FINRA Publishes New 2021 Report on FINRA’s Examination and Risk Monitoring Program with Guidance to Member Firms, Including on Emerging Risks
On February 1, 2021, the Financial Industry Regulatory Authority (“FINRA”) published the first annual Report on FINRA’s Examination and Risk Monitoring Program (the “Report”), which (i) provides an analysis of prior examination results and (ii) highlights areas FINRA plans to review in the coming year. In prior years, FINRA covered these topics in two separate publications—the Report on Examination Findings and Observations and the Risk Monitoring and Examination Program Priorities Letter—but it has now merged them into one publication, the Report.
The Report addresses key regulatory topics divided into four categories: (1) Firm Operations, (2) Communications and Sales, (3) Market Integrity, and (4) Financial Management. The topics addressed in the Report were selected by FINRA for their interest to the largest number of member firms. For each regulatory obligation discussed, the Report identifies the applicable framework and related key considerations for member firms’ compliance programs, summarizes noteworthy findings and effective practices from recent examinations, and describes additional resources potentially helpful to member firms.
The Report also notes certain “Emerging Risks” within the four categories, which represent potentially concerning practices that FINRA has observed and that may be examined by FINRA in more detail going forward. The Report does not address examination findings, observations or effective practices specifically related to how member firms have adjusted their operations during the COVID-19 pandemic; rather, FINRA noted that those reviews are underway and will be addressed in a future publication.
The Report explores a wide array of regulatory obligations within the four categories, including certain perennial areas of focus for FINRA. However, it also highlights several key areas that impact compliance programs across many member firms, including Regulation Best Interest (“Reg BI”) and Form CRS, Consolidated Audit Trail (“CAT”), Cybersecurity, Communications with the Public, Private Placements, Best Execution, and Variable Annuities.
Certain themes, including digitization issues and the increased use of technology, emerge across topics in the Report. For example, with respect to Communications with the Public, the Report notes FINRA’s increased focus on how member firms are addressing risks related to new digital communication channels, including app-based platforms with interactive or “game-like” features. With respect to Books and Records, the Report focuses on cloud service providers and whether they are storing required records on the required electronic storage media. Additionally, with respect to Cybersecurity, the Report focuses on technology-related problems, such as insufficient oversight for changes in technology, which can expose member firms to operational failures and increased cybersecurity risk.
II. Regulatory Areas of Focus
Some items of note concerning the content of the Report are highlighted below.
- Regarding Firm Operations, the Report addresses risks in the following areas: Anti-Money Laundering (“AML”), Cybersecurity and Technology Governance, Outside Business Activities and Private Securities Transactions, Books and Records, Regulatory Events Reporting, and Fixed Income Mark-up Disclosure.
- In discussing emerging AML risks faced by member firms, the Report highlights risks in connection with the formation and initial public offering (“IPO”) of special purpose acquisition companies (“SPACs”). SPACs, which surged in popularity in 2020, are “blank check” companies formed for the purpose of effectuating an initial business combination with a target acquisition company within a specified period of time following the SPAC’s IPO. FINRA notes that the formation and IPO of SPACs require the development of adequate written supervisory procedures (“WSPs”) requiring member firms to “independently conduct due diligence” of SPAC sponsors. The Report also highlights the importance of implementing procedures that address other potential fraud risks related to SPACs, including misrepresentations and omissions in offering documents and shareholder communications regarding SPAC acquisition targets (such as the prospects of the target company and its financial condition), fees associated with SPAC transactions (including cash and non-cash compensation and compensation earned by affiliates), control of funds raised in SPAC offerings, and insider trading (where underwriters and SPAC sponsors may possess and trade around material non-public information regarding potential SPAC acquisition targets).
- As member firms continue to manage their operations remotely, the Report notes that FINRA has observed increased numbers of cybersecurity- and technology-related incidents, including system-wide outages, email and account takeovers, fraudulent wire requests, imposter websites, and ransomware. As such, the Report highlights the continued importance of effective cybersecurity controls in preventing operational incidents, including by maintaining robust third-party vendor oversight and implementing change management procedures to protect non-public information and firm services.
- The Report also focuses on risks in connection with obligations to disclose outside business activities (“OBAs”) and private securities transactions (“PSTs”). The Report recommends providing registered representatives and other associated persons with open-ended questionnaires regarding their new or previously disclosed OBAs and PSTs, conducting thorough, periodic reviews to ensure that OBAs and PSTs have been disclosed, monitoring performance, production, and lifestyle to look for indications that a registered representative or other associated person is involved in an undisclosed or prohibited OBA or PST, and conducting periodic training on OBAs and PSTs. The Report identifies the federal Paycheck Protection Program (“PPP”) as a source of emerging risks in this area, noting that some member firms’ registered representatives had received loans pursuant to the PPP for OBAs that had not been disclosed to their firms. As such, member firms should consider reviewing public data on PPP loans to identify any registered representatives who have received such loans.
- The Report also notes that FINRA’s recent examinations indicated that member firms had misinterpreted obligations requiring them to perform due diligence on the ability of their vendors, including Cloud Vendors, to comply with books and records rules. The Report recommends reviewing vendor contracts and agreements to assess compliance capabilities, including the requirement that electronic storage media (“ESM”) be maintained in a non-rewriteable and non-erasable format and that representations and attestations be provided to FINRA in accordance with Exchange Act Rule 17a-4(f).
- Regarding Communications and Sales, the Report addresses risks across a range of topics, including Reg BI and Form CRS, Communications with the Public, Private Placements, and Variable Annuities.
