Why Financial Services IT Is a Compliance Function, Not Just Support
Most industries treat IT as infrastructure. Financial services firms treat it — or should treat it — as a compliance function. When a FINRA examiner or SEC staff member arrives, they're not just asking if your systems work. They're asking whether your IT environment supports your supervisory obligations, your data protection requirements, and your incident response program.
An MSP that doesn't understand this distinction will get you cited. One that does will keep your documentation exam-ready before anyone calls.
The key frameworks a financial services MSP needs to know:
- SEC Regulation S-P — customer privacy notices and safeguards; the 2024 amendments add a required written incident response program, oversight of service providers, and customer notification no later than 30 days after a breach is discovered, with compliance dates staggered by firm size
- SEC cybersecurity disclosure rule (2023) — material-incident disclosure on Form 8-K and annual risk-management disclosure under Regulation S-K Item 106 for public companies; it does not apply to RIAs or broker-dealers as such, whose incident obligations come from the amended Regulation S-P above
- GLBA Safeguards Rule (FTC, 16 CFR Part 314) — risk assessments, a written information security program, and vendor oversight for financial institutions under FTC jurisdiction, which includes state-registered advisers; SEC registrants meet the equivalent GLBA obligation through Regulation S-P
- FINRA Rule 3110 — supervisory review of electronic communications for broker-dealers (the retention requirement itself is SEA Rule 17a-4 together with FINRA Rule 4511; RIAs carry the parallel books-and-records duty under Advisers Act Rule 204-2)
- FINRA Rule 4370 — business continuity and disaster recovery plans
- State-level requirements — NY DFS 23 NYCRR 500, MA 201 CMR 17, and others depending on where you're registered
Among the most common exam findings: "Inadequate supervision of electronic communications." If your MSP hasn't implemented a compliant capture, retention, and review solution for email and, increasingly, mobile and chat messaging, you are exposed every time an examiner visits.
The Platforms Your MSP Has to Know
Financial services firms run specialized software that most MSPs have never seen. If your provider hasn't deployed these systems in production environments at other firms, expect a learning curve at your expense:
| Category | Common Platforms | Why It Matters for IT |
| --- | --- | --- |
| Portfolio Management / Reporting | Orion, Black Diamond, Tamarac, Envestnet | Specific server/API requirements; performance issues are expensive |
| CRM | Redtail, Wealthbox, Salesforce FSC | Integration with custodians; data sync reliability critical |
| Trading / Rebalancing | iRebal, Riskalyze, Orion Trading | Low-latency requirements; API reliability for order management |
| Custodian Integrations | Schwab, Fidelity, Pershing, TD (now Schwab) | VPN/API connectivity; MFA compliance requirements |
| Email Archiving | Smarsh, Global Relay, Proofpoint | Retention under SEA 17a-4 / Advisers Act 204-2 and supervisory review under FINRA 3110; must capture all business communications |
| Document Management | LaserFiche, NetDocuments, SharePoint | Compliance record retention; version control |
What "SEC-Compliant IT" Actually Means
When firms say they want "SEC-compliant IT," they usually mean a few specific things:
- A written information security program (WISP) that's current, tested, and reviewed with the board or leadership annually
- Evidence of controls — not just policies, but logs, screenshots, and documentation showing controls are actually operating
- An incident response plan with tested procedures, including who gets notified and in what timeframe (the amended Regulation S-P sets a 30-day outer limit for customer notice after a breach is discovered; NY DFS 23 NYCRR 500 adds a 72-hour notice to the superintendent for covered entities)
- Vendor due diligence documentation — written agreements with your IT provider specifying their security obligations
- Business continuity and DR documentation per FINRA Rule 4370, including evidence of annual testing
Real Example
An SEC examiner showed up for a routine inspection and asked for cybersecurity incident response documentation. The firm had a policy document but no evidence of testing or board review. Their IT provider helped rebuild the program in six weeks — written policy, tested procedures, board briefing materials. When the examiner returned, the firm passed. That outcome required an MSP that understood what the SEC wants to see, not just how to configure firewalls.
Email Archiving: The Single Most Cited Finding
If there's one IT control that financial services firms consistently fail to implement correctly, it's electronic communications archiving. For broker-dealers, FINRA Rule 3110 requires a supervisory system that reviews business-related electronic correspondence, and SEA Rule 17a-4 (with FINRA Rule 4511) requires that correspondence to be retained in a non-rewriteable, non-erasable format or under a compliant audit-trail alternative; RIAs carry the equivalent retention duty under Advisers Act Rule 204-2. In practice the captured scope includes:
- Email (all business email accounts, including personal accounts used for business)
- Text messages about firm business, whether sent from a company-issued or a personal device (the regulators' off-channel communications enforcement sweep turned on exactly this point: the obligation follows the communication, not the device)
- Increasingly: WhatsApp, Teams, Slack and similar chat platforms when used for client or trade-related communication
The archiving vendor (Smarsh, Global Relay, etc.) must be configured and integrated by your IT provider, including journaling or API capture for every channel in scope and a periodic check that nothing is silently dropping out of the feed. Most generic MSPs have never done this configuration and will set it up incorrectly, or not at all.
Key-Person Risk in Financial Services IT
Financial services firms have one key-person risk problem that's specific to their industry: when a licensed representative or advisor leaves, you need to move fast. Their sign-in needs to be blocked and active sessions revoked, their custodian portal access revoked, their mailbox placed on hold and confirmed captured by the archive before anything is deleted, their device wiped, and their client data access documented for compliance purposes. The order matters: preserve records before you wipe or delete, because a wipe that outruns the archive destroys evidence you are required to keep. If your IT provider doesn't have a formal offboarding checklist that runs in under two hours, you have an exposure.
This is especially critical for firms with breakaway advisors or contentious departures — which in this industry happen more than in most.
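As an added example (not code from the original article or from any MSP it describes), the following PowerShell runbook shows the ordering described above in a Microsoft 365 tenant. It assumes the firm runs Entra ID, Exchange Online and Intune, that the Microsoft.Graph and ExchangeOnlineManagement modules are installed, and that the operator holds the listed Graph permissions; the cmdlet names are Microsoft's, while the evidence log, the `Record` helper, the parameter names and the custodian list are this example's own assumptions. Custodian portals sit outside the tenant, so the script logs them as pending manual steps rather than pretending to revoke them.

```powershell
# Added example: emergency offboarding of a departing advisor in Microsoft 365 / Entra ID.
# Assumes Entra ID + Exchange Online + Intune and the Microsoft.Graph and
# ExchangeOnlineManagement modules. Evidence log, Record helper and custodian list are
# this example's own assumptions, not part of the original article.
#
# Order is deliberate: block sign-in and kill sessions first, put the mailbox on hold
# BEFORE anything is wiped or deleted, then wipe devices, then strip group access,
# and record every step with a timestamp for the exam file.

param(
    [Parameter(Mandatory)][string]$UserPrincipalName,   # e.g. jdoe@firm.example (assumed)
    [Parameter(Mandatory)][string]$TicketId,            # HR/compliance ticket authorizing the offboarding
    [string]$EvidencePath = ".\offboarding-evidence.csv"
)

$evidence = [System.Collections.Generic.List[object]]::new()
function Record($Step, $Result, $Detail) {
    # Append one evidence row; the CSV at the end is what goes in the compliance file.
    $evidence.Add([pscustomobject]@{
        Timestamp = (Get-Date).ToString("o")
        Ticket    = $TicketId
        User      = $UserPrincipalName
        Step      = $Step
        Result    = $Result
        Detail    = $Detail
    })
}

Connect-MgGraph -Scopes "User.ReadWrite.All","Directory.ReadWrite.All",
    "DeviceManagementManagedDevices.PrivilegedOperations.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName,AccountEnabled

# 1. Block sign-in and invalidate refresh tokens so sessions on every device die.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
Record "Block sign-in + revoke sessions" "OK" "AccountEnabled=false; refresh tokens invalidated"

# 2. Preserve the mailbox before any deletion. The archive vendor's capture is separate;
#    the hold keeps deleted and purged items recoverable until capture is confirmed.
Set-Mailbox -Identity $UserPrincipalName -LitigationHoldEnabled $true -LitigationHoldDuration Unlimited
Record "Litigation hold" "OK" "Mailbox preserved; do not delete the account until the archive vendor confirms capture"

# 3. Wipe every Intune-managed device enrolled to this user.
$devices = Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$UserPrincipalName'"
foreach ($d in $devices) {
    Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $d.Id
    Record "Remote wipe" "Issued" "$($d.DeviceName) ($($d.OperatingSystem)) id=$($d.Id)"
}
if (-not $devices) { Record "Remote wipe" "None" "No Intune-managed devices found" }

# 4. Remove group memberships; these usually gate SharePoint, Teams and app access.
$groups = Get-MgUserMemberOf -UserId $user.Id |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }
foreach ($g in $groups) {
    Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id
    Record "Group removal" "OK" $g.AdditionalProperties['displayName']
}

# 5. Custodian portals are outside the tenant and must be revoked by the firm's designated
#    portal admin. Log them as pending so the checklist cannot close without confirmation.
foreach ($custodian in @("Schwab","Fidelity","Pershing")) {   # assumed list; use the firm's own
    Record "Custodian portal access" "PENDING-MANUAL" "$custodian: revoke via portal admin; attach confirmation to ticket"
}

$evidence | Export-Csv -Path $EvidencePath -NoTypeInformation
$evidence | Format-Table -AutoSize
```

Two practical caveats: litigation hold requires a mailbox license that supports it (Exchange Online Plan 2 or the archiving add-on), and members of dynamic groups cannot be removed individually, so step 4 will error on those; both are worth noting in the runbook rather than discovering during a contentious departure.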
What to Ask When Evaluating a Financial Services MSP
- How many RIAs or broker-dealers do you currently support? Can I speak to one?
- Which email archiving platforms have you configured and what's your integration process?
- Have you supported a firm through an SEC or FINRA examination? What was your role?
- What does your WISP template look like and how do you keep it current?
- How do you handle emergency offboarding for a departing advisor?
- What's your incident response SLA, and how does your process align with Regulation S-P's 30-day customer notification limit and, where applicable, NY DFS's 72-hour notice to the superintendent?
- Are you familiar with NY DFS 23 NYCRR 500 / Massachusetts 201 CMR 17? (If applicable to your registration)
Warning Signs in Financial Services IT Proposals
- No mention of SEC, FINRA, or GLBA — they've never thought about compliance as part of IT
- No prior financial services clients in their reference list
- Email archiving treated as optional or add-on instead of a default component
- No SLA for emergency situations (exam prep, incident response, advisor offboarding)
- Unfamiliar with your portfolio management platform — they'll learn it on your dime
- WISP is a generic template with your firm name dropped in — not worth the paper it's written on to an examiner
Pricing: What Financial Services IT Actually Costs
Fully managed IT for wealth management firms, RIAs, and broker-dealers typically runs $175–$275 per user per month for firms with 5–50 staff. This range reflects:
- Base managed services: helpdesk, endpoint management, patch management, backups
- Security stack: EDR, email security, MFA, SIEM/logging for compliance evidence
- Compliance documentation: WISP maintenance, annual review support, vendor due diligence letters
- Email archiving: Smarsh/Global Relay/Proofpoint licensing and configuration (often billed separately)
Firms that try to save money by excluding compliance documentation services tend to pay 3–5x more when they need to build it quickly for an exam.
Frequently Asked Questions
What compliance frameworks do financial services MSPs need to know?
Registered investment advisers and broker-dealers are subject to SEC Regulation S-P, including its 2024 incident response and breach notification amendments. Broker-dealers are additionally subject to FINRA Rules 3110 and 4370 and the SEA Rule 17a-4 retention requirement; advisers to the Advisers Act Rule 204-2 books-and-records requirement; state-registered advisers and other firms under FTC jurisdiction to the GLBA Safeguards Rule. State-specific requirements such as NY DFS 23 NYCRR 500 and MA 201 CMR 17 apply depending on where you're registered. An MSP working in financial services should understand which frameworks apply to your firm type and have implemented them before.
What software do wealth management and RIA firms use that an MSP needs to know?
The most common platforms are Orion, Redtail CRM, Tamarac, Black Diamond, Envestnet, Salesforce Financial Services Cloud, and Schwab/Fidelity/Pershing custodian integrations. Portfolio accounting, rebalancing, and performance reporting systems all have specific infrastructure requirements. An MSP that has never supported these platforms will spend your money learning them.
How much does IT support cost for a financial services firm?
Fully managed IT for wealth management firms and broker-dealers typically runs $175–$275 per user per month. Firms with complex compliance environments or large user counts may pay differently. The compliance overhead — WISP documentation, annual review evidence, e-comm archiving — often adds 20–30% to base MSP costs but is non-negotiable.