On February 9, 2022, the Financial Industry Regulatory Authority, Inc. ("FINRA") published its 2022 Report on FINRA's Examination and Risk Monitoring Program (the "Report"). FINRA intends for the Report to be an up-to-date, evolving resource for firms that may help inform their compliance programs. In this regard, the Report builds on the structure and content of last year's report and adds new topics for 2022, including funding portals and crowdfunding offerings, trusted contact persons, disclosure of routing information, portfolio margin and intraday trading, and firm short positions and fails-to-receive in municipal securities, as well as new material, such as new exam findings and effective practices, to topics that FINRA covered in 2021. Further, for each topical area covered in the Report, FINRA provides the relevant rule(s), key considerations for member firms' compliance programs, noteworthy findings from recent examinations, including findings that are particularly relevant for new member firms in their first year of operation, effective practices that FINRA observed during its oversight, and additional resources that may be helpful to member firms in reviewing their supervisory procedures and controls and fulfilling their compliance obligations. Firms should carefully review the Report as applicable to their business operations with a view to identifying potential gaps and/or areas for enhancement in their compliance programs and supervisory controls. In addition to the new topics for 2022, firms should pay attention to the new material that FINRA added to previously covered topics, in particular new exam findings and effective practices. When preparing for upcoming exams, firms should ensure that they can explain their current practices and that their current practices are appropriately documented, including relevant supervisory reviews, compliance reports and testing of supervisory systems.
The Report highlights certain areas that received considerable attention within the industry and beyond in 2021.
Regulation Best Interest ("Reg BI") and Form CRS. Firms should continue to expect FINRA to undertake a comprehensive review of firms' processes, practices and conduct in relation to requirements under Reg BI and Form CRS, including whether firms have established and enforce adequate written supervisory procedures ("WSPs"), file, deliver and track accurate Forms CRS, make recommendations that adhere to Reg BI's Care Obligation, identify and mitigate conflicts of interest and provide effective staff training.
Consolidated Audit Trail ("CAT"). FINRA continues to evaluate member firms for compliance with obligations under Rule 613 under the Securities Exchange Act of 1934 (the "Exchange Act") and the CAT NMS Plan FINRA Rule 6800 Series (collectively, the "CAT Rules"). FINRA emphasizes several aspects of the CAT Rules, including reporting required information to the Central Repository and maintaining effective supervision processes.
Order Handling, Best Execution and Conflicts of Interest. FINRA emphasizes that assessing firms' compliance with their best execution obligations under FINRA Rule 5310 (Best Execution and Interpositioning) is one of the cornerstones of FINRA's oversight activities and that it has evolved its oversight program to address changes in firms' business models, such as the advent of the "zero commission" model. FINRA launched a targeted exam initiative to evaluate the impact of the zero commission model on firms' order-routing and other business practices.[1] FINRA also is reviewing firms' order handling disclosures for compliance with the requirements of SEC Rule 606 of Regulation NMS.
Mobile Apps. FINRA points out that the use of mobile applications ("apps") and related technologies to attract and interact with customers raises novel questions and potential concerns, including whether they encourage retail investors to engage in trading activities and strategies that may not be consistent with their investment goals or risk tolerance and how the apps' interface designs could influence investor behavior. FINRA notes that it has identified significant problems with some mobile apps' communications with customers and firms' supervision of activity on those apps, particularly controls around account openings. FINRA also launched a targeted exam initiative to assess firms' use of social media to acquire customers and compliance with obligations relating to the collection of information from those customers and other individuals who may provide data to firms.[2]
Special Purpose Acquisition Companies ("SPACs"). FINRA has increased its focus on firms' compliance with regulatory obligations in executing SPAC transactions. FINRA identifies several focus areas in its review of firms participating in SPAC offerings, including: due diligence conducted at the IPO and business combination stages, including as to the relevant officers, directors and control persons of the SPAC and SPAC-sponsor(s) and pre-identified acquisition targets; compliance with FINRA rules governing outside business activities ("OBAs"), private securities transactions ("PSTs") and Form U-4 amendments for associated persons who hold positions with, advise or personally invest in, SPACs or SPAC sponsors; whether firms are correctly taking net capital charges relative to the size of their commitment or using a written agreement with another syndicate member (i.e., "backstop provider"); and whether firms are maintaining and regularly updating their WSPs and supervisory controls to address risks related to SPACs (e.g., Reg BI, due diligence, information barrier policies, conflicts of interest). FINRA launched a targeted exam to explore issues relating to firms' SPAC
2 Mayer Brown | FINRA Publishes 2022 Report on Its Examination and Risk Monitoring Program
activities, including how firms manage potential conflicts of interest in SPACs, whether firms are performing adequate due diligence on business combination targets and if firms are providing adequate disclosures to customers.[3]
On a separate note, FINRA advises firms that underwrite IPOs of issuers based in the People's Republic of China ("China-based issuers") to evaluate carefully whether the firms' controls are able to identify and report market manipulation, other abusive trading practices and potential anti-money laundering ("AML") concerns, which may result from the involvement of nominees for an undisclosed control person. In this respect, FINRA describes numerous red flags of potentially manipulative trading associated with how these investors open new accounts and trade these securities after completion of the IPO. FINRA also provides a list of resources regarding the risks associated with China-based issuers in recent statements from the U.S. Securities and Exchange Commission ("SEC"). For additional information regarding the risks associated with China-based issuers, see our previous article here.
