Each year, FINRA releases its Risk Monitoring and Examination Priorities letter, and this year, the letter is back but has a new name: 2021 Report on FINRA’s Examination and Risk Monitoring Program (the “Report”). In 2020, FINRA focused on issues including Reg BI and Form CRS, communications with the public, cash management and bank sweep programs, best execution, digital assets, cybersecurity and technology governance, among a few other topics.
FINRA continues to emphasize several key areas. Regardless of topic, FINRA encourages firms to be proactive in identifying and remedying perceived deficiencies in their supervisory and compliance structure. Based on what we see in our practice and anticipating where the industry is heading, we wanted to draw particular attention to certain notable topics. If you or one of your colleagues has any questions regarding these or other regulatory issues, the attorneys at Reminger are available to assist.
Regulation Best Interest (Reg BI) and Form CRS
Despite the challenges imposed on FINRA members by the COVID-19 pandemic, the Reg BI compliance deadline came and went on June 30, 2020 as planned. Reg BI establishes a “best interest” standard of conduct for broker-dealers and associated persons when they make a recommendation to customers of a securities transaction or investment strategy involving securities, including account-type recommendations. In addition, Reg BI requires that firms provide retail customers with a brief relationship summary called Form CRS, which details information related to fees, conflicts, and services to be provided.
In the Report, FINRA has reminded members to consider whether they have adequate policies and procedures in place addressing Reg BI’s various requirements, including the filing, updating and delivery of Form CRS. Unfortunately, this is a continuously evolving process and FINRA has not provided any guidance, or exam findings included in the Report. FINRA simply notes that it is in the early stages of reviewing for compliance with Reg BI and Form CRS and states that it anticipates issuing a separate publication describing Reg BI and Form CRS exam findings once more exams have been conducted.
Industry commentary shows that the first exams to look at Reg BI compliance focused on ensuring that firms were using their best efforts and taking steps to implement and comply with Reg BI, even if those steps were not 100% correct. However, that focus has begun to shift and now it appears that examinations are moving towards a more traditional compliance review to determine whether firms are actually in compliance with the establishment, implementation, and enforcement of these new standards.
Consolidated Audit Trail (CAT)
FINRA has made a point to highlight the Consolidated Audit Trial (“CAT”) Compliance Rule along with Exchange Act Rule 613 (collectively, the “CAT Rules”), which cover reporting to the CAT; clock synchronization; time stamps; connectivity and data transmission; development and testing; recordkeeping; the timeliness, accuracy and completeness of data; and compliance dates. In the past, FINRA has described certain practices and recommended steps that firms should consider when developing and implementing their CAT Rules compliance program.
To remind members of their CAT obligations, the Report poses various questions designed to ensure that all member firms that receive or originate orders in National Market System (NMS) stocks, over-the-counter (OTC) equity securities or listed options report to CAT. Further, firms are reminded that all proprietary trading activity, including market making activity, is subject to CAT reporting. There are no exclusions or exemptions for size or type of firm or type of trading activity. Finally, as with Reg BI, FINRA states that it is in its early stages of reviewing for compliance and therefore the Report does not include any exam findings.
As has become commonplace over the last year, many registered representatives and associated persons of FINRA member firms continue to work remotely, which has created a myriad of security issues. This has led FINRA to state its concern that member firms’ cybersecurity programs are up to snuff. This is because the increased reliance on technology for customer-facing activities, communications, trading, operations, and compliance programs present an increased risk for cybersecurity breaches. While cybersecurity has been a strong concern of FINRA’s for a long time, these challenging times could pose an increased risk for potential cyber-based crime. In order to face these challenges, the Report includes that FINRA expects “firms to develop reasonably designed cybersecurity programs and controls that are consistent with their risk profile, business model and scale of operations.”
Further, the Report notes that FINRA has recently observed issues with firms’ data loss prevention programs, specifically branch policies, controls and inspections, training, vendor controls, access management, inadequate supervision of technology changes and upgrades, and firms’ lack of testing and system capacity. In addition, FINRA reports that it has recently observed increased numbers of cybersecurity or technology-related incidents at firms, including systemwide outages, email and account takeovers, fraudulent wire requests, imposter websites, and ransomware. In order to combat these growing threats, FINRA recommends that firms focus on insider threat and risk management; incident response planning, system patching, keeping current inventory of critical I.T. assets and cybersecurity controls; and implementing change management procedures.
Under FINRA Rule 2330, FINRA established sales practice standards for recommending and exchanging deferred variable annuities. These standards include requiring a reasonable belief that the customer has been informed of the various features of annuities and prior to a recommendation, requiring reasonable efforts to determine the customer’s age, annual income, investment experience, investment objectives, investment time horizon, existing assets and risk tolerance. The Report reminds member firms to have policies and procedures in place to ensure compliance with this Rule.
The Report further includes findings from variable annuity related exams. FINRA states that it found that firms’ supervision systems failed to address situations where customers were accepting buyouts, losing benefits and possibly paying higher fees with new products; that firms failed to supervise recommendations that were unsuitable; that firms were not performing sufficient review of the source of funds to purchase new variable annuities; and that firms were not conducting sufficient training to comply with Rule 2330.
The fact that the Report continues its practice of repeating priorities from prior years serves as a reminder for member firms to remain vigilant and proactive in modifying and improving existing supervisory systems. The topics included herein, while far from exhaustive, were selected because of FINRA’s particular interest in these areas.
Should you have any questions about FINRA’s 2021 Report or any other FINRA, SEC, or state regulatory issues, please contact a member of Reminger’s Financial Services Liability Practice Group.
This has been prepared for informational purposes only. It does not contain legal advice or legal opinion and should not be relied upon for individual situations. Nothing herein creates an attorney-client relationship between the Reader and Reminger. The information in this document is subject to change and the Reader should not rely on the statements in this document without first consulting legal counsel.
THIS IS AN ADVERTISEMENT
 FINRA Rule 6800, et seq.
 See Regulatory Notice 20-31 (FINRA Reminds Firms of Their Supervisory Responsibilities Relating to CAT).
 Id. at 9.
 See FINRA Rule 2330 (Members’ Responsibilities Regarding Deferred Variable Annuities)