FINRA is preparing for a “new normal” in which firms will work remotely even after the pandemic passes.
For example, FINRA is considering changing how it defines “branch office” and “office of supervisory jurisdiction” for supervision and inspection purposes based on industry feedback. “Many” commenters that responded to a request for feedback on lessons learned during the COVID-19 pandemic urged the regulator to revisit the definitions under FINRA Rule 3110 because firms have shifted to remote work.
“Several commenters expressed concern that without amendments, personal residences of many associated persons will need to be registered (and inspected) to facilitate remote work arrangements after the pandemic. Several commenters supported a transition of the office definitions to a risk-based approach (e.g., whether funds and securities are handled at the location), rather than a location-based approach,” according to FINRA Regulatory Notice 21-44.
In response, “FINRA is engaging with stakeholders to reevaluate Rule 3110(f) (Definitions) and the potentially significant supervisory impacts that may result from changing the current framework for defining a branch office and the exclusions,” the regulator stated in the regulatory notice.
FINRA also stated that it is responding to concerns about its Membership Application Program (MAP) rules and their potential to impact firms that have shifted to remote work. The use of remote inspections remains a focus as well.
“FINRA seems to accept that firms will probably continue to work remotely after the pandemic passes and that it may need to address the possibility of short-term responses becoming long-term changes,” said Margie Webber, director of regulatory compliance for RegEd.
Pandemic review feedback emphasizes shift to remote work.
FINRA solicited feedback on lessons learned from member firms and their customers’ experiences during the pandemic through Regulatory Notice 20-42, which it issued in December 2020. The regulator also requested comment on whether to consider changes to FINRA rules, operations, or administrative processes in response to pandemic experiences or to address anticipated long-term impacts of the pandemic on member firms and investors. FINRA received 32 comment letters covering a range of issues in response.
In addition to soliciting feedback on business continuity planning, the Pandemic Review also sought comments on other areas covering remote offices, alternative work arrangements, and remote inspections, according to the findings that FINRA published in Regulatory Notice 21-44. Commenters to Regulatory Notice 20-42 most frequently raised issues related to member firms’ use of remote offices and remote inspections after the pandemic, FINRA stated, noting that commenters “generally expect strong continued interest in remote work after the pandemic.”
Commenters worry about MAP rules.
Several commenters also expressed concern about how MAP rules could impact firms if they must register many new offices due to remote work. “FINRA is considering these interrelated issues and potential changes to the current framework,” it stated.
FINRA acknowledged, “As member firms fully implement their return-to-office plans, they may need to register as branch offices some of their currently temporary locations or new locations established as a result of the ‘new normal.’ For many member firms, resuming the requirement to designate and register offices on Form BR may result in an increase in the number of offices (registered or unregistered) that could exceed the MAP rule’s safe harbor thresholds or could otherwise represent a material change in business operations that would require the submission of a continuing membership application (CMA) for FINRA’s approval.”
FINRA stated that it is considering the concerns and potential ways to find a balanced approach for helping members navigate the “new normal,” including the application of the MAP rules.
Firms find remote inspections effective.
FINRA also stated that it is “considering modifications to firms’ obligations under Rule 3110(c) and the current framework for defining offices as an OSJ, branch office and non-branch location.” Commenters generally supported allowing member firms to conduct remote inspections to satisfy their Rule 3110(c) (Internal Inspections) obligations and stated that they believe remote inspections have been effective.
“Several commenters to Regulatory Notice 20-42 also indicated that their remote inspection findings for 2020 were similar to onsite inspection findings for prior years,” according to Regulatory Notice 21-44, which also noted that several member firms and trade associations supported the transition to a risk-based approach to allow for remote inspections of lower-risk locations.
Additionally, some commenters to Regulatory Notice 20-42 indicated that, even if remote inspections were permitted, onsite inspections would continue to have a role, like for inspecting higher risk locations or periodically inspecting each location, FINRA noted. Several commenters shared information on how they conduct remote inspections and why they believe they are effective. (After publishing Regulatory Notice 21-44 in December, FINRA announced in January that it would extend remote inspections through the end of 2022.)
Review of business continuity rule concludes that no changes are needed.
