Improving Examination Results

May 2008

FINRA issues this publication to assist member firms in their compliance efforts. As in past years, this edition highlights examination priorities and frequently found deficiencies relating to FINRA's examination program.

While each firm must establish its own compliance programs and supervisory systems, FINRA shares its examination priorities and frequently found deficiencies to help firms focus their efforts on pertinent, timely issues and to prepare effectively for regulatory examinations. This document also offers guidance on how to avoid common deficiencies. The topics addressed below are not exhaustive, nor are the topics necessarily provided in order of priority. In this regard, FINRA will examine other relevant areas in addition to those highlighted in this communication.

As a reminder, member firms may be subject to both NASD rules and certain NYSE rules that FINRA has incorporated (Incorporated NYSE Rules). FINRA is in the process of consolidating the NASD and Incorporated NYSE Rules into a single FINRA rulebook. In the meantime, the Incorporated NYSE Rules apply to those members of FINRA that are also members of NYSE, referred to as “Dual Members.” Dual Members also must comply with NASD rules. Contact your firm's FINRA Coordinator for further guidance.

Examination Priorities

Senior Investors

FINRA has devoted considerable resources to the topics of senior investors and “baby boomers.” FINRA efforts include educating these investors, firms and registered representatives on key issues surrounding investors in or approaching retirement. FINRA also actively participated in the SEC's second Seniors Summit, and conferred with the SEC and certain state regulators, focusing on sales seminars. These inquiries identified many concerns relating to seniors, including sales pitches masquerading as educational seminars, misleading advertising and sales materials, poor supervision, product suitability and outright fraud.

A cogent summary of FINRA's concerns related to senior investors and member firm obligations relating to seniors is contained in Regulatory Notice 07-43. Member firms should ensure advertisements and sales material are fair and accurate. Firms and their representatives should not make exaggerated or misleading statements, including referencing self-conferred designations or other unwarranted claims of senior specialty. As with other customers, firms should also ensure that recommendations made to seniors are suitable, with consideration paid to current investment objectives and age. Supervisors of registered representatives who conduct business with seniors should also be cognizant of suitability issues that pertain to senior investors.

In their sales practice reviews, FINRA examiners will focus on sales to seniors and other investors approaching retirement. If member firms or their representatives target these investor classes in their marketing efforts, these are likely to be reviewed. Member firms should ensure that their supervisory system is adequate to detect and prevent any type of abusive or inappropriate sales practices towards these investors.

Deferred Variable Annuities

On May 5, 2008, paragraphs (a), (b) and (e) of Rule 2821 (Members' Responsibilities Regarding Deferred Variable Annuities) became effective. This rule applies to the purchase or exchange of a deferred variable annuity and the subaccount allocations. Rule 2821 requires that no member or person associated with a member recommend to any customer the purchase or exchange of a deferred variable annuity unless such member or person associated with a member has a reasonable basis to believe that the transaction is suitable in accordance with Rule 2310 (Suitability).

In addition, Rule 2821 requires member firms that conduct business in deferred variable annuities to develop and document specific training policies or programs for associated persons and principals who effect or review deferred variable annuity transactions. FINRA examiners will review for member firm compliance with Rule 2821 (paragraphs a, b and e) beginning on May 5, 2008.[1] Refer to Regulatory Notice 07-53 and a recording of FINRA's April 18 phone-in workshop for more information on the requirements of Rule 2821.

Anti-Money Laundering (AML)

The AML requirements for broker-dealers, which have been in effect since April 24, 2002, continue to be an examination focus. It is important to note that the AML requirements in the Bank Secrecy Act and implementing regulations apply to all FINRA member firms—regardless of size or business model—even member firms that do not hold customer funds. Firms' AML compliance programs can be risk-based and must be designed to reasonably mitigate money laundering risks at the firm.

In 2007, FinCEN issued a final rule (31 CFR 103.176(b)) implementing a key provision of Section 312 of the USA PATRIOT Act. The rule clarified the risk-based procedures firms could use in tailoring their enhanced due diligence for some foreign banking relationships. The rule took effect on February 8, 2008, for new foreign banking relationships covered under the rule. May 5, 2008, was the effective date for existing foreign banking relationships covered under the rule. Examiners are testing firms' procedures for compliance with these new provisions for foreign banking relationships.

Additional information regarding AML compliance requirements can be found in the Frequently Found Deficiencies section below.

Member firms can expect that FINRA staff will examine whether they are effectively monitoring for suspicious activity and filing Suspicious Activity Reports (SARs) when appropriate. FINRA examiners will also verify that member firms are appropriately testing their AML programs per Rule 3011 (AML Compliance Program).

