The Financial Industry Regulatory Authority published its 2019 Report on Examination Findings and Observations (2019 Report) on October 16, 2019. This marks the third annual report of FINRA findings, but in a departure from the prior reports, the 2019 Report distinguishes “findings” (determinations that a firm or registered person has violated SEC, FINRA or other relevant rules) from “observations” (suggestions as to how a firm might improve its control environment, communicated separately from a formal examination report).
The 2019 Report focuses on a number of findings and observations, involving: sales practice and supervision; firm operations; market integrity; and financial management. In addition, the 2019 Report provides examples of effective practices, which can help firms improve their supervision, compliance and risk management programs. This OnPoint discusses key findings from the 2019 Report, as well as FINRA’s observations regarding how firms might have avoided related weaknesses and risks.1
Sales Practice and Supervision
The 2019 Report focuses on a variety of supervision issues, as well as: suitability; digital communication; anti-money laundering (AML); and Uniform Transfers to Minors Act (UTMA) and Uniform Grants to Minors Act (UGMA) accounts. Noteworthy examination findings and observations include:
- Supervision:2 FINRA found that some firms did not have sufficient written supervisory procedures (WSPs) to adequately address newly adopted or amended rules applicable to their businesses. In addition, FINRA found that some firms had limited branch supervision, inadequate record-keeping, and insufficient supervision for specific types of accounts (i.e., restricted and insider accounts; margin accounts; option accounts). FINRA further noted weaknesses involving some firms’ branch office and non-branch office supervision and inspection programs. In particular, FINRA found: a lack of understanding of particular products and services offered at certain locations; inspections that were not tailored to the products and services offered; and instances of inadequate response to red flags of potential problematic activities. The 2019 Report references a lack of consistency in memorializing inspection reports in writing. Further, FINRA noted supervisory deficiencies when registered representatives used Consolidated Account Reports (CARs), including with respect to verification that information regarding assets held away from the member firm was reflected accurately in CARs.3
- Suitability: FINRA found that some firms did not have adequate supervisory systems to determine that recommendations satisfied the firm’s customer-specific suitability obligation in light of the particular customer’s investment profile (e.g., financial situation and needs, investment experience, risk tolerance, time horizon, investment objectives, liquidity needs).4 Although FINRA did not discuss these findings in connection with preparation for Regulation Best Interest, firms will want to take them into account when reviewing their supervisory systems and controls in connection with preparing for the SEC’s new rule.
Generally, FINRA noted that some firms lacked (or failed to use) supervisory systems that were reasonably designed to detect red flags indicating potentially unsuitable recommendations (e.g., not questioning multiple transactions in the same security that were marked as “unsolicited”). Other findings related to supervisory systems that were not adequately designed to reasonably assess the suitability of recommendations that customers exchange certain securities (particularly, mutual funds, variable annuities and unit investment trusts). FINRA indicated that some firms did not have adequate supervisory processes to identify patterns of unsuitable recommendations, especially in connection with exchanges of long-term products (e.g., reviews of trade blotters). FINRA further noted inadequate supervisory controls over registered representatives’ changes to customers’ account information, as well as supervisory failures to: detect trading patterns suggesting possible excessive trading; or respond to red flags for excessive trading highlighted in exception reports.
- Digital Communication: The 2019 Report generally notes the difficulties that some firms have experienced in complying with their supervisory and recordkeeping requirements with respect to the use of digital communications tools, technologies and services. In particular, although some firms have prohibited the use of certain communication channels such as texting, messaging, social media or collaboration applications (e.g., WhatsApp, WeChat, Facebook, Slack, HipChat) for business-related communications with customers, FINRA noted that some firms failed to maintain a process to reasonably identify and respond to red flags that registered representatives were using prohibited communication channels for firm business. FINRA also observed that some registered representatives used chatrooms or other digital communications to conduct electronic sales seminars in violation of firm procedures and outside of the firm’s supervisory and recordkeeping processes.5
FINRA noted that firms should conduct reviews of customer complaints, registered representatives’ emails, outside business activities and advertising, in order to detect the use of prohibited communications channels. Moreover, FINRA cited as examples of effective practices: the establishment of comprehensive governance processes; defining and controlling permissible digital channels; implementing WSPs to manage video content; implementing mandatory training programs; and disciplining the misuse of digital communications.
