The newly released 2022 Report on FINRA’s Examination and Risk Monitoring Program reflects an evolving securities industry.
“Today’s securities industry landscape is highly dynamic in terms of business models, technologies, products, and compliance practices. This report looks at these significant changes through the lens of FINRA’s commitment to investor protection and market integrity so that firms’ compliance programs can benefit from our findings about emerging and ongoing issues,” stated Greg Ruppert, executive vice president, member supervision, in a press release announcing the release of FINRA’s 2022 exam report.
Exam findings in key areas
Focus areas highlighted in the report include:
- FINRA’s initial findings from its Reg BI and Form CRS reviews;
- Firms’ compliance with certain regulatory obligations related to:
  - the Consolidated Audit Trail,
  - best execution and
  - Rule 606 of Regulation NMS;
- Problems with some mobile apps’ communications with customers and firms’ supervision of activity on those apps, particularly controls around account openings;
- Firms’ compliance with their regulatory obligations for securities activities involving SPACs;
- The increasing number and sophistication of cybersecurity threats faced by firms and their customers; and
- Firms’ communications and disclosures made to customers regarding complex products.
Reg BI and Form CRS
During Reg BI’s and Form CRS’ first full calendar year of implementation in 2021, FINRA expanded the scope of its reviews and testing relative to 2020 “to execute a more comprehensive review of firms’ processes, practices and conduct in areas such as establishing and enforcing adequate written supervisory procedures (WSPs); filing, delivering and tracking accurate Forms CRS; making recommendations that adhere with Reg BI’s Care Obligation; identifying and mitigating conflicts of interest; and providing effective training to staff,” according to the 2022 exam report.
Exam findings for Reg BI and Form CRS included:
- Written supervisory procedures (WSPs) that were not reasonably designed to achieve compliance with Reg BI and Form CRS
- Inadequate staff training
- Failure to comply with the Care Obligation
- Insufficient Reg BI disclosures
- Deficient Form CRS filings
FINRA has continued to observe increases in the number and sophistication of cybersecurity threats. As such, it will “continue to assess firms’ programs to protect sensitive customer and firm information.” Regulatory obligations and related considerations for cybersecurity and technology governance include:
- Rule 30 of the SEC’s Regulation S-P, which requires WSPs for safeguarding customer records and information; and
- FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information), which applies to denials of service and other interruptions to members’ operations.
“In addition to firms’ compliance with SEC regulations, FINRA reminds firms that cybersecurity remains one of the principal operational risks facing broker-dealers and expects firms to develop reasonably designed cybersecurity programs and controls that are consistent with their risk profile, business model and scale of operations,” according to the report.
Exam findings included:
- Inadequate risk assessment process
- Not encrypting all confidential data and sensitive firm information
- Not maintaining branch-level written cybersecurity policies
- Not implementing access controls
- Inadequate change management supervision
Improving compliance with 2022 FINRA exam report
In addition to summarizing noteworthy exam findings for each topical area covered in the report, FINRA highlights key considerations for member firms’ compliance programs, outlines effective practices that FINRA observed during its oversight, and provides additional resources to help firms review their supervisory procedures and controls and fulfill their compliance obligations.
The 70-page report for 2022 covers 21 different topics, including five new subjects. The new sections are:
- Firm Short Positions and Fails-to-Receive in Municipal Securities;
- Trusted Contact Persons;
- Funding Portals and Crowdfunding Offerings;
- Disclosure of Routing Information; and
- Portfolio Margin and Intraday Trading.
Many of the areas addressed in the Report represent ongoing core compliance responsibilities that are reviewed as part of FINRA’s regular risk-based exam program each year, such as anti-money laundering, outside business activities, and books and records. Where applicable, FINRA will continue to enhance the information in these areas, as well as add new ones, to address changes that may affect how regulatory obligations are fulfilled.
Also, for the first time, FINRA’s report on its examination and risk monitoring program emphasizes new material in sections that have appeared in previous iterations, as well as findings that are particularly relevant for firms in their first year of operation. As in prior years, FINRA will adapt its areas of focus throughout 2022 to address emerging regulatory concerns and risks for investors that may arise throughout the year, according to the press release announcing the report.
FINRA’s 2022 priorities include revisiting rules and regulations in light of changes brought about by the COVID-19 pandemic and the industry’s shift to remote work, CEO Robert Cook recently noted in a webinar hosted by SIFMA. There will also be a theme around retail-investor protection.