Broker-Dealers Third-Party Risk Management Regulatory Requirements
By: Venminder Experts on September 25, 2024
6 min read
Broker-dealers must comply with strict standards when servicing their clients, according to agencies like the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA). These standards cover key areas, such as recommending securities transactions or investment strategies, safeguarding their clients’ information, and preventing disruptions to critical operations. Third-party risk management (TPRM) has become another important standard for broker-dealers in recent years. Regulations on data breach notifications, cybersecurity, and business continuity planning have all addressed the need for broker-dealers to implement TPRM practices within their operations.
As broker-dealers continue to rely on third-party vendors to support business activities, it’s essential to understand the regulatory expectations on TPRM. Here’s an overview of some key TPRM regulatory requirements and best practices that can help your brokerage firm stay compliant.
Third-Party Risk Management Regulatory Requirements for Broker-Dealers
In general, many TPRM regulations share a common theme: the broker-dealer remains accountable for activities it outsources. Regulators expect broker-dealers to supervise their third parties so that any outsourced activity is performed safely and in compliance with the same rules that would apply if the firm performed it in-house. Noncompliance can lead to consequences such as reputational damage, legal fees, or regulatory fines. It’s essential for broker-dealers to carefully read and understand their regulatory obligations and to work toward compliance.
Here are 4 TPRM regulations and standards relevant for broker-dealers:
- Financial Industry Regulatory Authority (FINRA) – Regulatory Notice 21-29, released in 2021, reminds broker-dealers of their obligations when outsourcing to vendors. The notice outlines four categories of obligations: supervision, registration, cybersecurity, and business continuity planning. Supervision means establishing and maintaining a supervisory system and written procedures to oversee third-party activities and ensure compliance; outsourcing a function does not outsource the firm’s responsibility for it. The registration category obligates broker-dealers to determine whether the individuals performing an outsourced activity fall under Rule 1220, which outlines registration categories for persons associated with brokerage firms. Cybersecurity refers to establishing written policies and procedures that safeguard client records and information, which should include vendor management, also referred to as third-party risk management. Broker-dealers are also required to maintain written business continuity plans that account for their reliance on vendors.
- Securities and Exchange Commission (SEC) – TPRM has regularly been included in the SEC’s annual Examination Priorities, with the 2024 report focusing on critical third parties and concentration risk. In addition to these yearly reports, the SEC has adopted its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule. This rule applies to SEC registrants (public companies), so it reaches a broker-dealer when the firm itself, or its parent, files with the SEC. It requires covered companies to determine the materiality of cybersecurity incidents and disclose material ones within four business days of that determination, including incidents that originate on a third-party service provider’s systems. The rule also requires covered companies to describe any processes in place for overseeing, identifying, and mitigating cybersecurity risks associated with third-party service providers.
Note: The SEC has also proposed an outsourcing rule for registered investment advisers (RIAs). If adopted, it would prohibit RIAs from outsourcing certain covered functions unless they perform TPRM activities such as risk assessments, due diligence, ongoing monitoring, and, where needed, orderly termination. The final scope of the proposed rule is still undetermined; firms that are dually registered as broker-dealers and investment advisers should expect to comply with whatever is adopted.
- Digital Operational Resilience Act (DORA) – Financial entities regulated in the EU, and the ICT service providers that support them, will need to comply with DORA once it applies from January 2025. A key objective of DORA is to manage third-party information and communication technology (ICT) risk within the financial industry. Financial entities such as investment firms must follow a list of TPRM principles, including completing pre-contract risk assessments and due diligence, establishing required contract provisions and exit plans, and maintaining an oversight framework and register of ICT third-party arrangements. DORA also describes the circumstances in which a contract must be terminated and the considerations for classifying ICT providers as critical.
- Investment Industry Regulatory Organization of Canada (IIROC) – IIROC, now part of the Canadian Investment Regulatory Organization (CIRO), published the guide Fundamentals of Technology Risk Management, which broker-dealers can use to build operational resilience. Section 6.6 of the guide covers several key vendor risk management principles, such as due diligence, onboarding, and monitoring vendor risk and performance. The guide also highlights the importance of including vendors in business continuity planning and explains how to safely terminate vendor relationships. For each vendor risk management concept, the guide lists baseline controls to implement, such as obtaining a contract that describes ownership of information and technology and reviewing vendor performance against established metrics.
Best Practices for Third-Party Risk Management Broker-Dealer Compliance
Regulatory expectations around TPRM are likely to increase as new and complex risks keep emerging and firms rely more heavily on third-party vendors. Broker-dealers can establish and maintain compliance with these expectations by following these TPRM best practices:
- Establish TPRM governance documents – Most regulators expect organizations to have documentation related to their TPRM processes and procedures. Developing and maintaining governance documents like a policy, program, and procedures will help set clear and consistent standards for your TPRM practices.
- A policy can be high level and describe the scope, roles and responsibilities, and minimum requirements of your TPRM program.
- A program document instructs senior management and other stakeholders on how the policy’s requirements are met in practice.
- Procedures are the step-by-step guides for executing a process, such as completing a risk assessment or negotiating and approving a vendor contract.
- Determine criticality – Maintaining operational resilience is a common theme in many TPRM regulations, and vendor criticality plays an important role in meeting this requirement. Criticality measures the impact on your firm’s operations if a third party fails or is suddenly unavailable. It’s important to create a standard that can be applied consistently across your entire third-party inventory. The recommended criteria may vary depending on the regulation, but there are typically three key questions you can ask to determine criticality:
- If we abruptly lost this vendor, would there be a significant disruption to our operations?
- Would the sudden loss of this vendor impact our clients?
- If restoring the vendor’s service took more than 24 hours, would there be a negative impact on our organization?
The 24-hour threshold is an example; align it with the recovery time objectives in your own business continuity plan, and record the rationale for each criticality rating so it can be reviewed during an examination.
- Perform risk-based due diligence – Regulators set guidelines on third-party relationships but recognize that not every third party requires the same level of oversight. One way to maintain TPRM compliance is through risk-based due diligence. In this practice, the amount and types of inherent risk in a vendor engagement determine the scope and frequency of due diligence. Vendors with high inherent risk in areas such as compliance, cybersecurity, and business continuity are therefore evaluated and monitored with more scrutiny and on a more frequent cycle. Document the risk-rating methodology and apply it consistently, because examiners will test whether the rating assigned to a vendor matches the level of review actually performed.
- Include relevant contract provisions – A third-party contract is one of the most effective risk management tools because it sets the standards for the relationship at the outset. Consult with your legal team to determine which provisions must be included to comply with the TPRM regulations that apply to you. Depending on the third-party relationship, you may need to include provisions on incident and data breach notification (with a defined timeline), a right to audit or to receive independent assurance reports, required security controls, notification of material subcontracting, minimum performance standards, and termination and exit assistance so the service can be transitioned without disruption.
Staying on top of TPRM regulations and following these best practices takes effort, but broker-dealers have a lot to gain by implementing a compliant program. Beyond meeting regulatory requirements, broker-dealers gain an effective strategy for protecting their firms and clients against third-party risks and minimizing operational disruptions.