FINRA Reminds Firms of Responsibilities When Providing Customers with Consolidated Financial Account Reports
|Referenced Rules & Notices
NASD Rule 2210
NASD Rule 2340
NASD Rule 3010
NASD Rule 3012
NYSE Rule 342
NYSE Rule 409
Regulatory Notice 08-27
Communications with the Public
Supervisory Controls Systems
The practice of providing customers with consolidated financial account reporting has become increasingly common in the financial services industry. In many cases, these reports offer a single document that combines information regarding most or all of the customer's financial holdings, regardless of where those assets are held. Firms are reminded that these reports represent communications with the public by the firm; the dissemination of these reports must comply with all applicable FINRA rules as well as the federal securities laws.
As investor demand for this service has grown and as increasingly sophisticated software and data service providers have become available, firms have developed differing practices for generating these communications. If not rigorously supervised, this activity can raise a number of regulatory concerns, including the potential for communicating inaccurate, confusing or misleading information to customers, lapses in supervisory controls, and the use of these reports for fraudulent or unethical purposes.
This Notice reminds firms of their responsibilities to ensure that they comply with all applicable rules when engaging in this activity, and highlights a number of sound practices. Firms are strongly encouraged to review the overall adequacy and effectiveness of their current policies and procedures relating to their consolidated reporting. Any firm that cannot properly supervise the dissemination of consolidated reports by its registered representatives must prohibit the dissemination of those reports and take the necessary steps to ensure that its registered representatives comply with this prohibition.
General questions about this Notice should be directed to:
For questions about communications with the public, contact Amy Sochard, Director, Programs & Investigations, Advertising Regulation, at (240) 386-4508.
Discussion and Background
Many firms, as a service to their customers, provide documents that consolidate information regarding a customer's various financial holdings.1 For the purpose of this Notice we will refer to this practice and document as "consolidated reporting" and "consolidated reports," respectively. These consolidated reports offer a broad view of customers' investments, may include assets held away from the firm, and may provide not only account balances and valuations, but performance data as well. In many cases these consolidated reports are prepared at the request of the customer, who may also direct which of his or her accounts to include and provide access to data for non-held accounts. These communications may supplement, but do not replace, the customer account statement required pursuant to NASD Rule 2340 and NYSE Rule 409,2 which is prepared and disseminated to the customer through a separate process. Consolidated reports may not be represented as a substitute for, and must be distinguished from, account statements that are required by rule.
Firms create consolidated reports through fully integrated, in-house data gathering and reporting systems, fully outsourced solutions from third-party vendors,3 "off-the-shelf" software applications or a combination of these methods. Firms also disseminate these consolidated reports through a variety of means, such as direct mailing to customers, providing access to secure servers via the Internet and hand delivery during face-to-face meetings. The consolidated reports themselves may contain a variety of information and may be produced as a highly customized document created by an individual representative, or as a standardized report created by a firm system. To the extent individual representatives create consolidated reports, firms are required to supervise this activity, and both the firm and the individual representatives are responsible for compliance with all applicable rules.
Consolidated reports are communications with the public. Therefore, they must be clear, accurate and not misleading.4 For assets held at the firm, this includes providing information, including valuations, that is consistent with the customer's official account statement.5 For assets held away, this includes, among other things, taking reasonable steps to accurately reproduce information obtained regarding outside accounts and not to include information that is false or misleading.
Consolidated reports, particularly those published on firm letterhead, can create a misconception that the firm produced or verified all of the data, including the valuation of assets held away. Therefore, these reports should be constructed and provided in such a manner that neither customers nor third parties with whom the customer interacts (e.g., banks, mortgage companies, other broker-dealers) are likely to be confused or misled as to the nature of the information presented, or mistake these documents for official account statements regarding the reported assets. The reports should clearly delineate between information regarding assets held on behalf of the customer, which are included on the firm's books and records, and other external accounts or assets.
