RegEd.com|  Lessons from FINRA’s 2023 Examination and Risk Monitoring Program Report
Adam Schaub

  By Adam Schaub, Vice President, Platform Product Management, RegEd

About the Author: Adam Schaub has been in compliance in the financial services industry for more than 20 years. He most recently led the Compliance Services team at Avantax, and formerly served as Chief Compliance Officer at 1st Global. Adam joined RegEd in 2021, where he is Vice President of Platform Product Management.

Using Technology to Strengthen Your Compliance Program

FINRA’s 2023 Report on its Examination and Risk Monitoring Program highlights several new topics and provides new insight on many longstanding areas of regulatory concern. Three of the new topics fall within the Market Integrity section (Fixed Income – Fair Pricing; Fractional Shares – Reporting and Order Handling; and Reg SHO – Bona Fide Market Making Exemptions and Reuse of Locates for Intraday Buy-to-Cover Trades). A fourth new topic, Manipulative Trading, is described within the new Financial Crimes section which itself has a focus on safeguarding market integrity. In addition, FINRA specifically identified the expanded focus of its regulatory operations program in the following key risk areas:

  • Reg BI and Form CRS
  • Consolidated Audit Trail (CAT)
  • Order Handing, Best Execution, and Conflicts of Interest
  • Mobile Apps
  • Cybersecurity
  • Complex Products and Options.

Overall, the 2023 Report gives firms insights into 24 topics covered by examiners. As it addresses each topic, FINRA identifies the relevant rule(s), highlights key considerations for firms’ compliance programs, summarizes noteworthy findings from recent examinations, outlines effective practices that FINRA observed during its oversight, and recommends additional resources that may help firms in reviewing their supervisory procedures and controls and fulfilling their compliance obligations.

In issuing the Report, FINRA states: “The Report reflects FINRA’s commitment to providing greater transparency to member firms and the public about our regulatory activities as well as the increasing integration among our regulatory operations programs. We hope that this integrated approach will also increase the Report’s utility for member firms as an information source they can use to strengthen their compliance programs.”

The following covers four areas that FINRA includes throughout its guidance and best practices for compliance across all sections of the Report – Training, Communications and Disclosures, Written Supervisory Procedures, and Surveillance and Audits.

Training

Cybersecurity

It should come as no surprise that FINRA incorporates many considerations and guidance for training for representatives and other associated persons. One such example is cybersecurity training. FINRA states that “Cybersecurity threats continue to be one of the most significant risks many customers and member firms face. The frequency, sophistication and variety of attacks continue to increase; in 2022, for example, the attacks FINRA witnessed included customer account intrusions, ransomware attacks and cyber-enabled fraud.” Training staff on these threats is a preventative measure, and FINRA strongly implies that such training needs to be given, stating in its cybersecurity considerations: “What kind of security training does your firm conduct, such as email best practices and phishing?” and “Does your firm provide training to all staff, and not just to registered persons?” The Report also emphasizes the importance of strong branch-specific cybersecurity controls and technology governance.

AML

AML (3310(e) requires ongoing training for appropriate personal), and as such, firms must establish and maintain an AML training program, with FINRA providing guidance on an effective AML training program being “for appropriate personnel that is tailored to the individuals’ roles and responsibilities, addresses industry developments impacting AML risk and regulatory developments, and, where applicable, leverages trends and findings from the firm’s QA controls and independent AML testing.”

Reg BI and Form CRS

Regarding Reg BI and Form CRS, FINRA asks whether your firm incorporates into timely training any enhancements made to your firm’s supervisory system, procedures and processes based on feedback it has received from internal reviews, regulatory examinations or SEC and FINRA guidance concerning Reg BI compliance. FINRA found a common issue of firms failing to incorporate this into their training materials.

Other Training Topics

FINRA references the need for training within many other sections of the Report. The guidance suggests training for:

  • Staff that is responsible for surveillance of manipulative trading;
  • Outside business activities. Specifically, FINRA asks firms to consider the training and guidance the firm provides registered persons and associated persons, during onboarding and periodically thereafter, with regards to their potential engagement in OBAs and PSTs.
  • Associated persons to complete before they are permitted access to firm-approved communication channels, including guidance for all permitted features of each channel;
  • Obligations to report regulatory events;
  • Compliance with the requirements of Rule 2165 (Financial Exploitation of Specified Adults). Specifically, training for both front office and back office staff on the warning signs of potential: (1) customer exploitation; (2) diminished capacity; or (3) fraud perpetrated on the customer, along with training on the escalation process for issues relating to seniors;
  • Municipal securities advertisements and the applicable FINRA and MSRB rules and firm policies;
  • Registered representatives and supervisors, regarding how to assess and compare costs and fees, surrender charges and long-term income riders to determine whether exchanges complied with the standards of FINRA Rule 2330 and Reg BI;
  • Customer Protection Rule requirements;
  • Branch office personnel, regarding how to respond to cybersecurity incidents in the branch, including when to report the incident to the home office.

