FINRA Issues 2023 Report on Its Examination and Risk Monitoring Program

Sidley’s Takeaways

While the Report covers more than 20 regulatory areas, some common themes emerge. The Report continues the trend from last year’s report of increasing the emphasis on topic areas involving market integrity. The four new topic areas referenced above are market integrity focused, and firms should expect heightened regulatory scrutiny in these areas.

Best Execution and Rule 606

Firms should expect continued attention to best execution and compliance with the order routing disclosure requirements of Rule 606 of Regulation NMS. In particular, FINRA will continue to focus on

• the quality of “regular and rigorous reviews” of execution quality and how the results of these reviews affect broker-dealer routing decisions
• potential conflicts of interest including internalized order executions
• zero-commission firms and wholesale market makers’ order handling practices

As a result, firms should pay close attention to order handling and execution issues during FINRA examinations and inquiries, particularly given the recently proposed best execution rule from the Securities and Exchange Commission (SEC).²

Online Platforms and Digital Communications

The Report emphasizes FINRA’s commitment to analyzing the use of online platforms and digital communications, which have gained prominence particularly among newer, retail investors in recent years. The Report suggests that FINRA will

• pay particular attention to whether firms clearly disclose accurate information and risks through mobile apps and other digital communication platforms
• pay closer attention to firms’ communications relating to crypto assets and environmental, social, and governance (ESG) factors.

Financial Crimes

The addition of an entirely new section dedicated to financial crimes indicates that FINRA will be paying particular attention to cybersecurity issues. This comes as no surprise in light of the increasing number of cyberthreats financial firms continue to face. Firms can expect FINRA examinations to closely consider their cybersecurity risk management controls and other security, authentication, and surveillance mechanisms designed to protect against these threats.

Firms also should expect CAT reporting compliance to remain a focal point in examinations this year and should be prepared for the upcoming Customer and Account Information System (CAIS) reporting deadlines. Firms should also be prepared for examinations of Reg BI compliance to remain front and center as the Report indicates that FINRA expects firms to regularly update their approach to compliance with Reg BI and Form CRS.

Key Report Highlights

The Report is intended to provide broker-dealers with information to use to prepare for examinations and to review and assess compliance and supervisory procedures related to business practices, compliance, and operations. It also is an important preview of areas that may garner the interest of FINRA Enforcement. We summarize some key highlights of the Report below.

Communications With the Public

Mobile Apps

Following an increased focus noted in last year’s report, the Report identifies concerns with the potential for mobile apps to influence retail investor behaviors in ways that may be inconsistent with their stated investment goals or risk tolerance. In addition, the Report notes that FINRA has observed potential issues with some mobile apps not adequately distinguishing between products and services of the broker-dealer and those of affiliates or other third parties.

Key takeaways for firms using mobile applications:

• Clearly disclose the risks and features of products and services.
• Mobile apps should consider detailed customer information, including knowledge, investment experience, and investment objectives, when approving customer access to options or other complex products.
• Establish and implement a comprehensive supervisory system for communications on mobile apps so that statements are fair and balanced and do not contain false, misleading, or promissory statements.

Given the Report’s focus on mobile apps and FINRA’s statement that it will monitor how mobile apps disclose and explain risks of higher-risk products or services, expect FINRA to continue to scrutinize all mobile app disclosures and communications in the same manner as any other written communication.

Digital Communication Channels

According to the Report, FINRA has identified findings of insufficient supervision of and recordkeeping for digital communications. FINRA examinations also found that some firms did not have adequate processes to identify and respond to red flags of registered representatives’ communication through unapproved digital channels. Expect FINRA to continue to examine for policies on digital communications that address all permitted and prohibited communication channels and features and whether content on approved digital platforms meets the standards of FINRA Rule 2210. The Report indicates that FINRA will also pay close attention to firms’ supervision and maintenance of books and records in accordance with SEC and FINRA rules for all digital communications with the public. Firms’ policies and procedures for reviewing red flag indicators of potential off-channel communications take into consideration customer complaints, email communication review, outside business activities reviews, and advertising reviews.

ESG Communications

The Report highlights FINRA’s findings that some communications promoting ESG factors were inconsistent with or unsupported by the fund’s offering documents or contained other unsubstantiated or misleading information. Expect FINRA to pay close attention to firms’ procedures related to ESG communications, including that such procedures are designed such that ESG-related claims are supported by the fund’s offering documents and any risks specific to ESG funds are clearly described.

Crypto Asset Communications

The Report explains that in November 2022, FINRA launched an ongoing targeted examination into firms’ crypto asset retail communications. The examination is designed to evaluate the extent to which these communications contain false or misleading statements, appropriately balance investment benefits and risks, or misrepresent the extent to which crypto assets are regulated by FINRA, are subject to securities laws, or are eligible for the protections under the Securities Investor Protection Act of 1970.

