FINRA Releases 2017 Examinations Findings

Bovill

On December 6, FINRA released its first public summary of recent exam findings to help members address potential areas of concern examiners felt were worth highlighting. The report highlights eleven areas where FINRA saw member firms experiencing compliance shortfalls. FINRA indicates this report should be used as a resource for firms to strengthen their compliance while also identifying where effective practices were witnessed.

Highlighted Observations

1)      Cybersecurity

The “bad practices” that FINRA raised included firms not immediately removing employees’ access to systems following their departure from the firm. Certain broker-dealers also lacked a formal process to conduct ongoing risk assessments of data, systems and applications, or to review a prospective vendor’s preparedness or protections of the same. Lastly, FINRA noted that some firms demonstrated limited ability to block untrusted recipients and file transfers over email.

In its summary of observed good practices, FINRA noted that firms had established, or were establishing, risk management practices to address what is one of the “principal operational risks facing broker-dealers”. Firms with effective cybersecurity programs, in FINRA’s view, had established strong governance structures and supported this with regular vulnerability and penetration tests, as well as requiring employees to participate in regular cybersecurity training and testing through phishing email exercises.

2)      Outside Business Activities & Private Securities Transactions

FINRA Rule 3270 requires that representatives notify their firms of proposed outside business activities (OBAs), and Rule 3280 requires that all associated persons notify their firms of proposed private securities transactions (PSTs). Both rules aim to mitigate misconduct and avoid conflicts of interest. FINRA found that firms that require regular attestation of outside involvement, or proposed involvement, and ongoing training to make staff aware of these requirements had achieved best practice. FINRA noted instances where individuals had failed to notify their firms, where the individual did not understand what constitutes an OBA or PST, and where the firm had not clearly defined this in the written supervisory procedures or in any ongoing compliance training.

3)      Anti-Money Laundering Compliance Program

FINRA noted firms with effective AML programs were those which “tailor their risk-based AML program to the firm’s business model and associated AML risks as opposed to simply implementing a more “generic” program”, and designed training programs that were specific to each role of a participating employee. These firms also conducted independent testing, including whether customer information was being collected and verified on all individuals and entities that would be considered customers under the BSA, as well as testing on trading and money movement activity to determine whether there is adequate monitoring for and investigations of potentially suspicious activity.

FINRA found deficiencies where firms:

  • had failed to establish and implement reasonably designed procedures to report suspicious transactions
  • did not update and tailor their policies and procedures in line with the growth of the business, or
  • did not adequately staff the AML department to carry out the responsibilities of the program.

FINRA also observed instances where firms made decisions to exclude certain types of customer accounts from monitoring programs, but failed to properly document or revisit the rationale for the decision, resulting in unidentified suspicious activity.

4)      Product Suitability

FINRA identified worrisome selling practices surrounding complex products such as unit investment trusts (UITs) and leveraged and inverse exchange-traded funds (ETFs). FINRA found that firms were recommending products that incurred higher fees without determining whether they met the suitability requirements, based on the customer’s investment profile. FINRA highlighted a variety of effective practices in recommending the purchase or sale of these products, including:

  • thoroughly training on the products’ performance and risk characteristics
  • establishing criteria to consider in determining whether a product was suitable for a specific customer
  • communicating product risks to customers in a way those customers could understand, and
  • tailoring supervisory systems to products’ features and sources of risk to customers.

FINRA identified instances in which customers were advised to roll their UIT investments over early and firms did not have appropriate supervisory mechanisms in place to identify and review the suitability of the recommendation, causing investors to incur additional sales charges, including both creation and development fees and deferred sales charges.

5)      Best Execution

In the area of best execution, FINRA found it good practice for broker-dealers to have established, maintained, and enforced policy and supervisory procedures, along with a documented review process to check for execution quality that provides enough granularity to help the regulator understand what information was considered in executing a trade.

Conversely, FINRA found that some firms failed to implement and conduct an adequate, regular and rigorous review of the quality of the executions of their customers’ orders. FINRA expressed concerns over how firms reviewed certain types of orders (e.g. market, marketable limit and non-marketable limit orders) and ensured that order flow was directed to markets providing the most beneficial terms for those orders.

6)      Market Access Controls

Increased automation in trading activity has also increased the impact and severity of trading errors (or a rapid series of errors) caused by a computer, human error or a malicious act. FINRA observed that firms satisfied the requirements of the SEC’s Market Access Rule where they:

  • maintain documentation to support thresholds
  • conduct periodic reviews that assess the reasonableness of thresholds (e.g. through a credit or capital utilization review)
  • aggregate capital or credit usage limits by assigning finely tuned or granular limits, which in total represent a reasonable threshold, or by aggregating across applicable measures (e.g. accounts and systems) on a pre-trade basis, and
  • establish well-defined procedures that clearly describe the process to adjust a threshold on both an intra-day and a permanent basis.

Firms fell short in the tailoring of erroneous trade controls, pre-trade financial thresholds, and the implementation and monitoring of aggregate capital or credit exposures.

Additional Observations

7)      Alternative Investments Held in Individual Retirement Accounts (IRAs)

FINRA found that some firms that maintained custody of customers’ alternative investment assets held in IRAs did not satisfy the requirements for establishing possession or control per the SEC’s Customer Protection Rule, did not accurately reflect customer positions on account statements of assets held away, and inaccurately prepared net capital and reserve formula computations.

8)      Net Capital and Credit Risk Assessments

Certain firms faced challenges assessing the creditworthiness of non-convertible debt or money market instruments they held in their inventory for client facilitation or other purposes, and did not adequately design or document their policies and procedures for monitoring and assessing creditworthiness. FINRA also noted that firms misapplied criteria in certain SEC no-action letters for determining if a security has a “ready market”, as well as the thresholds to determine if securities have minimal credit risk and the indices used as benchmarks for credit risk assessments.

9)      Order Capacity

Broker-dealers engaging in equities business also failed to comply with the requirement to enter the correct capacity code when reporting an off-exchange trade to a trade reporting facility. Such firms were noted to have failed to maintain written supervisory procedures reasonably designed to achieve compliance with trade reporting rules, to adequately train employees to indicate the capacity in order entry systems, and to supervise employees on the same.

10)      Regulation SHO

Firms using third party order management systems were of great concern to FINRA as it relates to meeting obligations under Regulation SHO. FINRA found such firms to be overly reliant on the third party systems and their ability to account for open sell orders. FINRA felt such firms were unable to adequately monitor activity as a result of limitations with vendor provided information. Firms also had weaknesses in their locate practices and continued to provide locates after available shares had been depleted.

11)      TRACE Reporting

FINRA found instances where fixed income broker-dealers had reported TRACE securities late (more than 15 minutes from the time of execution) and inaccurately, and had also failed to report transactions in TRACE-eligible securities because they did not have an updated list of TRACE-eligible securities.

We can help

FINRA’s extensive, wide-ranging list of topics exemplifies the need to have strong and comprehensive compliance arrangements in place. The summary should help firms determine the focus of their compliance programs for the upcoming year.

Bovill can provide a comprehensive review of compliance programs to help identify and assess the appropriateness and effectiveness of your firm’s governance systems and management of conflict of interest arrangements, as well as carry out regulatory due diligence work on your behalf to keep up on any changes and the impacts to your business.

If you have any questions about these requirements or need any other support, please contact us at 312-600-9992 or at info@bovill.com.
