Skip to main content
Regulatory Notice 11-14

FINRA Requests Comment on Proposed New FINRA Rule 3190 to Clarify the Scope of a Firm's Obligations and Supervisory Responsibilities for Functions or Activities Outsourced to a Third-Party Service Provider

Published Date:
Comment Period Expires: May 13, 2011

Third-Party Service Providers

Regulatory Notice
Notice Type

Request for Comment
Suggested Routing

Compliance
Legal
Operations
Risk
Senior Management
Key Topics

Clearing and Carrying Activities
Due Diligence
Outsourcing
Supervisory Responsibilities
Third-Party Service Providers
Referenced Rules & Notices

FINRA Rule 4311
FINRA Rule 8210
Incorporated NYSE Rule 382
NTM 99-45
NTM 03-73
NTM 05-48
NASD Rule 3010
NASD Rule 3230
SEA Rule 17a-4

Executive Summary

FINRA is requesting comment on a proposed new rule to clarify a member firm's obligations and supervisory responsibilities regarding outsourcing arrangements. Specifically, proposed FINRA Rule 3190 (Use of Third-Party Service Providers) makes clear that:

•   when a member firm outsources a function or activity related to its business as a regulated broker-dealer to a third-party service provider, it does not relieve the firm of its obligation to comply with applicable securities laws and regulations and FINRA and Municipal Securities Rulemaking Board (MSRB) rules; and
•   the firm cannot delegate its responsibilities for, or control over, any outsourced functions or activities.

The proposal also requires a member firm to have supervisory procedures, including due diligence measures, to ensure that its arrangements with third-party service providers are reasonably designed to achieve compliance with applicable securities laws and regulations and FINRA and MSRB rules. Further, the proposed rule imposes additional restrictions and obligations that apply solely to a clearing and carrying member firm and its third-party service provider arrangements.

The text of the proposed rule is set forth in Attachment A.

Questions concerning this Notice should be directed to Patricia Albrecht, Associate General Counsel, Office of General Counsel, at (202) 728-8026.

Action Requested

FINRA encourages all interested parties to comment on the proposal. Comments must be received by May 13, 2011.

Member firms and other interested parties can submit their comments using the following methods:

•   Emailing comments to [email protected]; or
•   Mailing comments in hard copy to:

Marcia E. Asquith
Office of the Corporate Secretary
FINRA
1735 K Street, NW
Washington, DC 20006-1506

To help FINRA process and review comments more efficiently, persons should use only one method to comment on the proposal.

Important Notes: The only comments that FINRA will consider are those submitted pursuant to the methods described above. All comments received in response to this Notice will be made available to the public on the FINRA website. Generally, FINRA will post comments on its site one week after the end of the comment period.1

Before becoming effective, a proposed rule change must be authorized for filing with the SEC by the FINRA Board of Governors, and then must be approved by the SEC, following publication for public comment in the Federal Register.2

Background and Discussion

Recognizing member firms' increasing use of outside entities—both regulated and unregulated—to perform certain activities and functions related to their business operations and the compliance risks that can accompany the use of such outside entities, FINRA has provided substantial guidance regarding member firms' responsibilities when outsourcing activities to third-party service providers.3 However, FINRA has continued to receive inquiries regarding outsourcing and the scope of the guidance, including, among other things, requests to identify specific functions that a clearing or carrying member firm may outsource to a third-party service provider and the appropriateness of any member firm outsourcing activities to a third-party service provider that is not registered as a broker-dealer.

In view of these questions and continued concerns regarding the risks related to outsourcing, FINRA is proposing new Rule 3190 to clarify a member firm's obligations and supervisory responsibilities regarding its outsourcing arrangements, including imposing additional restrictions and obligations that would apply solely to a clearing and carrying member firm and its third-party service provider arrangements.

