Like many other industries, the securities industry has increasingly turned to outsourcing
arrangements in its business operations.
While any outsourcing arrangement can raise a number of legal and regulatory issues, outsourcing arrangements involving broker-dealers face particular regulatory issues
due to the highly regulated nature of the brokerage industry. Although securities
regulators have issued some guidance in the area of outsourcing, the landscape is not entirely clear. As a practical matter, the structure of outsourcing arrangements in the securities industry must be guided not only by the specific guidance on outsourcing,
but also by more general rules and guidance previously issued by regulators, including requirements regarding supervision
and registration.
Background
For many years, securities regulators have permitted broker-dealers, investment advisers,
and investment companies to enter into certain types of outsourcing arrangements. The rules of the Financial Industry Regulatory
Authority (FINRA), which governs member regulation issues for broker-dealers,
expressly permit outsourcing in the form of clearing arrangements.1 In addition,
broker-dealers and investment advisers
are permitted under Securities and Exchange
Commission (SEC) rules and SEC staff guidance to outsource certain of their recordkeeping requirements to third-party vendors.
Many broker-dealers use clearing arrangements,
which allow broker-dealers to operate a securities business without having to invest in the extensive infrastructure necessary
to process, clear, and settle their customers’ transactions. Instead, these so-called “introducing
brokers” outsource back-office functions to clearing brokers that have the necessary capital, infrastructure, and technology, and which, in turn, provide clearing services to a number of different
introducing brokers. The New York Stock Exchange’s Rule 382 and NASD, Inc.’s Rule 2320 expressly permit broker-dealers to enter into clearing
arrangements. Under those rules, the clearing agreement between the introducing broker and the clearing broker must specify the respective functions and responsibilities of each party to the agreement, the allocation of which must be disclosed
to customers.
Participants in the asset management industry also make regular use of outsourcing arrangements. Investment advisers frequently contract with other advisers, so-called “subadvisers,” to obtain certain expertise or services (e.g., to obtain a subadviser’s expertise in a certain type of investment). In addition,
many investment companies outsource certain
regulatory functions to their transfer agents. While practices vary, many investment companies delegate to their transfer agents the responsibility for performing anti-money laundering compliance with respect to the investment companies’ investors
and for enforcing policies on market timing and late trading. In fact, the SEC recognized the role that transfer agents play in mutual fund compliance
by including them as required service providers
in Rule 38a-1 under the Investment Company
Act, which requires mutual funds to establish and implement written policies and procedures for compliance with the federal securities laws by the funds and their service providers.2
SEC Rules also expressly permit broker-dealers to use third parties to maintain and preserve required
records. Specifically, Rule 17a-4(i) under the Securities Exchange Act of 1934 (Exchange Act) permits broker-dealers to use third-party service providers to maintain required records. Under the rule, the broker-dealer must obtain a written undertaking from the service provider to the effect that the records will be made available for examination promptly on request, and must file any such undertakings with the SEC.
By contrast, Rule 204-2(e)(1) under the Investment
Advisers Act of 1940 (Advisers Act) requires investment advisers to keep most of their books and records “in an appropriate office of the investment
adviser.” However, in 2005, the SEC staff granted no-action relief in this area, stating that it would not recommend enforcement action
against an investment adviser to hedge funds for using a third-party administrator to maintain and preserve the adviser’s required books and records,
provided that (a) the administrator acts as a service provider to the adviser in maintaining, preparing, organizing or updating the adviser’s records
for the adviser’s ongoing use in its business, and does not merely provide long-term storage of the records; and (b) on request of the SEC staff, the records are produced promptly for the staff at the appropriate office of the adviser or an office of the administrator.3
This article provides a description of recent studies on outsourcing practices and arrangements
in the securities industry, both by U.S. regulators
and international bodies. Next, the article describes the initiatives taken and guidance issued by U.S. securities regulators regarding outsourcing arrangements. Finally, the article provides practical
guidance for market participants to consider with respect to securities industry outsourcing arrangements.
Recent Studies on Outsourcing Practices
Survey by U.S. Self-Regulatory Organizations — In October 2004, prior to the creation of FINRA as the self-regulatory organization (SRO) responsible
for member regulation issues, its predecessor organizations – the member regulatory operations of NASD and NYSE — conducted a joint survey of member firms’ outsourcing practices. The survey requested information about the types of activities being outsourced and the nature of the third-party service providers being used. To that end, the survey
covered both general and specific areas, including
whether functions are outsourced to foreign locations, whether service providers are affiliated
entities, the regulatory status of the service providers,
and the economics of the outsourcing arrangement.
