2023 REPORT ON FINRA’S EXAMINATION AND RISK MONITORING PROGRAM
On January 10, 2023, the Financial Industry Regulatory Authority (“FINRA”) issued its 2023 Report on FINRA’s Examination and Risk Monitoring Program (the “Report”). The Report, which is a more comprehensive version of the “Risk Monitoring and Exam Priorities Letter” that FINRA published in prior years, provides insights and observations on key regulatory topics. Specifically, FINRA (i) identifies the relevant rule(s), (ii) highlights key considerations for member firms’ compliance programs, (iii) summarizes noteworthy findings or observations from recent oversight activities, (iv) outlines effective practices that FINRA observed through its oversight activities, and (v) provides references to resources that may be helpful to member firms in reviewing their supervisory procedures and controls with respect to these topics. In addition, FINRA’s podcast “2023’s Must-Read, Report on FINRA’s Examination and Risk Monitoring Program” (“Podcast”) provides a helpful overview of, and focus on, some of the principal findings in the Report.
The Report serves as a valuable tool for firms to perform a risk assessment, identify potential gaps in their existing compliance programs, and improve their supervisory procedures and controls as the Report is often thought of as a roadmap for potential future enforcement interests.
The following section provides an overview of four new priorities, and certain continuing priorities, that FINRA highlighted in the Report.
We are currently advising firms on their existing compliance programs and the guidance set forth in the Report, and would be happy to discuss any questions you may have.
New and Continuing Priorities
FINRA’s newly identified priorities for 2023 are:
- Manipulative Trading: Manipulative trading, together with Cybersecurity and Technology Governance and Anti-Money Laundering, Fraud and Sanctions, is captured in a section entitled, “Financial Crimes”. According to FINRA, the addition of this section was to underscore its increased focus on protecting investors and safeguarding market integrity against these threats. With respect to manipulative trading, FINRA’s findings principally centered on firms’ failure to (i) implement adequate written supervisory procedures to identify firm personnel to monitor manipulative conduct, (ii) establish escalation processes, (iii) implement surveillance controls to capture manipulative trading, and (iv) monitor customer activity to identify patterns of potential manipulation.
- Fixed Income and Fair Pricing: FINRA highlighted that firms incorrectly determined the prevailing market price, had outdated mark-up/mark-down grids, and failed to implement reasonable supervision for establishing fair pricing in fixed income securities.
- Fractional Shares—Reporting and Order Handling: FINRA generally found that firms failed to report, or to report in a timely manner, fractional share orders, routes, and trades to trade reporting facilities (e.g., ORF or CAT), and failed to implement adequate supervisory procedures or controls to ensure effective reporting practices. FINRA advised that firms should refer to FINRA’s guidance on fractional share executions, including CAT and trade reporting FAQs.
- Regulation SHO—Bona Fide Market Making Exemptions and Reuse of Locates for Intraday Buy-to-Cover Trades: FINRA observed that firms relied on Regulation SHO’s bona fide market making exceptions with respect to proprietary trading activity that is not eligible for such exceptions and did not comply with the guidance set forth under Question 4.4 of the SEC’s Reg SHO FAQ with respect to reuse of locates to short sales of threshold or hard to borrow securities. FINRA provided examples of how firms should establish supervisory systems and appropriate policies and procedures to comply with the same.
FINRA also emphasized continuing priorities in its Report (and has provided additional insight about its concerns in its Podcast) that, in its view, present evolving risks worth highlighting:
- Anti-Money Laundering (“AML”): One of FINRA’s principal concerns with respect to AML compliance is new account fraud where accounts are opened using stolen or synthetic identities, which are used for a range of suspicious or illicit activities, including, for example, fraudulent account transfers to ACATS, the Automated Customer Account Transfer Service. The Report covers FINRA’s findings regarding this threat and discusses examples of effective practices firms are employing to mitigate it. The Report also identifies manipulative trading of small cap IPOs and sanctions evasions as emerging risk areas.
