FINRA Conference 2022 key takeaways

Regulatory Briefs
Written By Jon Hurd

The Asgard Team attended the 2022 FINRA Conference and gathered several key takeaways noted below.

Topics covered include: Continuing Education Changes, Cybersecurity: Emerging Industry Priorities and Threats, Reg Best Interest: Lessoned Learned, Social Media and the Rise of Finfluencers, Remote Supervision, Communications: Compliance and Current Developments, FINRA’s Examination and Risk Monitoring Program, Vendor Management: Due Diligence and Oversight, Senior and At-Risk Investors, Consolidated Audit Trail (“CAT”), and Alternative Investments and Complex Products.

Continuing Education Changes:

Several enhancements have been made to the Continuing Education program that will become effective on January 1, 2023:

Regulatory Element Continuing Education (“RECE”)

  • Registered Representatives (“RR”) will have until December 31st of each year to complete RECE; 3-year anniversaries will no longer be applicable.

  • Each RR will receive specific training related to their licenses.

  • The more licenses a RR holds, the more courses they will take (non-duplicative).

  • FINRA will publish the training courses in advance (by October 1st) so Firms can review content in advance.

Firm Element Continuing Education (“FECE”)

  • FINRA will launch a marketplace where firms can use content for trainings (firms are not required to use the marketplace).

  • Third parties will be allowed to upload content for other firms to utilize.

  • FINRA has broadened the definition of Registered Persons to mean ALL registered persons who maintain solely a permissive registration pursuant to FINRA Rule 1210.02.

  • Firms are permitted to utilize their Annual Compliance Meeting and anti-money laundering related training to satisfy an individual’s FECE requirement.

In addition to the Continuing Education enhancements, FINRA also launched the Maintaining Qualifications Program (“MQP”) on March 15, 2022. The MQP allows an RR to maintain licenses for up to 5 years after being terminated (fully or partially):

  • An RR may elect to participate in the MQP within two years of a termination date or termination of a registration.

  • An RR must have had held a registration for at least one year prior to enrolling in the MQP.

  • There is a $100 annual fee for the MQP.

  • Individuals enrolled in the MQP must enroll in FinPro to complete RECE and Practical Element on an annual basis for the length of time he or she is enrolled in the MQP.

  • An RR can re-qualify for the MQP program at different times within their career.

Cybersecurity: Emerging Industry Priorities and Threats: 

Cybersecurity threats have become increasingly prevalent and FINRA urged members to have an incident response plan in place for responses to cyber-attacks. The panel also urged members to conduct testing of the plan on an annual basis by way of a tabletop exercise. 

Several of the current cyber-threats noted were:

  • Hacktivist

  • Insider Threats

  • Network Intrusions

  • Nation State Actors

  • Ransomware Attacks

  • Account takeovers

  • Imposter Websites

  • Spear Phishing

In addition to the above cyber threats, the panel also noted that new fintech, working from home and vendor onboarding are new risks that create opportunities for criminals to infiltrate a firm.

The panel repeatedly expressed the importance of contacting the FBI if a cyber incident were to take place. The FBI will collect information related to the incident and will assist with mitigating long term risks. The FINRA website has all FBI supervisors posted for firm accessibility. In addition to contacting the FBI, the firm should then contact its risk monitoring analyst, vendors utilized, notify customers, and construct a media plan if the incident were to become public knowledge.

 FINRA offered the following effective practices for minimizing cyber risk:

  • Cyber training

  • Penetration Testing

  • Patching system

  • Law Enforcement Relationship

  • Multi Factor Authorization

  • One central individual responsible for the cyber program

Reg Best Interest: Lessons Learned

During the Reg BI panel, the panelists noted what to expect from both a FINRA exam perspective and an SEC exam perspective:

 FINRA Exam -

  • Sampling of Care Obligation

  • Reviewing how the firm determines Best Interest and ensuring there is documentation to support Best Interest

  • Supervisory Process

  • Specific Written Supervisory Procedures (“WSP”)

  • Suitability violations that have been corrected

SEC Exam -

  • Consideration of alternative options

  • Mitigation of conflicts

  • Specific WSP

  • Disclosures

  • Evaluation of Recommendation

One key deficiency noted by the panelists were policies and procedures. Specifically, the panel noted the lack of specificity to the firm’s processes. Other areas of deficiency included lack of specific training for employees.

