
© 2017 Financial Industry Regulatory Authority, Inc. All rights reserved. 1

Outsourcing and Vendor Management Thursday, November 9 11:30 a.m. – 12:30 p.m.

While outsourcing is an activity or function that a third-party service provider performs to assist an organization, an outsourcing arrangement does not relieve firms of their ultimate responsibility for compliance with all applicable laws and security regulations. During this session, FINRA staff and industry members address the use of third-party service providers. Panelists also discuss policies, procedures, and resources to effectively analyze new and existing vendors, how to oversee third-party providers and their services, and what to do when you terminate a vendor relationship.

Moderator:

Lance Burkett, District Director, FINRA Denver District Office

Panelists:

Paige Pierce, Management Consultant, Larimer Capital Corporation

Joanne Salisbury, Chief Compliance Officer, E.K. Riley Investments, LLC

Harry Striplin, Chief Compliance Officer, Umpqua Investments, Inc.


Outsourcing and Vendor Management Panelist Bios

Moderator:

Lance Burkett is District Director of the FINRA Denver District office. Mr. Burkett began his securities industry career in 1993 as a Securities Fraud Investigator for the State of Arizona Securities Division, working exclusively on fraud cases involving broker-dealers. Later, at a FINRA member firm, he was responsible for supervising Producing Branch Managers and Field Representatives as the Field Compliance Director. Throughout his tenure with FINRA, Mr. Burkett has held positions ranging from Compliance Examiner, responsible for examining FINRA member firms for general compliance, to District Director, responsible for the management and oversight of the regulatory programs within the Denver District office. In addition to his regulatory responsibilities, Mr. Burkett earned his Certified Regulatory and Compliance Professional™ designation through the FINRA Institute at Wharton and has developed content and presented at several FINRA Institute class offerings.

Panelists:

Paige W. Pierce, of Larimer Capital, brings more than 25 years of senior-level investment industry experience with small firms and major corporate entities in the North American capital markets to her corporate position and board work. She specializes in start-ups and turn-around operations in fast-paced environments, as well as regulatory and legislative affairs in the investment and banking industries. Driven by purpose and the desire to make a difference, while consistently and strategically innovating to drive performance, she challenges norms and conventions to forge new paths and create value at every level. Ms. Pierce has significant regulatory and legislative experience working with and lobbying members of U.S. Congress, staff, the Federal Reserve, and industry regulators for the interests of SMEs and retail investors in the investment industry. She has vast Executive Committee experience serving on numerous corporate, regulatory and industry association boards, committees, and councils. Ms. Pierce was the first Interdealer Broker executive to be elected to represent the interests of Small Firms on both the Financial Industry Regulatory Authority (FINRA) Small Firms Advisory Board (Chair 2017) and FINRA's National Adjudicatory Council, the appellate body for regulatory actions brought by FINRA against members and member firms within the investment industry, as well as membership application appeals. She was elected in 2008 and 2015 to serve 3-year terms on the FINRA District 3 Committee (Chair 2010) and was honored to have been the first IDB chosen for the FINRA Fixed Income Committee. She was a co-founder of the PSA Women in the Investment Industry group, the SIFMA Municipal Securities Broker's Broker Committee, the Bond Dealers of America Small Firm Division, and the Municipal Bond Information System. In 2008, Ms. Pierce was appointed by the United States Air Force 388th Fighter Wing as Honorary Commander and Falcon at Hill Air Force Base in Utah, and serves to this day with pride. She is an alumna of the London Business School, having completed the 5-year YPO LBS Executive Education Program in May 2017. Following graduation, Ms. Pierce was named Chair of the YPO London Business School Executive Education Program (2018-2020).

