With the publication of the Financial Industry Regulatory Authority's (FINRA) report on its examination and monitoring priorities for 2022, broker-dealer (BD) firms now face a new set of compliance obligations to enhance investor protection and market integrity.
According to Greg Ruppert, FINRA's executive vice president of Member Supervision, the watchdog's 2022 report reflects an increasingly "dynamic" and modern securities industry transformed by new business models, technologies, and products.
A dominant theme driving the regulator's attention is the disruptive 'Wall Street Bets' (WSB) Reddit movement of 2021, which famously squeezed several prominent hedge funds out of billions they had tied up in short positions.
A year later, the FINRA examination report shows how that 'meme stock' frenzy has pulled mobile-trading apps and the controversial practice of payment for order flow (PFOF), the practice at the center of the Robinhood controversy, into tighter regulatory focus. Pioneered in the 1990s by Bernie Madoff's market-making firm, long before his Ponzi scheme was exposed, PFOF is compensation a brokerage receives for routing customer orders to a particular market maker or other counterparty for execution.
Regarding PFOF, FINRA is most concerned with the conflict of interest it creates and with how order-routing decisions driven by it affect execution quality. In the wake of the WSB mania, for example, it became widely known that Robinhood, which booked a significant share of the Redditors' trades, generated most of its revenue from PFOF, while its customers were not told that their trades were being executed at inferior prices.
While the WSB saga dominated the conversation around industry compliance reforms last year, the FINRA report discusses 21 general examination topics to watch out for. But of these 21 topics, the 2022 examination guide highlights seven key areas, including mobile apps and the order handling and conflict-of-interest concerns raised by PFOF.
The other five monitoring areas highlighted most prominently by FINRA are:
- Regulation Best Interest (Reg BI) and Form CRS (customer relationship summary),
- Consolidated Audit Trail (CAT),
- Best Execution,
- Private Placements, and
- Cybersecurity.
Given the emphasis FINRA places on these topics, the following guide discusses best practices for implementing risk-appropriate compliance controls in each area and how to remediate errors when internal control processes fail.
Reg BI and Form CRS
Reg BI and Form CRS were part of a package of new rules and interpretations adopted by the Securities & Exchange Commission (SEC) in 2019. This package was "designed to enhance the quality and transparency of retail investors' relationships with investment advisers and broker-dealers," according to a press release announcing these regulations.
The SEC envisioned that these reforms would bring the "legal requirements and obligatory disclosures in line with reasonable investor expectations." At the same time, the regulator hoped Reg BI and Form CRS would help investors preserve access, both in terms of choice and cost, to a broad range of investment products and services.
The end goal of these reforms was to help investors make "an informed choice of the relationship best suited to their needs and circumstances, and foster greater consistency in the level of protections provided by each regime." The rules' compliance date was June 30, 2020, so 2021 was the first full year in which FINRA examined firms' compliance with Reg BI and Form CRS.
Specifically, last year's reviews assessed firms' practices in making recommendations that comply with Reg BI's care obligation, which requires exercising reasonable diligence, care, and skill when making recommendations to retail customers. The exams also focused on conflicts of interest and on the practical training of registered representatives.
Some effective practices recommended by FINRA to BDs include identifying and mitigating potential conflicts of interest, establishing and implementing policies to address conflicts, providing resources to advisers making investment recommendations, and implementing new surveillance processes by conducting monthly reviews and Reg BI-specific reviews.
FINRA also flags firms that failed to develop adequate controls, as well as firms that built the safeguards but neglected to update their written supervisory procedures (WSPs) to reflect the new obligations.
Consolidated Audit Trail
The CAT rule sets requirements for "clock synchronization; time stamps; connectivity and data transmission; development and testing; record-keeping; and timeliness, accuracy, and completeness of data," according to FINRA.
Data integrity is therefore central, a reminder of how digital financial services compliance has become. Common errors highlighted by FINRA include:
- Inaccurate reporting of CAT orders.
- Late resolution of correctable mistakes.
- Inadequate vendor supervision.
Regarding supervision, FINRA again highlights the importance of memorializing new controls in firms' WSPs.
FINRA advises BDs to implement a "comparative review" of CAT submissions against order records to correct these problems. The regulator also recommends that covered entities obtain sufficient clock synchronization data from counter-parties to meet the relevant requirements.
Disclosure of Order Routing Information
The disclosure of order-routing information is a new topic in the 2022 report, and its inclusion is hard to separate from the scrutiny of Robinhood's PFOF practices. Under Rule 606 of Regulation NMS, BDs must disclose information regarding the "handling of their customers' orders in NMS stocks and listed options," according to FINRA.
The purpose of these disclosures is to help customers better understand how their "firm routes and handles their orders; assess the quality of order handling services provided by their firm; and ascertain whether the firm is effectively managing potential conflicts of interest that may impact their firm's routing decisions," FINRA advises.
FINRA's exam uncovered inaccurate quarterly reports, incomplete disclosures, inadequate communications with investors, and deficient WSPs lacking in detail or failing to articulate the supervisory processes that allow firms to comply with the rule.
To remediate these potential errors, FINRA emphasized enhancing supervisory controls over quarterly public reports and customer-specific documents and providing more detail about their PFOF arrangements to mitigate potential conflicts. FINRA also urged BDs to conduct more robust due diligence on their vendors.
Best Execution
Under FINRA Rule 5310, member firms must use "reasonable diligence" to ascertain the "best market" for the security being traded and execute there, so that the resulting price to the customer is as favorable as possible under prevailing market conditions.
Common failures identified by FINRA's reviews included:
- No assessment of execution quality in competing markets.
- No review of execution quality by order type, including market orders, marketable limit orders, and non-marketable limit orders.
FINRA also flagged firms that did not evaluate required factors, such as execution speed, price improvement, and the likelihood that limit orders would be filled, as part of a "regular and rigorous review," and firms that used "routing logic that was not necessarily based" on execution quality. Lastly, FINRA again cited conflicts of interest, pointing to PFOF from wholesale market makers and liquidity rebates from exchanges.
To correct these issues, FINRA advised member firms to implement more exception reports and surveillance reviews, analyze how PFOF impacts their order-handling processes, conduct more regular and risk-based reviews, and continuously update their WSPs and best execution analysis to better satisfy evolving market and technological conditions.
Mobile Apps and Communications with the Public
Mobile WealthTech applications occupy a significant part of the 'Communications with the Public' section of FINRA's report. Communications with customers through mobile apps are subject to FINRA Rule 2210, which governs member communications with the public.
FINRA Rule 2210 "defines all communications into three categories—correspondence, retail communications or institutional communications," according to the report. This rule also sets "principles-based content standards" meant to evolve alongside and adapt to shifts in digital communications.
Addressing mobile-app risks, FINRA urges member firms to establish and implement a "comprehensive supervisory system for communications through mobile apps." The watchdog also advises firms to verify the accuracy of account information displayed on their mobile interfaces.
The report also recommends that firms ensure their apps accurately describe the functionality of each feature, present an intuitive user experience, make "readily available information" about complex strategies and investments and their related risks, and consider whether the information pushed to customers is actually a "recommendation" and therefore subject to Reg BI.
Dovetailing with its guidance on complex strategies, and in what reads as a nod to Robinhood, FINRA warns that recommendations of options or variable annuities demand heightened attention to ensure they comply with the requirements of FINRA Rules 2360 (Options) and 2330 (Members' Responsibilities Regarding Deferred Variable Annuities).
FINRA advises mobile WealthTech platforms to implement and maintain comprehensive policies covering the issues highlighted above to remediate any potential communications violations they might be committing.
Private Placements
Special purpose acquisition companies (SPACs) were one of last year's hottest financial industry trends, with 613 SPAC listings raising $145 billion in total, a 91% rise over the amount these vehicles raised in 2020. SPACs are a way to take privately held companies public and have become popular with private equity managers as a way to give retail investors access to more esoteric investments, including the private placements that accompany these deals.
Noting the growing popularity of these private placements, FINRA reminded member firms that this asset class is still subject to Rule 2111 (Suitability), Rule 3110 (Supervision), Rule 5122 (Private Placements of Securities Issued by Members), and 5123 (Private Placements of Securities).
Common violations found by FINRA during last year's examinations were related mainly to late filings and a lack of reasonable diligence performed on private placements before recommending them to retail investors.
Examples of diligence gaps cited by the report include:
- "Failing to conduct an appropriate level of research, particularly when the firm lacks experience or specialized knowledge" about private-placement issuers.
- Relying too much on the firm's experience with the issuer in previous offerings to assess risk.
- Failing to dig deeper into red flags identified during the reasonable-diligence process or that were uncovered in third-party diligence reports.
FINRA advises firms to create a private placement checklist that lists all steps, filing dates, related documentation requirements, and the staff designated to perform each diligence task. FINRA also expects firms to retain "evidence of supervisory principal approval for the reasonable diligence process and the filing requirements of FINRA Rules 5122 and 5123."
FINRA also urges firms to conduct independent research into SPACs and other private placements, verify data independently, identify any possible conflicts of interest associated with private offerings, train staff in firm policies and filing requirements, create an alert system that notifies key personnel about deadlines, and to conduct assessments after offerings have closed.
The last item is crucial because it can help member firms assess whether "offering proceeds were used in a manner consistent with the offering memorandum," according to the FINRA report.
Cybersecurity
Cybersecurity controls are a vital examination priority cited in the 'Firm Operations' section of the FINRA report. The report notes that "cybersecurity remains one of the broker-dealers' principal operational risks." Accordingly, FINRA expects its members to "develop reasonably designed cybersecurity programs and controls that are consistent with their risk profile, business model and scale of operations."
Relevant regulations cited by the report include Rule 30 of the SEC's Regulation S-P, which requires firms to have "written policies and procedures that are reasonably designed" to protect customer records and information, and FINRA Rule 4370, which addresses business continuity plans and emergency contact information.
Common failures flagged during last year's examinations were inadequate risk assessment processes, which the regulator described as the absence of adequate and ongoing controls to assess cyber and IT risks at the firm, and failure to conduct regular network penetration testing.
FINRA also noted defective data loss prevention (DLP) programs, as evidenced by firms that failed to encrypt all confidential data, "including a broad range of non-public customer information in addition to Social Security numbers (such as other account profile information) and sensitive firm information."
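The SSN-only failure mode FINRA describes is easy to reproduce and easy to test for. The following Go program is an added example, not code from the FINRA report or from any firm; the field names, the flat JSON export format, the fixed demo key, and the sample customer record are all constructed for illustration. It encrypts classified fields with AES-256-GCM (binding the field name as associated data so a ciphertext cannot be moved between fields), then runs a simple DLP-style gate over the serialized record: any classified value that still appears verbatim is reported. Applied with a policy that encrypts only the SSN, the gate flags the date of birth, account number, address, and risk profile; applied with the full classification, it reports nothing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// ConfidentialFields is the firm's data classification: everything treated as
// non-public customer information, not just the SSN. Field names are hypothetical.
var ConfidentialFields = []string{"ssn", "date_of_birth", "account_number", "home_address", "risk_profile"}

// demoKey is a fixed AES-256 key for this example only; real keys come from a KMS or HSM.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// SampleRecord is a constructed customer record, flattened as it might be logged or exported.
func SampleRecord() map[string]string {
	return map[string]string{
		"customer_id":    "C-1001",
		"rep_code":       "A7",
		"ssn":            "123-45-6789",
		"date_of_birth":  "1980-04-12",
		"account_number": "4401-2233-9087",
		"home_address":   "12 Elm St, Springfield",
		"risk_profile":   "aggressive",
	}
}

// encryptField seals one value with AES-256-GCM, binding the field name as
// associated data so a ciphertext cannot be moved to a different field.
func encryptField(key []byte, field, value string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nil, nonce, []byte(value), []byte(field))
	return "enc:" + hex.EncodeToString(append(nonce, ct...)), nil
}

// Protect encrypts the fields named in the firm's policy and copies the rest unchanged.
// The policy may be narrower than ConfidentialFields; that gap is what AuditExport catches.
func Protect(key []byte, rec map[string]string, policy []string) (map[string]string, error) {
	out := make(map[string]string, len(rec))
	for k, v := range rec {
		out[k] = v
	}
	for _, f := range policy {
		if v, ok := rec[f]; ok {
			enc, err := encryptField(key, f, v)
			if err != nil {
				return nil, err
			}
			out[f] = enc
		}
	}
	return out, nil
}

// AuditExport is the DLP-style gate: serialize the protected record exactly as
// it would leave the firm (JSON here) and report every classified field whose
// original plaintext still appears verbatim, in classification order.
func AuditExport(key []byte, rec map[string]string, policy []string) ([]string, error) {
	protected, err := Protect(key, rec, policy)
	if err != nil {
		return nil, err
	}
	js, err := json.Marshal(protected)
	if err != nil {
		return nil, err
	}
	var leaked []string
	for _, f := range ConfidentialFields {
		if v := rec[f]; v != "" && strings.Contains(string(js), v) {
			leaked = append(leaked, f)
		}
	}
	return leaked, nil
}

func main() {
	leaked, _ := AuditExport(demoKey, SampleRecord(), []string{"ssn"}) // the failure mode FINRA flags
	fmt.Println("SSN-only policy still leaks:", leaked)
	leaked, _ = AuditExport(demoKey, SampleRecord(), ConfidentialFields)
	fmt.Println("full classification leaks:", leaked)
}
```

The design point is that the classification list, not the encryption routine, is the control FINRA is examining: the audit compares what actually leaves the firm against the full list, so a policy that is narrower than the classification fails loudly instead of silently. The substring match is a deliberately crude detector; a production DLP program would also catch reformatted values, and keys would come from a KMS rather than from source.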
Furthermore, FINRA flagged inadequate branch policies, controls, and inspections in the form of missing branch-level cybersecurity policies, branch-level IT assets inventories, and branch-level inspection of IT systems, including automated monitoring programs.
FINRA also flagged inadequate cybersecurity training programs and deficient vendor controls in the form of missing policies and processes to assess the security posture of vendors and the failure to monitor vendors' cyber-resilience throughout the lifecycle of the firm's business engagement with them.
Effective practices to remediate cybersecurity compliance errors include collaborative processes to detect and mitigate risks associated with insider threats posed by staff and contractors, enhancing incident response planning, and patching security vulnerabilities in a timely fashion, according to the FINRA report.
FINRA also advised firms to create a detailed and current IT asset inventory and implement change-management processes to "review, prioritize, test, approve, and manage internal and third-party hardware and software changes and system capacity." Regarding online system capacity, FINRA said that firms should "continuously monitor and test the capacity of current systems, and track average and peak utilization, to anticipate the need for additional resources based on increases in accounts or trading volumes."
Lastly, FINRA encouraged firms to implement multi-factor authentication (MFA) to strengthen customer verification and better protect accounts from intruders.
Preparing for the Next Round of Examinations
While the seven examination priorities discussed here represent the most prominent areas of regulatory scrutiny, member firms cannot let the other 14 review areas fall by the wayside. The digital era has transformed financial services, with a new generation of investors able to trade against financial institutions at the touch of their smartphones.
As the WealthTech revolution continues to reshape the investment industry for Millennials and Generation Z, member firms must bring their compliance organizations into the era of mobile-first finance and the cyber-risks that come with it. Monitoring the threat posed by potential malicious insiders, as the FINRA report highlights, is now an essential part of that work.