
FINRA: Broker-dealer obligations when selling private placements

08.01.23

Read this if you are a broker-dealer involved in selling private placements.

In May 2023, the Financial Industry Regulatory Authority (FINRA) issued Regulatory Notice 23-08 (the Regulatory Notice), which is meant to serve as a reminder to members of their obligations when selling private placements. This Regulatory Notice is not meant to alter principles or guidance previously issued by FINRA, but is meant to supplement prior guidance, primarily Regulatory Notice 10-22, in light of the ever-evolving unregistered offering market and the related regulatory landscape. The Regulatory Notice is broken down into three parts: (1) Developments in Unregistered Offerings; (2) Member Regulatory Requirements for Private Placements; and (3) Effective Practices Relating to Reasonable Investigation and Related Supervisory Practices. According to the Regulatory Notice, 69% of new capital was raised through unregistered offerings in 2019. 

The Regulatory Notice goes into great detail about FINRA Rule 2111 (Suitability) and the Securities and Exchange Commission’s (SEC) Regulation Best Interest (Reg BI). Reg BI requires a member or associated person, when making a recommendation of any securities transaction or investment strategy involving securities to a retail customer, to act in the best interest of the retail customer without placing the financial or other interest of the member or associated person ahead of the interest of the retail customer. Reg BI was adopted by the SEC after the publication of FINRA’s Regulatory Notice 10-22. When recommending private placements to non-retail customers, members must follow FINRA Rule 2111, which has many similarities to Reg BI. Other topics covered in the Regulatory Notice are:

  • Private placement filings with FINRA (FINRA Rule 5122 and its companion rule, FINRA Rule 5123): requires members to submit a form that contains information about the member selling the private placement securities, the issuer, and the offering terms, as well as any offering documents, if applicable, electronically through FINRA Gateway.
  • Supervision (FINRA Rule 3110): a member must establish and maintain a system to supervise the activities of each associated person, and must establish, maintain, and enforce written procedures to supervise the types of business in which it engages and the activities of its associated persons that are reasonably designed to achieve compliance with applicable securities laws and regulations and FINRA rules. 
  • Private Securities Transactions (FINRA Rule 3280): at times, private placements are sold by an associated person outside of their relationship with the member. These are considered to be private securities transactions (PSTs). If the member approves a person’s participation in the PST for compensation, the transaction must be recorded on the books and records of the member and the member must supervise the person’s participation in the transaction as if the transaction were executed on behalf of the member. 

Regulatory Notice 10-22 provides examples of practices that some members adopted to help them adequately perform and supervise a reasonable investigation of a recommended private placement. Regulatory Notice 23-08 expands on these examples by offering some additional best practices observed since the release of Regulatory Notice 10-22. These best practices may be useful when developing new or modifying existing practices.

This article is only meant to provide a summary. We encourage those involved in private placement offerings to read the entire Regulatory Notice 23-08. However, if any questions arise, please contact our Broker-dealer financial services team. We’re here to help.

The IRS announced plans to conduct examinations of the universal availability requirements for 403(b) plans (Plans) this summer. Noncompliance with these requirements results in operational errors for Plans―ultimately requiring correction. Plan sponsors should review their Plans for proper inclusion and exclusion of employees. Such review can help you avoid costly penalties if the IRS does conduct an examination and uncovers an issue with the Plan’s implementation of universal availability.

Universal availability requires that, if you permit one employee to make elective deferrals into a 403(b) plan, then all other employees must receive the same opportunity. There are a few exceptions to this rule. Plan sponsors may exclude employees who meet one of the following exceptions:

  • Employees who will contribute $200 annually or less
  • Employees eligible to participate in a § 401(k), 457(b), or other 403(b) plan of the same employer
  • Employees who normally work less than 20 hours per week (the equivalent of less than 1,000 hours in a year)
  • Students performing services described in Internal Revenue Code § 3121(b)(10)

Of these exceptions, the “less than 20 hours per week” exception is where errors in applying the universal availability requirements are typically found. Even if an employee normally works less than 20 hours per week (essentially a part-time employee), if that employee actually works 1,000 hours or more in a year, you must allow the employee to make elective deferrals into the Plan. Further, you can’t revoke this permission in subsequent years―once the employee meets the 1,000-hour requirement, they are no longer included in the “less than 20 hours per week” employee class.

We recommend Plan sponsors review their Plan documents to ensure they are appropriately applying elected eligibility provisions. Further, we recommend Plan sponsors annually review an employee census to ensure those exceptions (listed above) remain appropriate for any employees excluded from the Plan. For instance, if you note that an employee worked 1,000 hours during the year, who was being excluded as part of the “less than 20 hours per week” category, you should ensure you notify this employee of their eligibility to participate in the Plan. In addition, you should retain documentation regarding the employee’s deferral election or election to opt out of the Plan. Such practices will help ensure, if your Plan is selected for IRS examination, it passes with no issues.
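The annual census review described above can be automated. The script below is an added example written for this article, not a tool from the original page or from the IRS; the employee records are constructed, and the employee class, the hypothetical finding labels, and the 1,000-hour threshold applied per plan year are assumptions made for illustration. It flags employees currently excluded under the “less than 20 hours per week” exception who have ever worked 1,000 hours or more in a plan year, distinguishing the case where the threshold was met in a prior year (the exclusion should already have ended) from the case where it was met in the current year (the employee must be offered deferrals going forward).

```python
"""Added example: annual census check for the 403(b) "less than 20 hours per
week" exclusion. Not from the original article; records are constructed."""
from dataclasses import dataclass

# Universal availability: an employee who works 1,000 or more hours in a year
# can no longer be excluded under the part-time exception (assumed per plan year).
HOURS_THRESHOLD = 1000


@dataclass
class Employee:  # hypothetical record layout, not an IRS or plan-document format
    emp_id: str
    hours_by_year: dict      # plan year -> hours worked, e.g. {2021: 900, 2022: 1040}
    excluded_as_part_time: bool  # currently excluded under the <20-hour exception


def first_year_reaching_threshold(hours_by_year):
    """Return the earliest plan year in which hours >= HOURS_THRESHOLD, else None."""
    for year in sorted(hours_by_year):
        if hours_by_year[year] >= HOURS_THRESHOLD:
            return year
    return None


def census_findings(employees, current_year):
    """Return (emp_id, year_reached, message) for every employee who is still
    excluded as part-time despite having met the 1,000-hour threshold.

    Employees not excluded under the part-time exception are not checked here;
    the other three exceptions need their own review.
    """
    findings = []
    for emp in employees:
        if not emp.excluded_as_part_time:
            continue
        year = first_year_reaching_threshold(emp.hours_by_year)
        if year is None:
            continue  # never reached 1,000 hours: exclusion remains appropriate
        if year < current_year:
            # Eligibility cannot be revoked once earned, so continued exclusion
            # after an earlier qualifying year is an operational error.
            msg = "operational error: excluded after meeting 1,000 hours in a prior year"
        else:
            msg = "must be notified of eligibility and offered elective deferrals"
        findings.append((emp.emp_id, year, msg))
    return findings


# Constructed sample census (hypothetical employees and hours).
SAMPLE_CENSUS = [
    Employee("E1", {2021: 800, 2022: 900, 2023: 950}, excluded_as_part_time=True),
    Employee("E2", {2021: 1040, 2022: 950, 2023: 900}, excluded_as_part_time=True),
    Employee("E3", {2022: 600, 2023: 1000}, excluded_as_part_time=True),
    Employee("E4", {2021: 1200, 2022: 1300}, excluded_as_part_time=False),
]


def run_example(current_year=2023):
    """Run the check over the constructed census and return the findings."""
    return census_findings(SAMPLE_CENSUS, current_year)


if __name__ == "__main__":
    for emp_id, year, msg in run_example():
        print(f"{emp_id}: reached {HOURS_THRESHOLD} hours in {year}; {msg}")
```

Keep the deferral election or opt-out form for every employee the script flags; the finding tells you whom to notify, and the retained election is what documents that the opportunity was actually offered.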

For more information: https://www.irs.gov/retirement-plans/403b-plan-fix-it-guide-you-didnt-give-all-employees-of-the-organization-the-opportunity-to-make-a-salary-deferral
Article: Not the summer of love: IRS universal availability examinations

LIBOR is leaving—is your financial institution ready to make the most of it?

In July 2017, the UK’s Financial Conduct Authority announced the phasing out of the London Interbank Offered Rate, commonly known as LIBOR, by the end of 2021 [1]. With less than two years to go, US federal regulators are urging financial institutions to start assessing their LIBOR exposure and planning their transition. Here we offer some general impacts of the phase-out, some specific actions your institution can take to prepare, and background on how we got here.

How will the phase-out impact financial institutions?

The Federal Reserve estimates roughly $200 trillion in LIBOR-indexed notional value transactions in the cash and derivatives market [2]. LIBOR is used to help price a variety of financial services products, including $3.4 trillion in business loans and $1.3 trillion in consumer loans, as well as derivatives, swaps, and other credit instruments. Even excluding loans and financial instruments set to mature before 2021—estimated by the FDIC at 82% of the above $200 trillion—LIBOR exposure is still significant [3].

A financial institution’s ability to lend money depends largely on the stability of its capital position. For institutions with a significant amount of LIBOR-indexed assets and liabilities, the phase-out means less certainty in expected future cash flows and a less stable capital position, which could prompt institutions to deny loans they might otherwise have approved. A change in expected cash flows could also have several indirect consequences. Criticized assets, which are assessed for impairment based on their expected future cash flows, could require a specific reserve because the present value of those expected cash flows is lower.

The importance of fallback language in loan agreements

Fallback language in loan agreements plays a pivotal role in financial institutions’ ability to manage their LIBOR-related financial results. Most loan agreements include language that provides guidance for determining an alternate reference rate to “fall back” on in the event the loan’s original reference rate is discontinued. However, if this language is non-existent, contains fallbacks that are no longer adequate, or lacks certain key provisions, it can create unexpected issues when it comes time for financial institutions to reprice their LIBOR loans. Here are some examples:

  • Non-existent or inadequate fallbacks
    According to the Alternative Reference Rates Committee, a group of private-market participants convened by the Federal Reserve to help ensure a successful LIBOR transition, "Most contracts referencing LIBOR do not appear to have envisioned a permanent or indefinite cessation of LIBOR and have fallbacks that would not be economically appropriate" [4].

    For instance, industry regulators have warned that without updated fallback language, the discontinuation of LIBOR could prompt some variable-rate loans to become fixed-rate [2], causing unanticipated changes in interest rate risk for financial institutions. In a declining rate environment, this may prove beneficial as loans at variable rates become fixed. But in a rising rate environment, the resulting shrink in net interest margins would have a direct and adverse impact on the bottom line.

  • No spread adjustment
    Once LIBOR is discontinued, LIBOR-indexed loans will need to be repriced at a new reference rate, which could be well above or below LIBOR. If loan agreements don’t provide for an adjustment of the spread between LIBOR and the new rate, that could prompt unexpected changes in the financial position of both borrowers and lenders [3]. Take, for instance, a loan made at the Secured Overnight Financing Rate (SOFR), generally considered the likely replacement for USD LIBOR. Since SOFR tends to be lower than three-month LIBOR, a loan agreement using it that does not allow for a spread adjustment would generate lower loan payments for the borrower, which means less interest income for the lender.

    Not allowing for a spread adjustment on reference rates lower than LIBOR could also cause a change in expected prepayments—say, for instance, if borrowers with fixed-rate loans decide to refinance at adjustable rates—which would impact post-CECL allowance calculations like the weighted-average remaining maturity (WARM) method, which uses estimated prepayments as an input.

What can your financial institution do to prepare?

The Federal Reserve and the SEC have urged financial institutions to immediately evaluate their LIBOR exposure and expedite their transition. Though the FDIC has expressed no intent to examine financial institutions for the status of LIBOR planning or critique loans based on use of LIBOR [3], Federal Reserve supervisory teams have been including LIBOR transitions in their regular monitoring of large financial institutions [5]. The SEC has also encouraged companies to provide investors with robust disclosures regarding their LIBOR transition, which may include a notional value of LIBOR exposure [2].

Financial institutions should start by analyzing their LIBOR exposure beyond 2021. If you don’t expect significant exposure, further analysis may be unnecessary. However, if you do expect significant future LIBOR exposure, your institution should conduct stress testing using LIBOR as an isolated variable by running hypothetical transition scenarios and assessing the potential financial impact.

Closely examine and assess fallback language in loan agreements. For existing loan agreements, you may need to make amendments, which could require consent from counterparties [2]. For new loan agreements maturing beyond 2021, lenders should consider selecting an alternate reference rate. New contract language for financial instruments and residential mortgages is currently being drafted by the International Swaps and Derivatives Association (ISDA) and the Federal Housing Finance Agency (FHFA), respectively [3]—both of which may prove helpful in updating loan agreements.

Lenders should also consider their underwriting policies. Loan underwriters will need to adjust the spread on new loans to accurately reflect the price of risk, because volatility and market tendencies of alternate loan reference rates may not mirror LIBOR’s. What’s more, SOFR lacks abundant historical data for use in analyzing volatility and market tendencies, making accurate loan pricing more difficult.

Conclusion: Start assessing your LIBOR risk soon

The cessation of LIBOR brings challenges and opportunities that will require in-depth analysis and making difficult decisions. Financial institutions and consumers should heed the advice of regulators and start assessing their LIBOR risk now. Those that do will not only be better prepared―but also better positioned―to capitalize on the opportunities it presents.

Need help assessing your LIBOR risk and preparing to transition? Contact BerryDunn’s financial services specialists.

[1] https://www.washingtonpost.com/business/2017/07/27/acdd411c-72bc-11e7-8c17-533c52b2f014_story.html?utm_term=.856137e72385
[2] Thomson Reuters Checkpoint Newsstand, April 10, 2019
[3] https://www.fdic.gov/regulations/examinations/supervisory/insights/siwin18/si-winter-2018.pdf
[4] https://bankingjournal.aba.com/2019/04/libor-transition-panel-recommends-fallback-language-for-key-instruments/
[5] https://www.reuters.com/article/us-usa-fed-libor/fed-urges-u-s-financial-industry-to-accelerate-libor-transition-idUSKCN1RM25T

Article: When one loan rate closes, another opens

In auditing, the concept of professional skepticism is ubiquitous. Just as a Jedi in Star Wars is constantly trying to hone his understanding of the “force”, an auditor is constantly crafting his or her ability to apply professional skepticism. It is professional skepticism that provides the foundation for decision-making when conducting an attestation engagement.

A brief definition

The professional standards define professional skepticism as “an attitude that includes a questioning mind, being alert to conditions that may indicate possible misstatement due to fraud or error, and a critical assessment of audit evidence.” Given this definition, one quickly realizes that professional skepticism can’t be easily measured. Nor is it something that is cultivated overnight. It is a skill developed over time and a skill that auditors should constantly build and refine.

Recently, the extent to which professional skepticism is being employed has drawn a lot of criticism. Specifically, regulatory bodies argue that auditors are not skeptical enough in carrying out their duties. However, as noted in the white paper titled Scepticism: The Practitioners’ Take, published by the Institute of Chartered Accountants in England and Wales, simply asking for more skepticism is not a practical solution to this issue, nor is it necessarily always desirable. There is an inevitable tug of war between professional skepticism and audit efficiency: the more skeptical the auditor, typically, the more time it takes to complete the audit.

Why does it matter? Audit quality.

First and foremost, how your auditor applies professional skepticism to your audit directly impacts the quality of their service. Applying an appropriate level of professional skepticism enhances the likelihood the auditor will understand your industry, lines of business, business processes, and any nuances that make your company different from others, as it naturally causes the auditor to ask questions that may otherwise go unasked.

These questions not only help the auditor appropriately apply professional standards, but also help the auditor gain a deeper understanding of your business. This will enable the auditor to provide insights and value-added services an auditor who doesn’t apply the right degree of skepticism may never identify.

Therefore, as the white paper notes, audit committees, management, and investors should be asking “How hard do our auditors get pushed on fees, and what effect does that have on the quality of the audit?” If your auditor is overly concerned with completing the audit within a fixed time budget, professional skepticism and, ultimately, the quality of the audit, may suffer.

Applying skepticism internally

By its definition, professional skepticism is a concept that specifically applies to auditors, and is not on point when it comes to other audit stakeholders. This is because the definition implies that the individual applying professional skepticism is independent from the information he or she is analyzing. Other audit stakeholders, such as members of management or the board of directors, are naturally advocates for the organizations they manage and direct and therefore can’t be considered independent, whereas an auditor is required to remain independent.

However, rather than audit stakeholders applying professional skepticism as such, these other stakeholders should apply an impartial and diligent mindset to their work and the information they review. This allows the audit stakeholder to remain an advocate for his or her organization, while applying critical skills similar to those applied in the exercise of professional skepticism. This nuanced distinction is necessary to maintain the limited scope to which the definition of professional skepticism applies: the auditor.

Specific to the financial statement reporting function, these stakeholders should be assessing the financial statements and ask questions that can help prevent or detect flaws in the financial reporting process. For example, when considering significant estimates, management should ask: are we considering all relevant information? Are our estimates unbiased? Are there alternative accounting treatments we haven’t considered? Can we justify our selected accounting treatment? Essentially, management should start by asking itself: what questions would we expect our auditor to ask us?

It is also important to be critical of your own work, and never become complacent. This may be the most difficult type of skepticism to apply, as most of us do not like to have our work criticized. However, critically reviewing one’s own work, essentially as an informal first level of review, will allow you to take a step back and consider it from a different vantage point, which may in turn help detect errors otherwise left unnoticed. Essentially, you should both consider evidence that supports the initial conclusion and evidence that may be contradictory to that conclusion.

The discussion in auditing circles about professional skepticism and how to appropriately apply it continues. It is a challenging notion that’s difficult to adequately articulate. Although it receives a lot of attention in the audit profession, it is a concept that, slightly altered, can be of value to other audit stakeholders. Doing so will help you create a stronger relationship with your auditor and, ultimately, improve the quality of the financial reporting process—and resulting outcome.

Article: Professional skepticism and why it matters to audit stakeholders

In a closely held business, ownership always means far more than business value. Valuing your business will put a dollar figure on your business (and with any luck, it might even be accurate!). However, ownership of a business is about much more than the “number.” To many of our clients, ownership is about identity, personal fulfillment, developing a legacy, funding their lifestyle, and much more. What does business ownership mean to you? In our final article in this series, we are going to look at questions around what ownership means to different people, explore how to increase business value and liquidity, and discuss the decision of whether to grow your business or exit—and which liquidity options are available for each path. 

While it may seem counterintuitive, we find that it is best to delay the decision to grow or exit until the very end of the value acceleration process. After identifying and implementing business improvement and de-risking projects in the Discover stage and the Prepare stage (covered in the earlier articles in this series), people may find themselves more open to the idea of keeping their business and using that business to build liquidity while they explore other options.

Once people have completed the Discover and Prepare stages and are ready to decide whether to exit or grow their business, we frame the conversation around personal and business readiness. Many personal readiness factors relate to what ownership means to each client. In this process, clients ask themselves the following questions:

  • Am I ready to not be in charge?
  • Am I ready to not be identified as the business?
  • Do I have a plan for what comes next?
  • Do I have the resources to fund what’s next? 
  • Have I communicated my plan?

On the business end, readiness topics include the following:

  • Is the team in place to carry on without me?
  • Do all employees know their role?
  • Does the team know the strategic plan?
  • Have we minimized risk? 
  • Have I communicated my plan?

Whether you choose to grow your business or exit it, you have various liquidity options to choose from. Liquidity options if you keep your business include 401(k) profit sharing, distributions, bonuses, and dividend recapitalization. Alternatively, liquidity options if you choose to exit your business include selling to strategic buyers, ESOPs, private equity firms, management, or family. 

When it comes to liquidity, there are several other topics clients are curious about. One of these topics is the use of earn-outs in the sale of a business. In an earn-out, a portion of the price of the business is suspended, contingent on business performance. The “short and sweet” on this topic is that we typically find them to be most effective over a two- to three-year time period. When selecting a metric to base the earn-out on (such as revenue, profit, or customer retention), consider what is in your control. Will the new owner change the capital structure or cost structure in a way that reduces income? Further, if the planned liquidity event involves merging your company into another company, specify how costs will be allocated for earn-out purposes. 

Rollover equity (receiving equity in the acquiring company as part of the deal structure) and the use of warrants/synthetic equity (incentives tied to increases in stock price) is another area in which we receive many questions from clients. Some key considerations:

  • Make sure you know how you will turn your rollover equity into cash.
  • Understand potential dilution of your rollover equity if the acquiring company continues to acquire other targets. 
  • Make sure the percentage of equity relative to total deal consideration is reasonable.
  • Seller financing typically has lower interest rates and favorable terms, so warrants are often attached to compensate the seller. 
  • Warrants are subject to capital gains tax while synthetic equity is typically ordinary income. As a result, warrants often have lower tax consequences.
  • Synthetic equity may work well for long-term incentive plans and for management buyouts. 

We have found that through the value acceleration process, clients are able to increase business value and liquidity, giving them control over how they spend their time and resources.

If you are interested in learning more about value acceleration, please contact the business valuation services team. We would be happy to meet with you, answer any questions you may have, and provide you with information on upcoming value acceleration presentations. 

Article: Decide: Value acceleration series part five (of five)

So far in our value acceleration article series, we have talked about increasing the value of your business and building liquidity into your life: taking inventory of where you are, aligning values, reducing risk, and increasing intangible value.

In this article, we are going to focus on planning and execution. How these action items are introduced and executed may be just as important as the action items themselves. We still need to protect value before we can help it grow. Let’s say you had a plan, a good plan, to sell your business and start a new one. Maybe a bed-and-breakfast on the coast? You’ve earmarked the 70% in cash proceeds to bolster your retirement accounts. The remaining 30% was designed to generate cash for the down payment on the bed-and-breakfast. And it is stuck in escrow or, worse yet, tied to an earn-out. Now, the waiting begins. When do you get to move on to the next phase? After all that hard work in the value acceleration process, you still didn’t get where you wanted to go. What went wrong?

Many business owners stumble at the end because they lack a master plan that incorporates their business action items and personal action items. Planning and execution in the value acceleration process was the focus of our conversation with a group of business owners and advisors on Thursday, April 11th.

Business valuation master plan steps to take

A master plan should include both business actions and personal actions. We uncovered a number of points that resonated with business owners in the room. Almost every business owner has some sort of action item related to employees, whether it’s hiring new employees, advancing employees into new roles, or helping employees succeed in their current roles. A review of financial practices may also benefit many businesses. For example, by revisiting variable vs. fixed costs, companies may improve their bidding process and enhance profitability. 

Master plan business improvement action items:

  • Customer diversification and contract implementation
  • Inventory management
  • Use of relevant metrics and dashboards
  • Financial history and projections
  • Systems and process refinement

A comprehensive master plan should also include personal action items. Personal goals and objectives play a huge role in the actions taken by a business. As with the hypothetical bed-and-breakfast example, personal goals may influence your exit options and the selected deal structure. 

Master plan personal action items:

  • Family involvement in the business
  • Needs vs. wants
  • Development of an advisory team
  • Life after planning

A master plan incorporates all of the previously identified action items into an implementation timeline. Each master plan is different and reflects the underlying realities of the specific business. However, a practical framework to use as guidance is presented below.

The value acceleration process requires critical thinking and hard work. Just as important as identifying action items is creating a process to execute them effectively. Through proper planning and execution, we help our clients not only become wealthier but to use their wealth to better their lives. 

If you are interested in learning more about value acceleration, please contact the business valuation services team. We would be happy to meet with you, answer any questions you may have, and provide you with information on upcoming value acceleration presentations. 

Article: Planning and execution: Value acceleration series part four (of five)

This is our second of five articles addressing the many aspects of business valuation. In the first article, we presented an overview of the three stages of the value acceleration process (Discover, Prepare, and Decide). In this article we are going to look more closely at the Discover stage of the process.

In the Discover stage, business owners take inventory of their personal, financial, and business goals, noting ways to increase alignment and reduce risk. The objective of the Discover stage is to gather data and assemble information into a prioritized action plan, using the following general framework.

Every client we have talked to so far has plans and priorities outside of their business. Accordingly, the first topic in the Discover stage is to explore your personal plans and how they may affect business goals and operations. What do you want to do next in your personal life? How will you get it done?

Another area to explore is your personal financial plan, and how this interacts with your personal goals and business plans. What do you currently have? How much do you need to fund your other goals?

The third leg of the value acceleration “three-legged stool” is business goals. How much can the business contribute to your other goals? How much do you need from your business? What are the strengths and weaknesses of your business? How do these compare to other businesses? How can business value be enhanced? A business valuation can help you to answer these questions.

A business valuation can clarify the standing of your business regarding the qualities buyers find attractive. Relevant business attractiveness factors include the following:

  • Market factors, such as barriers to entry, competitive advantages, market leadership, economic prosperity, and market growth
  • Forecast factors, such as potential profit and revenue growth, revenue stream predictability, and whether or not revenue comes from recurring sources
  • Business factors, such as years of operation, management strength, customer loyalty, branding, customer database, intellectual property/technology, staff contracts, location, business owner reliance, marketing systems, and business systems

Your company’s performance in these areas may lead to a gap between what your business is worth and what it could be worth. Armed with the information from this assessment, you can prepare a plan to address this “value gap” and look toward your plans for the future.

If you are interested in learning more about value acceleration, please contact the business valuation services team. We would be happy to meet with you, answer any questions you may have, and provide you with information on upcoming value acceleration presentations.

Next up in our value acceleration series is all about what we call the four C's of the value acceleration process. 

Article: The discover stage: Value acceleration series part two (of five)

This is the first article in our five-article series that reviews the art and science of business valuation. The series is based on an in-person program we offer from time to time.

Did you know that just 12 months after selling, three out of four business owners surveyed “profoundly regretted” their decision? Situations like these highlight the importance of the value acceleration process, which focuses on increasing value and aligning business, personal, and financial goals. Through this process, business owners will be better prepared for business transitions, and therefore be significantly more satisfied with their decisions.

Here is a high-level overview of the value acceleration process. This process has three stages, diagrammed here:

The Discover stage is also called the “triggering event.” This is where business owners take inventory of their situation, focusing on risk reduction and alignment of their business, personal, and financial goals. The information gleaned in this stage is then compiled into a prioritized action plan utilized in future stages.

In the Prepare stage, business owners follow through on the business improvement and personal/financial planning action items formed in the Discover stage. Examples of action items include the following:

  • Addressing weaknesses identified in the Discover stage, in the business, or in personal financial planning
  • Protecting value through planning documents and making sure appropriate insurance is in place
  • Analyzing and prioritizing projects to improve the value of the business, as identified in the Discover stage
  • Developing strategies to increase liquidity and retirement savings

The last stage in the process is the Decide stage. At this point, business owners choose between continuing to drive additional value into the business and selling it.

Through the value acceleration process, we help business owners build value into their businesses and liquidity into their lives.

If you are interested in learning more about value acceleration, please contact the business valuation services team. We would be happy to meet with you, answer any questions you may have, and provide you with information on upcoming value acceleration presentations.

Read more! In our next installment of the value acceleration blog series, we cover the Discover stage.

Article
The process: Value acceleration series part one (of five)

Best practices for financial institution contracts with technology providers

As the financial services sector moves in an increasingly digital direction, you cannot overstate the need for robust and relevant information security programs. Financial institutions place more reliance than ever on third-party technology vendors to support core aspects of their business, and in turn rely on those vendors to meet the industry's high standards for information security. These standards include those set by the Gramm-Leach-Bliley Act, Sarbanes-Oxley 404, and regulations established by the Federal Financial Institutions Examination Council (FFIEC).

On April 2, 2019, the FDIC issued Financial Institution Letter (FIL) 19-2019, which outlines important requirements and considerations for financial institutions regarding their contracts with third-party technology service providers. In particular, FIL-19-2019 urges financial institutions to address how their business continuity and incident response processes integrate with those of their providers, and what that could mean for customers.

Common gaps in technology service provider contracts

As auditors of IT controls, we review many contracts between financial institutions and their technology service providers. When it comes to recommending areas for improvement, our top observations include:

  • No right-to-audit clause
    Including a right-to-audit clause encourages transparency and provides greater assurance that vendors are providing services, and charging for them, in accordance with their contract.
  • Unclear and/or inadequate rights and responsibilities around service disruptions
    In the event of a service incident, time and transparency are vital. Contracts that lack clear and comprehensive standards, both for the vendor and financial institution, regarding business continuity and incident response expose institutions to otherwise avoidable risk, including slow or substandard communications.
  • No defined recovery standards
    Explicitly defined recovery standards are essential to ensuring both parties know their role in responding and recovering from a disaster or other technology outage.

FIL-19-2019 also reminds financial institutions that they need to properly inform regulators when they undertake contracts or relationships with technology service providers. The Bank Service Company Act requires financial institutions to inform regulators in writing when receiving third-party services like sorting and posting of checks and deposits, computation and posting of interest, preparation and mailing of statements, and other functions involving data processing, Internet banking, and mobile banking services.

Writing clearer contracts that strengthen your institution

Financial institutions should review their contracts, especially those that are longstanding, and make necessary updates in accordance with FDIC guidelines. As operating environments continue to evolve, older contracts, often renewed automatically, are particularly easy to overlook. You also need to review business continuity and incident response procedures to ensure they address all services provided by third parties.

Senior management and the Board of Directors hold ultimate responsibility for managing a financial institution's relationship with its technology service providers. Management should inform board members of any and all services that the institution receives from third parties to help them better understand your operating environment and information security needs.

Not sure what to look for when reviewing contracts? Some places to start include:

  • Establish your right-to-audit
    All contracts should include a right-to-audit clause, which preserves your ability to access and audit vendor records relating to their performance under contract. Most vendors will provide documentation of due diligence upon request, such as System and Organization Control (SOC) 1 or 2 reports detailing their financial and IT security controls.

    Many right-to-audit clauses also include a provision allowing your institution to conduct its own audit procedures. At a minimum, don’t hesitate to perform occasional walk-throughs of your vendor’s facilities to confirm that your contract’s provisions are being met.
  • Ensure connectivity with outsourced data centers
    If you outsource some or all of your core banking systems to a hosted data center, place added emphasis on your institution’s business continuity plan to ensure connectivity, such as through the use of multiple internet or dedicated telecommunications circuits. Data vendors should, by contract, be prepared to assist with alternative connectivity.
  • Set standards for incident response communications
    Clear expectations for incident response are crucial to helping you quickly and confidently manage the impact of a service incident on your customers and information systems. Vendor contracts should include explicit requirements for how and when vendors will communicate in the event of any issue or incident that affects your ability to serve your customers. You should also review and update contracts after each incident to address any areas of dissatisfaction with vendor communications.
  • Ensure regular testing of defined disaster recovery standards
    While vendor contracts don’t need to detail every aspect of a service provider’s recovery standards, they should ensure those standards will meet your institution’s needs. Contracts should guarantee that the vendor periodically tests, reviews, and updates their recovery standards, with input from your financial institution.

    Your data center may also offer regular disaster recovery and failover testing. If they do, your institution should participate in it. If they don’t, work with the vendor to conduct annual testing of your ability to access your hosted resources from an alternate site.

As financial institutions increasingly look to third-party vendors to meet their evolving technology needs, it is critical that management and the board understand which benefits—and related risks—those vendors present. By taking time today to align your vendor contracts with the latest FFIEC, FDIC, and NCUA standards, your institution will be better prepared to manage risk tomorrow.

For more help gaining control over risk and cybersecurity, see our blog on sustainable solutions for educating your Board of Directors and creating a culture of cybersecurity awareness.

Article
Are your vendor contracts putting you at risk?