Joanne M. Salisbury, FLMI, AIRC, is a progressive and proven leader who in the past 35 years has held executive positions as President, Chief Compliance Officer, Chief Financial Officer and Chief Operating Officer at a variety of firms including full-service, online, self-clearing, fully-disclosed and insurance-affiliated BDs and RIAs. She currently serves as Chief Compliance Officer of E.K. Riley Investments, LLC, and operates Salisbury Consulting, a compliance and risk-management consulting firm for financial and legal professionals. Ms. Salisbury believes that organizational strategies must be effective and adaptable and that they must be applied with a common sense that allows representatives, advisors and staff to do their jobs. Ms. Salisbury enjoys driving business value and achieving results while promoting efficiency, developing and delivering education, and designing surveillance and support programs that really work. Ms. Salisbury has been a member of the Financial Services Institute, the Wood’s Creek Executive Peer Group and NACHA. She served on FINRA’s District 3 Committee in 2016, was past-president of the Northwest Securities Management Association and sat on the Broker/Dealer Committee for LIMRA/LOMA. Ms. Salisbury currently participates in the Seattle RIA CCO Roundtable, speaks on compliance matters at a variety of venues and is an active volunteer with ArtsFund (formerly Puget Sound Council of the Arts) and Hopelink. Over the years she has attained multiple securities designations, such as the series 4, 7, 24, 27, 53, 55, 63, 65 and 99.


Harry Striplin is Chief Compliance Officer for Umpqua Investments, Inc., a small firm headquartered in Portland, Oregon. He has been with Umpqua Investments for six years. Mr. Striplin has more than 33 years of experience working at small firms and more than 23 years serving as a Chief Compliance Officer in the small firm environment. He has served as a member of FINRA’s District 3 Committee, the Securities Industry Regulatory Council on Continuing Education and has been a panelist at FINRA securities conferences. Mr. Striplin has been a member of the Securities Industry Continuing Education Content Committee for over 17 years. Mr. Striplin serves as an arbitrator for FINRA Dispute Resolutions and has achieved his Certified Regulatory and Compliance Professional™ (CRCP™) certification through the FINRA Institute at Wharton.


2017 Small Firm Conference

November 8 – 9 | Santa Monica, CA

Outsourcing and Vendor Management


FINRA Small Firm Conference | © 2017 FINRA. All rights reserved.

Moderator

Lance Burkett, District Director, FINRA Denver District Office

Panelists

Paige Pierce, Management Consultant, Larimer Capital Corporation

Joanne Salisbury, Chief Compliance Officer, E.K. Riley Investments, LLC

Harry Striplin, Chief Compliance Officer, Umpqua Investments, Inc.


To Access Polling

Under the “Schedule” icon on the home screen, select the day, choose the Outsourcing and Vendor Management session, and click on the polling icon.


Polling Question 1

1. How many of you have a documented vendor management program?

a. Yes

b. No

c. N/A


Polling Question 2

2. How many outsourcing and vendor management arrangements does your firm (or its branch offices) utilize?

a. Don’t know

b. None

c. 1-3

d. 4-9

e. 10 or more


Sample Vendor Annual Questionnaire

To be completed by the Vendor

This questionnaire has been issued by __________________ (name of firm) to satisfy certain supervision and monitoring requirements.

Table of Contents:

Section 1 General Information

Section 3 Contracted Services

Section 4 Technology

Section 5 Marketing

Section 6 Financial Health

Section 7 Third-party Audit

Section 8 Certification

Please return this questionnaire and/or direct any questions to:

Name: ____________________

Title: ____________________

Email: ____________________

Phone: ____________________

Mailing Address: ____________________


Section 1 | General Information

Full business name (as listed on your state license(s), no abbreviations)

Primary address where services for the firm are performed

City

State

Zip

Mailing address

Same Different:

City

State

Zip

Do you have other locations at which services for The firm are performed?

Yes No

If yes, please indicate the purpose of each location and its address:

Web site address

Federal tax ID #

In the event we have questions regarding the completion of this summary, whom should we contact?

Name:

Email:

Phone Number:

Additional contact information:

Section 2 | Contracted Services. (Customize/expand this section as appropriate to the contracted services – some examples below)

Please describe the general services you perform on behalf of the firm:

Who is responsible for overseeing services on behalf of the firm?

What is the total number of staff dedicated to the services?

What experience is required of new staff?

Please describe the new staff training program.


Please describe your process for ____________________

What is your turnaround time (goal and actual) for ___________________?