Protection of Customer Information

With the growing sophistication of technology, the financial sector faces increasing risks of security breaches, hacking, cyber attacks and online account intrusion. Over the last year, the brokerage industry has continued to be a target for online account intruders who illegally access customer accounts. It appears these intruders are able to access accounts by using a number of methods to obtain customer login credentials. After logging into a customer account, the intruders may wire out funds or use the account for a market manipulation scheme in tandem with other accounts. The perpetrators of intrusion schemes target firms of various sizes.

Firms must examine how they are protecting customer information and records, including information stored on electronic devices. Regulation S-P requires firms to have policies and procedures that address administrative, technical and physical safeguards for the protection of customer information and records. Firms must ensure that their policies and procedures are designed to reasonably protect against any anticipated threats or hazards to the security and integrity of customer records and information. Among other things, firms should consider how they protect customer information stored on electronic devices, such as hard drives, CDs, flash drives, floppy disks, laptops and PDAs when such devices are discarded by the firm.

In addition, firms offering online customer access or trading should assess their internal surveillance and develop plans for handling account intrusions. This assessment might include a review of the online interface with customers to determine whether there are any weaknesses or gaps that can be addressed in order to reduce the ability of intruders to access customer accounts and records. Firms should also be diligent in their review of account activity for "red flags" that may indicate suspicious activity. Notice to Members (NTM) 02-21 discusses anti-money laundering compliance programs and suspicious activity reporting requirements.

Regulation S-P remains an important examination focus area for FINRA examiners. Firms can expect examination staff to review their Reg S-P policies and to make sure that member firms are taking the appropriate steps to ensure the privacy and security of customer information.

Supervision and Supervisory Controls

Supervision is a core area of review on all FINRA examinations. The supervisory structure implemented by member firms is vital to protecting investors as well as achieving overall compliance with applicable rules and regulations. Firms must establish adequate systems, policies and procedures for all areas of their business and appropriately review and update their supervisory systems, policies and procedures.

Firms should also have procedures in place for reviewing and identifying individuals or business areas that require enhanced scrutiny due to sales practice concerns, such as a pattern of customer complaints. Compliance with NASD Rules 3010, 3012 and 3013 (and NYSE Rule 342 for Dual Members) is reviewed on cycle examinations. Firms that engage in a municipal securities business should take particular note of the amendments to MSRB Rule G-27, which became effective on February 29, 2008. These amendments were designed to harmonize MSRB's supervision rule with the requirements of NASD Rules 3010 and 3012 and include a requirement that firms designate certain offices of supervisory jurisdiction (OSJs) as “municipal OSJs.”

Find additional information on supervisory control provisions in the following NTMs: 04-71, 04-79, 05-08, 05-29, 06-04 and 06-11; NYSE Information Memos 04-38 and 05-07; and MSRB Notices 2008-06, 2007-32 and 2007-16. For guidance on the establishment of adequate written supervisory procedures, heightened supervision of high-risk brokers and an adequate supervisory system, see NTMs 97-19, 99-45 and 98-96, and NYSE Information Memo 97-20. Find additional information in the supervisory controls issue center.

Sales of New or Non-Conventional Products

Member firms need adequate procedures for vetting new products that continually arrive on the market and may have complex features or risky characteristics. Firms should conduct adequate due diligence to understand the features of any product they allow their representatives to market. Firms should also perform a reasonable-basis suitability analysis for the product, as well as perform a customer-specific suitability analysis in connection with any recommended transactions. Firms must also provide a balanced disclosure of the risks and potential rewards associated with the particular product, implement appropriate internal controls, and train registered persons regarding the features, risks and suitability of these products.

For additional information on recent published guidance on the retail sale of non-conventional investments and structured products, see NTMs 03-71 and 05-59; on best practices involving the sales of new products, see 05-26; and on the sales practice obligations in the sale of bonds or bond funds, see 04-30.

Suitability is an important review area of any FINRA sales practice examination. While examiners will consider suitability of any product that member firms recommend, they are particularly focused on recommendations in new and non-conventional products, such as hedge funds, CMOs/CDOs, REITs, auction rate securities and other structured products. Many of these products are not suitable for all customers. For example, for those firms engaged in municipal securities transactions, recent market events give rise to questions about customer disclosure and suitability. See MSRB Notices 2008-4 and 2008-9.

All product recommendations must take into account the customer's investment time horizon, available funds, existing investments and investment objectives, among other things. Firms should not recommend products that are not understood by their salespersons.

Transaction Reporting

Transaction reporting is a focus of FINRA's automated surveillance and on-site examinations of member firms. Firms are reminded that they are responsible for the accuracy of the transaction information reported on their behalf, regardless of the means by which that information is reported to FINRA.

