On January 10, 2023, FINRA published the 2023 Report on FINRA’s Examination and Risk Monitoring Program. The Report serves as a resource for firms to use to bolster their compliance programs and provides a roadmap of FINRA’s main areas of examination for 2023.
FINRA’s 2023 priorities continue to include topics such as AML, cybersecurity, net capital, communications, and sales practices (including issues related to Reg. BI and Form CRS). Notably, the Report includes a broader range of topics than in the prior two years, especially related to matters pertaining to market integrity. It also contains a new section on financial crimes, which addresses topics included in previous reports (i.e., cybersecurity and technology governance, AML, fraud, and sanctions) as well as manipulative trading.
FINRA identified the following topics as “key areas of risk to investors and the markets” in 2023:
- Reg. BI and Form CRS – FINRA’s reviews in these areas include compliance with the Reg. BI Care Obligation (when making recommendations), identifying and disclosing conflicts of interest, development and implementation of adequate WSPs and training, and how Form CRS is filed, delivered, and tracked.
- Order Handling, Best Execution, and Conflicts of Interest – FINRA will consider whether firms are fully and promptly executing marketable customer orders, adequately conducting periodic “regular and rigorous reviews,” and clearly and completely disclosing the specific terms of any profit-sharing relationships (like payment for order flow) with venues to which they route orders. The Report includes findings and observations from targeted FINRA examinations of wholesalers last year. While likely a 2024 compliance consideration, firms will also need to start thinking about proposed SEC Regulation Best Execution.
- Mobile Apps – FINRA notes that it observed potential issues with some mobile apps not adequately distinguishing between products and services of the broker-dealer and those of affiliates or other parties (such as transactions involving crypto assets). These observations unsurprisingly follow the SEC’s solicitation for public comment on digital engagement practices (which also shows up on the SEC’s “Reg Flex” agenda for brokers and advisers). FINRA will continue monitoring mobile app disclosures, generally, and explanations of risks for certain products or services.
- Cybersecurity – FINRA notes that it established a Cyber and Analytics Unit in August 2022 to enhance its ability to proactively address the evolving, sophisticated cyber threat landscape and the growth of the crypto asset market. It also highlights its December 2022 Regulatory Notice 22-29 (FINRA Alerts Firms to Increased Ransomware Risks), which provided firms with questions they can use to evaluate their cybersecurity programs, information about possible additional ransomware controls, and relevant resources. Cybersecurity also remains a key area of focus for the SEC.
- Complex Products and Options – FINRA will continue reviewing firm communications and disclosures made to customers related to complex products as well as customer account activity to assess whether recommendations regarding these products are in the best interest of retail customers, given their investment profile and the potential risks, rewards, and costs associated with the recommendation. FINRA highlighted its November 2022 targeted exam of firms’ crypto asset retail communications, as well as the December 2022 update to FINRA’s targeted exam of firms’ practices and controls related to the opening of options accounts and related areas, including account supervision, communications and diligence.
- Consolidated Audit Trail (CAT) – FINRA will continue its review of CAT compliance, including timely submission of reportable events and corrections, reporting complete and accurate CAT records, and effectively supervising third-party vendors (including those responsible for CAT submissions and clock synchronization).
Other key topics covered in the 2023 Report include:
- Environmental, Social, and Governance Considerations – For the first time, FINRA has highlighted ESG considerations for firms and offers examples of effective disclosure practices under FINRA Rule 2210. This may be an indication that there is more to come on the topic, including application of the reasonable care standard of Reg. BI and the reasonable basis suitability requirement of Rule 2111 (for institutional investors) when recommending investments and strategies taking into account ESG factors. Firms are now on notice that they should evaluate their communications promoting ESG factors and related procedures to ensure consistency with effective practices, and otherwise be prepared to respond to exam or other routine inquiries related to these communications.
- Recordkeeping – FINRA highlighted the recent SEC amendments to Exchange Act Rule 17a-4 regarding electronic recordkeeping requirements, reminding firms that rely on Rule 17a-4(f) of their obligation to file new “undertakings” and directing firms to a chart that it recently released summarizing the significant changes to the rule.
- Manipulative Trading – FINRA highlighted manipulative trading related to AML, fraud, and sanctions as its own standalone topic. Manipulative trading in small cap IPOs was identified as an emerging area of risk. This comes on the heels of recent notices and alerts released by FINRA, Nasdaq, and NYSE, having observed that these exchange-listed small cap issuers may be the subject of market manipulation schemes. FINRA is keenly focused on impermissible trading practices. FINRA urges members to review its recent Regulatory Notice 22-25 and sets forth a comprehensive list of findings and effective practices related to manipulative trading.
- Trusted Contact Persons (TCPs) – FINRA highlighted its continued focus on TCPs and related regulatory obligations. This is evident from the recent release of Regulatory Notice 22-31, the adoption of Rule 3241 in February 2021, and amendments to Rule 2165, which allows firms to place temporary holds on securities transactions “when firms reasonably believe that financial exploitation has occurred, is occurring, has been attempted or will be attempted and requires firms to notify the TCP, if available, when placing temporary holds.” FINRA also identified senior investors as an emerging financial crime risk.
We will follow up with updates highlighting specific FINRA focus areas to help firms strengthen their supervisory, compliance, and operations programs to ensure that they are well-positioned to weather exams and other inquiries later this year.