As the football season was winding down, on January 4, 2017, the Financial Industry Regulatory Authority (FINRA) published its 2017 Annual Regulatory and Examination Priorities Letter.1 According to FINRA President and CEO, Robert Cook, this year’s 11-page letter focuses on “core ‘blocking and tackling’ issues of compliance, supervision and risk management.”2 In contrast, last year’s letter “address[ed] three broad issues—culture, conflicts of interest and ethics; supervision, risk management and controls; and liquidity,” in addition to “more narrowly focused topics.”3 The focus (and brevity) of FINRA’s priorities letters continues to improve—11 pages this year, 13 pages last year and 17 pages in 2015 (with 19 footnotes, covering at least 35 issues). It appears that FINRA has heeded the industry’s request to make its annual priorities letter more focused to give firms the opportunity to “evaluat[e] their business” and “to help identify applicable priorities.”4 Perhaps FINRA is taking to heart the precepts of George Allen (former head coach of the old Los Angeles Rams and the Washington football team) who once said, “Try not to do too many things at once.”5
Unlike many other summaries of FINRA’s priorities, this analysis focuses on some of FINRA’s 2017 priorities, as well as priorities from previous years, while also examining real-world implications arising from these priorities based on relevant disciplinary actions from 2016.6
The Starting Lineup
- The Old Pros (Senior Investors)
The 2017 Priorities Letter confirms FINRA’s increasing scrutiny on firms’ treatment of senior investors.7 Interestingly, the Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE), in its recently released 2017 examination priorities letter, also focused on senior investors and retirement investments.8 While FINRA discussed senior investors in the 2015 and 2016 priorities letters,9 they were not featured in previous years as prominently as this year. For example, in 2016, FINRA “urged” firms to proactively monitor for “red flags of possible abuse” related to senior investor accounts.10 This year, in contrast, FINRA sternly warned firms that FINRA examiners will actively “assess firms’ controls to protect senior investors.”11 This increased scrutiny revolves around three main areas:
- Supervisory controls: FINRA will be examining firms to see if they have supervisory controls in place to “protect senior investors from fraud, abuse, and improper advice.”12
- Suitability: FINRA will be reviewing firms’ policies and procedures addressing product suitability and (over)concentration in particular products, including “examining firms’ product vetting processes, supervisory systems and controls to review recommendations.”13
- Complex products: FINRA will be particularly focused on firms’ sales of complex, novel, illiquid and highly speculative products to seniors.14
During 2016, FINRA brought 19 cases involving senior-related matters, assessed fines of approximately $1.5 million, and ordered disgorgement or restitution of approximately $700,000. Based on the 2017 Priorities Letter, these numbers will likely increase during 2017 and beyond.
- Calling the Plays (Product Suitability and Concentration)
The 2017 Priorities Letter emphasized fundamental suitability issues, addressing:
- Whether customers and registered representatives understand product features;
- How firms conduct reasonable-basis and customer-specific suitability reviews; and
- How firms vet products and supervise recommendations, including focusing on excessive concentration in customers’ accounts.
In addition, the 2017 Priorities Letter focused on the market’s impact on particular financial products, noting that firms “should be attentive to shifts in the interest rate environment and should be prepared to assess and discuss the possible impact of these changes on recommendations to clients.”15 The 2017 Priorities Letter also highlighted certain products, only some of which were similarly featured in 2016, as set forth below:
Please click here to view table.
FINRA did not explain why the mix of products changed substantially from 2016 to 2017.
In 2016, FINRA brought 53 cases involving suitability, assessed fines of approximately $7.4 million, and ordered disgorgement or restitution of almost $14 million. In addition to those cases, FINRA brought 11 cases involving churning and excessive trading, assessed fines of approximately $1.3 million, and ordered disgorgement or restitution of approximately $2.8 million. Given the mix of new highlighted products, it is difficult to predict whether enforcement actions will increase in 2017.
- Not Quite “Spygate”17 (Cybersecurity)
In both the 2016 and the 2017 Priorities Letters, FINRA emphasized that cybersecurity was a top priority.18 While FINRA recognized that “there is no one-size-fits-all approach to cybersecurity,” the 2017 Priorities Letter highlighted the following areas of concern:
- “[M]ethods for preventing data loss”;
- Understanding data and how it flows through the firm and possibly to vendors;
- Controls used to “monitor and protect” data;
- Management of vendor relationships, “including the controls to manage those relationships”;
- “[C]ontrols to protect sensitive information from insider threats”;
- Controls at branch offices, “particularly [at] independent contractor branch offices,” which “tend to be weaker than those at firms’ home offices.”19 FINRA noted that it observed “poor controls related to the use of passwords, encryption of data, use of portable storage devices, implementation of patches and virus protection, and the physical security of assets and data.”20
In addition, like last year, in 2017 FINRA connected cybersecurity to books and records requirements. Under Securities Exchange Act Rule 17a-4(f), certain records are to be preserved in a non-rewriteable, non-erasable format, commonly referred to as a “write once, read many” (WORM) format. In the 2016 Priorities Letter, FINRA stated that it would “consider examining firms’ abilities to protect the confidentiality, integrity and availability of sensitive customer and other information, including compliance with SEC Regulation S-P” and Rule 17a-4(f).21 FINRA did, in fact, conduct such examinations, and it brought enforcement actions against 12 firms for, among other things, failing to preserve records in WORM format. FINRA fined these firms a total of $14.4 million.22
While these settlements contained no allegations of cybersecurity breaches or hacking, FINRA attempted to connect this basic books and records issue to cybersecurity by making the following statement in its press release: “Over the past decade, the volume of sensitive financial data stored electronically has risen exponentially and there have been increasingly aggressive attempts to hack into electronic data repositories, posing a threat to inadequately protected records, further emphasizing the need to maintain records in WORM format.”23
Other than those so-called cybersecurity cases, FINRA brought one case involving an actual instance of hacking.24 In that case, FINRA fined the firm $650,000 for failing to establish, maintain and enforce a supervisory system reasonably designed to ensure the security of confidential customer information stored on electronic systems at the firm’s branch offices. The firm’s alleged failure allowed hackers with foreign Internet Protocol addresses to access the firm’s server, exposing the confidential records and information of approximately 5,400 of the firm’s customers. Given the priority of cybersecurity cases and the almost-daily breaches reported in the media, these cases are likely going to increase in 2017 and beyond.
