On Dec. 6, the Financial Industry Regulatory Authority (FINRA) published its “Report on FINRA Examination Findings” (Report). The Report highlights recent examination findings that FINRA deems to be particularly important due to market impact or frequency of occurrence. The Report describes particular compliance challenges and best practices to deal with these issues.
The determination to provide this type of feedback to firms en masse was prompted by the FINRA360 initiative of CEO Robert Cook. In today’s regulatory environment, it is rare for examiners to share best practices, provide guidance or assist member firms in complying with FINRA rules and federal and state securities laws — over time, the examination process has become an enforcement-focused enterprise. FINRA should be commended for making the effort to provide guidance outside of the enforcement context, and we hope to see more of it.
Firms should consider this guidance seriously. A firm not adopting this guidance should ensure that it is able to demonstrate that its procedures are equally effective.
The following summarizes the topics outlined in the Report and focuses on FINRA’s remarks regarding best practices.
FINRA characterizes cybersecurity as one of the principal operational risks facing broker-dealers.1 In its Report, FINRA lists areas of general cybersecurity weakness, including controls related to accessing firm systems and management of vendors who handle firms’ sensitive information. FINRA notes that small- and medium-size firms have not begun to utilize robust data-loss prevention tools and have not consistently segregated responsibilities for requesting and approving cybersecurity changes. FINRA also notes that branch offices have faced greater challenges in managing cybersecurity risks, such as ensuring password security and updating antivirus software.
Firms with the most effective cybersecurity policies generally feature strong governance structures that facilitate escalation of issues to the appropriate levels for resolution. As examples of best practices, FINRA specifically highlights cybersecurity-related procedures that require regular risk assessments and detailed testing to resolve high-risk concerns. FINRA also states that the best cybersecurity programs require employees to participate in regular cybersecurity training and testing.
Outside Business Activities and Private Securities Transactions
FINRA rules require registered representatives to notify their firms of proposed outside business activities (OBAs) and all associated persons to notify their firms of proposed private securities transactions (PSTs). In its Report, FINRA notes that individuals often failed to notify their firms of OBAs and PSTs and that certain firms did not have adequate written procedures for reviewing OBAs and PSTs.
Best practices regarding OBAs and PSTs typically involve firms establishing proactive compliance efforts. According to FINRA, part of this proactive approach often includes frequent training of registered representatives and associated persons to keep them aware of their OBA and PST reporting obligations. Some firms periodically required these individuals to complete open-ended questionnaires and attestations while implementing tools to identify and monitor individuals involved in undeclared OBAs and PSTs.
Anti-Money-Laundering (AML) Compliance Program
FINRA requires members to develop and implement a written AML program reasonably designed to comply with the applicable laws and regulations. Some firms failed to establish and implement risk-based policies to handle suspicious transactions or improperly delegated monitoring responsibilities to employees within the firm.
While many firms experienced difficulty in adjusting their AML programs to match their business growth, FINRA states that the best AML programs are appropriately tailored to their firms’ size and business model. FINRA observes that firms with the most effective AML programs regularly tested customer accounts to help ensure that the firms collected and verified information related to applicable laws and regulations, as well as to ensure the adequacy of suspicious activity monitoring. In many cases, these firms designed role-specific training programs for all employees participating in their AML programs.
FINRA rules place obligations on members and associated persons to ensure that investment recommendations are appropriate given a particular individual’s investment profile. In its Report, FINRA expresses concern in connection with firms’ practices related to unit investment trusts (UITs) and exchange-traded funds (ETFs). FINRA observes that in many instances, firms advised customers to roll over their UITs early without reviewing for suitability. Short-term UIT trading causes investors to incur additional sales charges, and some firms failed to implement adequate internal controls to identify potential sales practice abuse by registered representatives. Similarly, many firms failed to adequately supervise and review recommendations to purchase complex products like leveraged or inverse ETFs.
The most effective product suitability programs included thorough training on the performance and risks of UITs and ETFs. Training typically emphasized the communication of product risks to customers and outlined criteria to consider in determining whether a product was suitable for a specific customer.
According to its Report, FINRA observed best execution deficiencies at firms of all sizes in nearly all classes of securities. These deficiencies included failure to compare execution quality of routed orders against potential executions at competing markets, failure to conduct review of certain order types and failure to perform execution quality reviews in a manner consistent with FINRA rules and available guidance. Regarding effective best execution procedures, FINRA emphasizes in its Report the importance of regular and rigorous reviews for execution quality. FINRA states that firms should establish procedures describing the reviews that must be performed and documentation standards. FINRA states that to assist a regulator in understanding how firms make routing decisions, firms should thoroughly document their rationale and the data or other information that the firm considers in its routing strategies.2
Market Access Controls
FINRA observed many types of deficiencies in firms’ market access controls. Among these were instances in which firms failed to establish reasonable pre-trade capital and credit thresholds for their market access programs. In addition, FINRA observed numerous instances where firms did not appropriately tailor erroneous order controls to particular products, situations or order types. Occasionally, FINRA also found that instead of establishing their own thresholds, firms allowed outside vendors to set capital thresholds.
Examples of best practices for market access programs from the FINRA Report include maintenance of reasonable documentation to support thresholds, conducting periodic reviews of thresholds and establishing procedures that describe the process to adjust a threshold on an intraday and permanent basis. FINRA also highlights the appropriate use of “hard” blocks to prevent entry of certain orders as opposed to “soft” blocks that merely provide warnings to users with market access.
FINRA concludes its Report by mentioning additional areas where some firms faced challenges in meeting their compliance obligations. The final section discusses alternative investments held in individual retirement accounts (IRAs), net capital and credit risk investments, order capacity, Regulation SHO, and Trade Reporting and Compliance Engine (TRACE) reporting. Regarding alternative investments held in IRAs, FINRA observed many instances of firms failing to maintain custody of investment assets or keeping incorrect records of customer positions. In seeking to comply with the Securities and Exchange Commission’s net capital rule, some firms faced difficulty in assessing creditworthiness of nonconvertible debt or money market instruments held in inventory. Further, firms had trouble entering correct capacity codes (e.g., agency, principal, riskless principal) when reporting off-exchange trades. FINRA also observed weaknesses in firms’ compliance with Regulation SHO, notably with respect to firms’ locate practices. Finally, firms faced many challenges in reporting sales of fixed-income securities in accordance with TRACE rules — in some cases, firms did not have systems or processes to determine whether a particular security was TRACE-eligible.