risk management standards to protect confidential customer data and information technology (IT) systems.

If implemented, it would replace the Federal Reserve’s 2013 guidance, the FDIC’s 2008 guidance, and the OCC’s 2013 guidance and FAQs with a consistent framework that banks may use to meet federal regulatory obligations.

Both FINRA and the banking agency’s guidance are an indication of how financial authorities have responded to the growing use of technology in basic areas of banking operations.

In conjunction with their notice, FINRA also released their examination findings in the Cloud Computing in the Securities Industry report. It discusses the rapid adoption of cloud-based computing services by financial institutions particularly in the wake of the COVID-19 pandemic.

What Outsourced Services Are Discussed in the FINRA Guidance?

These services include critical IT functions such as networking, software applications, and data storage, as well as other business activities such as bank processing, accounting, loan servicing, compliance, and human resources.

Outsourcing these core responsibilities is allowed, but poses numerous hazards for market participants in fulfilling regulatory requirements, including consumer protection, recordkeeping, and business continuity obligations.

Key Takeaways From The FINRA Notice 21-29

Regulatory Notice 21-29 has three core objectives:

  1. To reiterate existing applicable regulatory obligations;
  2. Examine results, observations, and disciplinary actions that have taken place recently; and
  3. Provide questions that FINRA member firms may use when evaluating their third-party vendor management systems, supervisory procedures, and controls.

To that end, the following are the most critical takeaways from the document.

Failure to Implement TPRM Will Likely Have Negative Repercussions

Should organizations fail to take appropriate measures to guarantee that third-party vendors comply with regulations, they face negative repercussions.

Regulatory actions will be taken against registered companies for failures caused solely or in part by their outsourcing to a third-party vendor.

For example, FINRA fined member firms for lacking sufficient processes and performing adequate oversight, per their supervisory obligations, to prevent the data loss of their clients’ non-public information. This was in violation of FINRA Rules 3110 and 2010, as well as SEC Regulation S-P Rule 30.

The U.S. Securities and Exchange Commission (SEC) has also announced enforcement actions linked to similar securities law breaches.

The Guidance isn’t New, Rather Echos Long-Held Advice

Both the FINRA Notice and recent legislation represent ideas that have previously been expressed in regulatory statements or staff guidance.

As a result, they are unlikely to impose significant new compliance obligations on supervised firms.

That said, for banking organizations, in particular, adopting the proposed guidance would standardize and clarify existing standards while also reducing supervision costs.

The Guidance is Not Legally Enforceable, But Strongly Encouraged

Neither the FINRA Notice nor the proposed legislation has legal force.

However, they both underscore regulators’ continued focus on third-party risk management (TPRM) practices and emphasize the need to devote resources and attention to compliance programs.

Regulated businesses and market participants should carefully evaluate whether current and future third-party arrangements fulfill both their contractual obligations and agreed-upon service level objectives.

Who Does FINRA’s New Guidance Apply To?

It applies to the entire spectrum of third-party connections that a bank may have, whether with FinTech third parties (vendors) or corporate affiliates employed to provide particular services.

Because it is risk-based, the proposed guidance notes that an institution’s program for oversight and management of third-party relationships should be proportionate to its size, complexity, and risk profile as well as the degree of risk and number of its third-party connections.

Furthermore, the banking regulators point out that not all third-party connections are created equal, and that more thorough and comprehensive oversight and management should be reserved for activities supporting vital operations rather than less-risky ones.

TPRM Best Practices for Regulated Firms

We’ve compiled our list of general, recommended best practices for organizations either starting or re-evaluating their third-party risk programs.

Do Your Due Diligence

The FINRA notice includes a list of questions for companies to consider when evaluating whether their supervisory controls and policies and procedures are sufficient in addressing potential risks posed by third-party vendor relationships.

FINRA encourages firms to take a “risk-based approach” to third-party risk management and evaluate the outsourced activities for their sensitivity and intricacy.

With regard to company, operational, and compliance tools, not all suppliers are equal. When onboarding third-party technology service providers, it is recommended that regulated businesses conduct significant and thorough research.

If the third-party technology provider is unfamiliar with financial service regulatory standards, regulated businesses should consider it when making their selection.

Establish a Robust TPRM Strategy That Can Be Communicated to Vendors

To monitor and surveil the third-party service providers’ performance and compliance with the agreement(s), regulated financial institutions must have written agreements with them.

These agreements should contain both contractual terms and monitoring, surveillance, reporting, auditing, enforcement, and other provisions.

For example, FINRA Rule 4370, requires firms to maintain written business continuity plans and emergency contact information designed to enable member firms to meet their existing obligations during an emergency or significant business disruption.

Implement Ongoing Monitoring of Third-Party Risk

These contracts should not be rigid, but rather adaptable as facts, situations, and technology change.

Regulated companies should have biannual meetings with their service providers as a component of their risk monitoring program and updating procedures at the very least.

This echoes FINRA Rule 3110, published in 1996, which requires member companies to establish and maintain supervisory systems designed to assure third-party vendor relationships maintain compliance with securities laws and requirements.

How CENTRL Can Help You Get Started With TPRM

The proposed guidelines would provide much-needed coordination in an area that, thus far, has been characterized by competing and overlapping regulatory statements that create compliance difficulties for banks subject to oversight by more than one regulator.

Still, implementing these guidelines in a comprehensive way can represent a heavy burden for organizations that still rely on manual reporting protocols such as spreadsheets.

Vendor360 is a vendor risk management platform that keeps track of the third-party ecosystem, including building risk profiles for each vendor and tracking the whole vendor lifecycle.

Our solution addresses the issues of vendor management overwhelm, questionnaire templates, recurring assessment scheduling, auto-assigning to business users, alerts, and notifications for our clients.

Clients and vendors can save a significant amount of time thanks to automation and customizability that simplify and streamline their workflows.

Furthermore, by providing enhanced third-party risk assessment insights, actionable intelligence, and analytics that empower stakeholder business decisions, we help our clients take their third-party risk management program to the next level.

Ready to learn more? Schedule a free demo of Vendor360 today.