Although FINRA’s Examination and Risk Monitoring Report is characterized as a reference to inform member firms’ compliance programs, the Report serves to highlight the areas of examination focus and emerging risk that will most likely direct reviews in 2022. Firms should anticipate that examiners will be assessing how well their compliance activities in each of the topic areas align with the information contained in the Report, including exam findings, effective practices, and “relevant considerations.” Firms are encouraged to promptly review and enhance their controls and processes to ensure adherence to these areas of regulatory expectation.
FINRA published its 2022 Report on FINRA’s Examination and Risk Monitoring Program, which it states builds on the 2021 Report and is intended to serve as an evolving resource for firms to “inform their compliance programs.” The Report touches on twenty-one different topics (e.g., anti-money laundering, cybersecurity, market access, segregation of assets) grouped into four broad categories (Firm Operations, Communications and Sales, Market Integrity, and Financial Management). For each topic, FINRA outlines relevant laws, regulations, and FINRA rules; observed effective practices for member firms to consider when reviewing their supervisory controls and procedures; and “relevant considerations” that examiners may raise during an examination. Select highlights from the Report follow.
FINRA highlighted a number of topics/areas addressed through its Examination and Monitoring Program that were also subject to heightened industry and public attention in 2021, including the following:
- Regulation Best Interest (Reg BI) and Form CRS. In 2021, the first full calendar year of Reg BI and Form CRS implementation, FINRA expanded the scope of its reviews and testing to execute a more comprehensive review of firms’ efforts to:
  - Establish and enforce adequate written supervisory procedures
  - File, deliver, and track accurate Forms CRS
  - Make recommendations that adhere to Reg BI’s Care Obligation
  - Identify and mitigate conflicts of interest
  - Provide effective training to staff
FINRA detailed a number of new materials related to its exam findings, observed effective practices, and key considerations. Notably, the findings regarding Form CRS align with observations in an earlier SEC Staff Statement (see KPMG Regulatory Alert here). FINRA expects to issue a separate report specific to Reg BI and Form CRS exam findings.
- Complex Products: Firms will continue to be assessed on their customer communications and disclosures related to complex products as well as whether recommendations of these products are in the best interest of the retail customer. FINRA intends to separately release findings from a targeted exam review of members’ practices and controls related to “the opening of options accounts which, in some instances, may be used to engage in complex strategies involving multiple options.”
- Order Handling, Best Execution and Conflicts of Interest: FINRA is focusing on firms’ compliance with FINRA Rule 5310 (Best Execution and Interpositioning) and Rule 606 of Regulation National Market System (NMS). FINRA will issue a report based on its study evaluating the “impact that not charging commissions has or will have on the member firms’ order-routing practices and decisions, and other aspects of member firms’ business.” The disclosure of order routing information (compliance with Rule 606 of Regulation NMS) was added as a new topic to the Examination and Risk Monitoring Report.
- Cybersecurity: Given the increased number and sophistication of cybersecurity threats, FINRA will be considering firms’ efforts to continuously assess cybersecurity and new technology risks. Attention will focus on cybercrime that increases both fraud risk (e.g., synthetic identity theft, customer account takeovers, illegal transfers of funds, phishing campaigns, imposter websites) and money laundering risk (e.g., laundering illicit proceeds through the financial system). New exam findings highlight deficiencies related to risk assessment processes and data loss prevention. (See related KPMG Regulatory Alert here.)
- Mobile Apps: FINRA noted that it has observed significant issues pertaining to firms’ supervision of activities on some mobile apps, as well as communications with customers through mobile apps and the use of social media to acquire customers. FINRA has initiated a targeted examination to further assess firms’ mobile app practices and “management of their obligations related to information collected from those customers and other individuals who may provide data to firms”.
FINRA calls out the following “emerging risks” as areas with “potentially concerning practices” that may be subject to increased scrutiny going forward:
- Low-priced securities risks. FINRA states that it has observed an increase in several types of activity in low-priced securities that could be indicative of fraud schemes—including an increase in such activity through foreign financial institutions (FFIs) that open omnibus accounts at U.S. broker-dealers. It shares some signs of potentially illicit trading activity in low-priced securities.
- Vendor risks. Due to increases in the number and sophistication of cyberattacks, FINRA reminds firms of their obligations to oversee, monitor and supervise cybersecurity programs and controls provided by third-party vendors.
- Customer account information risks. Firms must have procedures in place that require a registered person to meet certain conditions, including providing written notice to the firm and receiving approval, before being named a beneficiary of a customer’s estate, executor or trustee, or to have a power of attorney for a customer.
To keep the Report “up-to-date,” FINRA has added new material throughout, including new examination findings and new effective practices, as well as five new topics, as outlined below.
- Firm Short Positions and Fails-to-Receive in Municipal Securities. FINRA observes that firms must develop and implement adequate controls and procedures to ensure identification, prevention, and resolution of adverse impacts to customers when firm trading activity inadvertently results in a short position or a firm fails to receive municipal securities it purchases to fulfill a customer’s order.
- Trusted Contact Persons (TCP). Firms must make reasonable efforts to obtain the name and contact information of a trusted contact person (age 18 or older) for each of their non-institutional customer accounts; guidance is also provided on firm authorization to contact the TCP and disclose information about the customer account. FINRA is focusing on the adequacy of supervisory systems and education/training for representatives.
- Funding Portals and Crowdfunding Offerings. Funding portals are required to become FINRA members and register with the SEC. As such, they are subject to certain FINRA and SEC requirements regarding attestation, notification, and disclosure.
- Disclosure of Routing Information. Broker-dealers, through Rule 606 of Regulation NMS, are required to disclose information regarding the handling of their customers’ orders in NMS stocks and listed options. FINRA highlights the need for accuracy and completeness of required disclosures and quarterly routing reports, in addition to firms’ due diligence on vendor quarterly reports and disclosures.
- Portfolio Management and Intraday Trading. FINRA requires firms to monitor the risk of positions held in margin accounts “during a specified range of possible market movements according to a comprehensive written risk methodology”. Firms will be evaluated on their compliance with FINRA Rule 4210(g) (Margin Requirements). FINRA will focus on monitoring systems, including escalation procedures.