New Topics and Material Highlight FINRA's Increased Focus on Market Integrity and Other Key Risk Areas
On January 10, 2023, the Financial Industry Regulatory Authority, Inc. ("FINRA") published the 2023 Report on FINRA's Examination and Risk Monitoring Program (the "Report"). FINRA highlights several topics as key areas of risk for investors and the markets, including mobile apps, complex products and options, order handling/best execution, Regulation Best Interest ("Reg BI") and Form CRS, and cybersecurity. FINRA's focus on these topics in 2023 is expected given that each has been the subject of regulatory initiatives of FINRA and the US Securities and Exchange Commission ("SEC") in the recent past. The regulators' focus on these topics is likely to intensify with the continued fallout from the collapse of FTX and other market participants, particularly with respect to those business practices and products with extensive use by, or impact on, retail investors.
Notably, the Report also adds several new topics relating to Market Integrity, including with respect to fair pricing obligations for fixed income securities, trade reporting and order handling requirements for fractional shares, and certain aspects of Regulation SHO. Additionally, the Report includes manipulative trading as a new topic, which, together with existing topics on cybersecurity/technology governance and anti-money laundering ("AML")/fraud/sanctions, is covered under a new Financial Crimes section. Finally, FINRA adds new content on a wide range of topics covered in previous years.
Below, we provide a brief overview of the Report's new topics, as well as the new material in previously covered topics.
The Report identifies the following topics as key areas of risk to investors and the markets.
- Reg BI and Form CRS. FINRA's reviews focus on, among other things, whether firms are making recommendations that adhere to Reg BI's Care Obligation, identifying and addressing conflicts of interest, disclosing to retail customers all material facts related to conflicts of interest, and establishing and enforcing adequate written supervisory procedures ("WSPs") (including the provision of effective staff training).
- Consolidated Audit Trail ("CAT"). With respect to firms' compliance with CAT reporting requirements, FINRA focuses on the timely submission of reportable events and corrections, reporting complete and accurate CAT records, and effectively supervising third-party vendors (including those responsible for CAT submissions and clock synchronization).
- Order Handling, Best Execution and Conflicts of Interest. To assess firms' compliance with best execution obligations under FINRA Rule 5310 and Rule 606 of Regulation NMS, FINRA evaluates whether firms are fully and promptly executing marketable customer orders, adequately conducting periodic "regular and rigorous reviews," and disclosure of the terms of profit-sharing relationships (e.g., payment for order flow) with venues to which firms route orders. FINRA's continued focus on order handling, best execution and conflicts of interest is consistent with the targeted regulatory efforts it has undertaken in recent years, including targeted reviews of the impact of the zero-commission model on firms' order routing practices1 and the order handling practices of wholesale market makers. We expect FINRA's focus on best execution and order handling to continue for the foreseeable future, particularly in light of the SEC's recent rulemaking proposals to reshape the US equity markets and adopt a new best execution regulation.
- Mobile Apps. FINRA emphasizes again, as it did in last year's report, that mobile apps raise novel questions and potential concerns relating to customer protection. FINRA highlights that some mobile apps are not adequately distinguishing between products and services of the brokerdealer and those of affiliates and/or other third parties. Moreover, FINRA will monitor how mobile apps disclose and explain risks associated with higher-risk products and services. Last year, FINRA identified significant problems with some mobile apps' communications with customers and firms' supervision of activity on those apps (particularly with respect to controls around account openings). Mobile apps continue to be a focus of securities regulators, as we will further highlight below.
- Cybersecurity. To enhance FINRA's ability to proactively address cybersecurity threats, FINRA has established a new "Cyber and Analytics Unit," which has separate teams for examining firms' cybersecurity risk management programs, conducting investigations of cyber-related fraud, and investigating and examining crypto-asset activities. FINRA also has increased its outreach to firms regarding cybersecurity threats, including notifying them of websites or social media profiles which may be attempting to impersonate a firm or its personnel, or individuals purporting to be associated with the firm.
