Third-Party Risk Landscape
NEW FOR 2025
Firms rely on third parties for many activities and functions, which can present risks. Over recent years FINRA has observed an increase in cyberattacks and outages at third-party vendors[1] (also known as third-party providers[2]) firms use. Given the financial industry’s reliance on third-party vendors to support key systems and covered activities[3], an attempted cyberattack or an outage at a third-party vendor could potentially impact a large number of firms.
Regulatory Obligations
Firms have an obligation to establish and maintain a supervisory system, including establishing and maintaining written supervisory procedures for any activities or functions third-party vendors perform, that is reasonably designed to achieve compliance with applicable securities laws and regulations (e.g., Regulation S-P)[4] and with applicable FINRA rules (e.g., FINRA Rules 3110 and 4370).
Observations and Effective Practices
Observations
Below are areas that have emerged in recent FINRA examinations that firms may consider when developing and enhancing their third-party vendor risk management programs:
- establishing adequate third-party vendor risk management policies;
- conducting initial or ongoing due diligence on third-party vendors that support systems related to key areas (e.g., information technology and cybersecurity; AML monitoring);
- validating data protection controls in third-party vendor contracts;
- involving third-party vendors that support key systems in the testing of their Incident Response Plan;
- maintaining a list of all third-party services, or third-party provided hardware and software components, that the firm’s technology infrastructure uses;
- having procedures that address the return or destruction of firm data at the termination of a third-party vendor contract; and
- addressing third-party vendors’ use of vendors (i.e., fourth-party vendors) that may handle firm data.
FINRA’s Firm Outreach
- FINRA’s Risk Monitoring program engages with firms on an ongoing basis to understand how firms use and supervise third-party vendors.
- In November 2023, FINRA issued a questionnaire to gather information from firms related to their engagement with third-party vendors, particularly those used for mission critical systems and functions. This information supplemented FINRA’s understanding of the potential impact and effect of a third-party vendor event for our firms and the securities markets.
- Additionally, FINRA used the information it gathered to quickly and proactively alert firms of cybersecurity and other vendor-related events that may impact their firm.
- Firms can contact their Risk Monitoring Analyst to report any changes to third-party vendors that support their key systems or any cybersecurity events at these vendors.
Effective Practices
Firms that use—or are contemplating using—third-party vendors may consider these effective practices when assessing and managing the risks associated with third-party vendors throughout the lifecycle of the relationship (onboarding, ongoing monitoring and offboarding), for example:
- maintaining a list of all third-party vendor-provided services, systems and software components that the firm can leverage to assess the impact on the firm in the event of a cybersecurity incident or technology outage at a third-party vendor;
- establishing supervisory controls for a third-party technology vendor’s business impact, including assessments and contingency plans;
- evaluating the impact on the firm’s ability to meet its regulatory obligations if the third-party vendor fails to perform the outsourced activity or function;
- asking potential third-party vendors if they incorporate Gen AI[5] into their products or services, and, if so, evaluating contracts with these third-party vendors and requesting that they be amended—as necessary—to comply with your firm’s regulatory obligations (e.g., adding language that prohibits firm or customer sensitive information from being ingested into a third-party vendor’s open-source Gen AI tool);
- reviewing, and as appropriate adjusting, third-party vendor tool default features and settings to meet firm business needs and applicable regulatory obligations (e.g., disabling a chat feature, reviewing whether communications are being captured for supervisory review);
- assessing third-party vendors’ ability to protect sensitive firm and customer non-public information and data; and
- ensuring that a third-party vendor’s access to systems, data and corporate infrastructure is revoked when the relationship ends.
Additional Resources
- FINRA
- FINRA Cybersecurity Advisory: Increasing Cybersecurity Risks at Third-Party Providers
- Regulatory Notice 21-29 (FINRA Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors)
- Notice to Members 05-48 (Members' Responsibilities When Outsourcing Activities to Third-Party Service Providers)
- The SEC Amends Regulation S-P to Enhance Protection of Customer Information “callout” box in the Technology Management topic.
Artificial Intelligence: Continuing and Emerging Trends
As noted in the 2024 Report, AI-based tools have been widely used in the financial services industry for a number of years. The expansion of AI crosses many business sectors, technologies and operations; this new technology can offer many potential benefits to firms and investors, but may also present certain risks. In light of this, FINRA has increased its discussions and information-sharing with firms on this topic to help identify and mitigate such risks.
FINRA has observed that firms are proceeding cautiously with their use of Gen AI technology, generally exploring or implementing third-party vendor-supported Gen AI tools to increase efficiency of internal functions, including:
- summarizing information from multiple information sources into one document;
- conducting analyses across disparate data sets (e.g., assessing and validating the accuracy of reported transactions with source documentation); and
- utilizing Gen AI for employees to retrieve relevant portions of policies or procedures.
FINRA is also engaging with firms to stay current on the evolving AI landscape and potential impacts for the industry:
- FINRA issued a questionnaire to firms in November 2023 concerning their use of third-party vendors that included questions on third-party vendor-supported AI.[6] FINRA has followed up with firms based on their responses to the survey and further outreach is ongoing.
