Transparency Spreads to FINRA Exam Findings

On December 6, 2017, FINRA did something it has never done before: It released a summary report of its examination findings. While FINRA has annually released an examination priorities letter, this report is a first for examination findings. Why now? Credit FINRA’s new president and CEO, Robert W. Cook..  Since joining FINRA in 2016, Cook has been meeting with member firms and listening to their feedback concerning how FINRA can improve. Such meetings have been part of FINRA’s comprehensive self-evaluation and organizational improvement initiative called FINRA360. In a November 2017 FINRA webcast, Cook stated that, “We’re looking at a series of process improvements in our examination program, particularly our ‘cycle’ examination program, with a view to announcing those sometime in the next few months.” (Stay tuned for FINRA’s update on such improvements.)

As you dig into the report’s details, one cautionary note to bear in mind – FINRA pointed out that the 14-page report, “does not represent a complete inventory of observations about the industry, does not imply that any issues discussed exist at any firms,” and, perhaps most importantly, firms should not interpret the report’s findings “as creating new legal or regulatory requirements or new interpretations of existing requirements.” The report goes on to say, “There should be no inference, however, that FINRA requires firms to implement any specific practices described in this report that extend beyond the requirements of existing securities rules and regulations.”

So, what has FINRA been finding on its examinations?  Here’s a summary:

Not surprisingly, with cyber-crime leading the headlines on an almost weekly basis, cybersecurity heads the list of findings, as FINRA found that broker-dealers have increased their focus on “cybersecurity challenges over the past two years, including at the executive management level.”  Ascendant has observed the same, as cybersecurity risks are often at the top of senior management concerns when they’re asked about key risks facing their firms. The report lists six cybersecurity areas where firms could implement measures to improve their cybersecurity, leading with system access management, where the report states, “Some firms FINRA examined did not address basic access management issues such as terminating departing employees’ access to firm systems on a timely basis.” The lack of ongoing formal ITrelated risk assessments and vendor management due diligence processes are also noted in the report. The remaining cybersecurity concerns include:

  • Risk assessments – conducting a formal process to assess critical assets and the potential threats
  • Vendor management – reviewing a current or prospective vendor’s cybersecurity preparedness, including contract provisions regarding data breaches. FINRA also noted that in organizations in which firms leveraged their parent company programs, that the parent’s cybersecurity obligations were not properly documented, such as in a service level agreement.
  • Branch offices – branch offices generally have weaker controls around data security and incident reporting.
  • Segregation of duties – ensuring that developers don’t have access to live data.
  • Data loss prevention – implementing controls to prevent the transmission of critical information, such as account numbers or social security numbers.

Another highlighted topic concerns practices surrounding outside business activities and private securities transactions – FINRA Rules 3270 and 3280, respectively. The report stated “that Firms implemented various tools to identify individuals involved in undeclared Outside Business Activities (OBAs) and Private Securities Transactions (PSTs), including monitoring correspondence, fund movements, marketing materials, employee online activities and customer complaints. This also included monitoring for evidence of involvement in OBAs or PSTs the firm had prohibited.”

The report went on to list several other findings, summarized here:

  • Anti-Money Laundering – Firms were observed with inadequate procedures to detect and report suspicious activity, poor clarity around the assigned responsibility for monitoring, a lack of resources for AML monitoring and the failure to obtain independent testing of the AML program.
  • Product Suitability – FINRA observed that some firms failed to meet their suitability obligations to customers, specifically with respect to selecting appropriate mutual fund share classes and by recommending complex products without a reasonable basis to believe that the product was suitable in light of the client’s risk tolerance and investment time horizon. Further, FINRA noted that some firms failed to provide adequate training with respect to suitability issues.
  • Best Execution – FINRA expressed concern regarding the duty of best execution at firms that route or execute customer orders. FINRA found that some firms “failed to implement and conduct an adequate regular and rigorous review” of execution quality, including failing to compare execution quality against other competing markets.
  • Other topics:
    • Market access controls
    • Alternative investments held in Individual Retirement Accounts
    • Net capital and credit risk assessments
    • Order capacity
    • Regulation SHO
    • TRACE reporting

A Few Takeaway Tips

These observations are consistent with areas where Ascendant has assisted clients over the past year. As a response to the report, we offer a few key takeaways:

  1. First, closely review the report with special emphasis on any topics that impact your business model and then revisit your firm’s written policies and procedures (“WSPs”) to ensure that concerns discussed in the report are being addressed.
  2. Next, review those WSP sections for any material gaps.
  3. Test to ensure that the policies are being adhered to. For example, if your WSPs call for supervisory or compliance oversight of sales practice exception reports that identify red flags, make sure the oversight is being completed adequately, including documentation of the reviews. That said, it’s always an interesting exercise to perform a word search of your WSPs for the terms “review, analysis, and report.” Often, the search results will highlight reviews and/or reports required by your WSPs that may have been long forgotten or overlooked, especially, if you firm utilizes an off-the-shelf manual that has not been fully tailored. Testing is a crucial step.
  4. Finally, take advantage of practices described in the report, as FINRA points out, “This report also describes certain practices that FINRA has observed to be effective in appropriate circumstances, which other firms may be able to use as a resource in tailoring their compliance and supervisory programs to their business.”

Related Content

Latest Content

When Policies, Procedures and Testing Protocols Aren’t Enough…

The Compliance Program Rule continues to be a powerful tool for SEC enforcement, recently used by the SEC to address trading away in wrap accounts, misappropriation of retail client assets, and the misuse of an omnibus account. Advisory firms had written policies and procedures and testing protocols, but they were not good enough; are yours? … Continued

The Compliance Professionals Guide to Effective Trade Desk Monitoring

Global regulators continue to enhance their ability to monitor the activities of market participants through a combination of new rules, filing requirements, and upgrades to surveillance technologies. As a result, many market participants, including both buy-and sell-side firms, need to re-assess how they currently monitor the trading desk, and whether new policies and procedures are … Continued

How Do You Supervise for SEC Pay-to-Play Violations?

If you wanted more information about the contours of the SEC’s Pay-to-Play Rule, or how the SEC may enforce it, three recent Settlement Orders against large investment advisers for “over de minimis” political contributions provide some insight regarding one of the prohibitions: Contributions by Covered Associates to certain Government Officials over the specified Exception amount (capitalized words are terms in the … Continued

Do your Fund Documents Clearly Disclose Receipt of Accelerated Monitoring Fees?

Somewhat more reminiscent of the broken-windows enforcement era, two affiliated private equity advisers managing billions settled with the SEC on charges that they failed to make pre-commitment disclosures in fund governing documents related to accelerated fees received from portfolio companies. Interestingly, according to the Settlement Order, the advisers had made some disclosures in fund documents … Continued

With New Risk Alert, SEC Doubles Down on Best Execution

On July 11, 2018, the SEC issued a Risk Alert outlining commonly found compliance issues related to best execution by investment advisers. Advisers have an obligation to seek best execution of client transactions, taking into consideration quantitative factors such as execution quality and commission rate, as well as more qualitative factors such as the value … Continued

Mailing List

Subscribe to the Ascendant Compliance email list for the latest compliance resources, conferences, ComplianceCasts™, and more.

Loading form...

Contact Us

Ascendant works together with clients to identify and assess critical needs through customized plans. If you need assistance with compliance functions, regulatory services, cybersecurity or technology tools, we’d love to speak with you.