The Financial Industry Regulatory Authority has released its annual “Regulatory and Examination Priorities Letter,” a rundown of areas it plans to review in 2017 exams.

A common thread running throughout the letter is a focus on core “blocking and tackling” issues of compliance, supervision, and risk management, FINRA President and CEO Robert Cook wrote in an introduction. Starting this year, it will publish a summary report that outlines key findings from examinations in selected areas. The document will alert firms to what FINRA is seeing from a national perspective and serve as an additional tool firms can use to strengthen the control environment for their business.

In 2017, FINRA will also introduce a “compliance calendar” and a directory of compliance service providers as tools to assist firms, in particular smaller entities. It will also be looking for opportunities to support and help facilitate capital formation by small and emerging growth companies by providing guidance—when appropriate and consistent with maintaining investor protections—that encourages innovative business models and new technologies in the FinTech space.

In the months ahead, FINRA will also initiate electronic, off-site reviews to supplement traditional on-site cycle examinations. This program will enable FINRA to review selected areas without going on site to the firm. Instead, it will make targeted and limited information requests to firms and then analyze responses off site. It will conduct these off-site exams only on a select group of firms that are not currently scheduled for a cycle exam in 2017.

High-risk and recidivist brokers

In 2017, FINRA will devote particular attention to firms’ hiring and monitoring of high-risk and recidivist brokers, including whether firms establish appropriate supervisory and compliance controls for such brokers. It recently established a dedicated examination unit to identify and examine brokers who may pose a high risk to investors. It will review these brokers’ interactions with customers, including their compliance with rules regarding suitability, know-your-customer, outside business activities, private securities transactions, commissions and fees.

FINRA will examine firms’ due diligence on these individuals, including whether, as part of the verification process, a firm or third-party service provider conducts a national search of reasonably available public records to verify the accuracy and completeness of the information contained in an applicant’s Form U4. FINRA also will continue to monitor for the timely submission of disclosures required on Forms U4 and U5.

FINRA will assess whether firms develop and implement a supervisory plan reasonably tailored to detect and prevent future misconduct by a particular broker based on prior misconduct and regulatory disclosures. The focus will include the supervision of account activity; advertising and communications, including the potential use of unapproved email addresses for business; communications with customers, including through the use of social media, seminars, radio shows or podcasts; registered representatives’ websites; outside business activities; the use of consolidated account statements; and operational activities such as distribution of funds and changes of address or investment objectives.

Sales practices

In the year ahead, FINRA will assess firms’ controls to protect senior investors from fraud, abuse and improper advice. “While the quest for higher yield is not per se problematic, FINRA will assess whether such recommendations were suitable given an investor’s profile and risk tolerance, and whether firms have appropriate supervisory mechanisms in place to detect and prevent problematic sales practices,” the letter says. FINRA will focus on microcap fraud schemes, especially those targeting the elderly.

Product suitability

FINRA continues to observe instances where firms recommend products that are unsuitable for customers, including situations where customers and sometimes registered representatives do not understand important product features. In response, it will assess how firms conduct “reasonable-basis and customer-specific suitability reviews.”

These reviews may include examining firms’ product vetting processes, supervisory systems and controls to review recommendations. Firms should be attentive to the adequacy of their supervision and training when new products come to market, new features of existing products are introduced or market conditions change in ways that could affect product performance. Firms that hire registered representatives who sell products with which the firm is not familiar should educate themselves on the products and then carefully evaluate their ability to supervise recommendations. Training should ensure that registered representatives, compliance and supervisory staff understand the objectives, risks and pricing factors of the products sold, including any changes in the features of those products.

Reviews this year will also focus on the controls firms use to monitor recommendations that could result in excess concentration in customers’ accounts. This could include excessive concentration in a particular type of product. Firms should also monitor for excessive concentration in securities exposed to an industry sector.

Excessive and short-term trading of long-term products

FINRA has observed instances of registered representatives recommending that their clients trade long-term products—such as open- and closed-end mutual funds, variable annuities and unit investment trusts (UITs)—on a short-term basis. This trading is detrimental to clients who may experience diminished investment returns because of increased costs (commissions, underwriting fees, or creation and development fees) or missed dividend payments in the case of UITs.

In the letter, FINRA urges firms to evaluate whether their supervisory systems can detect activity intended to evade automated surveillance for excessive switching activity. Examiners have observed situations where registered representatives switch customers across products to evade surveillance that focuses on switching within the same product class.

Outside business activities

In 2017, FINRA will focus on firms’ obligations with respect to their registered representatives’ outside business activities and private securities transactions. It will continue to evaluate firms’ procedures to review registered persons’ written notifications of proposed outside business activities.

