FINRA’s 2022 Report on Examination & Risk Monitoring Program

Burr & Forman

For the last couple of decades, the securities self-regulatory organization FINRA (f/k/a NASD) has informed its membership each year of the compliance risks noted by its examination program. Those are risks firms should address, and they might also be harbingers of enforcement focus for the coming year. Years ago, it was the “Errico Letter” – a friendly reminder from NASD’s Head of Member Regulation. Then it became the Examination Priorities Letter. Now it’s a Report, but with a more useful assemblage of the Rules and Resources applicable to each risk called out.

Some risks have made the hit parade for over 20 years running, but some are new each year. Among the new risk items for 2022 are several categories relating to the meme-stock short-squeeze at the beginning of last year and its continuing fallout.

New for 2022

Muni Shorts & Fails – Muni shorts and fails can result in taxable substitute interest to customers expecting tax-free transactions, as detailed in Reg. Notice 15-27. Firms trading municipal securities need to have systems in place to monitor muni trading and controls to prevent substitute taxable interest.

Trusted Contacts – Rule 4512(a)(1)(F) requires firms to make reasonable efforts to obtain “trusted contact” information for non-institutional customer accounts. The rule is part of the effort to protect customers, especially older ones, from financial abuse. The Report found that too many firms made too little effort to obtain the information that would allow firms to inquire about suspected elder (or other) abuse without violating Reg. SP privacy standards.

Crowdfunding & Portals – JOBS Act and Funding Portal provisions allowed these alternative forms of raising capital, but required concomitant disclosures. The Report found that many firms were not making those disclosures fully available to customers.

Margin & Intraday Trading – Rule 4210(g) permits firms to apply portfolio-based margin requirements, but FINRA noted that firms failed to have comprehensive risk methodologies, to apply them appropriately during intraday volatility, and to monitor them in real time.

Among the Perennial Favorites

AML – Broker-dealers are covered financial institutions under the Anti-Money Laundering (“AML”) provision of the Bank Secrecy Act (“BSA”) and Treasury’s FinCEN regulations. FINRA Rule 3310 requires firms to maintain and enforce a system of AML supervision and compliance.

  • Inadequate CIP, suspicious transaction reporting, and risk-based procedures coincident with a rise in online account opening and trading
  • Low-priced securities, IPOs for China-based issuers
  • Reflects a growing inter-agency emphasis on AML compliance and enforcement.

OBA – Rules 3270 (Outside Business Activities) and 3280 (Private Securities Transactions) prevent registered persons from receiving compensation for business activities not carried on the firm’s books and records (so, theoretically due-diligenced and approved by the firm). FINRA’s exams are still finding basically superficial programs that don’t drill down enough on specifics, don’t question collateral risks, and don’t continue to monitor OBA.

Cybersecurity remains a recent, but consistent, risk concern and one of the Report’s “Highlights.” Risk concerns focus on hacking, phishing, and identity theft. Rule 30 of SEC Regulation SP, on safeguarding customer information, and FINRA Rule 4370, requiring Business Continuity Plans, both impose cybersecurity obligations.

Risk Assessments – FINRA noted that many firms have inadequate risk assessment programs, among them: lack of ongoing risk assessments; failure to conduct regular penetration testing; and failure to test implemented controls.

Data Loss Prevention – Firms failed to encrypt all customer and firm-sensitive confidential data and did not protect data by implementing “least privilege” access policies.

Training – Firms often did not do enough to train their own personnel (and vendors) on cybersecurity risks, or to conduct incident-response planning.

Vendor Controls – Firms were not implementing downstream vendor controls, training, and requirements.

Inadequate Change Management Controls and Supervision – Supervision and compliance were not involved enough in oversight of application and technology changes that can inadvertently compromise cybersecurity.

Reg BI/Form CRS – Noted among the Report’s “Highlights,” Regulation Best Interest and Form CRS compliance continues to be an area of regulatory focus. FINRA noted a long list of exam deficiencies. As Reg BI enters its second year, regulators are finished cutting firms “transition” slack and are bringing enforcement actions instead.

VA’s – Variable Annuities have been on the list every year since its inception. Rule 2330 sets out sales-practice requirements. The Report found that firms insufficiently train their personnel and often have poor data quality and analysis. Know that FINRA Enforcement just seems to take a dim view of VA’s, so be prepared.

Best Ex – Order handling, best execution, and conflicts of interest have been on the priorities list often, but Rule 5310 compliance has become a significant focus in the wake of last year’s meme-stock short-squeeze and its ensuing fallout. The Report notes FINRA is conducting a continuing sweep review of wholesale market makers.

Disclosure of Routing Information was added to the list this year as part of this tangle of issues.

Risks Foreshadowed by 2021 Sweep Exams

Every year, FINRA conducts “sweep” exams on targeted subjects of interest: https://www.finra.org/rules-guidance/guidance/targeted-examination-letters

SPACs were a Report “Highlight” in addition to a sweep exam request during the year. The risk concerns focus on due diligence, conflicts of interest, and adequacy of investor disclosures.

Social Media Influencers were included in the Report’s “Highlights,” together with the use of mobile apps as continuing areas of concern over “gamification” of trading that arose in the wake of the meme-stock short squeeze in early 2021.

The full report can be found here.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
