In a January 5, 2016 letter, the Financial Industry Regulatory Authority (FINRA) announced its 2016 Regulatory and Examination Priorities, highlighting three broad issues it will focus on during 2016: culture, conflicts of interest and ethics; supervision, risk management and controls; and liquidity.

Culture, Conflicts of Interest & Ethics

For the purposes of the letter, FINRA defines “firm culture” as “the set of explicit and implicit norms, practices, and expected behaviors that influence how firm executives, supervisors and employees make and implement decisions in the course of conducting a firm’s business.” FINRA emphasizes in the letter that its review of firm culture in 2016 is a continuation of its focus on conflicts of interest and ethics, as firm culture has a tremendous influence in these areas.

The letter notes that FINRA expects firms to take “visible actions” to mitigate conflicts of interest and “promote fair and ethical treatment of customers.” In an attempt to understand firm culture and how it impacts compliance and risk management, FINRA will assess five indicators of firm culture during its exams:

  • Whether control functions are valued within the organization.
  • Whether policy or control breaches are tolerated.
  • Whether the organization proactively seeks to identify risk and compliance events.
  • Whether supervisors are effective role models of firm culture.
  • Whether sub-cultures (e.g., a trading desk) that may not conform to overall corporate culture are identified and addressed.

Supervision, Risk Management & Controls

Closely related to FINRA’s concerns regarding firm culture is firms’ pre-existing obligation under FINRA rules to supervise their associates’ activities in a manner designed to achieve compliance with securities laws and regulations and FINRA rules. Prior FINRA exams have revealed concerns related to management of conflicts of interest, technology, outsourcing and anti-money laundering (AML).

Management of Conflicts of Interest

In 2015 FINRA initiated a targeted exam of incentive structures and conflicts of interest in connection with retail brokerage business. It expects to complete this exam in 2016, focusing on firms’ approaches to mitigating conflicts of interest that arise through the sale of proprietary or affiliated products, as well as products for which a firm receives third-party payments (e.g., revenue sharing). FINRA will also assess whether firms’ research analysts are inappropriately involved in investment banking activities and whether investment banking personnel exercise undue influence on analysts. Attention will also be given to firms’ pricing of Level 3 securities to ensure fair valuation and determine whether “non-bona fide” valuations were made in exchange for some additional benefit, such as enhanced compensation. Finally, FINRA will continue to review firm controls intended to “identify, minimize and mitigate” internal and external information leaks that raise conflicts of interest concerns.

Technology

FINRA will focus on firms’ supervision and risk management activities related to cybersecurity, technology management, and data quality and governance. In light of the rapidly changing technology environment, FINRA points out that firms need to give ongoing attention to improving their cybersecurity defenses. It will review firms’ cybersecurity risk management programs and may also examine their governance, risk assessment, technical controls, incident response, vendor management, data loss prevention and staff training. FINRA will also consider assessing other areas of firms’ cybersecurity and technology programs, including their ability to protect confidential consumer data and internal systems from unauthorized access (e.g., by a trader) in a manner that may affect the market. It will also examine firms’ technology governance and change management practices (including review of firms’ supervision of back office and vendor system changes, development and deployment of technology changes, and quality assurance), as well as firms’ data governance, quality controls and reporting practices (to ensure accuracy, completeness, consistency and timeliness of data reporting).

Outsourcing

FINRA will review firms’ due diligence and risk assessment of providers of outsourced services and their supervision of those services. The letter states that it is “essential that broker-dealers appropriately supervise outsourced activities and … conduct adequate ongoing due diligence of outsourced providers.”

AML Controls

FINRA will continue to look at firms’ AML controls, namely, monitoring for suspicious activity. The 2016 Examination Priorities letter emphasizes FINRA’s attention to money movements and trading activities, and its oversight of higher-risk accounts such as those involving microcap securities.

Liquidity

FINRA will continue to review firms’ practices related to the management of funding and liquidity risk. Firms are required to evaluate their liquidity needs, develop contingency plans to ensure sufficient liquidity in the face of market and idiosyncratic stresses, and regularly conduct stress tests to confirm the effectiveness of these plans. FINRA will review these practices, with particular focus on the adequacy of high-frequency trading firms’ planning and controls.

Other Areas of Focus in 2016

In addition to the three primary areas of focus, FINRA will address:

  • Suitability and concentration in firms’ investment sales.
  • Oversight of sales practices and distribution to seniors.
  • Controls related to sales charges and discounts.
  • 529 Plan expense structures.
  • Suitability, disclosure and issuer diligence related to private and public offerings.
  • Firms’ assessment and evaluation of conflicts of interest related to outside business activities.
  • Financial and operational controls.
  • Market integrity in a number of areas including compliance with Regulations NMS and SHO, fixed income order handling, and audit trail integrity. Additionally, FINRA announced it would issue “compliance report cards” to firms focused on layering and spoofing, with the intent of providing information to be used to identify and address potential misconduct.