When NASD and NYSE announced the results of their survey in 2005, they indicated that broker-dealers frequently outsourced functions associated
with accounting and finance (payroll, expense account reporting, etc.), legal and compliance,
information technology (IT), operations functions (e.g., statement production, disaster recovery
services, etc.), and administrative functions (e.g., human resources, internal audits, etc.).4 In addition, the survey indicated that approximately two-thirds of the third-party vendors used by survey
participants were regulated entities, subject to the jurisdiction of the SEC, NASD, NYSE, the Board of Governors of the Federal Reserve System,
or the Office of the Comptroller of the Currency.
The remaining third-party vendors were unregulated entities located both inside and outside
the United States. Both NASD and NYSE stated that, in many instances, broker-dealers had not implemented written procedures to monitor the outsourcing of services or formalized a due diligence process to screen service providers for proficiency. In addition, NASD and NYSE stated that many service providers used in broker-dealer outsourcing arrangements lacked business continuity
plans.
Reports Issued by International Bodies — In February 2005, two international bodies, the International Organization of Securities Commissions
(IOSCO) and the Basel Committee on Banking Supervision (Basel Committee), issued their own reports on the topic of outsourcing. IOSCO is composed of global securities regulators,
including the SEC, and its purposes include cooperating and exchanging information in an effort to promote high standards of regulation in order to maintain just, efficient, and sound markets. The Basel Committee’s objective is to enhance understanding of key supervisory issues and improve the quality of banking supervision worldwide. Among the Basel Committee’s members
are the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Federal Reserve Bank of New York, the Office of the Comptroller of the Currency,
and the Office of Thrift Supervision.
IOSCO Report
IOSCO’s report, entitled Principles on Outsourcing of Financial Services for Market Intermediaries,5 set forth four "fundamental precepts" and seven "outsourcing principles" regarding outsourcing arrangements by market intermediaries (e.g., broker-dealers).
Fundamental Precepts — The fundamental precepts set forth in the IOSCO report covered four areas: Materiality of Outsourcing, Accountability and Scope of Outsourcing, Outsourcing to Affiliates, and Outsourcing on a Cross-Border Basis.
Materiality of Outsourcing — IOSCO stated that its outsourcing principles should be applied
according to the degree of materiality of the outsourced activity to the ongoing business of the broker-dealer and its regulatory obligations.
In addition, IOSCO stated that the assessment
of what is material is often subjective
and depends on the circumstances of the particular firm, and that factors to be considered
should include, among other things: (1) financial, reputational and operational impact on the firm of the failure of a service provider to perform; (2) potential impact of outsourcing
on the provision of adequate services to a firm’s customers; (3) potential losses to a firm’s customers on the failure of a service provider to perform; and (4) impact of outsourcing the activity on the ability and capacity of the firm to conform to regulatory requirements and changes in requirements.
Accountability and Scope of Outsourcing — Like U.S. securities regulators, IOSCO adopted the concept that a broker-dealer retains
“full legal liability and accountability to the regulator for any and all functions that the firm may outsource to a service provider
to the same extent as if the service were provided in-house.” IOSCO stated that the broker-dealer should develop and implement appropriate policies designed to achieve satisfaction
of the outsourcing principles, periodically
review the effectiveness of those policies,
and address outsourcing risks in an effective and timely manner. In addition, IOSCO stated
that the firm must retain the competence and ability to be able to ensure its compliance with all regulatory requirements.
Outsourcing to Affiliates — The IOSCO report
acknowledged that the risks associated with outsourcing activities to an affiliated entity within a corporate group may be different
than those encountered in outsourcing to an unaffiliated external service provider and that, in certain cases, risks may not be as pronounced within an affiliated group. IOSCO also noted, however, that intragroup outsourcing may be less than an arm’s-length relationship, and the broker-dealer (and its customers) may have different interests than the affiliated service provider. While IOSCO concluded that it is necessary to apply the outsourcing principles to affiliated entities, the report also indicated that it may be appropriate
to adopt them with some modification
in those cases.
