In October 2019, the Financial Industry Regulatory Authority (FINRA) released its “2019 Report on FINRA Examination Findings and Observations” (the “2019 Report”). FINRA publishes a report yearly to highlight its examination “findings” (i.e., findings of violations committed by member firms) detected throughout the year. In addition to findings, the 2019 Report goes further than in years past and also includes “observations.” Observations (formerly known as recommendations) are suggestions to a member firm on how to improve its control environment to address weaknesses that do not typically rise to the level of a violation or cannot be tied to an existing rule.
Although the 2019 Report repeats many of the findings highlighted in previous years with respect to important topics such as suitability, anti-money laundering, segregation of assets, and best execution, the 2019 Report introduces new findings and expands upon findings made in previous reports. FINRA hopes that the 2019 Report, like previous reports, can assist member firms in navigating common pitfalls such as fixed income mark-up disclosures, direct market access controls, liquidity management, and net capital calculations.
FINRA’s new/expanded key findings involve hot topics such as supervision, digital communication, know-your-customer rules, cybersecurity, and business continuity plans. This GT Alert highlights certain of the new findings and observations within the 2019 Report.
Key New/Expanded Findings
FINRA Rule 3110 details member firms’ requirements concerning supervision. Member firms must “establish, maintain and enforce a system to supervise their activities and the activities of their associated persons that is reasonably designed to achieve compliance with securities laws and regulations, as well as FINRA rules.” Although supervision deficiencies have frequently been noted in previous reports, the 2019 Report advances the analysis of such deficiencies. In 2019, FINRA found supervision inadequate with respect to a broad range of operations at some member firms. Findings in this area included insufficient written supervisory procedures (WSPs) to address new or amended rules, limited branch supervision, limited internal inspections, insufficient supervision of accounts, insufficient supervision of account statements, and insufficient supervision of consolidated account reports and other forms.
Given the findings with respect to supervision, member firms may consider taking two practical steps to mitigate the risk of future violations. First, member firms should evaluate whether they need to review WSPs more frequently to ensure that they comply with new and/or amended rules and train personnel regarding such changes. Second, member firms should ensure that the processes for supervision set forth in the WSPs are implemented correctly, as FINRA has noted that even well-designed compliance programs can be deficient in implementation.
In a similar vein to supervision, the 2019 Report notes deficiencies concerning digital communications. For background, FINRA rules require that member firms create and preserve, in an easily accessible place, originals of all communications received and sent relating to their business. The 2019 Report notes that member firms used prohibited digital channels of communication and conducted prohibited electronic sales seminars. However, on a positive note, at least some member firms have maintained comprehensive governance processes, defined and controlled permissible digital channels, managed video content, trained registered representatives, and disciplined supervised persons for failing to comply with policy. As a starting point, member firms may wish to review their digital communications policies in these key areas.
Any discussion of digital communications deficiency tends to invoke a broader concern of a member firm’s cybersecurity practices. The 2019 Report includes several observations with respect to cybersecurity. Most notably, according to the report, member firms should be conscious of cybersecurity issues, maintain branch-level written cybersecurity policies to protect data, maintain formal policies and procedures to manage the lifecycle of vendor and third-party engagement, regularly test incident response plans, encrypt all confidential data, adopt procedures to implement timely application of system security patches, maintain policies and procedures to grant system and data access only when required, create and keep current an inventory of critical information technology assets, implement data loss prevention controls, provide robust cybersecurity training, and implement change management systems.
As a general precept, the 2019 Report posits a common theme of ever-changing technology and the rules that apply to it. Given the propensity for digital communications and cyber-attacks to evolve, member firms should remain cognizant of their digital communications and cybersecurity policies. Such policies should be reviewed frequently along with the WSPs.
Moving along, FINRA Rule 2090 (Know Your Customer) imposes a responsibility on member firms and their associated persons to use reasonable diligence to determine the essential facts concerning every customer and the authority of each person acting on behalf of such customer. The 2019 Report finds that some member firms did not establish, maintain, or enforce a supervisory system reasonably designed to achieve compliance with their continuing obligation to know the essential facts of minor customer accounts subject to UTMA or UGMA (UTMA/UGMA Accounts).
Member firms should be extra cognizant with respect to UTMA/UGMA Accounts. FINRA believes that the nature of these accounts requires that member firms track them properly. The 2019 Report highlights how some member firms successfully monitored such accounts. These member firms provided notifications to custodians to advise them that beneficiaries were approaching the age of majority, and notified registered representatives with automated alerts when beneficiaries reached the age of majority. FINRA will surely look to ensure that such practices are followed in its future exams.
Lastly, the 2019 Report makes a number of findings concerning inadequate Business Continuity Plans (BCPs). FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information) requires member firms to create and maintain a written BCP. Key findings include BCPs that did not identify mission-critical systems, insufficient capacity to handle substantial call volume during business disruption, failure to update BCPs after significant operational changes, BCPs containing outdated emergency contact information, employees maintaining critical working documents on their computers, and managers not maintaining the required registered principal registration. However, FINRA does observe that some member firms have engaged in annual BCP testing and correctly incorporated testing results into firm training.
Given both the new findings and previous findings, a keen-eyed observer can gauge themes developing within FINRA’s examinations. These themes center on the need for member firms to stay up-to-date with relevant regulations, their customers, and increasingly evolving technology.
Please be advised that following reports, such as the 2019 Report, serves only as a reactive measure to stay in compliance. Also, this GT Alert is not meant to be read as a substitute for reading the 2019 Report or any of the rules noted therein. However, if you have any questions with respect to the 2019 Report or on how to improve your firm’s compliance practices, please don’t hesitate to reach out to any of the GT attorneys listed below. We would be happy to assist you in navigating this developing web of rules and regulations.