Third-party risk management is rightfully a key priority for banking regulators like the Office of the Comptroller of the Currency (“OCC”). It should be considered a material operational risk alongside business continuity, cybersecurity, and more. Some banks use thousands of vendors, including affiliates, to operate their businesses and deliver the solutions and convenience that the market demands. Every one of the many thousands of service providers a bank may use exposes it to different levels of risk, some of which can be serious and costly. This is why banking regulators are requiring strong, risk-based due diligence and ongoing monitoring before and after a third party is hired.
Bank asset management groups leverage many third parties or affiliates. In particular, broker-dealers prove to be critical vendors who effect trades, provide retail non-deposit investment products for bank customers, and obtain research on various securities and markets to help portfolio managers make informed investment decisions.
On December 7, 2018, the Financial Industry Regulatory Authority (“FINRA”) issued a report summarizing its examination findings for the year. This report, according to a press release, "includes a collection of FINRA’s observations from recent examinations [of broker-dealers] that it considers worth highlighting because of their potential significance, frequency, and impact on investors and the markets." The purpose of this report is to help broker-dealers more easily comply with applicable rules and regulations by learning from the mistakes of their peers. It may prove beneficial for banks to also leverage the findings in this report when evaluating whether or not to do business with a specific broker-dealer.
What You Should Know
In the report, FINRA highlights numerous concerns that could expose bank asset management groups to risk if left unchecked and uncontrolled. Here’s a list of FINRA's findings, and why banks should care.
A bank never wants to hear about pervasive best execution issues at a broker-dealer, but it does happen. According to FINRA, “firms failed to assure that order flow was directed to markets providing the most beneficial terms for their customers’ orders.” Bank asset management groups are accountable for best execution, so it’s worth their time to investigate how their broker-dealers control the quality of their customers’ orders.
FINRA continues to see evidence of unsuitable recommendations to customers, including but not limited to uninformed investment decisions, overconcentration in complex structured notes or similar securities, and excessive trading. FINRA’s report in this area uncovered many control weaknesses specific to the sale of variable annuities. Banks operating retail non-deposit investment sales programs should care about this finding and ensure they have mechanisms in place to oversee the activities of registered representatives.
Abuse of Authority
FINRA identified numerous instances where brokers executed transactions without the proper authority, and in some cases attempted to cover up their wrongdoing. The risk this poses to banks whose brokers engage in this fraudulent activity is obvious. Banks should ensure controls are in place at the broker-dealer to prevent or detect unauthorized transactions.
FINRA requires a certain level of net capital to protect customers in the event a broker-dealer fails. FINRA identified incorrect net capital computations resulting in misreporting to vendors and other interested parties. A vendor’s financials are important to a bank’s hiring decision.
Safeguarding Customer Assets
FINRA found it difficult for some firms to segregate client assets from the broker-dealer’s proprietary activities. This becomes an issue for banks if a broker-dealer fails and creditors go after client and firm assets since they are commingled. This also increases the risk that client assets are misappropriated.
FINRA identified firms with inaccurate confirmations due to insufficient supervisory programs. Banks rely on these confirms to comply with regulations. It’s important that banks are aware of these issues at their broker-dealers.
FINRA’s broker-dealer “report card” includes risk areas that all banks should consider for their third-party risk management programs. Knowing this information can benefit banks and the customers they serve.
How ACA Can Help
ACA’s vendor management outsourcing service (VMOS) provides a combined white-glove service and technology solution that allows your firm to offload the vendor due diligence and risk assessment process. Our team of experienced information security risk analysts can administer due diligence questionnaires (DDQ), analyze DDQ responses, identify vendor risks, and report on results so your company can focus on more strategic tasks. Our tailored DDQs include over 300 questions and are customized for each vendor type to provide an accurate assessment of possible risks. Our service also includes a vendor management platform that allows you to track progress and view findings.
For More Information
If you have questions or would like to learn more, please contact Roy Kim at firstname.lastname@example.org
About the Author
Roy Kim joined ACA’s Diversified Financial Services practice in 2018 as the Director of Banking Asset Management. Prior to ACA, Roy served in the Office of the Comptroller of the Currency as Examiner-in-Charge and Functional Examiner-in-Charge for a portfolio of trust banks and divisions. Specifically, he developed and led the execution of supervisory strategies for his portfolio and assisted other examiners with similar activities. In addition, Roy led the development of regulatory technology at the OCC that enabled examiners to supervise fiduciary activities more efficiently and effectively.
In his career, Roy has also worked as part of the first, second, and third lines of defense as a risk, compliance, and audit leader. In this capacity, Roy helped organizations within the asset-management industry identify, assess, mitigate, and monitor risk by, among other things, applying his programming skills and building tools to automate risk and control monitoring and validation. Roy earned his Bachelor of Science degree in Finance from the University of Maryland at College Park.