FINRA’s Approach to Member Firm Risk Assessments

FINRA evaluates 11 broad risk categories as a foundation to monitor and assess member firm1 risk and inform our risk-based examination program. We are sharing this risk framework and risk assessment methodology as part of our FINRA Forward Initiative to provide greater transparency into our risk assessment processes to further empower member firm compliance.

Risk Framework Overview

FINRA classifies each member firm into one of five business models: Capital Markets and Investment Banking Services, Carrying and/or Clearing, Diversified, Retail, and Trading and Execution. From there, FINRA assigns each firm to the narrower business segment within its business model that best reflects the firm’s primary business (e.g., private placements, FinTech, M&A and investment banking, proprietary trading and market making, alternative trading systems and electronic communication networks). A firm’s business segment is typically determined by considering a combination of factors, including but not limited to the firm’s major revenue streams, products and services offered, business model and customer composition.

In assessing a member firm’s risks, FINRA considers all available information in the context of potential risk to investors, counterparties and the securities markets, and draws a conclusion about these levels of risk. FINRA’s risk assessment begins with the Risk Monitoring team, which—in addition to acting as a point of contact and resource to firms, providing firms with prompt answers to their regulatory questions—is responsible for evaluating risk for each member firm. Risk is viewed in the context of two core concepts: 

  1. the likelihood of an adverse event happening (“risk likelihood”) after considering inherent risk and the effectiveness of controls (people, processes and systems); and
  2. the impact on the firm, customers and the market if that adverse event happens (“risk impact”). 

To consistently assess risk across such a diverse landscape, FINRA has developed a taxonomy, or Risk Construct, that foundationally starts with 11 broad risk categories:

  1. Accuracy of Regulatory Capital: The risk of error in a member firm’s computation and reporting of regulatory capital
  2. Credit: The risk of financial loss for a member firm due to the inability of a counterparty or borrower to meet its financial obligations
  3. Cybersecurity and Technology: The risk to a member firm of financial loss, business disruption or compromised data confidentiality, integrity or availability due to vulnerabilities in information systems and technology infrastructure, including the possibility of unauthorized access, disruption or systems failure
  4. Fraud and Deception: The risk of harm to a member firm, its customers or the securities markets due to the fraudulent actions of the member firm, its associated persons or its customers
  5. Liquidity: The risk of a member firm being unable to meet short-term financial demands in both business-as-usual and stressed environments
  6. Market: The risk of financial loss to a member firm due to price movements in the securities markets
  7. Market Integrity: The risk of harm to the fair and safe operation of the securities markets due to a member firm’s trading practices, particularly around trade execution
  8. Money Laundering: The risk of unlawful money movement and/or the facilitation of criminal activity by, at or through a member firm
  9. Operational: The risk to a member firm’s operations from inadequate or failed internal policies, procedures, controls and personnel
  10. Protection of Customer Assets: The risk of improper utilization or inadequate protection by a member firm of customer funds and securities
  11. Sales: The risk of investor harm due to the actions of a member firm or its associated persons through the offering of products and services

Risk Assessment Methodology Overview

FINRA assesses each of the 11 risk categories using a combination of quantitative and qualitative inputs to determine the level of inherent risk and the effectiveness of controls to mitigate that risk. The residual risk for each category, i.e., the level of inherent risk that remains after consideration of controls, is represented by a risk likelihood score. These 11 risks form the basis of the risk assessment and are considered together with other information regarding a firm’s risks.

Where available, FINRA uses quantitative inputs to determine a firm’s inherent risk. The risk assessment methodology uses member firm-reported data, as well as internally sourced data. 

When data is limited or unavailable, we use a structured evaluation framework, the Qualitative Input Assessment (QIA). QIAs are topics that address inherent risk and controls and standardize how to identify and document the aggravating and mitigating factors associated with each risk category. Unlike the quantitative inputs, QIAs incorporate observations and other qualitative information gathered by the Risk Monitoring team and other departments within FINRA, such as exam findings and observations relating to member firms’ compliance effectiveness, responsiveness and control environments.

FINRA updates these inputs on an ongoing basis as new data or information becomes available. The updates often result in changes in risk scoring for one or more of the 11 individual risk categories. We assign each category in the risk scoring model a numeric value and a weight, based on its relative contribution to the potential for harm. We use the weighted average to calculate a risk likelihood score of “low,” “medium-low,” “medium-high” or “high.” We then calculate the aggregate risk likelihood score as the weighted average of the individual risk likelihood scores and classify it on the same four-level scale.
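The two-level scoring described above (inputs weighted into a per-category residual score, per-category scores weighted into an aggregate, each mapped to one of the four likelihood bands) can be modelled as follows. This is an added illustration, not FINRA’s scoring model or code: the residual-risk formula, the band boundaries, the weights and the sample inputs are all assumptions chosen to show how a single elevated category with a higher weight moves the aggregate band.

```python
"""Illustrative two-level weighted risk-likelihood scoring (added example).

Assumptions, not FINRA's methodology: residual = inherent * (1 - control effectiveness),
a 0-100 scale, the band boundaries below, and all weights and sample values.
"""
from __future__ import annotations

from dataclasses import dataclass

# The 11 risk categories named in the Risk Construct.
CATEGORIES = [
    "Accuracy of Regulatory Capital", "Credit", "Cybersecurity and Technology",
    "Fraud and Deception", "Liquidity", "Market", "Market Integrity",
    "Money Laundering", "Operational", "Protection of Customer Assets", "Sales",
]

# Assumed upper bound of each band on a 0-100 scale (not from the page).
BANDS = [(25.0, "low"), (50.0, "medium-low"), (75.0, "medium-high"), (100.0, "high")]


@dataclass
class RiskInput:
    """One quantitative or QIA input feeding a single risk category."""
    name: str
    inherent: float   # inherent risk, 0..100
    control: float    # control effectiveness, 0.0 (none) .. 1.0 (fully mitigating)
    weight: float     # relative contribution of this input within its category

    @property
    def residual(self) -> float:
        # Assumed model: the inherent risk that controls do not remove.
        return self.inherent * (1.0 - self.control)


def to_band(score: float) -> str:
    """Map a 0..100 score onto the four likelihood labels."""
    if score < 0.0:
        raise ValueError("score below 0")
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError("score above 100")


def weighted_average(pairs: list[tuple[float, float]]) -> float:
    total_weight = sum(w for _, w in pairs)
    if total_weight <= 0.0:
        raise ValueError("weights must sum to a positive number")
    return sum(v * w for v, w in pairs) / total_weight


def category_score(inputs: list[RiskInput]) -> tuple[float, str]:
    """Weighted average of residual risk across a category's inputs, plus its band."""
    score = round(weighted_average([(i.residual, i.weight) for i in inputs]), 2)
    return score, to_band(score)


def aggregate_score(scores: dict[str, float], weights: dict[str, float]) -> tuple[float, str]:
    """Weighted average over all 11 categories; refuses to run with a category missing."""
    missing = sorted(set(CATEGORIES) - set(scores))
    if missing:
        raise ValueError(f"no score for categories: {missing}")
    score = round(weighted_average([(scores[c], weights[c]) for c in CATEGORIES]), 2)
    return score, to_band(score)


def sample_assessment() -> dict[str, tuple[float, str]]:
    """Constructed sample (not real firm data): one elevated category among ten quiet ones."""
    cyber_inputs = [
        RiskInput("externally reachable systems without current patches", 80.0, 0.50, 2.0),
        RiskInput("third-party vendor access to production", 60.0, 0.75, 1.0),
        RiskInput("QIA: prior exam findings not yet remediated", 90.0, 0.00, 1.0),
    ]
    cyber = category_score(cyber_inputs)            # (46.25, "medium-low")

    scores = {c: 20.0 for c in CATEGORIES}          # every other category sits at 20
    weights = {c: 1.0 for c in CATEGORIES}
    scores["Cybersecurity and Technology"] = cyber[0]
    weights["Cybersecurity and Technology"] = 3.0   # assumed higher contribution to harm
    return {"cyber": cyber, "aggregate": aggregate_score(scores, weights)}


if __name__ == "__main__":
    for name, (score, band) in sample_assessment().items():
        print(f"{name}: {score} -> {band}")
```

With these assumed values, the cybersecurity category lands at 46.25 (“medium-low”); weighted three times as heavily as the ten other categories, it lifts the aggregate to 26.06, just over the assumed “low” boundary. The same inputs with a category weight of 1.0 would leave the aggregate at 22.39 (“low”), which is the point of the weighting step in the text: the band a firm ends up in depends on both the category scores and their relative weights.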

It is important to recognize that we regularly review and update these methodologies and weightings in the risk framework to address emerging risks and regulatory priorities. In addition, a firm’s risk likelihood score is subject to change depending on the unique business situation of each member firm.

This risk assessment process helps inform how FINRA plans for and conducts member firm exams. As part of examination schedule planning, the aggregate risk likelihood score is one factor FINRA Examination teams consider. FINRA may open examinations based on a firm’s risk profile, including factors such as high-risk business activities, significant customer complaints, unusual trading patterns or previous regulatory deficiencies. Additionally, firms are subject to routine cycle examinations based on their size and risk characteristics, with larger or higher-risk firms examined more frequently. FINRA’s risk assessment process enables a data-driven, risk-based oversight program.

When a member firm is subject to an exam, the Examination team uses information Risk Monitoring provides related to the member firm’s sales practice, financial, operational and trading risks to inform the scope of the exam. We also use the risk assessment to ensure that a member firm’s exam is appropriately tailored. The Examination team can also use this information to review a member firm’s compliance with federal securities laws and FINRA rules.

FINRA values member firms’ ongoing engagement and the opportunity to leverage expertise and input from firms. To that end, if member firms have questions about the risk assessment process, they should contact their Risk Monitoring Analyst. 

This publication does not create any new legal or regulatory obligations for firms or other entities. It represents FINRA’s current approach to risk assessments and is subject to change without notice.

1 In this publication, member firm refers to FINRA member firms and non-FINRA member firms pursuant to Regulatory Services Agreement commitments.