I. Member Firms' Responsibilities for Activities Outsourced to Third-Party Service Providers and Activities Requiring Registration and Qualification

Proposed FINRA Rule 3190(a)(1) clarifies that a member firm's use of a third-party service provider (including any sub-vendor) to perform functions or activities related to the member firm's business as a regulated broker-dealer does not relieve the firm of its obligation to comply with applicable securities laws and regulations and with applicable FINRA and MSRB rules. Proposed Supplementary Material .01 (Scope of Third-Party Service Provider) clarifies that the term "third-party service provider (including any sub-vendor)" shall include any person controlling, controlled by or under common control with a member firm, unless otherwise determined by FINRA.4 The proposed provision also prohibits a member firm from delegating its responsibilities for, or control over, any functions or activities performed by a third-party service provider. Proposed FINRA Rule 3190(a)(1) is consistent with FINRA's current guidance that a member firm's use of a third-party service provider for such activities does not relieve the firm of its ultimate responsibility to achieve compliance with all applicable securities laws and regulations and FINRA and MSRB rules, and that the ultimate responsibility for supervision of outsourced activities lies with the firm.5

Additionally, FINRA Rule 3190(a)(3) clarifies that nothing in the proposed rule's provisions shall be construed to permit any person to engage in activities that require registration and qualification under FINRA rules without obtaining the necessary registrations and qualifications.
II. Member Firms' Supervision and Due Diligence Analysis of Third-Party Service Providers

Proposed FINRA Rule 3190(a)(2) requires each member firm, pursuant to its obligations under FINRA rules, to establish and maintain a supervisory system and written procedures for any functions or activities performed by a third-party service provider that are reasonably designed to achieve compliance with applicable securities laws and regulations and applicable FINRA and MSRB rules.

Additionally, proposed FINRA Rule 3190(b) requires that a member firm include in these supervisory procedures an ongoing due diligence analysis of each current or prospective third-party service provider to determine, at a minimum, whether: (1) the third-party service provider is capable of performing the activities being outsourced; and (2) with respect to any activities being outsourced, the member firm can achieve compliance with applicable securities laws and regulations and applicable FINRA and MSRB rules. These provisions are consistent with existing guidance noting that, if a member firm outsources activities, its supervisory system and written supervisory procedures required by NASD Rule 3010 (Supervision) must include supervisory procedures for its outsourcing practices to ensure such compliance and that those procedures should include, without limitation, conducting a due diligence analysis of all of its current or prospective third-party service providers to determine whether they are capable of performing the outsourced activities.6
III. Clearing or Carrying Member Firms' Restrictions and Obligations Regarding Outsourced Activities

In addition to the requirements discussed above in proposed FINRA Rule 3190(a) and (b), the proposed rule imposes certain heightened requirements on a clearing or carrying member firm's outsourcing arrangements. Given the additional responsibilities of a clearing or carrying member firm to protect customer funds and securities, these heightened requirements are designed to address concerns regarding the great potential harm that could result from its third-party service providers' non-compliance (either accidental or intentional) with the federal securities laws and FINRA and MSRB rules. The involvement by improperly authorized or inadequately supervised persons may cause systemic risk and undermine investor confidence in the securities industry. As detailed further below, FINRA believes these concerns can be mitigated by requiring a clearing or carrying member firm to limit certain enumerated activities to persons directly subject to the control and supervision of the member firm, have additional supervisory procedures to oversee third-party service providers and notify FINRA of its outsourcing arrangements.
A. Restrictions Applicable to Certain Clearing or Carrying Member Firms' Activities

Specifically, proposed FINRA Rule 3190(c) requires a clearing or carrying member firm to vest an associated person of the firm with the authority and responsibility for the following activities:
(1) the movement of customer or proprietary cash or securities;
(2) the preparation of net capital or reserve formula computations; and
(3) the adoption or execution of compliance or risk management systems.
However, pursuant to proposed FINRA Rule 3190(a)(3), the clearing or carrying member firm would have to vest authority and responsibility for any functions related to these activities that would require registration and qualification under FINRA rules with an associated person of the firm who has the necessary registrations and qualifications.

With respect to the movement of customer or proprietary cash or securities, FINRA has found this area to be subject to additional risk for errors, fraud or other violative conduct. The involvement of improperly authorized persons could, in certain circumstances, cause systemic risk and undermine investor confidence in the securities industry. FINRA believes these concerns would be mitigated by expressly limiting authority and responsibility for this activity to an associated person directly subject to the clearing or carrying member firm's supervision and control. Accordingly, the proposed rule would require that persons responsible for the handling, transfer or disposition of cash or securities as they enter and flow from the firm be associated persons of the member firm.

