FINRA - 2021 Report on FINRA’S Examination and Risk Monitoring Program

In February 2021, FINRA replaced two of their prior publications - the Report on FINRA Examinations Findings and Observations and the Risk Monitoring and Examination Priorities Letter - with the Risk Monitoring and Examination Activities Report. This new report was released to inform member firms’ of relevant practices to incorporate into their compliance programs and provide insight to improve ongoing regulatory operations. Along with the practices, FINRA also encourages member firms to stay informed on new or amended laws, while also keeping Written Supervisory Procedures (“WSP”) and compliance programs updated on an ongoing basis. FINRA expects to revisit this report annually, where they will continue to update the information in the provided areas to address changes in business models, technologies or other factors that may affect how regulatory obligations are fulfilled.

The report addresses several key regulatory topics which relate to a firm’s business model, supervisory control system and prior exam findings. However, the report is considered to be just one tool that a member firm can utilize for the development of its operations program; it does not represent a complete inventory of obligations and considerations. Each key topic within the report is split up into the following sections:

Regulatory Obligations and Related Considerations – This section includes a brief description of:

• Relevant federal securities laws, regulations and FINRA rules; and

• Questions FINRA may ask when examining your firm for compliance. These questions will be considered useful when evaluating your compliance program or preparing for FINRA examinations.

Exam Findings and Effective Practices – This section includes noteworthy findings FINRA has noted while conducting exams at member firms, including:  

• New findings from recent and old examinations including 2017, 2018 and 2019;

• Topics noted as “Emerging Risks” representing potential risks within practices that will receive more attention moving forward; and

• Topics noted as Cybersecurity, Liquidity Management and Credit Risk, will be looked at in depth for potential weaknesses that elevate risk, but for which there are not specific rule violations in place.
  

Several key topics that FINRA reported on are highlighted below:

Anti-Money Laundering: FINRA Rule 3310 requires that members develop and implement a written anti-money laundering (“AML”) program to comply with the Bank Secrecy Act (“BSA”). Firms should also be aware of the recently enacted AML Act of 2020, which may result in material revisions to regulations over time.

Exam Observations included the following:

• Failing to tailor transaction monitoring to address firms’ business risk(s);

• Excluding certain types of data and customer accounts from monitoring programs;

• Failing to review how the firm’s AML program was implemented as well as not ensuring independence of the testing;

• Unclear delegation of AML responsibilities; and

• Failing to properly train and report suspicious activity to the AML department.

Related Considerations included:

• Does your firm’s independent testing confirm that it maintains appropriate risk-based procedures for collecting and verifying customer identification information on all individuals and entities that would be considered customers under the Customer Identification Program rule, and beneficial owners of legal entity customers under the CDD Rule?

• Does your firm review the integrity of its data feeds for its surveillance and monitoring programs?

• Does your firm tailor and adequately resource their AML program to the firm’s business model and associated AML risks?

Effective Practices included:

• Monitoring for fraud during account opening;

• Collaborating with clearing firms to understand allocation of responsibilities;

• Testing of transaction monitoring and model validation.

Cybersecurity and Technology Governance: FINRA reminds Firms that cybersecurity remains one of the principal operational risks facing broker-dealers and expects firms to develop programs and controls that are consistent with their risk profile.

Exam Observations included:

• Failing to maintain branch-level written cybersecurity policies and limited testing for changes or system capacity issues;

• Failing to provide comprehensive training to personnel;

• Lack of policies and procedures to vet prospective vendors and lack of policies and procedures to continuously monitor existing vendors.

Related Considerations included:

• What kind of governance structure has your firm developed to identify and respond to cyber risks?

• What kind of training does your firm conduct on cybersecurity?

• What process does your firm have to evaluate your firm’s vendors’ cybersecurity controls?

Effective Practices included:

• Establishing and regularly testing written formal incident response plans that were made to respond to security incidents;

• Creating and keeping current an inventory of critical information technology assets; and

• Implementing timely application of system security patches

Outside Business Activities (“OBA”) and Private Securities Transactions (“PST”): FINRA Rules 3270 and 3280 require all registered representatives (“RR”) to notify their firms in writing of proposed OBA’s and all associated persons to notify of proposed PST’s. FINRA noted that some RR received a Paycheck Protection Program (“PPP”) that they did not disclose, and which may have been required to update their U4 as well. Effective practices include conducting training on OBA and PST’s during onboarding training, as well as ongoing annual training.

Related Considerations: How does your firm supervise PSTs, including digital asset PSTs, and document its compliance with the supervisory obligations? Does your firm take into account the unique regulatory considerations and characteristics of digital assets when reviewing digital asset OBAs and PSTs?

Reg BI and Form CRS: Reg BI establishes a “best interest” standard of conduct for broker-dealers and associated persons when they make a recommendation to retail customers of any securities transactions. Form CRS requires broker-dealers to provide a brief relationship summary to retail investors on the types of services and relationships the firm offers.

Related Considerations: Does your firm have policies, procedures and controls in place to assess recommendations using a best interest standard? Does your firm have policies and procedures to provide the disclosures required by Reg BI? Does your firm have policies, procedures and controls in place regarding the filing, updating and delivery of Form CRS?

Variable Annuities: FINRA Rule 2330 establishes sale practice standards regarding recommended purchases and exchanges of deferred variable annuities. In addition, the rule requires that firms conduct surveillance to determine if any associated person is affecting deferred variable annuity exchanges at a rate that might suggest conduct inconsistent with the rule. Exam findings include not reasonably supervising recommendations of exchanges that were inconsistent with the customer’s objectives which resulted in increased fees to the customer.

Related Considerations: How does your firm review for rates of variable annuity exchanges? What do your WSPs require RR to do in order to support a determination that a transaction meets the standard of care requirements and that there is a reasonable basis for it?

Please refer to this link to read the whole report by FINRA.