Cybersecurity. FINRA describes cybersecurity threats as "one of the primary risks firms and their customers face." In 2021, FINRA observed a continued increase in the number and sophistication of these threats and has issued alerts about phishing campaigns involving fraudulent emails purporting to be from FINRA, new customers opening online brokerage accounts to engage in Automated Clearing House ("ACH") "instant funds" abuse, the increase in bad actors using compromised registered representative or employee email accounts to execute transactions or move money, the use of customer information to gain unauthorized entry to customers' email accounts, online brokerage accounts or both (i.e., customer account takeover incidents), and using synthetic identities to fraudulently open new accounts.[4] FINRA will continue to assess firms' information security programs and share information about cybersecurity threats and effective practices.
Complex Products. FINRA will continue to review firms' communications and disclosures made to customers in relation to complex products. FINRA will review customer account activity to assess whether firms' recommendations regarding these products are in the best interest of retail customers given their investment profile and the potential risks, rewards and costs associated with the recommendation. FINRA launched a targeted exam initiative in August 2021 to review firms' practices and controls relating to the opening of options accounts, which in some cases may be used to engage in complex investment strategies.[5] With respect to mitigating the risk that recommendations of high-risk or complex investments might not be in a retail customer's best interest, FINRA notes as an effective practice establishing product review processes to identify and categorize risk and complexity levels for existing and new products, limiting high-risk or complex product, transaction or strategy recommendations to specific customer types, and applying heightened supervision to recommendations of high-risk or complex products.
The Report addresses 21 regulatory areas organized into four categories: Firm Operations; Communications and Sales; Market Integrity; and Financial Management. We highlight below the new topics for 2022 and the new material that FINRA added to previously covered topics.
The Firm Operations section of the Report discusses AML obligations, cybersecurity and technology governance, OBAs and PSTs, books and records, regulatory events reporting under FINRA Rule 4530, firm short positions and fails-to-receive in municipal securities, trusted contact persons and funding portals and crowdfunding offerings.
FINRA highlights several considerations relating to both AML and cybersecurity and technology governance. FINRA notes that firms experiencing substantial growth or changes to their business should provide for reasonable growth and evolution in their AML programs alongside the business. In our experience, FINRA takes a similar view with respect to firms' cybersecurity and technology governance programs. FINRA also indicates that firms should consider whether they have appropriate procedures to communicate cyber events to their AML department, Compliance department or both, to fulfill regulatory obligations such as the filing of suspicious activity reports ("SARs"). In this regard, FINRA highlights as an exam finding that firms did not notify their AML departments of events that involve suspicious transactions including cybersecurity events, account compromises or takeovers, new account fraud, fraudulent wires and ACH transfers.[6] FINRA expects that events involving, or enabled by, cybercrime be reported via SARs. In addition, FINRA urges firms to consider how FinCEN's 2021 publication of government-wide priorities for AML and countering the financing of terrorism will be incorporated into their risk-based AML programs.
FINRA addresses risks relating to OBAs and PSTs and reminds firms of their obligation under FINRA Rule 3270.01 to determine whether proposed OBAs will interfere with or otherwise compromise the registered representative's responsibilities to the firm and its customers, or should be treated as a PST subject to the requirements of FINRA Rule 3280. FINRA highlights as an effective practice conducting due diligence of OBAs that involve raising capital or directing securities transactions with investment advisers or fund companies in order to identify potential PSTs.
