Remarks from the PLI Seminar on Broker-Dealer Regulation and Enforcement 2012
Executive Vice President, Member Regulation Sales Practice
As prepared for delivery
Thank you for that introduction, and thanks Carmen [Lawrence] and Neal [Sullivan] for the invitation to speak today. The speed of change in the financial industry means that firms must work diligently to remain current—and a great way to do that is by attending events like this, sharing ideas with your peers and discussing your concerns with regulators. This is a great point in the year to reflect on what has transpired so far in 2012 from a regulatory perspective and discuss many current areas of focus for FINRA.
Today, I will focus on some of the recent developments in the industry, both in terms of the regulatory landscape and broker-dealer compliance programs. Many of these developments present challenges for firms and regulators alike. And as you are aware, the global financial crisis has resulted in some of the most significant regulatory reforms since the Great Depression. Like the industry, which continues to be proactive in its response to these reforms, FINRA considers the regulatory and economic environments each year when developing its areas of focus. I will discuss some of these priorities and initiatives, including significant enhancements to our examination program. I will also leave you with some of my thoughts about things you can do to stay on top of these issues.
Regulatory Environment and Challenges
This past January, FINRA issued its annual exam priorities letter—hard to believe we issued this letter 10 months ago—which highlights new and existing areas of significance and heightened importance to our regulatory programs. These issues include: product-specific concerns, sales practice issues such as suitability of recommendations, high frequency trading and the challenges that come with supervising these activities—including brokers who conduct business activities away from their firms. This year's letter also covers enhancements to our risk-based examination program, which is generating better results for FINRA and allowing us to give more robust exam-related feedback to firms. So let me focus for a moment on our examination program and how it has evolved.
Evolution of FINRA's Examination Program
If FINRA has examined your firm in the past year, chances are that you noticed a difference from your prior examination. We are continuing to enhance the exam process by focusing on risk through a flexible, dynamic exam program. At the root of this enhanced program is a risk-based approach to both the frequency of exams and the areas focused on by examiners. This process is heavily driven by ongoing data collection and analysis—most of which occurs before we ever start an exam. We have restructured our district offices so that there is a dedicated staff managing this ongoing surveillance function. Regulatory coordinators and surveillance directors conduct ongoing analysis of various data sources relevant to each firm. They also request information from firms in advance to help develop a risk-based plan for each examination. We can analyze this data before examiners ever arrive at the firm—which means their time in the field is more efficient. As FINRA collects additional data, we expect our examinations to become even more risk-focused.
One way in which we're doing this is through the Risk Control Assessment Survey, which we sent to firms in February. We appreciate that many of you took the time to complete the survey, and we are planning improvements to make the process even better for firms. For example, next year we expect to streamline the questionnaire and reduce the number of questions. If firms complete it again, FINRA will pre-populate the second RCA with the firm's responses, as applicable, so these firms need only update their responses. Also, enhanced technology will enable the printing of blank or pre-populated RCA forms to better facilitate information sharing and collection within your firm. This technology will also allow firms to better target the sections of the RCA that are relevant to their firms. It will also give firms more text boxes so they can explain their answers when the available options don't exactly fit their firm's situation. We expect to continue to refine the RCA survey based on our experience with the process and feedback from firms.
Also in the area of data collection, we are better leveraging some of our existing transactional data—like TRACE and OATS—and combining it with external information to better target specific risks. Some of the external data we are using include transactional data from the MSRB as well as product reference data, which helps us understand the risk characteristics of individual products. The intent of this analytic effort is to better align our regulatory resources to specific risks and better target our exams before the examiners ever arrive at the firm.
FINRA is also gathering additional financial information through the Supplemental Statement of Income, or SSOI. Starting with the September 30 FOCUS filing, firms are required to submit additional income information, and firms deriving greater than 10 percent of their total revenues from unregistered offerings will submit information about those offerings. Not only will this information be invaluable to the exam planning teams, we will combine it with other information to help determine how often we should visit your firm, again based on risk.