The panel offered the following insight into key areas related to Reg BI:

Cost: Includes hidden costs, indirect costs, markup, and order flow.

Documentation: Important to note why, if applicable, complex, or risky products were recommended. Also, explanation of reasonable alternatives and fees, commissions and other costs associated with the recommendations.

Rollovers: Important to ask the client for information about the plan they are currently enrolled in and if you cannot get the information, you must evaluate if you have enough information to make a recommendation.

Training: Continuous training for employees is imperative as regulators want to see what the training included.

 If you are a dual registrant, determining which hat you are wearing should include the following:

  • Compensation consideration

  • Type of account

  • Disclosure of which capacity you are acting in and a process for determining which capacity you are acting in.

Social Media and the Rise of Finfluencers:

During the pandemic, the rapid acceleration of digital adoption has changed the way the financial services industry engages with each other and clients. With this comes compliance challenges regarding proper documentation, storage and establishing firm procedures regarding social media use. A good exercise is to review a firm’s WSP regarding social media to ensure the policy in place matches the Firm’s current practices. If the Firm allows Associated Persons (“AP”) to communicate with clients on social media platforms, firms must ensure that all records are maintained pursuant to SEA Rule 17a-4. Firms must also conduct social media training to ensure each AP is aware of the firm’s policies and procedures.

“Finfluencers'' are social media influencers that use their platform to discuss financial information and expertise. Finfluencers are becoming an increasingly popular source of financial advice for Gen Z and Millennials. Firms are considering partnering with these Finfluencers as a marketing tool to advertise their firm’s platform and services. When considering partnering with a Finfluencer, firms must:

  1. Ensure the content being posted by the Finfluencer is accurate and not misleading. Firms can do this by ensuring that the Finfluencer sends the content for review prior to posting.

  2. Ensure that all record keeping requirements are followed.

  3. Have policies in place to supervise the content being posted by the Finfluencer.

Remote Supervision:

The Remote Supervision panel discussed tips for effective controls, procedures, and processes that member firms are incorporating to supervise in a remote environment. One recommendation of note is to start conducting quarterly risk assessments evaluating the risks associated with working from home. Examples of risks include cybersecurity, access to material nonpublic information, record retention and disclosures. In addition, firms must also consider the termination of an AP in a remote environment. Important questions to consider are: 

  • Does this individual still have access to firm information on their remote desktop or laptop?

  • Does this individual have any firm related information downloaded on their remote desktop or laptop?

FINRA is expecting to release guidance regarding remote branch office inspections, branch office definitions and remote supervision by the end of the year. 

Communications: Compliance and Current Developments

The virtual environment has changed how employees, firms and customers communicate with each other. This new environment brings challenges for compliance departments in order to ensure all communications are supervised. One area of note is the rise of video conferencing calls. Online conference call meeting chat rooms are considered correspondence and, in some cases, retail communication. If firms allow an AP to communicate with this chat feature, all communications must be documented and supervised properly. If an AP communicates with clients over text, firms must ensure compliance with all supervision and record-keeping requirements. Firms are encouraged to conduct ongoing training and education for APs regarding the firm’s policies surrounding business communications. This includes what communication methods or platforms are approved. 

When producing or distributing advertising materials, firms must comply with FINRA Rule 2210. All communications must be fair and balanced. The material must provide balanced treatment of risks and potential benefits and avoid exaggerated claims. 

The panelists discussed how some firms are communicating with clients in the metaverse and the challenges of supervising these communications effectively. Some firms are utilizing recordings, screenshots, and third-party vendors to properly capture and document communications in the metaverse. 

FINRA’s Examination and Risk Monitoring Program:

Almost two years ago, FINRA established a new examination and risk monitoring structure, shifting to five (5) firm groupings and eighteen (18) sub groupings, which align staff to areas that they have previously worked on. This transition has allowed FINRA to assess risk in a more consistent manner. 

