In February 2022, the Financial Industry Regulatory Authority (FINRA) released the 2022 Report on FINRA’s Examinations and Risk Monitoring Program. This annual document aims to provide guidance to the broker-dealer industry. While the 60-page report includes a few new topics, it largely reflects pre-existing guidance and “does not create any new legal or regulatory requirements.”
Rather, the report is a tool to guide firms in examining and developing their processes and procedures. While they should be aware of the effective practices FINRA identifies, firms should analyze their obligations in light of their own businesses.
The following discussion provides a summary of some of the key items addressed in the report.
The firm operations portion of the report highlights obligations of firms’ day-to-day functions. While it includes three new topics not found in previous reports, the firm operations portion of the 2022 report focuses on the roles firms play in oversight of clients and associated persons. Cybersecurity is one of the topics designated as a selected highlight.
Anti-Money Laundering (AML)
The report discusses a series of AML-related areas where a firm should consider its obligations. FINRA observes that some firms failed to implement sufficient AML programs that identify known red flags. Firms were not tailoring AML programs to the various risks that different customers, products and transactions can present, and AML departments often were not notified of suspicious activity, including the growing risk of cybersecurity events, leaving such firms open to risk and regulatory exposure. As discussed below in the cybersecurity section, the report flags FINRA’s and the Financial Crimes Enforcement Network’s (FinCEN) expectation that events involving cybercrime would be reported via suspicious activity reports (SARs), which highlights the need to ensure that the AML department is apprised of cybersecurity events.
The report reminds firms that effective practices involve ongoing AML training for personnel in the AML department and in departments that work with AML. Similarly, FINRA notes that firms should not only conduct AML surveillance reviews but accurately document them. Finally, FINRA highlights the best practices in meeting Customer Identification Program obligations when opening accounts online through, among other things, conducting “likeness checks,” requesting additional documentation or using of third-party vendors to provide verification services.
Cybersecurity and Technology Governance
The report reiterates that cybersecurity is a “principal operational risk” to firms. FINRA notes that it is a firm’s responsibility to monitor its vendors to ensure compliance with the cybersecurity infrastructure put in place. FINRA states that firms failed to maintain branch-level written cybersecurity policies, in addition to failing to maintain systems that ensure branches are implementing the necessary upgrades and software patches to firm technology. FINRA also identifies an increase in the number and sophistication of cyberattacks — even offering an example of phishing attacks where the sender purports to be FINRA.
Additionally, the report highlights obligations surrounding the reporting of suspicious activity, specifically related to cybercrime. The Compliance Issues Related to Suspicious Activity Monitoring and Reporting Risk Alert by the SEC, cited in the report, notes that “broker-dealers [must] file with FinCEN a report of any suspicious transaction relevant to a possible violation of law or regulation.” The report specifically explains that “[e]vents involving, or enabled by, cybercrime are expected to be reported via SARs.” FinCEN’s guidance adds that “[i]f a financial institution knows, suspects, or has reason to suspect that a cyber-event was intended, in whole or in part, to conduct, facilitate, or affect a transaction or a series of transactions, it should be considered part of an attempt to conduct a suspicious transaction or series of transactions.” This report does not create a new obligation for firms but indicates a potential focus of FINRA and also emphasizes the need to report attempted cyber-events.
Outside Business Activities (OBAs) and Private Securities Transactions (PSTs)
FINRA reminds registered representatives to notify firms of proposed OBAs in writing. This contrasts with the obligation of all associated persons to notify their firms in writing of proposed PSTs. FINRA’s examinations concluded that individuals were failing to submit their OBAs and PSTs in writing; further, firms failed to have written policies or documentation of reviews of those written submissions. The report reminds firms that training and annual attestations, especially with open-ended questions, are an effective method to remind individuals of the obligation to report and to ensure that individuals understand the scope of that reporting obligation. The report notes that an effective practice for identifying undisclosed OBAs and PSTs is monitoring of social media, emails, and lifestyle of associated persons.