How RegEd Can Help:

  • RegEd’s Anti-Money Laundering (AML) Program enables producers to fulfill AML training requirements and then share those results with all participating carriers.
  • RegEd is the leading provider of Firm Element training, and such courses can be used for targeted training, such as FINRA’s recommendation on communication channels pre-requisite training. View our Course Catalog here.
  • RegEd’s Annual Compliance Meeting On-Demand (ACMOD) solution is designed to meet FINRA requirements and offers a variety of topics that can be combined to create a compelling, relevant and compliant Annual Compliance Meeting.
  • RegEd’s Annuities Training Platform (ATP) is the industry-wide solution that enables producers to complete the required state suitability and carrier-specific product training on one shared platform.

Communications and Disclosure

FINRA provided guidance in the Report on the effective review of communications, along with required disclosures that are necessary depending upon the type of product or media used to communicate to clients. In the Report, FINRA:

  • Stated that it continues to monitor how risks of higher-risk products or services are disclosed and explained on mobile apps, and whether the apps adequately distinguish between products and services of the broker-dealer and those of affiliates or other third parties (such as transactions involving crypto assets).
  • Explained that Environmental, Social and Governance (ESG) factors in communications must be supported and consistent with the product’s offering documents, contain proper disclosure to balance ESG promotional claims, and have a sound basis for any rankings, ratings or awards mentioned.
  • Reminded firms that communications must and that associated persons, firms, or both, must avoid improperly using the terms “advisor” or “adviser” in their titles or firm names when they lack the appropriate registration.
  • Explained its findings that firms were failing to correct misleading statements that appeared on funding portals’ websites for offerings on their platforms;
  • Stated it will continue to review member firms’ communications and disclosures made to customers in relation to complex products;
  • Reiterated its general content standards around false, misleading, or promissory statements or claims; fair and balanced communications that balance claims of benefits with key risks; and projections or predictions of investment performance.
  • Provided a reminder on MSRB standards around “tax free” claims and the inclusion of “taxable equivalent yields”; specifically, whether such content provides sufficient explanations of tax consequences and tax brackets.

How RegEd Can Help:

RegEd’s Enterprise Advertising Review Solution uses advanced technology to automate and streamline marketing compliance review and speed time to market. Among many other features, RegEd’s solution offers:

  • Lexicon detection, which flags problematic keywords and phrases using firm-customized rules. Customers may also leverage RegEd’s out-of-the-box lexicon developed by RegEd subject matter experts as the basis for their own. Examples of keyword subject areas are ESG, Crypto, Misleading Statements, Performance, and approximately 50 other turnkey lexicon rules.
  • Disclosure management allows firms to provide a common set of disclosures so that all stakeholders can leverage the current and correct wording in materials.
  • Format types for particular methods of communications can be created with configurable submission questions that will provide your reviewers with the necessary information and context to review the material.
  • Configurable internal review questions by format type allows your reviewers to be consistent in their application of FINRA’s communications standards across all types of materials reviewed by all reviewing principals.
  • Advanced reporting allows firms to quickly identify all materials meeting specific criteria. For example, firms are able to pull all materials of a specific format type that relate to crypto assets, in order to provide a prompt and accurate response should FINRA make that specific request.

Written Supervisory Procedures

As all compliance professionals learn early on, your firm’s Written Supervisory Procedures (WSPs) are the standard to which regulators will hold your firm, and deficiencies or other penalties will be incurred should the WSPs not be followed. In the Report, FINRA identified several specific areas in which firms’ WSPs were insufficient or not followed, or which they found were effective practices followed by a firm:

  • WSPs did not reflect the firm’s current cybersecurity practices; and not enforcing the firm’s WSPs related to cybersecurity;
  • Accurate and timely reporting to FINRA of written customer complaints, including ones that associated persons reported to the firm’s compliance department. Additionally, FINRA asks firms to consider whether the firm looks for trends in events and written customer complaints required to be reported pursuant to Rule 4530, and how that information on trends is raised to relevant business and compliance management;
  • Establishing and enforcing adequate WSPs to address Reg BI;
  • Developing WSPs and controls for live-streamed public appearances, scripted presentations or video blogs was cited as an effective practice;
  • Failing to adopt adequate procedures to address all aspects of the firm’s private placement business, failing to adhere to the firm’s WSPs or both;
  • FINRA asks firm to consider how their WSPs support a determination that a recommendation of a variable annuity exchange has a reasonable basis, and how is relevant information obtained, evaluated and recorded (such as loss of existing benefits, increases fee or charges, etc.)
  • Not establishing and maintaining reasonable WSPs or supervisory controls regarding both CAT reporting and clock synchronization that are performed by third-party vendors;
  • Updating WSPs and best execution analysis to address market and technology changes was cited as an effective practice;
  • Firms should consider whether their WSPs identify the personnel responsible for compliance with the fair pricing rules for your firm’s fixed income business;
  • Any many more citations.

