FINRA and the SEC focus on protecting clients’ interests by covering all potential risk areas that could harm investors. One pivotal area for financial firms to consider is their due diligence efforts related to third-party service providers. Third-party service providers are an extension of your firm. Regardless of whether a vendor is deemed critical or non-critical, if it is not properly vetted and continuously supervised, its weak controls can expose your firm, and by extension your clients, to a range of risks. FINRA and the SEC have set forth guidelines for overseeing the common risks to analyze in relation to your third-party vendors.
FINRA
FINRA requires broker-dealers to demonstrate critical-vendor due diligence. Firms can perform this due diligence by implementing a Third-Party Vendor Questionnaire that records a vendor’s adherence to regulatory compliance. The questionnaire aims to identify and assess the risks related to a vendor and is a key piece of a firm’s regulatory compliance and risk mitigation efforts.
Step 1
- Classify the vendor (or review its previously assigned classification) as either mission-critical or non-critical; it is vital to have a robust system in place for monitoring all third-party vendors.
Step 2
- Send vendors the questionnaire, ensuring the responses address the following:
- Data security practices
- Compliance programs
- Incident response policies and procedures
- Cybersecurity practices
- Data retention practices
In addition, identifying information such as the following should be included:
- Vendor name and services provided
- Whether the services provided by the vendor are classified as mission-critical (such as IT network service providers) or non-critical
Step 3
- Review the responses to identify any compliance gaps and address those with your compliance and legal team.
SEC Vendor Due Diligence Regulatory Requirements
As part of their fiduciary duties and in compliance with Rule 2026(4)-7, registered investment advisers (RIAs) are also required to conduct adequate due diligence as part of their oversight of third-party vendors. In addition to SEC examinations, which, according to the 2025 SEC Exam Priorities released in October 2024, will include increased scrutiny of third-party oversight, the SEC will also consider an RIA’s oversight of third-party vendors through:
- Form ADV disclosures of material information on the use of third-party vendors, especially those used for critical operations such as IT, data security, and more.
- Regulation SCI (Systems Compliance and Integrity), which requires firms such as clearing agencies and alternative trading firms to implement and maintain robust technological infrastructure for all processes, including third-party vendor oversight. There is also a proposal to expand this regulation to include larger broker-dealers.
Areas for due diligence reviews include cybersecurity controls, Regulation S-P safeguarding protections, risk management, and fulfillment of service obligations by the third-party vendor.
Jacko Law Group understands the potential risks associated with third-party vendors, and we assist our clients in making sure they not only maintain the highest level of security for their clients but also meet their compliance requirements.
For assistance with meeting your regulatory requirements for third-party vendors, please call us at 619.298.2880 or email info@jackolg.com.