2010 Regulatory and Examination Priorities Letter

March 1, 2010

Dear Executive Representative:

FINRA is issuing its 2010 annual examination priorities letter to highlight new and existing areas of significance to FINRA's examination program for the year. This year's annual letter goes beyond the focus of FINRA's Market Regulation and Member Regulation Departments to also include topics that are of heightened importance to the Enforcement Department. We hope you use the information in this letter to gain valuable insights into key FINRA examination and regulatory topics as you assess your firm's compliance, ethics and supervisory programs.

The financial services industry continues to face unique challenges stemming from current economic conditions. While some sectors of the market saw a recovery in 2009 from historic lows, many investors and broker-dealers are still struggling after incurring significant losses. In 2009, the financial decline also exposed investment frauds perpetrated by registered and unregistered parties — many of whom were outside of the broker-dealer community. These frauds have reinforced the need for FINRA to execute rigorous regulatory programs over its regulated entities throughout their business structures with respect to both broker-dealer and related activities. This heightened focus will better ensure strong compliance and fraud detection that protect investors.

Moreover, FINRA points out that as the financial services industry has evolved, firms have been registering both as broker-dealers and investment advisers, and many registered representatives have registered either as investment advisers or investment adviser representatives. It is FINRA's longstanding position that firms must supervise, as private securities transactions, their registered representatives' investment adviser business to the extent that those representatives participate in the execution of a transaction on behalf of their advisory clients. Dually registered firms and dually registered individuals are advised that FINRA examiners may review their investment advisory activities to ascertain that the firms are properly supervising those activities in a manner that reasonably ensures that those activities comply with applicable FINRA rules, including best execution and Rule 2010 governing just and equitable principles of trade.

FINRA regularly issues communications to firms to highlight areas of heightened concern. In this regard, we suggest that you review this, as well as previous communications, to ensure you understand FINRA's examination focus and priorities. You can reference prior communications at:

FINRA's examination program is risk-based. This means that the frequency, content and scope of your firm's examination will depend on the risk, scale and nature of your operations.

New Developments

Office of Fraud Detection and Market Intelligence

In October 2009, FINRA established the Office of Fraud Detection and Market Intelligence. This new office provides a heightened review of allegations of serious frauds, provides a centralized point of contact on fraud issues, and consolidates subject-matter expertise in expedited fraud detection and investigation. The creation of this office is one component of FINRA's broader effort to promote proactive fraud prevention and detection, and improve regulatory responses to specific fraud instances.

Expansion of BrokerCheck and Permanent Disclosure of Final Regulatory Actions Against Former Brokers

In November 2009, FINRA instituted a major expansion of its BrokerCheck® service, which makes certain records of final regulatory actions against brokers permanently available to the public, regardless of whether they continue to be employed in the securities industry. As a result, investors can now find disclosure information on such formerly registered persons beyond the two years following the termination of their registration. FINRA believes this expansion will enable the investing public to learn about the backgrounds of former brokers who have been subject to such actions and who may no longer be registered with a broker-dealer, but are describing themselves as financial planners or other financial services professionals. In addition to the final regulatory actions (such as bars, suspensions and fines), disclosure records generally include administrative information such as employment and registration history, and the dates and names of qualification examinations passed by the individual.

FINRA is committed to continually evaluate the utility of the information provided to the public through BrokerCheck and to consider whether greater disclosure of information is appropriate. In this regard, the FINRA Board of Governors recently approved proposed changes to the BrokerCheck program that would

  1. extend from two years to 10 years the period during which any former registered person's record is displayed through BrokerCheck after that person's registration is terminated;
  2. disclose "historic complaints" that became historic (i.e., non-reportable) on or after August 1999; and
  3. expand the types of events that cause a former registered person's record to be permanently displayed through BrokerCheck.

Rule Consolidation Process

Following the consolidation of NASD and NYSE's member regulation functions into FINRA, FINRA established a process to develop a new consolidated rulebook (Consolidated FINRA Rulebook). FINRA has been proposing new sets of consolidated rules to the Securities and Exchange Commission (SEC) in phases. The most recent consolidated rules that the SEC approved and for which effective dates have been announced are described in Regulatory Notice 10-10 (and go into effect April 19, 2010).

FINRA created three rule conversion charts that map NASD and incorporated NYSE rules to new FINRA rules and vice versa. The charts are located at and serve as a reference aid only — they do not serve as a substitute for diligent review of the relevant new rule language.

As rules become effective, firms must carefully review the new rule requirements to ensure compliance with those rules. Changes to rule citations in a firm's written supervisory procedures can wait until its next scheduled update, provided the update cycle frequency is reasonable. However, to the extent a new FINRA rule imposes new or different compliance requirements than its NASD or Incorporated NYSE predecessor, firms should promptly update procedures. FINRA also expects firms to communicate the specific requirements of rule amendments to appropriate firm personnel, and provide education and training to the extent deemed necessary for full compliance with the requirements.

eFOCUS Filing Platform

During 2009 and 2010, FINRA has been introducing eFOCUS™ — an upgraded technology platform for firms to submit Financial and Operational Combined Uniform Single (FOCUS) Reports to FINRA. By mid-year 2010, FINRA anticipates completing the migration of all firms to eFOCUS. The process of transitioning firms to eFOCUS was phased-in to ensure that each firm was provided with a high level of support. Thus far, more than 3,300 firms have migrated to eFOCUS.