- AML: FINRA found that some firms had deficiencies in the design and implementation of systems and processes to detect and report suspicious activity as required by the Bank Secrecy Act and regulations thereunder.6 In particular, FINRA noted that firms should be careful to review and revise their AML programs as their businesses and customers change. FINRA also reminded firms that securities trading must be monitored for suspicious activity reporting, including for red flags potentially indicating market dominance, prearranged trading or instances where groups of seemingly unrelated accounts were working in concert to manipulate stock prices. FINRA also noted the need to monitor third-party wire transactions, and for introducing brokers not to rely excessively on their clearing firms. According to FINRA, introducing brokers remain responsible for monitoring suspicious activity attempted or conducted through the member firm.
- UTMA and UGMA Accounts: FINRA indicated that some firms did not satisfy their “Know Your Customer” obligations under FINRA Rule 2090 with respect to UTMA and UGMA accounts, because such firms did not transfer authority for an account to its beneficiary once he or she reached the age of majority. In particular, FINRA noted that effective practices might include implementing procedures to: verify the authority of custodians of UTMA and UGMA accounts; include automated tools to track when beneficiaries of those accounts reach the age of majority; and notify custodians and registered representatives when beneficiaries are approaching or have reached the age of majority.
Firm Operations
The 2019 Report focuses on cybersecurity, business continuity plans (BCPs) and fixed income mark-up disclosure. Noteworthy examination findings and observations include:
- Cybersecurity: To help firms improve their cybersecurity programs, and potentially their Regulation S-P compliance, FINRA identified a number of practices that some firms have implemented to enhance their cybersecurity risk-management programs. These practices include:
  - Maintaining branch-level written cybersecurity policies, and establishing procedures to verify the implementation and functioning of such controls.
  - Documenting policies regarding vendor and third-party management.
  - Establishing and testing written formal incident response plans (including tools to identify, classify, prioritize, track and close cybersecurity-related incidents).
  - Encrypting all confidential data wherever stored.
  - Implementing timely application of system security patches for critical firm resources (e.g., servers, network routers, desktops, laptops, software systems).
  - Implementing and maintaining “Policies of Least Privilege,” or other appropriate policies and procedures, to: grant system and data access only when required; and track access to data or systems (e.g., multi-factor authentication controls).
  - Maintaining a current inventory of critical information technology assets, which should include legacy assets that are no longer supported by vendors.
  - Implementing data loss prevention controls to protect sensitive customer information.
  - Providing robust cybersecurity training for registered representatives, third-party providers and consultants.
  - Implementing procedures that address the documentation, review, prioritization, testing, approval and management of hardware and software changes.
- BCPs:7 FINRA indicated that some firms’ BCPs did not reflect certain market conditions, business models or other circumstances. Furthermore, FINRA noted that some firms failed to identify all of their mission-critical systems or to update their BCPs after significant operational changes. FINRA noted that effective practices for BCPs might include: engaging in annual testing (e.g., for sufficient capacity, currency of contact information and to reflect operational changes); and incorporating test results into firm training. In addition, FINRA noted that a registered principal must be responsible for the firm’s annual BCP review, and that firms should incorporate the test results into their training programs.
- Fixed Income Mark-up Disclosure: The 2019 Report notes many of the same deficiencies with this disclosure (which is required by FINRA Rule 2232 and Municipal Securities Rulemaking Board Rule G-15) as FINRA had identified in its 2018 Report. In particular, FINRA noted that some firms: mischaracterized their compensation by disclosing additional charges separate and apart from their disclosure of mark-ups and mark-downs; created confusion by inaccurately depicting registered representatives’ sales credits or concessions; or labeled only sales credits or concessions as the total mark-up or mark-down. Other deficiencies identified by FINRA involved inaccuracies in the determination of prevailing market prices and the disclosure of execution times.
Market Integrity
The 2019 Report focuses on best execution, direct market access controls and short sales. Noteworthy examination findings and observations include:
- Best Execution: FINRA found that some firms failed to conduct execution quality reviews of competing markets or certain order types. FINRA also found that, in some cases, firms failed to consider the factors required by FINRA Rule 5310 when conducting execution quality reviews (e.g., speed of execution, price improvement opportunities, likelihood of execution of limit orders).8 FINRA further noted that some firms did not adequately address or disclose potential conflicts of interest relating to their routing of orders to affiliated alternative trading systems. FINRA also observed failures in some firms’ order routing reports pursuant to Rule 606 of Regulation NMS, including with respect to orders routed to their own trading desks.
