Earlier this week, FINRA published its 2021 Report on FINRA’s Examination and Risk Monitoring Program (the “Report”). The Report, which combines FINRA’s prior publications on regulatory priorities and examination findings, identifies specific areas of regulatory focus along with applicable rules and considerations, noteworthy exam findings, and best practices and emerging risks for firms to consider when evaluating their compliance programs and controls. Below, we summarize key takeaways for each of the topics identified in the Report.
Firm Operations
Anti-Money Laundering (“AML”) – Anti-money laundering continues to be a perennial topic for regulators’ priority letters, and 2021 will be no different. In the Report, FINRA stresses the importance of developing AML programs tailored to a firm’s unique business risks and that are subjected to regular, independent testing. FINRA cautions against relying on data feeds for monitoring and surveillance functions without periodically verifying the accuracy of those feeds, and similarly advises against relying on clearing firms to report suspicious activity that should be reported by the member firm. FINRA recommends that firms use automated systems to detect trends around account openings, employ both documentary and non-documentary methods for customer identification, and train both AML and non-AML staff on the requirements to report a range of potentially suspicious activity. In addition, the Report noted three areas of focus for emerging AML risks in the coming year: (i) microcap / penny stock activity in omnibus accounts of foreign institutions; (ii) account activity in restricted markets, such as China; and (iii) fraud risk attendant to public offerings of special purpose acquisition companies (SPACs).
Cybersecurity and Technology Governance – Newfound reliance on remote, work-from-home technology combined with increasing customer demand for convenient and on-demand account services presents member firms with an ever-changing landscape of cybersecurity risks such as system-wide outages, email and account takeovers, fraudulent wire transfers, ransomware, and “imposter” websites. FINRA suggests that firms consider whether their cybersecurity governance programs adequately address those emerging risks, including whether firms’ testing functions include reviews of (i) vendors’ controls; (ii) pre-production environments for new technology rollouts; and (iii) trading algorithm functionality in periods of market dislocation. Firms should confirm that Data Loss Prevention programs have encryption controls in place for confidential data, and that cybersecurity policies are not “one size fits all” when branches and remote locations have varying levels and types of activity and technology sophistication. As cybersecurity continues to grow in both scope and importance, firms should enhance training modules and require that all staff – not just registered representatives – complete annual assessments.
Outside Business Activities (OBAs) and Private Securities Transactions (PSTs) – Representatives who engage in business away from member firms present a host of risks ranging from sales practices issues to cybersecurity concerns to customer fraud. FINRA suggests that firms require that reps and associated persons complete – both upon hire and periodically thereafter – detailed questionnaires and attestations regarding their involvement in OBAs and PSTs. Firms should also retain documentation supporting both their review of the questionnaires/attestations and monitoring of any limitations for approved OBA/PST activity. As certain representatives may have received payment from the Paycheck Protection Program (PPP) during the pandemic, FINRA suggests that firms review publicly available data on such loans to determine if a registered representative received one for an undisclosed OBA.
Books and Records – Member firms should review vendor contracts to confirm that their agreements provide for compliance with recordkeeping requirements, Electronic Storage Media (ESM) formatting standards and notification requirements. FINRA recommends that firms use simulations to test vendor programs, including “Cloud Vendor” programs, for compliance with the Books and Records rule and other ESM requirements.
Regulatory Events Reporting – Rule 4530 requires that member firms promptly report certain violations of securities laws and FINRA rules and statistics on customer complaints. FINRA emphasized the importance of not only ensuring that policies and procedures explicitly require such reporting (both from the firm to FINRA and from representatives to the firm) but also providing for monitoring of public databases and internal records (such as e-mails) for signs that representatives have undisclosed reportable events. FINRA recommends that firms review training to confirm that it properly educates representatives on the type of financial events that need to be disclosed, and confirm that personnel use the proper Rule 4530 codes when reporting information to FINRA.
Fixed Income Mark-up Disclosure – FINRA and the Municipal Securities Rulemaking Board require that firms provide customers with confirmations that contain specific, transaction-related information when those customers trade corporate, agency and municipal debt securities. Based on observations from prior exams, FINRA noted that certain firms failed to accurately disclose all of the required transaction information, and failed to realize that certain forms of debt (such as structured notes) are also within the scope of the disclosure rules. To avoid inadvertent mistakes, firms should conduct regular reviews of a sample of trade confirmations to confirm that all required transaction-related data (such as prevailing market price and time of execution) and necessary customer disclosures flow to confirmations. In particular, firms using multiple vendors for different types of fixed income transactions should develop policies that provide for accuracy and consistency of disclosures across different platforms and trading desks.