Outsourcing on a Cross-Border Basis — The IOSCO report noted that, with respect to outsourcing
on a cross-border basis, there may be additional concerns that are not necessarily
present in cases where the service provider is in the same jurisdiction as that of the outsourcing
broker-dealer. IOSCO also stated that the use of a foreign service provider may necessitate an analysis of economic, social or political conditions that might adversely affect
the service provider’s ability to perform effectively for the broker-dealer. In light of these stated concerns, IOSCO noted that outsourcing
on a cross-border basis may raise additional issues that should be addressed during the due diligence process, as well as during the implementation of a contract with a foreign service provider. The report stated further that special consideration and procedures
may be necessary with respect to other issues relating to the use of a foreign service provider, such as the provision of books and records maintained in a foreign jurisdiction, as well as issues relating to the translation of such books and records.
IOSCO’s Outsourcing Principles — The principles
adopted in the IOSCO report address specific topics regarding outsourcing. A number of these principles echo those identified in the joint SRO survey, and later included in regulatory guidance and proposals issued by U.S. regulators.
Due Diligence — A broker-dealer should conduct suitable due diligence processes in selecting an appropriate third-party service provider and in monitoring the service provider’s
ongoing performance.
Contract with a Service Provider — There should be a legally binding written contract between the broker-dealer and each third-party service provider, the nature and detail of which should be appropriate to the materiality
of the outsourced activity to the ongoing business of the broker-dealer.
Information Technology Security and Business Continuity — The broker-dealer should take appropriate measures to determine that (a) procedures
are in place to protect the outsourcing firm’s proprietary and customer-related information
and software; and (b) the service providers
establish and maintain emergency procedures
and a plan for disaster recovery, with periodic testing of backup facilities.
Client Confidentiality Issues — The broker-dealer should take appropriate steps to require that service providers protect confidential information regarding the firm’s proprietary and other information, as well as the firm’s clients, from intentional or inadvertent disclosure to unauthorized individuals.
Concentration of Outsourcing Functions — Regulators should be cognizant of the risks posed where one service provider provides outsourcing
services to multiple regulated entities.
Termination Procedures — Outsourcing with third-party service providers should include contractual provisions relating to termination
of the contract and appropriate exit strategies.
Basel Committee Report
In its report on outsourcing in the financial services industry,6 the Basel Committee followed an approach similar to that of IOSCO in that the Committee adopted a set of “guiding principles” regarding outsourcing arrangements, rather than suggesting prescriptive requirements. The Basel Committee’s guiding principles largely cover the specific areas noted by IOSCO. However, one of the Basel Committee’s guiding principles addressed
outsourcing arrangements from a corporate
governance standpoint. Specifically, the Basel Committee stated that a regulated entity seeking
to outsource activities should have in place a comprehensive policy to guide the assessment of whether and how those activities can be appropriately
outsourced. In addition, the Basel Committee stated that the board of directors or equivalent body retains responsibility for the outsourcing
policy and related overall responsibility for activities undertaken under that policy.
U.S. Regulatory Guidance and Initiatives
Overlay: Functions May Be Outsourced, Responsibilities May Not — While commentary on the subject has addressed a variety of market participants, U.S. regulatory initiatives to date have focused on outsourcing arrangements involving
broker-dealers. In this regard, securities regulators’ historical recognition of outsourcing arrangements is grounded in the well-settled notion
that, while broker-dealers may outsource the performance of certain functions, they are not permitted to outsource or otherwise delegate their ultimate regulatory responsibilities.7 As an example,
many broker-dealers use third-party service providers to produce and send transaction confirmations
to customers. However, it is clear that the broker-dealers retain the ultimate responsibility
to send the confirmations, even if the service provider fails to perform.
SRO Initiatives — In July 2005, NASD issued a Notice to Members to remind NASD member firms of their existing responsibilities when outsourcing activities to third-party service providers.8 NtM 05-48, which remains in effect as guidance of FINRA, takes a principles-based approach to outsourcing that emphasizes establishing controls around outsourced functions rather than imposing specific requirements and detailed prohibitions on outsourcing specific functions.
On March 16, 2005, NYSE filed a proposed rule change with the SEC to implement specific conditions to be satisfied by NYSE member firms in connection with outsourcing arrangements with service providers,9 and subsequently filed two amendments to the proposal.10 In addition to the two formal filings with the SEC, a number of preliminary drafts of the proposal were circulated informally to industry representatives over a two-year period.
