Troutman Pepper

Who Needs to Know
FINRA member firms

Why It Matters
The 2021 Report on FINRA’s Examination and Risk Monitoring Program serves as an authoritative resource for member firms to evaluate and, where necessary, enhance their compliance programs and operations procedures. The Report addresses 18 different regulatory obligations, which are grouped into four categories: (1) firm operations; (2) communications and sales; (3) market integrity; and (4) financial management.


Last month, FINRA published its 2021 Report on FINRA's Examination and Risk Monitoring Program (Report). The Report serves as an authoritative resource for member firms to evaluate and, where necessary, enhance their compliance programs and operations procedures. The 46-page Report provides insights regarding: (1) FINRA's recent examination findings; (2) regulatory obligations, concerns, and risks; and (3) best practices for compliance and supervisory policies and procedures. The Report replaces two of FINRA's prior annual publications — the Report on FINRA Examination Findings and Observations (which outlined examination results) and the Risk Monitoring Examination Priorities Letter (which outlined key focus areas that FINRA planned to review in the upcoming year).

The Report addresses 18 different regulatory obligations, which are grouped into four categories: (1) firm operations; (2) communications and sales; (3) market integrity; and (4) financial management. For each regulatory obligation, the Report summarizes: (1) the applicable federal securities laws, regulations, and FINRA rules, as well as related considerations for member firms; (2) noteworthy findings from and effective practices observed in FINRA's recent examinations, including emerging risks; and (3) additional resources that may be helpful to member firms.

Notably, the Report does not address exam findings or best practices related to certain key current events, including operations adjustments and other considerations by firms related to the COVID-19 pandemic. FINRA advised that its reviews regarding these issues will be addressed in a future publication.

Key Regulatory Risks Addressed

While the Report provides information on a wide range of regulatory obligations, it specifically highlights certain obligations that impact compliance programs at many member firms. The Report also identifies emerging risks related to several of the regulatory requirements. These risks are summarized by category below, along with FINRA's recommendations for addressing these risks.

Firm Operations

Anti-money laundering (AML) has been a significant focus of FINRA examinations, and a robust and multifaceted compliance program is necessary to ensure compliance with FINRA Rule 3310 and the Bank Secrecy Act. As discussed in the Report, FINRA identified several firms that maintained deficient AML compliance practices, including inadequate AML transaction monitoring, laxity in suspicious activity reports disclosure and reporting, and failure to incorporate cash management accounts into the AML risk framework. Concerning AML obligations, the Report identifies three types of emerging risks that FINRA observed in recent examinations. The first concerns fraud and financial crimes related to low-priced securities transactions through omnibus accounts, particularly those maintained for foreign financial institutions and foreign affiliates of U.S. broker-dealers. The second pertains to foreign national and foreign entity nominee accounts opened solely to trade in issuers based in restricted markets. The third involves a series of risks associated with the formation and initial public offerings of special purpose acquisition companies (SPACs), including lack of adequate written supervisory procedures (WSPs) that would require independent due diligence of SPACs' sponsors. In addition to these WSPs, FINRA recommends that firms implement procedures that address other potential risks related to SPACs, such as misrepresentations and omissions in offering documents and communications with shareholders about SPAC acquisition targets.

The Report outlines several best practices that should be encompassed in an effective AML program, which generally center around: (1) robust customer identification and account verification protocols to capture red flags; (2) transaction monitoring and routine risk assessments; (3) establishing strong communication channels between AML and other departments to ensure proper reporting and disclosure; and (4) training and education programs specific to AML obligations.

Cybersecurity has also been a key issue for FINRA in recent years because operational deficiencies in the cyber realm can result in data breaches, customer data leaks, and other significant challenges. Although cybersecurity issues have been a focus of FINRA annual reports for a while now, this concern is magnified as a result of the COVID-19-imposed remote work protocols at most member firms. For regulatory obligations related to cybersecurity, the Report emphasizes that FINRA has observed an increase in cybersecurity and technology-related incidents at firms simultaneous with the recent increase in remote work and virtual client interactions. These incidents include systemwide outages, email and account takeovers, fraudulent wire requests, imposter websites, and ransomware. To mitigate these emerging risks and protect firms' nonpublic information, FINRA recommends specific cybersecurity controls and best practices, including implementing timely application of system security patches to critical firm resources (e.g., servers and network routers) and change management procedures to test, review, and manage hardware and software changes.

FINRA rules require registered representatives to report to their firms in writing (and obtain approval for) any outside business activities (OBAs) or private securities transactions (PSTs). However, these requirements can be more difficult to monitor in a remote work environment. In particular, the Report identifies the COVID-19-related Paycheck Protection Program (PPP) loans as an area of emerging risk. For example, FINRA observed instances where advisors received PPP loans for outside businesses that were not reported to their firms. Additionally, with the increase in investments in digital assets, the exam findings concerning PSTs noted instances, where those assets were not accounted for in assessing or supervising PSTs.

In this aberrational environment, it is important for firms to update their policies and procedures to carefully account for outside activities and investments more easily conducted (and not disclosed) due to a remote work platform. The Report encourages firms to closely monitor advisors' email communications, financial reports, and public records to detect potential outside activities, and to perform more robust background checks both before and during the advisors' association with the firm. More frequent and comprehensive training on outside activities may be warranted regarding digital assets — including information specific to whether and when a digital asset constitutes a private securities transaction.