- Complex Products and Options. FINRA is continuing its review of firms' business practices with respect to complex products and options, including related communications and disclosures to customers. Last year, FINRA published a regulatory notice to remind firms of their current regulatory obligations regarding complex products and options2 and initiated a targeted exam of firms' crypto asset retail communications.3 In December 2022, FINRA provided an update on its previous targeted exam on firms' practices and controls related to the opening of options accounts and related areas, including account supervision, communications and diligence.4
The Report addresses 24 regulatory topics organized into five sections: Financial Crimes; Firm Operations; Communications and Sales; Market Integrity; and Financial Management. We highlight below the new topics for 2023 and certain of the new material that FINRA added to previously covered topics.
The Financial Crimes section has been newly added and includes discussion of cybersecurity, AML, fraud and sanctions, and manipulative trading as topics. Cybersecurity and AML were previously covered in the Firm Operations section of last year's report.
FINRA identifies numerous new cybersecurity-related considerations, observations and effective practices. In particular, FINRA adds a new section regarding branch controls, which addresses, among other things, branch-specific cybersecurity risks and registered representatives' use of personal devices for firm business.
With respect to AML, fraud and sanctions, FINRA highlights several considerations relating to identity theft, including identifying and responding to relevant identity theft "red flags" in connection with account openings, particularly for firms that offer account openings online or through mobile apps. Additionally, FINRA identified the following as emerging AML risk areas: (i) manipulative trading in small cap initial public offerings ("IPOs"), in which FINRA has observed significant unexplained price increases on the day of or shortly after such IPOs;5 (ii) activity in customer accounts that may relate to the evasion of Russian sanctions;6 and (iii) fraudulent transfers of accounts through the Automated Customer Account Transfer Service (referred to by FINRA as ACATS fraud).7
With respect to manipulative trading, a new topic in 2023, FINRA highlights several effective practices, including maintaining and reviewing customer and proprietary data to detect manipulative schemes, such as those that involve correlated securities (e.g., stocks, exchange-traded products and options) and monitoring activity occurring across multiple platforms that also may involve related financial instruments or multiple correlated products.
The Firm Operations section of the Report discusses outside business activities ("OBAs") and private securities transactions ("PSTs"), books and records requirements, regulatory events reporting under FINRA Rule 4530, firm short positions and fails-to-receive in municipal securities, "trusted contact persons" for purposes of FINRA Rule 4512(a)(1)(F), and funding portals and crowdfunding offerings. Below, we discuss key takeaways from this section of the Report.
FINRA encourages firms to monitor whether a previously approved OBA has changed over time and potentially created new conflicts or issues, or evolved into a PST requiring firm approval, supervising and recording of compensation. FINRA also encourages firms to consider providing training and guidance to personnel regarding their potential engagement in OBAs and PSTs during on-boarding and periodically thereafter.
With respect to books and records requirements under SEC Rules 17a-3 and 17a-4 and FINRA Rules 3110(b)(4) and 4511, FINRA reminds firms that they must preserve originals of all communications (e.g., emails, instant messages, test messages, chat messages) received and sent relating to their "business as such," including through non-firm or third-party digital communications channels used by personnel to conduct firm business. Firms should consider whether their digital communication policy addresses all permitted and prohibited digital communication channels and features for customers and associated persons. Firms also should consider whether they have processes and procedures to monitor for new communications methods available to customers and associated persons, and whether to establish reviews for "red flags" that may indicate a registered representative is communicating through an unapproved communication channel. Following the SEC's significant enforcement actions against numerous firms in 2022 for "off-channel communications" and related recordkeeping failures, FINRA will likely focus on what firms are doing to address these issues and what technology solutions firms are incorporating into their operations to ensure compliance.
With respect to the SEC's recent amendments to SEC Rule 17a-4, FINRA reminds firms which rely on SEC Rule 17a-4(f) to preserve required records electronically to file with FINRA new undertakings reflecting the amended language by May 3, 2023.8
COMMUNICATIONS AND SALES
The Communications and Sales section of the Report includes Reg BI and Form CRS, communications with the public, private placements and variable annuities as topics. Below are certain highlights from this section.
The Report contains a substantial amount of new material related to the four component obligations of Reg BI: Care, Conflict of Interest, Disclosure and Compliance. The Report addresses several points related to complex or higher-risk products e.g., firms should consider applying heightened scrutiny in determining whether investments that are high-risk, high-cost, complex or represent a high conflict of interest are in a retail customer's best interest.