FINRA emphasizes, in particular for new member firms, that for purposes of compliance with the books and records requirements under SEC Rules 17a-3 and 17a-4[7] and FINRA rules, firms must file a Financial Notification when selecting or changing an archival service provider. Firms also should perform due diligence to verify vendors' ability to comply with applicable books and records requirements, including standards for electronic storage media ("ESM") and ESM notification requirements, and confirm that service contracts and agreements comply with ESM notification requirements. FINRA found that firms failed to comply with the ESM notification requirements, such as not obtaining the third-party attestation letters required by SEC Rule 17a-4(f)(3)(vii). FINRA also highlights as an effective practice firms' review of vendor contracts and agreements to assess whether firms will be able to comply with applicable books and records requirements.
FINRA did not add any new content with respect to regulatory events reporting under FINRA Rule 4530, but the Report's discussion of exam findings and effective practices in this area serves as helpful guidance.
With respect to firm short positions and fails-to-receive in municipal securities, a new topic in 2022, FINRA highlights findings relating to inadequate controls and procedures for preventing, identifying and resolving adverse consequences to customers when a firm does not maintain possession or control of municipal securities, which may result in customers receiving taxable, substitute interest instead of tax-exempt interest as expected. FINRA suggests certain effective practices to identify and prevent this issue, including developing operational and supervisory reports to identify customer long positions for which the firm has not taken possession or control of the security.
Another new topic in 2022 is trusted contact persons ("TCP"), as defined in FINRA Rule 4512(a)(1)(F). FINRA notes exam findings relating to firms' failure to make a reasonable attempt to obtain the name and contact information of a TCP for all non-institutional customers and not providing certain TCP-related written disclosures. FINRA also notes emerging customer account information risks relating to when registered representatives are named a beneficiary of a customer's estate, executor or trustee, or have a power of attorney for a customer.
FINRA adds discussion of regulatory obligations related to funding portals and crowdfunding offerings as a new topic in 2022. This is consistent with the increased SEC enforcement focus on crowdfunding. In September 2021, for example, in its first action in this area, the SEC charged a registered funding portal and certain of its executives in connection with allegedly conducting fraudulent and unregistered crowdfunding offerings. The Report identifies a number of exam findings, including among these, missing disclosures. Offerings on platforms have failed to include disclosures required by Regulation Crowdfunding, such as use of proceeds descriptions, offering process details, descriptions of capital stock, and financial statements. Funding portals also are failing to report written customer complaints (required by FINRA Funding Portal Rule 300(c)) and failing to make required filings, such as statements of gross revenues, within the specified time periods. The Report suggests developing annual compliance questionnaires to, among other things, verify the accuracy of associated persons' disclosures, as well as developing compliance checklists and schedules in order to assist in the process of confirming that obligations are being met in a timely manner. In addition, the Report notes that funding portals should be implementing supervisory review procedures tailored to the communications requirements applicable to portals.
COMMUNICATIONS AND SALES
The Communications and Sales section of the Report discusses Reg BI and Form CRS, communications with the public, private placements and variable annuities.
The Report contains a substantial amount of new material relating to Reg BI and Form CRS, including an overview of key regulatory considerations, a list of exam findings and a summary of effective practices observed in connection with FINRA's oversight activities. FINRA notes that the findings present an initial look at firms' practices and, as it continues to conduct exams and gather additional information on firms' practices, FINRA intends to publish additional findings in the future.
In addition, the Report includes a substantial amount of new content relating to communications with the public, with a particular focus on communications relating to mobile apps, digital assets, cash management accounts and municipal securities. For example, FINRA highlights findings relating to false, misleading and inaccurate information in mobile apps, including providing incorrect account balance or historical performance information, sending margin call warnings to customers whose account balances were not approaching or were below minimum maintenance requirements, and distributing false and misleading promotions through social media and "push" notifications that made promissory claims or omitted material information. FINRA also highlights several considerations for communications relating to municipal securities. FINRA reminds new member firms that they are required to file, prior to use, retail communications that are published or used in any electronic or other public media with FINRA's Advertising Regulation Department during their first year of membership.[8] FINRA notes that it has observed deficient communications promoting digital assets that may create confusion about the role of the broker-dealer in relation to other entities involved in the offer of digital assets.
