Bates Research | 09-15-21

FINRA Issues Updated Vendor Supervision Guidance, Seeks Feedback on Cloud Computing; Warns of New Phishing Scam

FINRA remained busy through the end of Summer with several important regulatory actions. New actions included issuing updated guidance on supervision of third-party vendors, requesting feedback on a report by the Office of Financial Innovation (“OFI”) concerning broker-dealer approaches to cloud computing, and raising additional alarms about a phishing campaign using fraudulent FINRA email domains. The actions reinforce important compliance objectives as new technology-related products and services designed to help firms adapt to a changing business environment come online. Here’s a brief recap.

FINRA Provides Guidance on Supervision of Third-Party Vendors

The prevalent use of third-party vendors used in performing core business and regulatory oversight functions was the focus of a recent FINRA notice to broker-dealers on August 13, 2021. The new notice updates previous guidance on the responsibilities of members when outsourcing activities.

The new guidance carries the same general message as the old guidance concerning obligations for maintaining a sufficient supervisory system—this time, however, with an emphasis on written supervisory procedures—for any activities or functions that third-party vendors perform. The guidance also adds third-party vendor functions concerning risk management, cybersecurity, business continuity, sales and trading activity and customer communications. The previous guidance covered certain third parties performing administrative functions, accounting and finance activities, legal and compliance matters, information technology, and operations.

In its new notice, FINRA highlights examination findings and disciplinary actions arising out of a firm’s vendor relationships. On cybersecurity, for example, FINRA observed that firms often failed to test cybersecurity controls of vendors, failed to perform oversight of technology changes vendors make that affect the firm’s business, and failed to detect underlying malfunctions as a result of inadequate systems testing. FINRA also shares in the notice that vendor deficiencies occurred with respect to multifactor authentications and storage of confidential data. Additionally, the regulator notes the presence of book and record issues, including firms failing to test outsourced vendors calculating mark-ups and mark-downs. Further, FINRA disciplined firms for failing to catch vendor systems malfunctions, vendor failures to preserve and produce business-related electronic communications, and firm failures for establishing an audit system for a vendor’s preservation of emails.

Recognizing that there is not a “one-size-fits-all approach to vendor management and related compliance obligations,” FINRA posed questions that firms might use when evaluating “their systems, procedures and controls relating to vendor management.” The questions are straightforward and cover the entire lifecycle of a firm’s relationship with a vendor, including (i) the decision to outsource; (ii) the due diligence approach to vendor conflicts of interest and cybersecurity; (iii) vendor contracting (as well as vendor on-boarding) and default settings on vendor tools; and generally, (iv) supervision. In so doing, the notice lists applicable rule obligations—on supervision, registration, cybersecurity, and business continuity planning—for helping firms assess whether supervisory procedures for outsourced functions are sufficient to maintain compliance.

FINRA Wants Feedback on OFI Report on Cloud Computing

In FINRA’s OFI report, “Cloud Computing in the Securities Industry,” FINRA highlights the regulatory implications of a technology that provides immediate availability and computing power for users without any direct active management. Broker-dealer firms are increasingly dependent on cloud computing to handle operational, business, and regulatory compliance issues.

The report is the product of OFI’s review of cloud computing from the perspective of broker-dealers, service providers, industry analysts, and technology consultants. In its review, OFI considered the risks and challenges of the technology on (i) cybersecurity management; (ii) data privacy for client records; (iii) outsourcing to, and relationship management with, service cloud providers; (iv) business continuity; and (v) recordkeeping.

OFI drew several conclusions. On so-called “Software as a Service” products (“SaaS”), OFI found that firms tended to purchase off-the-shelf SaaS products when migrating data to the cloud. Firms also tended to be cautious in migrating data and functionality to the cloud, using “targeted, incremental and iterative rollouts” or “pilot programs” before a full launch. Such a cautious approach, OFI states in its report, acknowledges “the need for project modifications, specialized skills and training, and measuring financial impact.” OFI also notes that firms expended significant resources developing governance, training, and security policies related to cloud computing and found that cloud adoption required organizational and cultural changes for ensuring “responsiveness to business needs and enhanced time-to-market capabilities.” That includes assessments of technology expertise, acquiring cloud computing expertise, and retraining. Finally, OFI states in its findings that firms coordinated data migrations with software enhancements to—in the words of the head of the OFI—seek “to explore how these technologies can be used to personalize customer experiences, analyze larger amounts of data faster and increase their competitiveness in areas of rapid innovation.”

OFI seeks feedback on the report, including any additional guidance or modifications to FINRA rules that support firm movement toward cloud computing. Comments are due by October 16, 2021.

FINRA Issues Alert on Warning Against Phishing Campaign Using Imposter FINRA Domain Names

On August 13, 2021, FINRA warned members about another (see previous Bates post,) phishing campaign using emails with the imposter FINRA domain names @finrar-reporting.org, @Finpro-finrar.org, and @gateway2-finra.org. As in the previous warning, FINRA asks recipients of any of these emails not to click on a link in the email to “view request” or provide information. For those who may have responded, FINRA recommends notifying appropriate individuals within their firm of the incident.

Conclusion

FINRA’s latest guidance on supervising third-party vendors and OFI requests for feedback about its observations on various approaches to cloud computing, reinforce the necessity of keeping pace with the admonitions of the regulator. Those actions are increasingly challenging. Reliance on third-party vendors and use of advanced technology is growing. FINRA makes clear that firms are responsible for the work of outsourced providers. As a result, the burden on firms to figure out how to integrate technology effectively and how to supervise outside expertise and systems successfully is growing. By contrast, the warning on phishing is a reminder of how vulnerable complex systems can be to some simple tactics used by fraudsters.

Bates will continue to monitor developments.

Please follow the links below to Bates Group's practice pages:

Consulting and Expert Testimony

Retail Litigation and Consulting

Regulatory and Internal Investigations

Bates Compliance

Bates AML and Financial Crimes

Institutional and Complex Litigation

For FINRA arbitration and litigation matters, please see:

Litigation Services and Damages Analyses

Search for a Quantitative or Substantive Consultant or Testifying Expert

Virtual Hearing and Mediation Services