FINRA adds new material in the Report regarding communications with the public. FINRA discusses its findings and concerns regarding certain aspects of firms' communications through mobile apps and other digital communications promoting crypto assets or Environmental, Social and Governance ("ESG") products. For example, FINRA highlights concerns with the accuracy of information and the adequacy of disclosure on mobile apps and in communications promoting crypto assets. FINRA also highlights findings relating to the lack of adequate disclosure on whether crypto assets or services are covered under the federal securities laws or the Securities Investor Protection Act of 1970. With respect to ESG factors, FINRA has observed firms using fund communications that contain claims inconsistent with or unsupported by the fund's offering documents, or include rankings, ratings or awards that lack a sound basis or are unwarranted or misleading based on the criteria used or factors considered.
The Market Integrity section of the Report discusses CAT reporting obligations, best execution obligations, disclosure of routing information, fair pricing obligations for fixed income securities, reporting and order handling obligations for fractional shares, and bona fide market making exemptions and reuse of "locates" for intraday buy-to-cover trades under Regulation SHO. Key takeaways from this section are discussed below.
The Report's exam findings related to best execution obligations focus on the requirement for firms to conduct "regular and rigorous" reviews of the execution quality of its customers' orders. In relation to such reviews, FINRA highlights as an effective practice considering the potential execution quality available at various trading centers, including those to which a firm does not send order flow; and being prepared to explain and evidence the firm's best execution analysis on a "regular and rigorous" or orderby-order basis, as applicable.
FINRA adds fair pricing obligations for fixed income securities as a new topic in 2023. During exams, FINRA has observed that firms incorrectly determine the prevailing market price ("PMP") pursuant to the requirements of FINRA Rule 2121 and Municipal Securities Rulemaking Board ("MSRB") Rule G-30, use outdated mark-up/mark-down grids and provide unreasonable supervision by solely relying on grids or fixed mark-up/mark-down thresholds (i.e., without performing a facts and circumstances analysis as required by FINRA Rule 2121 and MSRB Rule G-30). FINRA notes, as an effective practice, firms can compare their mark-ups/mark-downs with industry data provided in the TRACE and MSRB Markup/Mark-down Analysis Reports.
Also a new topic in the Report is reporting and order handling obligations for fractional shares. FINRA reminds firms that trades in fractional share quantities must be reported in accordance with FINRA traded reporting rules and related guidance (which requires rounding quantities up to one if less than one share and truncating the fractional quantity for transactions that involve both a whole-share and fractional share quantity). FINRA also reminds firms that they must comply with FINRA's order handling rules, including with respect to best execution (FINRA Rule 5130), in handling and executing customer fractional share orders.
Bona fide market making exemptions and reuse of locates for intraday buy-to cover trades under Regulation SHO is a new topic this year. FINRA has observed firms failing to distinguish bona fide market making activities from other proprietary trading activity that is not eligible to rely on Regulation SHO's bona fide market making exception. FINRA also has observed impermissible reuse of locates for intraday buy-to-cover trades for a "hard to borrow" or a threshold security.
The Financial Management section of the Report discusses net capital, liquidity risk management, credit risk management, portfolio margin and intraday trading and segregation of assets and customer protection.
As part of the new material relating to net capital (SEC Rule 15c3-1), FINRA encourages firms to consider how they assess the potential impact to net capital for new, complex or atypical transactions. FINRA has observed firms that apply incorrect capital charges for underwriting commitments, including by not establishing and maintaining WSPs for calculating and applying open commitment charges and failing to maintain an accurate record or log of underwritings in which the firm is involved. FINRA highlights as an effective practice establishing WSPs for calculating and applying open contractual commitment charges (as well as focusing on the product and proper haircut percentage) and ensuring the firm's role in the underwriting (i.e., best efforts or firm commitment) is clear within the underwriting agreement.
Firms should review the Report's discussion of the new topics and new material for previously covered topics to identify potential gaps and areas for enhancement in their compliance programs and supervisory controls. Moreover, firms should use the Report in their preparation for regulatory exams and pay close attention to emerging risk areas relevant to their particular business operations and practices.