FINRA Requests Comment on Proposed New FINRA Rule 3190 to Clarify the Scope of a Firm's Obligations and Supervisory Responsibilities for Functions or Activities Outsourced to a Third-Party Service Provider
Third-Party Service Providers
Request for Comment
Clearing and Carrying Activities
Third-Party Service Providers
|Referenced Rules & Notices
FINRA Rule 4311
FINRA Rule 8210
Incorporated NYSE Rule 382
NASD Rule 3010
NASD Rule 3230
SEA Rule 17a-4
FINRA is requesting comment on a proposed new rule to clarify a member firm's obligations and supervisory responsibilities regarding outsourcing arrangements. Specifically, proposed FINRA Rule 3190 (Use of Third-Party Service Providers) makes clear that:
The proposal also requires a member firm to have supervisory procedures, including due diligence measures, to ensure that its arrangements with third-party service providers are reasonably designed to achieve compliance with applicable securities laws and regulations and FINRA and MSRB rules. Further, the proposed rule imposes additional restrictions and obligations that apply solely to a clearing and carrying member firm and its third-party service provider arrangements.
The text of the proposed rule is set forth in Attachment A.
Questions concerning this Notice should be directed to Patricia Albrecht, Associate General Counsel, Office of General Counsel, at (202) 728-8026.
FINRA encourages all interested parties to comment on the proposal. Comments must be received by May 13, 2011.
Member firms and other interested parties can submit their comments using the following methods:
Marcia E. Asquith
Office of the Corporate Secretary
1735 K Street, NW
Washington, DC 20006-1506
To help FINRA process and review comments more efficiently, persons should use only one method to comment on the proposal.
Important Notes: The only comments that FINRA will consider are those submitted pursuant to the methods described above. All comments received in response to this Notice will be made available to the public on the FINRA website. Generally, FINRA will post comments on its site one week after the end of the comment period.1
Before becoming effective, a proposed rule change must be authorized for filing with the SEC by the FINRA Board of Governors, and then must be approved by the SEC, following publication for public comment in the Federal Register.2
Background and Discussion
Recognizing member firms' increasing use of outside entities—both regulated and unregulated—to perform certain activities and functions related to their business operations and the compliance risks that can accompany the use of such outside entities, FINRA has provided substantial guidance regarding member firms' responsibilities when outsourcing activities to third-party service providers.3 However, FINRA has continued to receive inquiries regarding outsourcing and the scope of the guidance, including, among other things, requests to identify specific functions that a clearing or carrying member firm may outsource to a third-party service provider and the appropriateness of any member firm outsourcing activities to a third-party service provider that is not registered as a broker-dealer.
In view of these questions and continued concerns regarding the risks related to outsourcing, FINRA is proposing new Rule 3190 to clarify a member firm's obligations and supervisory responsibilities regarding its outsourcing arrangements, including imposing additional restrictions and obligations that would apply solely to a clearing and carrying member firm and its third-party service provider arrangements.
Proposed FINRA Rule 3190(a)(1) clarifies that a member firm's use of a third-party service provider (including any sub-vendor) to perform functions or activities related to the member firm's business as a regulated broker-dealer does not relieve the firm of its obligation to comply with applicable securities laws and regulations and with applicable FINRA and MSRB rules. Proposed Supplementary Material .01 (Scope of Third-Party Service Provider) clarifies that the term "third-party service provider (including any sub-vendor)" shall include any person controlling, controlled by or under common control with a member firm, unless otherwise determined by FINRA.4 The proposed provision also prohibits a member firm from delegating its responsibilities for, or control over, any functions or activities performed by a third-party service provider. Proposed FINRA Rule 3190(a)(1) is consistent with FINRA's current guidance that a member firm's use of a third-party service provider for such activities does not relieve the firm of its ultimate responsibility to achieve compliance with all applicable securities laws and regulations and FINRA and MSRB rules, and that the ultimate responsibility for supervision of outsourced activities lies with the firm.5
Additionally, FINRA Rule 3190(a)(3) clarifies that nothing in the proposed rule's provisions shall be construed to permit any person to engage in activities that require registration and qualification under FINRA rules without obtaining the necessary registrations and qualifications.
Proposed FINRA Rule 3190(a)(2) requires each member firm, pursuant to its obligations under FINRA rules, to establish and maintain a supervisory system and written procedures for any functions or activities performed by a third-party service provider that are reasonably designed to achieve compliance with applicable securities laws and regulations and applicable FINRA and MSRB rules.
