2019 Annual Risk Monitoring and Examination Priorities Letter

Each year, FINRA publishes its Annual Risk Monitoring and Examination Priorities Letter to highlight issues of importance to FINRA's regulatory programs. 

Cover Letter From FINRA President and CEO, Robert Cook


January 22, 2019

We are pleased to release the 2019 FINRA Risk Monitoring and Examination Priorities Letter, which describes topics that member firms should consider as they identify opportunities to improve their compliance, supervisory and risk management programs. This year’s letter takes a somewhat new approach—as compared to similar letters issued in prior years—by focusing primarily on those topics that will be materially new areas of emphasis for our risk monitoring and examination programs in the coming year. FINRA will, of course, continue to review and examine for longstanding priorities discussed in greater detail in past letters, but we agree with the suggestion from many of our member firms that a sharper focus on emerging issues will help them better determine whether those issues are relevant to their businesses and how they should be addressed.

As the new title of the letter reflects, we also have broadened the scope of the letter to more explicitly include our priorities for risk monitoring. Risk monitoring is the ongoing process through which FINRA monitors developments at firms and across the securities industry to identify risks and assess their prevalence and impact. We use this analysis to evaluate whether a regulatory response is appropriate, determine what that response should be and then allocate the required resources to implement the response. The risk monitoring process involves numerous inputs, including firms’ reporting to FINRA, data from our market and member surveillance programs, findings from our examinations, FINRA surveys and questionnaires, and ongoing dialogue between FINRA and the industry as well as other stakeholders.

Another central element of our work, of course, is examinations. FINRA examines firms and associated persons for compliance with securities laws, regulations and rules, and, where appropriate, also exercises its regulatory powers to investigate, initiate enforcement action and impose sanctions. Such actions serve to deter, punish, and, where possible, make whole those who have been harmed by non-compliant conduct.

Risk monitoring, examinations and enforcement are FINRA’s core regulatory tools, but they are not our only tools. The needs of investors, the U.S. securities markets, and companies seeking to raise capital are dynamic and FINRA and the industry must adapt to meet those evolving needs. We are taking additional steps to make FINRA a regulator that can better foster a vibrant market through our mission to protect investors and promote market integrity. Last year, these steps included, for example, providing broad examination feedback to all firms through the issuance of our Report on Examination Findings; helping educate firms on new regulatory issues, such as through our report on Technology Based Innovations for Regulatory Compliance (“RegTech”) in the Securities Industry and Report on Selected Cybersecurity Practices – 2018; and soliciting firms’ views on how FINRA can support FinTech innovation through a Special Notice on Financial Technology Innovation. Other examples of changes made or underway were summarized in our last FINRA360 Progress Report.

In 2019, FINRA also will continue to implement targeted regulatory responses to address specific risk and compliance issues in a variety of ways. For example, FINRA recently held a conference on RegTech to provide firms with insights on how technology is being used to strengthen firms’ compliance programs. This is just one of several conferences we plan to host in 2019 to foster compliance in the industry. We will continue to enhance our market surveillance to incorporate new data and address new market practices. And FINRA will continue its retrospective rule review process to assess whether a FINRA rule or rule set is meeting its intended purpose and doing so in an efficient fashion.

More broadly, we will continue to work to improve the operation of our regulatory programs to the benefit of investors. Last year marked the full integration of our enforcement programs, and we have now launched a transformation of our risk monitoring and examination programs to integrate them into a single more effective, efficient and consistent program. We already have taken steps to further align our resources based on risk, and we will continue to refine and develop our capabilities in this area. We also will continue our work to organize the examination program around the firms we regulate and to provide a single point of accountability for all firm examinations. With this transformation, we will avoid duplication and conduct examinations that are more tailored to firms’ business models and risks.

The wide-ranging changes underway at FINRA promise to make 2019 a productive year, and one where we substantially strengthen our ability to deliver on our mission. As always, I welcome feedback on ways that FINRA can improve, and I thank the dedicated team here at FINRA for their hard work and unwavering commitment to investor protection.