If a firm is unable to test or otherwise validate data for non-held assets, including valuation information, the firm should clearly and prominently disclose that the information provided for those assets is unverified. In addition, to the extent a consolidated report contains information regarding financial products that are outside a registered representative's area of proficiency, representatives must discuss and present these financial products in a manner that does not mislead customers as to the scope of the representative's financial expertise.6
Consolidated reports are also subject to the regulatory requirements regarding supervision and internal controls, records retention, privacy and safeguarding of customer information.7 Effective firm controls would include procedures to vet and approve consolidated report templates for compliance with regulatory requirements before they are put into production. These reviews can help ensure that any new consolidated report-generating process complies with regulatory requirements and firm policies, and that it is integrated into the firm's supervisory control program. Similar controls should be put in place for any programming that permits customization, as well as any subsequent changes to the approved templates or programming.
The risks associated with a firm's failure to maintain adequate safeguards over the use and dissemination of customer account information are well established. Beyond the obvious concern regarding the use of account information for fraudulent activity, even well-intentioned but incautious consolidated reporting could result in customers being misled or confused. Given the reliance that customers may place on consolidated reports and the potential consequences if these communications contain mistakes or are misused by firm personnel, firms must review their consolidated reporting programs with particular care. The more complex a firm's program for consolidated reporting, the more difficult it may be to conform that reporting to applicable rule requirements. Factors that contribute to program complexity include:
If a firm provides this service to customers, it must ensure that the size and complexity of the consolidated reporting program does not exceed the firm's ability to supervise the activity and to subject it to a rigorous system of internal controls. Any firm that cannot properly supervise the dissemination of consolidated reports by its registered representatives must prohibit the dissemination of those reports and take necessary steps to ensure that its registered representatives comply with this prohibition.
FINRA encourages firms to consider the practices described below when reviewing their consolidated reporting programs. This Notice is not intended to be a comprehensive roadmap for compliance and supervision; rather, it outlines measures that may assist firms in complying with their various supervisory obligations. Firms should consider these practices in assessing their own procedures and in implementing improvements that will best protect their customers. Firms must adopt procedures and controls that are most effective given the firm's size, structure and operations.
Due to the potential risks related to consolidated reporting, some firms have incorporated a review of the consolidated reporting process as a standard element in their testing and oversight programs. These firms test for regulatory compliance, data accuracy and adherence to supervisory procedures in audits, branch office reviews and as an ongoing part of their program of internal inspections required by NASD Rule 3010. Some firms require branch offices that produce consolidated reports to obtain an annual third-party audit of the process.
Maintaining multiple consolidated reporting systems can create a patchwork of processes and applications that may be difficult to adequately supervise. Some firms have chosen to centralize their consolidated reporting programs by requiring use of a single firm-wide system. Other firms that allow multiple report-producing systems, subject them to a centralized review and approval process. Participants in this review and approval process may include personnel from information technology, compliance and legal departments.
Some of the stronger programs require that all consolidated reports be mailed centrally using the customer's address of record,9 and have processes in place that reconcile address information used for account statements and consolidated reports. In the limited circumstances where different addresses are used to deliver customer account statements and consolidated reports, firms should maintain documentation explaining the discrepancy and indicating that the customer was provided notice or acknowledged the differing addresses.10
Some firms verify, when possible, information pertaining to assets held away. Some of these firms have opted not to include assets in the consolidated report when the firm cannot verify their existence or cannot validate the valuations.
Some firms maintain supporting documentation for reported assets with the customer file, or otherwise have it available to be reviewed alongside the consolidated report. This documentation may include information regarding source of data and methods used to determine accuracy and asset valuation. The information may be useful in discussing the consolidated reports with customers, in validating the accuracy of consolidated report-generating systems and for internal control/audit testing purposes.
It is sound practice to encourage customers to review and maintain the original source documents that are integrated into the consolidated report, such as the statements for individual accounts held away from the broker-dealer. Customers may be tempted to disregard these source documents because of the convenience of the consolidated report. However, source documents may contain notices, disclosures and other information important to the customer, and may also serve as a reference should questions arise regarding the accuracy of the information in the consolidated report.
The design and formatting of consolidated reports is important for ensuring information is clearly communicated. In addition to the requirements outlined above, firms are encouraged to include, when applicable, the following disclosures:11
To help ensure that a customer is apprised of the nature of the consolidated reporting process, and to ensure delivery of any disclosures or other pertinent information, firms may consider obtaining the customer's signed acknowledgement that he or she has been provided with the relevant disclosures and understands the nature and limitations of the consolidated reporting process. These disclosures may, for example, be included with applicable communications regarding privacy protections. Firms should consider a means to refresh this notice on a periodic basis.
