FINRA 2020 Disciplinary Actions Indicate Surge in Enforcement Activity
Table of Contents
1. FINRA disciplinary totals in 2020
2. Anti-Money Laundering (AML)
3. Books and Records
4. Lessons from recordkeeping violations
5. Cybersecurity and Technology
6. Regulation Best Interest (Reg BI)
7. How to get ahead of regulatory risks in 2021
Eversheds Sutherland, a global law firm with expertise in many industries, including financial services, tracks FINRA disciplinary actions each year to analyze for ongoing trends. Their analysis of 2020 cases showed an increase in almost every area of regulatory enforcement, with a particular focus on anti-money laundering (AML), books and records, cybersecurity and supervision, and last year’s new regulation best interest (Reg BI) rule.
FINRA disciplinary totals in 2020
The increase in fines ordered by FINRA was accompanied by an increase in what Eversheds Sutherland refers to as “supersized” ($1 million or more) and “mega” ($5 million or more) fines. In 2020, there were 10 supersized fines, totaling $38.6 million. The two mega fines ordered in 2020 carried a combined penalty of $21.5 million.
Anti-Money Laundering (AML)
Anti-money laundering was highlighted in FINRA's 2021 examination and risk monitoring program report and priorities letter. In addition to that, the SEC's Division of Examinations recently released a new risk alert reminding broker-dealers of their obligations under AML requirements. It outlined some deficiencies that it found during examinations, in firms' policies and procedures and their implementation of procedures designed to identify and report suspicious activity.
AML produced the single largest “mega” fine in 2020 at $15 million. FINRA found that a firm did not reasonably surveil hundreds of millions of dollars of its customers' wire transfers for money laundering concerns, including millions of dollars of third-party deposits into customers' accounts from high-risk jurisdictions. The firm did not reasonably investigate suspicious activity it found because it lacked sufficient personnel and a reasonably designed case management system.
The firm failed to establish and implement policies, procedures and internal controls reasonably designed to identify suspicious transactions. In certain instances, the firm's AML staff identified suspicious conduct, including manipulative trading and other fraudulent and even criminal activity. The firm filed suspicious activity reports for that conduct only after it was prompted to do so by FINRA's investigation.
Separate from the fine, FINRA also required the firm to retain a third-party consultant to remedy its AML deficiencies. In addition to FINRA sanctions, the SEC and the CFTC brought actions against the firm resulting in a total of more than $38 million in fines and penalties.
AML has been a top enforcement issue for the last five years and has resulted in more than $120 million in fines over that same period. Firms should be taking a close look at their annual policies and procedures to ensure they're addressing the main issues that continue to result in significant sanctions:
- Does the firm allocate enough resources, both in terms of personnel and technology, to adequately supervise its AML concerns?
- Are the firm's AML systems and procedures appropriately tailored to the firm's business? Are they operating as intended? Are they identifying appropriate red flags?
- Is the firm investigating and reacting to the red flags it identifies adequately, including filing suspicious activity reports where appropriate?
- If a firm has experienced significant growth or change in a short period, has it reviewed its AML program to make sure it's evolved accordingly?
Large fines will likely continue to be levied against firms for failing to ensure their AML programs are adequate and reasonably tailored to their business operations. As this case shows, the consequences can be major.
Books and Records
The largest books and records case last year cost a firm $6.5 million. The firm was fined for failing to establish and maintain a supervisory system for more than five years, including written procedures reasonably designed to achieve compliance with its record retention obligations.
There were a variety of additional issues in this case. The findings stated that the firm failed to:
- Retain electronic records in the required format
- Preserve certain electronic records
- Notify FINRA prior to employing electronic storage media
The findings noted that the firm's procedures didn't inform personnel that local and shared computer drives didn't meet the record retention requirements and shouldn't be used for record storage. This resulted in at least 87 million records, including its general ledger, supervisory procedures, customer statements, onboarding documents and notices to customers being stored improperly on these drives.