Text of the 2019 Risk Monitoring and Examination Priorities Letter


January 22, 2019

Introduction

The 2019 Risk Monitoring and Examination Priorities Letter identifies topics that FINRA will focus on in the coming year. The letter begins with materially new priorities and then discusses priorities in areas of ongoing concern, but with an emphasis on aspects of those topics we have not articulated in prior letters. Unlike previous Priorities Letters, we do not repeat topics that have been mainstays of FINRA’s attention over the years.

Nonetheless, firms should expect that FINRA will review for compliance regarding these ongoing areas of focus, namely obligations related to suitability determinations, including with respect to recommendations relating to complex products, mutual fund and variable annuities share classes, as well as recommendations to use margin or execute trades in a margin account; outside business activities and private securities transactions; private placements; communications with the public; anti-money laundering (AML); best execution; fraud (including microcap fraud), insider trading and market manipulation; net capital and customer protection; trade and order reporting; data quality and governance; recordkeeping, risk management and supervision related to these and other areas.

In addition, FINRA will focus on risks related to associated persons with a problematic regulatory history.1 Although this is a longstanding priority, we will continue to enhance our examination program to evaluate how firms address these risks in their hiring practices and supervision programs.2

FINRA will also continue to review the adequacy of firms’ cybersecurity programs to protect sensitive information, including personally identifiable information. FINRA recently published our Report on Selected Cybersecurity Practices – 2018, and this document provides additional information on practices that may help some firms strengthen their cybersecurity programs.3

In addition, FINRA’s 2017 and 2018 Reports on Examination Findings present observations on concerns and effective practices relevant to many of the topics addressed in this letter, and FINRA encourages firms to use those reports, this letter and other resources FINRA makes available to enhance their compliance, supervisory and risk management programs.4

Highlighted Items

Online Distribution Platforms

Firms increasingly are involved in the distribution of securities through online platforms in reliance on Rule 506(c) of Regulation D and Regulation A under the Securities Act of 1933 (Securities Act). While some online distribution platforms are owned and operated by broker-dealers, others are operated by unregistered entities, which may use member firms as selling agents or brokers of record, or to perform activities such as custodial, escrow, back-office and financial technology (FinTech)-related functions.

FINRA is concerned that some member firms assert they are not selling or recommending securities when involved with online distribution platforms despite evidence to the contrary, including handling customer accounts and funds, or receiving transaction-based compensation. We will evaluate how firms conduct their reasonable basis and customer-specific suitability analyses, supervise communications with the public and meet AML requirements. Further, given the broad visibility of offerings distributed through online platforms, FINRA will evaluate how firms are addressing the risk of offering documents or communications with the public that omit material information or may contain false or misleading statements, or promissory claims of high targeted returns. For offerings subject to Regulation D, we will also evaluate how firms address the risk of sales to non-accredited investors and non-compliant escrow arrangements. For offerings subject to Regulation A, FINRA will also assess the risk of excessive or undisclosed compensation arrangements between firms and the issuers.

Fixed Income Mark-Up Disclosure

FINRA will review firms’ compliance with their mark-up or mark-down disclosure obligations on fixed income transactions with customers pursuant to amendments to FINRA Rule 2232 (Customer Confirmations) and MSRB Rule G-15, which became effective on May 14, 2018.

To help firms evaluate their compliance with mark-up requirements, FINRA developed a Mark-up/Mark-down Analysis Report that is available to individual firms. The report provides a mark-up summary (including median and mean percentage mark-ups), detailed information such as trade details (e.g., FINRA’s calculated markup percentage and dollar profit) and graphical displays of data across longer periods of time for trend analysis. FINRA also made publicly available the Bond Facts Tool, which provides security-specific product data to help retail investors understand the quality of their fixed income securities transactions (e.g., the time, price and size of other transactions in the same bond).

FINRA will also review for any changes in firms’ behavior that might be undertaken to avoid their mark-up and mark-down disclosure obligations.

Regulatory Technology

Firms are using a variety of innovative regulatory technology (RegTech) tools to make their compliance efforts more efficient, effective and risk-based.5 FINRA will engage with firms to understand how they are using such tools and addressing related risks, challenges or regulatory concerns, including those relating to supervision and governance systems, third-party vendor management, safeguarding customer data and cybersecurity.

