How often should advisors review their vendors or third-party service providers?
It's a critical question that firms of all sizes are grappling with in order to protect their data, prevent reputational harm or financial ruin, and stay in good standing with regulators.
In a live survey conducted by FINRA during its conference this month, more than 70% of attendees in the break-out room (an audience of approximately 100 people) said they performed vendor due diligence on their most critical vendors annually. Roughly 12% said they reviewed their vendors more often; about 9% said they had no regular schedule.
The figures highlight industry-wide inconsistencies in conducting frequent vendor due diligence, despite current and pending regulations on vendor oversight.
FINRA, for example, has a rule that requires broker-dealer firms to have "reasonably designed" written supervisory procedures governing how they oversee the activities of associated persons and businesses they engage.
"But what does that mean, really? It's kind of this imperial concept, and it's vexing and liberating to firms for the same reasons, in that there are no bright-line definitions," Sarah Kwak, associate general counsel within FINRA's office of general counsel, said May 14 during the self-regulator's annual conference. Kwak was speaking on a panel about mitigating risks throughout the vendor lifecycle.
READ MORE:
Kwak said the term "reasonably designed" is meant to recognize that a supervisory system cannot guarantee firm-wide compliance to all rules and regulations.
"It's got to be tailored to what makes your firm unique. And so, at the end of the day, all supervisory roads lead back to the firm," she said. "It can't just outsource away or contract away, from its direct control, its supervisor and compliance obligation."
However, Kwak added that "doesn't mean that a firm can't seek help from others in designing and crafting a reasonably planned system," but "the firm would have to undergo due diligence and assess whether it would work for the firm."
Firms' responsibility to assess and oversee vendors has ramped up in recent years, especially as new technologies and more virtual currencies enter the market.
On May 16, the U.S. Securities and Exchange Commission (SEC) finalized an amendment that places more responsibility on financial firms to notify investors when they experience a data privacy breach. The rule, called Reg S-P, deals with consumer data protection and applies to broker-dealers, investment companies, registered investment advisors and transfer agents. The latest amendment to Reg S-P is meant "to address the expanded use of technology and corresponding risks that have emerged since" the rule was first adopted in 2020, the SEC said.
READ MORE:
This follows a long-pending proposal in which the SEC is considering making
"Whether it's a $100 piece of software or it's a $10 million enterprise payment, risk is risk," Carmi Moser, senior principal risk specialist in FINRA's cyber and analytics unit, said at the conference. "It is important for the firms to continuously assess the criticality of those software services that they're procuring from … and make sure that they bake that into their business impact analysis, business content in the process or even in their incident response process."
Brian Carter, vice president of technology at Sigma Financial, said they go through a multi-tiered, multi-department review of vendors when choosing to onboard a software program or third-party relationship. This includes questionnaires, public and financial record reviews, assessment of the potential for a cyberattack and mitigation steps, and a dive into how and where data will be stored as well as how any software program will be used within the company.
"We do phone interviews. We request cybersecurity documentation. … We're looking for penetration-testing results, looking for their business copywriting plans," Carter said during FINRA's vendor risk mitigation panel. "We also think: Do we need to update our business in case this vendor is going to be or has become critical to our business, if that platform becomes unavailable."
Even for technology platforms like Flourish, which work with RIAs, the vendor partner must also stay in constant contact with their client advisors. The team at Flourish has learned that they need to check how their data flows appear externally with third-party providers used by their clients, such as Envestnet, Orion and Black Diamond.
READ MORE:
"Every interaction your RIA has with anything to do with you — you're responsible for it," Flourish CEO Max Lane told Financial Planning on May 28. "It's a lot of crawling over broken glass. … We need to make sure we go on the other side, make sure we understand deeply when we send the data across, what does it look like on the other end?"