Communications and Sales
Reg BI and Form CRS – When the deadline for implementing the SEC’s “generational” change to the standard of care regulations coincided with an unprecedented pandemic, regulators assured firms that initial exams for Reg BI and Form CRS compliance would be conducted under a good faith standard. Now, FINRA notes that it intends to “expand the scope” of Reg BI / CRS exams in 2021. As FINRA is still in the early stages of its Reg BI and CRS exams, the Report does not contain any findings or effective practice suggestions, and the considerations largely echo prior FINRA and SEC guidance on CRS and Reg BI. Of note, however, FINRA reminded firms that suitability requirements are still in effect for non-retail (i.e., institutional) clients, and policies should continue to account for Rule 2111 requirements.
Communications with the Public – FINRA rules require that firms’ communications with the public must be fair and balanced and not misleading. In the Report, FINRA highlighted the importance of these rules in the context of new products (such as digital assets) and digital communication channels. FINRA specifically noted the risks around app-based trading platforms with “game-like features” that potentially understate the risks attendant to investing, particularly in the context of options trading. In the context of digital assets, firms should confirm that disclosures “prominently” identify the unique risks and speculative nature of such investments. In addition, the Report highlights the importance of cash management account disclosures, including proper disclosures regarding a firm’s role (bank vs. broker-dealer) and potential conflicts of interest. Firms that permit texting, social media and other forms of digital communication by associated persons should confirm that their policies and procedures account for the specific recordkeeping and supervisory challenges presented by those forms of communication. Best practices include clearly defining permissible and prohibited forms of communication in policies and procedures, administering up-to-date training that accounts for recent technology developments, and issuing appropriate discipline for infractions of digital communication policies.
Private Placements – FINRA rules and guidance require that firms offering private placement investments under Reg D perform a reasonable investigation into specific aspects of the private placement issuer and the issuer’s claims regarding the potential return and use of proceeds for the private investment. To satisfy those obligations, FINRA suggests that firms develop a private placement committee, use checklists to document reviews, and rely on independent sources for verification of material facts (i.e., do not simply rely on the issuer). Firms must address red flags (such as conflicts of interest and issuer management disciplinary history) during both initial due diligence and on an ongoing basis. In order to meet various filing requirements for Reg D offerings, FINRA recommends the use of an automated alert system to keep deadlines and filings current.
Variable Annuities (VAs) – Sales practice concerns around the purchase of VAs are an evergreen topic in FINRA priority letters. In this Report, FINRA focuses primarily on VA exchanges and buyout offers. FINRA notes the importance of using automated surveillance tools and exception reports to both review proposed exchanges and to create historical reports with standardized thresholds to detect trends across representatives, customers and products. As with other topics in the Report, firms should also be cognizant of the need to test the accuracy of data feeds and other inputs used for those automation tools. In addition, FINRA recommends that representatives recommending exchanges provide detailed, written rationales for the exchange and require that supervisors verify the information provided for both the existing and proposed VA. Firm policies should also address VA buyouts and train representatives on the potentially higher fees and loss of benefits when such events occur.
Market Integrity
Consolidated Audit Trail (CAT) – Under the new CAT regulations, all member firms that receive or originate orders in National Market System (NMS) stocks, over-the-counter (OTC) equity securities or listed options must report certain data to CAT. In addition, all firm proprietary trading activity is subject to CAT reporting regardless of the size or type of firm or type of trading activity. Firms must develop policies to comply with CAT, and such policies should (i) identify the responsible parties for timely reporting; and (ii) detail the firm’s processes for confirming the accuracy of data posted to the CAT Reporter Portal. As with Reg BI, FINRA is still in the early stages of exams on the new CAT requirements, so the Report does not contain specific exam findings and effective practices, but FINRA specifically highlighted CAT as an area of focus across many firms in the coming year.
Best Execution – FINRA best execution rules require that firms obtain adequate execution quality for their customers; if a firm does not review every trade for execution quality, reviews must be “regular and rigorous.” A frequent topic of priorities letters, best execution presents unique challenges for firms offering customers an array of security types across different trading systems. In the Report, FINRA highlights the importance of addressing potential conflicts of interest in order-routing decisions and the need to tailor the nature of the best execution reviews to the firm’s business (i.e., different reviews for different security types). In 2021, FINRA will focus regulatory efforts on firms that offer “zero commission” trades, and evaluate whether those firms use different order-routing practices for those products or rely on changes to other business lines (e.g., Cash Management Accounts) to offset lost commission income. FINRA suggests that firms use exception and surveillance reports to assist in meeting best execution obligations and conduct reviews on a frequency that, while at least quarterly, adequately accounts for the nature and scope of a firm’s business.
