Transparency Spreads to FINRA Exam Findings

On December 6, 2017, FINRA did something it has never done before: It released a summary report of its examination findings. While FINRA has annually released an examination priorities letter, this report is a first for examination findings. Why now? Credit FINRA’s new president and CEO, Robert W. Cook..  Since joining FINRA in 2016, Cook has been meeting with member firms and listening to their feedback concerning how FINRA can improve. Such meetings have been part of FINRA’s comprehensive self-evaluation and organizational improvement initiative called FINRA360. In a November 2017 FINRA webcast, Cook stated that, “We’re looking at a series of process improvements in our examination program, particularly our ‘cycle’ examination program, with a view to announcing those sometime in the next few months.” (Stay tuned for FINRA’s update on such improvements.)

As you dig into the report’s details, one cautionary note to bear in mind – FINRA pointed out that the 14-page report, “does not represent a complete inventory of observations about the industry, does not imply that any issues discussed exist at any firms,” and, perhaps most importantly, firms should not interpret the report’s findings “as creating new legal or regulatory requirements or new interpretations of existing requirements.” The report goes on to say, “There should be no inference, however, that FINRA requires firms to implement any specific practices described in this report that extend beyond the requirements of existing securities rules and regulations.”

So, what has FINRA been finding on its examinations?  Here’s a summary:

Not surprisingly, with cyber-crime leading the headlines on an almost weekly basis, cybersecurity heads the list of findings, as FINRA found that broker-dealers have increased their focus on “cybersecurity challenges over the past two years, including at the executive management level.”  Ascendant has observed the same, as cybersecurity risks are often at the top of senior management concerns when they’re asked about key risks facing their firms. The report lists six cybersecurity areas where firms could implement measures to improve their cybersecurity, leading with system access management, where the report states, “Some firms FINRA examined did not address basic access management issues such as terminating departing employees’ access to firm systems on a timely basis.” The lack of ongoing formal ITrelated risk assessments and vendor management due diligence processes are also noted in the report. The remaining cybersecurity concerns include:

  • Risk assessments – conducting a formal process to assess critical assets and the potential threats
  • Vendor management – reviewing a current or prospective vendor’s cybersecurity preparedness, including contract provisions regarding data breaches. FINRA also noted that in organizations in which firms leveraged their parent company programs, that the parent’s cybersecurity obligations were not properly documented, such as in a service level agreement.
  • Branch offices – branch offices generally have weaker controls around data security and incident reporting.
  • Segregation of duties – ensuring that developers don’t have access to live data.
  • Data loss prevention – implementing controls to prevent the transmission of critical information, such as account numbers or social security numbers.

Another highlighted topic concerns practices surrounding outside business activities and private securities transactions – FINRA Rules 3270 and 3280, respectively. The report stated “that Firms implemented various tools to identify individuals involved in undeclared Outside Business Activities (OBAs) and Private Securities Transactions (PSTs), including monitoring correspondence, fund movements, marketing materials, employee online activities and customer complaints. This also included monitoring for evidence of involvement in OBAs or PSTs the firm had prohibited.”

The report went on to list several other findings, summarized here:

  • Anti-Money Laundering – Firms were observed with inadequate procedures to detect and report suspicious activity, poor clarity around the assigned responsibility for monitoring, a lack of resources for AML monitoring and the failure to obtain independent testing of the AML program.
  • Product Suitability – FINRA observed that some firms failed to meet their suitability obligations to customers, specifically with respect to selecting appropriate mutual fund share classes and by recommending complex products without a reasonable basis to believe that the product was suitable in light of the client’s risk tolerance and investment time horizon. Further, FINRA noted that some firms failed to provide adequate training with respect to suitability issues.
  • Best Execution – FINRA expressed concern regarding the duty of best execution at firms that route or execute customer orders. FINRA found that some firms “failed to implement and conduct an adequate regular and rigorous review” of execution quality, including failing to compare execution quality against other competing markets.
  • Other topics:
    • Market access controls
    • Alternative investments held in Individual Retirement Accounts
    • Net capital and credit risk assessments
    • Order capacity
    • Regulation SHO
    • TRACE reporting

A Few Takeaway Tips

These observations are consistent with areas where Ascendant has assisted clients over the past year. As a response to the report, we offer a few key takeaways:

  1. First, closely review the report with special emphasis on any topics that impact your business model and then revisit your firm’s written policies and procedures (“WSPs”) to ensure that concerns discussed in the report are being addressed.
  2. Next, review those WSP sections for any material gaps.
  3. Test to ensure that the policies are being adhered to. For example, if your WSPs call for supervisory or compliance oversight of sales practice exception reports that identify red flags, make sure the oversight is being completed adequately, including documentation of the reviews. That said, it’s always an interesting exercise to perform a word search of your WSPs for the terms “review, analysis, and report.” Often, the search results will highlight reviews and/or reports required by your WSPs that may have been long forgotten or overlooked, especially, if you firm utilizes an off-the-shelf manual that has not been fully tailored. Testing is a crucial step.
  4. Finally, take advantage of practices described in the report, as FINRA points out, “This report also describes certain practices that FINRA has observed to be effective in appropriate circumstances, which other firms may be able to use as a resource in tailoring their compliance and supervisory programs to their business.”

Related Content

Latest Content

SEC Delays Form N-PORT Submission Requirements

On Friday, December 8, 2017, the SEC issued a Temporary Rule that provides a nine-month delay of the filing dates for certain registered investment companies to submit data using the new Form N-PORT via the EDGAR system. The SEC delayed the initial reporting requirement for Form N-PORT, giving the agency time to review data security … Continued

Cyber Crimes – Don’t Forget to File that SAR!

  Stopping, or even slowing, the proliferation of cyber-event related criminal activities remains a chief goal in the broker-dealer and investment advisory communities. As pointed out in a 2016 advisory released by the Financial Crimes Enforcement Network (“FinCen”), “Cyber-events targeting financial institutions often constitute criminal activity and can serve as means to commit a wide range of … Continued

DOL Rule Extension to Overlap with SEC Consideration of Fiduciary Standards

Following the Department of Labor’s November 27, 2017 announcement of an 18-month extension to the existing Fiduciary Rule transition period, the industry will enter a period of further study for proper standards for disclosure or elimination of conflicted compensation arrangements. That’s a mouthful right there. The Obama administration’s March 31, 2017 implementation of various new prohibited … Continued

Due Diligence of Sub-Advisers and Other Third-Parties

November’s Compliance Cast will look at the Adviser/Sub-adviser relationship, from the standpoint of sub-adviser. During the session, we will discuss: Qualities of an attractive sub-adviser candidate Initial and ongoing due diligence expectations Communications with the primary adviser Compliance and operational issues The session will be presented by Melanie Mendoza and Matt Calabro of Ascendant, and … Continued

Schedule 13D/13F Clarity on ETF Issues

Do I need to file a 13D or 13G if my client accounts hold in excess of 5% of an ETF? Generally, no. The SEC has granted no-action relief to ETFs with respect to compliance with Section 13(d) of the Securities Exchange Act. Section 13(d) was designed to require disclosure when holders begin to accumulate … Continued

Mailing List

Subscribe to the Ascendant Compliance email list for the latest compliance resources, conferences, ComplianceCasts™, and more.

Loading form...

Contact Us

Ascendant works together with clients to identify and assess critical needs through customized plans. If you need assistance with compliance functions, regulatory services, cybersecurity or technology tools, we’d love to speak with you.