What are your quality control procedures for ____________________?

What is your accuracy rate standard or the SLA applicable to the firm contract?

How is evidence of __________________________ maintained?

Family Batch Other (please describe):

How is any backlog managed?

How is missing or incorrect information handled?

How are non-standard _______________________ handled?

How are OFAC reviews handled?

Do you work with contractors during the _____________ process?

Yes No

If yes, how many:

Have there been any complaints, whether accepted or denied, regarding the services?

Yes No If yes, please describe:

Is there a formal procedure for tracking complaints and their resolution?

Yes No If yes, please describe:

Do you maintain and conduct fraud detection procedures?

Yes No

If yes, how are suspect situations flagged and tracked?

Are there any exceptions to the processes noted above?

Yes No

If yes, please describe:

Section 3 | Technology

Please comment on the software or systems used to support services performed under contract with the firm and give a brief description of the activity supported by the software or system.

Software/System name: Used to:


Is your IT department in-house or are these responsibilities outsourced?

If outsourced, please provide the full name of the outsource party:

Do you have a formal program for protecting confidential and sensitive information?

Yes No

If yes, please describe or attach a copy of the program:

What security measures are in place to monitor system overrides?

Is there a person or department responsible for this function?

Yes No

Do you review for duplicate entries?

Yes No

Please describe your records retention schedule:

What type of media are the records stored on?

Please attach a copy of your disaster recovery program.

Has the disaster recovery program been tested within the last 12 months?

Yes No If no, please provide date that the next test will be performed:

Section 4 | Marketing

Please describe your marketing approach:

Do you concentrate marketing efforts on any specific industries?

Yes No If yes, please describe:

What is your average client size based on value of services handled?

How many clients did you add in the past 12 months?

How many clients did you cease services for in the past 12 months?

Are you currently aware of any negative press that is pending about your company?

Yes No

Section 5 | Financial Health


Are you subject to a third-party financial audit?

Yes No

If yes, when was your last third-party financial audit completed?

If no, please attach a copy of your latest balance sheet.

Section 6 | Third-party Audit

Have the services contracted for the firm been subjected to a SSAE16 audit in the last 12 months?

Yes No

If yes, please attach copy of the latest audit report with this questionnaire.

If yes, were there any unresolved findings?

Yes No

If yes, please note each finding and the expected date for resolution:

Section 7 | Certification

I, the undersigned representative of the business identified in Section 1 of this questionnaire, certify that the information contained herein is correct to the best of my knowledge.

Signature: _________________________________ Date: ______

Printed Name / Title: _________________________________


Sample Vendor On-Site Audit Template

To be completed by firm.

This template was created to guide ___________’s staff as they perform on-site audits of vendors to satisfy certain monitoring and supervision requirements.

Table of Contents:

Section 1 General Information

Section 2 Pre-Audit Checklist

Section 3 Vendor Interview

Section 4 Performance Audit

Section 5 Records Audit

Section 6 Certification

Section 1 | General Information

Full Business Name of the vendor

Is vendor a Division or Subsidiary of Another Business? If yes, Name of Parent:

Audited Location Address

City

State

Zip

Vendor Contact Name

Nature of Vendor’s General Business

Audit done for (The firm function or division)

Auditor name

Date(s) audit conducted


Section 2 | Pre-Visit Planning Sheet

Notes from Review of Service Agreement or Contract

Notes from Review Annual Questionnaire Responses

Amount of Business YTD ($ or pieces processed by vendor, for the firm)

Has business flowing through this vendor increased, decreased or stayed the same year-over-year?

Any concerns from the firm’s business area that works with this vendor?

Any negative press or public concerns about this vendor? (e.g. Google the vendor)

Applicable Service Level Agreements (SLA), if any

SLA Test Plan (outline your general plan to review SLAs based on SLA assurance reports received from the vendor and/or the SLAs outlined in the written agreement or contract with the vendor.)

