The Financial Industry Regulatory Authority on Wednesday released its first exam findings report, which focuses on “selected observations” from recent exams that FINRA considers “worth highlighting” because of their impact on the industry.
The 14-page report “does not represent a complete inventory of observations about the industry as a whole, does not imply that any issues discussed exist at any particular firms,” FINRA said, adding that broker-dealers should not consider the report’s findings “as creating new legal or regulatory requirements or new interpretations of existing requirements.”
FINRA notes that an “individual firm may not have any deficiencies in the risk areas identified in the report.”
FINRA CEO Robert Cook said recently that FINRA intends to issue the report annually, stating that “it’s a bit of an experiment.”
Cook said FINRA wants “to be very thoughtful about what we put out in this report, so it’s useful and in cases where it’s appropriate, offer ideas about best practices but also not to stray too far into the area of telling people they have to do something when that might not be appropriate for them.”
FINRA hopes to get feedback on the initial report, he continued, “and it may evolve over time.”
In the area of cybersecurity, the report notes that as the “nature and sophistication of cybersecurity threats continue to evolve, even robust cybersecurity programs can be compromised when, for example, an employee opens an email attachment that contains malware.”
Common threats FINRA observed in 2016 and 2017 include phishing and spear-phishing attacks, ransomware attacks and fraudulent third-party wires that frequently involve use of email or stolen customer or financial advisor credentials. FINRA observed a variety of areas where some firms could improve their cybersecurity programs against these and other threats, the report states.
2. Product Suitability
Concerns that FINRA had during the course of examinations with regard to the suitability of certain products and their supervision did not vary materially by firm size, the self-regulatory said, but did occur more frequently in connection with certain product classes, specifically unit investment trusts (UITs) and certain multi-share class and complex products, such as leveraged and inverse exchange-traded funds (ETFs).
3. Anti-Money Laundering Compliance
FINRA observed that firms with effective AML programs actively “tailor their risk-based AML program to the firm’s business model and associated AML risks as opposed to simply implementing a more ‘generic’ program.”
These firms also conducted “independent testing” that included sampling customer accounts in order to test whether the firm was collecting and verifying customer identification information on all individuals and entities that would be considered customers under the BSA, as well as trading and money movement activity to test whether the firm was performing adequate monitoring for and investigations of potentially suspicious activity.
Those with effective anti-money laundering programs also “designed training programs that were specific to the roles and responsibilities of the participating employees and captured current and evolving aspects of the AML landscape.”
In selected exam findings FINRA observed instances where firms “failed to establish and implement an AML program reasonably designed to detect, and cause the reporting of, suspicious activity.”
4. Best Execution
FINRA said in the report that it had concerns regarding the duty of best execution at firms of all sizes that receive, handle, route or execute customer orders in equities, options and fixed income securities. The self-regulator found that “some firms failed to implement and conduct an adequate regular and rigorous review of the quality of the executions of their customers’ orders.”
— Check out FINRA Plans BrokerCheck Changes, Remote Exams on ThinkAdvisor.