FINRA report: Top risk areas for AML, cyber-security

The “2021 Report on FINRA’s Examination and Risk Monitoring Program” combines and replaces two of FINRA’s previously published annual reports that provided analysis of prior examination results and highlighted areas the organization planned to review in the coming year.

“This report is designed to give member firms a single, authoritative source that provides insights derived both from the last year’s examinations and risk assessments and from where we have identified emerging issues for the coming year,” said Bari Havlik, FINRA’s executive vice president for member supervision.

The report includes key considerations for member firm compliance programs, noteworthy findings from recent examinations, and effective practices observed by FINRA during its oversight. It addresses 18 total regulatory areas under the following four categories: firm operations, communications and sales, market integrity, and financial management.

AML compliance

One regulatory area under the category of “firm operations” is anti-money laundering (AML) compliance, which has always been, and will remain, a hot topic for FINRA. The organization reminds compliance officers that, under FINRA Rule 3310, member firms must develop and implement a written AML program “reasonably designed to comply” with the requirements of the Bank Secrecy Act and its implementing regulations.

Specific to AML, FINRA has identified in its examination findings the following common deficiencies, which compliance officers should be on alert for:

• Inadequate transaction monitoring;
• Limited scope for suspicious activity reports (SARs);
• Inadequate framework for cash management accounts;
• Unclear delegation of responsibilities;
• Data integrity gaps;
• Failure to document investigations;
• Inadequate identification of or follow-up on increased trading by foreign legal entity accounts;
• Insufficient independent testing; and
• Improper reliance on clearing firms.

In addition to describing common AML deficiencies, FINRA also lists nine best practices implemented at some firms. These include, but are not limited to, annual independent tests to evaluate the adequacy of firms’ AML compliance programs and updating risk assessments “based on the results of AML independent tests, audits, and changes in size or risk profile of the firms, including their businesses, registered representatives and customer account types.”

FINRA also encourages collaborating with the AML department, which “increases the likelihood that all potentially reportable events are referred to the AML department by establishing a line of communication (such as reporting and escalation processes, awareness and educational programs, regular meetings, policies and procedures, or exception reports) between the AML department and other departments that may observe potentially reportable events,” the organization said. These other departments may include registered representatives and client-facing teams, technology, cyber-security, compliance, operations, trading desks, and fraud departments. 

Cyber-security

Cyber-security is another regulatory area stressed by FINRA. Here, the organization reminds firms that “cyber-security remains one of the principal operational risks facing broker-dealers.” FINRA “expects firms to develop reasonably designed cyber-security programs and controls that are consistent with their risk profile, business model and scale of operations.”

Compliance officers should take note of the following areas of frequent failure:

• Not encrypting all confidential data;
• Not maintaining branch-level written cyber-security policies, inventories of branch-level data, software and hardware assets, and branch-level inspection and automated monitoring programs;
• Not providing comprehensive training to registered representatives, personnel, third-party providers, and consultants on cyber-security risks relevant to individuals’ roles and responsibilities, including phishing;
• Not implementing and documenting formal policies and procedures to review prospective and existing vendors’ cyber-security controls and managing the lifecycle of firms’ engagement with all vendors;
• Not implementing access controls; and
• Insufficient supervisory oversight for application and technology changes (including upgrades, modifications to, or integration of, firm or vendor systems).

Best practices include “collaborating across technology, risk, compliance, fraud, and internal investigations departments to assess key risk areas, monitor access and entitlements, and investigate potential violations of firm rules or policies with regard to data access or data accumulation,” FINRA said. The organization also recommends “establishing and regularly testing written formal incident response plans that outline procedures for responding to cyber-security and information security incidents; and developing frameworks to identify, classify, prioritize, track and close cybersecurity-related incidents.”

FINRA added it has recently observed increased numbers of cyber-security/technology-related incidents at firms, including systemwide outages, email and account takeovers, fraudulent wire requests, imposter websites, and ransomware.