Business Continuity Planning (BCP)

As the California wildfires unfortunately reminded us in 2007, disasters can strike without warning. All member firms are required to create and maintain a business continuity plan, conduct an annual review of their plan and update the plan as needed. In addition to developing a business continuity plan, each firm should periodically test its plan to ensure all of its components work as envisioned. NTM 06-74 highlights the importance of BCP testing as evidenced by the experiences of member firms following Hurricanes Katrina and Rita.

Additional information regarding BCP compliance requirements can be found in the Frequently Found Deficiencies section below.

FINRA examining staff will ensure that member firms are maintaining current BCPs and that these BCPs are tested so that firms have assurance that they could continue business, or implement alternative plans, in the event of an emergency.

Data Integrity

FINRA examiners will continue to conduct reviews to determine both the timeliness and the accuracy of information that member firms submit to FINRA. The integrity of data submitted to FINRA, including regulatory data and information submitted via WebIR in advance of an examination, is critical because inaccurate or untimely information can result in inefficient examinations, creating a greater regulatory burden for member firms. Moreover, publicly available information regarding firms and registered representatives is adversely impacted by inaccurate or untimely submissions. Member firms can expect data integrity reviews regarding CRD filings (Forms U4, U5, BD and BR), the customer complaint reporting systems and data reported pursuant to NASD Rule 3150 (Reporting Requirements for Clearing Firms).

Bank Sweep Programs

Firms are advised that FINRA will continue to examine the programs of broker-dealers sweeping customer credit balances into deposits at banks. The focus of the examinations is to ensure that customer funds are protected at all times; the reviews cover minimum net capital requirements, titling of bank sweep accounts, treatment of bank sweep account balances under SEC Rules 15c3-1 and 15c3-3, written agreements with the bank and other related parties, bank sweep account reconciliations, and maintenance of books and records. Firms are encouraged to contact their FINRA Coordinator if they are planning to enter into any new customer bank sweep program arrangements. In addition, firms should consider the use of good business practices with regard to such programs. At a minimum, customers are entitled to clear, complete, prominent and unambiguous disclosures of relevant information. Other pertinent factors to consider include potential conflicts, differences in SIPC/FDIC coverage, presentation on customer account statements and maintenance of appropriate records.

Agency Lending Disclosure

In 2008, agency lending practices will continue as an important area of review during FINRA examinations of member firms that operate an agency securities lending business. Our continued emphasis on this area is based in part on 2007 examination findings that disclosed that some member firms were not performing principal counterparty credit risk monitoring or reconciliations, and were not resolving contract differences or computing securities borrow deficit capital charges at the principal counterparty level.

Firms conducting this business are advised that examiners will focus on pre-approval of principal counterparties, the adequacy of credit risk reviews performed, preparation of daily reconciliations at both the agent and underlying principal counterparty level, maintenance of books and records at the principal counterparty level, application of securities borrow deficit charges to the net capital computation, and inclusion of excess collateral received from agent lenders on securities borrow contracts as credit items in the customer reserve formula computation. Firms engaged in agency lending practices are urged to review information published by FINRA regarding the Agency Lending Disclosure initiative. This initiative resulted from regulatory concerns regarding the lack of transparency with the underlying principal counterparties, as well as the lack of information disclosures from the principal counterparties and the impact on the ability of the member firm to monitor credit exposure and other regulatory requirements when conducting agency securities lending transactions. See NTM 05-45 and NYSE Information Memos 05-39 and 06-21.

Inventory Valuations

Firms are reminded to review controls to independently validate the pricing of inventory positions. As the credit markets have become more illiquid, validation of prices to third-party sources has become more challenging. This heightens the need to strengthen controls to ensure the integrity of pricing of proprietary inventory and collateral to financing transactions. A review of firms' practices with respect to inventory valuation is an area FINRA examiners are focusing on in 2008.

Outsourcing

Firms are reminded that outsourced activities should not impair the quality of their internal controls or their ability to monitor for compliance with all applicable rules and financial and operational reporting obligations. FINRA expects and will examine for formalized oversight and monitoring policies, procedures and processes as part of its review of a firm's supervisory system. In addition, firms should especially consider the risks of activities that are outsourced to entities operating in foreign jurisdictions, and determine the impact of outsourcing arrangements on the firm's business continuity plans.

Order Audit Trail System (OATS)

Effective February 4, 2008, OATS reporting requirements were expanded to include OTC equity securities. The new reporting requirements apply to orders for OTC equity securities traded on the OTCBB, Pink Sheets or otherwise, as well as orders for foreign equity securities (if any resulting executions are required to be trade reported pursuant to NASD Rule 6620) and other securities meeting the definition of OTC equity security in NASD Rule 6951. To assist firms with their compliance, an "OATS Reportable Flag" has been added to the OATS Symbol Directory/Daily List on the OTCBB Web site. Also effective February 4, 2008, other modifications were implemented to address Reg NMS requirements and certain other technical changes. OATS modifications for Reg NMS include a requirement to identify intermarket sweep orders routed to other trading centers with a Routing Method Code "I" and the addition of a new "ISO" Special Handling Code to identify the receipt of an order identified as an Intermarket Sweep Order.