The report describes FINRA’s findings of inadequate reviews and record keeping of activities involving digital asset securities (or cryptocurrencies). Specifically, the report notes that FINRA identified digital asset activities that warranted treatment as PSTs but were neither supervised nor recorded in the firm’s books and records. The report recommends that a checklist to determine whether digital asset activities may be considered OBAs or PSTs could assist in ensuring proper reporting and supervision. While the report describes this as an effective practice, firms are not required to generate a checklist.
Books and Records
The primary focus of the report regarding books and records findings and best practices is the increased use of electronic storage media (ESM) and cloud service providers. FINRA advises firms to ensure that they understand the full scope of their record retention requirements and how they will fulfill them in the ESM environment. FINRA advises that firms undertake thorough contract reviews and periodic testing to include conducting a simulated examination production exercise, to ensure that the vendor can provide the third-party attestation letters required by Exchange Act Rule 17a-4(f)(3)(vii).
FINRA requires prompt reporting of specified events under Rule 4530. FINRA says associated persons were failing to report events such as customer complaints, relevant litigation, and other reportable events to compliance departments. The report specifically advises firms that effective practices involve “reviewing for any judgments concerning securities, commodities, or financial-related civil litigation and other reportable events.” The report also notes that firms were not conducting adequate surveillance for unreported events.
Communications and Sales
The report discusses some considerations, exam findings and effective practices identified by FINRA related to broker-dealer communications and sales practices, including under Regulation Best Interest (Reg BI) and Form CRS.
FINRA discusses observations on Reg BI’s disclosure, care, conflicts of interest, and compliance obligations.
Disclosure Obligation. Under the disclosure obligation, a broker-dealer, prior to or at the time of making a recommendation, is required to provide in writing full and fair disclosure of:
- all material facts relating to the scope and terms of the relationship with the retail customer, including the broker-dealer’s (and the associated person’s) capacity; material fees and costs; and the type and scope of services provided, including any material limitations on securities or investment strategies involving securities that may be recommended, and
- all material facts relating to conflicts of interest associated with a recommendation.
FINRA observed that some firms appeared to provide insufficient disclosures regarding the scope and terms of the relationship with retail customers and conflicts of interest associated with a recommendation, such as material fees received, potential conflicts of interest, and material limitations on available products. FINRA also noted that some firms that are not also registered as investment advisers, and associated persons who are not also supervised persons of an investment adviser, appear to be using the terms “adviser” and “advisor.”
Care Obligation. Under the care obligation, a broker-dealer and its associated persons are required to exercise reasonable diligence, care and skill in making a recommendation to:
- understand the potential risks, rewards, and costs associated with the recommendation, and have a reasonable basis to believe the recommendation could be in the best interest of at least some retail customers (the “reasonable-basis component”);
- have a reasonable basis to believe that the recommendation is in the best interest of a particular retail customer based on that retail customer’s investment profile and the potential risks, rewards, and costs associated with the recommendation and not place the financial or other interest of the broker-dealer or associated person ahead of the interest of the retail customer (the “customer-specific component”); and
- have a reasonable basis to believe that a series of recommended transactions, even if in the retail customer’s best interest when viewed in isolation, is not excessive and is in the retail customer’s best interest when taken together in light of the retail customer’s investment profile and does not place the financial or other interest of the broker-dealer or associated person ahead of the interest of the retail customer (the “quantitative component”).
FINRA notes, without providing any examples, that firms appeared to violate the customer-specific and quantitative components of the care obligation by making recommendations that were not in the best interest of a particular retail customer and recommending a series of transactions that were excessive in light of a retail customer’s investment profile. The report also observes that, with respect to private placements, some firms failed to perform reasonable diligence of offerings prior to recommending them to retail customers and failed to inquire into and analyze red flags identified during the reasonable diligence process.
Conflicts of Interest Obligation. The conflicts of interest obligation requires a broker-dealer to establish, maintain, and enforce written policies and procedures reasonably designed to:
- identify and at a minimum disclose or eliminate all conflicts of interest associated with a recommendation;
- identify and mitigate any conflicts of interest associated with a recommendation that create an incentive for an associated person to place the interest of the broker-dealer or associated person ahead of the interest of the retail customer;
- identify and disclose any material limitations placed on the securities or investment strategies involving securities that may be recommended to a retail customer and any conflicts of interest associated with such limitations; and prevent such limitations and associated conflicts of interest from causing the broker-dealer or associated person to make recommendations that place the interest of the broker-dealer or associated person ahead of the interest of the retail customer; and
- identify and eliminate any sales contests, sales quotas, bonuses, and non-cash compensation that are based on the sales of specific securities or specific types of securities within a limited period of time.
