Why regulators don't care, why flaky now means flaky later, and why the fine print isn't always so fine
Last week we began a wide-ranging discussion with Aimee Blinder—a 20-year compliance and risk veteran whose primary focus has been in the broker-dealer and registered investment advisor arenas. We tapped her considerable professional knowledge on some of the big picture considerations of working with third-party compliance vendors. You can read the article in full here.
This week we continue picking her brain, but descend from the heights of high-level considerations down into the more nitty-gritty, day-to-day concerns of working with third-party compliance vendors.
REGULATORS DON'T CARE
When it comes to policies and processes, firms both large and small can find it challenging to stay on top of things. "It comes down to resources," says Blinder. "A small shop may literally have just one or two compliance staff members handling all aspects of the program. With big firms there may be more available resources, but big firms may also be less agile due to the layers of process and approval needed to make policy or system changes."
But while firm size shapes how a compliance program is run, all regulated entities must ultimately meet the same standards. "Regulators don't care that you have only two compliance staff members. You can't make the pitch that you should get a pass because you're smaller. Regulations are regulations. It's a level playing field, in that sense. The standards are the same for everyone." This is where compliance tech can make a difference for any financial firm: it brings efficiency and greater overall effectiveness to operations large and small, whatever the staffing structure.
THE POWER OF THE PEER
Most of us, when considering a purchase, especially a large one, will do a considerable amount of research. Part of that research may include reaching out to a peer network. If it's a personal purchase, that peer network may consist of friends and family. If the purchase is related to our job, professional peer networks should likewise be consulted. Blinder: "In my time as a compliance professional, I helped set up and manage third-party relationships of all shapes and sizes. And a great place to start was always reaching out to peers on what vendors they're using. You generally get very candid feedback. If a vendor isn't good, you'll hear about it."
If you're not lucky enough to have a peer network you can depend on in situations like this, FINRA can help. Their Compliance Vendor Directory is a searchable database of industry vendors of all kinds that offers at least a starting point for the peer-network deficient. Again, Blinder: "While not endorsing these vendors, FINRA does provide a listing and general information on some of the better known vendors."
FLAKY NOW, FLAKY LATER
Once you get in touch with a few vendors, it's time to winnow the field. Shoot for a final spread of two to three vendors. Have them complete RFPs and then load them into a spreadsheet so you can get a clear, side-by-side comparison of what each has to offer. Face time with each potential vendor is also very important, and will give you a real feel for how their team operates. "This is hopefully going to be a long-term relationship," says Blinder, "so it's critical you feel good about how you communicate with them. And if they're unresponsive or flaky during the RFP process, then chances are high they'll be even worse once you're a paying customer. Lack of prompt responsiveness during the due diligence process should be a giant red flag."
Of course, it's possible for the selection process to go swimmingly, and the client-vendor relationship to be hunky-dory for a long time, and then things can change. "You can have an established relationship that becomes inconsistent," offers Blinder, "either because certain resources have left or the culture has changed. This is a good reason for ongoing check-ins. Stay in touch with your vendors, even when things are going well. Get face to face. Nothing's ever static in life. You've got to keep checking in on everything. That includes your vendors."
THE FINE, AND NOT SO FINE, PRINT
Once you've kicked the tires and feel ready to proceed with a vendor, don't underestimate the importance of the contract process. The details contained therein will dictate each side's responsibilities going forward. These formal terms also tie into the firm's regulatory obligations. Data privacy, business continuity, recordkeeping practices, access to records, initial and ongoing costs, breach notification and responsibility, and oversight expectations should all be addressed in the final agreement each side signs.
"So much time is spent in due diligence, in terms of sourcing the vendor," says Blinder, "but don't overlook the actual agreement. Vendors will tuck things in there. You have to be careful. And from their standpoint, they're protecting their position. But it really comes down to the two parties: what the obligations are, who has access to what, and ownership. We were always very, very clear on the fact that our vendors were using our data. 'That data belongs to us.' And so, if the vendor goes away, or we the client go away, whatever the terms of termination are, we want to make sure we can access that data."
It may also be tempting to involve only compliance in the contract review process. It will, after all, be your team using the tool. According to Blinder, this is a temptation that should be resisted. "With client-vendor agreements there can be a lot of baked-in assumptions: things that aren't said that need to be made explicit. One mindset, with one perspective on things, might not consider everything that needs to be considered. I'd highly recommend that compliance, legal, and IT all engage in the contract review process, as each team will add value."
And once the agreement is finalized it should be kept where key teams at the firm can access it, because you will need to access it. Blinder: "In my experience, questions about these agreements come up time and time again, either internally or for regulatory audits. And in the case of vendor terminations, you absolutely are going to need to access your agreement. There are times it's taken firms days or weeks to find the agreement. The single copy. Sitting on someone's personal drive. What happens if that person leaves the firm? These agreements need to be on shared, secured drives and readily accessible."
YOU CAN'T OUTSOURCE LIABILITY
Another temptation that needs to be resisted is becoming overly reliant on the vendor's understanding of system tools and settings, if for no other reason than regulatory expectations. "FINRA, as one example, knows and expects that firms will be using third-party vendors," says Blinder. "Regulatory expectation for firms to embrace stronger regtech is increasing. And FINRA in particular has been very clear that firms can't outsource their regulatory obligations. The firm is always liable for all activities and requirements being facilitated on its behalf."
The solution is to treat the third-party vendor tool as if it were your own proprietary tool. "Internally, you have to know who's responsible for your compliance tech," says Blinder. "I've seen it time and again; you set up these relationships, you're going along, and no one's really paying attention and there are no solid procedures. It's all very vague as to who's in charge and what the process is. You need a person, or a team of people, who know the tool and are responsible for it."
"Internal ownership is crucial. From that, everything else flows. You have to view the output of these vendor tools as part of your compliance program. If your third-party tech were a proprietary tool, how would you manage it? You'd have policies. You'd have staff in place to manage it. You'd have resources assigned to it. You'd be concerned about the settings. So why is working with a vendor any different? The answer is, it isn't."
Did you miss part one of our fascinating talk with Aimee Blinder? You can find it here.