With respect to firm communications regarding crypto assets, the Report details effective practices identified during the examinations, including these:

• clear differentiation of communications relating to crypto asset products from those related to broker-dealer products and services and explanations that crypto asset products are not subject to the same regulatory protections as those available for securities
• clear presentation of the applicability of the federal securities laws and FINRA rules to such products and accurate description of associated risks
• clear differentiation of communications related to broker-dealer products and services from those related to offerings by crypto asset affiliates and prominent identification of the entities responsible for nonsecurities crypto assets businesses

Reg BI and Form CRS

The Report provides extensive feedback for firms on Reg BI and Form CRS compliance exam findings. In particular, the Report flags a number of examination findings related to the duty of care and conflict of interest obligations.
Specifically, with respect to Reg BI and Form CRS, FINRA’s examinations found that some firms

• made inappropriate recommendations in light of customers’ investment profiles and other factors and failed to consider all relevant factors affecting cost
• failed to maintain profile information consistent with Exchange Act Rule 17a-3(a)(35) and to conduct reasonable investigation of offerings before making a recommendation
• had not identified, disclosed, mitigated, or eliminated all relevant conflicts of interest associated with making a recommendation; specifically, Form CRS filings that contained inaccuracies or omissions and were not properly delivered and posted on firm websites were among other specific Form CRS observations in the Report

Expect FINRA to continue to carefully assess firms’ written supervisory procedures related to the Reg BI requirements. Firms will want to review carefully this section as they regularly update their approach to compliance with Reg BI and Form CRS, accounting for any new interpretive guidance issued by the SEC.

CAT

According to the Report, CAT compliance remains a key area of expanded focus for FINRA. The Report identifies several findings of deficiencies, including failures to timely and correctly report new order events, route events, and execution events. Exam findings also noted CAT errors that were not repaired by the correction deadline and failures to correct previously inaccurately reported data. FINRA also observed some firms without supervisory procedures or controls over CAT reporting and clock synchronization performed by third-party vendors. The Report further describes failures by some firms to maintain sufficient recordkeeping of CAT data or provide such data to regulators on request.

The Report highlights FINRA’s Rapid Remediation review process by which FINRA will identify reporting deficiencies and alert firms informally about potential CAT reporting violations. These reviews are conducted weekly or monthly, and firms should be prepared to respond to any inquiry by promptly addressing any identified issues. The Rapid Remediation review process is used in other quality of markets areas in addition to CAT and should be responded to similarly.

It will be important for broker-dealers to have effective supervisory procedures that require a comparative review of CAT submissions against firm order records, review the CAT Reporter Portal daily, and use CAT report cards and FAQs. Firms should also consider mapping their internal records to CAT reporting fields and archiving CAT feedback within an appropriate timeframe. In light of the November 2022 extension to the CAIS reporting deadlines, broker-dealers will want to establish reasonable supervisory procedures for CAIS reporting prior to the new deadlines. Such procedures might address monitoring for data formatting and inconsistencies, monitoring that information is securely reported, confirming CAIS data is consistent with prior submissions, and timely repairing CAIS inconsistencies.

Best Execution and Fair Pricing

Compliance with FINRA’s best execution rule, Rule 5310, has become a clear, ongoing focus area for FINRA. This year’s Report continues FINRA’s focus on payment for order flow arrangements while reflecting findings and observations from FINRA’s 2020 targeted exam of zero-commission firms and 2021 review of wholesale market makers’ order handling practices for customer orders received from other broker-dealers. The Report advises firms to establish committees that meet at least quarterly to conduct “regular and rigorous reviews” and consider modifications to order handling practices. Expect FINRA to assess whether firms have considered execution quality at various trading centers while conducting their “regular and rigorous reviews,” including trading centers to which the firm does not send order flow. Firms should also be able to sufficiently support their best execution analyses, particularly in the case of internalized orders or other potential conflicts of interest. The Report recommends firms have supervisory procedures, systems, and controls, as well as effective monitoring, to facilitate the full and prompt handling of marketable order flow.

In addition, as highlighted above, the SEC recently proposed its own best execution rule, which, while largely consistent with FINRA’s approach, would extend beyond FINRA’s requirements in many ways. Firms will want to pay close attention to industry comments on the SEC’s proposal and on any adoption of a rule by the SEC and the effects it may have on FINRA’s existing regime.

