Regulatory Oversight: FINRA 2024 Annual Report

KPMG Regulatory Insights

• Emerging/Key Risks: Call out of risk areas, including AI, fraud, crypto, cybersecurity, and off-channel communications.
• Future Exam Focus: Puts forth a “roadmap” for upcoming 2024 exam expectations.
• Regulatory Environment: Consider FINRA’s insights and findings in concert with the SEC’s 2024 Examination Priorities and regulatory agenda (see KPMG Regulatory Alerts, here and here) 

 ______________________________________________________________________________________________________________________________________________________________________

January 2024

The Financial Industry Regulatory Authority (FINRA) issues its 2024 Annual Regulatory Oversight Report. The report contains insights and findings from FINRA’s Member Supervision, Market Regulation, and Enforcement programs. (Note: FINRA previously issued this report under the title “Report on FINRA’s Examination and Risk Monitoring Program”. The new title reflects “ongoing efforts to increase both the integration among our regulatory operations programs and the utility of the Report for member firms as an information source they can use to strengthen their compliance programs”.)

Key Sections. The report covers twenty-six (26) topics across six (6) key sections, including 1) Financial Crimes; 2) Crypto Asset Developments; 3) Firm Operations; 4) Communications and Sales; 5) Market Integrity; and 6) Financial Management. For each topic, FINRA:

• Identifies relevant rules
• Highlights key considerations for compliance
• Summarizes findings or observations from recent oversight activities
• Outlines effective practices

While the structure and content of the report is consistent with previous years, FINRA specifically highlights areas of emerging risk, new topics, and other areas of interest (e.g., new material, new findings).

Emerging Risks. FINRA highlights two areas of emerging risk, both of which are related to technology management and financial crime:

• Artificial Intelligence: FINRA cautions that the development and deployment of AI, and generative AI in particular, raises concerns about accuracy, privacy, bias and intellectual property. Firms are encouraged to be mindful of the implications that using such technology may have on regulatory obligations spanning across areas such as AML, books and records, model risk management, SEC Regulation Best Interest, customer information protection, and cybersecurity, among others.
• New account fraud (NAF): Examiners note observed increases in suspicious and fraudulent activity related to new account fraud (which FINRA defines as an occurrence of a bad actor utilizing stolen or synthetic identification information to fraudulently open an account), especially related to fully online account opening processes. FINRA cautions that NAF may be a precursor to other fraud schemes and encourages firms to evaluate and enhance their processes related to new account opening and monitoring customer account activity.

New Topics. FINRA adds one new section and three new topics to the report:

• Crypto Asset Developments (New Section): FINRA provides considerations for firms engaged in or seeking to engage in crypto-related activities. Highlighted regulatory and compliance challenges and risks include supervisory programs and controls, and compliance policies and procedures, in areas such as cybersecurity, AML compliance, communications with customers, manipulative trading, performing due diligence on crypto asset private placements, and supervising associated persons’ involvement in crypto asset-related activities and transactions.
  • Call outs highlight FINRA’s Membership Application Program for proposed crypto asset securities business lines; potential crypto asset-related market abuses; and a forthcoming report on findings and effective practices identified as part of a recent targeted exam on crypto asset-related retail communications.
• Market Integrity (three new topics): new topics highlight findings and effective practices.
  • OTS Quotations in Fixed-Income Securities – findings include inadequate supervisory controls and procedures and failure to test applicability.
  • Advertised Volume – findings include overstating or inflating trade volumes and failing to establish and maintain “supervisory systems that are reasonably designed to achieve compliance with Rule 5210.”
  • Market Access Rule – findings include insufficient or inadequate controls, reliance on third-party vendors, and failure to consider additional data.

Additional Areas of Interest.

• Book and Records: Acknowledging the growing scrutiny of data retention and recordkeeping, especially with regard to off-channel electronic communications where FINRA states “there is an increased risk that they are not maintained and preserved as part of the firm’s books and records.” Firms are encouraged to consider their policies, procedures, and controls related to maintaining and preserving business-related off-channel communications as well as communications to associated persons regarding compliance with the policies, prohibitions against unapproved communications, and corrective or disciplinary measures. (See KPMG Regulatory Alert, here.)
• Cybersecurity: FINRA states that cybersecurity continues to be a persistent threat to financial services firms. The report highlights an increase in the variety, frequency, and sophistication of cyber incidents, including imposter websites, insider threats, ransomware, and events at critical vendors and notes the importance of combatting cyber threats by establishing supervisory controls in areas such as vendor management, change management, and business continuity. Call outs highlight new and anticipated SEC rulemakings (see KPMG Regulatory Alerts, here, here, here, and here.)
• T+1 Settlement: Compliance required beginning May 28, 2024, for FINRA rule updates conforming to the SEC’s final rule. FINRA notes the move to T+1 has implications for numerous rules, including Regulation SHO, SEC financial responsibility rules, and FINRA rules related to clearly erroneous transactions.

A FINRA podcast featuring highlights of FINRA’s report is available here. In addition to the points above, FINRA principals also address Regulation Best Interest, regulatory reporting, liquidity risk management, net capital, and Consolidated Audit Trail compliance.