fined a large broker-dealer $2 Million for under-resourcing its compliance
function, thereby allowing unlawful short-selling. As the firm’s trading activity increased, the
firm continued to rely on a primarily manual system to monitor compliance with
Regulation SHO’s requirements. The
handful of employees tasked with monitoring trading requested more resources as
their 12-hour workdays could not adequately surveil the activity of 700 registered
representatives. FINRA alleges that the
firm routinely violated Regulation SHO by failing to timely close-out
positions, illegally routing orders, and failing to issue required
notices. As part of the settlement, the broker-dealer
also agreed to hire an independent compliance consultant.
TAKE: Firms need to track business activity to ensure that compliance and operations
infrastructure keep up with the business.
A good metric is whether the firm spends at least 5% of revenues on compliance
infrastructure including people and technology.
At the very least, member firms should review their 529 Plan recommendations to see if they have exposure and then take action to remediate. Because of the broader implications of an enforcement action and individual liability, we recommend consulting counsel about whether to self-report.
FINRA has issued a report on cybersecurity best practices to assist firms in the development of their cybersecurity programs. FINRA notes that it continues to see “problematic cybersecurity practices” during examinations and that firms identify cybersecurity as a “primary operational risk.” The report focuses on strengthening cybersecurity controls in branch offices, ways to limit phishing attacks, how to mitigate insider threats, the elements of an effective penetration testing program, and adequate controls for mobile devices. The report also includes an appendix that lists core cybersecurity controls for small firms including patch maintenance, access management, vulnerability scanning, and email protection.
The 19-page report does a good job describing every cybersecurity nightmare scenario, which may be instructive for those C-suite executives still in denial. The best part of the report is the small firm appendix that focuses on key issues.
FINRA has released its 2018 Examinations Findings as a “resource for firms to strengthen their compliance programs and supervisory controls.” FINRA says the report selected certain observations because of “their potential significance, frequency, and impact on investors and the markets.” The report highlights widespread deficiencies in suitability policies and procedures including “quantitative suitability” (i.e. series of transactions), overconcentrations, excessive trading, and variable annuities. FINRA also cites widespread failures to ensure fulsome disclosure of fixed income mark-ups, reasonable private placement due diligence, and abuse of discretionary authority. The broker-dealer regulator summarizes other concerns including anti-money laundering, net capital and customer protection calculations, best execution and outside business activities.
This extensive list (15 pages) covers many of FINRA’s greatest regulatory hits. It’s a great document for new compliance officers because it covers a wide range of broker-dealer compliance requirements. Rather than helping compli-pros focus resources, it works better as a checklist to verify that the firm has addressed the most serious regulatory requirements.
Ray Calvano of Cipperman Compliance Services recently attended the FINRA Annual Conference in Washington. Major speakers included FINRA President and CEO Robert Cook and SEC Chairman Jay Clayton. Mr. Clayton cited the SEC’s continuing concerns about cryptocurrencies and ICO offerings. He also tried to offer some insight into the new Regulation Best Interest and what it means for broker-dealers. The Conference also addressed how FINRA could tailor its regulations to the needs of smaller firms. Feel free to contact Ray if you want more information.
FINRA released its annual Regulatory and Examination Priorities Letter identifying areas of FINRA focus for 2018. FINRA announced a focus on fraud including insider trading, microcap pump-and-dump, Ponzi schemes and the resulting referrals to the SEC, even if the wrongdoing is outside of FINRA’s jurisdiction. FINRA will also target supervision practices including the hiring and review of high-risk brokers, branch offices, and outside business activities. New this year is a focus on cryptocurrency offerings and the role registered reps play in effecting transactions. FINRA also highlights best execution, cybersecurity, anti-money laundering, and business continuity. Consistent with prior years, FINRA will devote resources to customer protection and net capital, suitability, and liquidity risk.
OUR TAKE: Compli-pros should use the Priorities Letter as a checklist to review the Written Supervisory Procedures. FINRA generally means what it says and addresses these topics during exams.
FINRA has issued a report summarizing its observations on the compliance and supervision issues arising from recent examinations. Highlighted concerns include cybersecurity, outside business activities, anti-money laundering, product suitability, best execution, and alternatives in IRA accounts. FINRA found weaknesses in cybersecurity programs including failure to control access to data, insufficient risk assessments, and inadequate vendor supervision. FINRA expressed concerns about failures to report OBAs and failures to execute adequate reviews or retain documentation. AML programs fell behind as firms changed and grew but failed to properly resource growing AML volume. FINRA raised suitability concerns over recommendations of UITs, fund share classes, and complex products. FINRA hopes that firms will use the report as a “resource in tailoring their compliance and supervisory programs to their business.”
OUR TAKE: It’s always good to get more transparency into the examination program. What’s less clear is how firms should react to this information especially since FINRA generally issues its examination priorities letter in January. Regardless, expect FINRA to focus on these issues during cycle exams.
The SEC has upheld a FINRA bar of a registered rep for failing to timely respond to FINRA’s requests for information. Following the filing of a U5 indicating the rep was terminated for failure to comply with firm policies and disclosure obligations, FINRA initiated an investigation. The respondent repeatedly failed to respond to requests sent to his CRD address. Eleven months after the initial request and 9 months after the bar became effective, the respondent sought relief from the bar on the grounds that health issues prevented his timely response. The SEC rejected his argument because he continued to work and remain active and failed to timely respond as reasonably practical.
OUR TAKE: The regulators will proceed with penalties if you ignore their requests for information. Once penalties, such as an industry bar, are imposed, it becomes very difficult to demonstrate good faith.
OUR TAKE: Most of the financial regulators use their enforcement powers to collect funds to support their activities. Rather than encourage this financial incentive to bring cases, policy-makers should consider other alternatives such as third party compliance reviews or user fees.
FINRA has published a Regulatory Notice that provides guidance on the content, recordkeeping, and supervision of certain digital communications. FINRA clarifies that text and chat messages with clients must be retained as customer communications to the same extent as written or email communications. FINRA also offers guidance on when broker-dealers adopt or become entangled when using hyperlinks and other third party content. Sharing content through hyperlink will make a firm responsible for the third party content unless the third party site is dynamic, ongoing, and not influenced by the firm. However, a firm may not use a link to a third party that the “firm knows or has reason to know contains false or misleading content.” FINRA also offers guidance on the use of native advertising, mandating that such content disclose the firm’s name, any relationship, and whether mentioned products or services are offered by the firm. FINRA will allow unsolicited third party opinions posted on social media sites (e.g. “likes” on Facebook) so long as a registered representative does not subsequently endorse the third party opinion. FINRA makes clear that the guidance does not change prior rules and does not interpret SEC rules that apply to advisers.
OUR TAKE: Give FINRA credit for its ongoing regulatory guidance that reflects evolving social media and digital content. The guidance on texts, chats and hyperlinks are fairly reasonable. The challenge for compliance officers is to find emerging technologies and systems to capture the emerging content.