Just as a client performs due diligence on a registered representative before engaging him or her, each broker-dealer must perform different types of due diligence in the course of its business. This can pose a particular burden for smaller firms, which often do not have the compliance staff necessary to conduct specific due diligence responsibilities. For example, a firm must perform appropriate due diligence on every product offered to clients, and must check out every new employee hired. To accomplish these tasks many firms are increasingly retaining third party providers to accomplish these services. While this type of outsourcing is permitted by FINRA, there are certain potential landmines that firms and compliance personnel must consider when delegating this important function. Simply put, any firm must be able to demonstrate that it has first conducted an appropriate due diligence review of its due diligence provider.
In 2010, FINRA reiterated important guidance regarding the outsourcing of operational functions to third party providers, reminding firms of their “continuing responsibility to oversee, supervise and monitor a service provider’s performance.” Factors to be considered should include the experience and the ability of the service provider to perform the outsourced services, the service provider’s reputation and financial status, the effectiveness of the service provider’s privacy and confidentiality controls, and the risk of concentration of functions with any single service provider. In addition, FINRA stressed that:
- Firms must establish controls/procedures to ensure that vendors are in compliance with applicable rules;
- Firms should meet with vendor personnel and management;
- Firms should assign qualified personnel to monitor, review and supervise the activities of the service provider;
- Firms should carefully consider the risks of outsourcing to entities operating in foreign jurisdictions.
Most importantly, entering into an outsourcing relationship does not diminish a firm’s responsibility for its own compliance with securities laws and regulations and Self-Regulatory Organization (SRO) rules. The firm may still be responsible for failures by the outside provider. And any product-based due diligence outsourcing must be especially robust – regardless of product type. As SEC Chairman Mary Shapiro noted in 2008, “Consumers of financial products and services must receive the same level of protection regardless of the product or service they purchase.”
New Product Due Diligence Using a Vendor
This type of review is especially problematic as clients demand (and issuers create) an astonishing array of new products. FINRA’s special concerns surrounding some of these products include:
- Structured Products: Firms must consider the suitability of the security recommended and must carefully review and understand the product itself.
- Alternative Investments: Firms must consider the investment’s liquidity, secondary market availability and transparency, the credit worthiness of issuer and the quality of the underlying collateral.
- Hedge Funds: Firms must investigate manager(s), check references, and evaluate the performance of the fund.
- Non-Conventional Investments: Reliance on the prospectus/disclosure document is not enough, firms must seek additional information, and persons conducting due diligence must have “appropriate training and skill.”
- Reg D Offerings: Firms must consider the issuer and management, the business prospects of the issuer, the claims being made about the investment, the intended use of proceeds, “for each offering not withstanding that a subsequent offering may be for the same issuer.”
New Employee Due Diligence Conducted by a Third-Party Vendor
Earlier this year, the SEC approved a FINRA proposal requiring member firms to beef up background reviews of all new hires. Under new FINRA Rule 3110(e), which took effect on July 1, 2015, firms must adopt written procedures to verify the accuracy of a registered representative’s U4 information. Firms must conduct a search of “reasonably available public records.” The check should cover any criminal history, civil litigation and business records. The background check must be completed within 30 days of a U4 being filed with FINRA. Firms will no doubt be judged on the quality of their background checks – especially if a new hire turns out to be a “bad broker.” Consequently, the due diligence on the new employee must be thorough, and if an outside provider is used to conduct the background check, then the due diligence on that selection must be well-documented. Many small firms will likely need to outsource these due diligence obligations.
Whether the due diligence is on an investment – or a new employee – there will be a lot of information to sift through. So in documenting a firm’s due diligence on any third party provider, what must that firm do to best protect itself from future litigation or regulatory scrutiny? These four decision points are a good starting point:
- Review: Actually review the documents. Do not simply accumulate data on the due diligence provider. You may be called upon to justify the engagement of a particular service provider at a later date by a regulator or in litigation.
- Retain: Maintain well-organized files on each due diligence provider. Make sure that they are complete and as thorough as possible.
- References: Do not rely simply on the information provided by the vendor about their services and qualifications. Indeed, consult with colleagues, competitors and trade organizations. The most important thing to remember is that your firm will be judged on this engagement for many years into the future: leave no (reasonable) stone unturned in the process.
- Revisit and Monitor: One cannot simply engage in this exercise once, hire a third party due diligence provider – and then not revisit the process. Consequently, it is a good idea to redo the vendor search process at logical intervals. Those intervals can be decided by time, product type, or even personnel change at the vendor. Then, watch for “red flags.” Signs that a vendor is not maintaining standards should prompt a follow-up review.
If a broker-dealer does retain an outside vendor to perform compliance for the firm, the agreement for the service should be detailed, and carefully set forth the services and quality standards to be met. If a duty is not assigned to and accepted by the outside provider, it continues to rest on the firm to perform.