2022 Report on FINRA’s Examination and Risk Monitoring Program

Regulatory Briefs
Written By Jonathan Hurd, CAMS

The 2022 Report on FINRA’s Examination and Risk Monitoring Program was released, providing information to firms that may help update and improve compliance programs. The report covers topics FINRA deems important based on 2021 firm examinations. For each section, FINRA identified relevant rules, key considerations for compliance programs, findings from recent exams, effective practices and helpful resources for firms when reviewing their own procedures and controls related to compliance. FINRA has also identified new topics for firms to monitor for 2022.

 Topics of Interest

Cybersecurity and Technology Governance

Rule 30 of the Security and Exchange Commission’s (“SEC”) Regulation S-P requires firms to have written policies and procedures that are designed to safeguard sensitive customer information.

Exam Observations:

  • Failing to have an adequate and ongoing process to assess cyber and IT risks;

  • Failing to encrypt confidential data, more specifically non-public customer information;

  • Not maintaining branch-level written cybersecurity policies; and

  • Not providing comprehensive training on cyber risks.

Related Considerations:

  • What is the firm’s process for continuously assessing cybersecurity and technology risk?

  • What types of penetration testing, if any, does your firm do to test web-facing systems that allow access to customer information or trading?

  • What are your firm’s procedures to communicate cyber events to AML or compliance staff related to meeting regulatory obligations, such as the filing of SARs and informing reviews of potentially impacted customer accounts?

Effective Practices:

  • Continuously monitor and test the capacity of current systems, and track average and peak utilization, to anticipate the need for additional resources based on increases in accounts or trading volumes, as well as changes in systems;

  • Requiring customers to use multi-factor authorization to access their online accounts; and

  • Establish and regularly test written procedures for responding to cybersecurity and information security incidents.

 Reg BI and Form CRS

Reg BI and Form CRS became effective on June 30, 2020, making 2021 the first full year in which FINRA was able to examine firms’ implementations of these obligations within their policies and procedures. Reg BI ensures associated persons put the interest of their clients before their own and Form CRS is a brief relationship summary disclosing material information to retail investors.

Exam Observations:

  • Failing to modify Policies and Procedures to reflect Reb BI requirements;

  • Failing to properly train staff to comply with the new requirements of Reg BI and Form CRS;

  • Failing to post Form CRS or failing to post Form CRS prominently, in a location and format that is easily accessible to retail investors on website;

  • Not providing retail customers with “full and fair” disclosures of all material facts related to the scope and terms of their relationship with customers or related to conflicts of interest that are associated with recommendations.

Related Considerations:

  • Does your firm and your associated persons consider cost and reasonably available alternatives when making recommendations to retail customers?

  • How does your firm test its policies and procedures determine if they are adequate and performing as expected?

  • What controls does your firm have to assess whether disclosures are provided timely, and if provided electronically, in compliance with the SEC’s electronic delivery guidance?

 Effective Practices:

  • Monitoring communication channels to confirm that associated persons who were not investment adviser representatives were not using the word “adviser” or “advisor”

  • Incorporating Reg BI-specific reviews into the branch exam program as part of overall Reg BI compliance efforts, focusing on areas such as documenting Reg BI compliance and following the Firm’s Reg BI protocols

  • Tracking and delivering Form CRS and Reg BI-related documents to retail investors and retail customers in a timely manner

 New for 2022

 Firm Short Positions and Fails-to-Receive in Municipal Securities:

As stated in Regulatory Notice 15-27, customers may receive taxable, substitute interest instead of the tax-exempt interest that was expected when a firm effects sales to customers of municipal securities that not under the firms possession or control. Firms must create and implement controls and procedures for detecting, resolving, and preventing these adverse tax consequences to customers.

  Related Considerations:

  • When municipal securities short positions are identified, does your firm begin to cover the shorts, or do they wait until the trades have settled?

 Trusted Contact Persons (“TCP”)

FINRA Rule 4512(a)(1)(F) requires that for each non-institutional customer account, a firm should make a reasonable effort to obtain the name and contact information for a TCP age 18 or older. FINRA Rule 4512 states that the firm and their associated persons must contact the TCP to disclose information related to the customer’s account.

Related Considerations:

  • Has your firm established an adequate supervisory system, including WSPs, related to seeking to obtain and using the names and contact information for TCPs?

 Funding Portals and Crowdfunding Offerings

Title III of the JOBS Act contains provisions related to securities offered or sold through crowdfunding. Funding portals must register with the SEC and become a member of FINRA. To engage in the sale of securities in reliance on the crowdfunding exemptions broker-dealers must notify FINRA in accordance with FINRA Rule 4518.

  Related Considerations:

  • What steps is your firm taking to confirm all required issuer information, pursuant to Regulation Crowdfunding Rules 201 and 203(a), is publicly available on your firm’s platform?

 Other Topics

  • Anti-Money Laundering

  • Outside Business Activities and Private Securities Transactions

  • Books and Records

  • Regulatory Event Reporting

  • Communications with the Public

  • Private Placements

  • Variable Annuities

  • Consolidated Audit Trail (CAT)

  • Best Execution

  • Disclosure of Routing Information

  • Market Access Rule

  • Net capital Liquidity Risk management

  • Credit Risk Management

  • Segregation of Assets and Customer Protection

  • Portfolio Margin and Intraday Trading

Jonathan Hurd, CAMS

CEO, COMPLIANCE AND RISK MANAGEMENT

Previous

February 2022 FINRA Disciplinary Actions

Next

SEC Proposes Cybersecurity Risk Management Rules and Amendments for registered investment advisers and funds