In addition to those records, more than 1.5 million customer communications maintained by a third-party data vendor were deleted. It had placed the customer communications in a temporary storage location that automatically deleted them after a year. After discovering that approximately 500,000 records had been deleted, the firm didn't take the necessary steps to ensure that any other records in the temporary storage location had been properly migrated. As a result, another million records were deleted.
Lessons from recordkeeping violations
This case demonstrates that books and records requirements continue to be an important area for FINRA and one where large fines do occur. As communication methods continue to evolve, companies must be able to preserve and monitor that data. In the 2021 priorities letter, FINRA called out insufficient supervision and recordkeeping for collaboration platforms (Microsoft Teams, Slack, etc.) and video (live streams, webinars, etc.) specifically.
Using a purpose-built communications archiving solution for compliance ensures recordkeeping requirements can be met. The solution should have capabilities for collecting and storing communications data from all platforms and controls for data retention.
Cybersecurity and Technology
Cybersecurity and technology continue to be a foundational and growing area of concern for FINRA. In the 2021 report, FINRA reminded firms that cybersecurity remains one of the principal operational risks they face. FINRA expects firms to develop cyber programs and controls that are consistent with their risk profile, business model and operational scale.
These issues have been especially heightened during the pandemic due to employees working remotely and the anxiety and confusion caused by the potential economic impact of the pandemic. While personnel slowly return to the office this year, firms must ensure their remote infrastructure is robust enough to handle all that work from home demands.
FINRA noted an increase in cybersecurity incidents at firms and has given some examples of scenarios to look out for, including system-wide outages, email and account takeovers, fraudulent wire requests, imposter websites, and ransomware. Cyber issues, if not properly addressed, can lead to data breaches, which can have significant ramifications, not only from regulators but also in private lawsuits.
Regulation Best Interest (Reg BI)
Reg BI went into effect on June 30th of last year. This regulation is subject to the jurisdiction of both the SEC and FINRA. Both regulators were focused on what they called “good faith compliance,” giving firms the chance to show they were working to adopt the rule. They have begun examinations and are expected to start enforcing Reg BI in the coming year.
Both regulators have addressed Reg BI publicly. FINRA CEO Robert Cook noted that the early Reg BI exams zeroed in on firms' broad approach to implementation. He said some firms would need to provide more training on both Reg BI and Form CRS. He also said that going forward, they're expecting nothing shorter than compliance with the rule.
SEC Commissioner Crenshaw said the next step for the SEC on the Reg BI front will be to assess how it's performing. SEC staff is going to continue to incorporate compliance with Reg BI into its exam enforcement process. Crenshaw said she believes the data that exam staff accumulate will illuminate whether the rule is working as promised, or whether changes may be required.
How to get ahead of regulatory risks in 2021
To get ahead of regulatory risks in 2021, firms need to implement a modern, cloud-based communications archiving solution that can capture and store content from popular channels like collaboration and conferencing platforms. Content should be stored in its native format with conversational context, so it can be easily accessed and reviewed for an examination or legal event.
Regulated organizations should also employ a supervision solution that can identify red flags in employee communications with precision, to get ahead of potential misconduct and make the supervision process more effective and efficient.
As cybersecurity continues to ramp up across the virtual workplace, a unified technology solution for monitoring, remediating, and reporting on cyber risk is the best line of defense for automating cybersecurity and compliance controls.
As the above data suggests, the continuation of remote work in 2021 isn’t reducing enforcement activity. In fact, it is more likely regulatory enforcement will increase. Firms need to remain diligent in their approach to supervising personnel and managing regulatory compliance. Enhancements to the firm’s compliance and cybersecurity technology infrastructure can ensure peace of mind and mitigate potential regulatory and legal consequences.
Share this post!
Our internal subject matter experts and our network of external industry experts are featured with insights into the technology and industry trends that affect your electronic communications compliance initiatives. Sign up to benefit from their deep understanding, tips and best practices regarding how your company can manage compliance risk while unlocking the business value of your communications data.