In contrast to FINRA’s guidance, NYSE’s proposal
followed a prescriptive approach that included
broad prohibitions on outsourcing specific types of functions. Because of the highly prescriptive
nature of the requirements, as well as uncertainty
regarding the actual scope of the prohibitions,
NYSE’s proposal generated considerable controversy and concern among member firms about their practical ability to comply with the requirements. Possibly as a result of that controversy,
the SEC never published NYSE’s proposal, and there have been indications that FINRA will not be moving forward with the proposal. Nevertheless,
certain portions of the proposal may be informative in considering specific aspects of outsourcing
arrangements in light of the principles set forth in FINRA’s guidance.
FINRA Guidance: Notice to Members 05-48
FINRA’s interpretive guidance addresses outsourcing
in the context of broker-dealers’ existing supervisory obligations under NASD Rule 3010.11 As a general matter, FINRA reminded member firms of its view that outsourcing covered activities in no way diminishes a member’s responsibility for either its performance or its full compliance with all applicable federal securities laws and regulations
and FINRA rules. In particular, NtM 05-48 addresses two general areas with respect to outsourcing
arrangements: supervisory responsibility for outsourced functions; and activities and functions
that are prohibited from being outsourced.
Supervisory Responsibility for Outsourced Functions — NtM 05-48 states that, if a member firm outsources “covered activities,”12 the member’s
supervisory system and written supervisory procedures must include procedures regarding its outsourcing practices to ensure compliance with applicable securities laws and regulations and FINRA rules. FINRA states that the required procedures
should include, without limitation, a due diligence analysis of all of its current or prospective
third-party service providers to determine whether they are capable of performing the outsourced
activities.
NtM 05-48 provides further that FINRA member
firms have a continuing responsibility to oversee,
supervise, and monitor the service provider’s performance of covered activities. In particular, member firms must have in place specific policies and procedures that will monitor the service providers’
compliance with the terms of any agreements
and assess the service provider’s continued fitness and ability to perform the covered activities
being outsourced. In addition, NtM 05-48 provides that member firms should ensure that FINRA and all other applicable regulators have the same complete access to the service provider’s work product for the member as if the covered activities had been performed directly by the member firm.
FINRA also stated in NtM 05-48 that member firms should establish specific policies and procedures
to determine whether any covered activities that the member is contemplating outsourcing are appropriate for outsourcing. To that end, FINRA suggested that, to determine the appropriateness of outsourcing a particular activity, member firms may want to consider certain factors, such as the financial, reputational, and operational impact on the member firm if the third-party service provider fails to perform; the potential impact of outsourcing
on the member firm’s provision of adequate services to its customers; and the impact of outsourcing
the activity on the ability and capacity of the member firm to conform with regulatory requirements and changes in requirements.
Functions and Activities Prohibited from Being Outsourced — In NtM 05-48, FINRA expressed the view that the performance of covered activities
requiring qualification and registration cannot
be deemed to have been outsourced because the person performing the activity is an associated person of the member firm irrespective of whether such person is registered with the member. However,
FINRA recognized an exception from this requirement where a third-party service provider is separately registered as a broker-dealer and the contracted arrangement between the member firm and the service provider is contemplated by FINRA rules, the rules of the Municipal Securities Rulemaking Board, or applicable federal securities
laws or regulations (e.g., a clearing arrangement
executed pursuant to NASD Rule 3230 or NYSE Rule 382 between a member firm and a clearing broker).
FINRA stated that a member firm may never contract its supervisory and compliance activities away from its direct control. However, FINRA also stated that this general prohibition does not preclude a member firm from using a supervisory system designed by another party (e.g., a computer software program that detects excessive trading in customer accounts). In those cases, the member firm must make its own determination that the system implemented is current and reasonably designed to achieve compliance as required under Rule 3010.
NYSE Proposal
In its 2005 filing and subsequent amendments, NYSE proposed a new Rule 340 regarding outsourcing arrangements. In contrast to the principles-based guidance in NtM 05-48, NYSE’s proposal would have imposed a highly rules-based regime around its member firms’ outsourcing arrangements.
As proposed, Rule 340 would have imposed specific requirements and prohibitions in four general areas: (1) prohibitions on functions that could be outsourced; (2) due diligence requirements;
(3) prior written notification requirements; and (4) oversight. Although there are strong indications
that the NYSE proposal will not be moving
forward in its original form, certain aspects of the proposal, particularly the prohibited functions
and the due diligence requirements, may be instructive in assessing whether specific portions of an outsourcing arrangement conform with the principles set forth in NtM 05-48.
