FINRA issued this risk alert on Feb 9th 2022.
All information here is quoted from FINRA’s document. Please refer to FINRA’s document at the link below for complete information.
The 2022 Report on FINRA’s Examination and Risk Monitoring Program (the Report) provides firms with information that may help inform their compliance programs. For each topical area covered, the Report identifies the relevant rule(s), highlights key considerations for member firms’ compliance programs, summarizes noteworthy findings from recent examinations, outlines effective practices that FINRA observed during its oversight, and provides additional resources that may be helpful to member firms in reviewing their supervisory procedures and controls and fulfilling their compliance obligations. FINRA’s intent is that the Report be an up-to-date, evolving resource or library of information for firms. To that end, the Report builds on the structure and content in the 2021 Report by adding new topics (e.g., Disclosure of Order Routing Information, Funding Portals) denoted NEW FOR 2022 and new material (e.g., new exam findings, effective practices) to existing sections where appropriate. (New material in existing sections is in bold type.) In addition, those general findings that are also particularly relevant for firms in their first year of operation are denoted with a star.
Please note that only selected highlights have been included here, in areas where La Meer’s GRACE systems offer comprehensive functions to address the deficiencies highlighted by FINRA.
In 2021, considerable industry, and in some cases public, attention was focused on topics that FINRA also addressed through its exam and risk monitoring program. These topics include newer SEC Rules (e.g., Regulation Best Interest (Reg BI), Form CRS, amendments to Rule 606), recent increases in the number and sophistication of cybersecurity threats, and the proliferation of securities trading through mobile apps.
Reg BI and Form CRS
During Reg BI’s and Form CRS’ first full calendar year of implementation in 2021, FINRA expanded the scope of its reviews and testing relative to 2020 to execute a more comprehensive review of firms’ processes, practices and conduct in areas such as establishing and enforcing adequate written supervisory procedures (WSPs); filing, delivering and tracking accurate Forms CRS; making recommendations that adhere with Reg BI’s Care Obligation; identifying and mitigating conflicts of interest; and providing effective training to staff. In this Report, FINRA notes its initial findings from its Reg BI and Form CRS reviews during the past year and will share additional findings at a future date.
Cybersecurity threats are one of the primary risks firms and their customers face. Over the past year, FINRA has continued to observe increases in the number and sophistication of these threats. For example, in 2021, FINRA has alerted firms about phishing campaigns involving fraudulent emails purporting to be from FINRA, as well as new customers opening online brokerage accounts to engage in Automated Clearing House (ACH) “instant funds” abuse. FINRA has issued additional regulatory guidance concerning the increase of bad actors using compromised registered representative or employee email accounts to execute transactions or move money; using customer information to gain unauthorized entry to customers’ email accounts, online brokerage accounts or both (i.e., customer account takeover (ATO) incidents); and using synthetic identities to fraudulently open new accounts. FINRA will continue to assess firms’ programs to protect sensitive customer and firm information, as well as share effective practices firms can employ to protect their customers and themselves. Where appropriate, FINRA will also share information about cybersecurity threats to firms.
FINRA will continue to review firms’ communications and disclosures made to customers in relation to complex products, and will review customer account activity to assess whether firms’ recommendations regarding these products are in the best interest of the retail customer given their investment profile and the potential risks, rewards and costs associated with the recommendation. In addition, in August of last year, FINRA launched a targeted exam to review members’ practices and controls related to the opening of options accounts which, in some instances, may be used to engage in complex strategies involving multiple options (such as spreads). FINRA will share its findings from this review at a future date.
AML Exam Findings and Effective Practices
Inadequate Ongoing Monitoring and Reporting of Suspicious Transactions – Failing to establish and implement an AML program reasonably expected to detect and report suspicious activity in compliance with FINRA Rule 3310(a) by, for example:
- Not using AML reports or systems that accurately and reasonably capture potentially suspicious activity, and are free of data integrity issues
- Not conducting and accurately documenting AML surveillance reviews
- Not implementing appropriate risk-based procedures to understand the nature and purpose of customer relationships in order to develop a customer risk profile;
- Not implementing procedures that are reasonably designed to investigate inquiries from clearing firms that concern “red flags” of potentially suspicious activity
- Not tailoring AML programs to risks presented by products, customers, business lines and transactions (e.g., cash management products, low-priced securities trading) and wire and ACH transfers; and
- Not notifying AML departments of events that involve suspicious transactions (e.g., cybersecurity events, account compromises or takeovers, new account fraud, fraudulent wires and ACH transfers).
- Inadequate AML Independent Tests – Failing to comply with FINRA Rule 3310(c) by conducting AML tests that fail to review key aspects of the AML program, are not performed within the required timeframe, are not completed by persons with the requisite independence or are not completed at all.
- Insufficient Compliance With Certain Requirements of the BSA – Failing to establish a risk-based CIP to verify the identity of each customer in compliance with FINRA Rule 3310(b), failing to verify the identity of the beneficial owners of legal entity customers in compliance with FINRA Rule 3310(f) or failing to conduct due diligence on correspondent accounts of foreign financial institutions in compliance with FINRA Rule 3310(b).
Update on Initial Public Offerings (IPOs) of China-Based Issuers
FINRA has observed red flags of potentially manipulative trading associated with how these investors open new accounts and trade these securities after the IPO is completed, including:
- Numerous unrelated accounts being opened at the same time, including with similar banking information, physical addresses, email address domains and current employer (which is often associated with the IPO issuer);
- Documents investors provide in order to open an account or verify source of funds that may have been altered or could be fictitious;
- Wire transfers received into these accounts that exceed the financial wherewithal of the investor as indicated on their new account documents, exceed the value of the shares purchased in the IPO and are either sent from similar banks, or bank accounts that share certain identifying information (e.g., employer of account holder, email domain);
- Investor accounts being accessed by a different Internet Protocol (IP) or Media Access Control (MAC) address than is known for the customer, granting log in and trading capabilities to a third party or both;
- Multiple orders with substantially similar terms being placed at or around the same time by seemingly unrelated investors in the same security that is indicative of “spoofing” or “layering”; and
- Investors engaging in trading activity that does not make economic sense.
Given the potential risks, firms underwriting these IPOs and whose customers trade in these securities after the IPO should carefully evaluate whether they have controls in place necessary to identify and report market manipulation, other abusive trading practices and potential AML concerns. Firms can find additional information regarding the risks associated with China-based issuers in recent statements from the SEC:
Risk Assessments –
- Conducting an initial, formal written risk assessment and updating it based on the results of AML tests, audits and changes in size or risk profile of the firm (e.g., business lines, products and services, registered representatives and customers).
- Verifying Customers’ Identities When Establishing Online Accounts – In meeting their CIP obligations, validating identifying information or documents provided by applicants (e.g., Social Security number (SSN), address, driver’s license), including, for example, through “likeness checks”; asking follow-up questions or requesting additional documents based on information from credit bureaus and credit reporting agencies, or digital identity intelligence (e.g., automobile and home purchases); contracting third-party vendors to provide additional support (e.g., databases to help verify the legitimacy of suspicious information in customers’ applications);
- Limiting automated approval of multiple accounts by a single customer
- Reviewing account applications for repetition or commonalities amongst multiple applications; and using technology to detect indicators of automated scripted attacks.
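The red flags listed under the IPO update (unrelated accounts opened together with shared banking details, email domains or employer; inbound wires out of proportion to the stated net worth; logins from an IP address not known for the customer) and the practice above of reviewing applications for commonalities both come down to the same detection logic. The following is an added example, not code from FINRA’s report or from La Meer’s GRACE product, and it generalizes the text by clustering on any shared attribute rather than one. All records are constructed (invented routing numbers, RFC 5737 test IP addresses), and the field names and thresholds (a 48-hour window, three accounts, twice the stated net worth) are assumptions a firm would tune to its own book.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample account applications (hypothetical customers; routing numbers
# and IPs are not real). Field names are assumptions, not any vendor's schema.
APPLICATIONS = [
    {"acct": "A1", "opened": "2022-01-10T09:00", "email": "u1@issuerco.example",
     "employer": "IssuerCo", "bank_routing": "021000000", "address": "1 Main St",
     "stated_net_worth": 50_000, "known_ips": {"198.51.100.10"}},
    {"acct": "A2", "opened": "2022-01-10T09:30", "email": "u2@issuerco.example",
     "employer": "IssuerCo", "bank_routing": "021000000", "address": "2 Oak Ave",
     "stated_net_worth": 40_000, "known_ips": {"198.51.100.11"}},
    {"acct": "A3", "opened": "2022-01-11T08:00", "email": "u3@issuerco.example",
     "employer": "issuerco", "bank_routing": "021000000", "address": "3 Elm Rd",
     "stated_net_worth": 60_000, "known_ips": {"198.51.100.12"}},
    {"acct": "A4", "opened": "2022-02-20T10:00", "email": "u4@mail.example",
     "employer": "Acme", "bank_routing": "011000000", "address": "4 Pine Ct",
     "stated_net_worth": 1_000_000, "known_ips": {"198.51.100.20"}},
    {"acct": "A5", "opened": "2022-03-05T10:00", "email": "u5@mail.example",
     "employer": "Globex", "bank_routing": "011000000", "address": "5 Birch Ln",
     "stated_net_worth": 80_000, "known_ips": {"198.51.100.30"}},
]
# Constructed inbound wires and login events after account opening.
WIRES = [{"acct": "A1", "amount": 400_000},
         {"acct": "A4", "amount": 500_000},
         {"acct": "A5", "amount": 100_000}]
LOGINS = [{"acct": "A2", "ip": "203.0.113.9"},
          {"acct": "A4", "ip": "198.51.100.20"}]


def _opened(app):
    return datetime.fromisoformat(app["opened"])


# Attributes that are normally unique to a customer; sharing them across
# "unrelated" new accounts is the commonality the review is looking for.
CLUSTER_FIELDS = {
    "email_domain": lambda a: a["email"].rsplit("@", 1)[-1].lower(),
    "employer": lambda a: a["employer"].strip().lower(),
    "bank_routing": lambda a: a["bank_routing"],
    "address": lambda a: a["address"].strip().lower(),
}


def find_clusters(apps, window=timedelta(hours=48), min_size=3):
    """Return {(field, value): [accts]} for every attribute value shared by at
    least `min_size` accounts of which `min_size` were opened within `window`."""
    groups = defaultdict(list)
    for app in apps:
        for field, extract in CLUSTER_FIELDS.items():
            groups[(field, extract(app))].append((_opened(app), app["acct"]))
    clusters = {}
    for key, members in groups.items():
        members.sort()  # by opening time
        for i in range(len(members) - min_size + 1):
            if members[i + min_size - 1][0] - members[i][0] <= window:
                clusters[key] = [acct for _, acct in members]
                break
    return clusters


def oversized_wires(apps, wires, multiple=2.0):
    """Inbound wires exceeding `multiple` times the net worth stated on the form."""
    worth = {a["acct"]: a["stated_net_worth"] for a in apps}
    return [w for w in wires if w["amount"] > multiple * worth[w["acct"]]]


def unknown_ip_logins(apps, logins):
    """Logins from an IP address not previously recorded for the customer."""
    known = {a["acct"]: a["known_ips"] for a in apps}
    return [l for l in logins if l["ip"] not in known[l["acct"]]]


def review_queue(apps, wires, logins):
    """Collect every reason an account should go to AML/fraud review."""
    reasons = defaultdict(list)
    for (field, value), accts in find_clusters(apps).items():
        for acct in accts:
            reasons[acct].append(f"shares {field}={value!r} with {len(accts) - 1} other new accounts")
    for w in oversized_wires(apps, wires):
        reasons[w["acct"]].append(f"inbound wire {w['amount']} exceeds 2x stated net worth")
    for l in unknown_ip_logins(apps, logins):
        reasons[l["acct"]].append(f"login from unrecognised IP {l['ip']}")
    return dict(reasons)


if __name__ == "__main__":
    for acct, why in sorted(review_queue(APPLICATIONS, WIRES, LOGINS).items()):
        print(acct)
        for r in why:
            print("  -", r)
```

Run as a script it prints a review queue in which the three accounts sharing an email domain, employer and bank are grouped together, one of them additionally for a wire eight times its stated net worth and another for a login from an unknown address; the two later, unrelated accounts produce nothing. The clustering step normalises case and whitespace before grouping so that “IssuerCo” and “issuerco” land in the same cluster, which is the kind of near-duplicate a manual review of applications tends to miss.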
Delegation and Communication of AML Responsibilities
When AML programs rely on other business units to escalate red flags of suspicious activity, establishing clearly delineated written escalation procedures and recurring cross-department communication with AML and compliance staff.
- In meeting their obligations to provide ongoing AML training for appropriate personnel under FINRA Rule 3310(e), establishing and maintaining AML training programs that are tailored for the respective roles and responsibilities of the AML department, as well as departments that regularly work with AML that address regulatory and industry developments impacting AML risk or regulatory requirements; and that, where applicable, leverage trends and findings from quality assurance controls.
Detection and Mitigation of Wire and ACH Fraud
In meeting their obligations to conduct ongoing monitoring to identify and report suspicious transactions under FINRA Rule 3310(f), monitoring outbound money movement requests post-ACH setup and restricting fund transfers in certain situations (e.g., identity theft is detected in an investor’s account).
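One way to implement the monitoring described above (watching outbound money movement after an ACH link is set up, and restricting transfers once identity theft is detected) is a small rule set evaluated for every outbound request. This is an added example, not code from FINRA’s report or from La Meer’s GRACE product; the account and request records are constructed, and the seven-day seasoning window, the review limit and the field names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample account states and outbound transfer requests.
# Field names, the seasoning window and the review limit are assumptions.
ACCOUNTS = {
    "C1": {"ach_linked_at": datetime(2022, 3, 1, 9, 0), "identity_theft_flag": False},
    "C2": {"ach_linked_at": datetime(2022, 3, 9, 14, 0), "identity_theft_flag": False},
    "C3": {"ach_linked_at": datetime(2022, 1, 15, 9, 0), "identity_theft_flag": True},
}
REQUESTS = [
    {"id": 1, "acct": "C1", "amount": 2_500, "requested_at": datetime(2022, 3, 10, 10, 0)},
    {"id": 2, "acct": "C2", "amount": 2_500, "requested_at": datetime(2022, 3, 10, 10, 0)},
    {"id": 3, "acct": "C2", "amount": 40_000, "requested_at": datetime(2022, 3, 20, 10, 0)},
    {"id": 4, "acct": "C3", "amount": 100, "requested_at": datetime(2022, 3, 10, 10, 0)},
]

SEASONING = timedelta(days=7)   # how long a new ACH link is watched (assumed)
REVIEW_LIMIT = 25_000           # amount above which a human looks first (assumed)


def evaluate(account, request, seasoning=SEASONING, review_limit=REVIEW_LIMIT):
    """Return ("allow" | "hold" | "block", [reasons]) for one outbound request.

    Rules are applied in order of severity: a confirmed identity-theft flag
    blocks outright; requests inside the seasoning window or above the review
    limit are held for review; everything else is allowed."""
    if account["identity_theft_flag"]:
        return "block", ["identity theft detected on account; outbound transfers restricted"]
    reasons = []
    age = request["requested_at"] - account["ach_linked_at"]
    if age < seasoning:
        reasons.append(f"request {age.days} day(s) after ACH link; seasoning is {seasoning.days} days")
    if request["amount"] > review_limit:
        reasons.append(f"amount {request['amount']} exceeds review limit {review_limit}")
    return ("hold" if reasons else "allow"), reasons


def triage(accounts, requests):
    """Batch monitoring: map each request id to its decision and reasons."""
    return {r["id"]: evaluate(accounts[r["acct"]], r) for r in requests}


if __name__ == "__main__":
    for rid, (decision, reasons) in triage(ACCOUNTS, REQUESTS).items():
        print(rid, decision, "; ".join(reasons))
```

The hold and block outcomes are deliberately separate: a hold feeds a review queue where AML or fraud staff can release or escalate (and file a SAR where warranted), whereas a block is the restriction the text describes for an account where identity theft has already been detected.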
The GRACE AML solution helps with establishing AML policies and procedures and conducting risk assessments. It offers API-based verification of prospects and clients against sanctions and PEP watch lists, returning PEP status, beneficial ownership and adverse media information, and supports KYC, account-opening customer due diligence, transaction monitoring, client risk scoring and client risk profiles, periodic risk assessments with automated monitoring, SAR identification, issue recording and management, and online training and attestation.
Cybersecurity and Technology Governance
Regulatory Obligations and Related Considerations
Regulatory Obligations:
- Rule 30 of the SEC’s Regulation S-P requires firms to have written policies and procedures that are reasonably designed to safeguard customer records and information.
- FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information) also applies to denials of service and other interruptions to members’ operations.
- In addition to firms’ compliance with SEC regulations, FINRA reminds firms that cybersecurity remains one of the principal operational risks facing broker-dealers and expects firms to develop reasonably designed cybersecurity programs and controls that are consistent with their risk profile, business model and scale of operations.
- Technology-related problems, such as problems in firms’ change- and problem-management practices or issues related to an increase in trading volumes, can expose firms to operational failures that may compromise firms’ ability to comply with a range of rules and regulations, including FINRA Rules 4370, 3110 (Supervision) and 4511 (General Requirements), as well as Securities Exchange Act of 1934 (Exchange Act) Rules 17a-3 and 17a-4.
Related Considerations: Cybersecurity
- What is the firm’s process for continuously assessing cybersecurity and technology risk?
- What kind of governance processes has your firm developed to identify and respond to cybersecurity risks?
- What is the scope of your firm’s Data Loss Prevention program, including encryption controls and scanning of outbound emails to identify sensitive information?
- How does your firm identify and address branch-specific cybersecurity risks?
- What kind of training does your firm conduct on cybersecurity, including phishing?
- What process does your firm have to evaluate your firm’s vendors’ cybersecurity controls?
- What types of penetration (“PEN”) testing, if any, does your firm do to test web-facing systems that allow access to customer information or trading?
- How does your firm monitor for imposter websites that may be impersonating your firm or your registered representatives? How does your firm address imposter websites once they are identified?
- What are your firm’s procedures to communicate cyber events to AML or compliance staff related to meeting regulatory obligations, such as the filing of SARs and informing reviews of potentially impacted customer accounts?
FINRA continues to observe fraudsters and other bad actors engaging in cybercrime that increases both fraud risk (e.g., synthetic identity theft, customer account takeovers, illegal transfers of funds, phishing campaigns, imposter websites) and money laundering risk (e.g., laundering illicit proceeds through the financial system).
Events involving, or enabled by, cybercrime are expected to be reported via SARs. FINRA has also published Regulatory Notice 21-18 (FINRA Shares Practices Firms Use to Protect Customers From Online Account Takeover Attempts), which discusses cybersecurity practices firms may find effective in mitigating risks related to ATOs and funds transfers.
- What controls does your firm implement to mitigate system capacity performance and integrity issues that may undermine its ability to conduct business and operations, monitor risk or report key information?
- How does your firm document system change requests and approvals?
- What type of testing does your firm perform prior to system or application changes being moved into a production environment and post-implementation?
- What are your firm’s procedures for tracking information technology problems and their remediation? Does your firm categorize problems based on their business impact?
Exam Findings and Effective Practices
- Inadequate Risk Assessment Process – Not having an adequate and ongoing process to assess cyber and IT risks at the firm, including, for example, failing to test implemented controls or conducting PEN testing regularly.
- Data Loss Prevention Programs – Not encrypting all confidential data, including a broad range of non-public customer information in addition to Social Security numbers (such as other account profile information) and sensitive firm information.
- Branch Policies, Controls and Inspections – Not maintaining branch-level written cybersecurity policies; inventories of branch-level data, software and hardware assets; and branch-level inspection and automated monitoring programs.
- Training – Not providing ongoing comprehensive training to registered representatives, other firm personnel, third-party providers and consultants on cybersecurity risks relevant to individuals’ roles and responsibilities (e.g., phishing).
- Vendor Controls – Not implementing and documenting formal policies and procedures to review prospective and existing vendors’ cybersecurity controls and managing the lifecycle of firms’ engagement with all vendors (i.e., from onboarding, to ongoing monitoring, through off-boarding, including defining how vendors will dispose of non-public client information).
Emerging Vendor Risk
Due to the recent increase in the number and sophistication of cyberattacks during the COVID-19 pandemic, FINRA reminds firms of their obligations to oversee, monitor and supervise cybersecurity programs and controls provided by third-party vendors. Firms can find guidance in this area in Regulatory Notice 21-29 (FINRA Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors) and the Cybersecurity and Infrastructure Security Agency’s (CISA) Risk Considerations for Managed Service Provider Customers.
- Not implementing access controls, including developing a “policy of least privilege” to grant system and data access only when required and removing it when no longer needed
- Not limiting and tracking individuals with administrator access
- Not implementing multi-factor authentication (MFA) for registered representatives, employees, vendors and contractors.
- Inadequate Change Management Supervision – Insufficient supervisory oversight for application and technology changes (including upgrades, modifications to or integration of firm or vendor systems), which lead to violations of other regulatory obligations, such as those relating to data integrity, cybersecurity, books and records, and confirmations.
- Limited Testing and System Capacity – Order management system, online account access and trading algorithm malfunctions due to a lack of testing for changes or system capacity issues.
- Insider Threat and Risk Management – Collaborating across technology, risk, compliance, fraud and internal investigations/conduct departments to assess key risk areas, monitor access and entitlements, and investigate potential violations of firm rules or policies regarding data access or data accumulation.
- Incident Response Planning – Establishing and regularly testing (often using tabletop exercises) a written formal incident response plan that outlines procedures for responding to cybersecurity and information security incidents; and developing frameworks to identify, classify, prioritize, track and close cybersecurity related incidents.
- System Patching – Implementing timely application of system security patches to critical firm resources (e.g., servers, network routers, desktops, laptops, mobile phones, software systems) to protect non-public client or firm information.
- Asset Inventory – Creating and keeping current an inventory of critical information technology assets— including hardware, software and data—as well as corresponding cybersecurity controls.
- Change Management Processes – Implementing change management procedures to document, review, prioritize, test, approve, and manage internal and third-party hardware and software changes, as well as system capacity, in order to protect non-public information and firm services.
- Online System Capacity – Continuously monitoring and testing the capacity of current systems, and tracking average and peak utilization, to anticipate the need for additional resources based on increases in accounts or trading volumes, as well as changes in systems.
- Customer Account Access – Requiring customers to use MFA to access their online accounts.
The GRACE IT GRC and Vendor Risk solution helps with establishing IT governance policies and procedures; establishing controls and monitoring them; maintaining an IT asset inventory of all your data and applications; managing vendor information, including SLAs, contracts, vendor locations and contacts; conducting risk assessments with online questionnaires for internal risk assessments as well as vendor assessments; incident reporting and incident management; and online training and attestation, all from one integrated system. With online dashboards, the CISO has a single source of truth for all their IT infrastructure and data to monitor cybersecurity, data privacy, vendors and business continuity, and to ensure all cybersecurity processes are well defined and established as business-as-usual processes using best practices from NIST, ISO 27001, COBIT and other frameworks.
Outside Business Activities and Private Securities Transactions
Regulatory Obligations and Related Considerations
Regulatory Obligations: FINRA Rules 3270 (Outside Business Activities of Registered Persons) and 3280 (Private Securities Transactions of an Associated Person) require registered representatives to notify their firms in writing of proposed outside business activities (OBAs), and all associated persons to notify their firms in writing of proposed private securities transactions (PSTs), so firms can determine whether to limit or allow those activities.
A firm approving a PST where the associated person has or may receive selling compensation must record and supervise the transaction as if it were executed on behalf of the firm.
- What methods does your firm use to identify individuals involved in undisclosed OBAs and PSTs?
- Do your firm’s WSPs explicitly state when notification or pre-approval is required to engage in an OBA or PST?
- Does your firm require associated persons or registered persons to complete and update, as needed, questionnaires and attestations regarding their involvement— or potential involvement—in OBAs and PSTs; and if yes, how often?
- Upon receipt of a written notice of proposed OBAs, does your firm consider whether they will interfere with or otherwise compromise the registered person’s responsibilities to the firm and the firm’s customers, be viewed by customers or the public as part of the member’s business or both?
- Does your firm also determine whether such activities should be treated as a PST (subject to the requirements of FINRA Rule 3280)?
- Does your firm have a process in place to update a registered representative’s Form U4 with activities that meet the disclosure requirements of that form?
- Does your firm take into account the unique regulatory considerations and characteristics of digital assets when reviewing digital asset OBAs and PSTs?
- Does your firm record PSTs for compensation on its books and records, including PSTs involving new or unique products and services?
- How does your firm supervise activities that are PSTs, including digital asset PSTs, and document its compliance with the supervisory obligations?
Exam Findings and Effective Practices
Exam Findings:
- Incorrect Interpretation of Compensation – Interpreting “compensation” too narrowly (by focusing on only direct compensation, such as salary or commissions, rather than evaluating all direct and indirect financial benefits from PSTs, such as membership interests, receipt of preferred securities and tax benefits); and as a result, erroneously determining that certain activities were not PSTs.
- Inadequate Consideration of Need to Supervise – Approving participation in proposed transactions without adequately considering whether the firms need to supervise the transaction as if it were executed on their own behalf.
- No Documentation – Not retaining the documentation necessary to demonstrate the firm’s compliance with the supervisory obligations for PSTs and not recording the transactions on the firm’s books and records because certain PSTs were not consistent with the firm’s electronic systems (such as where securities businesses conducted by a registered representative would not be captured in their clearing firm’s feed of purchases and sales activity).
- No or Insufficient Notice and Notice Reviews – Registered persons failing to notify their firms in writing of OBAs or PSTs; and WSPs not requiring the review of such notices, or the documentation that such reviews had taken place.
- Inadequate Controls – Inadequate controls to confirm adherence to limitations placed on OBAs or PSTs, such as prohibiting registered representatives from soliciting firm clients to participate in an OBA or PST.
- No Review and Recordkeeping of Digital Asset Activities – Failing to conduct the required assessment of OBAs that involve digital assets or incorrectly assuming all digital assets are not securities and therefore, not evaluating digital asset activities, including activities performed through affiliates, to determine whether they are more appropriately treated as PSTs; and for certain digital asset or other activities that were deemed to be PSTs for compensation, not supervising such activities or recording such transactions on the firm’s books and records.
- Questionnaires – Requiring registered representatives and other associated persons to complete upon hire, and periodically thereafter, detailed, open-ended questionnaires with regular attestations regarding their involvement—or potential involvement—in new or previously disclosed OBAs and PSTs (including asking questions relating to any other businesses where they are owners or employees; whether they are raising money for any outside activity; whether they act as “finders” for issuers seeking new investors; and any expected revenues or other payments they receive from any entities other than the member firm, including affiliates).
- Conducting due diligence to learn about all OBAs and PSTs at the time of a registered representative’s initial disclosure to the firm and periodically thereafter, including interviewing the registered representative and thoroughly reviewing:
  - Social media, professional networking and other publicly available websites, and other sources (such as legal research databases and court records);
  - Email and other communications;
  - Documentation supporting the activity (such as organizational documents); and
  - OBAs that involve raising capital or directing securities transactions with investment advisers or fund companies in order to identify potential PSTs.
- Monitoring significant changes in, or other red flags relating to, registered representatives’ or associated persons’ performance, production levels or lifestyle that may indicate involvement in undisclosed or prohibited OBAs and PSTs (or other business or financial arrangements with their customers, such as borrowing or lending), including conducting regular, periodic background checks and reviews of:
  - correspondence (including social media);
  - fund movements;
  - marketing materials;
  - online activities;
  - customer complaints; and
  - financial records (including bank statements and tax returns).
- Considering whether registered representatives’ and other associated persons’ activities with affiliates, especially self-offerings, may implicate FINRA Rules 3270 and 3280.
- WSPs – Clearly identifying types of activities or investments that would constitute an OBA or PST subject to disclosure/approval or not, as well as defining selling compensation and in some cases providing FAQs to remind employees of scenarios that they might not otherwise consider to implicate these rules.
- Training – Conducting training on OBAs and PSTs during registered person and associated person onboarding and periodically thereafter, including regular reminders of written notice requirements and for registered persons to update their disclosures.
- Disciplinary Action – Imposing significant consequences—including heightened supervision, fines or termination—for persons who fail to notify firms in writing of their OBAs and PSTs, or fail to receive approval of their PSTs for compensation.
- Digital Asset Checklists – Creating checklists with a list of considerations to confirm whether digital asset activities would be considered OBAs or PSTs (including reviewing private placement memoranda or other materials and analyzing the underlying products and investment vehicle structures).
Exam Findings and Effective Practices
Exam Findings:
- Misinterpreted Obligations – Not performing due diligence to verify vendors’ ability to comply with Books and Records Rules requirements if they use that vendor; or not confirming that service contracts and agreements comply with ESM Notification Requirements because firms did not understand that all required records must comply with the Books and Records Rules, including records stored using Cloud Vendors’ storage services.
- No ESM Notification – Not complying with the ESM Notification Requirements, including obtaining the third party attestation letters required by Exchange Act Rule 17a-4(f)(3)(vii).
- Contract Review – Reviewing vendors’ contracts and agreements to assess whether firms will be able to comply with the Books and Records Rules, ESM Standards and ESM Notification Requirements.
- Testing and Verification – Testing all vendors’—including Cloud Vendors’—capabilities to fulfill regulatory obligations by, for example, simulating a regulator’s examinations by requesting records and engaging regulatory or compliance consultants to confirm compliance with the Books and Records Rules, ESM Standards and ESM Notification Requirements (and in some cases engaging the consultant to provide the third-party attestation).
- Attestation Verification – Confirming with vendors, including Cloud Vendors, whether the vendors will provide the third-party attestation.
The GRACE Branch and Rep Examination and Outside Activity Monitoring solution helps manage all branch, registered representative and advisor data, including their registrations, CE training, attestations, outside business activity reports and U4s, in a centralized way. It helps conduct branch and rep examinations on a calendar basis by setting up standardized questionnaires and gathering information on each branch, rep and advisor. GRACE can bring in data from public sources on associated persons’ outside business interests, debts, liens and criminal violations to help compliance officers have a complete picture of each of them. Online forms for associated persons to report gifts and political contributions, obtain pre-trade approvals, and report private placements and personal accounts, together with personal trade monitoring, help compliance officers identify all conflicts and violations.
Regulatory Obligations and Related Considerations
Regulatory Obligations: FINRA Rule 4530 (Reporting Requirements) requires firms to promptly report to FINRA, and associated persons to promptly report to firms, specified events, including, for example, violations of securities laws and FINRA rules, certain written customer complaints and certain disciplinary actions taken by the firm. Firms must also report quarterly to FINRA statistical and summary information regarding certain written customer complaints.
- Does your firm provide periodic reminders or training on such requirements, and what consequences does your firm impose on those persons who do not comply?
- How does your firm monitor for red flags of unreported written customer complaints and other reportable events?
- How does your firm confirm that it accurately and timely reports to FINRA written customer complaints that associated persons reported to your firm’s compliance department?
- How does your firm determine the problem and product codes it uses for its statistical reporting of written customer complaints to FINRA?
Exam Findings and Effective Practices
Exam Findings:
- No Reporting to the Firm – Associated persons not reporting written customer complaints, judgments concerning securities, commodities- or financial-related civil litigation and other events to the firms’ compliance departments because they were not aware of firm requirements.
- Inadequate Surveillance – Firms not conducting regular email and other surveillance for unreported events.
- No Reporting to FINRA – Failing to report to FINRA written customer complaints that associated persons reported to the firms’ compliance departments.
- Incorrect Rule 4530 Product/Problem Codes – As part of the statistical reporting to FINRA, failing to use codes that correlated to the most prominent product or the most egregious problem alleged in the written customer complaints, but instead reporting less prominent or severe codes or other codes based on the firms’ investigations or other information.
Effective Practices:
- Compliance Questionnaires – Developing detailed annual compliance questionnaires to verify the accuracy of associated persons’ disclosures, including follow-up questions (such as whether they are the subject of any pending lawsuits or have received any written customer complaints)
- Email Surveillance – Conducting email surveillance targeted to identify unreported written customer complaints (by, for example, including complaint-related words in their keyword lexicons, reviewing for unknown email addresses and conducting random email checks).
- Review of Registered Representatives’ Financial Condition – Identifying expenses, settlements and other payments that may indicate unreported events by conducting periodic reviews of their associated persons’ financial condition, including background checks and credit reports.
- Review of Publicly Available Information – Conducting periodic searches of associated persons’ names on web forums, court filings and other publicly available databases, including reviewing for any judgments concerning securities, commodities- or financial-related civil litigation and other reportable events.
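The email-surveillance practice above (complaint-related keyword lexicons, review of unknown email addresses, random checks) can be illustrated with a small surveillance pass. The following is an added example, not code from FINRA or from La Meer's GRACE product; the lexicon terms, known domains, message records and complaint log are all constructed samples, and the three checks are assumptions about how a firm might implement the practice. The output that matters is the list of lexicon-flagged messages that never reached the firm's complaint log, which is exactly the red flag the surveillance exists to surface.

```python
"""Added example (not FINRA's or La Meer's code): surveillance over constructed
email records that flags candidate written complaints and checks them against
the firm's complaint log. Lexicon, domains and messages are constructed samples."""
import random
import re
from dataclasses import dataclass, field

# Constructed keyword lexicon; a real firm tunes this and adds product-specific terms.
COMPLAINT_LEXICON = [
    "complaint", "unauthorized", "churn", "misrepresent", "excessive",
    "not suitable", "unsuitable", "lost money", "ombudsman", "arbitration",
    "never approved", "without my permission",
]
# Domains the firm already knows (its own, carriers, vendors). Constructed.
KNOWN_DOMAINS = {"examplefirm.test", "carrier.test"}


@dataclass
class Email:
    msg_id: str
    sender: str
    recipient: str
    subject: str
    body: str


@dataclass
class Finding:
    msg_id: str
    reasons: list = field(default_factory=list)
    in_complaint_log: bool = False


def lexicon_hits(text):
    """Lexicon terms present in text, matched on word boundaries, case-insensitively."""
    low = text.lower()
    return [t for t in COMPLAINT_LEXICON
            if re.search(r"\b" + re.escape(t) + r"\b", low)]


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def surveil(emails, complaint_log_ids, sample_rate=0.2, seed=0):
    """Three checks from the practice: lexicon hits, unknown sender domain, and a
    seeded random sample for manual review. Returns findings keyed by msg_id."""
    rng = random.Random(seed)
    findings = {}
    for e in emails:
        reasons = []
        hits = lexicon_hits(e.subject + " " + e.body)
        if hits:
            reasons.append("lexicon:" + ",".join(hits))
        if sender_domain(e.sender) not in KNOWN_DOMAINS:
            reasons.append("unknown-domain:" + sender_domain(e.sender))
        if rng.random() < sample_rate:
            reasons.append("random-sample")
        if reasons:
            findings[e.msg_id] = Finding(e.msg_id, reasons, e.msg_id in complaint_log_ids)
    return findings


def unreported(findings):
    """Lexicon-flagged messages that never reached the complaint log."""
    return sorted(f.msg_id for f in findings.values()
                  if not f.in_complaint_log
                  and any(r.startswith("lexicon:") for r in f.reasons))


# Constructed sample traffic and a constructed complaint log (only m3 was logged).
SAMPLE_EMAILS = [
    Email("m1", "alice@gmail.test", "rep@examplefirm.test", "Trades",
          "I never approved these trades on my account."),
    Email("m2", "ops@carrier.test", "rep@examplefirm.test", "Quarterly statement",
          "Attached is the quarterly statement."),
    Email("m3", "jane@mail.test", "rep@examplefirm.test", "Complaint about fees",
          "The commissions were excessive."),
    Email("m4", "rep@examplefirm.test", "pat@examplefirm.test", "Lunch?",
          "Free at noon?"),
]
SAMPLE_COMPLAINT_LOG = {"m3"}

if __name__ == "__main__":
    found = surveil(SAMPLE_EMAILS, SAMPLE_COMPLAINT_LOG)
    for msg_id, f in found.items():
        print(msg_id, f.reasons, "logged" if f.in_complaint_log else "NOT LOGGED")
    print("unreported candidates:", unreported(found))
```

The random-sample check is seeded so that runs are reproducible for audit purposes; a firm would typically vary the seed per review cycle and keep the sample rate in its written procedures.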
The GRACE Client Management system’s Complaints Management module records customer complaints and monitors their mitigation, and provides a dashboard showing the reason for each complaint, the associated persons involved, the frequency of such complaints and the status of mitigation.
Reg BI and Form CRS
Regulatory Obligations and Related Considerations
Regulatory Obligations:
The SEC’s Regulation Best Interest (Reg BI) establishes a “best interest” standard of conduct for broker-dealers and associated persons when they make recommendations to retail customers of any securities transaction or investment strategy involving securities, including account recommendations. Pursuant to this standard, a broker-dealer and its associated persons must not put their financial or other interests ahead of the interests of a retail customer.
In addition, whether or not they make recommendations, firms that offer services to retail investors must provide them with a Form CRS, a brief relationship summary that discloses material information in plain language (e.g., investment services provided, fees, conflicts of interest, legal and disciplinary history of the firms and financial professionals).
Reg BI and Form CRS became effective on June 30, 2020, and 2021 marked the first full calendar year during which FINRA examined firms’ implementation of related obligations.
The findings presented here are thus an initial look at firms’ practices. FINRA will share further findings as we continue to conduct exams and gather additional information on firms’ practices.
When your firm determines whether it is obligated to comply with Reg BI, does your firm consider the following key definitions in the context of the rule?
- “Retail customer” is defined as “a natural person, or the legal representative of such natural person, who:
- receives a recommendation of any securities transaction or investment strategy involving securities from a broker-dealer; and
- uses the recommendation primarily for personal, family, or household purposes.”
- A retail customer “uses” a recommendation of a securities transaction or investment strategy involving securities when, as a result of the recommendation:
- the retail customer opens a brokerage account with the broker-dealer, regardless of whether the broker-dealer receives compensation;
- the retail customer has an existing account with the broker-dealer and receives a recommendation from the broker-dealer, regardless of whether the broker-dealer receives or will receive compensation, directly or indirectly, as a result of that recommendation; or
- the broker-dealer receives or will receive compensation, directly or indirectly as a result of that recommendation, even if that retail customer does not have an account at the firm.
- Do your firm and your associated persons adhere to the Care Obligation of Reg BI when making recommendations by:
- exercising reasonable diligence, care and skill to understand the potential risks, rewards and costs associated with a recommendation and having a reasonable basis to believe, based on that understanding, that the recommendation is in the best interest of at least some retail investors;
- considering those risks, rewards and costs in light of the retail customer’s investment profile and having a reasonable basis to believe that a recommendation is in that particular customer’s best interest and does not place the broker-dealer’s interest ahead of the customer’s interest; and
- having a reasonable basis to believe that a series of recommended transactions, even if in the retail customer’s best interest when viewed in isolation, is not excessive and is in the retail customer’s best interest when taken together in light of the retail customer’s investment profile?
- Do your firm and your associated persons consider costs and reasonably available alternatives when making recommendations to retail customers?
- Are your firm’s policies and procedures reasonably designed to identify and disclose or eliminate conflicts, as well as to mitigate conflicts that create an incentive for an associated person of the firm to place his or her interests or the interest of the firm ahead of the retail customer’s interest?
- How does your firm test its policies and procedures to determine if they are adequate and performing as expected?
- Does your firm place any material limitations on the securities or investment strategies involving securities that may be recommended to a retail customer? If so, does your firm identify and disclose such limitations and prevent those limitations from causing the firm or its associated persons to make recommendations that place the firm’s or associated person’s interests ahead of the retail customer’s interest?
- Are your firm’s policies and procedures reasonably designed to identify and eliminate sales contests, sales quotas, bonuses and non-cash compensation that are based on the sale of specific securities or specific types of securities within a limited period of time, or mitigate conflicts for those not required to be eliminated?
- Do your firm’s disclosures include a full and fair disclosure of all material facts relating to the scope and terms of the firm’s relationship with retail customers (e.g., material fees and costs associated with transactions or accounts, material limitations involving securities recommendations) and all material facts relating to conflicts of interest that are associated with the recommendation?
- What controls does your firm have to assess whether disclosures are provided timely, and if provided electronically, in compliance with the SEC’s electronic delivery guidance?
- Do your firm’s policies and procedures address Reg BI, including new obligations that did not exist prior to Reg BI?
- Do your firm’s policies and procedures:
(1) identify specific individual(s) who are responsible for supervising compliance with Reg BI;
(2) specify the supervisory steps and reviews appropriate supervisor(s) should take and their frequency; and
(3) note how supervisory reviews should be documented?
- If your firm is not dually registered as an investment adviser, commodity trading advisor, municipal advisor or advisor to a special entity, do the firm or any of its associated persons who are not dually registered use “adviser” or “advisor” in their name or title?
- Does the firm provide dually-registered associated persons with adequate guidance on how to determine and disclose the capacity in which they are acting?
- Has your firm provided adequate Reg BI training to its associated persons, including supervisory staff?
If your firm offers services to retail investors:
- Does it deliver Form CRS to each new or prospective customer who is a retail investor before the earliest of:
(i) a recommendation of an account type, securities transaction or investment strategy involving securities;
(ii) placing an order for the retail investor; or
(iii) opening a brokerage account for the investor?
- For existing retail investor customers, does the firm deliver Form CRS before or at the time the firm:
(i) opens a new account that is different from the retail customer’s existing account;
(ii) recommends that the retail customer roll over assets from a retirement account; or
(iii) recommends or provides a new service or investment outside of a formal account (e.g., variable annuities or a first-time purchase of a direct-sold mutual fund through a ‘‘check and application’’ process)?
- Does it file a relationship summary with the SEC through the Central Registration Depository (CRD), if the firm is registered as a broker-dealer; through the Investment Adviser Registration Depository (IARD), if the firm is registered as an investment adviser; or both CRD and IARD, if the firm is a dual-registrant?
- Does your firm have processes in place to update and file the amended Form CRS within 30 days whenever any information becomes materially inaccurate and to communicate, without charge, any changes in the updated relationship summary to retail investors who are existing customers within 60 days after the updates are required to be made (a total of 90 days to communicate the changes to customers after the information becomes materially inaccurate)?
Exam Findings and Effective Practices
Exam Findings:
- WSPs That Are Not Reasonably Designed To Achieve Compliance with Reg BI and Form CRS –
- Providing insufficiently precise guidance by:
- Not identifying the specific individuals responsible for supervising compliance with Reg BI; and
- Stating the rule requirements, but failing to detail how the firm will comply with those requirements (i.e., stating “what” but failing to address “how”).
- Failing to modify existing policies and procedures to reflect Reg BI’s requirements by:
- Not addressing how costs and reasonably available alternatives should be considered when making recommendations;
- Not addressing recommendations of account types;
- Not addressing conflicts that create an incentive for associated persons to place their interest ahead of those of their customers; and
- Not including provisions to address Reg BI-related recordkeeping obligations and the testing of the firms’ Reg BI and Form CRS policies, procedures and controls.
- Failing to develop adequate controls or developing adequate controls but not memorializing these processes in their WSPs.
- Inadequate Staff Training –
- Failing to adequately prepare associated persons to comply with the requirements of Reg BI beyond previous suitability obligations or Form CRS by:
- Failing to deliver initial training before the June 30, 2020, compliance date;
- Delivering training without making clear Reg BI’s new obligations; or
- Delivering training that focused on Reg BI and Form CRS requirements in general, without addressing the specific steps associated persons should take to comply with these requirements.
- Failure to Comply With Care Obligation –
- Making recommendations that were not in the best interest of a particular retail customer based on that retail customer’s investment profile and the potential risks, rewards and costs associated with the recommendation.
- Recommending a series of transactions that were excessive in light of a retail customer’s investment profile and placing the broker-dealer’s or associated person’s interest ahead of those of retail customers.
- Failure to Comply with Conflict of Interest Obligation – Not identifying conflicts or, if identified, not adequately addressing those conflicts.
- Improper Use of the Terms “Advisor” or “Adviser” – Associated persons, firms or both, using the terms “advisor” or “adviser” in their titles or firm names, even though they lack the appropriate registration.
- Insufficient Reg BI Disclosures – Not providing retail customers with “full and fair” disclosures of all material facts related to the scope and terms of their relationship with these customers or related to conflicts of interest that are associated with the recommendation, including:
- material fees received as a result of recommendations made (e.g., revenue sharing or other payments received from product providers or issuers, as well as other fees tied to recommendations to rollover qualified accounts);
- potential conflicts of interest (e.g., associated persons trading in the same securities in their personal account(s) or outside employment); and
- material limitations in securities offerings.
- Deficient Form CRS Filings – Firms’ Form CRS filings significantly departing from the Form CRS instructions or guidance from the SEC’s FAQ on Form CRS by:
- Exceeding prescribed page lengths;
- Omitting material facts (e.g., description of services offered; limitations of the firm’s investment services);
- Inaccurately representing their financial professionals’ disciplinary histories;
- Failing to describe types of compensation and compensation-related conflicts;
- Incorrectly stating that the firm does not provide recommendations;
- Changing or excluding language required by Form CRS; and
- Not resembling a relationship summary, as required by Form CRS.
- Form CRS Not Posted Properly on Website –
- For firms that have a public website, failing to post or failing to post prominently, in a location and format that is easily accessible to retail investors, the current Form CRS (e.g., requiring multiple click-throughs or using confusing descriptions to navigate to the Form CRS).
- Inadequate Form CRS Amendments – Firms not in compliance with Form CRS in relation to material changes because they:
- Failed to re-file in CRD in a timely manner (i.e., within 30 days of the date when Form CRS became materially inaccurate); or
- Failed to communicate or timely communicate changes to existing retail investor customers (e.g., delivering amended summary, with required exhibits, showing revised text or summarizing material changes or communicating the information through another disclosure within 60 days after the updates are required to be made—90 days total from the date when Form CRS became materially inaccurate).
- Misconstruing Obligation to File Form CRS
- Incorrectly determining that filing Form CRS hinges solely on making recommendations, rather than offering services to a retail investor.
- Incorrectly claiming a firm is not subject to the Form CRS delivery obligation because of, among other things, their customer base (e.g., retail investors who are high-net-worth individuals) or the services they offer (e.g., investment company products held directly by an issuer, self-directed accounts)
Effective Practices:
- Identifying and Mitigating Conflicts of Interest – Identifying, disclosing, and eliminating or mitigating conflicts of interest across business lines, compensation arrangements, relationships or agreements with affiliates, and activities of their associated persons by:
- Establishing and implementing policies and procedures to identify and address conflicts of interest, such as through the use of conflicts committees or other mechanisms or creating conflicts matrices tailored to the specifics of the firm’s business that address, for example, conflicts across business lines and how to eliminate, mitigate or disclose those conflicts;
- Sampling recommended transactions to evaluate how costs and reasonably available alternatives were considered;
- Providing resources to associated persons making recommendations that account for reasonably available alternatives with comparable performance, risk and return that may be available at a lower cost, such as:
- Worksheets, in paper or electronic form, to compare costs and reasonably available alternatives; or
- Guidance on relevant factors to consider when evaluating reasonably available alternatives to a recommended product (e.g., similar investment types from the issuer; less complex or risky products available at the firm);
- Updating client relationship management (CRM) tools that automatically compare recommended products to reasonably available alternatives;
- Revising commission schedules within product types to flatten the percentage rate; and
- Broadly prohibiting all sales contests.
- Limiting High-Risk or Complex Investments for Retail Customers – Mitigating the risk of making recommendations that might not be in a retail customer’s best interest by:
- Establishing product review processes to identify and categorize risk and complexity levels for existing and new products;
- Limiting high-risk or complex product, transaction or strategy recommendations to specific customer types; and
- Applying heightened supervision to recommendations of high-risk or complex products.
- Implementing Systems Enhancements for Tracking Delivery of Required Customer Documents
- Tracking and delivering Form CRS and Reg BI-related documents to retail investors and retail customers in a timely manner by:
- automating tracking mechanisms to determine who received Form CRS and other relevant disclosures; and
- memorializing delivery of required disclosures at the earliest triggering event.
- Implementing New Surveillance Processes – Monitoring associated persons’ compliance with Reg BI by:
- Conducting monthly reviews to confirm that their recommendations meet Care Obligation requirements, including system-driven alerts or trend criteria to identify:
- account type or rollover recommendations that may be inconsistent with a customer’s best interest;
- excessive trading; and
- sale of same product(s) to a high number of retail customers;
- Monitoring communication channels (e.g., email, social media) to confirm that associated persons who were not investment adviser representatives (IARs) were not using the word “adviser” or “advisor” in their titles; and
- Incorporating Reg BI-specific reviews into the branch exam program as part of overall Reg BI compliance efforts, focusing on areas such as documenting Reg BI compliance and following the firms’ Reg BI protocols.
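The surveillance practice described above lists three system-driven alert types: excessive trading, sale of the same product to a high number of retail customers, and use of “adviser”/“advisor” by associated persons who are not IARs. The following is an added example, not code from FINRA or from any firm or vendor named on this page, showing one way such alerts can be computed over constructed trade and communication records. The turnover, cost-to-equity and customer-count thresholds are assumptions for illustration only; each firm sets its own review thresholds in its WSPs.

```python
"""Added example (not FINRA's or any firm's code): Reg BI-style surveillance alerts
over constructed trade and communication records. Thresholds are assumptions."""
from collections import defaultdict
import re

# Constructed review thresholds (assumptions, not taken from the report).
TURNOVER_THRESHOLD = 6.0              # annualized purchases / average equity
COST_TO_EQUITY_THRESHOLD = 0.20       # annualized costs / average equity
SAME_PRODUCT_CUSTOMER_THRESHOLD = 3   # distinct customers sold one product by one rep


def annualize(value, period_months):
    """Scale a figure observed over period_months to a 12-month basis."""
    return value * 12.0 / period_months


def excessive_trading_alerts(trades, avg_equity, period_months):
    """trades: dicts with account, rep, product, purchase_amt, cost.
    avg_equity: account -> average equity over the review period.
    Flags accounts whose annualized turnover or cost-to-equity ratio exceeds a threshold."""
    purchases = defaultdict(float)
    costs = defaultdict(float)
    for t in trades:
        purchases[t["account"]] += t["purchase_amt"]
        costs[t["account"]] += t["cost"]
    alerts = {}
    for acct, equity in avg_equity.items():
        turnover = annualize(purchases[acct] / equity, period_months)
        cost_to_equity = annualize(costs[acct] / equity, period_months)
        reasons = []
        if turnover > TURNOVER_THRESHOLD:
            reasons.append(f"turnover={turnover:.1f}")
        if cost_to_equity > COST_TO_EQUITY_THRESHOLD:
            reasons.append(f"cost_to_equity={cost_to_equity:.2f}")
        if reasons:
            alerts[acct] = reasons
    return alerts


def same_product_alerts(trades):
    """(rep, product) pairs where one rep sold the same product to many distinct customers."""
    customers = defaultdict(set)
    for t in trades:
        customers[(t["rep"], t["product"])].add(t["account"])
    return {k: len(v) for k, v in customers.items()
            if len(v) >= SAME_PRODUCT_CUSTOMER_THRESHOLD}


# Matches "adviser"/"advisor" as a whole word, optionally preceded by "financial".
TITLE_RE = re.compile(r"\b(financial\s+)?advis[eo]r\b", re.IGNORECASE)


def title_alerts(messages, iar_reps):
    """messages: (rep, text) pairs from monitored channels. Flags reps who are not
    IARs but use 'adviser' or 'advisor' in their communications."""
    return sorted({rep for rep, text in messages
                   if rep not in iar_reps and TITLE_RE.search(text)})


# Constructed six-month sample: one account is churned, one product is sold widely.
SAMPLE_TRADES = [
    {"account": "A1", "rep": "R1", "product": "FUND-X", "purchase_amt": 250000, "cost": 7500},
    {"account": "A1", "rep": "R1", "product": "FUND-Y", "purchase_amt": 150000, "cost": 4500},
    {"account": "A2", "rep": "R1", "product": "FUND-X", "purchase_amt": 50000, "cost": 500},
    {"account": "A3", "rep": "R1", "product": "FUND-X", "purchase_amt": 10000, "cost": 100},
]
SAMPLE_EQUITY = {"A1": 100000.0, "A2": 200000.0, "A3": 50000.0}
SAMPLE_MESSAGES = [
    ("R1", "Best regards, Pat, Financial Advisor"),
    ("R2", "Your adviser, Sam"),
    ("R3", "Thanks, Lee"),
]
IAR_REPS = {"R2"}  # constructed: only R2 holds IAR registration

if __name__ == "__main__":
    print(excessive_trading_alerts(SAMPLE_TRADES, SAMPLE_EQUITY, period_months=6))
    print(same_product_alerts(SAMPLE_TRADES))
    print(title_alerts(SAMPLE_MESSAGES, IAR_REPS))
```

Account A1 turns over four times its equity in six months (eight times annualized) with costs of 24% of equity annualized, so it is alerted; A2 and A3 are not. The same-product check counts distinct accounts rather than trades so that repeated purchases by one customer do not inflate the count.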
The GRACE Client Management system is built specifically to address all aspects of Regulation Best Interest in one system: the Disclosure Obligation, with the ability to share disclosures, including Form CRS, with clients and record their receipt; the Care Obligation, during product selection and when establishing the suitability of products and alternatives against the client’s risk profile; the Compliance Obligation, through oversight of all trades done on behalf of the client to meet their portfolio objectives, preventing use of unsuitable products, trade churn, high fees and other risks to customer portfolios; and the Conflicts of Interest Obligation, ensuring all conflicts in the business are identified, mitigated and, where mitigation is not possible, correctly disclosed to clients.
Variable Annuities
Regulatory Obligations and Related Considerations
Regulatory Obligations:
FINRA Rule 2330 (Members’ Responsibilities Regarding Deferred Variable Annuities) establishes sales practice standards regarding recommended purchases and exchanges of deferred variable annuities. To the extent that a broker-dealer or associated person is recommending a purchase or exchange of a deferred variable annuity to a retail customer, Reg BI’s obligations, discussed above, also would apply.
In addition, Rule 2330 requires firms to establish and maintain specific written supervisory procedures reasonably designed to achieve compliance with the rule. Firms must implement surveillance procedures to determine if any associated person is effecting deferred variable annuity exchanges at a rate that might suggest conduct inconsistent with FINRA Rule 2330 and any other applicable FINRA rules or the federal securities laws.
- How does your firm review for rates of variable annuity exchanges (i.e., does your firm use any automated tools, exception reports or surveillance reports)?
- Does your firm have standardized review thresholds for rates of variable annuity exchanges?
- Does your firm have a process to confirm its variable annuity data integrity (including general product information, share class, riders and exchange-based activity) and engage with affiliate and non-affiliate insurance carriers to address inconsistencies in available data, data formats and reporting processes for variable annuities?
- How do your firm’s WSPs support a determination that a variable annuity exchange has a reasonable basis? How do you obtain, evaluate and record relevant information, such as:
- loss of existing benefits;
- increased fees or charges;
- surrender charges, or the establishment or creation of a new surrender period;
- consistency of customer liquid net worth invested in the variable annuity with their liquidity needs;
- whether a share class is in the customer’s best interest, given his or her financial needs, time horizon and riders included with the contract; and
- prior exchanges within the preceding 36 months?
- Do your firm’s policies and procedures require registered representatives to inform customers of the various features of recommended variable annuities such as surrender charges, potential tax penalties, various fees and costs, and market risk?
- What is the role of your registered principals in supervising variable annuity transactions, including verifying how the customer would benefit from certain features of deferred variable annuities (e.g., tax-deferral, annuitization, or a death or living benefit)?
- What processes, forms, documents and information do the firm’s registered principals rely on to make such determinations?
- What is your firm’s process to supervise registered representatives who advise their clients’ decisions whether or not to accept a buyout offer?
Exam Findings and Effective Practices
Exam Findings:
- Exchanges – Not reasonably supervising recommendations of exchanges for compliance with FINRA Rule 2330 and Reg BI, leading to exchanges that were inconsistent with the customer’s objectives and time horizon and resulted in, among other consequences, increased fees to the customer or the loss of material, paid-for accrued benefits.
- Insufficient Training – Not conducting training for registered representatives and supervisors regarding how to assess costs and fees, surrender charges and long-term income riders to determine whether exchanges were suitable for customers.
- Poor and Insufficient Data Quality – Not collecting and retaining key information on variable annuity transactions, particularly in connection with exchange transactions; relying on processes for data collection and retention in situations where the volume of variable annuity transactions renders these processes ineffective; and failing to address inconsistencies in available data for variable annuities, as well as data formats and reporting processes.
- Issuer Buyouts – Not reasonably supervising recommendations related to issuer buyout offers (e.g., associated persons’ recommendations that investors surrender the contract in order to generate an exchange or new purchase) for compliance with FINRA Rule 2230 and Reg BI.
Effective Practices:
- Automated Surveillance – Using automated tools, exception reports and surveillance to review variable annuity exchanges; and implementing second-level supervision of supervisory reviews of exchange-related exception reports and account applications.
- Rationales – Requiring registered representatives to provide detailed written rationales for variable annuity exchanges for each customer (including confirming that such rationales address the specific circumstances for each customer and do not replicate rationales provided for other customers); and requiring supervisory principals to verify the information provided by registered representatives, including product fees, costs, rider benefits and existing product values.
- Review Thresholds – Standardizing review thresholds for rates of variable annuity exchanges; and monitoring for emerging trends across registered representatives, customers, products and branches.
- Automated Data Supervision – Creating automated solutions to synthesize variable annuity data (including general product information, share class, riders and exchange-based activity) in situations warranted by the volume of variable annuity transactions.
- Data Integrity – Engaging with insurance carriers (affiliated and non-affiliated) and third-party data providers (e.g., DTCC and consolidated account report providers) to address inconsistencies in available data, data formats and reporting processes for variable annuities.
- Data Acquisition – Establishing a supervisory system that collects and utilizes key transaction data, including, but not limited to:
- transaction date;
- rep name;
- customer name;
- customer age;
- investment amount;
- whether the transaction is a new contract or an additional investment;
- contract type (qualified vs. non-qualified);
- contract number;
- product issuer;
- product name;
- source of funds;
- exchange identifier;
- share class; and
- Data Analysis – Considering the following data points when conducting a review of an exchange transaction under FINRA Rule 2330 and Reg BI:
- branch location;
- customer state of residence;
- policy riders;
- policy fees;
- issuer of exchanged policy;
- exchanged policy product name;
- date exchanged policy was purchased;
- living benefit value, death benefit value or both, that was forfeited;
- surrender charges incurred; and
- any additional benefits surrendered with forfeiture.
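The Review Thresholds, Data Acquisition and Data Analysis practices above describe an exception report: collect the listed transaction fields, compute each representative's rate of exchanges, and review each exchange against the data points that matter under Rule 2330 (prior exchanges within the preceding 36 months, benefits forfeited, surrender charges incurred). The following is an added example, not code from FINRA or from La Meer's GRACE product, built over constructed transaction records carrying the Data Acquisition fields. The exchange-rate threshold, the minimum exchange count and the 36-month approximation are assumptions; a firm standardizes its own thresholds in its WSPs.

```python
"""Added example (not FINRA's or La Meer's code): a variable annuity exchange exception
report over constructed transaction records using the Data Acquisition and Data
Analysis fields listed above. Thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import date

# Review thresholds (constructed assumptions for illustration).
EXCHANGE_RATE_THRESHOLD = 0.5         # exchanges as a share of a rep's VA transactions
MIN_EXCHANGES_FOR_ALERT = 2           # do not alert a rep on a single exchange
PRIOR_EXCHANGE_WINDOW_DAYS = 36 * 30  # approximates "preceding 36 months"


def make_record(txn_date, rep, customer, age, amount, new_contract, contract_type,
                contract_no, issuer, product, source, exchange_id, share_class,
                benefit_forfeited=0.0, surrender_charge=0.0):
    """One VA transaction carrying the Data Acquisition fields plus two Data Analysis
    points (forfeited benefit value and surrender charge incurred)."""
    return {"transaction_date": txn_date, "rep_name": rep, "customer_name": customer,
            "customer_age": age, "investment_amount": amount, "new_contract": new_contract,
            "contract_type": contract_type, "contract_number": contract_no,
            "product_issuer": issuer, "product_name": product, "source_of_funds": source,
            "exchange_identifier": exchange_id, "share_class": share_class,
            "benefit_forfeited": benefit_forfeited, "surrender_charge": surrender_charge}


def exchange_rates_by_rep(records):
    """rep -> (exchanges, total transactions, rate). A record is an exchange when it
    carries an exchange identifier."""
    total, exch = defaultdict(int), defaultdict(int)
    for r in records:
        total[r["rep_name"]] += 1
        if r["exchange_identifier"]:
            exch[r["rep_name"]] += 1
    return {rep: (exch[rep], total[rep], exch[rep] / total[rep]) for rep in total}


def rep_rate_alerts(records):
    """Reps whose exchange rate exceeds the standardized review threshold."""
    return sorted(rep for rep, (e, _t, rate) in exchange_rates_by_rep(records).items()
                  if e >= MIN_EXCHANGES_FOR_ALERT and rate > EXCHANGE_RATE_THRESHOLD)


def exchange_review_flags(records):
    """exchange_identifier -> review flags: a prior exchange by the same customer inside
    the window, a forfeited living/death benefit, or a surrender charge incurred."""
    prior_by_customer = defaultdict(list)
    out = {}
    for r in sorted(records, key=lambda rec: rec["transaction_date"]):
        if not r["exchange_identifier"]:
            continue
        flags = []
        for prior in prior_by_customer[r["customer_name"]]:
            if (r["transaction_date"] - prior).days <= PRIOR_EXCHANGE_WINDOW_DAYS:
                flags.append("prior_exchange_within_36_months")
                break
        if r["benefit_forfeited"] > 0:
            flags.append("benefit_forfeited")
        if r["surrender_charge"] > 0:
            flags.append("surrender_charge")
        prior_by_customer[r["customer_name"]].append(r["transaction_date"])
        if flags:
            out[r["exchange_identifier"]] = flags
    return out


# Constructed sample: rep Pat exchanges two of three contracts, one customer twice.
SAMPLE_RECORDS = [
    make_record(date(2021, 2, 1), "Pat", "Alice", 67, 100000, True, "qualified", "C-1001",
                "Issuer A", "Product A", "exchange", "X-1", "B", 5000.0, 2000.0),
    make_record(date(2021, 6, 15), "Pat", "Bob", 58, 40000, True, "non-qualified", "C-1002",
                "Issuer B", "Product B", "savings", "", "C"),
    make_record(date(2021, 9, 10), "Pat", "Alice", 67, 95000, True, "qualified", "C-1003",
                "Issuer C", "Product C", "exchange", "X-2", "B"),
    make_record(date(2021, 11, 1), "Sam", "Carol", 71, 60000, True, "qualified", "C-2001",
                "Issuer A", "Product A", "exchange", "X-3", "L", 0.0, 1500.0),
    make_record(date(2021, 12, 1), "Sam", "Dan", 49, 25000, False, "non-qualified", "C-2002",
                "Issuer B", "Product B", "savings", "", "C"),
    make_record(date(2022, 1, 5), "Sam", "Erin", 63, 30000, True, "qualified", "C-2003",
                "Issuer B", "Product B", "rollover", "", "C"),
]

if __name__ == "__main__":
    print("rep exchange rates:", exchange_rates_by_rep(SAMPLE_RECORDS))
    print("rep alerts:", rep_rate_alerts(SAMPLE_RECORDS))
    print("exchange flags:", exchange_review_flags(SAMPLE_RECORDS))
```

Pat is alerted (two exchanges out of three transactions); Sam is not. Alice's second exchange is flagged for a prior exchange within the window even though it forfeited nothing, which is the case the 36-month data point exists to catch. The flags feed the written-rationale and principal-verification steps rather than replacing them.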
Please write to us at firstname.lastname@example.org to see a web demo of our systems to help in all of the above areas