New Topics and Content Highlight FINRA's Increased Focus on Cybersecurity, Crypto Assets, Artificial Intelligence, Market Integrity, Off-Channel Communications and Other Key Risk Areas

On January 9, 2024, the Financial Industry Regulatory Authority, Inc. ("FINRA") published the 2024 FINRA Annual Regulatory Oversight Report (the "Report"), which builds on the structure and content of FINRA's prior reports for 2021-2023. This year, the Report adds new content relating to: crypto assets; Market Integrity, including OTC Quotations in Fixed Income Securities (Rule 15c2-11 under the Securities Exchange Act of 1934 (the "Exchange Act")), Advertised Volume (FINRA Rule 5210) and the Market Access Rule (Rule 15c3-5 under the Exchange Act); the potential impact of artificial intelligence ("AI") on firms' regulatory obligations; and considerations concerning firms' compliance with books and records requirements, including with respect to "off-channel communications" as well as the Securities and Exchange Commission's ("SEC") 2023 amendments to SEC Rule 17a-4 and the requirements regarding the maintenance and preservation of electronic records thereunder. Additionally, FINRA adds new findings and effective practices relating to a wide range of topics covered by FINRA in prior years' reports. Finally, the Report's title (formerly, "Report on FINRA's Examination and Risk Monitoring Program") has been changed to signal both FINRA's ongoing integration of its regulatory operations programs and also the Report's intended utility for member firms as a resource to strengthen their compliance programs.

Certain Areas of Focus

In light of the nature and scope of FINRA's discussion of the following topics in the Report, as well as FINRA's and the SEC's recent attention to these issues in other publications and enforcement matters, firms should closely review the Report's new content regarding these topics.

  • Cybersecurity. FINRA has observed an increase in the variety, frequency and sophistication of certain cybersecurity incidents (e.g., imposter websites, insider threats, ransomware, cybersecurity events at member firms' critical vendors). In this context, in addition to discussing effective practices and common findings in the Report, FINRA reminds member firms that cybersecurity incidents could implicate certain existing regulatory obligations, including self-reporting requirements under FINRA Rule 4530(b). Additionally, pursuant to new cybersecurity disclosure rules adopted by the SEC in July 2023 for public reporting companies, member firms that are public reporting companies are required to (i) promptly disclose aspects of material cybersecurity incidents they experience (e.g., nature, scope, timing, material impact) on a Current Report on Form 8-K and (ii) on an annual basis, disclose certain information regarding their cybersecurity risk management, strategy and governance.1 Finally, in March 2023, the SEC proposed a new cybersecurity risk management rule for broker-dealers and other market participants that, if adopted, would require member firms to address cybersecurity risks, including by establishing written policies and procedures reasonably designed to address cybersecurity risks and to provide immediate notice of significant cybersecurity incidents to the SEC.2
  • Crypto Asset Developments. The Report sets forth various considerations for firms seeking to engage in crypto asset-related activities, including assessing a firm's obligations under the SEC's financial responsibility rules (including the customer protection rule), topics that should be evaluated when submitting a New Membership Application or Continuing Membership Application to FINRA's Membership Application Program, and surveillance themes, effective practices and related practices identified by FINRA, as further discussed below.
  • Anti-Money Laundering ("AML"), Fraud and Sanctions. FINRA adds new content regarding AML, fraud and sanctions-related risks, findings and effective practices, including specifically identifying new account fraud as an emerging risk (both as a standalone activity and as a precursor to other illicit activities), as further described below. In addition, FINRA identifies deficiencies in member firms' AML compliance procedures that it believes should be addressed.
  • Regulation Best Interest ("Reg BI") and Form CRS. FINRA has been examining member firms' implementation of Reg BI and Form CRS obligations for multiple years. In the Report, FINRA shares certain new considerations, findings and effective practices for member firms to review, as further discussed below.

Select Topics

The Report addresses 26 regulatory topics organized into six sections: Financial Crimes; Crypto Asset Developments; Firm Operations; Communications and Sales; Market Integrity; and Financial Management. We highlight below certain new topics for 2024 and new content that FINRA added to previously covered topics.