- In June 2024, FINRA issued Regulatory Notice 24-09 (FINRA Reminds Members of Regulatory Obligations When Using Generative Artificial Intelligence and Large Language Models), reminding firms of their regulatory obligations when using Gen AI and large language models (LLMs) and inviting continued engagement through FINRA’s process for interpretive requests, or discussions with your firm’s Risk Monitoring Analyst.[7]
FINRA intends for its rules to be technologically neutral, and they continue to apply when firms use Gen AI or similar technologies in the course of their businesses, just as they apply when firms use any other technology or tool. As with any technology or tool, a firm should evaluate Gen AI tools prior to deploying them and ensure the firm can continue to comply with existing FINRA rules applicable to the business use of those tools.
Firms contemplating the use of Gen AI tools and technologies may want to consider:
- how to supervise the use of Gen AI on an enterprise level (as well as by individual associated persons);
- how to identify and mitigate associated risks, for example, regarding accuracy or bias; and
- whether the firm’s cybersecurity program considers:
  - risks associated with the firm’s and third-party vendor’s use of Gen AI (e.g., leakage of customer PII and the firm’s proprietary information entered into prompts by employees); and
  - use of technology tools, data provenance, and processes to identify the use of AI or Gen AI by threat actors.
Firms contemplating using a third-party vendor-driven Gen AI tool may want to consider how to use that tool and still ensure compliance with applicable regulatory requirements and undertakings, including with respect to:
- the deployment of foundation models provided by third-party vendors (e.g., OpenAI, Anthropic, Google, Meta, open-source); and
- third-party software vendors that are including Gen AI within their existing solutions.
Finally, all firms may want to consider whether the firm’s cybersecurity program addresses risks associated with threat actors’ potential exploitation of Gen AI to increase the number, credibility or severity of attacks (e.g., fake web personas, deepfake audio and video, creation of advanced malware and other malicious tools).
For additional guidance related to AI please see:
- the Emerging Risk: Adversarial Use of Generative Artificial Intelligence “callout” box in the Anti-Money Laundering, Fraud and Sanctions topic;
- the Communications with the Public topic in the 2025 Report (for guidance concerning communications that are created by, or promote a firm’s use of, AI)
- FINRA FinTech Key Topics Page
- Regulatory Notice 24-09 (FINRA Reminds Members of Regulatory Obligations When Using Generative Artificial Intelligence and Large Language Models)
- Frequently Asked Questions About Advertising Regulation, Questions B.4 and D.8 (May 10, 2024)
- FINRA Podcast: An Evolving Landscape: Generative AI and Large Language Models in the Financial Industry (March 5, 2024)
- FINRA, SEC, NASAA Investor Insight: Artificial Intelligence (AI) and Investment Fraud (January 25, 2024)
- Regulatory Notice 21-29 (FINRA Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors)
- FINRA Report – Artificial Intelligence (AI) in the Securities Industry (June 10, 2020)
- National Institute of Standards and Technology (NIST): Artificial Intelligence Risk Management Framework (AI RMF 1.0) (January 2023)
[1] See Regulatory Notice 21-29 (FINRA Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors) for additional guidance concerning third-party vendors (e.g., common activities or functions firms outsource to third-party vendors; questions firms may consider when evaluating their systems, procedures and controls relating to third-party vendor management).
[2] The FINRA Cybersecurity Advisory—Increasing Cybersecurity Risks at Third-Party Providers incorporates the National Institute of Standards and Technology’s (NIST) definition of third-party providers: “service providers, integrators, vendors, telecommunications, and infrastructure support that are external to the organization.” Although that definition is broader than “third-party vendor” as used in this Report, the Advisory’s guidance is still applicable to firms that are designing or strengthening their compliance programs with regard to third-party vendor risk management.
[3] As noted in Regulatory Notice 21-29 (FINRA Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors), “covered activities” refers to “activities or functions that, if performed directly by a member firm, would be required to be the subject of a supervisory system and WSPs pursuant to FINRA Rule 3110.”
[4] The Regulation S-P amendments will require covered institutions, as part of their incident response programs, to establish, maintain and enforce written policies and procedures reasonably designed to require oversight, including through due diligence and monitoring, of service providers. These policies and procedures must be reasonably designed to ensure that service providers take appropriate measures to (i) protect against unauthorized access to or use of customer information; and (ii) provide notification to the covered institution as soon as possible, but no later than 72 hours after becoming aware that a breach in security has occurred resulting in unauthorized access to a customer information system maintained by the service provider.
[5] See the Report’s Emerging Risk: Adversarial Use of Generative Artificial Intelligence “callout” box for more guidance concerning firms’ use of Gen AI technology.
[6] See the Report’s Third-Party Risk Landscape topic for additional information on FINRA’s vendor questionnaire to firms, as well as guidance concerning firms’ use of third-party vendors.
[7] As noted in Regulatory Notice 24-09 (FINRA Reminds Members of Regulatory Obligations When Using Generative Artificial Intelligence and Large Language Models), to the extent firms find ambiguity in the application of FINRA rules based on their specific use of Gen AI or other technology, they may seek interpretive guidance from FINRA by following FINRA’s process for interpretive requests. Firms also are encouraged to have ongoing discussions with their Risk Monitoring Analyst as AI-related issues or other changes in their business arise.