As we continue to enhance our examination program, we've heard more positive responses, primarily about the exams hitting on the right issues and being better focused. Now I must admit that on occasion the feedback isn't good. But that's okay. So when you have your next exam, whether you have a positive experience or not, please consider giving me or your district director a call to discuss how it went. We are constantly looking for ways to improve our examination process, and your feedback is a critical part of doing so.
Consolidated Audit Trail
Back to the topic of data collection for a moment, I would be remiss not to highlight the SEC's recent adoption of Rule 613, which will require the creation of a comprehensive consolidated audit trail. There currently isn't a consolidated, single source of trading data. Each SRO has its own audit trail system for tracking this information, and FINRA's is OATS. The new rule requires FINRA to work with other SROs to submit a plan, which will create and maintain a central repository for the collection of data about transactions in National Market System (NMS) securities. Once we have one uniform set of trading information that covers all U.S. markets, we'll be able to close the regulatory gaps that currently exist and conduct broader, more effective cross-market surveillance. In doing so, we'll be better positioned to detect improper conduct at an earlier stage. We strongly believe that as this process evolves, we can leverage OATS to become the foundation of the new consolidated audit trail. So now let me shift from data collection to several other FINRA priorities, starting with cyber security.
By no means is cyber security a new issue, but in 2012, it continued to grow as a risk to the financial services industry. The obligation to protect customer accounts and information has never been more important than it is today. FBI Director Robert Mueller, in his January 2012 testimony before the Senate Select Committee on Intelligence, stated that cyber-threats would surpass terrorism as the country's top security concern. Despite the risks, customers are seeking greater convenience in accessing their accounts online and through electronic means, presenting new challenges for broker-dealers. FINRA has warned firms that the sophistication of potential electronic attacks against the industry has increased significantly and that firms need to be prepared for these threats. While discrete, one-off threats such as brokerage account intrusions and insidious insider behavior remain, would-be attackers have greatly increased their abilities. Indeed as recently as last month, the customer websites of a number of major U.S. banks were hit with coordinated cyber attacks.
FINRA has also warned investors about the problems it has seen in the area of cyber security. For example, FINRA issued an Investor Alert earlier this year warning investors and firms about email hack attacks. In a typical case of this nature, a fraudster may gain access to an investor's email account and use that access to issue instructions that broker-dealers transfer funds out of the account—in some cases to overseas accounts. Some even contain fraudulent letters of authorization. FINRA also issued guidance about this practice in Regulatory Notice 12-05. In addition, FINRA has warned about hoax emails purporting to be regulatory inquiries from the SEC or IRS. In one instance, an email purportedly from the IRS was addressed to "Chief Accountant Officer" and warned the recipient that their tax return had been rejected. The email contained a link that the recipient could click, purportedly to appeal and resubmit their return—but that actually had the potential to expose them to malicious software instead.
Another area of concern is data loss, which can occur through theft or loss of equipment, and sometimes even account intrusions. Information protection is not just a technology issue—it can be a physical security issue, and firms should ensure that they have adequate reporting systems in place when employees lose data. Firms that lose customer data should carefully analyze reporting and notification requirements, as well as conduct a comprehensive root-cause analysis.
FINRA has previously issued guidance with respect to fund withdrawals and transfers from customer accounts. Firm procedures must include "a means or method of customer confirmation, notification or follow up that can be documented." Supervisory and compliance requirements [Rule 3012] related to cyber security and customer information protection are not new. However, firms should ensure that they consider all regulatory developments—and in this case, cyber security developments—from the preceding year when conducting their annual reviews of supervisory systems and procedures. Also, in an area that is as fast-moving as cyber security, firms should consider updating systems and procedures more frequently than annually. Firms should also consider the experiences of their peers to understand where their own vulnerabilities may lie.
