cyber compliance

Vendor Oversight Insights from the FINRA Small Firm Conference

November 20, 2025by Tiffany Magri

At the recent FINRA Small Firm Conference, panelists explored how effective vendor management supports compliance, cybersecurity, and operational resilience across financial services. The discussion surfaced several best practices firms may want to consider as part of their broader governance and risk frameworks.

Focus area	Practice to consider
Vendor oversight	Take a lifecycle approach that includes selection, due diligence, onboarding, monitoring, and offboarding.
Cybersecurity and Regulation S-P	Review whether vendors have written incident-response procedures and clear reporting protocols for data incidents.
AI use	Keep human oversight in the loop and understand how vendors use and secure data when AI is part of their offering.
Documentation	Maintain clear records of vendor reviews and decisions to show a consistent process.
Communication records	Ensure vendors can meet books and records and supervision obligations, especially for communications data.
Resilience and continuity	Test business continuity and vendor backup processes periodically to stay prepared for disruptions.

What stood out to me during the session was how much vendor risk overlaps with regulatory and operational risk. The conversation wasn’t about adding more checklists. It was about building stronger relationships and clearer visibility into the vendors firms rely on every day.

For anyone managing compliance or technology partnerships, these insights were a timely reminder that good vendor oversight is really about resilience, transparency, and trust.

What are FINRA's key vendor oversight practices?

A lifecycle approach is emphasized: vendor selection, due diligence, onboarding, active monitoring, and structured offboarding to support compliance and risk management.

Why is vendor risk management important for financial services firms?

Vendor risk closely overlaps with regulatory, cybersecurity, and operational risk. Effective oversight helps firms maintain resilience, transparency, and alignment with FINRA and SEC expectations.

How should firms evaluate vendors using AI technologies?

Firms should ensure human oversight remains in place, confirm how vendors use and secure customer data, and verify that AI-enabled platforms support books-and-records and supervision requirements.

FEATURED WHITE PAPER

Right-sized Compliance for Lean Teams

Read Now

Share this post!

Author
Recent Posts

Tiffany Magri

Senior Regulatory Advisor at Smarsh

As a Regulatory Advisor at Smarsh, Tiffany Magri monitors, evaluates and consults on the financial services regulatory landscape. Tiffany has more than 10 years of experience facilitating compliance with laws and regulations, policies, and risk management. Prior to joining Smarsh, Tiffany was a Senior Associate at Benefit Street Partners and a Compliance Analyst at Broadstone and Manning & Napier Advisors.

Smarsh Blog

Our internal subject matter experts and our network of external industry experts are featured with insights into the technology and industry trends that affect your electronic communications compliance initiatives. Sign up to benefit from their deep understanding, tips and best practices regarding how your company can manage compliance risk while unlocking the business value of your communications data.

Ready to enable compliant productivity?

Join the 6,500+ customers using Smarsh to drive their business forward.

watch it work

More Resources

finra washingtonDC q4 2022 event 650x330