Additionally, proposed FINRA Rule 3190(b) requires that a member firm include in these supervisory procedures an ongoing due diligence analysis of each current or prospective third-party service provider to determine, at a minimum, whether: (1) the third-party service provider is capable of performing the activities being outsourced; and (2) with respect to any activities being outsourced, the member firm can achieve compliance with applicable securities laws and regulations and applicable FINRA and MSRB rules. These provisions are consistent with existing guidance noting that, if a member firm outsources activities, its supervisory system and written supervisory procedures required by NASD Rule 3010 (Supervision) must include supervisory procedures for its outsourcing practices to ensure such compliance and that those procedures should include, without limitation, conducting a due diligence analysis of all of its current or prospective third-party service providers to determine whether they are capable of performing the outsourced activities.6
In addition to the requirements discussed above in proposed FINRA Rule 3190(a) and (b), the proposed rule imposes certain heightened requirements on a clearing or carrying member firm's outsourcing arrangements. Given the additional responsibilities of a clearing or carrying member firm to protect customer funds and securities, these heightened requirements are designed to address concerns regarding the great potential harm that could result from its third-party service providers' non-compliance (either accidental or intentional) with the federal securities laws and FINRA and MSRB rules. The involvement by improperly authorized or inadequately supervised persons may cause systemic risk and undermine investor confidence in the securities industry. As detailed further below, FINRA believes these concerns can be mitigated by requiring a clearing or carrying member firm to limit certain enumerated activities to persons directly subject to the control and supervision of the member firm, have additional supervisory procedures to oversee third-party service providers and notify FINRA of its outsourcing arrangements.
Specifically, proposed FINRA Rule 3190(c) requires a clearing or carrying member firm to vest an associated person of the firm with the authority and responsibility for the following activities:
With respect to the movement of customer or proprietary cash or securities, FINRA has found this area to be subject to additional risk for errors, fraud or other violative conduct. The involvement of improperly authorized persons could, in certain circumstances, cause systemic risk and undermine investor confidence in the securities industry. FINRA believes these concerns would be mitigated by expressly limiting authority and responsibility for this activity to an associated person directly subject to the clearing or carrying member firm's supervision and control. Accordingly, the proposed rule would require that persons responsible for the handling, transfer or disposition of cash or securities as they enter and flow from the firm be associated persons of the member firm.
Proposed Supplementary Material .02 (Posting to Books and Records) clarifies that the restriction regarding the movement of funds or securities would not preclude a designated third-party service provider from posting items to a clearing or carrying member firm's books or records, provided the firm reviews each posting prior to the close of the business day following the posting. In this regard, FINRA generally would permit the prompt supervisory review required by proposed Supplementary Material .02 to be performed by substantiation of financial balances and spot-check reviews of individual entries, rather than an actual sign off on each individual entry. FINRA believes that the proposed approach balances the need to protect the integrity of the clearing or carrying member firm's books and records with the efficiencies of having the work performed by a third-party service provider.7
FINRA also has concerns about the use of third-party service providers in the preparation of net capital or reserve formula computations. The execution of the SEC's financial responsibility rules8 enables firm management and regulators to ascertain the financial state of a firm and helps to ensure protection of customer assets. Accordingly, FINRA believes that a properly registered associated person of the clearing or carrying member firm should be directly responsible for this function. For purposes of proposed FINRA Rule 3190(c), FINRA would consider the performance of calculations in aid of the preparation of these computations to be ministerial functions that could be performed by a third-party service provider; however, the review and understanding of the computations and the ability to explain the mechanics and rationale of the computations to FINRA staff would reside with the firm's properly registered associated person vested with authority and responsibility for this function.
With respect to the adoption or execution of compliance or risk management systems, the proposed rule does not prohibit a firm from using a third-party service provider or its systems as part of the member firm's compliance and risk management solutions, provided the member firm adopts such services and systems in a manner consistent with the regulatory requirements as they apply in light of the firm's size, businesses and business model, retains control over their implementation and use within the firm, and independently determines that they achieve compliance with the applicable securities laws and FINRA and MSRB rules. Further, basic calculations, logging or maintaining lists that are preparatory to creating related books and records and review of output from these systems could be performed by a third-party service provider; however, any analysis or conclusions based upon the data would have to be performed by an associated person of the firm.
Proposed FINRA Rule 3190(d) requires that a clearing or carrying member firm include additional supervisory procedures that would: (1) enable the firm to take prompt corrective action where necessary to achieve compliance with applicable securities laws and regulations and with applicable FINRA and MSRB rules; and (2) require the firm to approve any transfer of duties by a third-party service provider to a sub-vendor. As with the restrictions in proposed FINRA Rule 3190(c), FINRA believes that these supplementary procedures will help prevent potential harm that could result from possible non-compliance by a clearing or carrying member firm's third-party service provider with the federal securities laws and FINRA and MSRB rules.