Proposed Supplementary Material .02 (Posting to Books and Records) clarifies that the restriction regarding the movement of funds or securities would not preclude a designated third-party service provider from posting items to a clearing or carrying member firm's books or records, provided the firm reviews each posting prior to the close of the business day following the posting. In this regard, FINRA generally would permit the prompt supervisory review required by proposed Supplementary Material .02 to be performed by substantiation of financial balances and spot-check reviews of individual entries, rather than an actual sign off on each individual entry. FINRA believes that the proposed approach balances the need to protect the integrity of the clearing or carrying member firm's books and records with the efficiencies of having the work performed by a third-party service provider.7

FINRA also has concerns about the use of third-party service providers in the preparation of net capital or reserve formula computations. The execution of the SEC's financial responsibility rules8 enables firm management and regulators to ascertain the financial state of a firm and helps to ensure protection of customer assets. Accordingly, FINRA believes that a properly registered associated person of the clearing or carrying member firm should be directly responsible for this function. For purposes of proposed FINRA Rule 3190(c), FINRA would consider the performance of calculations in aid of the preparation of these computations to be ministerial functions that could be performed by a third-party service provider; however, the review and understanding of the computations and the ability to explain the mechanics and rationale of the computations to FINRA staff would reside with the firm's properly registered associated person vested with authority and responsibility for this function.

With respect to the adoption or execution of compliance or risk management systems, the proposed rule does not prohibit a firm from using a third-party service provider or its systems as part of the member firm's compliance and risk management solutions, provided the member firm adopts such services and systems in a manner consistent with the regulatory requirements as they apply in light of the firm's size, businesses and business model, retains control over their implementation and use within the firm, and independently determines that they achieve compliance with the applicable securities laws and FINRA and MSRB rules. Further, basic calculations, logging or maintaining lists that are preparatory to creating related books and records and review of output from these systems could be performed by a third-party service provider; however, any analysis or conclusions based upon the data would have to be performed by an associated person of the firm.
B. Oversight of Third-Party Service Providers by Clearing or Carrying Member Firms

Proposed FINRA Rule 3190(d) requires that a clearing or carrying member firm include additional supervisory procedures that would: (1) enable the firm to take prompt corrective action where necessary to achieve compliance with applicable securities laws and regulations and with applicable FINRA and MSRB rules; and (2) require the firm to approve any transfer of duties by a third-party service provider to a sub-vendor. As with the restrictions in proposed FINRA Rule 3190(c), FINRA believes that these supplementary procedures will help prevent potential harm that could result from possible non-compliance by a clearing or carrying member firm's third-party service provider with the federal securities laws and FINRA and MSRB rules.
C. Notifications by Clearing or Carrying Member Firms

Proposed FINRA Rule 3190(e) requires a clearing or carrying member firm to notify FINRA within 30 calendar days after entering into any outsourcing agreement with a third-party service provider to perform any functions or activities related to the firm's business as a regulated broker-dealer that is permitted to be outsourced pursuant to the proposed rule.9 Pursuant to proposed FINRA Rule 3190, a clearing or carrying member firm's notification must include:
(1) the function(s) being performed by the third-party service provider;
(2) the identity and location of the third-party service provider;
(3) the identity of the third-party service provider's regulator (if any); and
(4) a description of any affiliation between the firm and the third-party service provider.
The clearing or carrying member firm also would be required to maintain a copy of each notification and any underlying written agreement(s) with the third-party service provider, in accordance with SEA Rule 17a-4(b).10

FINRA notes that proposed FINRA Rule 3190 and its heightened requirements for clearing or carrying member firms does not necessarily require a clearing or carrying member firm to alter any contracts with its third-party service providers. Nonetheless, a clearing or carrying member firm remains responsible for maintaining control over any outsourced activity and effecting any necessary changes to achieve compliance with the proposed rule's requirements. Consequently, upon approval of proposed FINRA Rule 3190, FINRA would expect each clearing or carrying member firm to consider whether amendments or addendums to any such contracts would be necessary to comply with the rule's requirements.11
IV. Exceptions to Proposed FINRA Rule 3190's Requirements

