The Securities and Exchange Commission (“SEC”) and Financial Industry Regulatory Authority (“FINRA”) recently issued guidance in connection with firms’ relationships with third-party service providers. These publications serve as a reminder that while vendors often provide services away from the firm, the firm nonetheless maintains responsibility to ensure customer data is handled appropriately and all activity is subject to mandatory controls.
Cybersecurity and Vendor Management
On January 27, 2020, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) released its Cybersecurity and Resiliency Observations report to assist market participants in their consideration of how to enhance cybersecurity preparedness and operational resiliency. Though couched as “findings,” the report really is a list of best practices and procedures in seven key areas: governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resilience, training, and vendor management.
Vendor management has always been a critical exam area for the SEC. The SEC confirmed that it will continue to focus on third-party service provider and network solutions oversight practices, including those leveraging cloud-based storage, as a 2020 examination priority. OCIE’s report highlighted three vendor management practices that it expects to see in robust cybersecurity programs:
(1) Establishing a vendor management program: The OCIE found that firms established programs to ensure vendors meet security requirements and implement appropriate safeguards. To that end, firms leveraged questionnaires based on industry information security control standards (e.g., SOC 2 and SSAE 19) and independent audits, and established procedures for terminating or replacing vendors.
(2) Understanding vendor relationships: The report noted efforts by firms to understand vendor relationships by reviewing contract terms to ensure all parties understood how risk and security were to be addressed.
(3) Vendor monitoring and testing: The OCIE observed firms monitoring and testing vendors’ service and staff changes, as well as their compliance with security commitments.
Market Access and Vendor Management
FINRA also issued its own 2020 Risk Monitoring and Examination Priorities Letter last month, highlighting another important aspect of vendor management: compliance with Exchange Act Rule 15c3-5 (the “Market Access Rule”). Pursuant to the Market Access Rule, broker-dealers with market access, or that provide a customer or any other person with market access, must establish, document, maintain, and regularly review the effectiveness of a system of risk management controls and supervisory procedures reasonably designed to manage the risks associated with this business activity. One area of vendor management in which the Market Access Rule is directly implicated is the use of a third-party alternative trading system (“ATS”).
FINRA previously addressed this topic in its 2017 Report on Examination Findings, when it explained that firms may rely on an outside vendor’s tools, including those of an ATS, to effect their financial controls, “but they must have direct and exclusive control over the mechanisms that have been established and remain responsible for compliance.” However, FINRA found that firms were deficient in this regard. For example, FINRA observed firms allowing ATSs to set capital thresholds for fixed income orders, instead of establishing their own thresholds, without any means to monitor for compliance during the trading day. Other firms failed to understand how their vendors’ controls worked and could not explain them to FINRA.
FINRA settlements in the past year demonstrate how broker-dealers might run afoul of the Market Access Rule when utilizing an external ATS’s services. In one instance, a firm relied on the financial risk management controls maintained by external ATSs, but failed to establish, document, and maintain its own financial risk management controls. For example, the firm lacked controls designed to prevent the entry of orders that exceeded pre-set capital thresholds, and to systemically limit the aggregate financial exposure resulting from market access across different external ATSs.
In another case, the firm established trading limits for its individual traders, but did not impose hard stop trading limits on any of the firm’s trading accounts prior to submitting them to external ATSs. This lapse in control allowed traders to exceed their individual limits in bids placed with ATSs. FINRA also found insufficient supervisory procedures designed to ensure compliance with the Market Access Rule when utilizing ATSs, such as establishing an aggregate trading limit for daily buys and sells.
* * * *
The SEC and FINRA have made clear that market participants retain accountability for certain activities carried out on the platforms of external vendors and should not rely on vendors’ controls to satisfy the firm’s own obligations. To avoid the pitfalls of such third-party arrangements, firms should incorporate these relationships into their regular risk assessments. Where deficiencies are identified, firms should establish a system of risk management controls and supervisory procedures reasonably designed to manage the financial, regulatory, and other risks of this business activity. Critically, firms must implement and practice meaningful management oversight of vendor relationships, with clear escalation lines.