Proposed FINRA Rule 3190(e) requires a clearing or carrying member firm to notify FINRA within 30 calendar days after entering into any outsourcing agreement with a third-party service provider to perform any functions or activities related to the firm's business as a regulated broker-dealer that is permitted to be outsourced pursuant to the proposed rule.9 Pursuant to proposed FINRA Rule 3190, a clearing or carrying member firm's notification must include:
FINRA notes that proposed FINRA Rule 3190 and its heightened requirements for clearing or carrying member firms does not necessarily require a clearing or carrying member firm to alter any contracts with its third-party service providers. Nonetheless, a clearing or carrying member firm remains responsible for maintaining control over any outsourced activity and effecting any necessary changes to achieve compliance with the proposed rule's requirements. Consequently, upon approval of proposed FINRA Rule 3190, FINRA would expect each clearing or carrying member firm to consider whether amendments or addendums to any such contracts would be necessary to comply with the rule's requirements.11
Proposed FINRA Rule 3190 excepts from its requirements ministerial activities performed on behalf of a member firm, unless otherwise prohibited by applicable securities laws and regulations or applicable FINRA and MSRB rules, and clarifies that its provisions would not restrict activities performed pursuant to a carrying agreement approved under FINRA Rule 4311 (Carrying Agreements).12
1 FINRA will not edit personal identifying information, such as names or email addresses, from submissions. Persons should submit only information that they wish to make publicly available. See Notice to Members (NTM) 03-73 (November 2003) (NASD Announces Online Availability of Comments) for more information.
2 Section 19 of the Securities Exchange Act of (SEA or Exchange Act) permits certain limited types of proposed rule changes to take effect upon filing with the SEC. The SEC has the authority to summarily temporarily suspend these types of rule changes within 60 days of filing. If the SEC takes such action, the SEC shall institute proceedings to determine whether the proposed rule should be approved or disapproved. See Exchange Act Section 19 and rules thereunder.
3See NTM 05-48 (April 2005) (Members' Responsibilities When Outsourcing Activities to Third-Party Service Providers); see also FINRA Office of General Counsel Interpretive Memorandum, dated August 15, 2006 (A Member's Responsibilities Regarding the Outsourcing of Certain Activities). Among other things, the guidance notes that parties conducting activities or functions requiring registration under FINRA rules generally will be considered associated persons of the member firm, absent the service provider separately being registered as a broker-dealer and such arrangement being contemplated by FINRA rules (such as in the case of carrying arrangements), MSRB rules or applicable federal securities laws or regulations. See NTM 05-48 (April 2005).
4 Although proposed FINRA Rule 3190 uses "third-party service provider (including any sub-vendor)" throughout the rule text, for readability, this Notice generally uses the term "third-party service provider" without the reference "including any sub-vendor."
6See NTM 05-48 (April 2005).
7 Member firms are reminded that SEA Rule 17f-2 (Fingerprinting of Securities Industry Personnel) mandates that persons with regular access to the keeping, handling or processing of securities, money or original books and records relating to securities or money must be fingerprinted and have those fingerprints submitted to the U.S. Attorney General or its designee for identification and appropriate processing.
8See, e.g., SEA Rule 15c3-1 (Net Capital Requirements for Brokers or Dealers) and SEA Rule 15c3-3 (Customer Protection — Reserves and Custody of Securities).
9 The proposed rule also requires that, within three months of the effective date of the rule, a clearing or carrying member firm must notify FINRA of all outsourcing arrangements related to the firm's business as a regulated broker-dealer in effect as of that effective date.
10See generally SEA Rule 17a-4(b) (requiring a member firm to preserve certain enumerated records for a period of not less than three years, the first two years in an easily accessible place). Additionally, as with all member firm books and records, such notifications and underlying written agreements would be subject to inspection by or production under FINRA Rule 8210 (Provision of Information and Testimony and Inspection and Copying of Books).
11 Additionally, although not required by proposed FINRA Rule 3190, a clearing or carrying member firm may want to consider submitting prospective outsourcing arrangements for FINRA for review prior to entering into such outsourcing arrangements.
12 FINRA Rule 4311 replaces NASD Rule 3230 (Clearing Agreements) and NYSE Rule 382 (Carrying Agreements) and will govern the requirements applicable to member firms when entering into agreements for the carrying of customer accounts. See Securities Exchange Act Release No. 63999 (March 1, 2011), 76 FR 12380 (March 7, 2011) (Order Approving File No. SR-FINRA-2010-061). FINRA will announce the new rule's effective date in a future Regulatory Notice.
* * * * *
3000. SUPERVISION AND RESPONSIBILITIES RELATING TO ASSOCIATED PERSONS
3100. SUPERVISORY RESPONSIBILITIES
* * * * *
3190. Use of Third-Party Service Providers
The procedures required by paragraph (a)(2) shall include an ongoing due diligence analysis of each current and prospective third-party service provider (including any sub-vendor) to determine, at a minimum, whether:
A clearing or carrying member shall vest an associated person of the member with the authority and responsibility for:
In the case of a clearing or carrying member, the procedures required by paragraph (a) (2) shall include procedures that:
•••Supplementary Material: --------------