1 This reporting is most commonly issued by firms that maintain an affiliated investment adviser or by registered representatives who also provide investment advisory services to their customers.
2 The FINRA rulebook currently consists of: (1) FINRA Rules; (2) NASD Rules; and (3) rules incorporated from NYSE (Incorporated NYSE Rules) (together, the NASD Rules and the Incorporated NYSE Rules are referred to as the Transitional Rulebook). While the NASD Rules generally apply to all FINRA member firms, the Incorporated NYSE Rules apply only to those members of FINRA that are also members of the NYSE (Dual Members). The FINRA Rules apply to all FINRA member firms, unless such rules have a more limited application by their terms. For more information about the rulebook consolidation process, see Information Notice 3/12/08 (Rulebook Consolidation Process). For convenience, the Incorporated NYSE Rules are referred to as the NYSE Rules.
3 Vendors include Web-based application service providers (ASPs) that aggregate financial data and create reports to firm specifications that may be mailed to customers or, if the firm desires, can be accessed on a read-only basis from the ASP's Web server. To the extent that firms rely on third-party vendors, firms are responsible for complying with applicable requirements regarding outsourcing, as discussed in Notice to Members 05-48. The Notice clarifies firm responsibilities when outsourcing "covered activities," which the Notice identifies as activities or functions that, if performed directly by firms, would be required to be the subject of a supervisory system and written supervisory procedures pursuant to NASD Rule 3010.
4 Depending on the form, content and method of dissemination, these consolidated reports may be considered sales literature or correspondence. As such, they may be subject to various requirements outlined in NASD Rules 2210 and 2211 and associated guidance, such as the requirement for clear and prominent display of the firm's name on communications and disclosures related to use of performance information.
5 Inaccuracies may include discrepancies associated with having consolidated reports and customer account statements produced through separate systems or by different entities. For example, firms have reported finding numerous instances in which the same in-house transaction was reflected differently in each document, thereby requiring a correction before publication or dissemination.
7 The better information security programs routinely test controls over access to systems and data related to the reporting process as part of the firm's internal controls regime. Access controls must be rigorously supervised to avoid unauthorized use or manipulation of customer account data.
8 These multi-system situations often arise when a firm affiliates with or acquires a new group of representatives or branch offices that bring with them legacy systems. In some instances, a reporting system may be unique to a single branch office, even to the extent that a single branch may maintain a separate contractual relationship with a third-party vendor to provide these services.
9 Firms are required to have procedures to review, monitor and validate customer changes of address. These policies and procedures must include "a means or method of customer confirmation, notification, or follow-up that can be documented." NASD Rule 3012(a)(2)(B) and NYSE Rule 401.
10 This is consistent with NYSE Rule 409(b) and FINRA's proposed rule change to adopt NASD Rule 2340 (Customer Account Statements) as FINRA Rule 2231. Proposed Supplementary Material .01 (Transmission of Customer Account Statements to Other Persons or Entities) would expressly require a firm to obtain written instructions from the customer in order to send/deliver customer statements, confirmations or other communications to other persons or entities. See Securities Exchange Act Release No. 59921 (May 14, 2009), 74 FR 23912 (May 21, 2009).
11 These elements are drawn from existing guidance relating to multi-account reporting practices for customer account statements in NYSE Rule Interpretations 409(a)/04 (Assets Externally Held and Included on Statements Solely as a Service to Customers) and (a)/06 (Use of Summary Statements) and are consistent with FINRA's proposed rule change to adopt NASD Rule 2340 (Customer Account Statements) as FINRA Rule 2231. The multi-account reporting guidance in proposed FINRA Rule 2231, Proposed Supplementary Material .04 (Assets Externally Held and Included on Statements Solely as a Service to Customers) and Proposed Supplementary Material .06 (Use of Summary Statements) are substantially unchanged from existing NYSE Rule Interpretations 409(a)/4 and 409(a)/6. See Securities Exchange Act Release No. 59921 (May 14, 2009), 74 FR 23912 (May 21, 2009).
12 Firms should consider including a disclosure clarifying that their firm's SIPC coverage would only apply to those assets held at the firm, and to the extent some of the other reported entities may be SIPC members, customers should contact their financial representative or the other entity or refer to the other entity's statement regarding SIPC membership.