On December 6, 2017, FINRA did something it has never done before: It released a summary report of its examination findings. While FINRA has annually released an examination priorities letter, this report is a first for examination findings. Why now? Credit FINRA’s new president and CEO, Robert W. Cook.. Since joining FINRA in 2016, Cook has been meeting with member firms and listening to their feedback concerning how FINRA can improve. Such meetings have been part of FINRA’s comprehensive self-evaluation and organizational improvement initiative called FINRA360. In a November 2017 FINRA webcast, Cook stated that, “We’re looking at a series of process improvements in our examination program, particularly our ‘cycle’ examination program, with a view to announcing those sometime in the next few months.” (Stay tuned for FINRA’s update on such improvements.)
As you dig into the report’s details, one cautionary note to bear in mind – FINRA pointed out that the 14-page report, “does not represent a complete inventory of observations about the industry, does not imply that any issues discussed exist at any firms,” and, perhaps most importantly, firms should not interpret the report’s findings “as creating new legal or regulatory requirements or new interpretations of existing requirements.” The report goes on to say, “There should be no inference, however, that FINRA requires firms to implement any specific practices described in this report that extend beyond the requirements of existing securities rules and regulations.”
So, what has FINRA been finding on its examinations? Here’s a summary:
Not surprisingly, with cyber-crime leading the headlines on an almost weekly basis, cybersecurity heads the list of findings, as FINRA found that broker-dealers have increased their focus on “cybersecurity challenges over the past two years, including at the executive management level.” Ascendant has observed the same, as cybersecurity risks are often at the top of senior management concerns when they’re asked about key risks facing their firms. The report lists six cybersecurity areas where firms could implement measures to improve their cybersecurity, leading with system access management, where the report states, “Some firms FINRA examined did not address basic access management issues such as terminating departing employees’ access to firm systems on a timely basis.” The lack of ongoing formal ITrelated risk assessments and vendor management due diligence processes are also noted in the report. The remaining cybersecurity concerns include:
- Risk assessments – conducting a formal process to assess critical assets and the potential threats
- Vendor management – reviewing a current or prospective vendor’s cybersecurity preparedness, including contract provisions regarding data breaches. FINRA also noted that in organizations in which firms leveraged their parent company programs, that the parent’s cybersecurity obligations were not properly documented, such as in a service level agreement.
- Branch offices – branch offices generally have weaker controls around data security and incident reporting.
- Segregation of duties – ensuring that developers don’t have access to live data.
- Data loss prevention – implementing controls to prevent the transmission of critical information, such as account numbers or social security numbers.
Another highlighted topic concerns practices surrounding outside business activities and private securities transactions – FINRA Rules 3270 and 3280, respectively. The report stated “that Firms implemented various tools to identify individuals involved in undeclared Outside Business Activities (OBAs) and Private Securities Transactions (PSTs), including monitoring correspondence, fund movements, marketing materials, employee online activities and customer complaints. This also included monitoring for evidence of involvement in OBAs or PSTs the firm had prohibited.”
The report went on to list several other findings, summarized here:
- Anti-Money Laundering – Firms were observed with inadequate procedures to detect and report suspicious activity, poor clarity around the assigned responsibility for monitoring, a lack of resources for AML monitoring and the failure to obtain independent testing of the AML program.
- Product Suitability – FINRA observed that some firms failed to meet their suitability obligations to customers, specifically with respect to selecting appropriate mutual fund share classes and by recommending complex products without a reasonable basis to believe that the product was suitable in light of the client’s risk tolerance and investment time horizon. Further, FINRA noted that some firms failed to provide adequate training with respect to suitability issues.
- Best Execution – FINRA expressed concern regarding the duty of best execution at firms that route or execute customer orders. FINRA found that some firms “failed to implement and conduct an adequate regular and rigorous review” of execution quality, including failing to compare execution quality against other competing markets.
- Other topics:
- Market access controls
- Alternative investments held in Individual Retirement Accounts
- Net capital and credit risk assessments
- Order capacity
- Regulation SHO
- TRACE reporting
A Few Takeaway Tips
These observations are consistent with areas where Ascendant has assisted clients over the past year. As a response to the report, we offer a few key takeaways:
- First, closely review the report with special emphasis on any topics that impact your business model and then revisit your firm’s written policies and procedures (“WSPs”) to ensure that concerns discussed in the report are being addressed.
- Next, review those WSP sections for any material gaps.
- Test to ensure that the policies are being adhered to. For example, if your WSPs call for supervisory or compliance oversight of sales practice exception reports that identify red flags, make sure the oversight is being completed adequately, including documentation of the reviews. That said, it’s always an interesting exercise to perform a word search of your WSPs for the terms “review, analysis, and report.” Often, the search results will highlight reviews and/or reports required by your WSPs that may have been long forgotten or overlooked, especially, if you firm utilizes an off-the-shelf manual that has not been fully tailored. Testing is a crucial step.
- Finally, take advantage of practices described in the report, as FINRA points out, “This report also describes certain practices that FINRA has observed to be effective in appropriate circumstances, which other firms may be able to use as a resource in tailoring their compliance and supervisory programs to their business.”