FINANCIAL CRIMES

The Financial Crimes section and the primary topics thereunder – including cybersecurity and technology management; AML, fraud and sanctions; and manipulative trading – are consistent with last year's report, with new content added in each section. Below are certain highlights from this section.

In its discussion of Cybersecurity and Technology Management, FINRA encourages member firms considering the use of AI technologies to be mindful of how these technologies may implicate their regulatory obligations, particularly with respect to AML, books and records, business continuity, communications with the public, customer information protection, cybersecurity, model risk management (including testing, data integrity and governance, and explainability), research, Reg BI/suitability, supervision and vendor management. FINRA reminds member firms to be mindful that the regulatory landscape may change as AI continues to develop.3

With respect to AML, fraud and sanctions, the Report contains several new issues to consider. For example, in examinations, FINRA has found that some member firms failed to reasonably review for and/or respond to "red flags" (i.e., indicators of illicit activity) associated with automatically approving customer accounts and orders for crypto asset trades.

Relatedly, FINRA has observed an increase in new account fraud ("NAF"), which occurs when a bad actor uses stolen or synthetic identification information to fraudulently open an account. FINRA describes NAF as an "emerging risk," particularly for member firms that offer fully online account-opening processes (including those for mobile application-based brokerage accounts). Additionally, NAF may be a precursor to other fraud schemes, such as fraudulent requests to the ACATS and fraudulent ACH transfers and wire transfers.

CRYPTO ASSET DEVELOPMENTS (NEW FOR 2024)

FINRA reminds member firms seeking to engage in crypto asset-related activities to identify and address relevant regulatory and compliance challenges and risks. For example, firms should review and evaluate their supervisory programs and controls, and compliance policies and procedures, in areas such as cybersecurity, AML compliance, communications with customers, manipulative trading, performing due diligence on crypto assets in connection with private placements, and supervising their associated persons' involvement in crypto asset-related outside business activities ("OBAs") and private securities transactions ("PSTs"). With respect to associated persons engaging in crypto asset-related activities through OBAs and/or PSTs, FINRA has found such activities to include, for example, proprietary trading, operating investment funds that invest in crypto assets, selling private placements or crypto asset offerings, and participating in crypto mining operations.

FIRM OPERATIONS

The Firm Operations section addresses: OBAs and PSTs (see preceding paragraph); books and records; regulatory events reporting; trusted contact persons; and crowdfunding offerings (broker-dealers and funding portals). Certain key takeaways from this section are discussed below.

With respect to books and records requirements under SEC Rules 17a-3 and 17a-4 and FINRA rules, FINRA reminds member firms that they must preserve originals of all communications (e.g., emails, instant messages, text messages, chat messages) received and sent relating to their "business as such," including through non-firm or third-party digital communications channels used by personnel to conduct firm business. FINRA uses a risk-based approach to review how firms capture, surveil and maintain these communications. FINRA is examining how firms are supervising for compliance with firm policy, including prohibitions thereunder, and disciplinary measures imposed by firms for violations of firm policy. FINRA also reminds firms that the SEC's amendments to SEC Rule 17a-4, which modify the rule's requirements regarding the maintenance and preservation of electronic records, including the use of third-party recordkeeping services, became effective on January 3, 2023. As a result, those firms that utilize an electronic recordkeeping system, including firms that elect to continue using their current third-party access arrangements, must file with FINRA updated third-party access undertakings that reflect the new language specified in SEC Rule 17a-4(f)(3)(v).

With respect to regulatory events reporting, FINRA reminds firms that they are required to promptly report certain internal conclusions of violations to FINRA pursuant to FINRA Rule 4530(b). Firms also need to be mindful of their obligation to escalate customer complaints received through non-traditional channels (e.g., text message). In addition, the Report provides guidance for Form U5 filings, including that: (i) each question on the Form U5 stands on its own, and firms should carefully read each question and respond appropriately to each question; and (ii) a firm must provide sufficient detail when responding to questions on Form U5 such that a reasonable person can understand the circumstances behind the reason for termination.