Sales Practice Risks

Suitability

As always, suitability will remain one of FINRA’s top priorities. This year, some of the specific areas on which we may focus include: (1) deficient quantitative suitability determinations or related supervisory controls; (2) overconcentration in illiquid securities, such as variable annuities, non-traded alternative investments and securities sold through private placements; and (3) recommendations to purchase share classes that are not in line with the customer’s investment time horizon or hold for a period that is inconsistent with the security’s performance characteristics (which could include, for example, a recommendation to purchase and hold a security that is intended for short-term trading or to engage in short-term trading in products designed primarily for long-term holding).

As the exchange-traded product (ETP) market continues to grow with novel and increasingly complex products, FINRA will evaluate whether firms are meeting their suitability obligations and risk disclosure obligations when recommending such products. These include leveraged and inverse exchange-traded funds (ETFs), floating-rate loan ETFs (also known as bank-loan or leveraged loan funds) and mutual funds that invest in loans extended to highly indebted companies of lower credit quality.

In addition, FINRA remains concerned about securities products that package leveraged loans (e.g., collateralized loan obligations). Although these products are typically sold via private placement to qualified institutional buyers, if we observe that firms are selling them to retail investors, we will review how firms are supervising such transactions to ensure their compliance with applicable sales restrictions.

Senior Investors

Protection of senior investors, as well as investors who are retired or approaching retirement, remains a top priority for FINRA and we will continue to focus on how firms are protecting such persons from fraud, sales practice abuses and financial exploitation. FINRA will assess firms’ supervision of accounts where registered representatives serve in a fiduciary capacity, including holding a power of attorney, acting as a trustee or co-trustee, or having some type of beneficiary relationship with a non-familial customer account. In particular, we are concerned about registered representatives using their role as a fiduciary to take control of trusts or other assets and direct funds to themselves.6 FINRA will assess the supervisory systems firms employ to place heightened scrutiny over such accounts.

FINRA will also review firms’ controls regarding their obligations under amendments to FINRA Rule 4512 (Customer Account Information) requiring firms to make reasonable efforts to obtain information about trusted contacts for non-institutional accounts and new FINRA Rule 2165 (Financial Exploitation of Specified Adults), to the extent that firms anticipate placing temporary holds on disbursements pursuant to the Rule 2165 safe harbor, including whether firms have clearly defined policies and procedures or practices.

FINRA is also interested in learning about firms’ early experiences with these new provisions. FINRA developed them, in large measure, to provide firms with tools to protect seniors and other specified adults, which is especially important for firms that have, or soon will have, a significant number of customers who fall into such categories.7

Outside Business Activities and Private Securities Transactions

FINRA will continue to assess firms’ controls related to associated persons’ outside business activities8 and private securities transactions, including associated persons raising funds from their customers away from their firm and outside of their firm’s supervision. We are particularly concerned about fundraising activities for entities that the associated persons control or in which they have an interest, specifically entities with potentially misleading names that are similar to established issuers.

Operational Risks

Supervision of Digital Assets Business

Some firms have demonstrated significant interest in participating in activities related to digital assets and FINRA encourages firms to notify FINRA if they plan to engage in such activities, even where a membership application is not required.9 This year, FINRA will review firms’ activities through its membership and examination processes related to digital assets and assess firms’ compliance with applicable securities laws and regulations and related supervisory, compliance and operational controls to mitigate the risks associated with such activities. Coordinating closely with the U.S. Securities and Exchange Commission, FINRA will consider how firms determine whether a particular digital asset is a security and whether firms have implemented adequate controls and supervision over compliance with rules related to the marketing, sale, execution, control, clearance, recordkeeping and valuation of digital assets, as well as AML/Bank Secrecy Act rules and regulations.

Customer Due Diligence and Suspicious Activity Reviews

FINRA will assess firms’ compliance with FinCEN’s Customer Due Diligence (CDD) rule, which became effective on May 11, 2018. The CDD rule requires that firms identify beneficial owners of legal entity customers, understand the nature and purpose of customer accounts, conduct ongoing monitoring of customer accounts to identify and report suspicious transactions and, on a risk basis, update customer information. FINRA will focus on the data integrity of those suspicious activity monitoring systems, as well as the decisions associated with changes to those systems.

