Broker-dealers and other financial service firms using third-party service vendors, whether to reduce costs, enhance performance, and obtain access to specific expertise, and perform vital functions, sounds good in most instances. But doing so is not without risks.
FINRA’s recent disciplinary action against Ameriprise, tagging it with a censure and fine of $525,000, is a reminder of inherent risks when firms fail to monitor outsourced service work to third parties. In settling with Ameriprise (through an Acceptance Waiver and Consent, FINRA Case # 2011029100301) FINRA found that Ameriprise, in approximately 580,000 transactions, failed to timely deliver mutual fund prospectuses to its customers within three business days of their purchases. FINRA also found Ameriprise to have failed to establish and maintain adequate supervisory systems and written supervisory procedures that should have reasonably monitored and ensured the timely delivery of mutual fund prospectuses — a requirement of Section 5(b)(2) of the Securities Act of 1933.
As FINRA noted, Rule 10b-10, promulgated under Section 10(b) of the Securities Exchange Act of 1934, requires a broker-dealer to provide to the customer, in writing, certain information “at or before completion of such transaction” and that transactions are complete when they settle. Rule 15c6-l(a) provides that securities transactions settle in three business days, unless otherwise specified. Consequently, a broker-dealer must deliver a prospectus to a customer who has purchased a mutual fund no later than three business days after the transaction.
What are the compliance takeaways from the Ameriprise action? How does a firm avoid or mitigate legal, reputational and operational risks to its business when dealing with outside vendors?
First, firms should make sure they hire qualified vendors and that such relationship are structured to avoid operational problems. Expectations on both sides need to be clearly articulated. Second, monitor frequently and document that the outsourced activity is being properly managed.* Appropriate oversight ensures that the third-party program is meeting its regulatory purpose. Third, document and make sure that the third-party has adequate internal controls. Finally, make sure that the vendor has a contingency plan in the event of a disruption, and make sure that you do the same.
In the end, while day-to-day management of a service like sending the prospectus can, in some instances, be transferred to a third party, ultimate responsibility for any compliance requirement cannot be delegated and remains with the financial service firm.
*Outsourcing Financial Services Activities: Industry Practices to Mitigate Risks, Federal Reserve Bank of New York, October 1999, p. 5, available online.; Outsourcing By Financial Services Firms, Broker-Dealer Regulation (Second Edition) Practicing Law Institute, C.E. Kirsch.