OATS reporting continues to be a focus for FINRA's Market Regulation examination program. FINRA examiners routinely conduct reviews to determine the accuracy of order information submitted to OATS.

Firms are encouraged to review the Frequently Asked Questions, reporting specifications and other information available on the OATS Web site for more details regarding these and other OATS reporting requirements, or to call the OATS Helpdesk at (800) 321-6273.

Regulation NMS

SEC Rules 610 (the Access Rule) and 611 (the Order Protection Rule) were fully implemented for all NMS stocks as of October 8, 2007. Under Reg NMS, a "trading center" includes alternative trading systems, exchange and OTC market makers and “any other broker or dealer that executes orders internally by trading as principal or crossing orders as agent.”

FINRA examinations may include a combination of: (a) on-site observation of member firms' operations, (b) review of member firms' written operational procedures, (c) review of member firms' written supervisory procedures, (d) review of member firms' documentation evidencing the conduct of supervisory reviews, and/or (e) review of data retained by the firm (e.g., Firm Specific Quote Data, Firm Specific Order and Trade Data, Network Data) to support its compliance obligations under Reg NMS. Rules tested for compliance will vary, based on the firm and its business model, taking into consideration whether the member firm is a Trading Center and the method(s)/venue(s) used to display quotations.

Initial examinations conducted by FINRA for compliance with Reg NMS indicate that some firms mistakenly may believe that Reg NMS does not apply to them, either because they make markets in a limited number of NMS stocks or because they infrequently execute orders internally. Firms should be aware that Reg NMS does not include any exception to the definition of “trading center” based on de minimis activity. Firms are reminded that the requirements for ISOs apply to “any broker or dealer” that uses ISOs, and are not limited solely to broker-dealers that operate as trading centers.

Firms may obtain more information from the SEC's “Spotlight On Regulation” and Frequently Asked Questions on Rules 610 and 611.

[1] The effective date of paragraphs c and d of Rule 2821 (Principal Review and Approval and Supervisory Procedures) is currently delayed.

Frequently Found Deficiencies

The following information addresses deficiencies that were identified during recent examinations.

Supervisory Controls (NASD Rules 3012 and 3013, and NYSE Rules 342 and 401)

Deficiency: FINRA examiners continue to find firms incorrectly interpreting the applicability of supervisory control rules to their business. As a result, these firms fail to meet some or all of the requirements to implement supervisory control procedures, test and update supervisory procedures annually, and have the CEO certify that the firm has adequate processes to establish and maintain sufficient compliance policies and written supervisory procedures.

Some firms fail to recognize that the requirements for specific Supervisory Control Procedures under Rule 3012 differ from the long-standing requirements for Written Supervisory Procedures under Rule 3010. Firms not only need to maintain written supervisory procedures, but they also need a control process for ensuring these procedures are adequate and current. This is a fundamental purpose of the supervisory control rules. In addition, examiners found that firms have failed to meet specific requirements under the rules, including:

  • designating the principal(s) responsible for establishing, maintaining and enforcing the firm's system of supervisory control policies and procedures;
  • annually testing and verifying its supervisory procedures and amending them, as necessary, based on such testing;
  • adequately supervising the customer account activity of producing managers;
  • adequately supervising producing managers subject to heightened/alternate supervision;
  • reviewing, monitoring and confirming transmittal of funds or securities from customers to third parties, changes of address and changes of investment objectives;
  • adequately providing electronic notification to FINRA within 30 days of reliance upon the “limited size and resource” exception of the rule and annually thereafter (for firms relying on the exception); and
  • complying with the annual CEO certification and books and records requirements of NASD Rules 3013(b) and IM-3013 and NYSE Rule 342.30. One common deficiency with respect to this aspect of the rule is that the certification made by the CEO was not accurate in that one or all components of the certification had not been discharged.

Why this is important: Sales practice and operational abuses by registered representatives or others can result from the failure to properly establish and enforce supervisory and supervisory control procedures (see NTM 04-71 and NYSE Information Memos 04-38 and 05-07). NASD Rule 3012 and NYSE Rules 342 and 401 provide specific requirements for ensuring that members have a control system in place to make sure their supervisory system is current and adequate and for ensuring that senior management is involved with compliance and supervision. These rules also specifically address two areas of concern regarding supervision of producing managers and misappropriation of customer funds by the firm's employees. Failure to implement the requirements of NASD Rule 3012 and NYSE Rules 342 and 401 leaves a firm vulnerable to issues arising from the inadequate oversight of producing managers' sales activities.

