
Vendors, Intelligence Sharing and FINRA’s Mission

By Greg Ruppert, Executive Vice President, Member Supervision, FINRA¹

As a self-regulatory organization, FINRA is uniquely positioned to engage with member firms to understand their business models and provide them with timely, actionable insights and information. As part of FINRA Forward, FINRA is working to enhance how we support member firm compliance to better protect investors and safeguard markets, including strengthening the constructive feedback loop from FINRA’s regulatory programs to our member firms. Sharing information gathered through our regulatory programs can help member firms improve the efficiency and effectiveness of their compliance capabilities, understand how their compliance programs compare to other firms, and potentially avoid issues that might otherwise develop into compliance failures.

As part of FINRA’s engagement with member firms, FINRA has observed third-party vendors playing an increasingly important role in the financial industry with member firms gradually expanding their use of third-party vendors to perform a wide range of critical activities and functions.² In response, FINRA gathers information on member firms’ third-party vendors to understand their role and the potential risks to firms and the markets. FINRA then uses this information to proactively contact member firms regarding events impacting their third-party vendors. This information sharing represents the constructive feedback loop from FINRA’s regulatory program to our member firms, and the related benefits for member firms, the markets and FINRA.

FINRA’s Third-Party Vendor Surveys to Member Firms

In November 2023, FINRA issued an initial Vendor Questionnaire to our member firms to request information about the third-party vendors they engage with, particularly those related to “mission critical” systems and bank accounts.³ The responses to the questionnaire helped deepen our understanding of our member firms’ use of third-party vendors and the risks that may impact specific member firms and the broader industry. This enhanced understanding has enabled FINRA to engage in targeted outreach to member firms to share information about potential issues and risks related to their vendors, allowing member firms to take action to protect themselves and their customers.

Examples of FINRA’s Proactive Outreach to Member Firms

FINRA’s Risk Monitoring Program has leveraged information from member firm questionnaire responses to proactively conduct targeted member firm outreach related to events impacting their third-party vendors. In particular, this information has allowed FINRA to:

  • identify which member firms reported using certain third-party vendors (and areas of potential concentration risk in the industry);
  • quickly notify member firms when critical events or issues occur at certain third-party vendors;
  • position FINRA staff to assist member firms impacted by third-party vendor events; and
  • provide mitigation tactics, guidance or next steps to aid member firms navigating these events.

In several instances, FINRA Risk Monitoring staff were able to contact member firms to alert them to an issue or event impacting a specific third-party vendor before the member firms had become aware of the issue through other channels.

The following are several recent examples of how FINRA has used information from the Vendor Questionnaire responses to provide timely alerts and guidance to member firms when issues arose with their third-party vendors:

  • MOVEit (June 2024) – FINRA notified potentially impacted member firms of a vulnerability that could allow an unauthorized user to bypass the authentication process to gain access, and shared steps member firms could take to mitigate the vulnerability.
  • CrowdStrike (July 2024) – FINRA kept potentially impacted member firms apprised of updated intelligence related to impacts of a service disruption on the industry, and alerted member firms to reports of bad actors attempting to leverage the incident to conduct social engineering and phishing attacks.
  • Ivanti (February 2025) – FINRA conducted targeted outreach to potentially impacted member firms to share information about vulnerabilities and assess the potential impact on member firms’ operations.
  • Oracle (March 2025) – In response to an alleged large-scale data breach possibly affecting Oracle Cloud services, FINRA notified potentially impacted member firms, including firms that had previously informed FINRA of their use of Oracle products and services, as well as others whose data the threat actor claimed to have obtained.

FINRA also provides broader guidance to member firms on an ongoing basis to ensure awareness and help member firms address potential third-party risks and challenges. The Third-Party Risk Landscape section of our 2025 FINRA Annual Regulatory Oversight Report—our comprehensive annual resource for member firms to help strengthen their compliance programs—includes observations and effective practices FINRA has encountered through our Regulatory Operations Programs’ touchpoints with member firms related to their use of third-party vendors.

Next Steps

FINRA recognizes that member firms’ relationships with third-party vendors continue to evolve. To allow us to keep our information current and accurate, and to continue to provide timely insights, we issued the 2025 Third-Party Vendor Request in January 2025, asking member firms to submit up-to-date information related to their critical third-party vendors and banks, including all third-party providers that are essential to member firms’ operations, processes or functions. Our outreach goal remains the same: to use this information to better target our intelligence-sharing efforts so we can work together with our member firms toward our shared goals of customer protection and market integrity. We look forward to providing insights from this latest questionnaire iteration at a later date.

FINRA encourages member firms to contact their Risk Monitoring Analyst on an ongoing basis to report changes to third-party vendors that support their critical activities, or as cybersecurity events at these third-party vendors arise. If you need help identifying your Risk Monitoring Analyst, or have entitlement or technical questions, please contact the FINRA Support Center at (800) 321-6273 or [email protected].


1 FINRA is a not-for-profit membership organization dedicated to investor protection and market integrity. It is registered with the SEC as a national securities association.
2 See, e.g., Notice to Members 05-48 (Members’ Responsibilities When Outsourcing Activities to Third-Party Service Providers) and Regulatory Notice 21-29 (FINRA Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors).
3 Per FINRA Rule 4370(g)(1), “Mission Critical” means any system that is necessary, depending on the nature of a member's business, to ensure prompt and accurate processing of securities transactions, including, but not limited to, order taking, order entry, execution, comparison, allocation, clearance and settlement of securities transactions, the maintenance of customer accounts, access to customer accounts and the delivery of funds and securities.