The migration to eFOCUS does not result in a significant change in business processes or policies even though it is an enhanced technology platform that provides new analytical tools for firms and Regulatory Coordinators. With eFOCUS, firms can easily navigate their FOCUS filings (including historical filings made through WebFOCUS). Some of the tools and features that eFOCUS provides include line-item help and history, an option to submit explanatory text or calculations with the FOCUS filing, the ability to perform trending analysis, and the ability to create charts and compare eFOCUS reports or line items across multiple filing periods.

Regulatory and Business Considerations

New Products

In the 2008 and 2009 versions of this letter, FINRA addressed concerns surrounding sales of new products, whether the products were new to the industry or a firm, and sales of alternative investments. FINRA reminds firms that prior to creating or selling a new product, they must understand the nature and risks associated with the product.

In particular, FINRA has observed growth in the retail market for principal-protected notes (PPNs). These securities are often marketed as combining the relative safety of bonds with a potential for growth not available with traditional fixed income products. Sales of reverse convertible notes have also increased, and these products carry certain risks, as their terms and structures can be complex. Firms and sales persons must be mindful of the concerns outlined in Regulatory Notices 09-73 (PPNs) and 10-09 (reverse convertibles). These types of products raise particular concerns for investors reaching for high yields who may not fully understand the complex structure of the products, including terms, features and risks that can be difficult for retail investors to evaluate. When selling any structured product, including reverse convertibles, firms must consider the suitability of the security recommended, and must carefully review and understand the product itself.

Firms must first perform a reasonable-basis suitability analysis to determine if a product is suitable for at least some customers before offering the product. Firms must then perform customer-specific suitability analysis to determine if a product is appropriate before making a recommendation to an individual customer. And they must ensure that all applicable disclosures about risks are made to investors. Once a firm starts selling a new product, it should ensure it has appropriate supervisory and surveillance capabilities, such as being able to determine whether market conditions have altered the risks or predicted performance of the product. Firms must also provide appropriate training regarding any approved new products.

Merged or Acquired Firms

As a result of recent economic events, the securities industry has witnessed a series of mergers and acquisitions. The substantial integration efforts involved in combining two entities present unique opportunities for regulatory risk. Complications may arise beyond simply integrating back-office operations and systems. For instance, successor firms must:

  • properly craft supervisory procedures and systems to effectively monitor combined personnel and reflect the new business model;
  • integrate trading platforms and trade reporting functions;
  • potentially assimilate or close overlapping branches;
  • update system entitlements and physical access restrictions;
  • ensure proper electronic record retention and surveillance; and
  • develop and implement a single business continuity plan.

Firms should also conduct post-merger reviews to ensure that the changes that have been implemented are working as intended. Additionally, subject firms may need to address heightened insider threats and system attacks resulting from layoffs and otherwise disgruntled personnel. For more information, visit FINRA's Mergers, Acquisitions and Business Transfers webpage at

Direct Market Access/Sponsored Access

The growth of high-frequency trading in an increasingly automated equities market has placed a heightened focus on sponsored access. Under a sponsored access arrangement, a broker-dealer allows a third party (customers or other broker-dealers) to electronically route orders directly to various market centers, including exchanges and alternative trading systems (ATS), without the active participation of the sponsoring firm. In these types of arrangements, the third party routes its orders directly by using the sponsoring firm's market participant identifier (MPID) to access the trading system. Sponsored access arrangements can vary, including those where the sponsoring firm provides technology to the customer that allows the customer's orders to pass through the sponsoring firm's system of controls (often referred to as "direct market access"). Or the sponsoring firm can provide the customer with a direct link to an exchange or ATS, such that the customer's orders do not pass through the sponsoring firm's systems (often referred to as "naked" or "unfiltered" sponsored access).1

Whether sponsored access is filtered or naked, the sponsoring broker is ultimately responsible for certain legal, financial and regulatory risks associated with that arrangement. The sponsoring broker is also responsible for ensuring that its sponsored participants' activities comply with all applicable securities rules and regulations, including those of FINRA and the exchange or ATS where orders are executed. Firms that provide sponsored access are reminded that they should have written internal control and supervisory procedures to monitor this activity. Firms are responsible for taking steps to ensure that such orders (whether entered by the member firm, customers or non-members) are free of errors and represent bona fide trading interest, and for taking steps to prevent the entry of orders without compliance with FINRA and exchange rules. Firms also need to have an appropriate process for conducting due diligence to determine which customers they approve for DMA/sponsored access.

In addition, firms should establish controls that systemically limit financial exposure arising from the trading activity of sponsored participants. As an example, firms may establish pre-set credit thresholds for each participant and may set certain price, size or value parameters that would reject orders that exceed the established parameters (e.g., "Fat-Finger" checks). Firms should also establish controls that limit the use of the system to authorized persons or parties (e.g., prohibition on the use of shared passwords/log-ons), establish checks for validation of order accuracy, and monitor for duplication/retransmission of orders previously transmitted for execution.2 Sponsored access in any form does not relieve a sponsoring broker of its obligations to monitor and supervise the activity conducted by its sponsored participants.

Life Settlements

Sales of existing life insurance policies to third parties — referred to as life settlements — have increased in recent years, and FINRA has reminded firms of their obligations with respect to this activity (see Regulatory Notice 09-42 and NTM 06-38).

