FINRA Vendor-Management Guidance: You Can't Outsource Responsibility

On August 13, 2021, the Financial Industry Regulatory Authority (“FINRA”) issued Regulatory Notice 21-29, collecting guidance on outsourcing and vendor management.  The Notice was prompted by increased reliance on outsourcing (especially during COVID), some enforcement actions involving vendor-management issues, and similar proposed inter-agency guidance by banking regulators.

The Notice reminds firms that while they can outsource tasks or functions, they cannot outsource away their regulatory compliance obligations.  In turn, that means the outsourcing process itself must comply with those obligations.  It also means that firms cannot “set it and forget it.”  Broadly, the obligations that follow an outsourced function are:

Supervision – Firms must supervise, and have the ability to use supervisory controls over, the outsourced functions, and must memorialize that in their written supervisory procedures and in vendor contracts.

Business Continuity Plans – Vendors (and the functions they perform) must be addressed in firms’ business continuity plans.

Books and Records – The records maintained by vendors in connection with their work for member firms must be kept as prescribed by rule, subject to inspection by the firm (and regulators), and retained as required, with accompanying attestations.

Registration – Depending on the functions outsourced, vendors and/or their personnel may require FINRA registration.

Cybersecurity – Controls, access management, change management, testing and data loss prevention for outsourced functions must comply with SEC Regulation S-P.

Drawing on examination findings and some previous enforcement actions, the Notice provides best practices in the form of questions to ask in each phase of outsourcing and vendor management.  Summarized by phase, they are:

Outsourcing Decisions:

  • Develop a robust and formal process;
  • Address it in the firm’s Written Supervisory Procedures;
  • Include a formal risk assessment;
  • Involve all appropriate internal stakeholders in each decision.

Due Diligence:

  • Conduct systematic and substantive due diligence;
  • Make it risk-based;
  • Investigate vendor systems;
  • Make sure your due-diligence investigators are qualified in the subject investigated;
  • Be alert to conflicts of interest, and manage them.

Onboarding:

  • Ensure contracts address, and enable compliance with, all regulatory requirements;
  • Double-check and adjust features and default settings as necessary;
  • Have off-boarding processes in place to avoid regulatory non-compliance.

Supervision:

  • Contracts must address, and permit, the firm’s supervision of the outsourced function;
  • Require attestations;
  • Require monitoring, including access and procedures;
  • Allow investigation and follow up to any red flags;
  • Have supervisory testing and controls in place.

The Notice expressly mentions the similar Proposed Guidance and request for comment issued July 13, 2021 by the Federal Reserve Board of Governors, the FDIC and the OCC.  FINRA says it will monitor that Proposal and will harmonize its Rules as appropriate.

Thomas K. Potter, III is a partner in the Securities Litigation Practice Group at Burr & Forman, LLP. Tom is licensed in Tennessee, Texas, and Louisiana. He has over 35 years of experience representing financial institutions in litigation, regulatory, and compliance matters.