General Publications November 7, 2019

“FINRA Exams Show Greater Cybersecurity, Comms Focus,” Law360, November 7, 2019.

Extracted from Law360

The U.S. Financial Industry Regulatory Authority recently released its 2019 report on its examination findings and observations. Although FINRA has released reports on its examination findings since 2017, this year’s report comes earlier than years prior, and takes pains to distinguish findings from observations, which member firms may find useful as they seek to integrate FINRA guidance into their compliance programs.

Since FINRA requires broker-dealer compliance programs to be both risk-weighted and tailored to the entity, firms should take particular note of FINRA’s separation of findings — which are FINRA’s determination of a violation of FINRA or U.S. Securities and Exchange Commission rules — from observations — which are suggestions for improvement.

The timing of the report and this new approach signals heightened expectations for compliance in several key aspects of firm activities. In particular, the report includes findings for all key topics except liquidity and credit risk management and cybersecurity, for which it instead provides observations and effective practices.

The lack of findings in these areas should not be read to indicate a lack of regulatory focus or rigor on those critical functions, but rather to be a result of the highly tailored, confidential and proprietary nature of those functions.

Supervision and Sales Practice

Not surprisingly, supervision features prominently in the report, and in contrast to prior years, is presented as a standalone category. Notably, the first finding relates to member firms not having adequate written supervisory procedures for new or amended rules.

While FINRA does not tie this observation directly to the new Regulation Best Interest, given the relatively close compliance date of June 2020, firms should be cognizant that adaptability to new rules is top of mind for FINRA. The report additionally highlights shortcomings in internal branch supervision and inspection programs, including inadequate understanding, inspection and/or documentation of review of all branch businesses.

FINRA’s discussion of sales practices should be familiar to firms based on past guidance and enforcement matters, including the supervision of product exchanges, identifying and monitoring for suspiciously timed changes to customer profile information and suitability red flags (e.g., similar recommendations across a variety of customers), and supervision of excessive trading. In addition, FINRA specifically identifies the unsuitable recommendation of complex options strategies as a concern for customers lacking the requisite sophistication or profile.

In addition, in a change from prior years, FINRA specifically identifies the supervision of accounts held for the benefit of minors under the Uniform Transfers to Minors Act and Uniform Grants to Minors Act. In particular, FINRA notes the lack of monitoring and controls to track and determine when the beneficiaries of these accounts reach the age of majority and establishing safeguards against the custodians who manage these accounts from continuing to effect transactions after the beneficiary comes of age.

New digital communications tools, applications and third-party services pose compliance challenges for fulfilling record-keeping requirements to maintain business-related communications as well as supervisory obligations to detect potentially violative conduct.

The report includes findings that indicate that firms must have the ability to retain business-related communications and monitor them for potential red flags. As social media and collaboration-driven applications become more prevalent, firms should expect FINRA to continue to examine and enforce supervisory and record-keeping requirements, and to view those new communication technologies as in-scope.

FINRA continues to stress anti-money laundering, or AML, compliance and the importance of firms’ obligations to monitor for suspicious activity under the Bank Secrecy Act and related rules and regulations. Specifically, FINRA found that certain firms have failed to properly tailor their AML monitoring to their relevant business lines and transaction activity, and noted the “ongoing misconception that securities trading does not need to be monitored for suspicious activity reporting purposes.”

FINRA also notes flawed procedures for monitoring third-party wire transfers and that certain introducing firms were overly reliant on their clearing broker-dealer to perform transaction monitoring and suspicious activity reporting.

Firm Operations

Cybersecurity risk management — particularly supervision of branch-level cybersecurity programs and oversight of third-party service providers — continues to be a key focus of FINRA examinations.

Although FINRA did not include any cybersecurity findings in the report, the observations closely track the 2018 report on selected cybersecurity practices, and particularly as it relates to branch office controls, asset inventory, data loss prevention, training and awareness, and access controls.

The report also highlights the importance of incident response planning and testing. FINRA observations suggest that firms with effective practices have not only implemented comprehensive policies and procedures to manage cybersecurity risk, but also regularly test and improve them based on the evolving threat landscape.

To that end, the report notes the use of auditing and inspection to verify branch-level compliance, the importance of testing and refining incident response plans, adherence to timely patch-management schedules, and the provision of training geared toward individuals based on their roles and responsibilities and tailored by threat profile.

FINRA scrutiny of business continuity plans includes findings relating to incomplete identification of mission-critical systems; insufficient capacity to handle increased customer call volume and online activity; and outdated plans – both in terms of operational changes and escalation contacts, and written procedures to allow customer access to accounts during a significant business disruption.