The 2009 Notice advises firms that if they seek to enter the business of variable life settlements, they must file a continuing membership application with FINRA for approval of this material change pursuant to NASD Rule 1017. Both Notices address firm participation in the sale and marketing of interests in fixed and variable life insurance policies for investment purposes. The Notices also seek to ensure that firms deal only with licensed providers in the states that require it, and they provide guidance regarding best execution and fair charges for commissions or services performed. Finally, the Notices contain important guidance pertaining to the supervision of life settlement activity, including sales to senior investors.

See for additional information and educational resources.

Member Private Offerings

On June 17, 2009, FINRA adopted Rule 5122, which addresses member private offerings (MPOs) (see Regulatory Notice 09-27). FINRA Rule 5122 is intended to address potential conflicts and abuses that can occur when a firm sells its own securities or those issued by a control entity to investors through private placements. The new rule requires a firm that engages in a private placement of unregistered securities issued by itself or a control entity to:

  1. make certain disclosures to investors in a private placement memorandum (PPM),
  2. file the PPM with FINRA and
  3. commit that at least 85 percent of the offering proceeds will be used for the business purposes identified in the PPM.

Firms that have conducted MPOs can expect FINRA examiners to carefully review this issue.

Apart from firms engaging in private placements of unregistered securities issued by themselves or a control entity, FINRA has seen an increase in the number of investor complaints involving the sale of private placements in general. For example, in 2009 several enterprises that had raised capital through private placements by FINRA firms collapsed. FINRA examinations have revealed serious concerns relating to substantive reviews, reasonable-basis and customer-specific suitability, disclosure, internal controls, training, adherence to the registration and exemption requirements, and consideration of the creditworthiness of the product and issuer.

For additional information, see NTMs 03-71, 05-18, 05-48 and 05-26 and Regulatory Notices 07-43 and 08-81, as well as the 2008 and 2009 versions of this letter, which discuss new products and alternative investments.

Hiring and Compensation Practices

On August 31, 2009, SEC Chairman Mary L. Schapiro issued an open letter to remind broker-dealer chief executive officers of their supervisory responsibilities under the federal securities laws. Her letter followed reports that special recruitment programs at some firms involve enhanced compensation arrangements that require brokers to meet certain sales targets. The letter states that some enhanced compensation arrangements could induce brokers to engage in conduct that is not in investors' best interest and reminds CEOs that they have an obligation to police such conflicts. In addition, the letter reminds CEOs that as their firms grow, their supervisory and compliance infrastructures should retain sufficient size and capacity. FINRA examinations will continue to identify and review activities of newly hired individuals who have been offered enhanced compensation packages as part of their recruitment, as well as supervision of these individuals.

Additionally, firms are reminded of their obligations surrounding the unnecessary liquidation of proprietary and non-proprietary products of newly hired individuals that may not be freely transferable to the new firm. NTM 07-06 discusses suitability considerations for recommendations to liquidate, replace or surrender existing investments based upon the investment needs of customers and not the financial needs of the firm or its associated persons.

Municipal Securities

The impact of the economic downturn on municipalities has reinforced the importance of firms' disclosure responsibilities under SEC and MSRB rules with respect to municipal securities. Securities Exchange Act (SEA) Rule 15c2-12(b)(5) requires an underwriter to make a reasonable determination that the municipal issuer or obligated person has undertaken in writing to provide the MSRB continuing disclosure information, including annual financial information and information about events with respect to the issuer's securities as stated in paragraphs (b)(5)(i)(C) and (D) and paragraph (d)(2)(ii)(B), commonly known as "material events notifications."

In addition, Rule 15c2-12(c) requires any municipal securities broker or dealer, prior to recommending the purchase of a municipal security, to have procedures in place that provide reasonable assurance that it will receive prompt notice of those material events. MSRB Rule G-17 requires firms to disclose, at or before the sale of municipal securities to a customer, all material facts about the transaction, including a complete description of the security and information obtained from established industry sources. These obligations apply even when a dealer is acting as an order taker and effecting non-recommended secondary market transactions. MSRB Rule G-32 requires any firm selling a municipal security to a customer during the primary offering disclosure period, as defined in Rule G-32(d)(ix), to provide the customer a notice explaining how to obtain the official statement (OS) from the MSRB's Electronic Municipal Market Access (EMMA) Website and that a copy of the OS is available on request. The Rule G-32 official statement delivery requirement applies to all firms selling municipal securities during the primary offering disclosure period, regardless of whether they participated in the underwriting syndicate or conducted transactions in the secondary market. For additional information, see Regulatory Notice 09-35.

FINRA's MSRB G-32 report card can help underwriters of municipal securities analyze and improve compliance with MSRB Rule G-32 and related reporting to EMMA. For more information, see

Supervision of Transmittals and Withdrawals of Customer Assets

Recent cases involving the misappropriation of customer assets have highlighted the importance of having adequate procedures for verifying the validity of instructions to transmit or withdraw securities or other assets from customer accounts. Misappropriation of customer assets can be perpetrated by employees of the firm or through outside investment advisers or other third parties purporting to be acting on behalf of the customer. As part of their duty to safeguard customer assets and to meet their supervisory obligations, firms must have and enforce policies and procedures governing the withdrawal or transmittal of funds or other assets from customer accounts. Policies and procedures should be reasonably designed to review and monitor all instructions to transmit or withdraw assets from customer accounts, including instructions from an investment adviser or other third party purporting to act on behalf of the customer. Firms are required to test and verify their procedures for adequacy and to update them when necessary. NASD Rule 3012 (Supervisory Control System) and Incorporated NYSE Rule 401 (Business Conduct) require all firms to establish, maintain and enforce written supervisory control policies and procedures that include procedures that are reasonably designed to review and monitor the transmittal of funds (e.g., wires or checks) or securities. For additional information, see Regulatory Notice 09-64.