FINRA notes that some firms failed to comply with the conflicts of interest obligation. Some firms apparently did not identify conflicts. Other firms identified conflicts, but, according to FINRA, did “not adequately addressing those conflicts.” FINRA’s formulation here — not adequately addressing conflicts — appears imprecise. Reg BI requires the elimination or disclosure of firm conflicts, and requires mitigation of conflicts (in other words, that they be addressed) at the representative level.
Compliance Obligation. Under the compliance obligation, a broker-dealer is required to establish, maintain, and enforce written policies and procedures reasonably designed to achieve compliance with Reg BI.
The report notes that some firms had written supervisory procedures (WSPs) that were not reasonably designed to achieve compliance with Reg BI, including by providing insufficiently precise guidance regarding Reg BI’s obligations, failing to modify existing WSPs to reflect Reg BI’s obligations, and failing to develop or memorialize controls. FINRA also notes that some firms failed to provide adequate training on Reg BI in advance of the June 30, 2020, compliance date. For example, FINRA observed that some firms did not reasonably supervise recommendations of variable annuity exchanges, provided insufficient training on variable annuities and provided poor or insufficient data on variable annuity transactions.
Form CRS is a standardized form that a broker-dealer (and investment adviser) must provide to retail investors describing the firm’s services, fees, conflicts of interest, and disciplinary history. The instructions to Form CRS prescribe certain content and formatting requirements, including that (1) the firm must respond to each item and provide responses in the same order as the items appear in the instructions; (2) Form CRS must not exceed two pages (except that dual registrants that use a combined Form CRS must not exceed four pages); and (3) a firm must post Form CRS prominently on its public website, if it has one, in a location and format that is easily accessible to retail investors.
FINRA observed that some Form CRS filings significantly departed from the instructions and the U.S. Securities and Exchange Commission (SEC) staff’s frequently asked questions by, for example, exceeding prescribed page lengths, omitting material facts, incorrectly stating that the firm does not provide recommendations, and changing or excluding required language. FINRA also notes that firms failed to file Form CRS and post Form CRS to their websites. The SEC has charged nearly 40 firms with failing to meet their Form CRS obligations.
Delivery of Form CRS. A broker-dealer is required to deliver Form CRS to a retail investor, before or at the earliest of:
- recommending an account time, securities transaction, or investment strategy involving securities;
- placing an order for the retail investor; or
- opening a brokerage account for the retail investor.
A dual registrant is required to deliver Form CRS at the earliest of those three triggers or entering into an investment advisory contract with the retail investor.
A firm must deliver its current Form CRS to a retail investor who is an existing customer or client before or at the time the firm:
- opens a new account that is different from the retail investor’s existing accounts;
- recommends that the retail investor roll over assets from a retirement account into a new or existing account or investment; or
- recommends or provides a new brokerage or investment advisory service or investment that does not necessarily involve the opening of a new account and would not be held in an existing account, for example, the first-time purchase of a direct-sold mutual fund or insurance product that is a security through a “check and application” process, i.e., not held directly within an account.
Updating Form CRS. A firm is required to update its Form CRS and file it with the SEC within 30 days whenever any information in the Form CRS becomes materially inaccurate and communicate any changes to retail investors who are existing clients or customers within 60 days after the updates are required to be made and without charge. The firm can communicate the changes by delivering the amended Form CRS or through another disclosure that is delivered to the retail investor. An amended Form CRS that is delivered to a retail investor must highlight the most recent changes by, for example, marking the revised text or including a summary of material changes, and be attached as an exhibit to the unmarked amended Form CRS.
FINRA states that some firms failed to refile amended Form CRS in a timely manner or timely communicate those changes to existing retail investor customers.
