First Annual Report on FINRA Exam Findings

On December 6, FINRA released its first Report of Examination Findings to help member firms “address potential areas of concern well before their own cycle examinations.” The report focuses on selected observations from recent examinations; it “does not represent a complete inventory of observations about the industry as a whole, does not imply that any issues discussed exist at any particular firms, and should not be read as creating new legal or regulatory requirements or new interpretations of existing requirements.” FINRA expects the summary report to evolve over time and intends to issue it annually. The summary report highlights the following areas:

Cybersecurity

It’s not surprising that cybersecurity leads the list of findings. The regulator noted areas where some firms need to improve their cybersecurity, including terminating departing employees’ access to firm systems on a timely basis; conducting ongoing formal risk assessments; improving vendor management due diligence processes; strengthening branch office oversight; segregating cybersecurity duties; and implementing controls to prevent data loss.

Outside Business Activities and Private Securities Transactions

The report identifies outside business activities (OBAs) and private securities transactions (PSTs) as a continuing issue. FINRA Rules 3270 and 3280 require registered representatives to notify their firms of OBAs, and all associated persons to notify their firms of proposed PSTs, so firms can determine whether to limit or allow those activities to proceed. FINRA observed instances where registered persons or firms failed to meet their obligations under the rules. For example, new hires or current registered persons failed to notify their prospective or current firm in writing of an existing OBA or PST. In some cases, individuals did not understand what constitutes an OBA or PST. FINRA also observed weaknesses in some firms’ OBA and PST reviews.

Anti-Money Laundering Compliance Program

FINRA cited firms for failure to establish and implement an Anti-Money Laundering (AML) program reasonably designed to detect and report suspicious activity. FINRA noted specific instances such as inadequate delegations of responsibility for AML monitoring; lack of resources for AML monitoring; and failure to conduct independent testing of AML monitoring. FINRA observed that “firms with effective AML programs actively tailor their risk-based AML program to the firm’s business model and associated AML risks as opposed to simply implementing a more generic program.”

Product Suitability

FINRA identified firms that failed to meet their suitability obligations to customers, specifically with unit investment trusts (UITs) and certain multi-share class and complex products. For example, FINRA found that some firms recommended higher-fee share classes without determining whether they fit the customer’s objectives and risk tolerance. FINRA also found some firms failed to supervise and train registered representatives with respect to suitability issues. For example, firms that relied on written supervisory procedures and compliance bulletins to inform their registered representatives and principals about UITs encountered more sales practice problems than firms that implemented UIT-focused training for registered representatives.

Best Execution

The report expressed concerns regarding firms failing to execute orders in a manner most beneficial to the client. FINRA found that some firms failed to implement and conduct periodic and rigorous reviews of customer execution quality. The self-regulator notes that conducting diligent reviews of customer execution quality is critical to the “supervision of best execution practices.”

Takeaway Tips

Supervision continues to be highlighted throughout the report. Review your Written Supervisory Procedures to ensure the policies properly address the firm’s business activities and comply with the regulatory requirements. Firms should periodically test the integrity of their systems to ensure compliance. Monitoring electronic communications can be an incredibly effective way to find potential violations across each of the highlighted areas in the report.

Lexicon-based reviews can be used to automate the search for specific policy violations. For example, the right lexicon policies can automatically find scenarios where a registered representative did not report an OBA or PST. Performing random searches of messages adds an extra layer to a well-rounded review, helping detect potential violations and enhancing your supervision process. And don’t forget to document your hard work reviewing messages, which is a great way to demonstrate to regulators that you are supervising the activities of your associated persons.

Effective training and ongoing education are critical for an adequate supervisory process. Share the recent report with the rest of the firm, as employees must be mindful of the findings. Provide focused training on specific issues to inform employees of prohibited practices. This further reinforces the firm’s culture of compliance.

It is not ideal to find out about violations from the regulators during an examination. The good news is you don’t have to wait until next year’s examination summary report to get ahead of compliance requirements. FINRA makes all cases and disciplinary actions available online. Here at Smarsh we also report on the latest regulatory news and findings, and I frequently contribute and share recent enforcement actions in our regulatory updates series. This recent report is another resource that firms can use to strengthen their controls with securities rules and regulations. Take advantage of the observations and best practices.

Marianna Shafir Esq.