New FINRA Financial and Operational Rules

Firms are reminded that FINRA Rule 4110 (Capital Compliance), which became effective on February 8, 2010, prohibits all firms from withdrawing equity capital for a period of one year from the date it was contributed, unless otherwise permitted by FINRA in writing. Further, firms that carry or clear customer accounts must obtain prior written approval before withdrawing any capital that exceeds 10 percent of the firm's excess net capital in any rolling 35-calendar-day period. This includes withdrawals of profits, routine dividends and similar distributions. The rule also prohibits carrying and clearing firms from making any unsecured advance or loan to a stockholder, partner, sole proprietor, employee or affiliate where such advances or loans in the aggregate exceed 10 percent of the firm's excess net capital in any rolling 35-calendar-day period. See Regulatory Notice 09-71.


Market events of the past two years have demonstrated the importance of sound liquidity risk management practices. Firms must tailor these practices to their size, nature of their business and complexity of their operations, and should consider intra-day and overnight liquidity risk. Firms should actively manage their intra-day liquidity positions to meet payment and settlement obligations on a timely basis under both normal and stressed conditions. It is important for firms to actively manage collateral positions, including the ability to promptly revalue collateral after market movements, as well as understand the physical location of these positions and how they may be mobilized in a timely manner. Sufficient collateral should be available to meet expected and unexpected borrowing needs and unanticipated increases in margin requirements over various timeframes. Firms are reminded of the importance of diversifying lending counterparties in the event of market-wide or specific stress situations. Firms should conduct stress tests on a regular basis to identify sources of potential liquidity strain and use the outcomes of these stress tests to adjust their liquidity risk management strategies, policies and positions and to develop effective contingency plans.

Cross-Market Surveillance

In recent years, trading activity in both equities and options has continued to disperse across multiple trading venues due to increased competition among exchanges and alternative trading systems. FINRA's automated surveillance systems have the capability to evaluate trading activity across multiple marketplaces to detect potential manipulative conduct on a single or cross-market basis. FINRA expects firms' policies, procedures and controls to be fashioned in a manner that addresses potential manipulative trading activity on a cross-market basis.

Circulation of Rumors

Firms are reminded of their obligations under FINRA Rule 6140(e) and NYSE Rule 435(5). FINRA Rule 6140(e) prohibits registered persons from making a statement or circulating and disseminating any information that might reasonably be expected to influence the market price of certain securities. Similarly, NYSE Rule 435(5) prohibits circulation of sensational rumors that might reasonably be expected to affect market conditions on the exchange. In addition to these requirements, registered persons have obligations under FINRA Rule 201039 to refrain from any conduct or activity inconsistent with just and equitable principles of trade. Firms should review their internal controls, procedures and surveillance practices with regard to rumors to ensure that potential misconduct is identified and reviewed in a timely manner.

Fair Pricing and Best Execution Obligations for Fixed Income Securities

FINRA has seen an increased level of retail investor participation in the fixed income markets. FINRA continues to review execution pricing in debt securities transactions between firms and their customers (pricing reviews). Pricing reviews focus on whether a firm charged a fair and reasonable mark-up (or mark-down) in relation to the prevailing market price under FINRA Rule 2010,4 NASD Rule 2440, NASD IM-2440-1, NASD IM-2440-2, MSRB Rule G-17 and MSRB Rule G-30.

In light of increased market volatility, FINRA has intensified its focus on firms' obligations with respect to providing best execution in debt securities transactions under NASD Rule 2320 (Best Execution and Interpositioning). Through automated surveillance, FINRA reviews customer transactions in debt securities to determine the extent to which a firm has exercised reasonable diligence to ascertain the best market so that the resulting price to the customer is as favorable as possible under prevailing market conditions. FINRA reminds firms that they are required to have written supervisory policies and procedures to supervise all debt securities execution pricing determinations.

Additionally, as stated in Regulatory Notice 09-57, debt securities that are issued or guaranteed by an agency or government-sponsored enterprise (collectively, Agency Debt Securities) will become TRACE-eligible securities effective March 1, 2010, and transactions in such securities will be reported and disseminated. Certain primary market transactions — those that qualify as list or fixed price offering or takedown transactions — in TRACE-eligible securities will be reportable TRACE transactions, but will not be disseminated. FINRA is developing comprehensive automated surveillance to review for compliance in this area and will publish a separate report card for transaction reporting in Agency Debt Securities. FINRA also offers e-learning courses on fixed income topics.

On February 22, 2010, the SEC approved FINRA Rule Filing SR-FINRA-2009-065, which expands the definition of TRACE-eligible securities to include asset-backed, mortgage-backed and other similar securities. FINRA will notify firms prior to the effective date of this rule.

OATS Reporting

OATS data remains an important component of FINRA's automated surveillance process. As such, firms must understand their reporting status (reporting member, exempt firm, non-reporting member, etc.) and their related obligations. Reporting members are reminded of their responsibility for the accuracy and integrity of OATS data submitted by them or on their behalf, and of the importance of a frequent review of the OATS Web interface as part of an effective supervisory system. The Web interface allows firms to monitor late reporting, rejected data, unmatched reports and out of sequence reports.

