FINRA’s Examination and Risk Monitoring Program 2021

FINRA released its 2021 Report on FINRA’s Examination and Risk Monitoring Program on Feb 10th, 2021. The report sets the direction for the market for 2021.

Please Note: All information here is as stated in FINRA’s report. This article is intended to cover only the areas where La Meer offers solutions and is not the complete report. For the complete report, please refer to the original document linked below.

https://www.finra.org/sites/default/files/2021-02/2021-report-finras-examination-risk-monitoring-program.pdf

Note 2 : We have used the material from the report to create this article and portions of it are verbatim to keep the legal language, as stated by FINRA. FINRA copyright is acknowledged.

Selected Highlights from their Examination Priorities

The Report addresses several key regulatory topics for each of the four categories:

  • Firm Operations
  • Communications and Sales
  • Market Integrity
  • Financial Management

There are several key areas to highlight that impact compliance programs across a large population of member firms:

Regulation Best Interest and Form CRS

FINRA will continue to focus on assessing whether member firms have established and implemented policies, procedures and a system of supervision reasonably designed to comply with Reg BI and Form CRS.

  • In 2021, FINRA intends to expand the scope of its Reg BI and Form CRS reviews and testing to effect a more comprehensive review of firm processes, practices and conduct, and to take appropriate action where it sees conduct that may cause customer harm, violates previous standards (e.g., suitability), or indicates a clear disregard of the requirements of Reg BI and Form CRS.
  • Member firms should review the considerations FINRA staff will use when examining a firm for compliance with Reg BI and Form CRS.

Reg BI Communication and Sales

Reg BI establishes a “best interest” standard of conduct for broker-dealers and associated persons when they make a recommendation to retail customers of any securities transaction or investment strategy involving securities, including recommendations of types of accounts.

Broker-dealers are also required to provide a brief relationship summary, Form CRS, to retail investors on the types of client and customer relationships and services the firm offers; the fees, costs, conflicts of interest, and required standard of conduct associated with those relationships and services; whether the firm and its financial professionals currently have reportable legal or disciplinary history; and how to obtain additional information about the firm.

Related Considerations

  • Does the firm have policies, procedures and controls in place to assess recommendations using a best interest standard?
  • Do the firm and associated persons apply a best interest standard to recommendations of types of accounts and recommendations to roll over or transfer assets from one type of account to another?
  • Do the firm’s policies, procedures and controls continue to address compliance with FINRA Rule 2111 (Suitability), which still applies to recommendations made to non-retail investors?
  • Does the firm have policies, procedures and controls addressing Reg BI’s recordkeeping requirements?
  • Has the firm provided adequate Reg BI training to its sales and supervisory staff?
  • Do the firm and associated persons consider the express new elements of care, skill and costs when making recommendations to retail customers?
  • Do your firm and your associated persons consider reasonably available alternatives to the recommendation?
  • Do your firm and your registered representatives guard against excessive trading, irrespective of whether the broker-dealer or associated person “controls” the account?
  • Does your firm have policies and procedures to provide the disclosures required by Reg BI?
  • Does the firm place any material limitations on the securities or investment strategies involving securities that may be recommended to a retail customer, and if so, does the firm address and disclose such limitations?
  • Does your firm have policies and procedures to identify and address conflicts of interest?
  • If the firm is not dually registered as an investment adviser, commodity advisor or municipal advisor, does the firm or any of its associated persons who are not dually registered advisors or advisory representatives use “adviser” or “advisor” in their name or title?
  • Does the firm have policies, procedures and controls in place regarding the filing, updating and delivery of Form CRS?
  • Does the firm’s Form CRS accurately respond to the disciplinary history question with regard to the firm and its financial professionals?
  • If the firm has a website, has it posted its Form CRS in a prominent location on that website?
  • Does your firm’s Form CRS include required conversation starters, headers and prescribed language?

Exam Findings and Effective Practices

As FINRA is in the early stages of reviewing for compliance with these new obligations, this Report will not include exam findings or effective practices relating to Reg BI and Form CRS. FINRA notes that the SEC held a virtual Roundtable on Regulation Best Interest and Form CRS that discussed some early examination findings.

FINRA anticipates issuing a separate publication in the future after more exams have been conducted. FINRA reminds firms to review the materials noted in the Additional Resources section below.

Additional Resources

  • Regulatory Notice 20-18 (FINRA Amends Its Suitability, Non-Cash Compensation and Capital Acquisition Broker (CAB) Rules in Response to Regulation Best Interest)
  • Regulatory Notice 20-17 (FINRA Revises Rule 4530 Problem Codes for Reporting Customer Complaints and for Filing Documents Online)
  • FINRA Highlights Firm Practices from Regulation Best Interest Preparedness Reviews
  • SEC’s Regulation Best Interest, Form CRS and Related Interpretations
  • FINRA’s Regulation Best Interest (Reg BI) Topic Page

Anti-Money Laundering

The Bank Secrecy Act (BSA) requires firms to monitor for, detect and report suspicious activity conducted or attempted by, at, or through the firms to the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN). Firms should also be aware of the recently enacted Anti-Money Laundering Act of 2020, which may result in material revisions to the implementing regulations over time.

FINRA Rule 3310 (Anti-Money Laundering Compliance Program) requires that members:

  • Develop and implement a written anti-money laundering (AML) program reasonably designed to comply with the requirements of the BSA and its implementing regulations.
  • Additionally, FinCEN’s Customer Due Diligence (CDD) rule requires that firms identify beneficial owners of legal entity customers, understand the nature and purpose of customer accounts, and conduct ongoing monitoring of customer accounts to identify and report suspicious transactions and—on a risk basis—update customer information.

Related Considerations

  • How does the firm’s AML compliance program address new business lines, products, customers and risks?
  • Does the firm tailor and adequately resource their AML program to the firm’s business model and associated AML risks?
  • Does the firm’s independent testing confirm that it maintains appropriate risk-based procedures for collecting and verifying customer identification information on all individuals and entities that would be considered customers under the Customer Identification Program rule, and beneficial owners of legal entity customers under the CDD rule?
  • Does the firm review the integrity of its data feeds for its surveillance and monitoring programs?
  • How does the firm coordinate with their clearing firm, including with respect to the filing of joint suspicious activity reports?
  • Does the firm document the results of its reviews and investigations into potentially suspicious activity identified by exception reports?

Exam Findings and Effective Practices

  • Inadequate AML Transaction Monitoring – Not tailoring transaction monitoring to address firms’ business risk(s).
  • Limited Scope for Suspicious Activity Reports (SARs) – Not requiring staff to notify AML departments or file SARs for a range of events involving suspicious transactions, such as financial crime-related events, including but not limited to cybersecurity events, account compromises, account takeovers, new account fraud and fraudulent wires.
  • Inadequate AML Framework for Cash Management Accounts – Failing to incorporate, or account for, in their AML programs, the AML risks relating to Cash Management Accounts, including the following:
    • monitoring, investigating and reporting suspicious money movements
    • a list of red flags in their WSPs indicative of potentially suspicious transactions; or
    • expanding or enhancing their AML compliance program resources to address Cash Management Accounts.
  • Unclear Delegation of AML Responsibilities – Non-AML staff (e.g., business line staff responsible for trade surveillance) failing to escalate suspicious activity monitoring alerts to AML departments because firms did not:
    • Clearly define the activities that were being delegated;
    • Articulate those delegations and related surveillance responsibilities in their WSPs; or
    • Train non-AML staff on AML surveillance policies and procedures.
  • Data Integrity Gaps – Excluding certain types of data and customer accounts from monitoring programs as a result of problems with ingesting certain data, inaccuracies and missing information in data feeds.
  • Failure to Document Investigations – Not documenting initial reviews and investigations into potentially suspicious activities identified by SARs.
  • Concerns About High-Risk Trading by Foreign Legal Entity Accounts – Inadequate identification of or follow-up on increased trading by foreign legal entity accounts in similar low-float and low-priced securities, which raised concerns about potential ownership or control by similar beneficial owners.
  • Insufficient Independent Testing – Not reviewing how the firm’s AML program was implemented; not ensuring independence of the testing; and not completing tests on an annual calendar year basis.
  • Improper Reliance on Clearing Firms – Introducing firms relying primarily or entirely on their clearing firms for transaction monitoring and suspicious activity reporting, even though they are required to monitor for suspicious activity attempted or conducted through their firms.

Emerging AML and Other Financial Crime Risks

Microcap and Other Fraud – Some firms continue to engage in fraud, financial crimes and other problematic practices, such as those described in the SEC Staff Bulletin: Risks Associated with Omnibus Accounts Transacting in Low-Priced Securities, which addresses microcap and penny stock activity transacted in omnibus accounts maintained for foreign financial institutions and foreign affiliates of U.S. broker-dealers.

Issuers Based in Restricted Markets – Certain foreign national and foreign entity nominee accounts appear to have been opened solely to invest in the initial public offerings and subsequent aftermarket trading in one or more exchange-listed issuers based in restricted markets, such as China. FINRA has observed red flags that the owners of the accounts may be acting at the direction of others, multiple accounts being opened using the same foreign bank for the source of funds or multiple accounts with the same employer and same email domain. The trading activity may include multiple similar limit orders being placed by the accounts at the same time, which could be indicative of coordinated and manipulative trading of the issuers’ securities.

Risks Relating to Special Purpose Acquisition Companies (SPACs) – Some firms are engaging in the formation and initial public offerings (IPOs) of SPACs without having adequate WSPs that would require independently conducting due diligence of SPACs’ sponsors, and procedures that address other potential fraud risks, including but not limited to:

  • Misrepresentations and omissions in offering documents and communications with shareholders regarding SPAC acquisition targets, such as the prospects of the target company and its financial condition;
  • Fees associated with SPAC transactions, including cash and non-cash compensation and compensation earned by affiliates;
  • Control of funds raised in SPAC offerings; and
  • Insider trading (where underwriters and SPAC sponsors may possess and trade around material non-public information regarding potential SPAC acquisition targets, including private placement offerings with rights of first refusal provided to certain investors prior to the acquisition).

Effective Practices

Customer Identification Program – Using, on a risk-basis, both documentary (such as drivers’ licenses or passports) and non-documentary methods (such as using third-party sources) to verify customers’ identities.

Monitoring for Fraud During Account Opening – Implementing additional precautions during account opening, including limiting automated approval of multiple accounts opened by a single customer; reviewing account application fields for repetition or commonalities among multiple applications; and using technology to detect indicators of automated scripted attacks in the digital account application process.
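The field-commonality review described above, which also covers the shared bank, employer and email-domain red flags noted under Issuers Based in Restricted Markets, sketched as an added example that is not taken from FINRA’s report or from La Meer. The field names, thresholds, free-mail list and sample applications are constructed assumptions.

```python
from collections import defaultdict

# Free-mail domains are shared by unrelated applicants, so counting them as a
# commonality would flag most retail customers (assumed list; extend as needed).
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}

# Constructed sample applications; every name and domain here is fictitious.
APPLICATIONS = [
    {"id": "A1", "email": "u1@acme-trading.example",
     "employer": "Acme Trading Ltd", "source_bank": "First Harbor Bank"},
    {"id": "A2", "email": "u2@ACME-trading.example",
     "employer": "acme  trading ltd", "source_bank": "First Harbor Bank"},
    {"id": "A3", "email": "u3@acme-trading.example ",
     "employer": "Acme Trading Ltd", "source_bank": "first harbor bank"},
    {"id": "A4", "email": "pat@gmail.com",
     "employer": "City Hospital", "source_bank": "First Harbor Bank"},
    {"id": "A5", "email": "sam@gmail.com",
     "employer": "Self-employed", "source_bank": "Union Savings"},
    {"id": "A6", "email": "kim@gmail.com",
     "employer": "Riverside School", "source_bank": "Union Savings"},
]


def _clean(text):
    """Lower-case and collapse whitespace so trivial variations still match."""
    return " ".join(text.lower().split()) or None


def normalize(app):
    """Reduce one application to the comparable keys used for grouping."""
    domain = app["email"].rsplit("@", 1)[-1].strip().lower()
    return {
        "email_domain": None if domain in FREE_MAIL else domain,
        "employer": _clean(app["employer"]),
        "source_bank": _clean(app["source_bank"]),
    }


def find_commonalities(apps, min_accounts=3):
    """Return {(field, value): [ids]} for values shared by >= min_accounts."""
    groups = defaultdict(list)
    for app in apps:
        for field, value in normalize(app).items():
            if value is not None:
                groups[(field, value)].append(app["id"])
    return {key: ids for key, ids in groups.items() if len(ids) >= min_accounts}


def review_queue(apps, min_accounts=3, min_fields=2):
    """Ids of applications that sit in shared groups on >= min_fields fields.

    Requiring overlap on more than one field keeps a single popular bank or
    large employer from sending every applicant to manual review.
    """
    hits = defaultdict(set)
    for (field, _value), ids in find_commonalities(apps, min_accounts).items():
        for app_id in ids:
            hits[app_id].add(field)
    return sorted(a for a, fields in hits.items() if len(fields) >= min_fields)


if __name__ == "__main__":
    for key, ids in find_commonalities(APPLICATIONS).items():
        print(key, ids)
    print("hold for review:", review_queue(APPLICATIONS))
```

Applications placed in the queue are candidates for holding automated approval pending manual review; the grouping result itself is worth retaining as documentation of why each account was escalated.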

Bank Account Verification, Restrictions on Fund Transfers and Ongoing Monitoring – Confirming customers’ identities through verbal confirmation, following client verification protocols or using a third-party verification service, such as Early Warning System (EWS); monitoring of outbound money movement requests post-ACH set-up; restricting fund transfers in certain situations; and conducting ongoing monitoring of accounts.

Collaboration With Clearing Firms – Understanding the allocation of responsibilities between clearing and introducing firms for handling ACH transactions; and implementing policies and procedures to comply with those responsibilities.

AML Compliance Tests – Confirming that annual AML independent tests evaluate the adequacy of firms’ AML compliance programs, review firms’ SAR reporting processes, and include sampling and transaction testing of firms’ monitoring programs.

Risk Assessments – Updating risk assessments based on the results of AML independent tests, audits, and changes in size or risk profile of the firms, including their businesses, registered representatives and customer account types; and using AML risk assessments to inform the focus of firms’ independent AML tests.

Testing of Transaction Monitoring and Model Validation – Performing regular, ongoing testing and tuning of transaction monitoring models, scenarios and thresholds; and confirming the integrity of transaction monitoring data feeds and validating models (which are more frequently used at large firms).

Collaboration with AML Department – Increasing the likelihood that all potentially reportable events are referred to the AML department by establishing a line of communication (such as reporting and escalation processes, awareness and educational programs, regular meetings, policies and procedures, or exception reports) between the AML department and other departments that may observe potentially reportable events (such as registered representatives and client-facing teams, technology, cybersecurity, compliance, operations, trading desks and fraud departments).

Training Programs – Designing training programs for each of the roles and responsibilities of the AML department (as well as departments that regularly work with AML) and addressing all AML regulatory and industry developments.

Additional Resources

  • Regulatory Notice 20-13 (FINRA Reminds Firms to Beware of Fraud During the Coronavirus (COVID-19) Pandemic)
  • Regulatory Notice 19-18 (FINRA Provides Guidance to Firms Regarding Suspicious Activity Monitoring and Reporting Obligations)
  • SEC Staff Bulletin: Risks Associated with Omnibus Accounts Transacting in Low-Priced Securities
  • Anti-Money Laundering (AML) Template for Small Firms
  • Frequently Asked Questions (FAQ) Regarding Anti-Money Laundering (AML)
  • Anti-Money Laundering (AML) Topic Page

Cybersecurity and Technology Governance

Member firms’ ongoing and increasing reliance on technology for many customer-facing activities, communications, trading, operations, back-office and compliance programs, especially in our current remote work environment, requires them to address new and existing cybersecurity risks, including risks relating to cybersecurity-enabled fraud and crime.

  • Firms’ cybersecurity programs should be reasonably designed and tailored to the firm’s risk profile, business model and scale of operations.
  • FINRA reminds firms that it will review cybersecurity programs for compliance with business continuity plan requirements, as well as the SEC’s Regulation S-P Rule 30, which requires member firms to have policies and procedures addressing the protection of customer records and information.
  • Given the increase in remote work and virtual client interactions, combined with an increase in cyber-related crimes, FINRA encourages member firms to review the considerations, observations and effective practices noted in the Report, as well as Regulatory Notice 20-13 (FINRA Reminds Firms to Beware of Fraud During the Coronavirus (COVID-19) Pandemic), Report on Selected Cybersecurity Practices – 2018 and Report on Cybersecurity Practices – 2015.

Regulatory Obligations and Related Considerations

Regulatory Obligations

The SEC’s Regulation S-P Rule 30 requires firms to have written policies and procedures that are reasonably designed to safeguard customer records and information. FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information) also applies to denials of service and other interruptions to members’ operations. In addition to firms’ compliance with SEC regulations, FINRA reminds firms that cybersecurity remains one of the principal operational risks facing broker-dealers, and expects firms to develop reasonably designed cybersecurity programs and controls that are consistent with their risk profile, business model and scale of operations.

Technology-related problems, such as problems in firms’ change- and problem-management practices, can expose firms to operational failures that may compromise firms’ ability to comply with a range of rules and regulations, including FINRA Rules 4370 (Business Continuity Plans and Emergency Contact Information), 3110 (Supervision) and 4511 (General Requirements), as well as Securities Exchange Act of 1934 (Exchange Act) Rules 17a-3 and 17a-4.

Related Considerations

  • What kind of governance structure has the firm developed to identify and respond to cybersecurity risks?
  • What is the scope of the firm’s Data Loss Prevention program, including encryption controls?
  • How does the firm address branch-specific cybersecurity risks?
  • What kind of training does the firm conduct on cybersecurity, including phishing?
  • What process does the firm have to evaluate its vendors’ cybersecurity controls?
  • Has the firm implemented multi-factor authentication (MFA) or other relevant access management controls?
  • What controls does the firm implement to mitigate system capacity performance and integrity issues that may undermine its ability to conduct business and operations, monitor risk or report key information?
  • How does the firm document system change requests and approvals?
  • What type of testing does the firm perform prior to changes being moved into a production environment and post-implementation?
  • What are the firm’s procedures for tracking information technology problems and their remediation?
  • Does the firm categorize problems based on their business impact?

Exam Observations and Effective Practices

Exam Observations

  • Data Loss Prevention Programs – Not encrypting all confidential data, including a broad range of non-public customer information in addition to Social Security numbers (such as other account profile information and firm information).
  • Branch Policies, Controls and Inspections – Not maintaining branch-level written cybersecurity policies; inventories of branch-level data, software and hardware assets; and branch-level inspection and automated monitoring programs.
  • Training – Not providing comprehensive training to registered representatives, personnel, third-party providers and consultants on cybersecurity risks relevant to individuals’ roles and responsibilities, including phishing.
  • Vendor Controls – Not implementing and documenting formal policies and procedures to review prospective and existing vendors’ cybersecurity controls and managing the lifecycle of firms’ engagement with all vendors (i.e., from onboarding, to ongoing monitoring, through off-boarding, including defining how vendors will dispose of non-public client information).
  • Access Management – Not implementing access controls, including developing a “policy of least privilege” to grant system and data access only when required and removing it when no longer needed; not limiting and tracking individuals with administrator access; and not implementing MFA for registered representatives, employees, vendors and contractors.
  • Inadequate Change Management Supervision – Insufficient supervisory oversight for application and technology changes (including upgrades, modifications to or integration of firm or vendor systems), which lead to violations of other regulatory obligations, such as those relating to data integrity, cybersecurity, books and records, and confirmations.
  • Limited Testing and System Capacity – Order management system, account access and trading algorithm malfunctions due to a lack of testing for changes or system capacity issues.

Effective Practices

  • Insider Threat and Risk Management – Collaborating across technology, risk, compliance, fraud, and internal investigations/conduct departments to assess key risk areas, monitor access and entitlements, and investigate potential violations of firm rules or policies with regard to data access or data accumulation.
  • Incident Response Planning – Establishing and regularly testing written formal incident response plans that outlined procedures for responding to cybersecurity and information security incidents; and developing frameworks to identify, classify, prioritize, track and close cybersecurity-related incidents.
  • System Patching – Implementing timely application of system security patches to critical firm resources (e.g., servers, network routers, desktops, laptops and software systems) to protect non-public client or firm information.
  • Asset Inventory – Creating and keeping current an inventory of critical information technology assets—including hardware, software and data—as well as corresponding cybersecurity controls.
  • Change Management Processes – Implementing change management procedures to document, review, prioritize, test, approve, and manage hardware and software changes, as well as system capacity, in order to protect non-public information and firm services.

Emerging Cybersecurity Risks

FINRA recently observed increased numbers of cybersecurity- or technology-related incidents at firms, including:

  • Systemwide outages;
  • E-mail and account takeovers;
  • Fraudulent wire requests;
  • Imposter websites; and
  • Ransomware

FINRA also noted data breaches at some firms and remains concerned about increased risks for firms that do not implement practices to address phishing emails or require MFA for accessing non-public information.

Additional Resources

  • Regulatory Notice 20-32 (FINRA Reminds Firms to Be Aware of Fraudulent Options Trading in Connection With Potential Account Takeovers and New Account Fraud)
  • Information Notice 03/26/20 (Measures to Consider as Firms Respond to the Coronavirus Pandemic (COVID-19))
  • Regulatory Notice 20-13 (FINRA Reminds Firms to Beware of Fraud During the Coronavirus (COVID-19) Pandemic)
  • Report on Selected Cybersecurity Practices – 2018
  • Report on Cybersecurity Practices – 2015
  • Small Firm Cybersecurity Checklist
  • Core Cybersecurity Controls for Small Firms
  • Customer Information Protection Topic Page
  • Cybersecurity Topic Page
  • Non-FINRA Cybersecurity Resources

Outside Business Activities and Private Securities Transactions

Regulatory Obligations and Related Considerations

Regulatory Obligations

FINRA Rules 3270 (Outside Business Activities of Registered Persons) and 3280 (Private Securities Transactions of an Associated Person) require:

  • Registered representatives to notify their firms in writing of proposed outside business activities (OBAs).
  • All associated persons to notify their firms in writing of proposed private securities transactions (PSTs), so firms can determine whether to limit or allow those activities.
  • A firm approving a PST where the associated person has or may receive selling compensation to record and supervise the transaction as if it were executed on behalf of the firm.

Related Considerations

  • Do the firm’s WSPs explicitly state where notification or pre-approval is required to engage in an OBA or PST?
  • Does the firm require associated persons or registered persons to complete and update, as needed, questionnaires and attestations regarding their involvement—or potential involvement—in OBAs and PSTs; and if yes, how often?
  • Does the firm have a process in place to update a registered representative’s Form U4 with OBAs that meet the disclosure requirements of that form?
  • What methods does the firm use to identify individuals involved in undisclosed OBAs and PSTs?
  • Does the firm take into account the unique regulatory considerations and characteristics of digital assets when reviewing digital asset OBAs and PSTs?
  • How does the firm supervise PSTs, including digital asset PSTs, and document its compliance with the supervisory obligations?
  • Does the firm record the PSTs on its books and records, including PSTs involving new or unique products and services?

Exam Findings and Effective Practices

Exam Findings

  • Incorrect Interpretation of Requirements – Interpreting “compensation” too narrowly (by focusing on only direct compensation, such as salary or commissions, rather than evaluating all direct and indirect financial benefits from PSTs, such as membership interests, receipt of preferred stock and tax benefits); and, as a result, erroneously determining that certain activities were not PSTs, or approving participation in proposed transactions without adequately considering whether the firms need to supervise the transaction as if it were executed on their own behalf.
  • No Documentation – Not retaining the documentation necessary to demonstrate firms’ compliance with the supervisory obligations for PSTs and not recording the transactions on the firm’s books and records because certain PSTs were not consistent with firms’ electronic systems (such as where securities businesses conducted by a registered representative would not be captured in their clearing firm’s feed of purchases and sales activity).
  • No or Insufficient Notice and Notice Reviews – Registered persons failing to notify their firms in writing of OBAs or PSTs; and WSPs not requiring the review of such notices, or the documentation that such reviews had taken place.
  • No PST Monitoring – Not monitoring limitations placed on OBAs or PSTs, such as prohibiting registered representatives from soliciting firm clients to participate in the OBA or PST.
  • No Review and Recordkeeping of Digital Asset Activities – Incorrectly assuming all digital assets are not securities and, therefore, not evaluating digital asset activities, including activities performed by affiliates, to determine whether they are PSTs; and for certain digital asset or other activities that were deemed to be PSTs because registered representatives received selling compensation, not supervising such activities or recording such transactions on the firm’s books and records.

Emerging OBA/PST Risks

Paycheck Protection Program (PPP) Loans for Registered Representatives

FINRA noted that some registered representatives received a PPP loan for an OBA that had not been disclosed to their firms, and which may have required an update to their Form U4 as well. Firms should consider reviewing the publicly available data on PPP loans to determine if they have a registered representative who obtained a PPP loan for an undisclosed OBA.

Effective Practices

Questionnaires – Requiring registered representatives and other associated persons to complete upon hire, and periodically thereafter, detailed, open-ended questionnaires with regular attestations regarding their involvement—or potential involvement—in new or previously disclosed OBAs and PSTs (including asking questions relating to any other businesses where they are owners or employees; whether they are raising money for any outside activity; whether they act as “finders”; and any expected revenues or other payments they receive from any entities other than member firms, including affiliates).

Thorough Reviews – Conducting reviews to learn about all OBAs and PSTs at the time of a registered representative’s initial disclosure to the firm and periodically thereafter, including thorough reviews of:

  • Social media, professional networking and other publicly available websites and other sources (such as legal research databases and court records);
  • Email, social media and other communications;
  • Interviews with registered representatives; and
  • Documentation supporting the activity (such as organizational documents).

Monitoring – Monitoring significant changes in or other red flags relating to registered representatives’ or associated persons’ performance, production levels, or lifestyle that may indicate involvement in undisclosed or prohibited OBAs and PSTs (or other business or financial arrangements with their customers, such as borrowing or lending), including conducting regular, periodic background checks and reviews of:

  • Correspondence (including social media);
  • Fund movements;
  • Marketing materials;
  • Online activities;
  • Customer complaints; and
  • Financial records (including bank statements and tax returns).

Affiliate Activities – Considering whether registered representatives’ and other associated persons’ activities with affiliates, especially self-offerings, may implicate FINRA Rules 3270 and 3280.

WSPs – Clearly identifying types of activities or investments that would constitute an OBA or PST subject to disclosure/approval or not, as well as defining compensation, and in some cases, providing FAQs to remind employees of scenarios that they might not otherwise consider applicable to these rules.

Training – Conducting training on OBAs and PSTs during onboarding and periodically thereafter, including regular reminders that registered representatives must give written notice of such activities to their firms and update their disclosures.

Disciplinary Action – Imposing significant consequences—including heightened supervision, fines or termination—for registered representatives and associated persons who fail to notify firms in writing and receive approval for their OBAs and PSTs.

Digital Asset Checklists – Creating checklists with a list of considerations to confirm whether digital asset activities would be considered OBAs or PSTs (including reviewing private placement memoranda or other materials and analyzing the underlying products and investment vehicle structures).

Additional Resources

  • Regulatory Notice 20-23 (FINRA Encourages Firms to Notify FINRA if They Engage in Activities Related to Digital Assets)
  • Regulatory Notice 18-08 (FINRA Requests Comment on Proposed New Rule Governing Outside Business Activities and Private Securities Transactions)
  • Notice to Members 96-33 (NASD Clarifies Rules Governing RRs/IAs)
  • Notice to Members 94-44 (Board Approves Clarification on Applicability of Article III, Section 4of Rules of Fair Practice to Investment Advisory Activities of Registered Representatives)

Regulatory Events Reporting

Regulatory Obligations and Related Considerations

Regulatory Obligations

FINRA Rule 4530 (Reporting Requirements) requires firms to promptly report to FINRA, and associated persons to promptly report to firms, specified events, including, for example, violations of securities laws and FINRA rules, certain written customer complaints and certain disciplinary actions taken by the firm. Firms must also report quarterly to FINRA statistical and summary information regarding certain written customer complaints.

Related Considerations

  • Do your firm’s WSPs require associated persons to report written customer complaints, judgments, liens and other events to the firm’s compliance department?
  • Does your firm provide periodic reminders or training on such requirements, and what consequences does your firm impose on those persons that do not comply?
  • How does your firm monitor for red flags of unreported written customer complaints and other reportable events?
  • How does your firm ensure that it accurately and timely reports to FINRA written customer complaints that associated persons reported to your firm’s compliance department?
  • How does your firm determine the problem and product codes it uses for its statistical reporting of written customer complaints to FINRA?

Exam Findings and Effective Practices

Exam Findings

  • No Reporting to the Firm – Associated persons not reporting complaints, judgments, liens and other events to the firms’ compliance departments because they were not aware of firm requirements.
  • Inadequate Surveillance – Firms not conducting regular email and other surveillance for unreported events.
  • No Reporting to FINRA – Failing to report to FINRA written customer complaints that associated persons reported to the firms’ compliance departments.
  • Incorrect Rule 4530 Product/Problem Codes – As part of the statistical reporting to FINRA, failing to use codes that correlated to the most prominent product or the most egregious problem alleged in the written customer complaints, but instead, reporting less prominent or severe codes or other codes based on the firms’ investigations or other information.

Effective Practices

  • Compliance Questionnaires – Developing detailed annual compliance questionnaires to verify the accuracy of associated persons’ disclosures, including follow-up questions (such as whether they have ever filed for bankruptcy, have any pending lawsuits, are subject to any unsatisfied judgments or liens, or received any written customer complaints).
  • Email Surveillance – Conducting email surveillance targeted to identify unreported complaints (by, for example, including complaint-related words in their keyword lexicons, reviewing for unknown email addresses, and conducting random email checks).
  • Review of Registered Representatives’ Financial Condition – Identifying expenses, settlements and other payments that may indicate unreported events by conducting periodic reviews of their associated persons’ financial condition, including background checks and credit reports.
  • Review of Publicly Available Information – Conducting periodic searches of associated persons’ names on web forums, court filings and other publicly available databases, including reviewing for any judgments, liens and other reportable events.

Additional Resources

  • Regulatory Notice 20-17 (FINRA Revises Rule 4530 Problem Codes for Reporting Customer Complaints and for Filing Documents Online)
  • Regulatory Notice 20-02 (FINRA Requests Comment on the Effectiveness and Efficiency of Its Reporting Requirements Rule)
  • Regulatory Notice 15-05 (SEC Approves Consolidated FINRA Rule Regarding Background Checks on Registration Applicants)
  • Regulatory Notice 13-08 (FINRA Amends Rule 4530 to Eliminate Duplicative Reporting and Provide the Option to File Required Documents Online Using a New Form)
  • FINRA’s Rule 4530 Reporting Requirements
  • FINRA’s Rule 4530 Reporting Codes
  • FINRA Report Center – 4530 Disclosure Timeliness Report Card

Private Placements

Regulatory Obligations and Related Considerations

Regulatory Obligations

As noted in Regulatory Notice 10-22 (Obligations of Broker-Dealers to Conduct Reasonable Investigations in Regulation D Offerings), as part of their obligations under FINRA Rule 2111 (Suitability) and supervisory requirements under FINRA Rule 3110 (Supervision), firms must conduct

  • a “reasonable investigation” by evaluating “the issuer and its management; the business prospects of the issuer; the assets held by or to be acquired by the issuer; the claims being made; and the intended use of proceeds of the offering.”
  • The SEC’s Reg BI became effective on June 30, 2020, and would apply to recommendations of private offerings to retail customers. Reg BI similarly requires, among other things, a broker-dealer to exercise reasonable diligence, care and skill to understand the potential risks, rewards and costs associated with a private offering recommendation and have a reasonable basis to believe that the private offering recommendation could be in the best interest of at least some retail customers.
  • In addition, firms must make timely filings for specified private placement offerings with FINRA’s Corporate Financing Department under FINRA Rules 5122 (Private Placements of Securities Issued by Members) and 5123 (Private Placements of Securities).

Related Considerations

  • What policies and procedures does your firm have to address filing requirements and timelines under FINRA Rules 5122 and 5123? How does it review for compliance with such policies?
  • How does your firm use and evaluate consultants, experts or other third-party vendors’ due diligence reports?
  • How does your firm conduct reasonable investigations on private placement offerings, including conducting further inquiry into red flags identified during the reasonable investigation process?
  • How does your firm address conflicts of interest identified in third-party due diligence reports?
  • How does your firm handle escrowed funds and amended terms in contingency offerings?
  • If your firm is engaging in new business, such as Regulation A offerings or SPACs, has it implemented WSPs to address this business? If this business may constitute a material change in your firm’s business operations, has your firm considered whether it needs to file a Continuing Membership Application (CMA)?

Exam Findings and Effective Practices

Exam Findings

  • Late Filings – Not having policies and procedures, processes and supervisory programs to comply with filing requirements; and failing to make timely filings (with, in some cases, delays lasting as long as six to twelve months after the offering closing date).
  • No Reasonable Investigation – Failing to perform reasonable investigations of private placement offerings prior to recommending the offerings to retail investors, including failing to conduct additional research about new offerings, relying on their experience with the same issuer in previous offerings and not conducting further inquiry into red flags identified during the investigation process.
  • Concerning Third-Party Due Diligence – Failing to address red flags (such as disciplinary history of the issuer’s management), conflicts of interest (such as undisclosed direct or indirect common ownership of affiliated entities or the issuer) or significant concerns (such as no legitimate operating history for the issuer) identified in third-party due diligence reports.

Effective Practices

  • Private Placement Checklist – Creating checklists with—or added to existing firm Regulation D and other offering checklists—all steps, filing dates, related documentation requirements and evidence of supervisory principal approval for the filing requirements of FINRA Rules 5122 and 5123.
  • Independent Research – Conducting and documenting independent research on material aspects of the offering; identifying any red flags with the offering or the issuer (such as questionable business plans or unlikely projections or results); and addressing and, if possible, resolving concerns that would be relevant to a potential investor (such as tax considerations or liquidity restrictions).
  • Independent Verification – Verifying information that was key to the performance of the offering (such as unrealistic costs projected to execute the business plan coupled with aggressively projected timing and overall rate of return for investors); and, in some cases, receiving support from due diligence firms, experts and third-party vendors.
  • Mitigating Conflicts of Interest – Using firms’ reasonable investigation processes to mitigate conflicts of interest and developing comprehensive disclosures for offerings involving firm affiliates or issuers whose control persons were also employed by the firm.
  • Ownership for Filings – Assigning responsibility for private placement filing requirements to specific individual(s) or team(s) and conducting targeted, in-depth training about the firms’ policies, process and technical filing requirements.
  • Automated Alert System – Creating an automated system that alerts responsible individual(s) and supervisory principal(s) about upcoming and missed filing deadlines.
  • Private Placement Committee – Creating a private placement committee (at larger firms) or formally designating one or more qualified persons (at smaller firms); charging committee-designated individuals with investigating and determining whether to approve the offering for sale to investors; and conducting research and identifying and highlighting red flags with the offering or the issuer.
  • Post-Approval Processes – Using the investigation analysis to establish post-approval processes and investment limits based on the complexity or risk level of the offering.
  • Ongoing Monitoring – Conducting ongoing monitoring after the offering to ascertain whether offering proceeds were used in a manner consistent with the offering memorandum, particularly for ongoing sales of an offering after initial closing.

Additional Resources

  • Regulatory Notice 20-21 (FINRA Provides Guidance on Retail Communications Concerning Private Placement Offerings)
  • Regulatory Notice 10-22 (Obligations of Broker-Dealers to Conduct Reasonable Investigations in Regulation D Offerings)
  • Report Center – Corporate Financing Report Cards
  • FAQs about Private Placements
  • Corporate Financing Private Placement Filing System User Guide
  • Private Placements Topic Page

Variable Annuities

Regulatory Obligations and Related Considerations

Regulatory Obligations

FINRA Rule 2330 (Members’ Responsibilities Regarding Deferred Variable Annuities) establishes sales practice standards regarding recommended purchases and exchanges of deferred variable annuities, including requiring a reasonable belief

  • That the customer has been informed of the various features of annuities (such as surrender charges, potential tax penalties, various fees and costs, and market risk);
  • Prior to recommending the purchase or exchange of a deferred variable annuity, requiring reasonable efforts to determine the customer’s age, annual income, investment experience, investment objectives, investment time horizon, existing assets and risk tolerance.
  • To the extent that a broker-dealer or associated person is recommending a purchase or exchange of a deferred variable annuity to a retail customer, Reg BI’s obligations, discussed above, also would apply.
  • In addition, the rule requires that firms conduct surveillance to determine if any associated person is effecting deferred variable annuity exchanges at a rate that might suggest conduct inconsistent with FINRA Rule 2330.
  • Firms must also have procedures to implement corrective action to address any exchanges and conduct that violate FINRA Rule 2330.

Related Considerations

  • How does the firm review for rates of variable annuity exchanges (i.e., does your firm use any automated tools, exception reports or surveillance reports)?
  • Does the firm have standardized review thresholds for rates of variable annuity exchanges?
  • Does the firm have a process to confirm its variable annuity data integrity (including general product information, share class, riders and exchange-based activity) and engage with affiliate and non-affiliated insurance carriers to address inconsistencies in available data, data formats and reporting processes for variable annuities?
  • What is the firm’s process to supervise buyout offers (i.e., does it include pre-approval, exception reports and post-transaction reviews)?
  • What do the WSPs require registered representatives to do in order to support a determination that a transaction meets the standard of care requirements and that there is a reasonable basis for it? What is the manner in which they are to obtain, evaluate and record information such as whether a customer would incur a surrender charge; would be subject to a new surrender period; would lose existing benefits; would be subject to increased fees or charges; would invest a substantial portion of the customer’s liquid net worth in the variable annuity; has liquidity needs that are inconsistent with the variable annuity; would be investing in a share class that is not in the customer’s best interest given his or her financial needs, time horizon and riders included with the contract; and has had another exchange within the preceding 36 months?
  • Do the firm’s policies and procedures require registered representatives to inform customers of the various features of annuities, such as surrender charges, potential tax penalties, various fees and costs, and market risk?
  • How do the firm’s registered principals supervise variable annuity transactions, including verifying how the customer would benefit from certain features of deferred variable annuities, such as tax-deferral, annuitization, or a death or living benefit? What processes, forms, documents and information do the firm’s registered principals rely on to make such determinations?
  • Does the firm have WSPs to address when it decides to stop selling or retires certain products, or opens buyout or exchange periods, including, but not limited to: how it will handle the product termination process; how it decides whether it offers an exchange or buyout; the scope of its exposure (in terms of contracts and customers); how it will notify customers and registered representatives; and how it will monitor for exchange rates?

Exam Findings and Effective Practices

Exam Findings

  • Not Addressing Buyouts – Not addressing within firms’ systems of supervision (by having applicable WSPs, delivering training, or making appropriate disclosures, etc.) that customers accepting buyouts may be losing valuable benefits associated with their existing products, subject to new surrender charge periods, and paying higher fees and expenses with new products (as was the case when customers were impacted by a recent announcement that an insurer with sizable variable annuity assets will terminate servicing agreements, cancel certain trail commissions for registered representatives, and provide buyout offers to its variable annuity customers).
  • Unsuitable Exchanges – Not reasonably supervising recommendations of exchanges that were inconsistent with the customer’s objectives and time horizon and resulted in, among other consequences, increased fees to the customer or the loss of material, paid-for accrued benefits.
  • Inadequate Source of Funds Review – Not performing sufficient review of source of funds used to purchase new variable annuities.
  • Insufficient Training – Not conducting training for registered representatives and supervisors regarding how to assess fees, surrender charges and long-term income riders to determine whether exchanges were suitable for customers.

Effective Practices

Buyout Offers

  • Policies and Reviews – Performing a holistic review of buyout offers; requiring supervisory principal pre-approval (and, in some cases, additional second-level approval) for buyout offers; and requiring registered representatives’ recommendations to consider all changes to customers’ variable annuities, such as possible surrender charges, loss of benefits, contract values, riders, cash surrender values, expenses and fees.
  • Training – Providing extensive, ongoing training and communications to all registered representatives about buyout offers and related compliance obligations (including, in some cases, creating dedicated firm telephone
  • Conflicts of Interest – Addressing and mitigating potential conflicts of interest for registered representatives who may recommend that customers pursue buyout offers to free up proceeds for new investments or variable annuity exchanges by, for example, leveling registered representatives’ compensation for buyout offers, exchanges or new investments.
  • Additional Disclosures – Developing new buyout offer disclosures or expanding existing variable annuity disclosure forms to address considerations for buyout offers.
  • Additional Post-Transaction Review – Creating additional exception reports and conducting additional transaction monitoring for those customers who accepted buyout offers to confirm that those transactions were submitted for supervisory principal pre-approval (and, where required, additional second-level approval) and, if not, evaluating for compliance with FINRA Rule 2330.

Exchanges

  • Automated Surveillance – Using automated tools, exception reports and surveillance to review variable annuity exchanges, and implementing second-level supervision of supervisory reviews of exchange-related exception reports and account applications.
  • Rationales – Requiring registered representatives to provide detailed written rationales for variable annuity exchanges for each customer (including confirming that such rationales address the specific circumstances for each customer and do not replicate rationales provided for other customers); and requiring supervisory principals to verify the information provided by registered representatives, including product fees, costs, rider benefits and existing product values.
  • Review Thresholds – Standardizing review thresholds for rates of variable annuity exchanges; and monitoring for emerging trends across registered representatives, customers, products and branches.
  • Data Integrity – Creating automated (rather than manual) solutions to synthesize variable annuity data (including general product information, share class, riders and exchange-based activity) and engaging with affiliated and non-affiliated insurance carriers to address inconsistencies in available data, data formats and reporting processes for variable annuities.

Additional Resources

  • Regulatory Notice 20-18 (FINRA Amends Its Suitability, Non-Cash Compensation and Capital Acquisition Broker (CAB) Rules in Response to Regulation Best Interest)
  • Regulatory Notice 20-17 (FINRA Revises Rule 4530 Problem Codes for Reporting Customer Complaints and for Filing Documents Online)
  • Regulatory Notice 10-05 (FINRA Reminds Firms of Their Responsibilities Under FINRA Rule 2330 for Recommended Purchases or Exchanges of Deferred Variable Annuities)
  • Notice to Members 07-06 (Special Considerations When Supervising Recommendations of Newly Associated Registered Representatives to Replace Mutual Funds and Variable Products)
  • Notice to Members 99-35 (The NASD Reminds Members of Their Responsibilities Regarding the Sales of Variable Annuities)
  • Variable Annuities Topic Page
  • SEC’s Regulation Best Interest, Form CRS and Related Interpretations
  • FINRA’s Regulation Best Interest (Reg BI) Topic Page

Segregation of Assets and Customer Protection

Regulatory Obligations and Related Considerations

Regulatory Obligations

Exchange Act Rule 15c3-3 (Customer Protection Rule) imposes certain requirements on firms that are designed to protect customer funds and securities. Firms are obligated to maintain custody of customer securities and safeguard customer cash by segregating these assets from the firm’s proprietary business activities, and promptly deliver to their owner upon request. Firms can satisfy this requirement by either keeping customer funds and securities in their physical possession, or in a good control location that allows the firm to direct their movement (e.g., a clearing corporation).

Related Considerations

  • What is your firm’s process to prevent, identify, research and escalate new or increased deficits which are in violation of the Customer Protection Rule?
  • What controls does your firm have in place to identify and monitor its possession or control deficits, including the creation, cause and resolution?
  • If your firm claims an exemption from the Customer Protection Rule and it is required to forward customer checks promptly to your firm’s clearing firm, how does your firm implement consistent processes for check forwarding and maintain accurate blotters to demonstrate that checks were forwarded in a timely manner?
  • How does your firm train staff on Customer Protection Rule requirements?
  • What are your firm’s processes to confirm that your firm correctly completes its reserve formula calculation and maintains the amounts that must be deposited into the special reserve bank account(s)?
  • If your firm is engaging in digital asset transactions, what controls and procedures has it established to support facilitation of such transactions, including initial issuance or secondary market trading of digital assets?
  • Has the firm analyzed these controls and procedures to address potential concerns that they may be viewed as a custodian (i.e., holding or controlling customer property)?

Exam Findings and Effective Practices

Exam Findings

  • Inconsistent Check-Forwarding Processes – Not implementing consistent processes for check forwarding to comply with an exemption from the Customer Protection Rule.
  • Inaccurate Reserve Formula Calculations – Failing to correctly complete reserve formula calculations due to errors in coding because of limited training and staff turnover, challenges with spreadsheet controls, limited coordination between various internal departments and gaps in reconciliation calculations.
  • Omitted or Inaccurate Blotter Information – Maintaining blotters with insufficient information to demonstrate that checks were forwarded in a timely manner and inaccurate information about the status of checks.

Effective Practices

  • Legal and Compliance Engagement – Collaborating with legal and compliance departments to confirm that all agreements supporting control locations are finalized and executed before the accounts are established and coded as good control accounts on firms’ books and records.
  • Addressing Conflicts of Interest – Confirming which staff have system access to establish a new good control location and that they are independent from the business areas to avoid potential conflicts of interest; and conducting ongoing review to address emerging conflicts of interest.
  • Reviews and Exception Reports for Good Control Locations – Conducting periodic review of and implementing exception reports for existing control locations for potential miscoding, out-of-date paperwork or inactivity.
  • Check-Forwarding Procedures – Creating and implementing policies to address receipt of customer checks, checks written to the firm, and checks written to a third party.
  • Check Forwarding Blotter Review – Creating and reviewing firms’ check received and forwarded blotters to confirm that they are up to date, and including the information required to demonstrate compliance with the Customer Protection Rule exemption.

Additional Resources

www.finra.org © 2021 FINRA. All rights reserved.