Every year, the Financial Industry Regulatory Authority releases a regulatory oversight report that “provides member firms with key insights and observations from recent activities of FINRA’s regulatory operations to use in strengthening their compliance programs.”
The 2024 version, which was released in late January, includes coverage of multiple topics: Financial Crimes, Cryptocurrency, Firm Operations, Communications & Sales, Market Integrity, and Financial Management.
To help our readers understand the significance of the report, we’ve summarized the main sections and provided insight into FINRA’s findings. The first blog of the series covered Financial Crime and Cryptocurrency. Today, we will take a look at sections on Firm Operations and Communications & Sales.
Firm Operations
OBAs & Private Securities Transactions
Incorrect interpretations of selling compensation and inadequate approval processes for private transactions lead the list of noted findings. Documentation, controls, and recordkeeping issues round out the list of findings for FINRA members’ OBAs and private securities transactions (PSTs).
FINRA identified overarching “effective practices” for this area:
- Questionnaires – Detailed, open-ended questionnaires addressing involvement (or potential involvement) in OBAs or PSTs
- Due Diligence – Conducted upon initial disclosure of OBAs or PSTs and periodically. Also review social media, email, and supporting documentation
- Monitoring – Establish monitoring to detect red flags of undisclosed OBAs or PSTs
- Affiliate Activities – FINRA Rules 3270 & 3280
- WSPs
- Training
- Disciplinary Action – Significant consequences for violations of WSPs
- Controls for Outside Crypto Asset-related Activities – Establish policies and procedures
- Crypto Asset Checklists – Create a list of considerations to determine whether crypto-related activities are OBAs or PSTs
Books & Records
Off-channel communications have been a high priority for FINRA and the SEC, with several enforcement actions in recent years. These continue to be an area of increased risk because these communications occur outside of member firms’ systems.
Findings noted in the report are: misinterpreted obligations, failure to maintain email correspondence, and failure to maintain converted records (particularly those converted to digital format). While the findings focus on failures at the firm level, the effective practices focus on vendors:
- Contract Review – Review vendor contracts to ensure compliance with records retention requirements
- Testing and Verification – Test recordkeeping vendor’s capabilities to fulfill requirements
Regulatory Event Reporting
U5 Guidance – FINRA reminds firms to provide “timely, complete, and accurate” information on the U5. Sufficient details must be provided so a “reasonable person” can understand the circumstances behind the termination.
The findings noted deal primarily with reporting issues both to the firm and FINRA as well as inadequate surveillance and incorrect application of Rule 4530 product/problem codes.
Effective practices are:
- WSPs – Particularly around reporting of customer complaints
- Compliance Questionnaires – Detailed annual questionnaires to verify accuracy of disclosures with appropriate follow-up questions
- FINRA Risk Monitoring Report Cards
- Surveillance of Communications Channels – Watch for customer complaint indicators
- Review of Registered Representatives’ Financial Condition – Review for issues that may indicate unreported events
- Review of Publicly Available Information – Periodic searches of associated persons’ names in public records for reportable events
- Assessing Disclosure Timelines
- Training – FINRA Rule 4530 requirements
Trusted Contact Persons
FINRA members are required in Rule 4512 to make a “reasonable” attempt to obtain contact information for a trusted contact person (TCP) over age 18. Findings relate to Rules 4512, 3241, and 2165. The findings noted in the report are: no reasonable attempt to obtain TCP information, no written disclosure, no documented training, no documented internal review, and attempted circumvention of FINRA Rule 3241.
The effective practices are:
- Training – Identifying red flags of customer exploitation, diminished capacity, and fraud
- Escalation Process – Create clear process to escalate potential red flags
- Emphasizing the Importance of TCP and Promoting Effective Practices
- Senior Investor Specialists
- Firm Outreach
Crowdfunding
The crowdfunding section of the report deals largely with funding portals. The findings noted are: failure to obtain written undertaking as required by Crowdfunding Rule 404; missing disclosures; failure to report customer complaints as required by Funding Portal Rule 300(c); late filings; not filing CMAs; offering investment advice or recommendations including soliciting purchases, sales, or offers; misleading statements; failing to transmit funds; and failing to take measures to reduce fraud risk.