To further assist firms in identifying potential OATS issues in a timely manner, FINRA now publishes, in addition to the regular report card, a preliminary report card on the eighth business day of the month. Firms identified as having compliance rates outside their peer group norms are notified by email. Firms receiving such emails are encouraged to take action to resolve any potential compliance issues in a timely manner. Additional information can be found at

In addition to reporting status, firms' OATS reporting responsibilities depend largely on the capacity and manner in which a firm handles orders in NASDAQ and OTC equity securities. For instance, a firm routing orders on a straight agency basis will have different responsibilities from firms handling orders on a riskless principal or on an agency average price basis. For additional information, see FAQ C62 and the related OATS report.

Finally, firms engaging in sponsored access relationships with other firms are reminded that both the sponsored and sponsoring parties maintain OATS reporting obligations, as discussed in FAQ C83. Firms sponsoring non-member entities also have an obligation to report all activity occurring under the sponsoring MPID in NASDAQ and OTC equity securities.

Examination Priorities

Fraud Detection

Financial disruptions over the past two years have placed a spotlight on securities fraud. In response to the discovery of fraudulent activities carried out by certain firms, FINRA has strengthened its fraud detection efforts through the creation of the Office of Fraud Detection and Market Intelligence. Notably, FINRA examiners now investigate evidence of potentially fraudulent conduct regardless of product or service if the activity is in the same legal entity as the registered broker-dealer. FINRA has also enhanced examiner training and procedures for detecting and investigating red flags indicating fraudulent behavior, and placed an increased emphasis on performing independent verification of information that firms provide. Fraud concerns include Ponzi schemes, stock manipulations, insider trading, falsified financial statements and misappropriation.

FINRA expects firms to maintain robust supervisory systems reasonably designed to prevent and detect fraudulent activities by employees. For example, robust anti-money laundering (AML) monitoring systems can assist in detecting possible illegal customer conduct, such as unregistered stock distributions or other suspicious penny stock liquidations. Conversely, deficient electronic communication retention and supervisory systems can allow rogue employees to conduct undetected fraudulent activities.5 FINRA recognizes that some fraud events involve the direct participation of senior management. In this regard, firms must maintain strong control environments, including segregation of critical duties that mitigate potential for management-directed fraud. Firms should treat whistleblower tips seriously and investigate them thoroughly. Once evidence of a potential fraud is uncovered, firms should timely notify the appropriate authorities, including FINRA.

Information Barriers

FINRA examinations continue to find firms with weak information barriers, particularly firms that engage in private investment in public equity (PIPE) activities. FINRA reminds firms that they must have procedures in place to monitor or otherwise control the flow of material, non-public information within the firm and with its affiliates, clients and others to prevent insider trading or other misuse of material and non-public information.

Firms must tailor their information barrier procedures to their business activities and organizational structure. Firms must implement procedures addressing the use of restricted and watch lists, monitoring systems, reviews of proprietary and employee trading (both at the firm and away from it), reviews of questionable activities and record keeping requirements. Procedures should identify the departments and individuals responsible for executing the firm's policies on monitoring for insider trading and other misuses of material, non-public information. FINRA has an ongoing special review of information barriers. For more information, see

Variable Annuities

On February 8, 2010, FINRA moved NASD Rule 2821 into the Consolidated FINRA Rulebook as FINRA Rule 2330. On that same date, paragraph (c) regarding principal review and approval, paragraph (d) on supervisory procedures and supplementary material to the rule became effective.

A primary focus of examinations in this area will continue to be recommendations to exchange annuities. These include recommendations to exchange annuities involving different living and death benefits, recommendations to exchange annuities after a registered representative changes firms, and recommendations involving annuity exchanges where the financial condition of the issuer has appeared to decline. Finally, FINRA remains concerned with annuity recommendations made to senior investors. For more information on variable annuities, see

Protection of Customer Information and IT/Cyber-Security

The financial services industry, like other industries, faces increased information technology (IT) and cyber-security risks. Firms, employees, vendors and customers increasingly rely on technology to support various functions and capabilities. While technology can create efficiencies, it also exposes potential risks, such as individual client account intrusions, system intrusions, hacking, cyber attacks and espionage, data loss, privacy issues, insider threats, corruption of critical supply chain software, and risks involving third-party service providers and industry utilities. Appropriately monitoring and supervising technology-related areas within the firm and vendors helps mitigate this risk. Additionally, the recent FBI-reported hacking of payment processors highlights the importance of understanding not just emerging threats, but the existing vulnerabilities lying inside a firm's systems.6

Firms can also be susceptible to malicious internal activity. Insiders may include employees, ex-employees, contractors or vendors. A disgruntled employee often has more access and ability than an external intruder to harm a firm or its customers.

The SEC's Regulation S-P requires policies and procedures that address administrative, technical and physical safeguards for the protection of customer information and records. Firms must ensure that their policies and procedures are designed to reasonably protect against any anticipated threats or hazards to the security and integrity of customer records and information. Firms should also consider how they mitigate the risk of insider threats, such as through internal surveillance, monitoring and controls.