- Direct Market Access Controls: As in FINRA’s 2017 and 2018 Reports, FINRA found many of the same issues related to firms’ compliance with Rule 15c3-5 under the Securities Exchange Act of 1934, especially in the case of providing access to trading in fixed-income securities on exchanges or alternative trading systems. In particular, FINRA noted that some firms’ WSPs and risk management controls did not address: pre-trading order limits; pre-set capital thresholds; or duplicative and erroneous order controls. FINRA also identified weaknesses in some firms’ controls for requesting, approving, reviewing and documenting intra-day adjustments to credit controls. Similarly, FINRA noted inadequate financial risk management controls (e.g., lack of appropriate capital thresholds, aggregate daily limits or credit limits). FINRA reminded firms to regularly assess the appropriateness of their customer-specific capital thresholds and pre-set credit limits. In addition, the 2019 Report indicates that some firms failed to maintain reasonably designed risk-management controls that could support certification by the firm’s chief executive officer, as required by Rule 15c3-5(e)(2). With respect to some firms that use multiple systems to provide direct market access, FINRA noted the absence of reasonable controls to confirm that those systems’ records were aggregated and integrated in a timely manner (e.g., with respect to post-trade and supervisory reviews), especially in the case of potential manipulative trading.
- Short Sales: FINRA reminded firms of observations in its 2017 Report with respect to compliance with Regulation SHO Rules 200-204.9 The 2019 Report also references the inability of some firms to satisfy Rule 204’s Continuous Net Settlement (CNS) System fail-to-deliver close-out requirement. Specifically, FINRA noted that these firms did not implement a sufficient process to properly account for instances of failure to deliver shares at settlement (fails), which resulted in fails not being closed out during the required settlement period. FINRA also noted that some firms did not accurately allocate CNS fails to other registered brokers or dealers for which the firm clears trades or from which it receives trades for settlement. As potential effective practices for firms to adopt with respect to rates charged for borrowing, sourcing and locating securities, FINRA identified the periodic review of policies relating to firms’ rates, as well as monitoring the aging of short positions to determine the appropriateness of originally assigned rates.
Financial Management
The 2019 Report focuses on liquidity and credit risk management, segregation of client assets and net capital calculations. Noteworthy examination findings and observations include:
- Liquidity and Credit Risk Management: FINRA highlighted practices for firms to strengthen their liquidity management programs, including: developing contingency plans for operating in a stressed environment; updating liquidity risk management practices; conducting stress tests; and maintaining a robust internal control framework to capture, measure, aggregate, manage and report credit risk.
- Segregation of Client Assets: FINRA stated that it found many of the same concerns as were discussed in its 2018 Report regarding compliance with the requirements of Exchange Act Rule 15c3-3. In particular, FINRA observed that some firms faced continuing challenges with respect to check forwarding, possession and/or control. In this regard, some firms were found to have: missing or inaccurate information on their blotters; inadequate processes with respect to possession or control; inaccurate reserve formula calculations; and coding errors.
- Net Capital Calculations: FINRA noted the same deficiencies in some firms’ compliance with Exchange Act Rule 15c3-1 as it had discussed in its 2017 and 2018 Reports. Further, FINRA identified additional deficiencies – in particular, FINRA noted that some firms: applied incorrect haircuts to fixed income securities; used incorrect capital charges for underwriting commitments; and employed inaccurate classifications of receivables, liabilities and reserves. FINRA also found that some firms failed to: recognize on their books and records receivables due from insurance carriers and the corresponding liabilities owed to customers; obtain opinions of counsel as required by Rule 15c3-1; maintain adequate documentation to substantiate the allocation of costs under expense sharing agreements; accurately accrue expenses; or correctly net intercompany accounts with different affiliated entities.
While the examination findings and observations in the 2019 Report may indicate potential areas where FINRA intends to focus resources in the coming year, member firms should not expect examinations to be limited to the issues highlighted in this OnPoint. It is important to note that the 2019 Report reflects FINRA’s continuing emphases on supervision and cybersecurity, as well as a considerable push for firms to adopt FINRA-recommended best practices. The 2019 Report also may foreshadow areas of focus once compliance with Regulation Best Interest is required commencing June 30, 2020.