Social media and electronic communications

In light of the increasingly important role they play in the securities business, FINRA will review firms’ compliance with their supervisory and record-retention obligations with respect to social media and other electronic communications.

The letter notes that under Securities and Exchange Commission and FINRA record-retention requirements, firms must ensure the capture of business-related communications regardless of the devices or networks used. A firm must capture and maintain all business-related communications in a way that it can review them for inappropriate business conduct.

Liquidity risk

Throughout 2016, FINRA identified firms that lacked liquidity risk management plans, did not conduct stress tests, applied insufficiently rigorous assumptions in their stress tests or maintained insufficient sources of funding. It also found that many firms’ funding contingency plans relied on committed secured and unsecured loan facilities. Contracts for these facilities may contain provisions (restrictive covenants, acceleration and material adverse change clauses) that could compromise or delay the availability of that funding during a stress event.

In response to these findings, in 2017, FINRA will review firms’ funding and liquidity plans to assess whether they adequately evaluate liquidity needs related to market-wide and idiosyncratic stresses, develop contingency plans, and conduct stress tests and other reviews to gauge the effectiveness of those contingency plans.

Financial risk management

This year, FINRA will ask a select group of firms to explain how they would react to a specific stress scenario that affects a firm’s market, credit and liquidity risks. It will assess these firms’ risk management practices, considering areas such as readiness, communication plans, risk metrics and triggers, as well as contingencies.

Credit risk policies

In June 2016, the SEC established margin requirements for covered agency transactions. On Dec. 15, 2016, the first phase of the new amendments became effective. In 2017, FINRA will review firms’ implementation of these new obligations. It will assess firms’ written risk policies, procedures, risk limit setting processes and the way they establish and supervise for compliance with the rule’s requirements.

Cyber-security

In 2017, FINRA will continue to assess firms’ programs to mitigate cyber-security risks.

“FINRA recognizes there is no one-size-fits-all approach to cyber-security, and we will tailor our assessment of cyber-security programs to each firm based on a variety of factors, including its business model, size and risk profile,” the letter says.

Among the areas FINRA may review are firms’ methods for preventing data loss, which include understanding their data (its degree of sensitivity and the locations where it is stored) and how it flows through the firm and possibly to vendors. Examinations may assess the controls firms use to monitor and protect this data, for example, data loss prevention tools.

In some instances, FINRA will review how firms manage their vendor relationships, including the controls to manage those relationships. The controls should be informed by a clear understanding of any customer or employee personally identifiable information or sensitive firm information to which vendors have access. Controls to protect sensitive information from insider threats will also be considered.

The letter notes that cyber-security controls at branch offices, particularly independent contractor branch offices, tend to be weaker than those at firms’ home offices. Reviews have observed poor controls related to the use of passwords, encryption of data, use of portable storage devices, implementation of patches and virus protection, and the physical security of assets and data.

Segregation of client assets

FINRA will evaluate whether firms have implemented adequate controls and supervision to protect customer assets. It will assess whether firms properly include customer securities positions and money balances on multiple platforms in the reserve formula and in the possession or control calculations. It will also evaluate the adequacy of firms’ supervision and controls to identify, and where appropriate prevent, manual overrides of automated possession or control calculations.

FINRA is also concerned “that some firms may be engaging in transactions with little or no economic substance designed primarily, if not solely, to reduce their reserve or segregation requirements under the financial responsibility rules.” This would put customer cash or securities at risk if, for example, a firm went out of business and held its customers’ securities in an account subject to a lien or if a firm artificially reduced the reserve computation through such transactions.

Regulation SHO

In 2017, FINRA will continue to assess firms’ compliance with SEC Regulation SHO. In light of recent SEC enforcement actions, it will focus on the locate process to ensure firms have reasonable grounds to believe securities are available for borrowing prior to accepting a short sale.

Anti-money laundering and suspicious activity monitoring

FINRA will continue to focus on firms’ anti-money laundering programs, particularly on shortcomings that may include gaps in firms’ automated trading and money movement surveillance systems caused by data integrity problems, poorly set parameters or surveillance patterns that do not capture problematic behavior such as suspicious microcap activity.

Firms may perform anti-money laundering suspicious activity monitoring using the same trading surveillance they use for supervisory purposes, but that surveillance must also include alerts tailored to the firm’s anti-money laundering red flags.

Manipulation

FINRA has developed a cross-product surveillance pattern to detect layering in an underlying equity to influence options prices. In 2017, it will expand surveillance for cross-product manipulation to trading in ETPs and related securities, and improper trading strategies directed at unique attributes of ETPs.