BROKER-DEALERS—New FINRA report highlights exam findings, key compliance considerations - 03 February 2021
FINRA’s new combined report on exam findings and priorities provides compliance insights drawn from its ongoing regulatory operations.
The Financial Industry Regulatory Authority (FINRA) has released a new annual report that seeks to provide insights from the SRO’s examination findings and priorities that member firms can use to improve their compliance efforts. The report highlights several key areas that impact the compliance programs of broker-dealers, including Regulation Best Interest (Reg BI), cybersecurity, and best execution. The report also notes that FINRA will share in a future publication the results of its ongoing targeted review of firms’ decisions to move to a "zero-commission" trading model, an area of great interest recently following the trading halts implemented by pioneering no-fee brokerage Robinhood Financial that resulted from the GameStop "short squeeze."
The 2021 Report on FINRA’s Examination and Risk Monitoring Program replaces two prior FINRA publications: (1) the Report on Examination Findings and Observations, which analyzed FINRA’s examination results from the prior year; and (2) the Risk Monitoring and Examination Program Priorities Letter, which set forth the SRO’s exam priorities for the coming year. FINRA stated that it expects to revisit the report annually, as it did with the prior publications.
Regulation Best Interest and Form CRS. While FINRA will continue to focus on assessing whether broker-dealers have established and implemented policies, procedures, and supervisory systems to comply with Reg BI and Form CRS, the SRO intends to expand the scope of its reviews and testing to carry out a more comprehensive review of firm processes and practices. Among the several considerations in this area that are set forth in the report, FINRA included the following:
- Does the firm have policies, procedures, and controls to assess recommendations using a best interest standard?
- Do the firm’s policies, procedures and controls continue to address compliance with FINRA Rule 2111 (Suitability), which still applies to recommendations made to non-retail investors?
- Does the firm have policies, procedures and controls addressing Reg BI’s recordkeeping requirements?
- Do the firm and its associated persons consider the express new elements of care, skill and costs when making recommendations to retail customers?
- Do the firm and its registered representatives guard against excessive trading, irrespective of whether they "control" the account?
- Does the firm have policies, procedures, and controls in place regarding the filing, updating and delivery of Form CRS?
- Does the firm’s Form CRS accurately respond to the disciplinary history question with regard to the firm and its financial professionals?
Cybersecurity. The report reminds firms that cybersecurity remains one of the principal operational risks facing broker-dealers. Accordingly, FINRA expects firms to develop reasonably designed cybersecurity programs and controls that are consistent with their risk profile, business model and scale of operations.
In the area of emerging cybersecurity risks, the report observes that FINRA has seen increased numbers of cybersecurity- or technology-related incidents at firms, including systemwide outages; email and account takeovers; fraudulent wire requests; imposter websites; and ransomware. FINRA also noted that data breaches had occurred at some firms and remains concerned about increased risks for broker-dealers that do not implement practices to address phishing emails or require multi-factor authentication (MFA) for accessing non-public information. FINRA emphasized several effective practices that firms should review in this area, including:
- Insider threat and risk management – collaborating across technology, risk, compliance, fraud, and internal investigations/conduct departments to assess key risk areas, monitor access and entitlements, and investigate potential violations of firm rules or policies with regard to data access or data accumulation.
- Incident response planning – establishing and regularly testing written formal incident response plans that outline procedures for responding to cybersecurity and information security incidents; and developing frameworks to identify, classify, prioritize, track, and close cybersecurity-related incidents.
- System patching – implementing timely application of system security patches to critical firm resources to protect non-public client or firm information.
- Asset inventory – creating and keeping current an inventory of critical information technology assets, including hardware, software and data, as well as the corresponding cybersecurity controls.
Best execution. FINRA reminded firms that in connection with their obligations under FINRA Rule 5310 (Best Execution and Interpositioning), broker-dealers must conduct a "regular and rigorous" review of the execution quality of customer orders if the firm does not conduct an order-by-order review. These reviews must be performed at a minimum on a quarterly basis and on a security-by-security, type-of-order basis. If a firm identifies material differences in execution quality among the markets that trade the securities under review, it should modify its routing arrangements or justify why it is not doing so.
Among the several considerations related to firms' best execution obligations, FINRA listed the following:
- How does the firm determine whether to employ order-by-order or "regular and rigorous" reviews of execution quality?
- How does the firm address potential conflicts of interest in order-routing decisions, including those relating to its routing of orders to affiliated alternative trading systems (ATSs), affiliated broker-dealers, or affiliated exchange members?
- How does the firm address potential conflicts of interest related to its routing of orders to market centers that provide payment for order flow (PFOF) or other-routing inducements?
- Does the firm perform its best execution obligations with respect to trading conducted in both regular and extended trading hours?
- How does the firm handle fractional share investing in the context of its best execution obligations?
As one of the effective practices in this area, the report references the use of exception reports and surveillance reports to support firms’ efforts to meet their best execution obligations. With regard to payment for order flow, FINRA suggested that firms review how PFOF affects the order-routing process, including considering the following factors: any explicit or implicit contractual arrangement to send order flow to a third-party broker-dealer; the terms of these agreements; whether the payment is made on a per-share or per-order basis; and whether it is based upon the type of order, size of order, type of customer or the market class of the security.