The rule also requires supervisory control procedures for three specific supervisory areas: (1) reviews of the transmittal of customer funds or securities, (2) changes in customer addresses and (3) changes in customer investment objectives. If supervisory procedures are not established, implemented and enforced in these three areas, the results could lead to customer harm and potentially aid in the misappropriation of customer funds.

The solution: Each member firm, regardless of size or business type, must establish, maintain and enforce a system of supervisory control policies and procedures that test and verify the firm's policies and procedures. Firms must ensure that a person senior to or “otherwise independent” of producing branch managers is performing the day-to-day supervisory reviews of the producing branch managers' activities and must alternate such review responsibility with another qualified person every two years or less. Where a firm is relying on the "limited size and resource" exception, it must notify FINRA electronically via the Rule 3012 notification system within 30 days of reliance on the exception and annually thereafter. As a reminder, member firms need to provide notice if they cease to rely on the exception.

Firms must ensure that heightened/alternate supervision procedures are established and enforced over the activities of each producing manager who generates revenue/income that meets the thresholds identified under NASD Rule 3012 and NYSE Rule 342.19. Firms must ensure that the procedures related to preventing and detecting misappropriation of customer funds are adequate and enforced. Annually, the firm's designated principals must submit a report detailing the firm's system of supervisory controls, the summary of the test results and exceptions noted, as well as any additional or amended supervisory procedures created in response to the test results.

There are a number of helpful resources on FINRA's Web site regarding supervisory control procedures, including NTMs 04-71, 05-29 and 06-04. NYSE Information Memos 04-38 and 05-07 are also highly valuable references for Dual Members on the requirements of NYSE Rules 342 and 401. 

Written Supervisory Procedures (NASD Conduct Rule 3010; NYSE Rule 342)

Deficiency: Member firms are required to establish, maintain and enforce an adequate supervisory system. Supervisory systems are composed of many different elements—both objective, such as regular reviews of specific areas of activity, and subjective, including placing competent, qualified and experienced individuals in supervisory roles. Written supervisory procedures document the supervisory system that the firm has established.

FINRA examiners encounter firms with procedures that do not include a description of the controls and procedures used by a firm to reasonably detect and prevent misconduct, but that instead merely repeat the rule requirements or firm policies. Moreover, examiners encounter instances where it is not clear who is responsible for a particular supervisory function.

Why this is important: Having adequate written supervisory procedures with accountable individuals enables firms to properly supervise their business, registered representatives and protect investors. Registered representatives also rely on clear written procedures to determine what is expected of them in order to conduct their business in compliance with applicable regulatory requirements.

The solution: Member firms must have written supervisory procedures that adequately address all activities in which the firm engages and that adequately describe how the firm supervises the activity and who specifically is responsible for supervising each activity. A firm's written supervisory procedures should clearly state:

  • Who: The identification of the principal responsible for conducting the subject procedure;
  • What: A description of the specific procedure that is to be conducted by the supervisor;
  • When: A statement as to when and/or how often the specific procedure is to be conducted; and
  • How: A statement as to how the principal will evidence the fact that the procedure has been conducted.

A number of resources are available on FINRA's Web site to assist with supervisory and compliance responsibilities. These resources include templates, frequently asked questions, Regulatory Notices, transcripts of educational compliance workshops and more. Firms frequently cite NTM 99-45 (Guidance on Supervisory Responsibility) as highly valuable on the topic of supervision and compliance.

Anti-Money Laundering (NASD Rule 3011; NYSE Rule 445)

Deficiency: NASD Rule 3011 and NYSE Rule 445 require member firms to develop and implement a written AML program reasonably designed to achieve and monitor the firm's compliance with the requirements of the Bank Secrecy Act (31 U.S.C. 5311, et seq.) and the implementing regulations promulgated by the Department of the Treasury. Member firms are required to establish and enforce a supervisory system to provide for annual (on a calendar-year basis) independent testing for compliance to be conducted by firm personnel or by a qualified outside party, unless the firm does not execute transactions for customers or otherwise hold customer accounts or act as an introducing broker with respect to customer accounts (e.g., engages solely in proprietary trading or conducts business only with other broker-dealers), in which case such “independent testing” is required every two years (on a calendar-year basis).

Examiners have frequently found a variety of testing deficiencies, including member firms that failed to conduct a test, failed to conduct an adequate test, failed to ensure the test is conducted by an independent party, failed to have any procedures or adequate procedures addressing testing, and failed to follow up on independent test results and findings.