- Regulation Best Interest (“Reg BI”) and Form CRS: Reg BI and Form CRS remain areas of focus across FINRA’s regulatory operations programs. FINRA’s observations generally concern firms making recommendations that adhere to Reg BI’s Care Obligation, identifying and addressing conflicts of interest, disclosure to retail customers of material facts as they relate to conflicts of interest, establishing and enforcing adequate written supervisory procedures, including the provision of effective staff training, and filing, delivering, and tracking accurate Forms CRS. FINRA advised that it will focus on (i) the intersection of Reg BI and complex products, particularly with respect to reasonable alternatives to a new product, (ii) whether a brokerage or fee-based product or other account types are in the best interest of the client and documenting that decision, and (iii) how firms determine what is a recommendation and the accuracy of such determination.
- Cybersecurity: FINRA’s Cyber and Analytics Unit team examines member firms’ cybersecurity risk management through reviews of their controls. FINRA highlights instances where firms did not have reasonably designed procedures to investigate cyber events and to determine whether a suspicious activity report (“SAR”) filing should be made, emphasizing that many cyber threats should be strongly considered for filing an SAR. The Report also provides an update on effective cybersecurity practices, including specific risks associated with ransomware. It also addresses managing the risks associated with firms’ critical vendors or third-party providers.
- Complex Products and Options: FINRA confirmed that it will continue to review firms’ communications and disclosures made to customers in relation to complex products. FINRA advised that firms should review Regulatory Notice 22-08 regarding their compliance obligations for complex products and options. FINRA advised that it will share its results from its targeted exam of firms’ crypto asset retail communications that it announced in November 2022, which evaluated whether these communications contained false or misleading statements or claims, misrepresented the extent to which the federal securities laws or FINRA rules apply to a crypto asset product or service, or failed to balance the benefits of crypto asset products with their associated investment risks.
- Consolidated Audit Trail (“CAT”): FINRA continues to evaluate member firms that receive or originate orders in National Market System (“NMS”) stocks, over-the-counter equity securities, and listed options for compliance with Securities Exchange Act of 1934, as amended (“Exchange Act”) Rule 613 and the CAT NMS Plan FINRA Rule 6800 Series (Consolidated Audit Trail Compliance Rule). As a general matter, FINRA’s review centers on timely submission of reportable events and corrections, reporting complete and accurate CAT records, and effectively supervising third-party vendors, including those responsible for CAT submissions and clock synchronization.
- Order Handling, Best Execution, and Conflicts of Interest: With respect to these compliance obligations, FINRA continues to evaluate whether firms are fully and promptly executing marketable customer orders, adequately conducting periodic “regular and rigorous reviews,” and clearly and completely disclosing the specific terms of any profit-sharing relationships, such as payment for order flow, with venues to which they route orders. FINRA also expressed that firms are not publishing accurate quarterly reports under Rule 606. The Report includes findings and observations from FINRA’s targeted exam in 2020 that evaluated the impact that not charging commissions has or will have on member firms’ order-routing practices and decisions, and other aspects of member firms’ business, and its targeted reviews of wholesale market makers concerning their order handling practices for customer orders they receive from other broker-dealers.
- Mobile Apps: Among FINRA’s concerns with respect to mobile apps are whether they encourage retail investors to engage in trading activities and strategies that may not be consistent with their investment goals or risk tolerance, and how the apps’ interface designs and functionality could influence investor behavior. FINRA observed that mobile apps were not adequately distinguishing between the products and services of the broker-dealer and those of affiliates or other third parties such as transactions. For example, firms did not always make it clear that it was their crypto asset affiliate or the third party that was offering the crypto assets and not the broker-dealer. FINRA noted that this lack of clarity may raise client confusion about whether a product is protected under SIPC, under FDIC, or not protected at all. FINRA also continues to monitor whether mobile apps disclose and explain risks of higher-risk products or services such as certain option and margin lending activities.
