In efforts to become more transparent and aid firms in improving their compliance and risk management programs, FINRA has developed the 2019 Report on Examination Findings and Observations. FINRA Findings and FINRA Observations are defined as follows:

Findings – constitute a determination that a firm or registered person has violated the US Securities and Exchange Commission (“SEC”), FINRA, or relevant and applicable regulations and rules

Observations – suggestions to a firm about how it could improve its control environment in order to addressed perceived weaknesses that elevate risk, but do not typically rise to the level of a rule violation

FINRA has noted the following findings and observations in the 2019 Report. Firms are expected to utilize this report as a preventative tool to measure their weaknesses, vulnerabilities, and deficiencies as well as provide guidance on the following topics:

Topic Applicable Rules Finding/Observation
Supervision FINRA Rule 3110

FINRA Rule 4512

FINRA Rule 2231

SEA Rule 17a-3, 17a-4

FINRA Rule 4510

· Firms were observed to not have adequately amended their WSPs or update their business practices according to the new applicable rule changes.

· Firms did not conduct periodic inspections of non-branch locations or implement adequate supervision and inspection programs.

· Firms did not have policies or systems in place to monitor and maintain accurate account information specific to Restricted and Insider Accounts, Margin Accounts, and Options Accounts.


Suitability FINRA Rule 2111 · Firms did not have or maintain supervisory systems for assessing the suitability of recommendations that customers exchange certain products including mutual funds, variable annuities, or unit investment trusts.

· Firms did not identify red flags for possible unsuitable transactions, recommendation patterns, different risk profiles, and timing.


Digital Communication FINRA Rule 3110

FINRA Rule 4510

· Firms were noted to prohibit the use of text messaging, collaboration applications and social media platforms; however, they did not maintain a process to reasonable respond to red flags.

· Registered Representatives made use of prohibited chatrooms for sales seminars.


Anti-Money Laundering Bank Secrecy Act

FINRA Rule 3310

· Firms did not tailor their transaction monitoring to address:

· risks of new revenue sources, higher-risk customers, and increased levels of activity

· red flags associated with third-party transfers, market dominance, prearranged trading, and stock manipulation.

· Firms were noted to primarily rely or entirely rely on their clearing firms for transaction monitoring and suspicious activity reporting.


Business Continuity Plans FINRA Rule 4370 · Firms did not identify all mission critical systems.· Inadequate capacity to handle increased call volume and online activity during a business disruption

· Contained outdated information regarding contacts, operations, and data centers.

· Firms policies allowed for files to be stored on local computer drives rather than on the firm network.


Fixed Income Mark-Up Disclosure FINRA Rule 2232

MSRB Rule G-15

· Firm’s compensation for mark-ups and mark-downs were mischaracterized.

· Inaccurately labeled sales credits and concession portions as total mark-ups or mark-downs.

· Disclosed inaccurate times of execution.

· Provided incorrect prevailing market price determinations.


Best Execution FINRA Rule 5310 · Firms did not adequately consider and address potential conflicts of interest relating to the routing of orders to market centers.

· Firms did not provide adequate information in material disclosures as required by SEC Rule 606.

· Reviews of type-of-order basis and marketable limit or non-marketable limits were not conducted.


Direct Market Access Controls Rule 15c-3 · Firms WSPs and control systems did not include pre-trade order limit pre-set capital threshold for trading desks, and fixed income transactions.

· Firms did not maintain reasonably designed risk management controls supportive of the CEO’s certifications.


Short Sales SHO Rules 200-204 · Firms were noted to not be able to satisfy the Continuous Net Settlement (CNS) system fail-to-deliver close-out requirements as they did not implement a sufficient process to age fails, resulting in fails not being closed out timely.

· Inaccurate calculations of pre-fail credits.


Consistent with market trends, FINRA took a finer look at firm’s implementation of cybersecurity programs. FINRA noted that cybersecurity attacks have increasingly occurred across member firms, taking advantage of their confidential platforms and customer information. To ensure compliance with the SEC’s Regulation S-P, FINRA highlighted effective practices by several firms as a resource to strengthen their cybersecurity risk-management programs:

Controls Effective Practices
Branch Controls · Policies and procedures were implemented to protect and monitor confidential data at the branch-level.


Document Policies on Vendor and Third-Party Management · Policies and procedures were designed to document and manage the lifecycle of the firm’s engagement with third-party vendor’s that hold confidential and sensitive information.


Incident Response Planning · Firms regularly tested written incident response plans that outline procedures related to cybersecurity events.

· Firms developed policies and procedures including cybersecurity related mechanisms to identify, classify, prioritize, track and close cybersecurity-related incidents.


Data Protection · Firms encrypted all confidential data including sensitive customer and firm information.


System Patching · Firms implemented timely system security patches to protect sensitive information across all firm resources (desktops, laptops, network routers, etc.)


Access Controls · Firms implemented policies and procedures granting timed system and data access to privileged users.

· Firms implemented technology systems to track and monitor activities when accessing data.

· Firms Implemented multi-factor authentication controls for all access users.


Management of Asset Inventory · Firms created inventory of critical information technology assets in both home and office branches along with cybersecurity controls ton limits access to protect assets.


Data Loss Prevention · Firms implemented data loss prevention controls to protective sensitive customer information.


Training and Awareness · Firms provided cybersecurity training for all associated persons and third-party vendors.


Change Management Processes · Firms implemented change management procedures to review, document, prioritize, test, and approve hardware and software changes.


In addition to FINRA’s observed best practices related to cybersecurity, the risk for cyber-attacks is still present. To continue to mitigate risk and protect sensitive information the National Institute of Standards and Technology  has highlighted the following five (5) pillars[1] to implement into policies and procedures to combat cyber-attacks:

  • Identity
  • Protect
  • Detect
  • Respond
  • Recover

In response to the increasing rate of cyber-attacks on firms, TD Ameritrade[2] released the cost of protection imposed on firms in order to protect their Firm from cyberattacks and data breaches. In comparison to 2018, 2019 has seen tremendous growth in cybersecurity investments in the following areas:

  • Cybersecurity
  • Performance Reporting
  • Digital Documents
  • Financial Planning
  • Social Media
  • Rebalancing Software
  • Robo-advice solutions

Protecting sensitive customer and firm information has been top priority for all industry regulators as the impact on cyber-attacks is detrimental to not only the firms but the industry as a whole. FINRA continues to provide guidance in developing policies and procedures to mitigate and identify data-breaches, phishing, ransomware, and malware infections. Insiders are the primary cause of cyber-attacks.  Implementing the above best practices noted in FINRA’s 2019 Report may mitigate the risks imposed by data breaches and accessibility to sensitive information.

Click here to read the Report in its entirety.

Please contact an ARG Analyst with any questions regarding the matters discussed, or to learn the benefits of our broker-dealer and investment adviser compliance and risk management consulting services.

Key Topics: Broker dealer compliance, Investment banking compliance, FINRA compliance consultants, Broker dealer compliance consultants, Outsourced compliance officer, Broker dealer compliance consulting firms, Cybersecurity programs, cybersecurity attacks, policies and procedures weaknesses, Investment banking regulatory compliance, Broker dealer compliance requirements

[1] https://www.kitces.com/blog/sec-cybersecurity-requirements-for-registered-investment-advisors-rias/

[2] https://www.forbes.com/sites/louiscolumbus/2019/06/16/top-10-cybersecurity-companies-to-watch-in-2019/#1851be566022