Why this is important: A program to independently test for compliance is a requirement of a firm's AML program pursuant to NASD Rule 3011(c) and NYSE Rule 445(3) and is essential for an effective AML program. Failure by a firm to independently test for AML compliance could subject the firm to FINRA action.

The solution: Establish, document and maintain an effective AML compliance program to address independent testing. Ensure that an AML test is conducted on a timely basis, that the test is appropriate in scope and independence, and that the firm follows up on test results and findings.

For more information on AML and tools to assist you in complying with AML requirements, please see FINRA's AML Issue Center Web page. Also review NYSE Information Memo 06-04.

Business Continuity (NASD Rules 3510 and 3520; NYSE Rule 446)

Deficiency: NASD Rule 3510 and NYSE Rule 446 require each member firm to create and maintain a business continuity plan (BCP) and enumerate certain requirements that each plan must address. The rules further require firms to update their BCPs upon any material change and, at a minimum, to conduct an annual review of their plans. Firms also must disclose to their customers how their BCP addresses the possibility of a significant business disruption and how the firm plans to respond to events of varying scope. NASD Rule 3520 requires member firms to designate two emergency contact persons and provide this information to FINRA via electronic notice. Examiners have found that many firms have failed to prepare an adequate BCP, to update the plan as necessary or to designate qualified emergency contact persons.

Why this is important: Failure to have an adequate and current plan could leave a firm—and its customers—vulnerable if the firm faces an emergency or significant business disruption. Hurricanes Katrina and Rita and the more recent California wildfires remind us of the continued importance of business continuity planning.

The solution: Each member firm, regardless of size or business type, must develop a BCP reasonably designed to enable it to meet its existing obligations to customers. The plan must, at a minimum, address the ten elements listed in the rules. Additionally, the plan must be updated to address any significant changes to the firm's business, operations, structure and/or location. The plan must be approved by an appropriate member of senior management who is a registered principal. Firms must also designate two emergency contacts who are registered as principals, and must communicate the names of the contact persons to FINRA via the FINRA Contact System.

Further information regarding these rules, including applicable NTMs, Frequently Asked Questions and a small firm template, is available on FINRA's Business Continuity Planning Web page. Dual Members may also review NYSE Information Memos 06-30 and 05-80.

Regulation S-P

Deficiency: Member firms are required to adopt policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information. These policies and procedures must be reasonably designed to:

  1. insure the security and confidentiality of customer records and information;
  2. protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
  3. protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

Examiners have found that member firms lacked procedures addressing the three Regulation S-P requirements detailed above and the review of outsourcing arrangements involving customer information; failed to evidence that the firm provided both initial and annual privacy notices to firm customers; lacked procedures that ensure the proper disposal of consumer report information; failed to obtain required confidentiality agreements from third parties; failed to ensure that outsourcing entities maintained the confidentiality of customer information; and failed to include a required “opt out” clause in their privacy policies.

Why this is important: Failure to protect customer information undermines investors' confidence in the integrity of the securities industry and specific member firms. It can also subject a firm to financial risks (customer lawsuits, data breach recovery), legal risks (lawsuits, state reporting requirements) and reputational risks (harm to brand).

The solution: Establish, document and maintain effective policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information. Depending on the size of the firm, nature of its business or use of technologies, the firm should consider whether testing or training in this area is appropriate or necessary. Additionally, we remind member firms that their responsibility to protect customer information remains even when they choose to outsource or otherwise use a vendor that will or may have access to non-public information.

To learn more about the ways customer information has been lost or stolen by various companies and their employees, visit privacy advocate Privacy Rights Clearinghouse. To learn more about state security breach notification laws, visit the National Conference of State Legislators. Also see FINRA's investor education Web page.

Changes in Account Name or Designation (Rule 3110(j)) [2]

Deficiency: NASD Rule 3110(j) states that, before any customer order is executed, there must be placed upon the memorandum for each transaction the name or designation of the account (or accounts) for which such order is to be executed. Rule 3110(j) further states that no change in such account name(s) (including related accounts) or designation(s) (including error accounts) shall be made unless the change has been authorized by a member or the person(s) designated under the provisions of FINRA rules. Such person must, prior to giving his or her approval of the account designation change, be personally informed of the essential facts relative thereto and indicate his or her approval of such change in writing on the order or other similar record of the member firm. The essential facts relied upon by the person approving the change must be documented in writing and preserved for a period of not less than three years, the first two years in an easily accessible place, as the term "easily accessible place" is used in SEC Rule 17a-4.

FINRA examiners have found instances where approval of changes in account designation have not been properly evidenced, as well as instances where the essential facts relied upon by the person approving the change were not sufficiently documented.