In addition to soliciting feedback on pandemic lessons, FINRA conducted a retrospective rule review of its business continuity plan (BCP) rule. FINRA started the review before the pandemic by requesting comment on Rule 4370 through Regulatory Notice 19-06.
FINRA solicited additional feedback through a confidential pre-pandemic survey that drew 288 responses. After the pandemic started, FINRA gathered additional information by speaking directly with internal and external stakeholders following the widespread activation of BCPs by member firms due to the pandemic.
“The BCP Rule Review, as well as the related feedback received during the Pandemic Review, confirmed the continuing value and effectiveness of Rule 4370 and its flexible, nonprescriptive approach, and so FINRA proposes to maintain the rule without change,” FINRA stated in Regulatory Notice 21-44.
Stakeholders appreciated “the rule’s straightforward approach and expressed a preference for maintaining the current flexible approach,” FINRA noted. “In addition, commenters to Regulatory Notice 20-42 generally indicated that the rule worked well and expressed the view that the rule provided member firms with the necessary flexibility to successfully execute their BCPs and respond to the pandemic,” the regulator stated.
FINRA Rule 4370 requires firms to create and maintain a written BCP identifying procedures relating to an emergency or significant business disruption. The elements that comprise a BCP may be tailored to the size and needs of a member but must meet at least 10 requirements, such as addressing data back-up and recovery, and regulatory reporting.
In reviewing FINRA Rule 4370, one stakeholder recommended supplementing the rule’s minimum BCP requirements to include other categories such as critical data backup, cloud usage and storage, vendor relationships, and alternative business locations, according to FINRA Regulatory Notice 21-44. The stakeholder also suggested requiring firms to adopt separate disaster recovery and incident response plans and to integrate those plans with the BCP. Most survey respondents agreed that the disaster recovery and incident response plans should be integrated with the BCP if the firm has these plans, FINRA noted.
However, FINRA is not changing its BCP rule. “Based on stakeholder feedback, including feedback subsequent to the survey regarding firms’ experiences during the pandemic, we believe that the rule’s flexible, non-prescriptive and risk-based approach has been effective in ensuring firms of different sizes are prepared for potential business disruptions,” FINRA stated in Regulatory Notice 21-44.
“Moreover, the rule is intended to ensure that a firm can meet its existing obligations to customers in a significant business disruption regardless of the length of the business disruption. Accordingly, FINRA does not propose amending the minimum elements of a BCP at this time.”
Technology supports business continuity and remote work.
“Based on the BCP Rule Review and the Pandemic Review, both of which involved extensive feedback from a wide range of internal and external stakeholders, FINRA has determined to maintain Rule 4370 without change due to its effectiveness during the pandemic,” RegEd’s Webber said. “FINRA has also indicated that it is open to revisiting parts of FINRA Rule 3110 based on how effective firms have been in shifting to remote work and conducting inspections remotely.”
RegEd’s Policies and Procedures Management solution enables comprehensive, end-to-end administration and oversight of all elements of a firm’s policies and procedures, including business continuity plans. Also, RegEd’s Audit Management solution enables firms to implement an effective audit program and efficiently conduct remote inspections, per FINRA Rule 3110.17.
View RegEd’s on-demand webinar on branch inspections to learn more about how branch oversight has changed during the COVID-19 pandemic. Experts review practical challenges and opportunities facing audit teams, as well as the latest best practices that have emerged as firms navigate the pandemic and remote work.
RegEd is the market-leading provider of RegTech enterprise solutions with relationships with more than 200 enterprise clients, including 80% of the top 25 financial services firms.
Established in 2000 by former regulators, the company is recognized for continuous regulatory technology innovation with solutions hallmarked by workflow-directed processes, data integration, regulatory intelligence, automated validations, business process automation and compliance dashboards. The aggregate drives the highest levels of operational efficiency and enables our clients to cost-effectively comply with regulations and continuously mitigate risk.
Trusted by the nation’s top financial services firms, RegEd’s proven, holistic approach to RegTech meets firms where they are on the compliance and risk management continuum, scaling as their needs evolve and amplifying the value proposition delivered to clients. For more information, please visit www.reged.com.