List the records you anticipate reviewing while on-site


Section 3 | On-site Audit Interview (In addition to the question below, identify the purpose for your visit and the records you anticipate reviewing)

Audit interview (with a principal or other key contact at the vendor) Name Title

Services & Staffing:

Ask vendor to describe the activities they conduct for your firm (i.e. do they match your expectations and the written contract?)

Is the vendor handling any activities for the firm that are outside of the scope of its contract/agreement?

How many of the vendor’s staff conduct activities for the firm?

How many staff in total does the vendor have assigned to similar activities?

Are subcontractors used for any of the firm’s activities?

Does the vendor anticipate reorganizing any staff that conduct activities for the firm?

Are all services for the firm handled at this location? If no, where are other activities conducted?

Are there written job descriptions that define responsibilities for the individuals conducting activities for the firm?

Does the vendor have change management controls in place to ensure any changes in procedures are documented and approved?

What qualifications are required of staff that conduct activities for the firm?

Is there a written training program for new staff?

Is completed training reviewed and evaluated?


Records:

Are all records related to the firm activities archived (or readily accessible) from this location? If no, where are records archived?

How long does the vendor retain records related to its activities for the firm?

Has the vendor received any requests from anyone other than the firm for records related to its activities for the firm? (e.g. state examiner). If yes, note who, when, what was requested.

Other:

Is the vendor aware of any pending matters that may affect its ability to conduct activities for the firm in the next 18 months?

Has the vendor had any security breaches – physical or electronic – in the past 18 months? If yes, describe:

Additional Interview Notes:


Section 5 | Performance Audit

Based on the firm’s sampling criteria and the services provided by this vendor, conduct an independent assessment of whether the vendor is meeting their SLAs for timeliness and quality control. Include additional documents as needed to support your review. Redact any customer PII from your notes.


Section 5 | Records Audit

Based on your pre-audit planning in Section 2 of this document, note the records you reviewed while on-site and describe any concerns you had regarding the 1) availability of the records, 2) the content of the records or 3) your ability to review the records in a timely manner.

Section 6 | Certification

I certify that I visited this vendor on the dates indicated and that the information contained herein is correct to the best of my knowledge.

Signature: _________________________________ Date: ______

Printed Name / Email / Phone Number: _________________________________


Vendor Management Considerations

Do you have a comprehensive, current list of your vendors and who manages and/or supervises (as needed) each relationship?

Is the vendor:

1. Performing services under a written agreement or contract with your firm?

2. In direct contact with consumers or customers? (e.g. answering questions from customers)

3. Making substantive decisions or otherwise using discretion in their work for you?

Have you done a risk assessment of each vendor? Risk considerations include but are not limited to:

Contractual Risk

o Contract should contain a thorough description of services to be provided by the vendor including what services the vendor cannot or will not provide, to enable clear expectations for both the vendor and your firm.

Strategic Fit and Business Value Risk

o Ensure the vendor’s ongoing alignment with your firm’s needs and strategy.

Business Continuity Risk

o Assess the possibility of service disruptions due to factors within the vendor’s scope of control.

Physical Security Risk

o Assess the vendor’s approach to granting and managing physical access to the vendor’s location(s) of operations and your firm’s assets.

Information Security Risk

o Assess the vendor’s processes for ensuring the confidentiality, integrity and availability of your firm’s data, issuance of breach notifications etc.

Technology Risk

o Assess the viability of tools and systems used by the vendor.

Financial and Credit Risk

o Consider the vendor’s ability to provide services to your firm if they suffer financial distress.

Risk of Insufficient Insurance Coverage

o Consider the vendor’s insurance coverage and/or coverage under your insurance.

Legal or Regulatory Risk

o Assess the vendor’s ability to comply with applicable laws and regulations.

Reputation Risk

o Assess the impact of a significant reputational event involving the vendor.

Concentration Risk

o Understand and possibly limit and/or reduce exposure to a single vendor.

Termination Risk

o Assess the risk of contract termination whether initiated by your firm or the vendor.

