On Tuesday, FINRA released its 2024 FINRA Annual Regulatory Oversight Report* to provide member firms with insights collected from the agency’s Member Supervision, Market Regulation and Enforcement programs.
The report is intended to provide transparency to member firms and the public about its regulatory activities and as an information source they can use to strengthen their compliance programs.
The document addresses some tried and true topics, such as anti money laundering (AML) and sanctions compliance, cybersecurity and Regulation Best Interest, but it also introduces several new content areas.
Those new areas target crypto assets; information related to artificial intelligence’s potential impact on firms’ regulatory obligations; Market Access Rule guidance; and guidance on the supervision and retention of off-channel communications.
New technologies, new threats
FINRA notes that new technologies invite new risks and require special attention, particularly requiring the monitoring of whether and how they are performing as intended and building supervisory controls around them.
The agency reminds member firms that technology vendors are key partners, but they must be closely monitored. FINRA asks firms to assess the adequacy of their supervisory controls for managing such things as vendor onboarding and offboarding, access controls, and contingency plans for when a vendor cannot perform its duties.
In terms of a firm’s own technology, the agency stresses having strong business continuity plans that anticipate and prevent technology disruptions.
“In my time in the industry, I’ve rarely seen one issue permeate legal and compliance as off-channel communication has in the last year or two.”
Michael Solomon, head, FINRA national examination program
The oversight report highlights a list of cybersecurity concerns, specifically asking what steps the business has taken to prevent such things as business email compromises and phishing attempts, and to practice an incident response plan, including one that anticipates a cyber incident occurring at a critical vendor.
And it adds emphasis this year to the periodic training of staff to thwart attacks such as phishing and social engineering ones.
FINRA says that while AI tools may present promising opportunities, firms must consider real concerns about accuracy, privacy, bias and intellectual property, among others. “As member firms continue to consider the use of new technologies, including generative AI tools, they should be mindful of how these technologies may implicate their regulatory obligations,” FINRA says.
Crypto-asset developments
A new section was dedicated purely to crypto assets, thanks to the expansion in crypto asset-related activity by member firms.
Member firms have been approved to engage in crypto activities, such as serving as placement agents in private placements of crypto asset securities, operating alternative trading systems for crypto asset securities, and providing custodial services for crypto asset securities.
The agency advises firms to prepare for and mitigate their crypto asset-related risk exposure by reviewing and evaluating their supervisory programs and how they interact with that crypto-asset activity. Some of those areas include cybersecurity controls, AML compliance programs, and establishing policies, procedures and controls related to their associated persons’ involvement in crypto asset-related outside business activities and private securities transactions.
The violations FINRA has seen by member firms and associated persons have generally involved:
- Communications with the public: Failing to disclose relevant risks associated with crypto products and services in such communications.
- Supervision: Failing to conduct appropriate due diligence on crypto-asset private placements recommended to customers.
- AML programs: Failing to create AML programs reasonably designed to detect suspicious crypto asset trading and transactions.
In a FINRA-produced podcast (and accompanying transcript) centered on the new oversight report, Ornella Bergeron says: “I really just also want to make sure we’re reminding firms that it is really important for firms to let us know their involvement or their affiliates’ involvement in crypto assets … or they plan to engage in crypto activities.”
Books and records – off-channel comms
FINRA’s report reminds firms that as of January of last year, the SEC amended Rule 17a-4 to modify the requirements regarding the maintenance and preservation of electronic records, including the use of third-party recordkeeping services to hold records and the prompt production of records.
Quite noticeably, there is zero tolerance for these types of failures from regulators such as FINRA, the SEC and the CFTC as a point of principle, despite the lack of evidence of customer harm.
SEC Enforcement Division Director Gurbir Grewal has reiterated a point that sums up his agency’s laser focus on them. The whole reason his agency cares so much about these records is because it cannot properly do its job investigating businesses if it does not have access to the firm’s records, including these types of business-related communications.
Best practice and compliance
In the above-mentioned podcast about FINRA’s new oversight report, Michael Solomon said this about recordkeeping that relates to off-channel communications: “In my time in the industry, I’ve rarely seen one issue permeate legal and compliance as off-channel communication has in the last year or two. It’s an area that we know is of keen interest to firms, and firms are asking questions about best practices and compliance in this space.”
He notes that some firms allow business communications on non-firm-provided platforms (apps); which means the agency is then looking to see how the firm reasonably supervises the activity and preserves the communications. And some firms have outright prohibitions against text-messaging or using non-firm platforms; which means the agency is then examining how employees are complying with that policy and how the firm is disciplining for violations of it.
Additions to the report this year include asking firms to consider how they communicate to associated persons any prohibition against using unapproved off-channel communication methods for business communications.
And it asks firms to consider how they surveil their employees in general and for red flags specifically, such as any signs of an underutilization of approved channels, since this could mean the associated person is using an unapproved channel for business communications.
Market Access Rule
Exchange Act Rule 15c3-5, or the Market Access Rule, requires firms with market access or that provide market access to their customers to appropriately control the risks associated with market access so as not to jeopardize their own financial condition, that of other market participants, the integrity of trading on the securities markets and the stability of the financial system.
A few of the related considerations FINRA notes in this area are:
- If your firm has or provides market access, does it have reasonably designed risk-management controls and WSPs to manage the financial, regulatory or other risks associated with this business activity?
- If your firm is highly automated, how does it manage and deploy technology changes for systems associated with market access; and what controls does it use, such as kill switches, to monitor and respond to aberrant behavior by trading algorithms or other impactful market-wide events?
- How does your firm adjust credit limit thresholds for customers, including institutional customers (whether temporary or permanent)?
- Does your firm maintain documentation to demonstrate the reasonableness of its controls and corresponding parameters?
Concluding points
The oversight report concludes by mentioning some of the ways in which member firms have used its report – among other FINRA guidance documents – to enhance their compliance programs.
They included referring to them as part of their risk assessment processes; looking for gaps in their compliance programs (especially their written supervisory procedures) that could lead to issues; using them as training for personnel and in presentations to business leaders; and engaging the legal department for additional guidance on these regulatory obligations.
*The 2021-2023 versions of the report were published under a previous title; the new title is meant to represent integration among the agency’s regulatory operations programs and its use by member firms as an information source to strengthen their compliance programs.