COMMUNICATIONS AND SALES

The Communications and Sales section of the Report adds guidance relating to: communications with the public; Reg BI and Form CRS; private placements; and variable annuities. Below, we highlight certain points in this section.

With respect to communications with the public, FINRA encourages member firms to consider whether their mobile apps include appropriate risk disclosures at account opening or before a customer transaction. In this connection, FINRA has found instances of false, misleading and inaccurate information in mobile apps, such as by failing to fully explain and clearly and prominently disclose risks (where required by a specific rule or needed to balance promotional claims) associated with options trading, the use of margin and crypto assets.

The Report contains new material related to the four component obligations of Reg BI (Care, Conflict of Interest, Disclosure and Compliance). In particular, the Report addresses several points related to complex or higher-risk products, e.g., member firms should consider applying heightened scrutiny in determining whether investments that are high-risk, high-cost, complex or represent a conflict of interest are in a retail customer's best interest. With respect to the Care Obligation, among other considerations set out in the Report, member firms should understand how they and their associated persons evaluate reasonably available alternatives when making recommendations, and the potential risks, rewards and costs associated with such reasonably available alternatives. Firms are well served to provide guidance to their registered representatives on how to identify alternatives (as applicable) and to document the process. In addition, regarding the Conflict of Interest Obligation, member firms should identify conflicts of interest in a manner relevant to such member firms' businesses, and provide for ongoing processes to identify conflicts arising from changes in the firms' businesses or structures, changes in compensation structures and changes in product offerings. FINRA also highlights findings relating to Form CRS, including deficient Form CRS filings and failing to properly deliver Form CRS.

With respect to private placements, FINRA cites to FINRA Regulatory Notice 23-08 for a discussion of member firms' obligations when recommending private placements, including the obligation to conduct a reasonable investigation of those securities under Reg BI and FINRA Rule 2111, and other applicable rules, some of which impose obligations on member firms even in the absence of a recommendation.4 In addition, FINRA references the October 2023 update concerning its targeted exam sweep to review firms' offering of, and services provided to, Special Purpose Acquisition Vehicles, or "SPACs," and their affiliates.5

MARKET INTEGRITY

The Market Integrity section of the Report discusses: the Consolidated Audit Trail; best execution; disclosure of routing information; Regulation SHO – bona fide market making exemptions; fixed income – fair pricing; OTC quotations in fixed income securities (SEC Rule 15c2-11); advertised volume (FINRA Rule 5210); and the Market Access Rule (SEC 15c3-5). Below, we discuss certain key takeaways from this section of the Report.

This section of the Report emphasizes the SEC's adoption of rule changes to shorten the standard securities settlement cycle to T+1 for most broker-dealer transactions.6 The compliance date for the rule changes is May 28, 2024; this also is the date for firms to comply with updates to FINRA rules conforming to the T+1 settlement cycle. Importantly, the move to T+1 has implications for compliance with numerous rules and regulations, including, for example, Regulation SHO, the SEC financial responsibility rules, the payment period for purchases on Regulation T, FINRA rules related to clearly erroneous transactions, FINRA's Uniform Practice Code and recordkeeping requirements. FINRA encourages all member firms to review the rule changes related to the move to the T+1 settlement cycle and to take all necessary steps (technological and otherwise) to ensure they are prepared to comply with such rules on May 28, 2024.

Under the new topic of OTC quotations in fixed income securities, FINRA discusses the application of SEC Rule 15c2-11 ("Rule 15c2-11"), which governs the publication or submission of quotations by broker-dealers in a medium other than a national securities exchange,7 with respect to fixed income securities. The SEC has provided temporary no-action relief from Rule 15c2-11's requirements for fixed income securities with defined criteria, which continues until January 4, 2025. Additionally, in response to a petition for exemptive relief filed by Mayer Brown on behalf of the National Association of Manufacturers and the Kentucky Association of Manufacturers, the SEC issued an order in October 2023 granting broker-dealers permanent exemptive relief from Rule 15c2-11 for fixed income securities sold in compliance with the safe harbor of Rule 144A under the Securities Act of 1933.8 Given the SEC's attention in recent years to the application of Rule 15c2-11 to fixed income securities, this topic is likely to be the subject of increasing regulatory scrutiny by the SEC and FINRA, particularly as the expiration date of the temporary no-action relief for certain fixed income securities approaches. As such, member firms should closely review the Report's discussion of effective practices, findings and related considerations with respect to OTC quotations in fixed income securities.