The effective practices are noted as:
- Compliance Resources
- Supervision
Communications & Sales
Communications with the Public
FINRA appears to take aim at mobile apps and crypto assets within the scope of communications with the public. FINRA highlights: false, misleading, and inaccurate information in mobile apps; deficient communication promoting crypto assets (with multiple sub-findings); municipal securities advertisements; and communications promoting ESG factors. The findings are primarily related to false or misleading statements in communication with the public, which is a common deficiency.
The effective practices identified aim to combat these deficiencies as follows:
- Reasonably Designed Procedures for Mobile Apps
- Reasonably Designed Procedures for Digital Communications – Monitoring, training, content protocols, supervision, etc.
- Crypto Asset Retail Communications Review – Ensure communication provides fair and balanced picture of risks
- Differentiating Crypto Asset Products Communications from Broker-Dealer Products Communications
- Municipal Securities Advertisements
- Communications Promoting ESG Factors
Reg BI & Form CRS
FINRA found failures to comply with Reg BI obligations around the standard of care, conflicts of interest, disclosure, and compliance practices. Additionally, FINRA noted findings pertaining to Form CRS related to deficient filings; failing to deliver, post, and amend Form CRS; as well as misconstruing the obligations to file and deliver the document.
Effective practices are broken down as follows:
- Care Obligation
  - Costs and Reasonably Available Alternatives
  - Heightened Scrutiny of Investments for Retail Customers
- Conflict of Interest Obligation
  - Policies and Procedures
- Disclosure Obligation
  - Implementing Systems Enhancements for Tracking Delivery of Required Customer Documents
  - Providing Clear Disclosure on Account Type Recommendations
- Compliance Obligation
  - Implementing New Surveillance Processes
Private Placements
Findings around private placements were identified as: late filings; failure to comply with Reg BI’s conflicts of interest obligation; failing to conduct reasonable investigation (failing to fulfill reasonable basis obligations prior to recommending the private placement); and failure to evidence due diligence.
Effective practices include:
- Private Placement Checklist
- Bad Actor Questionnaires
- Independent Research
- Identifying Conflicts of Interest
- Responsibility for Reasonable Investigation and Compliance
- Review of Offering Terms
- Post-Closing Assessment
Targeted Exam: SPACs
FINRA observed areas firms should consider to determine whether supervisory systems are reasonably designed to address risks related to SPACs:
- Reasonable investigation of the issuers and the securities they recommend, including SPACs
- Underwriting compensation and disclosures
- Identifying, addressing, and disclosing potential or actual conflicts of interest when underwriting or recommending transactions in SPACs
- Firms’ supervisory systems, procedures, processes and controls for underwriting and recommending transactions in SPACs
Variable Annuities
FINRA Rule 2330 addresses member responsibilities related to deferred variable annuities. FINRA identified several findings: failing to supervise recommendations of exchanges (re: Reg BI & Rule 2330 compliance); inadequate surveillance; insufficient training for registered reps and supervisors on compliance with Reg BI & Rule 2330; poor and insufficient data quality; not appropriately supervising issuer buyout offers and surrender recommendations; failing to supervise recommendations for additional deposits in VA contracts; and insufficient consideration of reasonably available alternatives as required by Reg BI.
FINRA noted effective practices as:
- Automated Surveillance
- Detailed Rationales for VA Exchanges
- Clear Guidance for Retail Customers
- Review Thresholds
- Automated Data Supervision
- Data Integrity
- Data Acquisition – Key data to be acquired noted as follows:
  - Transaction date
  - Representative name
  - Customer name
  - Investment amount
  - Whether a new contract or additional investment
  - Contract type (qualified vs. non-qualified)
  - Contract number
  - Product issuer
  - Product name
  - Source of funds
  - Exchange identifier
  - Share class
  - Commissions
- Data Analysis – The following data points should be considered:
  - Branch location
  - Customer state of residence
  - Policy riders
  - Policy fees
  - Issuers of exchange policy
  - Exchanged policy product name
  - Date exchanged policy was purchased
  - Whether the customer has had another VA exchange within the preceding 36 months
  - Living benefit value, death benefit value, or both, that was forfeited
  - Surrender charges incurred
  - Any additional benefits surrendered with forfeiture
Check back in for the final part of our series covering the 2024 FINRA Annual Regulatory Oversight Report.