For more information, visit the following pages on FINRA's Web site:

  • Customer Information Protection (
  • Firm Identity Protection (
  • Firm Checklist for Compromised Accounts (

Anti-Money Laundering

AML compliance continues to be a focus of FINRA examiners. On January 1, 2010, FINRA adopted NASD Rule 3011 and NASD IM-3011-2 (without substantive change) and NASD IM-3011-1 (subject to certain amendments) into the Consolidated Rulebook as FINRA Rule 3310. FINRA Rule 3310 eliminates the independent testing exception in NASD IM-3011-1. Accordingly, effective with the 2010 calendar-year testing, firms that used the exception in IM-3011-1 (typically small firms) will have to find an individual that meets the independent testing requirements in FINRA Rule 3310 to conduct their AML test. This rule change may require firms that previously used the exception to find an external party to conduct the AML test to meet the independence requirement. For more information, see SR-FINRA-2009-039 ( and Regulatory Notice 09-60 (

FINRA examiners will continue to closely review firms' systems for monitoring, detecting and reporting suspicious activity. In 2009, FINRA took action against firms for failing to establish and/or implement procedures to detect and report suspicious securities transactions, particularly trading in low-priced securities due to the risks associated with these securities and red flags that went undetected.7 FINRA's AML small firm template, updated as of January 1, 2010, includes new red flags related to securities transactions, deposits of physical certificates and penny stock companies. Firms of all sizes should consider incorporating these red flags into their AML programs. Firms using automated monitoring that does not focus on manipulative trading activity, or focuses only on suspicious trading accompanied by a suspicious money movement, may not have adequate systems.8 Firms are reminded that they should tailor their monitoring systems to their business and risk profile. (The updated template is available at

Pandemic Preparedness/Business Continuity Planning

Effective December 14, 2009, FINRA adopted NASD Rules 3510 (Business Continuity Plans) and 3520 (Emergency Contact Information), without substantive change, as FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information). For more information, see SR-FINRA-2009-036 ( and Regulatory Notice 09-60 (

In 2009, the outbreak of influenza A (H1N1) or swine flu, while less severe to date than initially predicted, nonetheless reminded the industry of the importance of adequate business continuity and pandemic planning. Firms are reminded that they must create and maintain a written business continuity plan (BCP) that is designed to meet existing obligations to customers and address relationships with other broker-dealers and counterparties. In order to form a comprehensive plan, firms must conduct their own risk analysis to determine their vulnerability to various types of business disruptions, such as a pandemic, hurricane, earthquake, flood or cyber event. As noted in Regulatory Notice 09-59 (, the amount and degree of preparation needed depends on, among other things, the size of the firm, its office locations, its counterparty and service provider relationships, and the nature of its business. FINRA examiners review firms' BCPs, as appropriate, to understand how the possible effects of a pandemic are taken into account.

For more information, visit the following pages on FINRA's Web site:

  • Pandemic Preparedness (
  • Business Continuity Planning (

Branch Office Supervision

In 2010, FINRA will continue to examine certain branch offices with an emphasis on registered representatives with multiple customer complaints and sales practice disclosures, statutorily disqualified persons and branch office supervision. Many sales practice violations by registered representatives could be prevented or quickly detected through diligent or heightened supervision. FINRA inspections will also include a review of the adequacy of firms' internal inspections of their branch offices. Branch office internal inspections must include specific areas of review enumerated in NASD Rule 3010(c)(2). Internal inspections should be risk-based, customized to the business of the branch, and a report of the inspection must be created and maintained.

More information about branch office supervision and registration is available on FINRA's Web site at FINRA also offers related e-learning courses (


The number of broker-dealers that outsource key operational functions, including many back office securities processing activities, continues to increase as firms look for additional opportunities to reduce expenses and focus on core business activities. Firms are reminded that while they may outsource certain functions, a firm has a continuing responsibility to oversee, supervise and monitor a service provider's performance (see NTM 05-48 at As a result, firms must perform the necessary due diligence and counterparty risk assessment when outsourcing functions to service providers. Factors to consider when performing due diligence reviews of service providers may include the experience and ability of the service provider to perform the outsourced services, the service provider's reputation and financial status, the effectiveness of the service provider's privacy and confidentiality controls, and the risk of concentration of functions with any single service provider.

In addition, firms must also establish controls and procedures to ensure that vendors are fulfilling their duties responsibly and in compliance with applicable rules and service agreements. These ongoing obligations may be fulfilled by requiring vendors to meet measurable performance standards, meeting frequently with vendor personnel and management, and assigning qualified personnel to monitor, review and supervise the activities of the service provider. Furthermore, firms should consider the risks of activities that are outsourced to entities operating in foreign jurisdictions and determine the impact of outsourcing arrangements on the firm's business continuity plans.

Firms are also reminded that outsourcing covered activities in no way diminishes a firm's responsibility for either its performance or its full compliance with all applicable federal securities laws and regulations, and FINRA and MSRB rules. Finally, a firm may never contract away its supervisory and compliance activities from its direct control. This prohibition, however, does not preclude a firm from outsourcing certain activities that support the performance of its supervisory and compliance responsibilities.

Inventory and Collateral Valuation

Examiners continue to pay close attention to the valuation of inventory and collateral positions that do not have readily observable market prices. It is important that firms with significant positions in illiquid, structured or complex securities have processes in place to obtain reliable valuations for these instruments from sources independent of the trading desk. In addition, a review by senior management of unverified positions should occur at prescribed intervals. Extending the duties of the independent price verification function to the firm's financing desks to ensure consistent pricing is a practice that is encouraged.