Consistent with cybersecurity risk management, business continuity plans should be updated to reflect relevant upgrades that are otherwise part of information technology and security improvements. In this regard, the report’s findings related to incomplete system identification and outdated information may be avoidable if plans are tested annually and refreshed as key operational changes are made to a firm’s information technology and security infrastructure.

Market Quality and Integrity

Fixed income mark-up/mark-down disclosures remain a key topic in the report, and best execution is given expanded treatment compared to 2018's report.

FINRA’s mark-up concerns include firms that exclude or mischaracterize certain charges from its disclosures that should properly be included as part of the mark-up disclosure. In addition, FINRA notes that certain firms did not calculate, or accurately calculate, the prevailing market price determination, which should figure prominently in the assessment of the fairness of a given mark-up.

FINRA further notes that firms were not accurately confirming to the customer the same time of execution that was being reported in their required transaction reports (e.g., to FINRA’s Trade Reporting and Compliance Engine, or TRACE, facility).

FINRA details a number of deficiencies in firms’ best execution reviews, including failure to assess competing markets, specific order types and all required factors (e.g., speed, price and likelihood of execution).

FINRA also specifically identifies the conflict of interest associated with routing trade flow to affiliated venues (e.g., alternative trading systems) and not conducting adequate review of those practices. On a related point, FINRA identifies that firms were not adequately disclosing on their SEC Rule 606 disclosures certain material aspects of nondirected order flow to the firm’s own principal trading desk or affiliated venues.

Market access controls are a repeat topic compared to prior years, with FINRA emphasizing its findings on pretrade controls and written supervisory procedures regarding access to alternative trading systems, and how firms establish financial risk controls on specific trading desks or customers, including over intraday requests for changes from those customers.

Notably, FINRA identifies that certain firms had no basis for the conclusions made in the certification that is annually required of their CEO under the Market Access Rule. FINRA also faults firms for not having effective controls to prevent erroneous trades, as well as insufficient post-trade controls and surveillance to conduct “holistic post-trade and supervisory reviews for … potential manipulative” activity.

In a change from 2018, FINRA also highlights Regulation SHO compliance among its findings, particularly the failure of certain firms to monitor aged failures to deliver, which resulted in firms not properly closing out these fails. FINRA also faulted clearing firms for not accurately allocating fails to their correspondent firms, including inaccurately and inconsistently calculating those amounts.

Financial Management and Responsibilities

Compared to 2018, FINRA provides more detail on how member firms effectively manage liquidity and risk management. Without offering any findings on deficiencies, FINRA offered several observations on strong liquidity management programs, including developing clear plans for operating in a stressed environment, updating plans to reflect changes in firm business, conducting stress tests in a reasonable manner compared to the firm’s business model and deploying internal controls to ensure firms are accurately capturing exposure to credit risk, including increases and with affiliated counterparties.

As in prior years, FINRA flags a number of topics related to the key financial responsibility rules applicable to firms, namely customer protection (i.e., segregation and reserve of customer assets) and minimum net capital requirements.

FINRA found that for customer protection requirements, certain firms failed to keep adequate records of the forwarding of funds and had inadequate procedures for its possession or control processes, including required no-lien documentation from custodians. FINRA also identified inaccurate calculations in the customer reserve formula that did not properly account for related accounts or relied on inaccurate coding for certain account types.

FINRA describes several deficiencies in minimum net capital computations or processes employed by firms, including incorrectly applying haircut charges related to the creditworthiness of fixed income securities; assessing capital charges related to underwriting commitments; methods for classifying receivables, liabilities and revenue; recognition of insurance claims receivables and obligations; and documenting methodologies for expense-sharing arrangements with affiliates.


As part of its ongoing FINRA360 initiative, FINRA has been consolidating its examination and risk monitoring function from three different legacy programs into a single, integrated program. As FINRA continues to refine its examination programs, firms may wish to redouble their efforts to identify their own enhancements to their compliance programs and use the report to keep pace with FINRA expectations for supervision and compliance.

Although the course of future enforcement action is never certain, firms should be mindful that the report, while presented as constructive feedback, serves the related purpose of providing early warning of the potential drivers for future enforcement action.

In addition to its repeat and core themes governing supervision and sales practice, the report is noteworthy for its increasing granularity and specificity of observations related to cybersecurity risk management and evolving digital communication tools.

Moreover, as firms devote substantial time in the coming months to complying with Regulation Best Interest by June 30, 2020, they should consider taking advantage of the early release of the report to identify FINRA’s findings and observations to other existing regulations, and to scrutinize which ones are relevant to any potential gaps in the firm’s supervisory system.

Media Contact
Alex Wolfe
Communications Director

This website uses cookies to improve functionality and performance. For more information, see our Privacy Statement. Additional details for California consumers can be found here.