Vendor Supervision & Monitoring Considerations:

Policies and procedures may take into account general considerations such as:

Compliance with the written contract

Operations

Management

Regulatory or Litigation Issues

Complaint Handling & Volume

Information Security Procedures

Privacy Breaches

Staffing/Resources

Books and Records

Annual Questionnaire Responses

Onsite Audit Findings

Quality or Timeliness Concerns


Policies and procedures may also include targeted review activities specific to a vendor’s contracted services, including but not limited to:

Prior concerns or audit findings

Changes in your firm’s related procedures

Background or other required checks of personnel

Compliance with established regulations or guidelines

Compliance with contracted or published response and turnaround times (SLAs)

Accuracy of monetary calculations (as applicable) related to the contracted service(s)

Accuracy of time stamps

Accuracy of written process documentation

Reviews should be of a frequency adequate to determine that the contracted services are being delivered by the vendor in a competent and compliant manner. As deemed appropriate, reviews of vendors may include:

Information gleaned from reports from the vendor, such as an SSAE16 Audit Report on Controls (or equivalent).

Onsite audits (see sample template)

Periodic questionnaires (see sample questionnaire)

Other considerations for vendor management include:

Does assigned staff have adequate experience to supervise the vendor?

Are monitoring activities following a set schedule?

What documentation should be retained as evidence of reviews?


Notice to Members

NASD NTM 05-48

JULY 2005

GUIDANCE

Outsourcing

Members’ Responsibilities When Outsourcing Activities to Third-Party Service Providers

SUGGESTED ROUTING

Legal and Compliance

Operations

Senior Management

KEY TOPICS

Due Diligence

Outsourcing

Supervisory Responsibilities

Third-Party Service Providers

Executive Summary

NASD is aware that members are increasingly contracting with third-party service providers to perform certain activities and functions related to their business operations and regulatory responsibilities that members would otherwise perform themselves—a practice commonly referred to as outsourcing. NASD is issuing this Notice to remind members that, in general, any parties conducting activities or functions that require registration under NASD rules will be considered associated persons of the member, absent the service provider separately being registered as a broker-dealer and such arrangements being contemplated by NASD rules (such as in the case of clearing arrangements), MSRB rules, or applicable federal securities laws or regulations. In addition, outsourcing an activity or function to a third party does not relieve members of their ultimate responsibility for compliance with all applicable federal securities laws and regulations and NASD and MSRB rules regarding the outsourced activity or function. As such, members may need to adjust their supervisory structure to ensure that an appropriately qualified person monitors the arrangement. This includes conducting a due diligence analysis of the third-party service provider.

Questions/Further Information

Questions or comments concerning this Notice may be directed to Patricia Albrecht, Assistant General Counsel, Office of General Counsel, Regulatory Policy and Oversight, at (202) 728-8026.


Background

The practice of contracting with third-party service providers/vendors to perform certain activities and functions on a continuing basis (outsourcing) is not new to the securities industry. For example, NASD Rule 3230 (Clearing Agreements) has long permitted members that are introducing broker-dealers to enter into contracts with registered clearing broker-dealers that allocate certain functions and responsibilities, such as providing execution services, custody, and margin; maintaining books and records; and receiving, delivering, and safeguarding funds. Over the years, however, members’ outsourcing activities have grown beyond the use of clearing agreements. Now, members regularly enter into outsourcing arrangements with entities other than broker-dealers. These entities may be unregulated, such as providers of data services, or regulated, such as transfer agents. Additionally, members increasingly are outsourcing activities other than those traditionally performed pursuant to clearing agreements.

To better understand their members’ outsourcing activities, NASD and the New York Stock Exchange (NYSE) conducted a joint survey in October 2004 of a select number of broker-dealers. The survey sought to determine whether broker-dealers had procedures in place to determine the proficiency of service providers, whether outsourced business functions were properly monitored, and whether broker-dealers were in compliance with applicable regulations pertaining to the privacy of customer information in connection with such outsourcing arrangements. The survey found that, in many instances, there was a lack of written procedures to monitor the outsourcing of services, a lack of business continuity plans on the part of service providers and members with respect to outsourced services, and a lack of formalized due diligence processes to screen service providers for proficiency. However, while not always in the form of written procedures, most participants reported that they did have methods that they used to monitor and assess a third-party vendor’s own procedures and performance and the accuracy and quality of the work product produced on a continuing basis. These methods included (1) using programmatic checks through business operations; (2) including the procedures in the contracts with the vendors; (3) requiring status reports and periodic meetings; and (4) testing and reviewing the third parties’ procedures.

