The Financial Industry Regulatory Authority (FINRA) was formed in 2007 and is authorized by Congress to protect American investors and oversee the broker-dealer industry. FINRA is a not-for-profit self-regulatory organization rather than a government agency; it discharges this mandate by writing and enforcing rules that govern the business activities of member firms, including the security of their systems and customer data. With few exceptions, broker-dealer firms doing securities business with the public in the United States must register with FINRA.
In August 2021, FINRA published Regulatory Notice 21-29, reminding member firms that their supervisory obligations extend to activities they outsource to third-party vendors: outsourcing a function does not outsource the firm's responsibility for complying with FINRA rules and U.S. Securities and Exchange Commission (SEC) regulations. The notice arrived shortly after the Federal Reserve Board, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) proposed interagency guidance on third-party risk management for banking organizations, and it makes the same point for brokerage firms: a comprehensive third-party risk management (TPRM) program is expected.
This blog will analyze the obligations and rules listed in Regulatory Notice 21-29, partner these obligations with appropriate TPRM strategies, and suggest a cybersecurity roadmap to establish a TPRM program and comply with FINRA’s rules.
Regulatory Notice 21-29
FINRA published Regulatory Notice 21-29 alongside its Cloud Computing in the Securities Industry report. Both publications acknowledge that reliance on third-party vendors has grown rapidly in the finance industry in recent years, driven by the COVID-19 pandemic and the expansion of digital supply chains.
Member firms should draw four key takeaways from the notice:
- FINRA expects robust TPRM in the financial sector, and the FDIC, OCC, and other regulators have signaled the same expectation for the institutions they supervise.
- FINRA treats vendor management as a component of its existing rules and their amendments, not as a separate requirement.
- A member firm's obligations under the FINRA rulebook do not change when a vendor performs the activity; the firm remains responsible for the outsourced function.
- When a vendor's failure causes the firm to fall out of compliance, FINRA holds the member firm, not the vendor, accountable.
In addition to these four takeaways, brokerage firms should note that Regulatory Notice 21-29 includes an appendix summarizing past disciplinary actions against members who failed to supervise outsourced activities adequately, failures that a carefully designed Vendor Risk Management program could have prevented. These enforcement actions included considerable monetary fines and formal censures, consequences that significantly outweigh the cost of implementing a TPRM program.
What Rules Did FINRA Identify in Regulatory Notice 21-29?
By publishing Regulatory Notice 21-29, FINRA aimed to remind members of their regulatory obligation to establish a supervisory system, develop risk management programs, and otherwise oversee and monitor their third-party relationships. The notice highlights four main rules and obligations that members must comply with (it also reminds firms that their books-and-records obligations follow data into vendor-hosted storage):
- FINRA Rule 3110: Supervision
- FINRA Rule 1220: Registration Categories
- SEC Regulation S-P Rule 30
- FINRA Rule 4370: Business Continuity Plans
SEC Regulation S-P Rule 30, the Safeguards Rule, is the most directly cybersecurity-focused of these four obligations. Rule 3110 and Rule 4370 also depend on TPRM strategies, because they require member firms to develop supervisory controls and continuity plans that cover cyber risk and outsourced information technology. Rule 1220 is relevant because the notice makes clear that outsourcing does not remove registration requirements: vendor personnel who perform functions that require registration must themselves be appropriately registered.
Keep reading for a summary of each TPRM-related rule identified by Regulatory Notice 21-29.
FINRA Rule 3110
FINRA Rule 3110 requires each member firm to establish and maintain a supervisory system reasonably designed to achieve compliance with applicable securities laws and FINRA rules. Because the notice confirms that this system must cover outsourced activities, firms need processes to identify, monitor, and mitigate the risks that arise from their third-party ecosystem as well as from day-to-day business operations.
This rule requires every firm to adhere to the following requirements:
- Develop a set of written supervisory procedures.
- Designate registered principals to supervise specific business activities.
- Designate supervisors to review and process customer complaints.
- Document all customer correspondence through approved firm channels.
- Establish supervisory systems to identify fraudulent transactions.
- Preserve and produce business-related electronic communications (including emails, social media, texts, instant messages, app-based messages, and video content).
Your organization can incorporate these requirements into its TPRM business plan to ensure satisfactory compliance with FINRA Rule 3110.
SEC Regulation S-P Rule 30
SEC Regulation S-P Rule 30 requires broker-dealers to adopt written policies and procedures reasonably designed to ensure the security and confidentiality of customer records and information, protect those records against anticipated threats or hazards to their security or integrity, and protect against unauthorized access to or use of them that could result in substantial harm or inconvenience to customers. The rule also governs the proper disposal of consumer report information, so the written policies must address both the safeguards the firm has put in place and how customer information is disposed of when no longer needed.
Learn more about the cybersecurity requirements of S-P Rule 30.
FINRA Rule 4370
FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information) requires member firms to draft and maintain a written business continuity plan (BCP). This BCP must feature procedures that enable the member firm to meet its existing obligations when faced with an emergency or significant disruption.
FINRA gives member firms flexibility in how they structure their BCPs, and firms can tailor their plans to their size and business model. However, at a minimum and to the extent applicable, FINRA requires each plan to address the following elements:
- Data backup and recovery procedures (hard copy and electronic)
- List of all mission-critical systems
- Financial and operational assessments
- Alternate communications between the firm and its customers
- Alternate communications between the firm and its employees
- Alternate physical location of employees
- Critical business constituent, bank, and counterparty impacts
- Regulatory reporting
- Communications with regulators
- How the firm will ensure customers have prompt access to their funds and securities if the firm is unable to continue its business
Keep reading to learn how developing a comprehensive TPRM program can help your organization comply with the business continuity requirements of FINRA Rule 4370.
TPRM Strategies For FINRA Compliance
Brokerage firms can streamline operations by outsourcing business duties (from recordkeeping to human resource tasks) to third-party service providers. However, partnering with third-party vendors expands an organization’s attack surface by exposing the organization to additional third-party risks. FINRA’s supervisory obligations require members to identify, monitor, and mitigate risks across their third-party portfolio.
TPRM programs include risk management strategies for every stage of the vendor lifecycle. Brokerage firms can use the following TPRM strategies to establish a risk-based approach to vendor management that complies with FINRA’s rules:
- Vendor due diligence
- Vendor risk assessments
- Continuous security monitoring
- Business continuity planning
This article continues with methods your organization can use to establish a TPRM program that meets FINRA expectations.
Vendor Due Diligence
Brokerage firms can use vendor due diligence to evaluate the security posture of third-party vendors during procurement and vendor selection. A successful vendor due diligence program identifies vendor risks before onboarding, gathering enough evidence to either remove the vendor from consideration or document why the residual risk is acceptable to the business.
To collect information for vendor due diligence, use security questionnaires. Vendor security questionnaires are strategic sets of questions for identifying and evaluating the security risks of a specific vendor.
Due diligence questionnaires support compliance with SEC Regulation S-P and FINRA Rule 3110 by surfacing the following risks before a contract is signed:
- Historical data breaches
- Negligent practices
- Failed regulatory requirements
- Compliance errors
- Poor cyber threat defenses
- Exposed attack vectors
- Conflicts of interest
By identifying potential risk exposure during the due diligence process, your organization can make informed decisions about working with third-party service providers.
Vendor Risk Assessments
FINRA Rule 3110 and SEC Regulation S-P require brokerage firms to keep their third-party vendors under ongoing oversight; a one-time review at onboarding is not enough. Financial organizations can meet this expectation by conducting periodic risk assessments of specific service providers.
While your organization will want to develop a risk assessment cadence that suits your specific needs and vendor risks, consider implementing assessments at the following stages in the vendor lifecycle:
- During vendor procurement to shortlist or remove vendors from consideration
- During onboarding to establish each vendor's inherent risk and tier vendors as low, medium, or high risk
- During regular business to evaluate performance and comply with regulations
- During offboarding to ensure access termination for vendors
- During incident response to determine impact and breach severity
When your organization is developing its risk assessment cadence, it’s essential to remember vendor risk assessments are not all equal. Many organizations still rely on spreadsheet-based risk assessments that require manual data entry and significant time investment. Your organization can streamline the vendor risk assessment process with a TPRM solution like UpGuard Vendor Risk, which empowers organizations with customizable and flexible assessment templates. Automated solutions also offer continuous monitoring alongside assessment features.
Continuous Security Monitoring
To meet the ongoing supervisory obligations of FINRA Rule 3110, financial institutions need to complement their risk assessment cadence with continuous security monitoring (CSM). Where a questionnaire captures what a vendor says about its controls at one point in time, CSM automates the repeated observation of evidence: the vendor's externally visible security controls (for example, its TLS, DNS, and email authentication configuration), newly exposed services or vulnerabilities, and threat intelligence such as leaked credentials. The value is in change detection, so each pass should be compared against the previous baseline rather than reviewed in isolation.
Once your financial institution incorporates CSM into its TPRM program, its output can be routed to the registered principals responsible for vendor oversight and retained as evidence, which supports Rule 3110's supervisory system, written supervisory procedures (WSPs), and recordkeeping requirements.
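The following is an added example, not code from the original post or from UpGuard's product, of what one continuous-monitoring pass over a vendor's external footprint looks like. It evaluates a snapshot of observed facts (DMARC and SPF records, the HSTS header, certificate expiry, open ports) against a small set of checks, then diffs the result against the previous baseline so that only new findings above a severity threshold are escalated to the supervising principal. The vendor domain `example-vendor.test`, both snapshots, the watch list of risky ports, and the 180-day HSTS minimum are all constructed assumptions for illustration; a real deployment would populate the snapshot from DNS, TLS, and port-scan data collected on a schedule.

```python
"""Added example: baseline-vs-latest evaluation of a vendor's external posture.
All inputs below are constructed sample data; nothing touches the network."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Optional, Set, Tuple
import re

Finding = Tuple[str, str]  # (severity, description)

# Assumed watch list: services a vendor should not expose to the internet.
RISKY_PORTS = {21: "FTP", 23: "Telnet", 445: "SMB", 3389: "RDP"}
MIN_HSTS_MAX_AGE = 180 * 24 * 3600  # assumed minimum: 180 days
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class VendorSnapshot:
    """What one monitoring pass observed about a vendor's public footprint."""
    vendor: str
    observed: date
    dmarc_txt: Optional[str] = None        # TXT record at _dmarc.<domain>
    spf_txt: Optional[str] = None          # TXT record at <domain> beginning v=spf1
    hsts_header: Optional[str] = None      # Strict-Transport-Security header on https://<domain>
    cert_not_after: Optional[date] = None  # leaf TLS certificate expiry
    open_ports: FrozenSet[int] = frozenset()


def dmarc_policy(txt: Optional[str]) -> Optional[str]:
    """Return the DMARC p= policy (none/quarantine/reject), or None if no valid record."""
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return None
    m = re.search(r"(?:^|;)\s*p\s*=\s*(none|quarantine|reject)", txt, re.I)
    return m.group(1).lower() if m else None


def hsts_max_age(header: Optional[str]) -> Optional[int]:
    """Parse max-age out of a Strict-Transport-Security header (quoted or bare)."""
    if not header:
        return None
    m = re.search(r"max-age\s*=\s*\"?(\d+)", header, re.I)
    return int(m.group(1)) if m else None


def evaluate(snap: VendorSnapshot) -> Set[Finding]:
    """Turn one snapshot into a set of (severity, description) findings."""
    findings: Set[Finding] = set()
    policy = dmarc_policy(snap.dmarc_txt)
    if policy is None:
        findings.add(("high", "no valid DMARC record"))
    elif policy == "none":
        findings.add(("medium", "DMARC policy is p=none (monitoring only, no enforcement)"))
    if not snap.spf_txt or not snap.spf_txt.lower().startswith("v=spf1"):
        findings.add(("medium", "no SPF record"))
    elif re.search(r"\s\+all\b", snap.spf_txt):
        findings.add(("high", "SPF record ends in +all (any host may send as the domain)"))
    age = hsts_max_age(snap.hsts_header)
    if age is None:
        findings.add(("medium", "HSTS header missing"))
    elif age < MIN_HSTS_MAX_AGE:
        findings.add(("low", "HSTS max-age below 180 days"))
    if snap.cert_not_after is not None:
        days_left = (snap.cert_not_after - snap.observed).days
        if days_left < 0:
            findings.add(("high", "TLS certificate expired"))
        elif days_left < 30:
            findings.add(("medium", "TLS certificate expires within 30 days"))
    for port in sorted(snap.open_ports & set(RISKY_PORTS)):
        findings.add(("high", f"{RISKY_PORTS[port]} (tcp/{port}) exposed to the internet"))
    return findings


def diff_findings(previous: Set[Finding], current: Set[Finding]) -> Dict[str, Set[Finding]]:
    """Continuous monitoring is about change: what appeared, and what was fixed."""
    return {"new": current - previous, "resolved": previous - current}


def needs_escalation(changes: Dict[str, Set[Finding]], threshold: str = "high") -> bool:
    """Page the supervising principal only for new findings at or above the threshold;
    resolved findings are logged as evidence but do not generate an alert."""
    return any(SEVERITY_RANK[sev] >= SEVERITY_RANK[threshold] for sev, _ in changes["new"])


# Constructed sample data: two monitoring passes for a fictitious vendor domain.
BASELINE = VendorSnapshot(
    vendor="example-vendor.test", observed=date(2024, 3, 1),
    dmarc_txt="v=DMARC1; p=none; rua=mailto:dmarc@example-vendor.test",
    spf_txt="v=spf1 include:_spf.example-vendor.test -all",
    hsts_header="max-age=31536000; includeSubDomains",
    cert_not_after=date(2024, 6, 1), open_ports=frozenset({443}),
)
LATEST = VendorSnapshot(
    vendor="example-vendor.test", observed=date(2024, 5, 15),
    dmarc_txt="v=DMARC1; p=reject; rua=mailto:dmarc@example-vendor.test",
    spf_txt="v=spf1 include:_spf.example-vendor.test -all",
    hsts_header=None,  # header disappeared since the baseline pass
    cert_not_after=date(2024, 6, 1), open_ports=frozenset({443, 3389}),
)

if __name__ == "__main__":
    changes = diff_findings(evaluate(BASELINE), evaluate(LATEST))
    for label in ("new", "resolved"):
        for sev, desc in sorted(changes[label]):
            print(f"{label:8s} [{sev}] {LATEST.vendor}: {desc}")
    print("escalate:", needs_escalation(changes))
```

Running the block reports three new findings (missing HSTS, a certificate expiring within 30 days, and RDP newly exposed) and one resolved finding (DMARC moved from p=none to p=reject), and escalates because the RDP exposure is high severity. The severity threshold is what keeps a daily monitor from burying principals in noise; the resolved set is still kept because it is the evidence that the firm's oversight is working.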
Business Continuity Planning
The requirements of FINRA Rule 4370 are explicit. Financial service organizations must develop a written BCP that enables them to meet their existing obligations when faced with an emergency or significant disruption, and a vendor outage is one of the disruptions that plan must anticipate.
By aligning your BCP with your TPRM program, your organization can predict risk scenarios, develop actionable remediation workflows, improve the allocation of responsibilities and compliance obligations to appropriate stakeholders, and update your internal plans as you onboard new vendors.
The three TPRM strategies discussed above (due diligence, risk assessments, and continuous security monitoring) are critical when developing a holistic BCP that accounts for third-party risk. Each contributes to the plan in a different way:
- Vendor due diligence: Identify specific vendor risks, anticipate failure scenarios, and mitigate risks before onboarding.
- Vendor risk assessments: Identify ongoing vendor risks, anticipate new failure scenarios, coordinate remediation plans with stakeholders, tier vendors by criticality so the plan prioritizes the right ones, and update the plan as new risks are identified.
- Continuous security monitoring: Detect changes in a vendor's security posture between assessments and update the plan when a vendor's posture degrades.
How UpGuard Helps Financial Institutions with TPRM
UpGuard has helped organizations in the finance sector, like this multinational financial services provider, turbocharge their third-party risk management programs. UpGuard Vendor Risk empowers organizations to assess, remediate, and manage vendors across their vendor ecosystem by combining continuous vendor monitoring with vendor risk assessments.
The TPRM features included in UpGuard Vendor Risk also help financial institutions comply with industry frameworks (ISO 27001, PCI DSS, and others), improve their internal reporting, and meet the requirements of FINRA Rules 3110 and 4370 and SEC Regulation S-P.
Powerful features in UpGuard Vendor Risk include:
- Vendor Risk Assessments: Fast, accurate, and comprehensive view of your vendors’ security posture
- Third-Party Security Ratings: Objective, data-driven measurements of an organization’s cyber hygiene
- Vendor Security Questionnaires: Flexible questionnaires that accelerate the assessment process and provide deep insights into a vendor’s security
- Stakeholder Reports Library: Tailor-made templates that support security performance communication to executive-level stakeholders
- Remediation and Mitigation Workflows: Comprehensive workflows to streamline risk management processes and improve overall security posture
- Integrations: Application integrations for Jira, Slack, ServiceNow, and over 4,000 additional apps with Zapier, plus customizable API calls
- 24/7 Continuous Monitoring: Real-time notifications and risk updates using accurate supplier data
- Intuitive Design: Easy-to-use first-party dashboards
- World-Class Customer Service: Plan-based access to professional cybersecurity personnel that can help you get the most out of UpGuard