Large Trader Reporting – The “Large Trader Rule” (Exchange Act Rule 13h-1) requires that certain traders identify themselves to the SEC as large traders and further requires that member firms obtain and report large trader information to the CAT for accounts with CAT-reportable events. FINRA recommends that firms review their WSPs to confirm the adequacy of both large trader information reporting controls and large trader ID disclosure requirements. Based on recent exams, FINRA noted that some firms failed to properly identify or monitor for “large traders,” and recommends that firms add a “large trader” check to their Electronic Blue Sheet (“EBS”) policies and require that institutional clients identify large trader information in new account forms.
Market Access – The Market Access Rule requires that firms develop controls around market access risks so as not to jeopardize the financial condition of their own firm and other market participants. FINRA recommends that highly automated firms consider how they will manage technology changes and whether their controls (such as “kill switches”) account for market-wide events and potentially aberrant algorithmic activity. Based on recent exams, FINRA found that certain firms lacked adequate pre-trade order limits, pre-set capital thresholds and controls for accessing alternative trading systems. FINRA also found that some firms’ financial risk management controls were inadequate and improperly relied on third-party vendors for controls without maintaining “direct and exclusive” control over them. FINRA recommended that firms (i) periodically test their controls; (ii) adopt practices for systemic pre-trade “hard” blocks to prevent fixed income trades from breaching ATS thresholds; (iii) tailor erroneous or duplicative order controls to the firm’s business; (iv) develop adequate post-trade controls; and (v) implement processes for reviewing ad hoc adjustments (including the ability to return to original values as needed).
Vendor Display Rule – Firms that provide quotation information for certain stocks are responsible for providing a consolidated display of certain market data for those stocks to customers. From recent exams, FINRA noted that certain firms provided some, but not all, of the information required in consolidated displays, and failed to maintain policies that address all components of the Vendor Display Rule and adequate testing. Firms should test the accuracy of their data feeds on the front end to confirm that they are receiving all necessary market data to provide full and accurate consolidated quote information to customers, and validate the adequacy of displays on the back end, particularly after technology enhancements.
Financial Management
Net Capital – The Net Capital Rule requires that firms maintain specific levels of working capital to protect customers and creditors from losses due to an impaired financial condition. In the Report, FINRA notes that firms should periodically review how they treat certain asset types for net capital purposes and confirm that their procedures use the proper allocation methodology across asset classes and expense sharing agreements. In order to properly report net capital, firms must (i) ensure the accuracy of their classification of receivables, liabilities and revenue; (ii) accurately record revenue and expenses; (iii) document expense sharing agreements; (iv) have a process to correctly identify “failed to deliver” and “failed to receive” contracts; and (v) assess capital charges for underwriting commitments. FINRA also highlighted the importance for firms to collaborate with their clearing firms to confirm the proper flow of required asset information and to document responsibilities (at the firm and clearing firm) in the event of fails and other net capital issues.
Liquidity Management – FINRA reminded firms to review liquidity management plans and stress test frameworks to ensure consistency with their specific business model. Firms should have procedures that permit changes to their “stress test period” from a single time horizon to multiple time horizons, and confirm that their policies have a process for modifying business models in response to stress test results. As with other topics discussed in the Report, firms should confirm that their stress test and liquidity management programs are adaptable, periodically reviewed for updates to account for changes to the firm’s business model, and tailored to the specific aspects of a firm’s business.
Credit Risk Management – Consistent with the financial responsibility rules, firms must maintain a comprehensive credit risk management control framework to accurately capture the firm’s exposure to credit risk. Based on recent exams, FINRA suggests that firms develop comprehensive in-house control frameworks that identify credit exposures in real-time environments and maintain a governance process for approving new, material margin loans. In the context of credit risk limit changes, FINRA noted that some firms adopted approval and documentation processes that provided for ongoing review of adherence to those limits.
Segregation of Client Assets and Customer Protection – The Customer Protection Rule requires that firms protect customer funds by segregating assets from their proprietary business and promptly deliver assets to an owner upon request. Based on recent exams, FINRA found that some firms failed to demonstrate consistent check forwarding processes, accurate reserve formula calculations and accurate maintenance of blotter information. FINRA recommends that firms encourage collaboration among legal and compliance departments to confirm that agreements supporting control locations are in place before new accounts are established and coded on the firm’s books, and confirm that staff with system access to establish new control locations are independent from the business area.
The complete version of the Report is available here.