Over the last several years, FINRA has brought several enforcement actions against firms that failed to ensure that their systems and procedures were effectively updated to prevent the loss of customer information through cyber attacks. In one of these cases, the issue was as simple as the firm's failure to stay current with technology on its password access systems, resulting in the compromise of customer data. In another case, a broker simply didn't update the anti-virus software on a computer, which allowed an intruder to obtain a broker's credentials to access customer accounts and enter orders.
Since 2010, FINRA has conducted thematic reviews in the area of technology and cyber security. With the thematic approach, we are particularly concerned with understanding how firms control critical risks, rather than just testing for compliance with various securities rules. The onsite reviews yielded a number of observations of strong controls, including:
- structured governance over application risk classification and controls;
- robust IT organizations interacting with all areas and facets of the firm;
- full encryption policies and practices for all devices, including those utilized outside the firm;
- independent reviews and testing of operating systems and security; and
- strong user credential requirements and management.
FINRA expects cyber security to remain a regulatory focus for the foreseeable future.
Let me now turn to complex products. This is an area that warrants our attention because of the continuous and rapid evolution of these types of products, and more importantly, because these products are now more frequently being offered to retail investors. There is no doubt that customers are seeking higher returns. The industry has responded by creating products that offer the potential for greater yields. But the greater yields provided through complex products can expose customers to increased risk. Firms and registered representatives must ensure that these products are only sold after a careful evaluation, through which all parties fully understand the intricacies of each product. Effective product vetting is critical if your firm is going to sell complex products.
FINRA examiners have been focused on several product types, including principal-protected notes, non-traded REITs, reverse-convertible notes, structured notes, and leveraged and inverse ETFs. FINRA recently issued Regulatory Notice 12-03 highlighting our concerns about complex products and offering guidance to firms on developing adequate supervisory systems for these products. In that guidance, FINRA notes that complex products often necessitate more scrutiny and supervision by a firm. More specifically, the guidance calls for a comprehensive process that includes due diligence prior to approval of the product for sale to clients. Also, this due diligence process must inform the firm's written supervisory procedures and training programs. Brokers should be trained on the features of the product as well as the firm's own suitability guidelines for that product. And these guidelines should be specific enough to identify those to whom the product should and should not be offered. The decision to offer complex products to retail investors is one that should be carefully considered and made only after a thorough assessment of a product's features, a comprehensive training effort and a full evaluation of firm supervisory systems related to that product. Firms should also consider whether they have any conflicts—particularly where they maintain affiliations with the product issuer or where there is a compensation arrangement that creates a conflict. When developing procedures for the sale of complex products, firms should identify potential conflicts and document their process for ensuring that they do not place their interest—or that of their brokers—before the client's.
FINRA examinations have identified improper sales and supervision of these products, and some of the common themes in these examinations include: failures to take a proactive approach to vetting the product, failure to develop adequate supervisory procedures and insufficient broker training programs. We have observed in some instances that brokers are not effectively considering two of the most important factors in recommending a complex product to a retail client: whether that client understands the risks the product poses and whether the level of risk is appropriate based on the client's profile.
FINRA recently sanctioned four firms for unsuitable sales of leveraged and inverse ETFs as well as failure to develop adequate supervisory systems. In these four cases, firms were required to pay fines of $7.3 million and over $1.8 million in restitution to customers. One of the findings was that brokers made recommendations without a reasonable basis to customers with conservative investment objectives. The firms also failed to conduct adequate due diligence on the products.
In another case, a FINRA hearing panel ordered a firm, its owner and one of its brokers to pay $1.6 million in restitution to clients for making fraudulent sales of CMOs to unsophisticated, elderly and retired investors. The firm was also fined $1 million and the owner and broker were barred from the securities industry. The firm's former chief compliance officer was suspended for two years in all capacities and barred as a principal. The affected customers were retired investors looking for safer alternatives to equity investments. The panel found that the firm's owner and a broker, "preyed on their elderly customers' greatest fears," such as losing their assets to nursing homes and becoming destitute during their retirement and old age, all in order to induce them to purchase unsuitable CMOs.