Examiners will continue to review procedures and controls in place to ensure consistency in the valuation of similar inventory and collateral positions that exist within and across various business lines or functions. In 2010, examiners will also review procedures for escalating pricing differences to management and the appropriateness of materiality thresholds established in escalating these differences. We have also seen inconsistencies in firm practices for the aging of firm-wide inventory, whereby only select products are aged. The inability to age inventory and report this information to management may limit management's ability to assess the liquidity position of the firm. Examiners will continue to review firms' procedures for capturing and reporting aged firm-wide inventory.

Customer Margin Debits Collateralized by Nonmarketable Securities

Examiners have noted instances where some firms extend credit to customers via a margin loan secured by nonmarketable positions in control and restricted stock. Given the illiquidity of these positions, the customer debit is deemed partly secured or unsecured for net capital purposes and may not be eligible for inclusion in the reserve formula as a debit. Further, the customer margin account is deemed to be undermargined, triggering a margin call. Firms are encouraged to review their practices for accepting margin collateral with a view toward salability and marketability.

Accounting and Spreadsheet Controls

In recent years, examiners have noticed an increase in the use of spreadsheets to record transactions that cannot be easily accommodated in a transaction processing system. Problems have been identified with the flow of relevant information from these spreadsheets to risk systems, financial statements and regulatory computations. FINRA has observed instances where multiple departments within a firm use spreadsheets that lack controls to protect the integrity of the data when the spreadsheet moves among departments. Additionally, as firms increase the use of exception-based reports as part of their internal control processes, FINRA has observed instances where a new or revised control process is implemented and then, due to technology changes or the establishment of new accounts, the exception reports are not reassessed and tested for accuracy and relevance.

Further, recording certain transactions only on spreadsheets increases operational risk, which can exacerbate market or credit losses.

Examiners will review the controls in place to ensure that firms' books and records and regulatory computations accurately comprehend data that is not automatically posted from transaction processing systems. Examiners will also review the controls that are in place by firms to ensure the data integrity and completeness of spreadsheets and exception reports.

Day-Trading Margin

Examiners have identified instances where firms are not complying with the day trading margin rules that apply to margin-eligible equities, options and fixed income securities. Firms are reminded that day trading is not permissible in a cash account. FINRA margin rules require pattern day traders to maintain minimum equity of $25,000 in each customer account. In addition to the minimum equity requirement, customers' buying power is limited to the equity in a customer's account at the close of business of the previous day, less any maintenance margin requirements, multiplied by four for equity securities.

Fully Paid Lending Programs

FINRA continues to see an increase in the use of fully paid customer securities for lending programs. As a result of these programs, customers may lose their SIPC protection and may lose their proxy voting rights. It is important that customers understand the risks they take by consenting to participate in these programs, and firms should give them information to understand how they will be compensated for the additional risk they are assuming. Examiners will continue to review the recording of these transactions on firms' books and records, as well as the disclosures made and fees paid to customers. Before establishing new programs, firms are encouraged to discuss them with their Regulatory Coordinator.9 FINRA recently issued Regulatory Notice 10-03 ( requesting comment on proposed FINRA Rule 4330, which establishes new requirements to address the increase in the borrowing and lending of customers' fully paid or excess margin securities.

Market Regulation Options Examination Program

In 2010, FINRA will implement a pilot program to examine options-access firms. This options examination will be similar in nature to the current trading and market making surveillance (TMMS) equity examinations, and will focus on trading activity that cannot easily be reviewed through automated surveillance.

Short Sales and Regulation SHO Compliance

Due to ongoing concerns about short selling and its impact on market integrity, FINRA will continue its focus on short sale rule compliance in 2010. FINRA reminds firms that they must comply with all SEC and FINRA regulatory requirements relating to short selling. Firms should review their compliance and supervisory programs to ensure that they are consistently meeting their obligations under SEC Regulation SHO, including the order marking requirements of Rule 200(g), the locate requirements of Rule 203(b)(1), and the close-out requirements of Rules 203(b)(3) and 204. Firms are also reminded that they must properly trade report short sales pursuant to FINRA Rules 7130, 7230A, 7230B, 7230C, 7330, 6182 and 6624, and report short positions existing in all customer and proprietary accounts twice a month pursuant to FINRA Rule 4560.

Additionally, on February 24, 2010, the SEC adopted amendments to Regulation SHO Rules 200(g) and 201. The amendments, known as the "alternative uptick rule," are designed to restrict short selling from further driving down the price of a stock that has dropped 10 percent in one day. The amendments will become effective 60 days after the Federal Register publication date, and then market participants will have six months to comply with the requirements. See Securities Exchange Act Release No. 61595 (February 26, 2010).

Regulation SHO Rule 204 became effective on July 31, 2009, making permanent (with minor modifications) requirements that firms promptly purchase or borrow securities to deliver on equity sale transactions.10 The new rule states that a participant of a registered clearing agency is required to deliver securities for any equity long or short sale transaction by settlement date (T+3). If delivery is not made on settlement date, the participant must close out the fail to deliver by either purchasing or borrowing securities of like kind and quantity by the beginning of regular trading hours (i.e., 9:30 a.m., ET)11 on the settlement day following the settlement date (T+4).