The survey results also provided a snapshot of the type and range of activities being outsourced and the nature of the third-party service providers being used. Survey participants frequently outsourced functions associated with accounting/finance (payroll, expense account reporting, etc.), legal and compliance, information technology (IT), operations functions (e.g., statement production, disaster recovery services, etc.), and administration functions (e.g., human resources, internal audits, etc.). Approximately two-thirds of the third-party vendors used by survey participants were regulated entities, subject to the jurisdiction of the Securities and Exchange Commission, NASD, NYSE, the Board of Governors of the Federal Reserve System, and/or the Office of the Comptroller of the Currency. The remaining third-party vendors were unregulated entities—both foreign and domestic. Survey participants indicated that they used foreign third-party vendors most often when outsourcing IT and communications activities.1

NASD NTM 05-48, JULY 2005


Discussion

Given the growing trend among members to outsource an increasing number of activities and functions to outside entities—both regulated and unregulated—and the lack of uniformity in members’ procedures regarding members’ use of outsourcing, NASD is issuing this Notice to provide guidance on requirements that pertain to the outsourcing of activities and functions that, if performed directly by members, would be required to be the subject of a supervisory system and written supervisory procedures pursuant to Rule 3010 (covered activities).2 In addition, members are reminded that, in the absence of specific NASD rules, MSRB rules, or federal securities laws or regulations that contemplate an arrangement between members and other registered broker-dealers with respect to such activities or functions (e.g., clearing agreements executed pursuant to NASD Rule 3230), any third-party service providers conducting activities or functions that require registration and qualification under NASD rules will generally be considered associated persons of the member and be required to have all necessary registrations and qualifications.

I. Accountability and Supervisory Responsibility for Outsourced Functions

Rule 3010 requires NASD members to design a supervisory system and corresponding written supervisory procedures that are appropriately tailored to each member’s business structure.3 If a member, as part of its business structure, outsources covered activities, the member’s supervisory system and written supervisory procedures must include procedures regarding its outsourcing practices to ensure compliance with applicable securities laws and regulations and NASD rules. The procedures should include, without limitation, a due diligence analysis of all of its current or prospective third-party service providers to determine whether they are capable of performing the outsourced activities.4

After the member has selected a third-party service provider, the member has a continuing responsibility to oversee, supervise, and monitor the service provider’s performance of covered activities. This requires the member to have in place specific policies and procedures that will monitor the service providers’ compliance with the terms of any agreements and assess the service provider’s continued fitness and ability to perform the covered activities being outsourced. Additionally, the member should ensure that NASD and all other applicable regulators have the same complete access to the service provider’s work product for the member, as would be the case if the covered activities had been performed directly by the member.


Members should also include specific policies and procedures to determine whether any covered activities that the member is contemplating outsourcing are appropriate for outsourcing. To determine the appropriateness of outsourcing a particular activity, firms may want to consider certain factors, such as the financial, reputational, and operational impact on the member firm if the third-party service provider fails to perform; the potential impact of outsourcing on the member’s provision of adequate services to its customers; and the impact of outsourcing the activity on the ability and capacity of the member to conform with regulatory requirements and changes in requirements.5 These factors, however, are not meant to illustrate all of the factors a member may want to consider and are not meant to be an exclusive or exhaustive list of factors a member may need to consider.

In addition, members are reminded that outsourcing covered activities in no way diminishes a member’s responsibility for either its performance or its full compliance with all applicable federal securities laws and regulations, and NASD and MSRB rules.