- In particular, the Report emphasizes obligations under Regulation Best Interest (“Reg BI”) and Form CRS, which became effective in June 2020. Reg BI establishes a “best interest” standard of conduct for broker-dealers and associated persons when they make recommendations of securities transactions or investment strategies involving securities to retail customers who use those recommendations for personal, family, or household purposes. Relatedly, broker-dealers are required to provide a brief “relationship summary” on Form CRS if they provide services to retail investors.
- The Report refers to the well-known content standards for a member firm’s communications with the public, including the FINRA Rule 2210 requirements that all communications be based on principles of good faith and fair dealing, be fair and balanced, provide a sound basis for evaluating the facts, include all material facts or qualifications necessary to ensure the communications are not misleading, and not include any false, misleading, promissory or exaggerated statements or any predictions or projections of performance. The Report highlights FINRA’s heightened focus on digital communications, recommending a clear and comprehensive set of procedures for digital communication policies, with a focus on monitoring and supervision, development of protocols for video communications, training, and disciplinary action. The Report acknowledges recent changes to the markets as a result of applications with interactive and “game-like” features, many of which contain related advertising and marketing designed to attract new retail investors. The Report details how the features of these digital communications, which are sometimes operated by member firms, may “result in increased risks to customers if not designed with the appropriate compliance considerations in mind,” and highlights member firms’ requirements to evaluate these features with a view toward regulatory obligations, including compliance with Reg BI, Form CRS, and FINRA’s communications rules. The Report further outlines recommended procedures for member firms’ digital asset communications, including adequate risk disclosure, review of digital asset communications to ensure compliance with the content standards of FINRA Rule 2210, and the differentiation of non-securities digital asset products that may be offered by an affiliate of a member firm from securities products offered by the member firm.
- The Report highlights a member firm’s obligations in respect of private placements, including the duty under FINRA’s suitability rule to conduct a reasonable investigation of a private placement offering and the duty under Reg BI to exercise reasonable diligence, care, and skill to understand the potential risks, rewards, and costs associated with a private offering. The Report underscores the importance of addressing red flags as part of this due diligence process, including reviewing conflicts of interest and other significant concerns, especially when relying on a third party’s due diligence review. Effective practices listed by the Report include identifying red flags in connection with an offering (including unlikely projections or results), verifying information that is key to the performance of the offering (including costs projected to effect the business plan and aggressively projected timing), and conducting ongoing monitoring after the offering to ensure that proceeds were used in a manner consistent with the offering memorandum.
- The Report recommends that member firms conduct a “holistic review” of variable annuity buyout offers, level registered representatives’ compensation for buyout offers in order to mitigate conflicts of interest, strengthen disclosures, and conduct additional post-transaction review. To bolster compliance with regulatory obligations associated with variable annuity exchanges, the Report recommends several measures including the use of automated surveillance tools, standardized review thresholds, and data integrity measures.
- Regarding Market Integrity, the Report addresses risks across a range of topics, including CAT, Best Execution, Large Trader Reporting, Market Access, and the Vendor Display Rule.
- The Report lists several relevant factors for member firms to consider in connection with compliance with rules regarding the Consolidated Audit Trail (“CAT”), including whether a member firm’s relevant WSPs (1) identify the individual responsible for the review of CAT reporting; (2) describe specifically the type of review(s) that will be conducted; and (3) specify how often the review(s) will be conducted and evidenced.
- To bolster compliance with the Best Execution and Interpositioning Rule, the Report recommends using exception and surveillance reports, reviewing how payment for order flow (“PFOF”) affects the order-routing process, conducting “regular and rigorous” reviews on at least a quarterly basis, and implementing continuous updates to WSPs and best execution analyses.
- The Report also notes that, as part of FINRA’s 2020 targeted review of member firms’ decisions to move to “zero-commission trading,” FINRA is evaluating whether these models adversely affected member firms’ compliance with their best execution obligations, how member firms used other practices to potentially offset lost commission revenue, and whether member firms prominently communicated the limitations and restrictions of the zero-commission model and other fees charged to customers.
- Regarding Financial Management, the Report details developments related to the Net Capital Rule, Liquidity Management, Credit Risk Management, and Segregation of Assets and Customer Protection.
- The Report underscores the requirement that member firms at all times have and maintain net capital at specific levels to protect customers and creditors from losses that can occur when member firms fail. FINRA will pay special attention to ensuring that member firms properly classify receivables, liabilities, and revenues so as to achieve accurate financial reporting, maintain adequate capital in connection with underwriting commitments in light of their role in the underwriting (i.e., best efforts or firm commitment), and, with regard to expense-sharing agreements, allocate expenses proportionate to the benefit to the broker-dealer and maintain sufficient documentation to substantiate the methodology for allocating specific costs to the broker-dealer or its affiliates.
- The Report reviews observations from examinations related to liquidity management, which are especially relevant in light of recent pandemic-related market volatility. Notable findings from the Report include failures related to the refinement of liquidity management plans and stress tests to adapt to difficult market environments. The Report’s recommendations include updating liquidity risk management practices, including stress tests, to take into account a member firm’s current business activities, and creating a liquidity management plan that considers potential mismatches in duration between liquidity sources and uses, potential losses of counterparties, assumptions based on idiosyncratic and market-wide conditions, and early warning indicators and escalation procedures for risk limit breaches.
- To enhance internal practices related to credit risk management, FINRA recommends developing comprehensive internal control frameworks to capture, measure, aggregate and report credit risk, maintaining approval and documentation processes for increases or other changes to assigned credit limits, and monitoring exposure to affiliated counterparties.
FINRA member firms should carefully review the Report, which is a useful tool to aid member firms in identifying risks associated with the business activities in which they are engaged and evaluating elements of their compliance programs to identify any gaps. The Report also provides insight into emerging areas of risk of interest to FINRA that member firms can expect to see raised in upcoming examinations.