Market Risks

Best Execution

FINRA is concerned about firms failing to use reasonable diligence to assure that their customer order flow is directed to the best market given the size and types of transactions, the terms and conditions of orders and other factors. In particular, FINRA will review firms’ best execution decision-making where the firm routed all or substantially all customer orders to a small number of wholesale market makers from which they received payment for order flow or an affiliated broker-dealer or an alternative trading system (ATS) in which the firm had a financial interest. FINRA will also assess how firms check additional venues for potential price improvement. FINRA will also review how firms quantify the benefits to customers from firms’ receipt of order routing inducements and how firms manage the conflict of interest between their duty of best execution and any inducements or benefits they receive from the routing or internalization of customer orders.

Market Manipulation

FINRA continues to focus on market manipulation by enhancing FINRA’s surveillance capabilities and providing firms with tools they can use to identify possible manipulative activities. This year, FINRA will focus on manipulative trading in correlated ETPs, including those that track common, broad market indices. We are using pattern exploration to better identify the exploitation of the unique characteristics of ETPs, such as the creation and redemption process and composition changes to the ETP portfolios, and expanding the use of machine learning to improve our ability to react to changes in the ETP market. Similarly, FINRA will focus on reviews for potential manipulation across correlated options products (e.g., options on broad market indices and options on ETFs overlying the same indices).

FINRA will also continue to help firms with their compliance efforts by providing Cross Market Supervision Report Cards. These report cards help firms identify potential manipulation across multiple firms, markets and products and proactively address related compliance risks.

Market Access

FINRA will continue to review firms’ compliance with Rule 15c3-5 (the Market Access Rule) under the Securities Exchange Act of 1934 (Exchange Act), focusing on how firms apply appropriate controls and limits to sponsored access orders; retain the sole authority to determine the boundaries for those controls and limits; test the effectiveness of those controls and limits; and implement and test exception reporting systems covering sponsored access orders. We will also assess how firms monitor their customers’ activity and maintain policies and procedures, as well as technical controls, to detect and prevent potentially manipulative or other prohibited trading activity.

Short Sales

FINRA will review whether firms have structured their aggregation units in a manner that is consistent with the requirements of Exchange Act Rule 200(f) and can demonstrate the independence of the units through measures such as separate management structures, location, business purpose, and profit and loss treatment.

Short Tenders

As in 2018, FINRA will review how firms account for their options positions when tendering shares in the offer. Exchange Act Rule 14e-4 provides that if, following the announcement of a tender offer, a market participant sells call options with a strike price less than the tender offer price, the firm must reduce its long position by the shares underlying the options for purposes of calculating its net long position. FINRA will continue to educate firms about these requirements and evaluate their compliance with them.

Financial Risks

Credit Risk

FINRA will review firms’ policies and procedures for identifying, measuring and managing credit risk, including risk exposures that may not be readily apparent. For example, a firm may be exposed to credit risk when it becomes responsible for transactions that its customers and correspondents execute “away” from the firm, without the firm’s participation until after execution. Such responsibility can be incurred under clearing arrangements, prime brokerage arrangements (especially fixed income prime brokerage), “give up” arrangements, sponsored access arrangements (discussed above under “Market Access”) or principal letters. Usually trades under these arrangements are completed without incident, but if they are sizable and conducted in a period of high volatility, they may create large exposures for which the firm holds little or no collateral (and which the firm may need to fund out of its own resources).

FINRA will also assess the extent to which firms identify and address all relevant risks when they extend credit to their customers and counterparties. Since broker-dealers generally extend secured credit, a firm may believe that its margin requirements eliminate counterparty or customer credit risk. A firm, however, can be exposed to sizeable losses in the event of a default by a customer whose margin account contains illiquid, volatile or concentrated securities positions because the firm may not be able to promptly liquidate the positions at a price that fully covers the customer’s obligations. Similar risk exposures may exist when firms lend on products or strategies that have potential for large market moves, such as certain options strategies and structured products. In connection with this review, we will also examine firms’ compliance with FINRA Rule 4210(f)(1) (Margin Requirements), which requires substantial additional margin on long and short positions in securities that are subject to “unusually rapid or violent changes in value, or do not have an active market on a national securities exchange, or where the amount carried is such that the position(s) cannot be liquidated promptly.”