II. Activities and Functions that are Prohibited from being Outsourced

A. Activities and Functions Requiring Registration and Qualification

It is NASD’s view that the performance of covered activities, which require qualification and registration, cannot be deemed to have been outsourced because the person performing the activity is an associated person of the member irrespective of whether such person is registered with the member. An exception would be where a third-party service provider is separately registered as a broker-dealer and the contracted arrangement between the member and the service provider is contemplated by NASD rules, MSRB rules, or applicable federal securities laws or regulations.6 An example of such an exception would be a clearing agreement executed pursuant to NASD Rule 3230 between a member and a clearing broker-dealer.7

B. Supervisory and Compliance Activities

NASD has noted in previous guidance that the ultimate responsibility for supervision lies with the member.8 Accordingly, a member may never contract its supervisory and compliance activities away from its direct control. This prohibition, however, does not preclude a member from outsourcing certain activities that support the performance of its supervisory and compliance responsibilities. For example, a member may implement a supervisory system designed by another party, which could include a computer software program that detects excessive trading in customer accounts. However, if a member chooses to implement such a system, it must make its own determination that the system implemented is current and reasonably designed to achieve compliance as required under Rule 3010. This may include, for example, monitoring the system to ensure that it functions as designed and that such design is of an adequate nature and breadth.9


©2005. NASD. All rights reserved. Notices to Members attempt to present information to readers in a format that is easily understandable. However, please be aware that, in case of any misunderstanding, the rule language prevails.

Endnotes

1 A February 2005 joint report by the Joint Forum of the Basel Committee on Banking Supervision found similar trends in the use of outsourcing by financial firms. See Outsourcing in Financial Services, The Joint Forum of the Basel Committee on Banking Supervision (February 2005). The Joint Forum was established in 1996 under the aegis of the Basel Committee on Banking Supervision (Basel Committee), the International Organization of Securities Commissions (IOSCO), and the International Association of Insurance Supervisors (IAIS) to address issues common to the banking, securities, and insurance sectors, including the regulation of financial conglomerates. The Joint Forum is composed of an equal number of senior bank, insurance, and securities supervisors representing each supervisory constituency.

2 Examples of covered activities include, without limitation, order taking, handling of customer funds and securities, and supervisory responsibilities under Rules 3010 and 3012.

3 See Rule 3010(a) and (b); Notice to Members (NTM) 99-45 (June 1999).

4 Rule 3012 also requires a member firm to have a written supervisory control system that will, among other things, test and verify that the member’s supervisory policies and procedures are reasonably designed to achieve compliance with the applicable securities laws and regulations and NASD rules. Members are reminded that this requirement includes the testing and verification of their supervisory procedures regarding their outsourcing practices, including testing and verifying that any due diligence procedures meet the “reasonably designed to achieve compliance” standard. See NTM 99-45 (June 1999) (providing guidance on the meaning of the term “reasonably designed to achieve compliance”). Such testing and verifying will help firms to ensure that their due diligence analyses of third-party service providers remain current and relevant.

5 Members may also want to consult a February 2005 IOSCO report for more factors that they should consider in connection with outsourcing. See Principles of Outsourcing of Financial Services for Market Intermediaries, IOSCO Technical Committee (February 2005). Another resource members may want to consider is the previously mentioned report by the Joint Forum of the Basel Committee on Banking Supervision. Outsourcing in Financial Services, supra note 1.

6 NASD does not view a third-party vendor as an associated person of the member if it solely provides services such as a trade execution and reporting system or automated data services in connection with back-office functions that, in turn, are utilized by registered or other associated persons of the member.

7 See Rule 3230(a)(1). Some members also enter into secondary or sub-clearing (sometimes referred to as “piggyback clearing”) arrangements for clearing services with an intermediary firm that has an existing contract with a clearing firm instead of contracting directly with the clearing firm. Because intermediary firms do not always identify to clearing firms which accounts belong to the piggybacking firms, NASD has filed with the SEC a proposed rule change to Rule 3230 and Rule 3150 (Reporting Requirements for Clearing Firms) that would require intermediary firms to identify the accounts belonging to the piggybacking firms and that would require clearing firms to distinguish the data belonging to intermediary firms from the data belonging to the piggybacking firms.

8 See NTM 99-45 (June 1999).

9 See id.