Also noteworthy in this year’s Report is FINRA’s new section on fair pricing for fixed income securities. Exam findings in this area included incorrect determinations of prevailing market prices, using outdated markup/markdown grids, and failures to conduct facts and circumstances analyses in assessing fair pricing. Expect FINRA to pay close attention to firms’ written supervisory procedures governing their fair pricing practices for fixed income transactions. Firms that transact in fixed income securities should consider conducting periodic reviews of their markups and markdowns and documenting the prevailing market price for each transaction.

Fractional Shares

This year’s Report introduces a new focus on reporting and order handling of fractional share activity. In particular, FINRA examinations identified firms that failed to accurately, completely, and timely report fractional share orders, routes, and trades to the required trade reporting facilities. FINRA expects firms to maintain a supervisory system and procedures to confirm fractional shares are appropriately reported to a FINRA trade reporting facility, FINRA’s over-the-counter trade reporting facility, and CAT as required. The Report specifically guides firms to consider how they process dividend reinvestments so that fractional share transactions are appropriately reported. Firms should also appropriately include fractional share activity in their best execution processes and reviews.

Financial Crimes

This year’s Report provides a section focused entirely on financial crimes with a focus on three key areas: (1) cybersecurity and technology governance; (2) anti-money laundering, fraud and sanctions, and (3) manipulative trading. As noted above, the emphasis on these key areas is not unexpected; however, firms should clearly review these areas in the Report to ensure that they are assessing how their efforts to combat potential financial crimes aligns with regulatory expectations set forth in the Report.

Cybersecurity and Technology Governance

FINRA has noted in the Report that cybersecurity remains one of the principal operational risks facing broker-dealers. As a result, FINRA’s expectation is that firms have developed and maintained reasonably designed cybersecurity programs and controls that are consistent with the firm’s risk profile, business model, and scale of operations.

The Report lists a host of observations and effective practices for firms to assess for their own programming alignment. Some of the key areas firms should focus on related to cybersecurity and technology governance are ensuring that the firm has effective

• multifactor authentication for login access to the firm’s operational, email, and registered representatives systems for employees, contractors, and customers
• data loss prevention monitoring programming related to network activity to identify unauthorized copying or deletion of customer or firm data, for example
• procedures for investigating cyber events and considering whether a Suspicious Activity Report is required following applicable guidance

Anti-Money Laundering, Fraud, and Sanctions

Notably in this section of the Report, FINRA calls out some emerging risk areas for firms. In particular, FINRA highlights manipulative trading in small cap initial public offerings (IPOs), sanctions evasion, and Automated Customer Account Transfer Service (ACATS) fraud.

With respect to manipulative trading in small cap IPOs, FINRA reminds firms to review its Regulatory Notice 22-25 that provides potential indicators of these schemes and risk management programs to confirm that firms are monitoring for this type of activity.

FINRA’s assessment that sanctions evasion is an emerging risk is not surprising. The Report specifically points firms to Office of Foreign Assets Control sanctions related to Russia and informs them to consider how to approach activity in customer accounts for Russian sanctions evasion.
The Report also notes that FINRA has observed an increased number of fraudulent transfers of customer accounts through ACATS. In particular, FINRA notes that bad actors are using the stolen identity of a legitimate customer to open online brokerage accounts and shortly thereafter submitting ACATS requests to transfer customer assets out of an account the customer holds at another firm. The bad actor then makes efforts to move the ill-gotten assets to an external account at another financial institution. As a result, the Report reminds firms that offer online account opening services to confirm that their reviews of red flags of new account fraud are incorporated into customer onboarding processes.

Manipulative Trading

In 2022, FINRA devoted additional attention to impermissible trading practices such as manipulative trading, evidenced by the topic’s gaining its own section in this year’s Report. FINRA’s examination efforts in this space uncovered inadequate supervisory procedures to monitor for and address manipulative conduct. FINRA also identified firms that did not reasonably design or operate surveillance controls and that did not sufficiently consider nonsurveillance sources for red flags of manipulative activity. The Report shares several recommendations to improve practices in this area, including that firms review customer and proprietary data to detect manipulative schemes and consult the FINRA Cross-Market Equities Supervision Manipulation Report Card. Firms should also develop an appropriately tailored surveillance program and supervisory system designed to detect a variety of manipulative schemes across various product types including correlated products. Specific areas of manipulative activity highlighted by the Report include momentum ignition trading, ETP manipulation, and wash trading.

Finally, review the Appendix — Using FINRA Reports in Your Firm’s Compliance Program. While the Appendix suggests that firms consider these practices, examination and enforcement experience demonstrate that FINRA expects the reports referenced in the Appendix to be part of firms’ compliance programs.

¹ A copy of the complete Report is available at https://www.finra.org/rules-guidance/guidance/reports/2023-finras-examination-and-risk-monitoring-program.
² For more information on the SEC’s proposed Regulation Best Execution, please see Sidley’s recent Update.