What’s In The New FINRA Report: Spotlight On AML & Cybersecurity

March 15, 2021

By a Biometrica staffer

The Financial Industry Regulatory Authority (FINRA) published a new report last month with annual insights from its examinations and risk monitoring programs. The report is aimed at helping inform compliance programs at member firms of areas of importance.

“This report is designed to give member firms a single, authoritative source that provides insights derived both from the last year’s examinations and risk assessments and from where we have identified emerging issues for the coming year,” said Bari Havlik, FINRA’s executive vice president for member supervision, according to a post on Compliance Week.

This new report — titled 2021 Report on FINRA’s Examination and Risk Monitoring Program — replaces two of FINRA’s previously published annual reports that provided analysis of prior examination results and highlighted areas the organization planned to review in the coming year.

The report addresses 18 regulatory areas in total under the following four categories: firm operations, communications and sales, market integrity, and financial management, the Compliance Week post said. The importance and relevance of the considerations, findings and effective practices in each of these areas will vary for each member firm, FINRA says on its website page of selected highlights from the report.

But in general, there are six key areas that impact compliance programs across a large population of member firms. Here are snippets from those highlights:

  • Regulation Best Interest (Reg BI) and Form CRS (Customer Relationship Summary) – In 2021, FINRA intends to expand the scope of its Reg BI and Form CRS reviews and testing to effect a more comprehensive review of firm processes, practices and conduct. In the Reg BI and Form CRS sections of the report, member firms can review considerations FINRA staff will use when examining a firm for compliance with those aspects. The report also includes a list of previously published considerations and materials — such as its Reg BI Topic Page
  • Consolidated Audit Trail (CAT) – FINRA is in the early stages of reviewing for compliance with certain CAT obligations; accordingly, exam findings or effective practices are not included in this report but will be provided later when more information is available. In the interim, member firms should review the list of recommended steps provided in the Notice, and the list of considerations and relevant resources provided in the report in assessing the adequacy of their CAT compliance programs.
  • Cybersecurity – Member firms’ ongoing and increasing reliance on technology for many customer-facing activities, communications, trading, operations, back-office and compliance programs — especially in our current remote work environment — requires them to address new and existing cybersecurity risks, including risks relating to cybersecurity-enabled fraud and crime. A firm’s cybersecurity program should be reasonably designed and tailored to the firm’s risk profile, business model and scale of operations. Given the increase in remote work and virtual client interactions, combined with an increase in cyber-related crimes, FINRA encourages member firms to review the considerations, observations and effective practices noted in the report, as well as Regulatory Notice 20-13 (FINRA Reminds Firms to Beware of Fraud During the Coronavirus (COVID-19) Pandemic), the Report on Selected Cybersecurity Practices – 2018 and the Report on Cybersecurity Practices – 2015.
  • Communications with the Public – FINRA continues to evaluate member firms for compliance with Rule 2210 (Communications with the Public), which includes principles-based content standards that are designed to apply to ongoing developments in communications technology and practices. In addition, it is increasingly focused on communications relating to certain new products, and how member firms supervise, comply with recordkeeping obligations, and address risks relating to new digital communication channels. This focus includes risks associated with app-based platforms with interactive or “game-like” features that are intended to influence customers, their related forms of marketing, and the appropriateness of the activity that they are approving clients to undertake through those platforms (for example, under FINRA Rule 2360 (Options)).
  • Best Execution – FINRA has routinely reviewed member firms for their compliance with best execution obligations under Rule 5310 (Best Execution and Interpositioning) in its examinations. Among other things, FINRA has continued to focus on potential conflicts of interest in order-routing decisions, appropriate policies and procedures for different order and security types, and the sufficiency of member firms’ reviews of execution quality. It also conducted a targeted review of member firms that do not charge commissions for customer transactions (“zero commission” trading) to evaluate the impact that not charging commissions has, or will have, on member firms’ order-routing practices and decisions, and other aspects of member firms’ business.
  • Variable Annuities – FINRA continues to evaluate variable annuity exchanges under Rule 2330 (Members’ Responsibilities Regarding Deferred Variable Annuities) and, when applicable, under Reg BI. Additionally, in early 2020, it engaged in an informal review of buyout written supervisory procedures (WSPs), training, and disclosures for member firms whose customers were impacted by a recent announcement from an insurer with sizable variable annuity assets stating it will terminate servicing agreements, cancel certain trail commissions for registered representatives, and provide buyout offers to its variable annuity customers.

While the report goes on to detail all 18 regulatory areas mentioned earlier, our focus in this piece is on two key topics: anti-money laundering and cybersecurity. Within these two topics, we bring you snippets from the report that emphasize effective practices and emerging risks.

Anti-Money Laundering (AML)

The Bank Secrecy Act (BSA) requires firms to monitor for, detect and report suspicious activity conducted or attempted by, at, or through the firms to the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN). Firms should also be aware of the recently enacted Anti-Money Laundering Act of 2020, which may result in material revisions to the implementing regulations over time. FINRA Rule 3310 (Anti-Money Laundering Compliance Program) requires that members develop and implement a written AML program reasonably designed to comply with the requirements of the BSA and its implementing regulations.

Additionally, FinCEN’s Customer Due Diligence (CDD) rule requires that firms identify beneficial owners of legal entity customers, understand the nature and purpose of customer accounts, and conduct ongoing monitoring of customer accounts to identify and report suspicious transactions and — on a risk basis — update customer information.

Effective Practices

  • Customer Identification Program: Using, on a risk basis, both documentary (such as driver’s licenses or passports) and non-documentary methods (such as using third-party sources) to verify customers’ identities.
  • Monitoring for Fraud During Account Opening: Implementing additional precautions during account opening, including limiting automated approval of multiple accounts opened by a single customer; reviewing account application fields for repetition or commonalities among multiple applications; and using technology to detect indicators of automated scripted attacks in the digital account application process.
  • Bank Account Verification, Restrictions on Fund Transfers and Ongoing Monitoring: Confirming customers’ identities through verbal confirmation, following client verification protocols or using a third-party verification service, such as Early Warning System (EWS); monitoring of outbound money movement requests post-ACH (Automated Clearing House) set-up; restricting fund transfers in certain situations; and conducting ongoing monitoring of accounts.
  • Collaboration With Clearing Firms: Understanding the allocation of responsibilities between clearing and introducing firms for handling ACH transactions; and implementing policies and procedures to comply with those responsibilities.
  • AML Compliance Tests: Confirming annual AML independent tests evaluate the adequacy of firms’ AML compliance programs, review firms’ SAR reporting processes, and include sampling and transaction testing of firms’ monitoring programs.
  • Risk Assessments: Updating risk assessments based on the results of AML independent tests, audits, and changes in size or risk profile of the firms, including their businesses, registered representatives and customer account types; and using AML risk assessments to inform the focus of firms’ independent AML tests.
  • Testing of Transaction Monitoring and Model Validation: Performing regular, ongoing testing and tuning of transaction monitoring models, scenarios and thresholds; and confirming the integrity of transaction monitoring data feeds and validating models (which are more frequently used at large firms).
  • Collaboration with AML Department: Increasing the likelihood that all potentially reportable events are referred to the AML department by establishing a line of communication (such as reporting and escalation processes, awareness and educational programs, regular meetings, policies and procedures, or exception reports) between the AML department and other departments that may observe potentially reportable events (such as registered representatives and client-facing teams, technology, cybersecurity, compliance, operations, trading desks and fraud departments).
  • Training Programs: Designing training programs for each of the roles and responsibilities of the AML department (as well as departments that regularly work with AML) and addressing all AML regulatory and industry developments.
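One way to implement the account-opening checks described in the bullets above (repeated fields across multiple applications, and scripted multi-account submissions), as an added example that is not from the FINRA report or any member firm; every record, field name and threshold is constructed:

```python
"""Account-opening fraud screen: constructed example, not the report's or any firm's code."""
from collections import defaultdict
from datetime import datetime, timedelta

def app(id_, phone, address, bank, device, submitted):
    """Build one constructed application record (bank = source-of-funds account)."""
    return {"id": id_, "phone": phone, "address": address, "bank": bank,
            "device": device, "submitted": submitted}

# Constructed sample: A3-A5 reuse the same phone/address/bank and arrive from one
# device 20 seconds apart, the pattern of a scripted multi-account submission.
APPLICATIONS = [
    app("A1", "555-0100", "1 Main St", "bank-01", "dev-1", "2021-02-01T10:00:00"),
    app("A2", "555-0101", "2 Oak Ave", "bank-02", "dev-2", "2021-02-01T10:05:00"),
    app("A3", "555-0199", "9 Elm Rd", "bank-09", "dev-9", "2021-02-01T11:00:00"),
    app("A4", "555-0199", "9 Elm Rd", "bank-09", "dev-9", "2021-02-01T11:00:20"),
    app("A5", "555-0199", "9 Elm Rd", "bank-09", "dev-9", "2021-02-01T11:00:40"),
    app("A6", "555-0102", "3 Pine Ct", "bank-03", "dev-6", "2021-02-02T09:00:00"),
]

SHARED_FIELDS = ("phone", "address", "bank", "device")
MIN_CLUSTER = 3                   # a value repeated across 3+ applications is a red flag
BURST_WINDOW = timedelta(seconds=60)
BURST_COUNT = 3                   # 3+ submissions from one device inside the window

def shared_field_clusters(apps, fields=SHARED_FIELDS, min_size=MIN_CLUSTER):
    """Map (field, value) -> application ids for values repeated min_size+ times."""
    index = defaultdict(list)
    for a in apps:
        for f in fields:
            index[(f, a[f])].append(a["id"])
    return {key: ids for key, ids in index.items() if len(ids) >= min_size}

def scripted_bursts(apps, window=BURST_WINDOW, count=BURST_COUNT):
    """Return device ids that submitted `count` applications within `window`."""
    by_device = defaultdict(list)
    for a in apps:
        by_device[a["device"]].append(datetime.fromisoformat(a["submitted"]))
    flagged = set()
    for dev, times in by_device.items():
        times.sort()                  # sliding window over sorted submission times
        if any(times[i + count - 1] - times[i] <= window
               for i in range(len(times) - count + 1)):
            flagged.add(dev)
    return flagged

def hold_for_review(apps):
    """Ids that must not be auto-approved: in a shared-value cluster or a burst."""
    held = set()
    for ids in shared_field_clusters(apps).values():
        held.update(ids)
    bursts = scripted_bursts(apps)
    held.update(a["id"] for a in apps if a["device"] in bursts)
    return sorted(held)
```

Applications returned by `hold_for_review` go to manual verification instead of automated approval; the field list can be extended with whatever attributes the firm collects (employer, e-mail domain, IP address).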

Emerging AML and Other Financial Crime Risks

Microcap and Other Fraud
Some firms continue to engage in fraud, financial crimes and other problematic practices, such as those described in the SEC Staff Bulletin: Risks Associated with Omnibus Accounts Transacting in Low-Priced Securities, which addresses microcap and penny stock activity transacted in omnibus accounts maintained for foreign financial institutions and foreign affiliates of U.S. broker-dealers.

Issuers Based in Restricted Markets
Certain foreign national and foreign entity nominee accounts appear to have been opened solely to invest in the initial public offerings and subsequent aftermarket trading in one or more exchange-listed issuers based in restricted markets, such as China. FINRA has observed red flags that the owners of the accounts may be acting at the direction of others, multiple accounts being opened using the same foreign bank for the source of funds or multiple accounts with the same employer and same email domain. The trading activity may include multiple similar limit orders being placed by the accounts at the same time, which could be indicative of coordinated and manipulative trading of the issuers’ securities.

Risks Relating to Special Purpose Acquisition Companies (SPACs)
Some firms are engaging in the formation and initial public offerings (IPOs) of SPACs without having adequate WSPs (Written Supervisory Procedures) that would require independently conducting due diligence of SPACs’ sponsors, and procedures that address other potential fraud risks, including but not limited to:
– misrepresentations and omissions in offerings documents and communications with shareholders regarding SPAC acquisition targets, such as the prospects of the target company and its financial condition;
– fees associated with SPAC transactions, including cash and non-cash compensation and compensation earned by affiliates;
– control of funds raised in SPAC offerings; and
– insider trading (where underwriters and SPAC sponsors may possess and trade around material non-public information regarding potential SPAC acquisition targets, including private placement offerings with rights of first refusal provided to certain investors prior to the acquisition).

Cybersecurity And Technology Governance

The SEC’s Regulation S-P Rule 30 requires firms to have written policies and procedures that are reasonably designed to safeguard customer records and information. FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information) also applies to denials of service and other interruptions to members’ operations. In addition to firms’ compliance with SEC regulations, FINRA reminds firms that cybersecurity remains one of the principal operational risks facing broker-dealers, and expects firms to develop reasonably designed cybersecurity programs and controls that are consistent with their risk profile, business model and scale of operations.

Technology-related problems, such as problems in firms’ change- and problem-management practices, can expose firms to operational failures that may compromise firms’ ability to comply with a range of rules and regulations, including FINRA Rules 4370 (Business Continuity Plans and Emergency Contact Information), 3110 (Supervision) and 4511 (General Requirements), as well as Securities Exchange Act of 1934 (Exchange Act) Rules 17a-3 and 17a-4.

Effective Practices

  • Insider Threat and Risk Management – Collaborating across technology, risk, compliance, fraud, and internal investigations/conduct departments to assess key risk areas, monitor access and entitlements, and investigate potential violations of firm rules or policies with regard to data access or data accumulation.
  • Incident Response Planning – Establishing and regularly testing written formal incident response plans that outline procedures for responding to cybersecurity and information security incidents; and developing frameworks to identify, classify, prioritize, track and close cybersecurity-related incidents.
  • System Patching – Implementing timely application of system security patches to critical firm resources (for example, servers, network routers, desktops, laptops and software systems) to protect non-public client or firm information.
  • Asset Inventory – Creating and keeping current an inventory of critical information technology assets — including hardware, software and data — as well as corresponding cybersecurity controls.
  • Change Management Processes – Implementing change management procedures to document, review, prioritize, test, approve, and manage hardware and software changes, as well as system capacity, in order to protect non-public information and firm services.

Emerging Cybersecurity Risks
FINRA has recently observed increased numbers of cybersecurity- or technology-related incidents at firms, including:
– systemwide outages;
– email and account takeovers;
– fraudulent wire requests;
– imposter websites; and
– ransomware.

It also noted data breaches at some firms, and remains concerned about increased risks for firms that do not implement practices to address phishing emails or require MFA for accessing non-public information.