- Show me the anti-money laundering25
Anti-money laundering (AML) has long been a priority of FINRA and the SEC,26 and that theme continued in the 2017 Priorities Letter. Among the issues highlighted by FINRA were the following:
- “[G]aps in firms’ automated trading and money movement surveillance systems caused by data integrity problems, poorly set parameters or surveillance patterns that do not capture problematic behavior such as suspicious microcap activity”;
- “[W]eaknesses in systems monitoring foreign currency transactions and transactions that flow through suspense accounts”;
- Using the same trading surveillance for other supervisory purposes, but not including “alerts tailored to the firm’s anti-money laundering red flags”; and
- Controls around accounts held by nominee companies.27
Notably, the following areas were excluded from the 2017 Priorities Letter but highlighted in the 2016 Priorities Letter:
- Acknowledging risk-based approaches to “exclude certain customer transactions from one or more aspects of AML surveillance”; and
- Delegating “monitoring of suspicious trading activity to personnel outside of the AML function,” and “ensuring an open line of communication with the personnel conducting reviews of trading activity.”28
During 2016, FINRA brought 29 AML cases and assessed fines of more than $43 million. Given the continued high priority of this issue, the number of cases will probably increase in the future.
- Comeback Players (High-Risk and Recidivist Brokers)
The 2017 Priorities Letter focused on firms’ hiring and supervising “high-risk and recidivist brokers.”29 These individuals are of particular interest to FINRA because they may “pose a high risk to investors.”30 Interestingly, the 2016 Priorities Letter did not focus on this issue but FINRA’s 2015 examination priorities letter did. Specifically, the 2015 Priorities Letter noted that “[t]he activities of certain high-risk brokers cause outsized risk to investors, including the heightened potential to become a fraud victim.”31
The 2017 Priorities Letter outlined FINRA’s prescriptive, three-step approach for deterring and detecting such representatives:
- FINRA has established a dedicated examination unit to “identify and examine brokers who may pose a high risk to investors.”32
- FINRA will “review firms’ supervisory procedures for hiring or retaining statutorily disqualified and recidivist brokers.”33
- FINRA will “evaluate firms’ branch office inspection programs as well as their supervisory systems for branch and non-branch office locations, including, but not limited to, independent contractor branches.”34
FINRA’s focus on these “problem” brokers extends not just to the regular examination cycle, but also to FINRA’s examination of firms’ applications to associate with statutorily disqualified individuals, as well as new and continuing membership applications where members “employ or seek to employ registered representatives with problematic regulatory histories.”35 FINRA has not yet focused on this issue in the context of an enforcement action.
Riding the Bench
- “Clear eyes, full hearts, can’t lose”36 (Culture, Conflicts and Ethics)
In both the 2015 and the 2016 Priorities Letters, FINRA spent considerable time discussing culture, conflicts and ethics. This year’s letter did not mention culture or ethics even once. While it did use the word “conflicts” once, the context involves “trading examination priorities” where FINRA is going to examine the “adequacy of alternative trading systems’ disclosures to customers about how they operate, [while] reviewing for potential conflicts of interest.”37 It is possible that FINRA realizes that all firms believe their culture is admirable and ethical, and there may not be value in focusing on it as a concept. It appears that FINRA may believe that if firms concentrate on the fundamentals like “blocking and tackling,” then the culture will follow or that ethical firms with good culture do, in fact, focus on core issues. While these may appear to be metaphysical issues, it is safe to say that, for now, firms would do well to focus on the substantive issues contained in the 2017 Priorities Letter.
Variable annuities were hardly addressed this year, despite playing a significant role in FINRA’s enforcement programs during 2016. The one mention concerns representatives recommending that clients trade long-term products, including variable annuities and other products, on a short-term basis.38 This omission is curious because FINRA brought numerous variable annuity cases, including eight involving L-share variable annuities, fined the firms a total of $6.2 million, and ordered five of the firms to pay more than $6 million to customers.39
- Scouting Reports (Due Diligence)
Despite the fact that due diligence cases were “yuuuge” in 2016 (to quote the former owner of the New Jersey Generals, a franchise of the United States Football League)40 (23 cases, with fines of more than $3.3 million and restitution or disgorgement of approximately $1.1 million), there is not one reference to product due diligence in the 2017 Priorities Letter. Although as discussed above, FINRA does refer to “reasonable-basis” suitability and firms’ product vetting practices under “Product Suitability and Concentration.”
The Final Score
Although FINRA may have a new head coach with a new playbook, its ultimate goals in 2017 remain the same—protect investors and preserve market integrity. The 2017 Priorities Letter outlines how FINRA intends to achieve those goals. Now it is time for firms to follow suit— lace-up and prepare for 2017 examinations, or risk being “blindsided” by disciplinary actions. Indeed, the preliminary data for 2016 indicates that last year was a record-setting year for FINRA’s fines. To try to prevent 2017 from setting similar records, firms may want to adjust their defensive line (along with their disclosures and policies and procedures). As former Dallas Cowboys Head Coach Tom Landry said: “Setting a goal is not the main thing. It is deciding how you will go about achieving it and staying with that plan.”41