FINRA is the largest independent regulator for all securities firms doing business in the United States and its recent proposed rule changes are rattling the world of outsourcing. So what happens when you mix these proposed FINRA regulatory rule changes, a well-known outsourcing partner from law firm powerhouse Loeb & Loeb, LLP, and the HfS Governator?
Well, today’s discussion, reserved especially for your weekend reading pleasure, is co-authored by Akiba Stern and Tony Filippone and focused on getting the dirty, detailed work of governance done right. And for any of you who have the good fortune of never having met Akiba, he is the most feared sight for any service provider around the negotiating table. Don't let the Jewish jokes and Manhattan charm fool you - this rabbinic lawyer can lobotomize the lox and matzah balls from any proposed litigation. Apologies, Akiba, but when you send us in a picture of Charlie Sheen for your mugshot, you're asking for trouble :)
Anyway, who knew that you could have this much fun making regulations meaningful...
Libertarians, Outsourcing and Lobotomies (LOL) and FINRA
There is a vocal group of "anything goes" executives that say crazy things like, "It's not my problem anymore. It is my vendor's problem." and "You hired us to manage this. Don't stick your nose in my business." These executives are the libertarians of outsourcing.
For some bizarre reason, they view an outsourcing contract as a lobotomy. Apparently, they believe that, upon signing a contract, they instantaneously have no responsibility to ensure their vendors have the expertise to perform the work or to ensure the outsourced function performs as expected.
Year after year, the buy-side responsibility-lobotomized libertarians do as little work as possible. They look at SLAs and assess performance credits, and angrily call with complaints. Their site audits are international junkets, resembling the Fiesta Bowl marketing “events”. These libertarians eschew statistical methods of quality auditing and rigorous, frequent performance management processes in favor of annual qualitative bitch sessions performance appraisals. The effort to compete renewals is too internally politically overwhelming and the thought of a vendor-to-vendor transition is stroke inducing, no matter the level of incompetence.
The sell-side responsibility-lobotomized libertarians are no more motivated. They direct services to new facilities their clients have never seen, to team members their clients have never met, and subcontract the services to vendors their clients have no idea exist. They use systems that are supposedly best in class and used by other “leading organizations”, but are surprisingly feeble and the reporting is rarely insightful. If a performance hiccup occurs and service credits are given, service credit earn back clauses give these lazy people a chance to paper over damage done to their customers' customers next month.
Get Hands On, Get It Done Right
We come from the school of "hands on governance and vendor management." It's not good enough to be a coach, field the team, and hope for the best. You have to run the sidelines. You have to be the referee on the field ensuring you're always close to the action. Sometimes, you even need to suit-up and play the game to get a first-hand understanding of the pace, effort, and activities of a real athlete.
So, we have a different perspective: You cannot lobotomize yourself when you outsource a function. You cannot hand over your function to a service provider, structure a nasty limit of liability clause placing the onus of regulatory fines and customer lawsuits on your service provider, neglect your outsourced operation, and then punish your service provider for failure to perform. No matter how core or non-core your outsourced function, you have a fiduciary responsibility to proactively ensure it operates as it should.
And ... how hard is it really? Why can’t you have a set of critical metrics you review with the service provider month after month? Why can’t you have the service provider’s key players (their operations team, not their snake oil salespeople) meet with their counterparts EVERY MONTH and go over those metrics, variances from budget, services problems, overbilling, opaque billing, negative trends, etc. Okay, maybe it’s boring but that’s why you are making the big bucks (Or at least that’s why you got saved from being riffed or moved to Bangaluru by your Rabbi in the executive suite. So you really need to do some work and add value to justify your cost – which otherwise reduces the business case results!)
Regulators Mandate Hands On Governance
Apparently, US regulatory bodies agree with me. Most recently, the Financial Industry Regulation Authority (FINRA), which is the securities industry’s independent regulator, proposed for comment a rule change that states:
1) Outsourcing doesn't absolve you of the responsibility for the outsourced function's outcomes. You keep responsibility to ensure your vendors perform, no matter what contrivances you write into your contract. When the government auditors come, they will don't care what your contract says about responsibility. They'll be coming to your cube and asking you the uncomfortable questions, including why you wrote contrivances into your contract.
2) If your employees need certain qualifications and licenses to perform the work, so do your vendor’s employees. Your work still needs to be performed by people who are legally qualified, licensed, and registered to do the work. You need to be sure they are.
3) You must have a detailed governance and vendor management program with sufficiently rigorous processes that, in the words of FINRA, "should include, without limitation, conducting a due diligence analysis of all of its current or prospective third-party service providers to determine whether they are capable of performing the outsourced activities" and ensure compliance with regulations.
4) Some activities are so important to the stability of your company and the industry that you have to supervise, review, audit transactions, and in some cases, even independently review your vendor's systems to ensure that they apply the right calculations and processes to your work. The FINRA rules go so far as to say that you're not only responsible for all the above, but when the auditors come, you, not your vendors, have to explain the details to the auditor. Statements like, "At a high level, I know what they do, but if you want the details, ask my vendor" or "My vendor says its systems are used by many other leading global institutions" are not going to be accepted by the auditor. You must have a rigorous, statistically-based approach to quality audits and you need to independently verify that your vendor’s systems and processes comply.
5) All the same rigor described above applies as much to the subcontractors as it does to the contractors. So, that means if your vendor subcontracts to three other vendors, you, not your prime contractor, have to exercise the detailed governance and vendor management approach to all the subcontractors.
6) For Carrying and Clearing Member Firms, FINRA needs to be notified within 30 days of entering into an outsourcing agreement. In essence, the regulator needs to be quickly made aware that your organization intends to outsource. This includes locations (and changes to locations).
FINRA is not alone. The various banking regulators (Federal Reserve, FDIC, National Credit Union Administration, the Office of the Comptroller of the Currency (OCC), and the (soon to be disbanded under Dodd-Frank) Office of Thrift Supervision), and URAC (health care management accrediting body) all limit delegation of oversight and place strict standards on the clients outsourcing.
What This Means to You
Regardless of your opinion of extending the reach of regulators or our (maybe) tongue-in-cheek perspective on lobotomized outsourcing libertarians, FINRA, and other regulators, are really asking companies to do what they already should be doing:
- If your company outsources, you should get actively involved in the governance necessary to ensure outsourced services meet expectations. This means investing in the personnel, processes, and tools required for sound governance.
- If your company provides outsourcing services, you should actively involve your customers in the delivery of the services. This means opening the kimono on your staff, processes, and systems to give your clients an unprecedented level of involvement in ensuring your services meet expectations.
We are interested in your perspective on governance. Please leave a comment here or get in touch with Tony “The Governator” Filippone, HfS Research Vice President, Governance and Sourcing Strategies.
If you’re interested in more information about the implications of FINRA’s proposed changes to your outsourcing environment, we encourage you contact Akiba Stern or Steve Cohen, partners at Loeb & Loeb.
Stern has advised clients for 30 years in all aspects of business law, both as in-house counsel and at law firms. Stern concentrates his practice on outsourcing, technology-enabled business transactions, e-commerce, technology transfers, licensing, intellectual property and joint ventures. He also specializes in transactions involving the commercialization of intellectual property.
Cohen focuses his practice on broker-dealer regulation and the securities markets. Cohen advises broker-dealer clients on a wide variety of regulatory and transactional matters, including federal and state registration and compliance issues and SRO membership and compliance issues, including FINRA (formerly NASD), the stock exchanges and the clearing corporations. His clients include major international banks, domestic and foreign investment banks, full service and boutique brokerage firms, clearing firms, transfer agents and hedge funds.