Members' Responsibilities When Outsourcing Activities to Third-Party Service Providers

GUIDANCE

Outsourcing

Executive Summary

NASD is aware that members are increasingly contracting with third-party service providers to perform certain activities and functions related to their business operations and regulatory responsibilities that members would otherwise perform themselves—a practice commonly referred to as outsourcing. NASD is issuing this Notice to remind members that, in general, any parties conducting activities or functions that require registration under NASD rules will be considered associated persons of the member, absent the service provider separately being registered as a broker-dealer and such arrangements being contemplated by NASD rules (such as in the case of clearing arrangements), MSRB rules, or applicable federal securities laws or regulations. In addition, outsourcing an activity or function to a third party does not relieve members of their ultimate responsibility for compliance with all applicable federal securities laws and regulations and NASD and MSRB rules regarding the outsourced activity or function. As such, members may need to adjust their supervisory structure to ensure that an appropriately qualified person monitors the arrangement. This includes conducting a due diligence analysis of the third-party service provider.

Questions/Further Information

Questions or comments concerning this Notice may be directed to Patricia Albrecht, Assistant General Counsel, Office of General Counsel, Regulatory Policy and Oversight, at (202) 728-8026.

Background

The practice of contracting with third-party service providers/vendors to perform certain activities and functions on a continuing basis (outsourcing) is not new to the securities industry. For example, NASD Rule 3230 (Clearing Agreements) has long permitted members that are introducing broker-dealers to enter into contracts with registered clearing broker-dealers that allocate certain functions and responsibilities, such as providing execution services, custody, and margin; maintaining books and records; and receiving, delivering, and safeguarding funds. Over the years, however, members' outsourcing activities have grown beyond the use of clearing agreements. Now, members regularly enter into outsourcing arrangements with entities other than broker-dealers. These entities may be unregulated, such as providers of data services, or regulated, such as transfer agents. Additionally, members increasingly are outsourcing activities other than those traditionally performed pursuant to clearing agreements.

To better understand their members' outsourcing activities, NASD and the New York Stock Exchange (NYSE) conducted a joint survey in October 2004 of a select number of broker-dealers. The survey sought to determine whether broker-dealers had procedures in place to determine the proficiency of service providers, whether outsourced business functions were properly monitored, and whether broker-dealers were in compliance with applicable regulations pertaining to the privacy of customer information in connection with such outsourcing arrangements. The survey found that, in many instances, there was a lack of written procedures to monitor the outsourcing of services, a lack of business continuity plans on the part of service providers and members with respect to outsourced services, and a lack of formalized due diligence processes to screen service providers for proficiency. However, while not always in the form of written procedures, most participants reported that they did have methods that they used to monitor and assess a third-party vendor's own procedures and performance and the accuracy and quality of the work product produced on a continuing basis. These methods included (1) using programmatic checks through business operations; (2) including the procedures in the contracts with the vendors; (3) requiring status reports and periodic meetings; and (4) testing and reviewing the third parties' procedures.

The survey results also provided a snapshot of the type and range of activities being outsourced and the nature of the third-party service providers being used. Survey participants frequently outsourced functions associated with accounting/finance (payroll, expense account reporting, etc.), legal and compliance, information technology (IT), operations functions (e.g., statement production, disaster recovery services, etc.), and administration functions (e.g., human resources, internal audits, etc.). Approximately two-thirds of the third-party vendors used by survey participants were regulated entities, subject to the jurisdiction of the Securities and Exchange Commission, NASD, NYSE, the Board of Governors of the Federal Reserve System, and/or the Office of the Comptroller of the Currency. The remaining third-party vendors were unregulated entities—both foreign and domestic. Survey participants indicated that they used foreign third-party vendors most often when outsourcing IT and communications activities.¹

Discussion

Given the growing trend among members to outsource an increasing number of activities and functions to outside entities—both regulated and unregulated—and the lack of uniformity in members' procedures regarding members' use of outsourcing NASD is issuing this Notice to provide guidance on requirements that pertain to the outsourcing of activities and functions that, if performed directly by members, would be required to be the subject of a supervisory system and written supervisory procedures pursuant to Rule 3010 (covered activities).² In addition, members are reminded that, in the absence of specific NASD rules, MSRB rules, or federal securities laws or regulations that contemplate an arrangement between members and other registered broker-dealers with respect to such activities or functions (e.g., clearing agreements executed pursuant to NASD Rule 3230), any third-party service providers conducting activities or functions that require registration and qualification under NASD rules will generally be considered associated persons of the member and be required to have all necessary registrations and qualifications.

I. Accountability and Supervisory Responsibility for Outsourced Functions

Rule 3010 requires NASD members to design a supervisory system and corresponding written supervisory procedures that are appropriately tailored to each member's business structure.³ If a member, as part of its business structure, outsources covered activities, the member's supervisory system and written supervisory procedures must include procedures regarding its outsourcing practices to ensure compliance with applicable securities laws and regulations and NASD rules. The procedures should include, without limitation, a due diligence analysis of all of its current or prospective third-party service providers to determine whether they are capable of performing the outsourced activities.⁴

After the member has selected a third-party service provider, the member has a continuing responsibility to oversee, supervise, and monitor the service provider's performance of covered activities. This requires the member to have in place specific policies and procedures that will monitor the service providers' compliance with the terms of any agreements and assess the service provider's continued fitness and ability to perform the covered activities being outsourced. Additionally, the member should ensure that NASD and all other applicable regulators have the same complete access to the service provider's work product for the member, as would be the case if the covered activities had been performed directly by the member.

