Print Tech Insights 11: 12/12/11 – How to Supervise Your Vendor

How to Supervise Your Vendor

- Larry Goldfarb

Many compliance professionals, in an effort to improve their firm's productivity, hire outside vendors to provide technology solutions or deliver consulting services. According to FINRA Regulatory Notice 11-14, “when a member firm outsources a function or activity related to its business as a regulated broker-dealer to a third-party service provider, it does not relieve the firm of its obligation to comply with applicable securities laws and regulations” and “the firm cannot delegate its responsibilities for, or control over, any outsourced functions or activities. The proposal also requires a member firm to have supervisory procedures, including due diligence measures, to ensure that its arrangements with third-party service providers are reasonably designed to achieve compliance with applicable securities laws and regulations.”

At the recent meeting of the Midtown Regulatory Group, hosted by Linda Lerner of Debevoise & Plimpton, an issue was raised about responsibility for hardcopy documents stored with a leading provider of physical archive services. A regulator requested a box of files during a routine examination; the service provider could not locate the box. The company was cited for a violation and fined tens of thousands of dollars. The question at the meeting was: who was responsible? The unequivocal answer was the financial firm. As noted above, the obligation of the financial firm is clear: the vendor is treated like any employee or consultant of the firm, subject to the applicable policies and procedures and to compliance monitoring. That is not to say that the financial firm cannot sue the service provider for lack of performance under the contract.

One way for the financial firm to gain comfort with this type of vendor, a remedy mentioned at the meeting, is to request data from the vendor throughout the year. For instance, request a series of boxes looking for a particular file; a successful retrieval is evidence that the vendor is doing its job. I recommend that you perform these tests for all types of vendors, because you are responsible for your data, not the third-party vendor. Moreover, check your contract to make sure that remedies exist if the vendor is unable to perform.

* * *

In line with the issue above, I am often asked how you can know whether your vendor is using your data for untoward means. The SEC made a big issue of this over the way Financial Tracking, an employee conflicts-of-interest vendor, shared information with “one or more consultants” and “a global technology and business services firm”[1]. Other examples would be an email archive vendor mining your emails for potential marketing opportunities, or an employee trading monitoring vendor using your data to prepare surveys or to advertise alternative brokerage firms to the financial services clients monitored on its platform. This is a particular problem with Software-as-a-Service vendors, where the data of many clients is easily accessible in one database. One way to guard against this is to ask the vendor to provide you a log recording every time anyone at the vendor (i.e. technicians, marketing staff, management) touches your records and for what purpose. Preferably, this would be an automated report delivered to your email on a regular basis.

[1] Data gleaned from an article in the Huffington Post, October 14, 2011.
