FINRA’s Hot-button Issues for 2018
Following its New Year’s tradition, the Financial Industry Regulatory Authority (FINRA) just posted its annual Regulatory and Exam Priorities letter, signaling to member firms where they can improve compliance, supervisory and risk management programs. As is typically the case, the topics closely follow its report on FINRA Examination Findings from last month, which focused heavily on Cybersecurity, Product Suitability, and Anti-Money Laundering (AML) programs.
Unlike previous years, however, this year’s Exam Letter starts with a self-exam of FINRA’s own operations and efforts to create greater transparency through its FINRA360 program. FINRA is stressing its continued commitment to operational transparency in its examination programs, including a newly launched Compliance Report Center to promote and share supervision ‘report cards’, as well as its FinTech Industry Advisory Committee, to track the adoption of emerging areas including blockchain and artificial intelligence technologies. FINRA also indicates that it remains committed to its Compliance Vendor Directory launched in 2017, which has helped to improve the exposure of technology vendor solutions to FINRA members versus the earlier version of the program.
Regarding the Exam priorities, FINRA makes several clear statements in the Letter:
- There will be no “one-size-fits-all” approach to FINRA exams: One challenge that FINRA has had historically is attempting to create an efficient compliance oversight mechanism for firms that vary drastically in size and complexity. FINRA’s work to improve a risk-based framework will attempt to better align FINRA exam resources to risk profiles of firms, presumably placing greater scrutiny on firms that have experienced more frequent reporting mishaps, those possessing portfolios containing higher risk financial products, as well as those who have more than their share of “high risk” brokers. FINRA’s follow-through on the risk-based approach should provide regulatory relief for smaller firms with smaller compliance teams and clean records, and stronger incentive for firms who have previously been found to have inadequate supervisory controls to address those issues.
- Supervisory and surveillance systems should be tuned to higher risk activities: The exam letter notes an increase in the number of referrals to the SEC for activities including microcap pump-and-dump and Ponzi schemes as well as suitability issues involving senior investors. FINRA is expecting that firms tailor supervisory practices to be specific to high risk brokers, and that they also evaluate policies, training, and technologies to track communications and interactions to spotlight brokers who are participating in fraudulent activities. FINRA’s focus on areas of higher risk should be a clear signal for firms to move beyond outdated supervisory review processes that are based upon broker activity – such as random sampling – and more toward advanced surveillance approaches that use analytics that highlight sophisticated policy violations that may be hidden within data.
- Cybersecurity remains in the forefront: As was highlighted in the 2017 Examination Finding Report, firm practices continue to vary widely with regard to security-related risk assessments, access controls, and the use of technologies including threat detection and data loss prevention (DLP). FINRA expects a continued focus on firms’ preparedness, security defense infrastructure, as well as policies and procedures in place if a cybersecurity event occurs. FINRA’s ongoing focus on cybersecurity and data protection should drive further collaboration between compliance and IT security stakeholders in defining information risk priorities and cooperation in technology selection.
- Technology governance enters the FINRA exam vocabulary: FINRA notes an increase in regulatory challenges created by the implementation of new systems and operational breakdowns of legacy technologies. This should not be a surprise given the challenges we see financial services firms encountering in trying to get one more year out of a legacy technology maintenance and support agreement. However, FINRA is going to expect firms to be prepared for the possible outage of primary systems, in the form of system controls and business continuity plans. FINRA’s focus on technology governance should drive tighter alignment between compliance and IT infrastructure teams to ensure that existing systems are prepared to manage compliance workloads, and that compliance systems have back-up plans to ensure that data remains available during migration projects.
- New communications … no new guidance: Somewhat surprisingly, the FINRA exam letter did not offer any added guidance on the proliferation of new social media, video, voice, or messaging applications to follow its Regulatory Notice 17-18 guidance from April 2017. The lack of additional discussion on these topics should not lead firms to the conclusion that these topics are not FINRA priorities; instead, it should reinforce the point that FINRA has made in several publications since FINRA 11-39 – that it is a firm’s obligation to satisfy FINRA Rule 4511 Books and Records requirements, or any other topic addressed in the Exam letter, as applied to any communications tool that firms choose to use.
How Actiance can help
As noted in this year’s Exam Letter, FINRA-regulated firms must be prepared to meet a number of regulatory priorities that extend across the domains of information capture and storage, supervisory review, risk management, as well as cybersecurity and data protection.
As a starting point, firms need to have all content sources under control to meet FINRA 4511 requirements and to remain prepared for FINRA examination. That begins with information capture and storage, where Vantage and Socialite provide the capabilities to capture and control any communication network in use, including Microsoft Skype for Business, Microsoft Teams, Cisco Spark, Symphony, Slack, WhatsApp, LinkedIn, and many others. Vantage and Socialite enable the capture of communications in context, and deliver those communications to Actiance Alcatraz to meet all SEC 17a-4 storage requirements.
In the area of supervisory review, Actiance Alcatraz provides robust supervisory pre- and post-review capabilities to monitor and review content in its native form from 80+ communication channels for policy violations, send alerts to compliance staff of potential violations, and manage granular supervisory policies that can be configured by user, group, or location. Actiance is built using an open, extensible platform, allowing financial services firms to easily feed downstream workloads including behavioral and sentiment analysis and trade reconciliation applications.
Where to go from here?
Join our upcoming FINRA webinar on January 16 at 10:00AM PST with Mitch Atkins, Founder and Principal of FirstMark Regulatory Solutions, as we dive further into the Exam letter and steps firms can take now to remain compliant.