Given the increased reliance by issuers on private placements, the Report once again includes a discussion of private placements. The Report reminds firms of their due diligence obligations in connection with private placements, which are set forth in FINRA RN 10-22. The Report notes that FINRA's suitability rule continues to apply to non-retail customers, and Reg BI applies to recommendations to retail customers of any securities transaction, including recommendations relating to a private placement. The Report reminds firms of their obligation to make timely filings under FINRA Rules 5122 or 5123, and reminds firms of the recent amendments to these rules.[9] Among its findings, FINRA notes that some firms failed to perform reasonable diligence concerning private placements, especially in connection with offerings that relate to issuers in businesses as to which the member firm lacks specialized experience. In addition, FINRA notes it has observed in exams that firms failed to inquire into and analyze red flags identified during the diligence practice. The Report highlights a number of effective practices in the area, including: creating checklists relating to private placements; conducting and documenting independent research on offerings and addressing any identified red flags; independently verifying aspects of the business plan that are key to the future prospects; identifying and addressing any conflicts of interest; and post-offering, conducting a review to ascertain whether offering proceeds were used in a manner consistent with the plan disclosed in the offering materials.
FINRA addresses risks relating to variable annuities in new content regarding firms' processes to supervise registered representatives who advise their clients' decisions on whether to accept a buyout offer. FINRA highlights findings relating to poor and insufficient data quality on variable annuity transactions, particularly in connection with exchange transactions, as well as failing to address inconsistencies in available data for variable annuities, data formats and reporting processes. FINRA notes as an effective practice creating automated solutions to synthesize variable annuity data when warranted in light of transaction volumes.
The Market Integrity section of the Report discusses CAT reporting obligations, best execution, disclosure of routing information, and the market access rule.
FINRA highlights several new exam findings relating to CAT reporting obligations, including inaccurate reporting of required information to the Central Repository, failure to resolve repairable CAT errors in a timely manner, and inadequate supervisory procedures and controls regarding CAT reporting and clock synchronization that are performed by third-party vendors.
FINRA emphasizes that best execution obligations apply to any firm that receives customer orders for purposes of handling and execution and reminds that any firm subject to FINRA Rule 5310 cannot transfer its duty of best execution to another person. FINRA urges firms to consider how they address potential conflicts of interest in order routing decisions, such as those involving affiliated broker-dealers or other entities, market centers that provide payment for order flow ("PFOF") or other order-routing inducements, and orders received from customers of another broker-dealer for which the receiving firm provides PFOF. FINRA is conducting targeted best execution reviews of wholesale market makers concerning their relationships with broker-dealers that route to them as well as their own order routing practices and decisions.
Disclosure of routing information is a new topic for 2022. FINRA highlights numerous findings relating to order routing disclosures under Rule 606 of Regulation NMS, such as inaccurate quarterly reports (e.g., incorrectly stating that the firm does not have a profit-sharing arrangement or receive PFOF from execution venues), failure to adequately describe material aspects of the firm's relationships with disclosed venues in the quarterly report, and insufficient WSPs relating to, for example, failing to make updates to include new requirements of amended Rule 606(a)(1) or new Rule 606(b)(3).
FINRA adds new content regarding the Market Access Rule (SEC Rule 15c3-5). In particular, FINRA notes that the rule applies generally to securities traded on an exchange or alternative trading system ("ATS"), including equities, equity options, exchange-traded funds, debt securities, security-based swaps, security futures products and digital assets that meet the SEC's definition of a security. With respect to firms that operate an ATS that has subscribers that are not broker-dealers, FINRA instructs that such firms should consider how they establish, document and maintain a system of controls and supervisory procedures reasonably designed to manage the financial, regulatory and other risks of this business activity.
The Financial Management section of the Report discusses net capital, liquidity risk management, credit risk management, segregation of assets and customer protection, and portfolio margin and intraday trading.
With respect to net capital compliance, FINRA highlights, in particular for new member firms, that if firms have an affiliate paying any of their expenses, Notice to Members 03-63 of the former National Association of Securities Dealers, Inc. ("NASD") sets forth specific requirements for establishing an Expense Sharing Agreement. In addition, firms with office leases should apply the guidance in RN 19-08 for reporting lease assets and lease liabilities on their FOCUS reports. Moreover, firms must align their revenue recognition practices with the requirements of the Financial Accounting Standards Board's Topic 606 (Revenue from Contracts with Customers).[10]
FINRA recently adopted a new filing requirement relating to firms' liquidity risk management practices for firms with large customer and counterparty exposures.[11] The new requirement, the Supplemental Liquidity Schedule ("SLS"), becomes effective on March 1, 2022, and the first SLS, which will be filed as a supplement to the FOCUS report, is due by May 4, 2022. FINRA directs firms to consider whether their liquidity risk management practices include processes for accessing liquidity during common stress conditions and "black swan" events, determining how the funding would be used, and using empirical data from recent stress events to increase the robustness of firms' stress testing. FINRA states that it observed firms incorrectly basing clearing deposit requirements on information that does not accurately represent their business operations, such as using the amounts listed on FOCUS reports rather than spikes in deposit requirements that may have occurred on an intra-month basis. In addition, as an effective practice, FINRA states that firms' liquidity management plans should consider material changes in market value of firm inventory over a short period of time.