Firm Groupings

  1. Retail

  2. Capital Markets

  3. Carrying and Clearing

  4. Trading and Execution

  5. Diversified

 Risk Monitoring Conversations

  • FINRA is trying to be more proactive in reaching out to firms. You should expect frequent communication from your Risk Monitoring Analysts and/or Risk Monitoring Director.

Examination Structure

  • Firm Exam Program - FINRA looks at a firm from a big picture perspective. What are its risks? What are operations like? This occurs once every four (4) years or so, depending on the risk level of the firm.

  • Teams from Member Supervision, Market Regulation and Specialist Teams that sit within both member and market are working together to execute one cohesive exam.

  • Specialists was a big change internally - Fixed Income, Data, Variable Annuity, Placement, AML, and Cybersecurity. Many individuals working as part of a broader team executing a firm Exam.

  • Data Onboarding Period - FINRA started this relatively recently. Before the exam begins, staff will make individual requests for information, like procedures or supporting documents. Upon receipt, the data will go into a risk identification process to tailor the exam accordingly.

  • If you receive a request from FINRA for your Purchase and Sales Blotter, there is a 99% chance FINRA will be conducting an exam, which will be underway in about one (1) month.

Vendor Management: Due Diligence and Oversight: 

When a firm outsources a function to a third party, they have a responsibility to monitor and supervise functions and activities of the vendor. Is the vendor meeting the obligations of the contract? Is staff trained to escalate vendor related issues? Is the firm meeting the requirements of FINRA and SEC rules and regulations? This requirement is outlined in two (2) FINRA Regulatory Notices: Regulatory Notice 05-48 and Regulatory Notice 21-29

What functions are typically outsourced?

  1. Accounting

  2. Legal

  3. Compliance

  4. Operations

  5. Information Technology

  6. Human Resources

Regulatory considerations to consider when you are outsourcing: 

  1. Supervision - Understand your supervisory responsibility.

  2. Regulatory Requirements - What are the registration requirements? Does the vendor need to be registered in a Registered Representative or Non-Registered Fingerprint Person capacity?

  3. Cybersecurity - What are the potential cyber threats and Regulation S-P threats?

  4. Business Continuity Plan - In the event the outsourced vendor cannot do their job, is there a backup plan?

  5. Reputational Risk - Is there a potential reputational risk?

To gain a better understanding of the capabilities or limitations of a vendor, a firm should consider the use of a questionnaire. This allows a firm to gain information regarding the vendor's processes and controls over the specific outsourced function. Questionnaires also gather information on the use of subcontractors and personnel that have access to sensitive information. 

 Considerations when terminating a vendor: 

  1. Will there be a gap when one vendor is terminated, and another is brought on?

  2. What measures are in place to ensure the vendor understands its obligations when terminating?

  3. How can you ensure firm and customer information is secured?

  4. How can the vendor evidence it has destroyed customer and firm sensitive information?

FINRA Disciplinary Actions

FINRA has disciplined member firms for failure to establish adequate procedures and failure to enforce supervision over outsourced relationships. Firms did not provide regulatory oversight of vendors, whereby vendors did not encrypt their data correctly, they did configure their cloud services correctly, and they did not install antivirus software. 

Senior and At-Risk Investors:

FINRA provides tools and other resources for senior and at-risk investors and member firms. In 2015 FINRA launched FINRA’s Securities Helpline for Investors (“Helpline”) (1-844-57–HELPS).  The Helpline provides free resources that senior investors can call to get assistance from FINRA or raise concerns about issues with brokerage accounts and investments.  The Helpline has received more than 4,000 calls since January 2021.

Key rules have been implemented to address senior and at-risk investors:

  • Rule 4512 - Trusted Contact Person

  • Rule 2165 - Financial Exploitation of Eligible Adults

  • Rule 3241 - Registered Person Being Named a Customer’s Beneficiary or Holding a Position of Trust for a Customer.

FINRA Rule 4512 (Customer Account Information)

  • Requires member firms to make a reasonable effort to obtain the name and contact information for a trusted contact person for the customer’s account.