Earlier this week, FINRA announced a significant action involving David Lerner Associates wherein the firm agreed to pay approximately $11.7 million in restitution to customers who purchased Apple REIT Ten, a publicly registered, non-traded REIT. The sanctions, which also include a suspension of the firm's President, David Lerner, as well as a $250,000 fine, stem from the firm's recommendations and sales of Apple REIT Ten without performing adequate due diligence in violation of its suitability obligations. Also, the firm marketed the product using misleading marketing materials, including the presentation of performance results for closed Apple REIT issues, which did not disclose that income from those REITs was insufficient to support the distributions. David Lerner consented to findings that he made false, exaggerated and misleading claims regarding the investment returns, market values, prospects and performance of the closed Apple REIT issues through investment seminars and in letters to customers. As FINRA has repeatedly stated, inadequate due diligence in the complex product space is a recipe for significant problems. FINRA will take appropriate action when it finds that a firm has failed to take reasonable steps in this area.
FINRA will continue to focus on the suitability of recommendations made to customers, particularly customers who are vulnerable. Product innovations are here to stay, so firms must understand the products they sell and particularly the implications when selling to retail clients.
In addition to understanding the products they sell, every firm must take steps to ensure that the products they sell are suitable for the specific customer. FINRA Rule 2111 (the Suitability Rule) and FINRA Rule 2090 (Know Your Customer Rule) became effective in July. The results of the examinations of this area, while preliminary at this stage, are very encouraging. With very few exceptions, FINRA examiners have observed that firms are demonstrating awareness of the requirements of the rules and have updated their supervisory procedures accordingly. Firms have updated their new account forms to include questions about the information that is required in the new know your customer rule. Although not a specific requirement of the rule, some firms have implemented a process whereby they create a "hold" ticket when brokers make an explicit hold recommendation. Others prefer to document the recommendation in customer relationship management systems. As we have said previously, there is not a one-size-fits-all approach to compliance with these rule changes.
Our approach to conducting these examinations has been to talk to firms about what they considered in preparing for compliance with the rule. We will review implementation steps to determine whether the approach appears reasonable given the nature of the firm's business. Firms should also remember to conduct appropriate training for all persons impacted by the rules. FINRA's most recent guidance on these rules, which was prepared based on many of the questions posed by legal and compliance professionals, can be found in Regulatory Notice 12-25.
Conflicts of Interest
Earlier I described a few of the conflicts that can occur when selling complex products. But conflicts can arise at all levels of a firm's business, and FINRA encourages firms to consider all conflicts and develop reasonable procedures to disclose and manage them. This year at FINRA's Annual Conference, our CEO Rick Ketchum called on firms to do a better job assessing and disclosing conflicts of interest. He asked firms to take a step back and look at how they handle conflicts. Since then, FINRA initiated discussions with firms about how they identify and manage conflicts of interest. We hope to use this information to develop additional guidance for the industry.
As a result of these challenging economic times, many businesses are seeking to do more with less. The financial services industry is no exception. FINRA is helping by enhancing our analysis of the costs and benefits of rules it proposes. FINRA has long considered how rules would impact firms by seeking industry input through various committees, including the Small Firm Advisory Board, District Committees and Standing Committees of FINRA's Board of Governors. FINRA is currently considering what additional expertise and resources it needs to perform this cost-benefit analysis. We're also reviewing current rules to determine whether they remain relevant; and if not, whether they should be repealed or modified. You should expect to hear more from us in this area in the coming months.
Lastly, as firms consider their costs, decision makers may be tempted to consider cuts in the compliance area, to delay critical technology initiatives or to outsource key functions. But firms should remember that cutting too much now will likely cost more in the future. It is imperative that firms maintain proactive and robust compliance systems. And, remember that even the best compliance systems require periodic testing under various scenarios. I ask that you give strong consideration to these suggestions, along with all of the issues I discussed today. Doing so will help to ensure that your firm is well positioned to protect the interests of its customers in this fast-changing economic and regulatory environment.
Again, thank you for inviting me today. I'm happy to take your questions.