Proposed FINRA Rule 3190 excepts from its requirements ministerial activities performed on behalf of a member firm, unless otherwise prohibited by applicable securities laws and regulations or applicable FINRA and MSRB rules, and clarifies that its provisions would not restrict activities performed pursuant to a carrying agreement approved under FINRA Rule 4311 (Carrying Agreements).12

1 FINRA will not edit personal identifying information, such as names or email addresses, from submissions. Persons should submit only information that they wish to make publicly available. See Notice to Members (NTM) 03-73 (November 2003) (NASD Announces Online Availability of Comments) for more information.

2 Section 19 of the Securities Exchange Act of (SEA or Exchange Act) permits certain limited types of proposed rule changes to take effect upon filing with the SEC. The SEC has the authority to summarily temporarily suspend these types of rule changes within 60 days of filing. If the SEC takes such action, the SEC shall institute proceedings to determine whether the proposed rule should be approved or disapproved. See Exchange Act Section 19 and rules thereunder.

3See NTM 05-48 (April 2005) (Members' Responsibilities When Outsourcing Activities to Third-Party Service Providers); see also FINRA Office of General Counsel Interpretive Memorandum, dated August 15, 2006 (A Member's Responsibilities Regarding the Outsourcing of Certain Activities). Among other things, the guidance notes that parties conducting activities or functions requiring registration under FINRA rules generally will be considered associated persons of the member firm, absent the service provider separately being registered as a broker-dealer and such arrangement being contemplated by FINRA rules (such as in the case of carrying arrangements), MSRB rules or applicable federal securities laws or regulations. See NTM 05-48 (April 2005).

4 Although proposed FINRA Rule 3190 uses "third-party service provider (including any sub-vendor)" throughout the rule text, for readability, this Notice generally uses the term "third-party service provider" without the reference "including any sub-vendor."

5See NTM 05-48 (April 2005); see also NTM 99-45 (June 1999).

6See NTM 05-48 (April 2005).

7 Member firms are reminded that SEA Rule 17f-2 (Fingerprinting of Securities Industry Personnel) mandates that persons with regular access to the keeping, handling or processing of securities, money or original books and records relating to securities or money must be fingerprinted and have those fingerprints submitted to the U.S. Attorney General or its designee for identification and appropriate processing.

8See, e.g., SEA Rule 15c3-1 (Net Capital Requirements for Brokers or Dealers) and SEA Rule 15c3-3 (Customer Protection — Reserves and Custody of Securities).

9 The proposed rule also requires that, within three months of the effective date of the rule, a clearing or carrying member firm must notify FINRA of all outsourcing arrangements related to the firm's business as a regulated broker-dealer in effect as of that effective date.

10See generally SEA Rule 17a-4(b) (requiring a member firm to preserve certain enumerated records for a period of not less than three years, the first two years in an easily accessible place). Additionally, as with all member firm books and records, such notifications and underlying written agreements would be subject to inspection by or production under FINRA Rule 8210 (Provision of Information and Testimony and Inspection and Copying of Books).

11 Additionally, although not required by proposed FINRA Rule 3190, a clearing or carrying member firm may want to consider submitting prospective outsourcing arrangements for FINRA for review prior to entering into such outsourcing arrangements.

12 FINRA Rule 4311 replaces NASD Rule 3230 (Clearing Agreements) and NYSE Rule 382 (Carrying Agreements) and will govern the requirements applicable to member firms when entering into agreements for the carrying of customer accounts. See Securities Exchange Act Release No. 63999 (March 1, 2011), 76 FR 12380 (March 7, 2011) (Order Approving File No. SR-FINRA-2010-061). FINRA will announce the new rule's effective date in a future Regulatory Notice.


