A new report from the Financial Industry Regulatory Authority (FINRA) provides insights and observations from examiners on emerging issues affecting the industry, including surveilling potential use of off-channel communications by employees, crypto-asset developments, cybersecurity trends, and more.

Released Tuesday, the 2024 FINRA Annual Regulatory Oversight Report, formerly known as the Report on FINRA’s Examination and Risk Monitoring Program, also provides guidance to member firms on implementing robust anti-money laundering, fraud, and sanctions screening programs and supervising issues related to the Securities and Exchange Commission’s (SEC) Regulation Best Interest and Form CRS regulations.

In the report, FINRA said it uses a “risk-based approach to review how firms capture, surveil, and maintain business-related communications.” In addition to policies and procedures to monitor potential new electronic communication channels available to customers and firm employees, FINRA examiners will ask how firms surveil their employees for potential off-channel communications use.

Those questions include:

  • Does your firm surveil approved communications and customer complaints for references to potential off-channel communications?
  • Does your firm look for underutilization of approved communications channels as a potential indicator of off-channel communications use?
  • What corrective and disciplinary actions are in place to deter employees from circumventing supervisory controls related to off-channel communications?

FINRA requires member firms to have their crypto asset securities business line assessed by the self-regulatory organization to ensure it meets all application rules from the SEC, under its member application program. FINRA also requested member firms notify the organization if they or their affiliates engage or plan to engage in crypto-related activities.

On dealing with crypto assets, FINRA expects the policies and procedures of member firms to answer questions the crypto industry has struggled with, including:

  • Does your firm have policies and procedures in place to determine, when necessary, if a crypto asset is a security?
  • Does your firm confirm whether a crypto asset is subject to an effective registration statement or has an applicable exemption?
  • Has your firm tested for any potential weaknesses in its cybersecurity controls related to crypto asset business lines?

FINRA addressed several cybersecurity trends that have appeared in examinations of member firms, including imposter websites used to launch phishing campaigns; insider threats where employees, purposefully or inadvertently, provide access to a firm’s systems to outside threat actors; ransomware; and cybersecurity events at critical vendors that result in harm to firms or their investors.