In December 2017, The Financial Industry Regulatory Authority (“FINRA”) released its first Report on Examination Findings (the “Report”), which focused on selected observations from recent exams that FINRA considered illuminating. The Report is not a representation of all the observations about the industry, and broker-dealers (“firms”) should not view the Report findings as creating new legal or regulatory requirements or new interpretations of the existing requirements. FINRA also noted that an individual firm may not have any deficiencies in the risk areas identified in the Report.
The Report describes certain practices that FINRA has observed to be effective in appropriate circumstances. Firms may be able to use the Report as a resource in customizing their compliance and supervisory programs. FINRA intends to issue the Report annually.
FINRA notes that each firm is examined at least once every four years, and many are examined even more frequently. In connection with each of these examinations, the authority prepares a report which is available only to the relevant firm, addressing that firm’s compliance with securities rules and regulations. Firms are required to address issues identified by FINRA, with remediation usually strengthening a firm’s compliance and supervisory programs, ultimately helping to better protect investors and the integrity of the markets. FINRA CEO Robert Cook said in a webcast that FINRA plans to revamp its exam program this year. We will wait and see which changes are made and how firms react.
Findings From the Report
Cybersecurity – FINRA has seen a significant increase in firms’ attention to cybersecurity over the past several years. Firms are required to have a cybersecurity program with written policies and procedures addressing the safeguarding of customer information and records. The Report states that cybersecurity threats continue to evolve, so that even robust and advanced cybersecurity programs can be compromised when, for example, an employee opens an email attachment that contains malware.
Common threats FINRA observed include phishing and spear-phishing attacks, ransomware, and fraudulent third-party wire requests, which are frequently initiated by email or by using stolen customer or financial advisor credentials. FINRA observed a variety of areas in which some firms could improve their cybersecurity programs against these and other threats, including access management, risk assessment, vendor management and data loss prevention tools.
Anti-Money Laundering (“AML”) Compliance – Firms are required to develop and implement a written AML program designed to comply with the requirements of the Bank Secrecy Act (BSA). FINRA observed that firms with effective AML programs actively tailor them to the firm’s business model and AML risks, as opposed to implementing a generic program.
These firms also conducted independent testing that included sampling customer accounts to test whether the firm was collecting and verifying customer identification information for all individuals and entities as required under the BSA, as well as sampling trading and money movement activity to test whether the firm was adequately monitoring for, and investigating, potentially suspicious activity.
Those with effective AML programs also had training programs that were specific to the roles and responsibilities of the participating employees and that captured current and evolving aspects of the AML landscape.
FINRA has also previously found firms that failed to establish and implement an AML program reasonably designed to detect, and cause the reporting of, suspicious activity.
Net Capital and Credit Risk Assessments – FINRA observed issues principally around the challenges of assessing the creditworthiness of non-convertible debt and money market instruments held by firms, an assessment that drives the haircut percentage charged on those securities in the firm’s net capital computation. The risk is that a firm applies a lower haircut than the instrument warrants and thereby overstates its net capital.
Product Suitability – A firm must have a reasonable basis to believe that a recommended transaction or investment strategy involving a security or securities is suitable for the customer, based on the information about the customer’s investment profile obtained through the firm’s reasonable diligence. A firm is also obligated to establish and maintain a system to supervise its activities that is reasonably designed to achieve compliance with applicable securities laws and regulations. As stated in the Report, FINRA found that suitability deficiencies, and the related supervisory deficiencies, did not vary materially by firm size, but did occur more frequently in connection with certain product classes, specifically unit investment trusts and certain multi-share class and complex products such as leveraged and inverse exchange-traded funds. Some firms failed to provide adequate training for registered representatives with respect to these products.
FINRA expects the Report to be helpful in supporting firms’ compliance and supervisory efforts, and welcomes feedback on how future Reports can be made more helpful. Please see the full Report on FINRA’s website.