- Books and Records: FINRA reminded firms that compliance with their books and recordkeeping requirements continues to be a focus of FINRA’s review. FINRA also noted the SEC’s recent amendments to Exchange Act Rule 17a-4 that modernize electronic recordkeeping obligations for broker-dealers, which include an audit-trail alternative to the existing requirement that firms preserve electronic records exclusively in a non-rewritable, non-erasable format. FINRA reminded firms that the amendments modify the language of the required undertakings under Exchange Act Rule 17a-4(f) and, for this reason, the firms will need to file new undertaking letters that include the new language before May 3, 2023, the compliance date.
- Off-Channel Communications: As part of firms’ books and recordkeeping obligations noted above, FINRA advised that it will focus on firms’ supervisory procedures governing off-channel communications, including the steps firms have taken to address the issue, the types of compliant technologies firms have incorporated to ensure employees can text in a compliant manner, whether all appropriate firm personnel are provided with this technology, and the adequacy of firms’ training programs in connection with the same. FINRA will also examine whether texts are fully ingested into a firm’s system, in the manner of emails, and whether those texts are surveilled and supervised in the same manner as other electronic communications. In this regard, FINRA will review firms’ policies and procedures, their annual compliance questionnaire process, and whether there are adequate consequences for employees who are not fulfilling their obligations to communicate in a compliant manner.
- Funding Portals: FINRA observed that during certain exams, there were instances where the funding portals did not deny access to their platforms to issuers where there were clear red flags suggesting the potential for fraud. Examples of this “red flag” behavior included issuers not providing all the required disclosures or otherwise making obviously misleading or exaggerated statements. FINRA also observed that some funding portals were making recommendations or offering investment advice, which is prohibited under the JOBS Act and Regulation Crowdfunding. In addition, certain funding portals didn't ensure that investor funds were being returned promptly if an offering was, for example, not successfully completed or if the return of funds is otherwise required by Regulation Crowdfunding.
- Liquidity Risk Management: FINRA reminded firms that liquidity management is an essential element of their financial responsibility. FINRA emphasized that firms were not making provision for reasonable clearing deposit stress amounts in their stress tests and that clearing deposit stress tests were sometimes based on information that didn’t accurately reflect the business operations of the firm. Concern was also expressed that firms were not developing liquidity contingency plans to operate in a stressed environment, including, for example, the process for accessing liquidity and standards on how liquidity funding will be used if there is a triggering event.
- Environmental, Social, and Governance (“ESG”) in Communications with the Public: FINRA referred to ESG in the Report when discussing firms’ regulatory obligations with respect to communications with the public. FINRA discovered that some firms’ ESG communications discussed misleading rankings, ratings or awards, and included claims about funds that were “inconsistent with or unsupported by” offering documents. Accordingly, FINRA said that firms need to be “[i]mplementing and maintaining reasonably designed procedures for communications promoting ESG factors,” including “by prominently describing the risks associated with ESG funds.”
- Private Placements: FINRA observed that firms have failed to maintain procedures and supervisory processes to perform sufficient due diligence where required, maintain adequate due diligence files evidencing such reviews, or comply with the private placement filing requirements set forth under FINRA Rules 5122 and 5123.
FINRA expects that member firms will consider the priorities in the Report as they develop and assess their compliance, supervisory, and risk management programs. In addition, member firms may find it useful to revisit the specific rules and related guidance noted in the Report as a reference to ensure that their policies and procedures are current as to any recent amendments.
While potential enforcement risks vary for every firm and are fact-and-circumstance-specific, this Report can be used as part of firms’ strategic efforts to manage their compliance risks and potentially minimize the risk of enforcement action.
As noted above, we are currently advising firms on their existing compliance programs in respect of the guidance set forth in the Report. We are happy to discuss any questions you may have.