The Financial Industry Regulatory Authority’s (FINRA) annual report on examinations and risk monitoring indicated a new emphasis for the regulator on combating financial crime, particularly cybercrime.
For the first time, the “2023 Report on FINRA’s Examination and Risk Monitoring Program” advised firms how they should protect themselves and their customers against cybercrimes, including identity theft, account takeovers, ransomware, and network intrusions.
The annual report highlighted “FINRA’s increased focus on protecting investors and safeguarding market integrity against these ongoing threats.”
The report noted emerging risks in 2022, which include an increase in manipulative trading in small cap initial public offerings; more attempts at sanctions evasion; and an emerging trend in which cybercriminals take over a customer’s identity, open a brokerage account, and then request to transfer funds from accounts the legitimate customer owns at different firms using an automated customer account transfer service request.
In its examinations of member firms, FINRA found a number of common weaknesses in firms’ cybersecurity processes, including a lack of multifactor identification for employees, contractors, and customers logging into the firm’s operational, email, and registered representative systems; ineffective tools for validating the identity of customers or detecting suspicious activity associated with the opening of new accounts; generic identity theft prevention programs that are not appropriate to the firm’s size and complexity; inadequate monitoring of network activity to identify unauthorized copying or deletion of data; inadequate cybersecurity protocols used by branch offices and vendors; inadequate recordkeeping and logging of activity; and a lack of adequate procedures for investigating cyber events and considering whether to file suspicious activity reports (SARs).
On the anti-money laundering (AML) front, FINRA found some firms did not conduct adequate customer identification and customer due diligence, including inadequate verification of customer identities and failure to detect and respond to red flags of identity theft. Some firms lacked adequate procedures for identifying when to investigate suspicious activity and file SARs, particularly in transactions like wire and automated clearing house transfers, debit card and ATM transactions, and securities trading. There were issues with firms not adequately testing their AML programs, especially when they had taken on new products, services, or client bases.
Some firms fell short of providing all information requested by law enforcement, clearing firms, state and federal regulators, and the Financial Crimes Enforcement Network, the report said.
As was the case in last year’s report, FINRA found many firms were not adhering to the provisions of Regulation Best Interest (Reg BI), which establishes a “best interest” standard of conduct for broker-dealers and associated persons when they make recommendations to retail customers of any securities transaction or investment strategy involving securities, including account recommendations.
FINRA found many firms were violating Reg BI when they recommended risky products or services that did not match the risk profiles of their retail customers, particularly through complex investment vehicles or digital assets like cryptocurrency. Firms did not comply with Reg BI when they did not adequately disclose conflicts of interest or the “full and fair” material facts related to a recommended investment, including fees. Some firms had inadequate policies and procedures for monitoring their compliance with Reg BI, the report said.