Functions and Activities Prohibited from Being Outsourced — Under NYSE’s outsourcing proposal,
member firms would have been prohibited from outsourcing what NYSE considered certain essential functions. The prohibitions focused on functions relating to certain key regulatory requirements,
including supervision and protection of customer property. Most notably, NYSE would have prohibited its member firms from outsourcing
the following functions and activities:
Establishing supervisory principles or exercising supervisory or compliance responsibilities (including those arising under NYSE Rule 342);
Activities that require registration with, or qualification by, NYSE, including the performance of functions customarily performed by principal executives including the chief executive officer, chief financial officer, chief operations officer, and chief compliance officer;
Control over cash or securities of the member firm or its customers;
Control over the accuracy and integrity of the books and records of the member firm;
Control over compliance with the SEC’s financial responsibility rules; and
“Non-ministerial” clearing and custodial services.
Due Diligence Requirements — Under the NYSE proposal, member firms outsourcing regulated
functions and activities would have been subject to a prescribed due diligence standard made up of mandatory elements that would have to be considered in making the outsourcing arrangements.
Unlike NASD’s principles-based approach to due diligence and IOSCO’s general statement of principle regarding due diligence, NYSE’s proposal provided that if any of the due diligence factors were not applicable, the member firm would be required to specify each such factor and state the reason for its exclusion.13 Although NYSE’s requirements have not been adopted, the proposal’s list of factors to be considered is helpful as a roadmap for conducting the due diligence review of a securities industry outsourcing arrangement. Specifically, NYSE’s proposal set forth the following factors to be considered in a due diligence review:
The experience and ability of the service provider to perform the services being provided;
The adequacy of the written agreement governing the terms of the outsourcing arrangement, including material terms as well as corrective and exit strategy or transition provisions;
If the service provider is a regulated entity, its reasonably available record of regulatory compliance;
If the service provider subcontracts services under the arrangement, the ability of the subvendors to perform the services in a manner consistent with the requirements of the NYSE proposal;
The service provider’s reputation and financial status;
The service provider’s internal controls related to the services to be provided;
The adequacy of the service provider’s business continuity plan;
The extent of insurance coverage maintained by the service provider with respect to losses arising from the service provider’s performance of the services provided;
The effectiveness of the service provider’s privacy and confidentiality controls;
Effective access by NYSE and other applicable regulators to the information, policies and records produced pursuant to the arrangement and on behalf of the member firm and, when necessary, to the pertinent facilities and operations of the service provider;
The ability of the member firm to monitor the level of service over time; and
The risk of concentration of functions by a member firm in any single service provider.
NYSE’s proposal also provided that, if the service
provider was located or performing contemplated
services outside of the United States, the member firm’s due diligence would have to include
an assessment of the impact of the laws and business practice of the jurisdiction to which the service provider is subject, and the political and legal factors that may bear on the service provider’s
ability to perform the contracted services.
Prior Written Notification — Under the NYSE proposal, a member firm generally would have been required to provide prior written notification to NYSE when outsourcing “regulated functions and activities,” which were defined generally as “functions or activities essential to its functioning as a broker-dealer.”14 However, the prior written notification requirement would not have applied where regulated functions and activities were outsourced to any registered or regulated foreign or domestic entity, and where the outsourcing arrangement
involves the regulated services or expertise
that are the specific subject of such registration
or regulation.
Oversight Responsibilities — NYSE’s outsourcing
proposal included a number of specific requirements
regarding the member firm’s oversight of outsourced functions and activities. In particular, member firms would have been required to appropriately
oversee and monitor the service provider’s performance of functions outsourced, the service provider’s compliance with the terms of the contract,
and its continued fitness and ability to provide
the services being contracted. Member firms also would have been expressly prohibited from seeking or purporting to disclaim responsibility for any regulated functions or activities outsourced to a service provider. Additionally, member firms would have been required to promptly consult with NYSE if they became aware of any impending
or reasonably foreseeable disruption or failure in the provision of a regulated function or activity that had been outsourced and that might give rise to a violation of SEC or NYSE Rules.
Practical Questions to Consider in Securities Industry Outsourcing Arrangements
Although U.S. securities regulators have not established specific rules for broker-dealer outsourcing
arrangements, the various studies and regulatory initiatives that have been put forward
over the last several years have a number of common themes that apply well to these arrangements. In considering the regulatory implications of an outsourcing arrangement, broker-dealers should take into account four important factors: (1) the functions and activities that will be outsourced; (2) the due diligence review of the service provider; (3) the contract between the broker-dealer and the supervisor; and (4) the structure for oversight of the service provider’s performance.