The Report also reminds firms to stay apprised of new or amended laws, rules and regulations and to update WSPs & compliance programs on an ongoing basis. So strong regulatory change management controls are necessary to maintain robust compliance programs.

How RegEd Can Help:

  • Policies & Procedures Management
    • RegEd’s enterprise software Policies & Procedures Management solution that enables comprehensive, end-to-end administration and oversight of all elements of the firm’s policies and procedures.
    • Upload existing policies and procedures and link to rules and regulations to ensure that critical compliance information is up to date.
    • Store policies in a central repository that is easily accessible for employees based on audience profile.
    • Integrate with RegEd’s Regulatory Change Management solution to receive automated notification that change has occurred, as well as which policies require action as a result.
  • Complaint Management
    • RegEd’s enterprise software Complaint Management solution can be used to systematically capture and track complaints and streamline the end-to-end process of resolution and remediation.
    • The Complaint Management solution allows users to report on the status of pending complaint resolutions, including deadline notifications, at any level of the firm’s hierarchy.
    • Electronically report complaints and disclosures to FINRA, eliminating the need for redundant data entry. In accordance with FINRA Rule 4530(d), statistical and summary information can be exported via .XML and uploaded to meet quarterly filing requirements.

Surveillance and Audits

Hand-in-hand with the establishment of WSPs is the ongoing monitoring and supervision of compliance with those procedures by the firm and its representatives. FINRA has given several effective practices that can be incorporated into the branch audit and ongoing supervisory processes of firms. For example, FINRA cites as an effective practice the use of annual compliance questionnaires: “Developing annual compliance questionnaires [is an Effective Practice] to verify the accuracy of associated persons’ disclosures, including follow-up questions (such as whether they have ever filed for bankruptcy, have any pending lawsuits, are subject to unsatisfied judgments or liens or received any written customer complaints), as well as compliance checklists and schedules to confirm that required obligations are being met in a timely manner.”

FINRA also asks firms to consider their practice of ongoing monitoring of OBAs and Private Securities Transactions (PSTs): “Does your firm monitor whether a previously approved OBA may have changed over time and potentially created new conflicts or issues; evolved into a PST requiring firm approval, supervising and recording of compensation; or both?” as well as annual attestations of OBAs and PSTs: “Does your firm require associated persons or registered persons to complete and update, as needed, questionnaires and attestations regarding their involvement—or potential involvement—in OBAs and PSTs; and if yes, how often?”

FINRA asks firms to consider how it identifies risks in several areas, including a focus on cybersecurity, all of which can be incorporated into a firm’s branch office inspection program:

  • How does your firm identify and address branch-specific cybersecurity risks, including those associated with branch-hosted email or other software systems and servers?
  • If your firm permits registered representatives to use personal devices for business, how does your firm ensure its foundational security controls are implemented (e.g., security patches, anti-virus software)?
  • How does your firm review branch office security controls to ensure compliance with required standards established in your firm’s written policies and procedures?

How RegEd Can Help:

  • RegEd’s Compliance Questionnaires solution provides a robust set of integrated, workflow-driven, enterprise tools that enables firms to initiate, distribute and track annual compliance questionnaires required by FINRA, and other critical questionnaires integral to maintaining a strong compliance program.
  • RegEd’s Outside Business Activities solution enables centralized management of OBA disclosures, attestations and amendments, reducing review time and streamlining communication.
  • RegEd’s Personal Securities Account Management solution leverages RegEd’s powerful platform capabilities to automate and streamline the time consuming supervision and reporting of personal trading accounts. The solution includes intuitive, online completion of periodic account, trade and holding attestations.
  • For each of these solutions your firm can leverage turnkey questionnaire content developed by RegEd subject matter experts as the basis for your own questionnaire. Our content maps to regulatory requirements and established industry best practices.
  • RegEd’s enterprise Branch Audit Management solution allows firms to efficiently plan, schedule, conduct, resolve and report on branch inspections in accordance with FINRA Rule 3110 and other regulatory guidelines.
Scroll to top