The focus on advertised volume is noteworthy given that FINRA has been sanctioning firms for errors or failures for more than a decade. FINRA reminds member firms that if they communicate or advertise their trading activity to the market through service providers that disseminate that information to subscribers and the market, such firms must ensure the information is truthful, accurate and not misleading, consistent with the requirements of FINRA Rule 5210. In this regard, FINRA continues to find that some firms have overstated, or inflated, their trade volume data due to technological or procedural failures or errors.

FINRA adds the Market Access Rule, SEC Rule 15c3-5, as a new topic in the Report, with an extensive discussion of considerations, effective practices and findings relating to market access controls and corresponding parameters, among other things. FINRA also reminds firms with market access or that provide market access to their customers that they must appropriately control the risks associated with market access so as not to jeopardize their own financial condition, that of other market participants, the integrity of trading on the securities markets and the stability of the financial system.

FINANCIAL MANAGEMENT

The Financial Management section of the Report discusses: net capital; liquidity risk management; credit risk management; portfolio margin and intraday trading; and segregation of assets and customer protection.

With respect to net capital, FINRA notes certain deficiencies that it found in 2023 examinations focused on financial controls and net capital compliance, including: lack of supervisory review of various key functions (e.g., wire movements and financial report preparation); failure to properly designate Financial and Operations Principals per FINRA Rule 1220; misclassification of assets and liabilities, inadequate reconciliations and not adequately accruing liabilities; expense sharing and service level agreements that failed to adequately outline expense allocations as required under SEC rules and as addressed in Notice to Members 03-63 of the former National Association of Securities Dealers, Inc.; and providing persons not associated with the broker-dealer with authority over firm bank accounts (thereby allowing them to perform certain covered functions without proper registration).

Conclusion

Firms should review the Report's discussion of the new topics and new content for previously covered topics to identify potential gaps and areas in which they can enhance their compliance programs and supervisory controls. Moreover, firms should use the Report in preparation for regulatory exams and pay close attention to emerging risk areas relevant to their particular business operations and practices.

Footnotes

1. In September 2023, the Cyber and Analytics Unit (the "CAU") within FINRA's Member Supervision program published guidance stating that although the SEC's "new rules apply to SEC reporting companies (i.e., "public companies") and, therefore, only impact member firms that are public companies, FINRA recommends that all member firms review the rules as a guide to help ensure their cybersecurity risks are appropriately identified, assessed and managed, regardless of whether a member firm is subject to the new rules' requirements." See FINRA Cybersecurity Advisory - SEC Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (Exchange Act Release No. 97989) (Sept. 21, 2023) (emphasis added), available here.

2. See Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents, Exchange Act Release No. 97142 (Mar. 15, 2023), 88 FR 20212 (Apr. 5, 2023), available here.

3. The SEC proposed rules to address conflicts of interest associated with the use of predictive analytics and similar technologies by broker-dealers and investment advisers in investor interactions. Our Legal Update on this SEC proposal is available here.

4. For additional information regarding FINRA Regulatory Notice 23-08, see our Legal Update here.

5. See FINRA Provides Update on Sweep: Special Purpose Acquisition Companies (SPACs) (October 2023).

6. Our Legal Update regarding the SEC's adoption of final rules to shorten the standard securities settlement cycle to T+1 is available here.

7. Rule 15c2-11 generally prohibits publication of a quotation for any security in a quotation medium unless the broker-dealer has reviewed current and publicly available information about the issuer whose security is the subject of the quotation, and the broker-dealer believes this information is accurate and obtained from a reliable source.


© Copyright 2024. The Mayer Brown Practices. All rights reserved.