What Are the Functions and Activities to Be Outsourced? — At the outset of any outsourcing arrangement, broker-dealers will want to create an inventory of the specific functions and activities
to be outsourced. All of these functions and activities should be analyzed to consider the potential
regulatory impact of outsourcing them to a service provider.
Certain types of functions will always be of particular interest to regulators in the context of outsourcing arrangements. For example, although
the specific prohibitions in NYSE’s outsourcing
proposal were not adopted, certain of the prohibited functions would ordinarily raise questions with regulators if they were included in an outsourcing arrangement, including functions
involving control over cash or securities of the member firm or its customers, or control over compliance with the SEC’s net capital and customer protection rules. Moreover, as noted below,
securities industry outsourcing arrangements always should include appropriate oversight controls
over the service provider’s performance. In an outsourcing arrangement that raises key regulatory
issues, such as access to customer property or to confidential customer information, regulators
are likely to expect oversight controls that are stricter and more detailed than they might have to be over a non-regulatory function. For example, in an outsourcing arrangement involving such key regulatory issues, regulators are likely to expect
the regulated entity to conduct frequent and regular review (e.g., weekly or daily) of the service provider to make sure that customer protections are not being breached.
Broker-dealers also should take particular care to determine whether functions in an outsourcing arrangement will create registration issues for the service provider. Certain types of functions and activities will always raise broker-dealer registration
issues, such as functions involving soliciting accounts, accepting customer orders, or other activities involving direct contact with customers
and investors. However, outsourcing arrangements
also can raise broker-dealer status issues by virtue of the compensation structure rather than the particular functions at issue. For example, a service provider could be subject to broker-dealer registration if it receives transaction-based compensation
for its services, regardless of the specific
functions or activities in question. Such an arrangement also could create issues for the broker-dealer under NASD Rule 2420, which prohibits member firms from sharing commissions with persons or entities that are not registered broker-dealers.
Arrangements that raise regulatory issues are not necessarily prohibited by securities regulators. However, any such arrangements must be structured
carefully in order to minimize the impact of those issues. In particular, the service provider may have to be a registered broker-dealer, and the firm engaging the provider may have to treat the service provider as an “associated person” for the purposes of compliance with applicable rules, and include that entity in its overall supervisory structure.
Has There Been Adequate Due Diligence? — A common theme of all of the regulatory guidance and studies on outsourcing has been the importance of a thorough due diligence review. Although regulators have not adopted specific due diligence requirements, certain core notions appear throughout the guidance from regulators and commentators, particularly the need to review the experience and operational ability of the service provider, as well as the service provider’s reputation and financial status. In any outsourcing arrangement where the service provider will have access to customer information, the due diligence examination should include a careful review of the service provider’s privacy and confidentiality controls. Additionally, where the outsourcing arrangement involves a non-U.S. service provider, or activities to be performed outside the United States, the due diligence should include, as suggested in NYSE’s proposal, a review of the impact of the laws and business practice of the jurisdiction (especially privacy laws) and the political and legal factors that may bear on the service provider’s ability to perform the outsourced services.
In the end, the extent of the due diligence review obviously will depend on the nature and scope of the outsourcing arrangement. And in any event, the due diligence review should be well documented, in writing, to provide assistance if necessary in conversations and correspondence with regulators.
Is the Outsourcing Arrangement Adequately Documented? — Though it has not been specifically required by any of the existing regulatory guidance, the various commentators on broker-dealer outsourcing all have noted the importance of detailing the outsourcing arrangement in writing.
As is the case with any outsourcing arrangement, the written agreement should detail the specific services to be provided, the service levels to be maintained by the service provider, the broker-dealer’s ability to audit the service provider and its subcontractors, and the broker-dealer’s exit rights. However, the broker-dealer also should make sure that the agreement sufficiently details regulatory matters, such as access to books and records, compliance with applicable securities regulations, and any receipt of applicable regulatory approvals or licenses.
A written agreement not only provides legal protection to the broker-dealer, but also can help demonstrate to regulators that the broker-dealer has adequately considered all of the regulatory issues raised by the arrangement. Moreover, a carefully drafted agreement will help demonstrate that the broker-dealer has adequately considered the operational impact of a service provider’s failure to perform.
