The Financial Industry Regulatory Authority on Wednesday released its first exam findings report, which focuses on “selected observations” from recent exams that FINRA considers “worth highlighting” because of their impact on the industry.
The 14-page report “does not represent a complete inventory of observations about the industry as a whole, does not imply that any issues discussed exist at any particular firms,” FINRA said, adding that broker-dealers should not consider the report’s findings “as creating new legal or regulatory requirements or new interpretations of existing requirements.”
FINRA notes that an “individual firm may not have any deficiencies in the risk areas identified in the report.”
FINRA CEO Robert Cook said recently that FINRA intends to issue the report annually, stating that “it’s a bit of an experiment.”
Cook said FINRA wants “to be very thoughtful about what we put out in this report, so it’s useful and in cases where it’s appropriate, offer ideas about best practices but also not to stray too far into the area of telling people they have to do something when that might not be appropriate for them.”
FINRA hopes to get feedback on the initial report, he continued, “and it may evolve over time.”
In the area of cybersecurity, the report notes that as the “nature and sophistication of cybersecurity threats continue to evolve, even robust cybersecurity programs can be compromised when, for example, an employee opens an email attachment that contains malware.”
Common threats FINRA observed in 2016 and 2017 include phishing and spear-phishing attacks, ransomware attacks and fraudulent third-party wires that frequently involve use of email or stolen customer or financial advisor credentials. FINRA observed a variety of areas where some firms could improve their cybersecurity programs against these and other threats, the report states.
2. Product Suitability