Attachment A

* * * * *

3000. SUPERVISION AND RESPONSIBILITIES RELATING TO ASSOCIATED PERSONS

3100. SUPERVISORY RESPONSIBILITIES

* * * * *

3190. Use of Third-Party Service Providers

(a) General Requirements
(1) The use by a FINRA member of a third-party service provider (including any sub-vendor) to perform functions or activities related to the member's business as a regulated broker-dealer does not relieve the member of its obligation to comply with applicable securities laws and regulations and with applicable FINRA and MSRB rules. No member shall delegate its responsibilities for, or control over, any functions or activities performed by a third-party service provider (including any sub-vendor).
(2) Pursuant to its obligations under FINRA rules, a member shall establish and maintain a supervisory system and written procedures for any functions or activities performed by a third-party service provider (including any sub-vendor) that are reasonably designed to achieve compliance with applicable securities laws and regulations and with applicable FINRA and MSRB rules.
(3) Nothing in this Rule shall be construed to permit any person to engage in functions or activities that require registration and qualification under FINRA rules without obtaining the necessary registrations and qualifications.
(b) Due Diligence Analysis of Third-Party Service Providers

The procedures required by paragraph (a)(2) shall include an ongoing due diligence analysis of each current and prospective third-party service provider (including any sub-vendor) to determine, at a minimum, whether:
(1) the third-party service provider (including any sub-vendor) is capable of performing the activities being outsourced; and
(2) the member can achieve compliance with applicable securities laws and regulations and with applicable FINRA and MSRB rules with respect to any functions or activities being outsourced.
(c) Restrictions Applicable to Clearing or Carrying Members

A clearing or carrying member shall vest an associated person of the member with the authority and responsibility for:
(1) the movement of customer or proprietary cash or securities;
(2) the preparation of net capital or reserve formula computations; and
(3) the adoption or execution of compliance or risk management systems.
(d) Oversight of Third-Party Service Providers by Clearing or Carrying Members

In the case of a clearing or carrying member, the procedures required by paragraph (a) (2) shall include procedures that:
(1) enable the member to take prompt corrective action where necessary to achieve compliance with applicable securities laws and regulations and with applicable FINRA and MSRB rules; and
(2) require the member to approve any transfer of duties by a third-party service provider to a sub-vendor.
(e) Notifications by Clearing or Carrying Members
(1) A clearing or carrying member entering into any outsourcing agreement with a third-party service provider (including any sub-vendor) to perform any function or activities related to the member's business as a regulated broker-dealer that is permitted to be outsourced by this Rule shall notify FINRA within 30 calendar days after the date the member enters into such outsourcing agreement.
(2) Within three months of [insert effective date of the proposed rule change], a clearing or carrying member shall notify FINRA of all outsourcing arrangements in effect as of [insert effective date of the proposed rule change].
(3) All notifications provided pursuant to this paragraph (e) shall include:
(A) the function or functions being performed by the third-party service provider (including any sub-vendor, if known);
(B) the identity and location of the third-party service provider (including any sub-vendor, if known);
(C) the identity of the third-party service provider's regulator (including any sub-vendor's regulator, if the identities of sub-vendors are known), if any; and
(D) a description of any affiliation between the member and the third-party service provider (including any sub-vendor).
(4) A copy of each notification provided pursuant to this paragraph (e) and the underlying written agreement(s) with the third-party service provider (including any sub-vendor) shall be maintained by the member, in accordance with SEA Rule 17a-4(b).
(f) Exceptions
(1) The provisions of this Rule shall not apply to ministerial activities performed on behalf of a member, unless otherwise prohibited by applicable securities laws and regulations or applicable FINRA or MSRB rules.
(2) The provisions of this Rule shall not restrict activities performed pursuant to a carrying agreement approved under FINRA Rule 4311.

•••Supplementary Material: --------------

.01 Scope of Third-Party Service Provider. The term "third-party service provider (including any sub-vendor)" shall include any person controlling, controlled by, or under common control with a member, unless otherwise determined by FINRA.
.02 Posting to Books and Records. The provisions of paragraph (c)(1) of this Rule do not preclude a designated third-party service provider (including any sub-vendor) from posting items to a member's books or records, provided that the member reviews each posting prior to the close of the business day following the posting.