Outsourcing & Compliance
Many firms do not contemplate the legal requirements when they consider outsourcing any part of their operations. There are many regulations that must be considered and should be asked of any outsourcing provider and guaranteed in writing.
Regulations that must be considered include the Federal Rules of Civil Procedure, Sarbanes-Oxley, various SEC and NASD requirements, Basel II, the Gramm-Leach-Bliley Act, and many others. For the sake of this article I am going to keep to security requirements and record keeping requirements.
Security Considerations are at the top of the list. If you have a security problem you can be shut down and sued. Violations of these requirements can end your business very quickly. Even if all that happens is a fine or note of deficiency, the public relations fallout could be considerable.
All data must be stored and transmitted in an encrypted form.
This is required by the FDIC, Gramm-Leach-Bliley Act of 1999, Sarbanes-Oxley and indirectly the SEC and NASD. If your client data is on a digital medium it must be encrypted.
Windows provides facilities for encrypting directories and files so that only authorized users can read the files on your internal network. But this is up to your third-party provider to implement. Make sure that you have a statement from any provider that your data is encrypted.
All data must be protected from third parties.
This is required by FDIC, Gramm-Leach-Bliley Act of 1999, OCC, SEC and NASD. Some states also have their own individual requirements. Third-party providers must not be able to read your data.
If you outsource your PMS system for example, none of the outsourcing company's employees are allowed to read your data. Ask questions like: can their employees directly query the database? Can their staff see the downloaded files?
If you outsource your email, can any of their staff read your email? Can they log in as you and view your emails? Can they get to the raw email stores and view them?
This is the requirement that makes it difficult for third-party outsourcing firms to work. The PMS example above is interesting: how can a third party import and reconcile your data? It's a complex answer, but basically the principle of least access applies.
The third party has to be able to import the data and reconcile it. They don't need access to SSN, addresses or names for your clients. Direct access to the database or downloaded files is not acceptable; this would violate Sarbanes-Oxley, SEC 17a (3 and 4), NASD 3010, 3012 and 2013.
For support staff of the third-party PMS example it's even more difficult. How can they answer tech-support questions for a website if they can't see your data? That's a good challenge; in general they should not need access to your data to support the system, but they may if there is a defect in the software.
Anything they do in the system must be logged automatically. The staff who do import/reconcile and support should all work in a physically secured area with computer privacy screens and should have background checks done. They must use systems with no way to save data, in other words no printers, no USB flash drives, no CD burners or floppy drives.
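As an added illustration (this is example code, not from the original article or any vendor), here is one way a firm can let a PMS provider import and reconcile without ever seeing SSNs, names or addresses, and have every provider action logged automatically. The firm replaces each account identifier with a keyed HMAC token before handoff and keeps the key; the provider matches tokens and amounts only; every comparison goes into an append-only, hash-chained audit log that shows if an entry was later altered or removed. The key, field names, account records and custodian figures are all constructed for this example.

```python
import datetime
import hashlib
import hmac
import json

# Firm-held secret used to tokenize account identifiers. The provider never
# receives it, so it cannot reverse a token or link it to a person.
# Constructed value for this example; a real key would be generated and rotated.
FIRM_TOKEN_KEY = b"constructed-firm-secret-not-for-production"

# Fields the third party does not need in order to import and reconcile.
PII_FIELDS = ("ssn", "name", "address")

# Constructed sample records as the firm holds them internally.
FIRM_BOOK = [
    {"account_id": "A-1001", "ssn": "123-45-6789", "name": "J. Doe",
     "address": "1 Main St", "position_value": 15000.00},
    {"account_id": "A-1002", "ssn": "987-65-4321", "name": "R. Roe",
     "address": "2 Elm St", "position_value": 4200.50},
]

# Constructed sample of the custodian statement for the same accounts;
# the second account is deliberately off by 100.00 to produce a break.
CUSTODIAN_STATEMENT = [
    {"account_id": "A-1001", "position_value": 15000.00},
    {"account_id": "A-1002", "position_value": 4100.50},
]


def pseudonymize(record, key=FIRM_TOKEN_KEY):
    """Return a copy of the record with PII dropped and the account id replaced
    by a keyed HMAC-SHA256 token. Runs on the firm's side before handoff."""
    token = hmac.new(key, record["account_id"].encode(), hashlib.sha256).hexdigest()[:16]
    stripped = {k: v for k, v in record.items()
                if k not in PII_FIELDS and k != "account_id"}
    return {"account_token": token, **stripped}


class AuditLog:
    """Append-only, hash-chained record of what provider staff did. Each entry
    commits to the hash of the previous one, so an edited or deleted entry
    is detected by verify()."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor, action, account_token):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "ts": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "actor": actor, "action": action,
            "account_token": account_token, "prev_hash": prev,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)

    def verify(self):
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev_hash"] != prev or self._digest(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def reconcile(firm_export, custodian_export, log, actor):
    """Provider-side step: match tokens and flag value differences. Both inputs
    carry only tokens and amounts, and every comparison is logged."""
    custodian = {r["account_token"]: r["position_value"] for r in custodian_export}
    breaks = []
    for r in firm_export:
        log.record(actor, "compare", r["account_token"])
        other = custodian.get(r["account_token"])
        if other is None or abs(other - r["position_value"]) > 0.005:
            breaks.append((r["account_token"], r["position_value"], other))
    return breaks


def run_example():
    """Firm tokenizes both files, provider reconciles; returns export, breaks, log."""
    firm_export = [pseudonymize(r) for r in FIRM_BOOK]
    custodian_export = [pseudonymize(r) for r in CUSTODIAN_STATEMENT]
    log = AuditLog()
    breaks = reconcile(firm_export, custodian_export, log, actor="provider-ops-01")
    return firm_export, breaks, log


if __name__ == "__main__":
    export, breaks, log = run_example()
    print("fields handed to provider:", sorted(export[0]))
    print("breaks:", breaks)
    print("audit log intact:", log.verify())
```

The point of the token is that a break report comes back to the firm as a token the firm alone can map to an account, so the provider's support staff can discuss a mismatch without ever holding a client name or SSN. The audit chain is what lets you answer "what did their staff look at?" from the log rather than from the provider's word.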
Record Retention & Review:
This is also very important. In the wake of all the corporate scandals many regulations were passed that state the importance of data storage and knowing the data is accurate. In addition, there are requirements for review by supervisory personnel.
In general you should be storing six years of data. Remember the encryption requirements when you store them. All electronic records must be stored on non-rewritable, non-erasable media. According to SEC 17a (3 and 4), the most recent two years must be accessible.
If you are in the supervisory role, you are probably required to review communications with clients. You need to make sure that your email provider gives you some easy way to meet this requirement. You don't want to spend hours every day to meet this requirement. The key here ties back to the earlier section: make sure your provider cannot do this review or query the emails for you.
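An added example (not from the original article) of two checks a practitioner would want to run against an archive: which records fall in the six-year retention window and which of those must be in the readily accessible two-year tier, and whether objects written to the "non-rewritable" store are actually still byte-for-byte what was written. The second check hashes every object at archive time into a manifest kept apart from the store and re-verifies later; any difference means the media is not behaving as write-once. The object names, dates and contents are constructed, and the three class labels are this example's own naming.

```python
import datetime
import hashlib

RETENTION_YEARS = 6       # keep six years of data (per the article)
READY_ACCESS_YEARS = 2    # most recent two years must be readily accessible


def years_before(day, years):
    """Same calendar day `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return day.replace(year=day.year - years)
    except ValueError:
        return day.replace(year=day.year - years, day=28)


def retention_class(record_date, today):
    """Return 'accessible', 'archive' or 'past_retention' for a record date.
    Nothing in the first two classes may be deleted."""
    if record_date >= years_before(today, READY_ACCESS_YEARS):
        return "accessible"
    if record_date >= years_before(today, RETENTION_YEARS):
        return "archive"
    return "past_retention"


def build_manifest(records):
    """Hash every stored object at archive time. Keep the manifest separately
    from the archive so it can later show the archive was not altered."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in records.items()}


def verify_manifest(manifest, records):
    """Return the names whose content is missing or no longer matches the
    manifest. On genuinely non-rewritable, non-erasable media this list is
    empty; anything else means the store is not behaving as write-once."""
    problems = []
    for name, digest in manifest.items():
        data = records.get(name)
        if data is None or hashlib.sha256(data).hexdigest() != digest:
            problems.append(name)
    return problems


# Constructed sample archive: object name -> (record date, stored bytes).
# The .enc suffix is a reminder that stored records are encrypted at rest.
SAMPLE_ARCHIVE = {
    "email-2024-03.eml.enc": (datetime.date(2024, 3, 1), b"ciphertext-1"),
    "trade-blotter-2021-q2.enc": (datetime.date(2021, 6, 30), b"ciphertext-2"),
    "email-2017-01.eml.enc": (datetime.date(2017, 1, 15), b"ciphertext-3"),
}


def run_example(today=datetime.date(2025, 1, 1)):
    """Classify each object and verify the manifest against an intact store
    and against a store where one object was silently rewritten."""
    classes = {name: retention_class(d, today) for name, (d, _) in SAMPLE_ARCHIVE.items()}
    contents = {name: data for name, (_, data) in SAMPLE_ARCHIVE.items()}
    manifest = build_manifest(contents)
    intact = verify_manifest(manifest, contents)
    tampered = dict(contents, **{"trade-blotter-2021-q2.enc": b"ciphertext-2-altered"})
    detected = verify_manifest(manifest, tampered)
    return classes, intact, detected


if __name__ == "__main__":
    classes, intact, detected = run_example()
    print("retention classes:", classes)
    print("problems on intact store:", intact)
    print("problems on rewritten store:", detected)
```

Run the manifest check on a schedule and after any provider migration; a provider that moves your archive to new media should be able to show the manifest still verifies on the other side.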
These are just a few of the things you must consider when you are outsourcing any part of your business. If you are with a broker/dealer that provides compliance support, I strongly recommend that you ask them for a list of requirements as well. They will probably have a manual for this and may have a list of already approved vendors.