Why this is important: NASD Rule 3110(j) regulates the ability of a registered representative (or other employee) to move a trade from one account to another account. Such changes in designation are appropriate when an honest mistake has been made, such as a representative inadvertently transposing two digits in an account number when entering a trade. Account designation changes are clearly not appropriate when, for example, they are used to move an unauthorized trade when the affected customer complains, or when a trade in the account of a favored customer drops in value and the registered representative decides to move the loss to an account of a less favored customer.

There is a great deal of potential for abuse when using account designation changes, so it's important that a firm's policies and procedures in this area be clear and effective. This means that supervisors assigned to approve account designation changes ensure that each such change is valid, that it doesn't improperly disadvantage a customer and that it doesn't violate a rule or regulation. When evidencing approval of a change, supervisors should ensure that the essential facts relied upon when approving the change are clearly documented. Such facts include the name and number of involved accounts, the reason for approving the change and any additional essential supporting documentation.

The solution: Ensure that account designation changes, including those trades moved into a firm error account, are reviewed and approved by an experienced, exam-qualified person prior to transmittal. Properly document and maintain records of such changes.

[2] See also NYSE Rule 410 (Records of Orders).

Time and Price Discretion (Rule 2510(d)(1)) [3]

Deficiency: NASD Rule 2510 prohibits the exercise of any discretionary power in a customer's account unless such customer has given prior written authorization (a Power of Attorney/Trading Authorization) to a stated individual or individuals and the account has been accepted by the member firm, as evidenced in writing by the firm or the partner, officer or manager, duly designated by the firm, in accordance with NASD Rule 3010.

There is an exception to this requirement, under subsection (d)(1), that applies to the exercise of time and price discretion—which is discretion orally granted by the customer to purchase a specific amount of a particular security (e.g., “Buy 100 shares of ABCD and get the best price you can”).

A verbal grant of time and price discretion is limited to the end of the business day on which the customer grants it. An extension of such time and price discretion requires explicit signed and dated customer instructions. Any exercise of time and price discretion must be reflected on the order ticket (as is the case with “regular” discretion).

FINRA examiners have found instances where the extension of time and price discretion beyond the business day on which the customer grants it is not being authorized by signed and dated customer instructions.

Why this is important: The concept of time and price discretion has been subject to abuse and/or misunderstanding. At one time, there was no time limit placed on a grant of verbal time and price discretion by a customer. This became problematic in instances where a registered representative was granted such discretion, but did not exercise it for an extended period of time, sometimes several weeks. This led to claims of unauthorized trading by customers who may have forgotten that they granted the discretion, or who assumed it was not valid for such an extended period of time. The "written extension" requirement under current Rule 2510(d)(1) is intended to prevent such misunderstandings. Accordingly, firms should educate their registered representatives to be cognizant of this requirement so as to avoid situations that could result in otherwise avoidable customer complaints.

Note that the “same-day” time limit does not apply to time and price discretion exercised in an institutional account, pursuant to valid “Good-Til-Cancelled” instructions, and given on a “not held” basis (e.g., instances where institutions give brokers discretion to “work a block” and the broker is “not held” responsible if prices aren't as good as the institution hoped they would be). An “institutional account” for this purpose is defined in NASD Rule 3110(c)(4).

The solution: Ensure that registered representatives are made aware, via written firm policy and training, of Rule 2510(d)(1) regulatory requirements pertaining to time and price discretion.

[3] See also NYSE Rule 408 (Discretionary Power in Customers' Accounts).

Net Capital (SEC Rule 15c3-1)

Deficiency: A common examination violation related to member firms' net capital computations includes the following:

  • Inventory Valuation: FINRA examiners have identified instances in which firms have either inaccurately valued proprietary trading positions or failed to maintain adequate controls over inventory mark-to-markets performed by traders.

Why this is important: Net Capital computations are observed by several interested stakeholders, including regulators, auditors, counterparties, clearing brokers and clients. Accurate net capital reporting is essential to communicating a member firm's financial stability to the investment community.

The solution: While the examples indicated above may be disparate, the solutions to avoiding these situations are often similar. Specifically, firms must conduct proper due diligence to ensure that sufficient controls, including supervision, are in place to ensure that assets maintained by the member firm are completely understood and are accurately categorized and valued for net capital purposes.