  • Requires disclosure in writing to the customer that the firm or AP is authorized to contact the trusted contact person and disclose information about the customer’s account to confirm the specifics of the customer's current contact information, health status, and the identity of any legal guardian, executor, trustee or holder of a power of attorney, and as otherwise permitted by Rule 2165.

The member firm may open and maintain an account if a customer fails to identify a trusted contact person.

FINRA Rule 2165 - Financial Exploitation of Eligible Adults 

  • Permits firms to place a temporary hold on a securities transaction or disbursement of funds or securities from the account of a “specified adult” (i.e., a person 65 and older or a person 18 and older who the firm reasonably believes has a mental or physical impairment that renders the individual unable to protect his or her own interests) where there is a reasonable belief of financial exploitation of that customer.

  • Rule 2165 provides a safe harbor under FINRA rules when a firm uses its discretion to place a temporary hold consistent with the requirements of the rule.

  • A temporary hold may be placed on a particular suspicious transaction or disbursement but not on other non-suspicious transactions or disbursements.

Please consult the rule for additional information and guidance. 

Rule 3241 - Registered Person Being Named a Customer’s Beneficiary or Holding a Position of Trust for a Customer

This rule protects investors by requiring member firms to affirmatively address registered persons being named beneficiaries or holding positions of trusts for customers. Rule 3241 does not apply where the customer is a member of the registered person’s “immediate family.”

  • The Rule defines “customer” to include any customer that has, or in the previous six months had, a securities account assigned to the registered person at any member firm.

  • The Rule requires the firm with which the registered person is associated, upon receiving required written notice from the registered person, to review and approve or disapprove the registered person assuming such status or acting in such capacity.

  • A registered person being named as a beneficiary or to a position of trust without their knowledge would not violate the rule; however, the registered person must act consistent with the rule upon learning that he or she was named as a beneficiary or to a position of trust.

Key takeaway - Member firms must ensure that its WSPs address the rules and requirements related to senior and at-risk investors. Ongoing monitoring and testing are critical takeaways from the FINRA panel. Likewise, member firms must be vigilant in monitoring its registered persons in the event of being named a customer’s beneficiary or holding a position of trust for a customer.  

Consolidated Audit Trail (“CAT”):

FINRA and the national securities exchanges have adopted rules requiring their members to comply with Exchange Act Rule 613 and the CAT NMS Plan FINRA Rule 6800 Series (Consolidated Audit Trail Compliance Rule) (collectively, CAT Rules), which cover reporting to the CAT; clock synchronization; time stamps; connectivity and data transmission; development and testing; recordkeeping; and timeliness, accuracy and completeness of data requirements. 

FINRA discussed certain Exam Findings which are highlighted below:

  • Inaccurate Reporting of CAT Orders

  • Late resolution of repairable CAT Errors

  • Inadequate Vendor Supervision

Effective Practices included:

  • Supervision - Implementing a comparative review of CAT submissions versus firm order records; and utilizing CAT Report Cards and CAT FAQs to design an effective supervision process.

  • Clock Synchronization Related to Third Parties - Obtaining adequate information from third parties to meet applicable clock synchronization requirements.

Alternative Investments and Complex Products:

Investment products abound that offer alternatives to conventional stock and bond investments. These products are sometimes referred to as structured products or non-conventional investments. They tend to be both more complex—and riskier—than traditional investments, and often tempt investors with special features and higher returns than offered by basic investments.

Although these products may have attractive qualities, it is crucial to understand each investment’s distinct features, risks, and rewards. The FINRA session emphasized the importance of understanding product features, characteristics, and their supervisory challenges.  

Recently, FINRA published Regulatory Notice 22-08 - FINRA Reminds Members of Their Sales Practice Obligations for Complex Products and Options and Solicits Comment on Effective Practices and Rule Enhancements.  The comment period ended on May 9, 2022.  Our key takeaway is for member firms and its registered persons to understand the characteristics and features of each alternative product that is recommended to a retail investor.  Member firms should continue to evaluate its policies and procedures on an ongoing basis and ensure that each alternative product recommended is in the best interest of the retail customer. 

Jon Hurd
Previous

SEC Risk Alert - Examinations Focused on the New Investment Adviser Marketing Rule
Next

Are you ready for the dol’s full pte rollout?