Funding and Liquidity

FINRA will continue to evaluate firms’ liquidity planning, including whether they have a reasonable process to regularly assess the adequacy of their liquidity pools and update their stress test assumptions based on changes in their businesses, products and customers. This year, we will focus on whether firms update their stress test assumptions in light of changes in the marketplace, such as the increased volatility experienced at various points in 2018. Among other things, if government securities repo funding has a significant role in a firm’s liquidity plan, we will inquire about the firm’s contingency plans for disruptions of, or reductions in funding available from, the government securities repo market (which experienced significant quarter-end and year-end rate spikes in 2018). We will also assess the adequacy of firms’ liquidity pools and their review of the reasonableness of stress test assumptions on a regular basis in light of all of their business activities and arrangements, including any arrangements where firms become responsible for transactions that their customers and correspondents execute “away” from them.

 

If you have general comments regarding this letter or suggestions on how we can improve it, please send them to Carlo di Florio, Executive Vice President, Member Supervision/Shared Services, at [email protected] or Steven Polansky, Senior Director, Member Supervision/Shared Services, at [email protected].

Endnotes

1 FINRA uses “a risk model that takes into account a range of quantitative and qualitative information” to determine whether a registered representative poses additional risk to investors. Robert W. Cook, President and CEO, FINRA, Address at the McDonough School of Business, Georgetown University, Protecting Investors From Bad Actors (June 12, 2017). This information comes “from a variety of sources, including regulatory reports by firms and brokers, our examination program, employment histories, past associations with problematic firms, customer complaints, and any history of informal actions levied by FINRA” and FINRA also reviews “aggravating factors such as patterns of behavior, conflicts of interest, and links to previously disciplined individuals.” Id.

2 See Notice to Members 97-19 (providing certain hiring practices when considering for employment an associated person with a history of customer complaints, disciplinary actions or arbitrations from the securities industry); Regulatory Notice 18-15 (listing the kinds of industry and regulatory-related incidents that firms should consider, and highlighting that statutorily disqualified persons and persons who have been disciplined in disciplinary proceedings raise significant investor protection concerns).

3 Firms can also find additional information about the main elements of a cybersecurity program in FINRA’s Report on Cybersecurity Practices.

4 Resources that FINRA makes available to firms include, but are not limited to, the Small Firm Cybersecurity Checklist, the Anti-Money Laundering (AML) Template for Small Firms and the Report Center. For more information about these and other tools, please visit the Compliance Tools page on FINRA’s website.

5 The term “RegTech” is generally used to refer to new and innovative technologies designed to facilitate firms’ ability to meet their regulatory compliance obligations. The Institute of International Finance defines RegTech as “the use of new technologies to solve regulatory and compliance burdens more effectively and efficiently.” See Technology Based Innovations for Regulatory Compliance (“RegTech”) in the Securities Industry (September 2018).

6 To the extent that the firm allows its registered representatives to engage in these fiduciary appointments for individuals who are not customers of the broker-dealer, firms should consider providing training to registered representatives that outlines or clarifies when the activity should be reported to the firm pursuant to FINRA Rule 3270 (Outside Business Activities of Registered Persons).

7 A “specified adult” under FINRA Rule 2165(a)(1) is defined as “(A) a natural person age 65 or older; or (B) a natural person age 18 or older who the member reasonably believes has a mental or physical impairment that renders the individual unable to protect his or her own interests.” The “trusted contact” provision in Rule 4512 is intended to be a resource for a firm in administering a customer’s account, protecting assets and responding to possible financial exploitation. See Regulatory Notice 17-11 (noting that, in addition to responding to possible financial exploitation of seniors and other specified adults, a trusted contact could be helpful if a firm has been unable to contact a customer or there is concern over a customer’s wellbeing).

8 Following a retrospective review of the outside business activities and private securities transactions rules, FINRA published Regulatory Notice 18-08, soliciting comment on proposed FINRA Rule 3290, which would replace current FINRA Rules 3270 (Outside Business Activities of Registered Persons) and 3280 (Private Securities Transactions of an Associated Person). FINRA received 52 comments on Regulatory Notice 18-08 and they are available here. FINRA is considering the comments.