The report addresses various items involving supervision and record keeping for digital communications. Specifically, FINRA found instances where firms were not maintaining policies and procedures to reasonably identify and respond to red flags, such as customer complaints, representatives’ email, OBA reviews or advertising reviews. FINRA also found instances where registered representatives used business-related digital communications methods not controlled by the firm, including texting, messaging, social media, collaboration apps or “electronic sales seminars” in chat rooms. FINRA recommends that firms maintain and implement procedures for supervision of digital communications channels, including monitoring new tools and features available to associated persons and customers; defining and enforcing what is permissible and prohibited; implementing supervisory review procedures tailored to each digital channel, tool and feature; developing WSPs for video content; implementing mandatory training programs; and taking appropriate disciplinary action for violations of firm policies.
Cash Management Accounts (CMA) Communications
The report also brings back certain observations made in prior reports related to firms’ communications related to their CMAs. Specifically, FINRA found instances where it considered representations made by firms in connection with their CMAs to be misleading. Namely, they contained inaccuracies or gaps in claims that state or imply (1) the broker-dealer is a bank, (2) the cash management accounts are checking and savings accounts, (3) the amount of FDIC insurance coverage provided to investor funds when they are held at a partner bank, (4) the amount of time it may take for customer funds to reach the bank accounts or be available to investors once deposited at a partner bank, and/or (5) the actual terms of the cash management accounts. FINRA also found instances where firms did not balance promotional claims with the risks of participating in such programs. FINRA suggests that firms review their capabilities for cash management accounts to ensure that their existing business processes, supervisory systems and compliance programs — especially those relating to communications — can support such programs.
The report discusses obligations and considerations, exam findings and effective practices identified by FINRA in several topics under the umbrella of market integrity, including the consolidated audit trail, best execution, disclosure of routing information, and the market access rule. The market integrity sections received more attention than in prior years, no doubt as a reaction to the market volatility experienced in 2021.
Consolidated Audit Trail (CAT)
FINRA’s observations on the implementation of CAT echo a theme from its 2021 report: Firms continue to struggle with complete and accurate reporting, timely correction of CAT errors and supervision of vendors supporting CAT reporting. The report details the three primary exam findings:
- Firms are submitting inaccurate values in core event fields, including account holder type, buy/sell side, cancel quantity, route event quantity, trading session code, new order code, department type code, handling instructions and representative indicator.
- Firms are not resolving repairable CAT errors in a timely manner, i.e., by T+3.
- Firms are not establishing and maintaining WSPs or supervisory controls regarding CAT reporting and clock synchronization that are performed by third-party vendors.
The findings are not surprising, given that the implementation of each CAT phase has been complicated by ongoing changes to the technical specifications and the parallel need to address prior reporting errors. FINRA’s finding concerning supervision will likely continue to be a focus area in the next exam cycle. It intersects with FINRA’s focus on the supervision of third-party vendors and cybersecurity risks. The report highlights that FINRA wants to know how firms are working with clearing firms and third-party vendors to maintain CAT compliance.
Moreover, after July 11, 2022, exams will likely begin to test the accurate and complete reporting of firms’ full customer and account information to the CAIS database.
FINRA notes observations on best execution compliance, calling it “one of the cornerstones of FINRA’s oversight activities,” with particular focus on wholesale market makers as well as conflicts of interest. The report states that FINRA is conducting targeted best execution reviews on wholesale market makers “concerning their relationships with broker-dealers that route orders to them as well as their own order routing practices and decisions.” The report also builds on FINRA’s interest from prior annual reports in firms’ order routing practices and decisions, zeroing in on what firms are doing to consider and address potential conflicts of interest related to order routing decisions involving both affiliated broker-dealers and affiliated alternative trading systems (ATSs). The report confirms that the findings from the 2020 targeted exam of firms moving to a zero-commission model are still forthcoming.
With respect to exam findings, FINRA first notes that firms are “[n]ot considering and addressing potential conflicts of interest relating to routing orders to affiliated brokers, affiliated ATSs, or market centers that provide routing inducements.” Further, FINRA reports that it found gaps in conducting adequate reviews on a type-of-order basis, and that firms are not “comparing the quality of the execution obtained via firms’ existing order-routing and execution arrangements against the quality of execution they could have obtained from competing markets.” And lastly, FINRA says firms are not “considering certain factors set forth in Rule 5310 when conducting a ‘regular and rigorous review,’” such as “speed of execution, price improvement and the likelihood of execution of limit orders; and using routing logic that was not necessarily based on quality of execution.”
