5 key messages from FINRA’s 2022 Report

As we settle in to 2023, FINRA has published its 2022 Report on FINRA’s Examination and Risk Monitoring Program. FINRA’s report provides firms with a foundation of focus for the year ahead, drawing on common issues identified during FINRA exams and providing outlines for what “effective practices” may look like. While comprehensive, the entirety of the report will not apply to all FINRA member firms – who should instead refer to relevant topic areas to help build out and inform their compliance programs.

We’ve condensed the 60-page report into the five key provisions for end-to-end communications and data, including mobile apps, restricted channels, supervision, and cybersecurity.

1. Communications, restricted channels, and mobile apps

After a succession of regulatory enforcement actions over the last 18 months, from FINRA to the Securities and Exchange Commission (SEC), it comes as no surprise a significant portion of FINRA’s report is devoted to communications with the public, especially those made through new technologies and mobile apps.

This focus falls broadly in line with the SEC’s new Marketing Rule, which came into effect on November 4, 2022 and creates more stringent regulatory requirements for how investment advisers can market and advertise services. As technology evolves, regulators are clearly looking to close the net to ensure that all methods of communication are properly surveilled and captured. 

Communications with the public

Focusing specifically on FINRA Rule 2210, 2220 and MSRB Rule G-21, FINRA’s report asks firms to consider whether their communications with the public meet certain, general standards. Among other things, this includes knowing whether your firm’s communications contain false or misleading claims, whether they include information that makes them fair, balanced, and not misleading, and whether they balance claims about investment benefits with the associated risks.

Mobile apps and prohibited communication channels

For mobile apps in particular, FINRA wants to see that firms have “established and implemented a comprehensive supervisory system for communication through mobile apps”, to avoid compliance black holes. The same is true for digital communication channels. Within FINRA’s Report, the regulator asks firms to consider how they are supervising and maintaining books and records in accordance with applicable rules under FINRA and the SEC. As well as this, FINRA asks that firms include both prohibited and permitted digital communication channels within their digital communication policies.

In the wake of significant fines against – for example, JP Morgan – for their use of unauthorized communication channels, many firms have banned certain communication apps such as WhatsApp. FINRA clearly wants to see that where communication channels have been prohibited, there is rationale and a clear policy behind it – rather than unsubstantiated blanket bans. Where blanket bans do exist, FINRA still wants to see that firms are monitoring or reviewing for “red flags that may indicate a registered representative is communicating through unapproved communication channels”. Where red flags do occur, FINRA asks whether firms are then following up on them.  

Procedures for digital communications

Looking ahead, FINRA lists a number of “effective practices” to mitigate risk and ensure regulatory compliance when managing digital communications. Among those effective practices are “comprehensive procedures” for the supervision of digital communication channels, including:

– Monitoring new tools and features

– Clearly defining the communication channels that are permissible, and those that are prohibited

– Implementing supervisory review procedures that are tailored for each channel, including video content which should have separate Written Supervisory Procedures (WSPs) and controls

– Ensuring that mandatory training is delivered, with those that fail to comply subsequently suspended or blocked from using certain channels

In short, FINRA wants to see that firms are taking a considered, logical, and proactive approach to communication channels – not just banning and burying their heads in the sand. Where channels are banned, firms should continue to monitor for their use, using surveillance or supervisory technology – and where red flags do appear, action should be taken. Where channels and apps are permitted, firms should implement the appropriate systems, policies and controls to ensure that they are monitored – and that communications are compliant.

2. Books and records

A long-established (though no less important) area of focus in FINRA’s report is on books and records, broadly covered by Exchange Act Rules 17a-3, 17a-4, and FINRA Rules 3110(b)(4) and the 4510 series.

In particular – and in keeping with a wider industry trend – there appears to be increasing focus on the use of third-party vendors for books and records. As third-party vendors become the preferred, most viable choice, regulators want to see that firms are taking care to conduct proper due diligence and considering operational resilience factors when entering into new, third-party contracts.

Failure to meet due diligence requirements

FINRA highlights a number of failures in its exam findings. Notably, it has found that some firms are misinterpreting their regulatory obligations by:

– Not carrying out due diligence to verify a vendor’s ability to comply with books and records rules

– Not confirming that service contracts and agreements comply with ESM Notification Requirements

This also extends to firms failing to comply with the ESM Notification Requirements insofar as they have failed to obtain third-party attestation letters as required by Exchange Act Rule 17a-4(f)(3)(vii).

How to meet regulatory expectation

In order to avoid the above misgivings, FINRA sets out a number of suggested effective practices. These include:

– Reviewing contracts and agreements to ensure that third-party vendors can meet books and records rules and associated ESM obligations.

– Fully testing all vendors’ capabilities to meet regulatory expectation. This testing could extend to the simulation of regulatory examinations by requesting certain records and engaging consultants to see whether the returns comply with Books and Records Rules.

– Confirming with vendors, including cloud vendors, whether they will provide the requisite third-party attestation.  

3. Regulatory events reporting

For years U.S. regulators have called on firms to self-disclose in the event that something goes wrong. Given the recent increased focus, FINRA’s report touches on regulatory events reporting. In particular, it focuses on Rule 4530, which requires firms to promptly disclose violations of securities and FINRA rules.

As well as providing training and ensuring staff are up-to-date with the reporting requirements, FINRA asks firms to consider how they monitor for red flags of “unreported written customer complaints and other reportable events”. For instance, are you searching your archive of communications data to detect instances of complaints, or avoided complaints? Within its exam findings, FINRA found that many firms were not conducting adequate surveillance for email and other channels to detect unreported events.

As an effective solution, FINRA suggests that firms should be conducting targeted email surveillance to pick up any instances of unreported complaints. In order to do this, firms will need to employ technology that not only captures communications data, but that allows easy and effective search.

4. Cybersecurity and technology governance

Cybersecurity remains a stalwart pillar of compliance. Owing to the pace of technological change, cybersecurity is – and will continue to be – a regulatory priority. As FINRA’s report highlights, “cybersecurity remains one of the principal operational risks facing broker-dealers”.

As above, the proliferation of third-party and outsourced vendors is transforming the way that regulators approach security risks. Not only must firms ensure that their internal policies, procedures, systems, and controls are operationally sound, they must also ensure that they have successfully evaluated their “firm’s vendors’ cybersecurity controls”.

In the past year, we have seen hackers make considerable gains in cases against Ronin and Uber. In a number of instances, firms failed to successfully control the access of individuals. FINRA highlights “access management” as a key focus area for cybersecurity, noting that firms should track all individuals with access to technology – not just administrators – as well as enable multi-factor authentication in all instances.

5. New supervisory requirements for funding portals and crowdfunding

A final point of note, though not one that is discussed at length within FINRA’s report, is that funding portals and crowdfunding offerings are now obliged to register with the SEC and become a member of FINRA. As such, they must adhere to supervision and compliance requirements and implement tailored supervisory review procedures that “clearly define permissible and prohibited communications”, among other things.

If you’d like to know more about how Global Relay empowers compliant communication for your business, we’d love to hear from you.