Customer Protection (SEC Rule 15c3-3)

Deficiency: FINRA examiners have uncovered various failures related to SEC Rule 15c3-3 in the Customer Reserve Formula and Possession or Control. A few examples of frequently observed exceptions include the following:

  • Inaccurate Treatment of Stock Record Allocation Positions: Examiners have cited member firms for inaccurate inclusion or exclusion of customer-related balances in the Reserve Formula that resulted from misapplication of allocated positions, including positions not priced by the allocation program and inaccurate coding of accounts.
  • Non-Bona Fide Reserve Bank Deposits: Member firms have been found to have made deposits into their Special Reserve Accounts for the Exclusive Benefit of Customers from firm bank accounts that are overdrawn, rendering the deposit non-bona fide.
  • Creation of Segregation Deficits by Deliveries, Securities Loaned and Securities Borrowed Returns: The most frequent Possession or Control violation observed is the creation of a segregation deficit by a member firm resulting from the removal of securities from a control location, typically DTC, to effect a delivery or securities lending transaction, including the return of a securities borrowed transaction.

Why this is important: Customer protection is one of the highest priorities for member firms and regulators, and taking steps to ensure that customers' assets are adequately protected by the Reserve Formula and under possession or control are among the firm's primary responsibilities.

The solution: Since much of the functionality related to Rule 15c3-3 compliance is highly automated, firms should make every effort to periodically review and test systems, such as the Stock Record and its allocation and segregation programs, to verify that they are working properly. Further, training and developing regulatory reporting and operations staff regarding the application of the customer protection rule and its importance to the member firm and its clients should ensure better compliance with the rule.

Operations: Transaction Processing and Effects on Books and Records, Net Capital and Customer Protection (SEC Rules 17a-3, 17a-4, 15c3-1 and 15c3-3)

Deficiency: While member firms' operations span numerous areas, a frequent problem noted by FINRA examiners is inaccurate books and records resulting from member firms' inability to accurately process and reconcile transactions. The most severe instances observed involve member firms that have undergone back office data processing or other systems conversions that have resulted in an inordinate number of trade breaks. The effect of these conversions is a high number of breaks and unreconciled items, and it is often felt for a long period of time as the member firm works to identify and resolve the problems. These breaks have had a profound effect on the accuracy of the firm's books and records and have frequently resulted in net capital charges and increased customer reserve requirements.

Why this is important: The accuracy of member firms' books and records, including customer positions and balances, is one of the most basic regulatory requirements and is essential to servicing clients' needs. The effects of inaccurate books and records, trade breaks, suspense items and unreconciled transactions can be damaging to a firm and can have impacts on its profitability, liquidity and reputation, among others. Therefore, the operational efficiency of each broker-dealer is essential to its success.

The solution: Since many of the most severe operational problems resulted from system conversions, firms must be rigorous in their pre-conversion efforts, including testing and training, and must be prepared to quickly respond to unforeseen problems. Outside of conversions, firms must also be diligent in keeping systems tested and maintained, and should implement upgrades and software fixes in an environment that does not put day-to-day processing at risk.

Order Data Transmission Requirements (Rule 6955)

Deficiency: NASD Rules 6950 through 6958 (the Order Audit Trail System or OATS Rules) require member firms to record in electronic form and report to FINRA on a daily basis certain information regarding orders originated, received, transmitted, modified, canceled or executed by FINRA member firms relating to equity securities listed and traded on the NASDAQ Exchange. OATS captures this order information and integrates it with quote and transaction information to create a time-sequenced record of orders, quotes and transactions.

FINRA examiners have found instances where OATS data was not being properly submitted with accurate order information, terms and conditions, and/or special handling codes.

Why this is important: FINRA established OATS as an integrated audit trail of order, quote and trade information for NASDAQ and OTC equity securities. FINRA uses this audit trail system to recreate events in the life cycle of orders and perform surveillance regarding the trading practices of member firms. Accurate OATS information is critical to FINRA staff in conducting surveillance and investigations of member firms for compliance with NASD rules and federal securities laws.

The solution: Establish, document and maintain effective policies and written supervisory procedures to ensure proper OATS supervision. Perform adequate supervision to ensure OATS information is being reported accurately and on a timely basis.

Transaction Reporting (Rules 4632 and 6620)

Deficiency: NASD Rules 4632 and 6620 require Trade Reporting Facility participants to transmit certain information regarding last sale reports of transactions in designated securities.

FINRA examiners continue to encounter rule violations related to timeliness and accuracy of transaction reporting. Specifically, FINRA examinations have found instances where firms have incorrectly reported riskless principal transactions. Examination findings also include instances where firms incorrectly reported transactions with the long/short-sale indicator.

Why this is important: Accurate and timely submitted trade report information serves several important purposes. This information forms the basis for public dissemination of "last-sale" transaction prices to the tape, thus providing transparency. Trade report information is also an integral part of the audit trail used by FINRA in its regulatory efforts to surveil and regulate firms' activities.

The solution: Establish, document and maintain effective policies and written supervisory procedures to ensure proper compliance with trade reporting. Perform adequate supervision related to the accurate and timely submission of transaction information.