Transparency Spreads to FINRA Exam Findings

On December 6, 2017, FINRA did something it has never done before: It released a summary report of its examination findings. While FINRA has annually released an examination priorities letter, this report is a first for examination findings. Why now? Credit FINRA’s new president and CEO, Robert W. Cook. Since joining FINRA in 2016, Cook has been meeting with member firms and listening to their feedback concerning how FINRA can improve. Such meetings have been part of FINRA’s comprehensive self-evaluation and organizational improvement initiative called FINRA360. In a November 2017 FINRA webcast, Cook stated that, “We’re looking at a series of process improvements in our examination program, particularly our ‘cycle’ examination program, with a view to announcing those sometime in the next few months.” (Stay tuned for FINRA’s update on such improvements.)

As you dig into the report’s details, one cautionary note to bear in mind – FINRA pointed out that the 14-page report, “does not represent a complete inventory of observations about the industry, does not imply that any issues discussed exist at any firms,” and, perhaps most importantly, firms should not interpret the report’s findings “as creating new legal or regulatory requirements or new interpretations of existing requirements.” The report goes on to say, “There should be no inference, however, that FINRA requires firms to implement any specific practices described in this report that extend beyond the requirements of existing securities rules and regulations.”

So, what has FINRA been finding on its examinations?  Here’s a summary:

Not surprisingly, with cyber-crime leading the headlines on an almost weekly basis, cybersecurity heads the list of findings, as FINRA found that broker-dealers have increased their focus on “cybersecurity challenges over the past two years, including at the executive management level.” Ascendant has observed the same, as cybersecurity risks are often at the top of senior management concerns when they’re asked about key risks facing their firms. The report lists six cybersecurity areas where firms could implement measures to improve their cybersecurity, leading with system access management, where the report states, “Some firms FINRA examined did not address basic access management issues such as terminating departing employees’ access to firm systems on a timely basis.” The lack of ongoing formal IT-related risk assessments and vendor management due diligence processes is also noted in the report. The remaining cybersecurity concerns include:

  • Risk assessments – conducting a formal process to assess critical assets and the potential threats
  • Vendor management – reviewing a current or prospective vendor’s cybersecurity preparedness, including contract provisions regarding data breaches. FINRA also noted that in organizations in which firms leveraged their parent company programs, the parent’s cybersecurity obligations were not properly documented, such as in a service level agreement.
  • Branch offices – branch offices generally have weaker controls around data security and incident reporting.
  • Segregation of duties – ensuring that developers don’t have access to live data.
  • Data loss prevention – implementing controls to prevent the transmission of critical information, such as account numbers or social security numbers.

Another highlighted topic concerns practices surrounding outside business activities and private securities transactions – FINRA Rules 3270 and 3280, respectively. The report stated “that Firms implemented various tools to identify individuals involved in undeclared Outside Business Activities (OBAs) and Private Securities Transactions (PSTs), including monitoring correspondence, fund movements, marketing materials, employee online activities and customer complaints. This also included monitoring for evidence of involvement in OBAs or PSTs the firm had prohibited.”

The report went on to list several other findings, summarized here:

  • Anti-Money Laundering – Firms were observed with inadequate procedures to detect and report suspicious activity, poor clarity around the assigned responsibility for monitoring, a lack of resources for AML monitoring and the failure to obtain independent testing of the AML program.
  • Product Suitability – FINRA observed that some firms failed to meet their suitability obligations to customers, specifically with respect to selecting appropriate mutual fund share classes and by recommending complex products without a reasonable basis to believe that the product was suitable in light of the client’s risk tolerance and investment time horizon. Further, FINRA noted that some firms failed to provide adequate training with respect to suitability issues.
  • Best Execution – FINRA expressed concern regarding the duty of best execution at firms that route or execute customer orders. FINRA found that some firms “failed to implement and conduct an adequate regular and rigorous review” of execution quality, including failing to compare execution quality against other competing markets.
  • Other topics:
    • Market access controls
    • Alternative investments held in Individual Retirement Accounts
    • Net capital and credit risk assessments
    • Order capacity
    • Regulation SHO
    • TRACE reporting

A Few Takeaway Tips

These observations are consistent with areas where Ascendant has assisted clients over the past year. As a response to the report, we offer a few key takeaways:

  1. First, closely review the report with special emphasis on any topics that impact your business model and then revisit your firm’s written policies and procedures (“WSPs”) to ensure that concerns discussed in the report are being addressed.
  2. Next, review those WSP sections for any material gaps.
  3. Test to ensure that the policies are being adhered to. For example, if your WSPs call for supervisory or compliance oversight of sales practice exception reports that identify red flags, make sure the oversight is being completed adequately, including documentation of the reviews. That said, it’s always an interesting exercise to perform a word search of your WSPs for the terms “review, analysis, and report.” Often, the search results will highlight reviews and/or reports required by your WSPs that may have been long forgotten or overlooked, especially if your firm utilizes an off-the-shelf manual that has not been fully tailored. Testing is a crucial step.
  4. Finally, take advantage of practices described in the report, as FINRA points out, “This report also describes certain practices that FINRA has observed to be effective in appropriate circumstances, which other firms may be able to use as a resource in tailoring their compliance and supervisory programs to their business.”