If a participant can demonstrate on its books and records that the fail to deliver resulted from a long sale or is attributable to bona fide market making,12 the participant may close out the fail to deliver by purchasing or borrowing stock no later than the third consecutive settlement day following the settlement date (T+6).13 If a participant of a registered clearing agency does not close out its fail to deliver as required, Rule 204 prohibits the participant, and any broker-dealer for which it receives trades for clearance and settlement, from accepting or effecting a short sale order in the subject equity security, without first pre-borrowing the security or entering into a bona fide arrangement to borrow the security. This pre-borrow requirement also applies to market makers that would normally be exempt from the locate requirement under Regulation SHO Rule 203(b).

Algorithmic Trading Controls

FINRA increased its focus on firms that conduct algorithmic trading for their proprietary accounts or offer this type of trading to their customers. Firms should review their internal controls, procedures and surveillance practices with regard to algorithmic trading to ensure that the algorithms are functioning properly and the transactions are in compliance with customer instructions and FINRA regulatory requirements. FINRA reminds firms that they have an ongoing obligation to test and verify that their supervisory procedures are reasonably designed to achieve compliance with applicable securities laws, regulations and FINRA rules, and to amend those supervisory procedures when such testing identifies a need. Accordingly, the examination program will assess the extent to which the firm establishes, maintains and administers adequate supervisory controls for this area.


As always, we encourage you to contact your firm's Regulatory Coordinator with specific questions or comments that you may have. In addition, if you have comments or suggestions regarding how we can improve this letter, please send them to Daniel M. Sibears, Executive Vice President, Member Regulation Programs, at [email protected].


Robert C. Errico
Executive Vice President
Member Regulation, Sales Practice


Grace B. Vogel
Executive Vice President
Member Regulation, Risk Oversight and Operational Regulation


Thomas R. Gira
Executive Vice President
Market Regulation


Susan L. Merrill
Executive Vice President


  1. On January 19, 2010, the SEC proposed a rule that would require broker-dealers to establish, document and maintain a system of risk management controls and supervisory procedures reasonably designed to manage the financial, regulatory and other risks related to its market access, including access on behalf of sponsored customers. Among other things, the proposed rule effectively prohibits broker-dealers from providing customers with "unfiltered" or "naked" access to an exchange or ATS. See Securities Exchange Act Release No. 61379 (January 19, 2010). The comment period for this proposal ends on March 29, 2010. The SEC also recently approved the NASDAQ Stock Market LLC's filing to adopt a modified Sponsored Access Rule (Securities Exchange Act Release No. 61345 (January 13, 2010)).
  2. Id. See Notices to Members (NTMs) 04-66 ( and 98-96 (, and NYSE Information Memo 02-48 for additional information.
  3. Formerly, NASD Rule 2110. For additional information, see SR-FINRA-2008-028 ( and Regulatory Notice 08-57 ( (p. 30–31).
  4. See Id.
  7. See, e.g., FINRA Fines Three Firms Over $1.25 Million for Failing to Detect, Investigate and Report Suspicious Transactions in Penny Stocks, June 4, 2009 (
  8. See, e.g., E*Trade Securities, LLC and E*Trade Clearing, LLC, FINRA AWC 2006004297301, December 31, 2008, and Scottrade Inc., FINRA AWC 2007009026302, October 26, 2009.
  9. Discussions with Regulatory Coordinators do not create "safe-harbors" for firms. In this regard, firms remain responsible for full compliance with all applicable rules and regulations, including those discussed with Regulatory Coordinators or other FINRA staff members.
  10. Securities Exchange Act Release No. 60388 (July 27, 2009). In contrast with the restrictions of Rule 204T, paragraphs (a)(1) and (a)(3) of Rule 204 provide flexibility by permitting a borrow as well as a purchase to close-out a fail to deliver position. Also, Rule 204(e) now allows broker-dealers to obtain pre-fail credit if they close out their fail to deliver position by purchasing or borrowing a quantity of securities sufficient to cover the amount of that broker-dealer's "fail to deliver position," rather than the entire amount of the broker-dealer's open "short position," as was required by temporary Rule 204T.
  11. A participant of a registered clearing agency may satisfy its obligation to purchase securities to close out a fail to deliver by the beginning of regular trading hours using a volume weighted average price (VWAP) order, provided 1) the VWAP order to purchase the equity security is irrevocable and received no later than the beginning of regular trading hours on the close out date; and 2) the final execution price of any such transaction is not determined until after the close of regular trading hours when the VWAP value is calculated and the execution is on an agency basis. See footnote 66 of Securities Exchange Act Release No. 60388 (July 27, 2009).
  12. The SEC has stated that bona fide market making would not include activity that is related to speculative selling strategies or investment activity or activity that is disproportionate to the usual market making activity in the security. Additionally, the SEC does not generally consider firms that post quotes continually at or near the best bid but not at or near the best offer to be bona fide market makers. See Securities Exchange Act Release No. 50103 (July 28, 2004).
  13. Fails to deliver caused by the sale of a security that a person is deemed to own pursuant to §242.200 shall be closed out by the purchase of securities no later than the beginning of regular trading hours on the 35th consecutive calendar day following the trade date for the transaction. Such circumstances may include the situation where a convertible security, option or warrant has been tendered for conversion or exchange, but the underlying security is not reasonably expected to be received by settlement date. Another situation could include the sale of a Rule 144 security. See footnote 141 of Securities Exchange Act Release No. 60388 (July 27, 2009).