Communications and Sales

The Report explains that FINRA will continue to focus on whether member firms have established and implemented policies, procedures, and a supervision system reasonably designed to comply with Regulation Best Interest (Reg BI) and Form CRS. The SEC's Reg BI establishes a "best interest" standard of conduct for broker-dealers and associated persons when they make a recommendation to retail customers of any securities transaction or securities-related investment strategy. Broker-dealers must provide retail investors a relationship summary (Form CRS) of the types of client and customer relationships and services offered by the firm.

The deadline for the SEC's implementation of Reg BI was in June 2020 — in the middle of the COVID-19 pandemic. As a result, FINRA is still in the early stages of its Reg BI and Form CRS exams, and the Report does not contain exam findings or best practice suggestions, but it refers member firms to previously published considerations and materials on Reg BI and CRS. The Report notes, however, that in 2021 FINRA intends to "expand the scope" of its Reg BI and Form CRS reviews and testing. As a result, firms can expect to see a comprehensive report from FINRA on its expectations concerning Reg BI mandates, and as the Report also states, FINRA will pursue firms that run afoul of those mandates.

FINRA has historically placed great emphasis on regulatory considerations stemming from communications with the investing public. With respect to such regulatory obligations, FINRA notes its increasing focus on how member firms supervise, comply with the recordkeeping obligations, and address risks relating to new digital communication channels, particularly app-based platforms with interactive or "game-like" features. The Report recommends that firms implement and maintain comprehensive procedures for digital communication channels, including monitoring new channels and features; defining and enforcing permissible and prohibited channels; supervising each channel; and developing WSPs for video content protocols.

Here again, FINRA also addresses risks associated with digital assets. In fact, the Report lists effective procedures for communications regarding digital assets, such as a thorough risk disclosure and review of communications to ensure they did not exaggerate potential benefits of digital assets or overstate the status of digital asset projects. The Report also addresses communications regarding cash management accounts and recommends that firms require new product groups or departments to conduct an additional review that ensures a firm's capability to support proposed cash management accounts.

Variable annuities have been a mainstay of prior FINRA annual reports, and FINRA has cautioned firms to inform customers clearly and accurately about the properties, fees, tax implications, and risks associated with these products. The Report contains findings that firms have not properly addressed issues where customers who accept variable annuity buyout offers may (among other things) lose benefits associated with their product. The Report confirms FINRA's continued evaluation of variable annuity buyout offers and exchanges under FINRA Rule 2330 and, when applicable, Reg BI.

In terms of effective practices for buyout offers, FINRA recommends a "holistic review" process by the firm's supervisory principal to ensure that all facets of the buyout and implications are appropriate for the customer. In addition, FINRA recommends extensive training to registered representatives regarding buyout offers, leveling registered representatives' compensation for buyout offers to mitigate potential conflicts of interest, and creating additional disclosures and post-transaction review. For variable annuities exchanges, FINRA recommends the use of automated surveillance, written rationales for exchanges from registered representatives, standardized review thresholds, and automated data integrity measures.

Market Integrity

The market integrity segment of the Report addresses issues, such as best execution for customer trades, market access, and large trader reporting — issues that are frequently the subject of FINRA exams. The Report also outlines Consolidated Audit Trail (CAT) reporting obligations for member firms that receive or originate orders in National Market System Stocks, over-the-counter equity securities, or listed options. These firms must report certain data to CAT and develop policies to ensure proper reporting. FINRA provides several key considerations for member firms developing and implementing their CAT Rules compliance program. These include assessing whether a firm's WSPs identify the individual responsible for review of CAT reporting and specifically describe the type, frequency, and evidence of reviews that will be conducted of the data posted on the CAT Reporter Portal. As with Reg BI, however, FINRA is in the early stages of reviewing for compliance with certain CAT obligations, and as a result, the Report does not address exam findings and best practices for CAT Rules (but refers firms to other resources on the topic).

With respect to the regulatory obligations for best execution, FINRA's focus remains on potential conflicts of interest in customer order-routing decisions, appropriate policies and procedures for different order and security types, and the sufficiency of firms' reviews of execution quality of customer orders. The Report also notes that FINRA is continuing its 2020 targeted review of member firms that have moved to "zero-commission" trading. This review evaluates (1) the potential adverse effects of the "zero-commission" model on firms' compliance with their best execution obligations; (2) how firms have used other practices to potentially offset lost commission revenue; and (3) whether firms prominently communicated restrictions and limitations of "zero-commission" structures and other fees charged to customers. FINRA's findings from this review will be addressed in a forthcoming publication.

Recommended Use of the Report for Compliance Programs

Finally, FINRA member firms should thoroughly review the Report to identify the findings, observations, and effective practices relevant to their business models. Member firms are encouraged to use the findings and best practices outlined in the Report to evaluate their compliance programs and operations procedures to identify possible deficiencies or gaps that could result in the types of exam findings highlighted in the Report. The Report may also serve as a road map to prepare for an examination. Where there are concerns in advance of an examination, member firms would be well served by including counsel who are familiar with these issues in their preparation for the examination.