Members should also include specific policies and procedures to determine whether any covered activities that the member is contemplating outsourcing is appropriate for outsourcing. To determine the appropriateness of outsourcing a particular activity, firms may want to consider certain factors, such as the financial, reputational, and operational impact on the member firm if the third-party service provider fails to perform; the potential impact of outsourcing on the member's provision of adequate services to its customers; and the impact of outsourcing the activity on the ability and capacity of the member to conform with regulatory requirements and changes in requirements.⁵ These factors, however, are not meant to illustrate all of the factors a member may want to consider and are not meant to be an exclusive or exhaustive list of factors a member may need to consider.

In addition, members are reminded that outsourcing covered activities in no way diminishes a member's responsibility for either its performance or its full compliance with all applicable federal securities laws and regulations, and NASD and MSRB rules.

II. Activities and Functions that are Prohibited from being Outsourced

A. Activities and Functions Requiring Registration and Qualification

It is NASD's view that the performance of covered activities, which require qualification and registration, cannot be deemed to have been outsourced because the person performing the activity is an associated person of the member irrespective of whether such person is registered with the member. An exception would be where a third-party service provider is separately registered as a broker-dealer and the contracted arrangement between the member and the service provider is contemplated by NASD rules, MSRB rules, or applicable federal securities laws or regulations.⁶ An example of such an exception would be a clearing agreement executed pursuant to NASD Rule 3230 between a member and a clearing broker-dealer.⁷

B. Supervisory and Compliance Activities

NASD has noted in previous guidance that the ultimate responsibility for supervision lies with the member.⁸ Accordingly, a member may never contract its supervisory and compliance activities away from its direct control. This prohibition, however, does not preclude a member from outsourcing certain activities that support the performance of its supervisory and compliance responsibilities. For example, a member may implement a supervisory system designed by another party, which could include a computer software program that detects excessive trading in customer accounts. However, if a member chooses to implement such a system, it must make its own determination that the system implemented is current and reasonably designed to achieve compliance as required under Rule 3010. This may include, for example, monitoring the system to ensure that it functions as designed and that such design is of an adequate nature and breadth.⁹

¹ A February 2005 joint report by the Joint Forum of the Basel Committee on Banking Supervision found similar trends in the use of outsourcing by financial firms. See Outsourcing in Financial Services, The Joint Forum of the Basel Committee on Banking Supervision (February 2005). The Joint Forum was established in 1996 under the aegis of the Basel Committee on Banking Supervision (Basel Committee), the International Organization of Securities Commissions (IOSCO), and the International Association of Insurance Supervisors (IAIS) to address issues common to the banking, securities, and insurance sectors, including the regulation of financial conglomerates. The Joint Forum is composed of an equal number of senior bank, insurance, and securities supervisors representing each supervisory constituency.

² Examples of covered activities include, without limitation, order taking, handling of customer funds and securities, and supervisory responsibilities under Rules 3010 and 3012.

³See Rule 3010(a) and (b); Notice to Members (NTM) 99-45 (June 1999).

⁴Rule 3012 also requires a member firm to have a written supervisory control system that will, among other things, test and verify that the member's supervisory policies and procedures are reasonably designed to achieve compliance with the applicable securities laws and regulations and NASD rules. Members are reminded that this requirement includes the testing and verification of their supervisory procedures regarding their outsourcing practices, including testing and verifying that any due diligence procedures meet the "reasonably designed to achieve compliance" standard. See NTM 99-45 (June 1999) (providing guidance on the meaning of the term "reasonably designed to achieve compliance"). Such testing and verifying will help firms to ensure that their due diligence analyses of third-party service providers remain current and relevant.

⁵ Members may also want to consult a February 2005 IOSCO report for more factors that they should consider in connection with outsourcing. See Principles of Outsourcing of Financial Services for Market Intermediaries, IOSCO Technical Committee (February 2005). Another resource members may want to consider is the previously mentioned report by the Joint Forum of the Basel Committee on Banking Supervision. Outsourcing in Financial Services, supra note 1.

⁶ NASD does not view a third-party vendor as an associated person of the member if it solely provides services such as a trade execution and reporting system or automated data services in connection with back-office functions that, in turn, are utilized by registered or other associated persons of the member.

⁷See Rule 3230(a)(1). Some members also enter into secondary or sub-clearing (sometimes referred to as "piggyback clearing") arrangements for clearing services with an intermediary firm that has an existing contract with a clearing firm instead of contracting directly with the clearing firm. Because intermediary firms do not always identify to clearing firms which accounts belong to the piggybacking firms, NASD has filed with the SEC a proposed rule change to Rule 3230 and Rule 3150 (Reporting Requirements for Clearing Firms) that would require intermediary firms to identify the accounts belonging to the piggybacking firms and that would require clearing firms to distinguish the data belonging to intermediary firms from the data belonging to the piggybacking firms.

⁸See NTM 99-45 (June 1999).

⁹See id.