Disclosure of Routing Information
In a new addition in 2022, the report contains a section focused on Rule 606 of Regulation NMS, which requires firms to disclose information about the handling of their customers’ orders in national market system (NMS) stocks and listed options. Rule 606 was amended in November 2018 to provide for different broker-dealer disclosure obligations depending on whether the order at issue is a held or not-held order. Although the amendments were adopted in 2018, the SEC ultimately extended their compliance date to Sept. 30, 2019.
The report outlines four findings from its examinations regarding disclosure of routing information. First, FINRA notes that firms are publishing quarterly reports with inaccurate information on order routing. Second, FINRA says firms are not adequately describing material aspects of their relationships with disclosed venues, such as “ambiguous descriptions of receipt PFOF received,” and “inadequate descriptions of specific terms of PFOF and other arrangements.” Third, FINRA observes that firms’ communications were deficient in that they failed to notify customers in writing of the availability of information specified under Rule 606(b)(1), as required by Rule 606(b)(2). And lastly, FINRA finds that broker-dealers are not establishing and maintaining adequate WSPs reasonably designed to ensure compliance with the new requirements of Rule 606.
Market Access Rule
The SEC adopted Rule 15c3-5 (the market access rule) in 2010 and it has been a perennial issue for FINRA, appearing in every FINRA regulatory and examination letter and report since 2012. The purpose of the market access rule is twofold: to prevent firms from providing customers with unfiltered access to an exchange or ATS; and to require brokers with market access — including those who sponsor customers’ access to an exchange or ATS — to implement risk controls to prevent erroneous orders, ensure compliance with regulatory requirements and enforce preset credit or capital thresholds.
FINRA’s examination findings in the report closely track those appearing in its 2021 report. First, FINRA observes that firms have insufficient controls with regard to preorder trade limits and preset capital thresholds, and duplicative and erroneous order controls for accessing ATSs. Second, FINRA says firms with market access — and those that provide it — had inadequate financial risk management controls in place, including “inappropriate capital thresholds for trading desks, aggregate daily limits, or credit limits for institutional customers and counterparties.” And third, FINRA observes that firms are relying on third-party vendors’ tools without performing adequate due diligence or understanding how the vendor-supplied controls operate, and failing to maintain direct and exclusive control over risk controls by allowing third-party vendors to unilaterally set financial thresholds for orders without the firm’s involvement. Firms can anticipate that FINRA will continue its focus on the intersection of the market access rule and third-party vendors, based on the findings of the report and Regulatory Notice 21-29 issued by FINRA in August 2021, where it reminded firms of their supervisory obligations over third-party vendors.
The report discusses obligations and considerations, exam findings and effective practices identified by FINRA that relate to financial management, including mainstays in prior reports, such as net capital, liquidity risk management, credit risk management, and segregation of assets and customer protection. In addition, FINRA added portfolio margin and intraday trading as a new topic in the report.
FINRA addresses several specific areas in connection with the net capital rule, many of which were included in prior reports. First, FINRA describes instances where firms incorrectly classified receivables, liabilities and revenues, and incorrectly classified non-allowable assets, such as large investments in CDs, because firms did not have a process to assess the net capital treatment of CDs pursuant to Rule 15c3-1(c)(2)(vi)(E). Specifically, FINRA found instances of the following:
- Not reviewing the agreements for CDs to determine whether they contained withdrawal restrictions prior to maturity.
- Not having a process to identify, track and age intramonth fails for Rule 15a-6 chaperoning arrangements.
- Not maintaining adequate processes to assess moment-to-moment and open contractual commitment capital charges on underwriting commitments.
- Using cash accounting instead of accrual accounting for recording revenues and expenses and making ledger entries on only a monthly basis, which led to difficulties in determining proper accrual-based transaction dates.