Does the Arrangement Include Appropriate Oversight Controls? — While securities regulators have expressly permitted outsourcing arrangements in certain cases, they have been clear in their guidance that even when functional responsibility may be outsourced to a service provider, legal responsibility may not. For example, a broker-dealer can outsource its functional responsibility to deliver trade confirmations and customer account statements, but the broker-dealer remains responsible for compliance under the applicable regulatory requirements if the service provider does not fulfill that functional responsibility.
Securities regulators also have been clear that broker-dealers must establish specific controls for oversight, supervision, and monitoring of the service provider’s performance. However, regulators have given firms flexibility to determine the particular types of controls that are appropriate to the broker-dealer and to the outsourcing arrangement itself. Controls over outsourcing arrangements should be set forth in writing, and should provide for review and testing of the service provider’s performance. In addition, securities regulators will expect the same access to records produced by the service provider that they would have if the records were produced by the regulated entity.
Conclusion
A survey of the current regulatory landscape reveals that broker-dealer outsourcing arrangements have to be considered in light of both the specific regulatory guidance governing such arrangements and the regulatory requirements governing other aspects of the firm’s operations. And while the regulatory landscape continues to evolve, regulators and commentators have enunciated a core set of principles and guidance to inform the terms of any securities industry outsourcing arrangement.
Notes
On July 30, 2007, the member regulation functions of NASD, Inc. (NASD) and the New York Stock Exchange LLC (NYSE) were consolidated into a single self-regulatory organization, FINRA. The FINRA rulebook currently includes all NASD Rules, including Rule 3230, which governs clearing agreements. In addition, the FINRA rulebook includes certain NYSE Rules that FINRA has incorporated, including NYSE Rule 382, which governs clearing agreements.
See Letter to ABA Subcommittee on Private Investment Entities (December 8, 2005).
NASD and NYSE announced their findings from the survey in regulatory guidance and proposals issued in 2005, which are discussed below.
The IOSCO report was issued by IOSCO’s Technical Committee and is available at www.iosco.org.
See Outsourcing in Financial Services, Basel Committee on Banking Supervision (February 2005), available at www.bis.org/bcbs/index.htm. The Basel Report was produced by The Joint Forum, which consists of the Basel Committee on Banking Supervision, IOSCO, and the International Association of Insurance Supervisors.
See Securities Exchange Act Release No. 18497 (Feb. 19, 1982), 47 FR 8284 (Feb. 25, 1982) (approving NYSE Rule 382 and stating that “no contractual arrangement for the allocation of functions between an introducing and carrying organization can operate to relieve either organization from its respective responsibilities under the federal securities laws”); see also SEC Staff Legal Bulletin No. 8 (Sept. 9, 1998) (addressing technological issues relating to the October 1997 market drop and stating that broker-dealers “are not excused from taking the steps necessary to ensure that adequate systems are in place merely because they rely on outside vendors”).
NASD Notice to Members 05-48 (July 2005) (NtM 05-48), available at www.finra.org.
File No. SR-NYSE-05-22, available at www.nyse.com.
On February 16, 2007, NYSE filed Amendment No. 1 to its proposal. On April 12, 2007, NYSE filed Amendment No. 2 to its proposal.
NASD Rule 3010 provides generally that each member firm must establish and maintain a system to supervise the activities of each registered representative, registered principal, and other associated person that is reasonably designed to achieve compliance with applicable securities laws and regulations, and with applicable NASD Rules.
The term “covered activities” is defined to include order taking, handling of customer funds and securities, and supervisory responsibilities under NASD Rules 3010 and 3012, and any other activities that, if performed by the member itself, would be subject to the supervisory procedures requirements of Rule 3010.
In addition, NYSE’s proposal provided that, in determining the level of due diligence appropriate for the selection of a service provider that controls, is controlled by, or is under common control with the member firm, the member firm would be required to use its reasonable discretion in the effectuation of its review processes, guided by the specified due diligence standards.
The notification would have included the identity and location of the service provider; the service provider’s regulator, if any; the nature of the service to be provided; any affiliation with the service provider; and a brief or summary description of the relevant controls maintained by the service provider related to the specific services proposed to be provided.
About the Author
John V. Ayanian is a Partner and Theodore R. Lazo is an Associate in the Washington, D.C. Office of Morgan, Lewis & Bockius LLP. The authors thank Jared Minsk, an Associate at Morgan Lewis, for his assistance in the preparation of this article. Contact: jayanian@morganlewis.com.