Now that FINRA and the SEC have released their 2020 priorities letters, we can take a closer look at what firms should prepare for this year. In the letters, the regulators highlighted technology-related topics while also focusing on existing priorities, reminding firms of the need to adopt comprehensive supervisory processes that will ensure compliance and exam preparedness.

The SEC’s office of compliance inspections and examinations (OCIE) released its 2020 exam priorities. OCIE prefaces the 2020 priorities by emphasizing the vital importance of compliance programs and compliance professionals. OCIE notes that the positive impact of effective compliance is clear from the exams it has conducted.
The OCIE 2020 priorities include the following critical areas:

Financial Technology (Fintech) and Innovation, Including Digital Assets and Electronic Investment Advice – OCIE recognizes that advancements in financial technologies, methods of capital formation and market structures, and registered firms’ use of new sources of data (often referred to as “alternative data”) warrant ongoing attention and review. OCIE also will continue to identify and examine SEC-registered firms engaged in the digital asset space, as well as RIAs that provide services to clients through automated investment tools and platforms (often referred to as “robo-advisers”). Areas of focus include:

(1) SEC registration eligibility,

(2) cybersecurity policies and procedures,

(3) marketing practices,

(4) adherence to fiduciary duty, including adequacy of disclosures, and

(5) effectiveness of compliance programs.

Focus Areas Relating to Investment Advisers, Investment Companies, Broker-Dealers, and Municipal Advisors – OCIE will continue its risk-based examinations for each type of these registered entities. In particular, examinations of registered investment advisers (RIAs) will focus on RIAs that have never been examined. These examinations will include RIAs advising retail investors as well as private funds. Investment company examinations will focus on mutual funds and exchange-traded funds, the activities of their RIAs, and the oversight practices of their boards of directors. Broker-dealer examinations will focus on issues relating to the preparation for and implementation of recent rulemaking, along with trading practices. Municipal advisor examinations will include review of registration and continuing education requirements and municipal advisor fiduciary duty obligations to municipal entity clients.

Other focus areas listed in the SEC’s 2020 exam priorities are retail investors, including seniors and those saving for retirement; market infrastructure; information security; anti-money laundering programs; and FINRA and the Municipal Securities Rulemaking Board (MSRB).

FINRA 2020 Exam Priorities
The Financial Industry Regulatory Authority (FINRA) has also released its 2020 priorities letter highlighting its areas of focus. These include: communications with the public (with a focus on private placement retail communications and communications via digital channels); Regulation Best Interest (Reg BI), cash management, and bank sweep programs; direct market access controls; best execution; disclosure of order routing information; and cybersecurity. FINRA will also continue to review ongoing priorities such supervision, sales practice risks, anti-money laundering and fraud, insider trading, and manipulation across markets and products.

Below are highlights of the FINRA 2020 priorities:

Communications via Digital Channels – An emerging focus for FINRA is digital communications. Registered representatives’ and customers’ use of an increasingly broad array of digital communication channels (e.g., texting, messaging, social media, collaboration applications) may pose challenges to a firm’s ability to comply with obligations related to the review and retention of such communications.

The examiners provided a checklist when reviewing a firm’s use and supervision of digital channels:

• Does your firm have a process in place to evaluate new tools available to your registered representatives to determine whether there are digital communications channels that should be captured, included in your firm’s routine electronic communications supervisory reviews, and stored in accordance with books and records requirements?
• Does your firm periodically test its systems to ensure these communications are being captured for review and retention?
• Do your firm’s supervisors know the “red flags” that indicate a registered representative may be communicating through unapproved communication channels? Are your firm’s supervisors following up on such red flags, which include, but are not limited to:
  • email chains that include non-approved email addresses for registered representatives;
  • references in emails to communications with a registered representative that occurred outside approved firm channels; or
  • customer complaints mentioning such communications?

Private Placement Retail Communications – In addition to ongoing reviews for compliance with these core obligations, FINRA will focus on Private Placement Retail Communications. FINRA will review how firms review, approve, supervise, and distribute retail communications regarding private placement securities via online distribution platforms⁹, as well as traditional channels.

Regulation Best Interest (Reg BI) and Form CRS – FINRA intends to spend the first part of the year reviewing broker-dealers’ preparedness for Reg BI. Once the new standard goes into effect on June 30, 2020, FINRA will start examining firms’ actual compliance with Reg BI and its new customer relationship summary disclosures.

FINRA included a checklist of what examiners will be looking for after Reg BI goes into effect:

• Does your firm have procedures and training in place to assess recommendations using a best interest standard?
• Do your firm and your associated persons apply a best interest standard to recommendations of types of accounts?
• If your firm and your associated persons agree to provide account monitoring, do you apply the best interest standard to both explicit and implicit hold recommendations?
• Do your firm and your associated persons consider the express new elements of care, skill, and costs when making recommendations to retail customers?
• Do your firm and your associated persons consider reasonably available alternatives to the recommendation?
• Do your firm and your registered representatives guard against excessive trading, irrespective of whether the broker-dealer or associated person “controls” the account?
• Does your firm have policies and procedures to provide the disclosures required by Reg BI?
• Does your firm have policies and procedures to identify and address conflicts of interest?
• Does your firm have policies and procedures in place regarding the filing, updating, and delivery of Form CRS?

TAKEAWAY:

Firms should consult this year’s priorities letters to better assess their compliance with relevant requirements and regulators’ expectations. Review the firm’s practices, policies, and procedures to confirm that these address the enforcement priorities.

Technology continues to be a key theme for the regulators. This means firms need to capture, archive, and supervise all written business communications. This includes retention of electronic communications such as email, text messages, instant messages, social media, and collaboration tools. This is a good time to review your policies and procedures to ensure the policies properly address the firm’s business activities and comply with the provisions of the recordkeeping rule.

Outline whether employees have the ability to communicate via email through means other than their firm email address and through third-party communication systems such as Bloomberg and Reuters. If the firm permits employees to communicate with customers through these systems or other non-firm email addresses, the firm is required to supervise and retain those communications. If the firm elects to prohibit its use altogether, keeping employees from accessing non-member email platforms for business purposes, then there is a need to require employees to certify that they are acting in accordance with such policies and procedures on an annual or more frequent basis. Where possible, firms should block access to these email platforms through their networks. Thus, an employee would be able to access the Internet but not the email functionality. Members utilizing this blocking functionality should periodically conduct tests to ensure that it is functioning as designed or intended. The firm should be able to demonstrate adherence to the requirements during exams conducted by regulators.

Periodically test the systems to ensure the communications are being captured for review and retention. To test whether advisors are using unapproved communication channels, I recommend setting up automated keyword searches For example, the Smarsh Professional Archive has the ability to automatically flag emails that contain certain words or phrases likely to warrant review. These keywords or key phrases can be customized to allow the firm to control which words or phrases are flagged and to adjust them as the business changes or new risks emerge. You can create keywords and key phrases to flag the risk of advisors using unauthorized communication channels.
Examples include: “send to my personal email,” “respond to my gmail account,” “text me,” “let’s take this offline.” These common phrases are indicative of the risk of using unauthorized communication channels. Firms cannot assume advisors aren’t using their personal emails to communicate with clients.

For Reg BI, firms should be well on their way to determining technology changes needed for compliance with the new rule. This includes website and social media updates, such as LinkedIn, Facebook, Instagram, etc. Regulators are focusing on both Reg BI implementation and technology, so make sure not to miss the mark.

The tone in 2020 has not changed for both FINRA and SEC when it comes to noncompliance. The regulators will continue to penalize firms and their employees for failing to meet regulatory requirements, including fines and other disciplinary actions.