FINRA includes credit risk management and segregation of assets and customer protection as topics in the Report, as it did in last year's Report, although neither section contains new content for 2022. Nevertheless, FINRA's discussion of considerations and exam findings relating to these topics should be reviewed carefully, including FINRA's discussion of digital assets in the context of SEC Rule 15c3-3.
With respect to portfolio margin and intraday trading, a new topic for 2022, FINRA highlights findings relating to systems that are not adequately designed to identify credit risk exposure on an intra-day and end-of-day basis, failure to promptly identify and escalate elevated risk exposures to senior management (in part due to insufficient expertise), and WSPs that do not adequately outline intraday monitoring processes and controls. FINRA identifies several effective practices relating to internal risk frameworks, concentration risk and communicating with clients with large or significantly increasing exposures.
The Report addresses a variety of topics, ranging from findings that FINRA highlighted in prior reports and that FINRA continues to note in recent examinations to emerging risks representing potentially concerning practices that FINRA has observed and which may receive increased scrutiny going forward. Firms should address potential gaps in their compliance programs and incorporate relevant practices in a manner tailored to their business operations.
For more information about the topics raised in this Legal Update, please contact any of the following lawyers.
Steffen Hemmerich +1 212 506 2129
Anna T. Pinedo +1 212 506 2275
Stephen Vogt +1 202 263 3364
[1] See FINRA Targeted Examination Letter on Zero Commissions (February 2020). FINRA intends to share findings in the future.
[2] See FINRA Targeted Examination Letter on Social Media Influencers, Customer Acquisition, and Related Information Protection (September 2021). FINRA intends to share findings in the future.
[3] See FINRA Targeted Exam Letter on Special Purpose Acquisition Companies ("SPACs") (October 2021). FINRA intends to share findings in the future.
[4] See, e.g., FINRA Regulatory Notice ("RN") 21-20 (FINRA Alerts Firms to Phishing Email Using "gateway-finra.org" Domain Name) (June 2021); FINRA RN 21-18 (FINRA Shares Practices Firms Use to Protect Customers From Online Account Takeover Attempts) (May 2021); and FINRA RN 21-14 (FINRA Alerts Firms to Recent Increase in ACH "Instant Funds" Abuse) (March 2021).
[5] See FINRA Targeted Examination Letter on Option Account Opening, Supervision and Related Areas (August 2021). FINRA intends to share findings in the future.
[6] FINRA also highlights certain considerations relating to emerging low-priced securities risk as well as emerging vendor risk for cybersecurity.
[7] We note that the SEC has proposed amendments to SEC Rule 17a-4 to, among other things, allow for electronic records to be preserved in a manner that permits the recreation of an original record if it is altered, over-written, or erased. See Electronic Recordkeeping Requirements for Broker-Dealers, Security-Based Swap Dealers, and Major Security-Based Swap Participants, 86 Fed. Reg. 68300 (Dec. 1, 2021).
[8] See FINRA Rule 2210(c)(1)(A). Note, however, that firms may seek a waiver from this requirement under FINRA Rule 2210(c)(9)(A).
[9] See FINRA RN 21-26 (FINRA Amends Rules 5122 and 5123 Filing Requirements to Include Retail Communications That Promote or Recommend Private Placements) (July 2021) and FINRA RN 21-10 (FINRA Updates Private Placement Filer Form Pursuant to FINRA Rules 5122 and 5123) (March 2021).
[10] See NASD Notice to Members 03-63 (SEC Issues Guidance on the Recording of Expenses and Liabilities by Broker/Dealers) (October 2003); see also FINRA RN 19-08 (Guidance on FOCUS Reporting for Operating Leases) (March 2019).
[11] See FINRA RN 21-31 (FINRA Establishes New Supplemental Liquidity Schedule (SLS)) (September 2021).