- Having insufficient documentation regarding expense sharing agreements, including not delineating a method of allocation (or substantiating it) for payment and not properly allocating expenses proportionally to the broker-dealer.
With respect to introducing firms, FINRA suggests that such firms should collaborate with their clearing firms to receive records of fails periodically. Further, FINRA suggests that introducing firms should confirm they were interpreting such reports correctly.
Liquidity Risk Management
The report brings back a perennial favorite, providing several observations with respect to liquidity risk management practices. FINRA also suggests certain effective practices that largely track prior guidance, including Regulatory Notices 15-46 and 21-12. FINRA’s focus here is no surprise, in light of the regulatory attention responding to the market volatility throughout 2021 and specifically to such volatility in the early part of 2021. To that end, FINRA highlights several observations:
- Failing to incorporate stress test results into firm business models.
- Establishing clearing deposit requirements that do not reflect current business operations, including suggesting that firms should use intramonth spikes in deposit requirements instead of amounts listed on a firm’s FOCUS reports.
- Failing to develop contingency plans for operating in a stressed environment.
Credit Risk Management
The report addresses how firms manage credit risk with respect to clearing, prime brokerage, “give up” and sponsored access arrangements. While not providing specific examples, FINRA notes instances where firms failed to (1) conduct credit risk management reviews, (2) maintain approval and documentation processes for reviews, and (3) monitor exposure to affiliated counterparties. FINRA also highlights that control weaknesses in this respect could result in books and records issues, by pointing to firms’ obligations under Exchange Act Rule 17a-3(a)(23), which requires firms that meet specified thresholds to make and keep current records documenting their credit, market and liquidity risk management controls.
Segregation of Assets and Customer Protection
The report briefly covers exam observations similar to prior reports with respect to Rule 15c3-3 compliance obligations. This section was largely a cut and paste from the 2021 report. Specifically, FINRA notes instances where firms had inconsistent processes for check forwarding within the applicable exemption from the rule, including inaccurate or omitted blotter information to demonstrate prompt forwarding and status of checks. FINRA also describes instances of incorrect reserve formula calculations due to coding errors. In this respect, FINRA attributes the problem to limited training and staff turnover, as well as issues with spreadsheet controls, limited interdepartment coordination and gaps in reconciliation calculations.
Interestingly, in the last two reports FINRA included as additional resources the SEC’s release discussing custody of digital asset securities — see Custody of Digital Assets Securities by Special Purpose Broker-Dealers, Exchange Act Release No. 90,788 (Dec. 23, 2020) — and an SEC no-action letter regarding an ATS role in settlement of digital asset security trades without any specific mention of digital assets in this section of either report — see SEC No-Action Letter to FINRA re: ATS Role in the Settlement of Digital Asset Security Trades (Sept. 25, 2020).
Portfolio Margining and Intraday Trading
A new entrant in the report is portfolio margining and intraday trading. FINRA Rule 4210 permits firms to apply portfolio margin requirements, based on the composite risk of a portfolio’s holdings held by certain investors, as an alternative to strategy-based margin requirements. FINRA highlights whether a firm’s policies and procedures or monitoring risk comply with Rule 4210(g)(1), which requires maintaining a “comprehensive” written risk methodology for assessing potential risk to members’ capital during specified ranges of market movements in subject positions; monitoring credit risk both intraday and end of day; and maintaining a “robust” internal control framework reasonably designed “to capture, measure, aggregate, manage, supervise and report credit risk exposure to portfolio margin accounts.”
FINRA notes instances of inadequate monitoring systems due to a lack of defined intraday risk parameters to produce notifications and exception reports without manual intervention or end-of-day parameters to monitor transactions executed away from the firm. FINRA also describes instances of inadequate escalation of incidents of elevated exposure and insufficient WSPs.
Lastly, FINRA identifies a list of effective practices: (1) developing and maintaining a “robust” internal risk framework to address risk exposure within individual portfolio margin accounts and across all portfolio margin accounts, (2) maintaining and following reasonably designed processes and “robust” controls to monitor credit exposure resulting from concentrated positions, and (3) clearly and proactively communicating with clients with large or significantly increasing exposures in accordance with firms’ WSPs and requesting that clients provide their profit and loss position each month.