Recently, the Financial Industry Regulatory Authority (“FINRA”) released a report detailing its observations from its cycle examination program. FINRA hopes the report will assist broker-dealers in strengthening their compliance with securities rules and regulations. FINRA noted that the report does not represent a complete inventory of observations about the industry as a whole, does not imply that any issues discussed exist at any particular firms, and should not be read as creating new legal or regulatory requirements or new interpretations of existingrequirements. The report discusses six areas that FINRA discovered that many firms had similar deficiencies in. The areas include Cybersecurity, Outside Business Activities and Private Securities Transactions, Anti-Money Laundering Compliance Program, Product Suitability, Best Execution, and Market Access Control.
It should be no surprise that cybersecurity is one of the principal operational risks highlighted by FINRA. Among the common threats observed during the examinations include phishing and spearphishing attacks, ransomware attacks and fraudulent third-party wires. FINRA suggests that firms should address several areas in order to improve their cybersecurity program against these threats. A few of the areas discussed include access management, segregation of duties, and data loss prevention.
Outside Business Activities and Private Securities Transactions
During the examinations, FINRA found that many firms failed to meet their obligations under FINRA Rules 3270 and 3280. The rules require registered representatives to notify their firms of proposed outside business activities (OBAs), and all associated persons to notify their firms of proposed private securities transactions (PSTs), respectively.
Anti-Money Laundering Compliance Program
Firms are required to develop and implement a written AML program that is reasonably designed to comply with the requirements of the Bank Secrecy Act (BSA). However, FINRA observed that many firms failed to maintain adequate policies and procedures for suspicious activity. Additionally, in cases where firms delegated aspects of their suspicious activity monitoring program to non-AML staff, potentially suspicious activity was not escalated appropriately. Lastly, FINRA reported deficiencies in the firms’ monitoring systems due to gaps in the data feeding those systems that were created.
FINRA observed that many firms failed to meet their suitability obligations to customers. Specifically, with products such as unit investment trusts (UITs) and certain multi-share class and complex products, such as leveraged and inverse exchanged traded funds (ETFs). Additionally, Firms failed to provide training to their registered representatives with respect to suitability issues as it relates to the products mentioned.
Firms are required to execute customers’ orders in a way to obtain the most advantageous terms for the customer. Upon examination, it was found that many firms failed to implement and conduct an adequate regular and rigorous review of the quality of the executions of the customers’ orders which is critical to the supervision of best execution practices.
Market Access Control
As it relates to Market Access, FINRA found that many firms that provide market access fail to establish pre-trade financial thresholds, implement and monitor aggregate capital or credit exposures, and tailor erroneous trade controls. Additionally, FINRA found that many firms did not appropriately apply the Market Access Rule to some or all of their fixed income activities.
Within the report, FINRA notes the processes that many firms have successfully implemented to address the areas discussed. Firms should read FINRA’s report, assess their programs and procedures, then make any necessary changes.