
A Summary of the 2024 FINRA Annual Regulatory Oversight Report: Financial Crimes and Crypto Asset Developments

Feb 12, 2024

To help our readers understand the significance of the 2024 FINRA Annual Regulatory Oversight Report, we’ve summarized the main sections and provided insight into FINRA’s findings. In the first blog of the series, we will cover Financial Crime and Cryptocurrency.

Every year, the Financial Industry Regulatory Authority (FINRA) releases a regulatory oversight report that “provides member firms with key insights and observations from recent activities of FINRA’s regulatory operations to use in strengthening their compliance programs.”

The 2024 version, which was released in late January, includes coverage of multiple topics: Financial Crimes, Cryptocurrency, Firm Operations, Communications & Sales, Market Integrity, and Financial Management. 


Financial Crimes

Cybersecurity

Firms must consider whether written supervisory procedures (WSPs) accurately reflect the firm’s current cybersecurity practices and risk profile. Deficiencies have been observed in the following areas: WSPs, branch office security controls, third-party vendor supply chain management, digital transformation and the adoption of cloud, account access authorization, new account opening identity validation, data loss prevention (DLP), log management practices, identity theft prevention program (ITPP), and SAR filings. 

FINRA sets out several “effective practices” for both technology management and cybersecurity in the Regulatory Oversight Report:

  • Technology Management
    • Data Backups
    • Vendor Management
    • Branch Office Procedures
    • Risk Assessments
    • Secure Configurations
    • Log Management
    • IT Resiliency
  • Cybersecurity
    • Account Intrusion
    • Imposter Domains
    • Outbound Email Monitoring
    • Potential Intrusion Report Card
    • Training and Security Awareness
    • Identity Verification

An additional “Emerging Risk” identified by FINRA is Artificial Intelligence (AI). AI has the potential to affect every aspect of a FINRA member firm’s compliance and regulatory obligations. FINRA reminds member firms that they “should be mindful that the regulatory landscape may change as this area continues to develop.” Firms should also note that the risks associated with AI and cybersecurity are ever-evolving, and a cybersecurity program cannot be a set-it-and-forget-it solution.

AML

FINRA has found deficiencies related to: inadequate verification of customer identity, inadequate responses to red flags (auto-approval, insufficient procedures, etc.), inadequate due diligence, inadequate ongoing monitoring and reporting of suspicious transactions, inadequate handling of FinCEN information reports, and inadequate testing. The common theme in the findings is that firms were unprepared for the risks present when working to combat money laundering and illegal activity in brokerage accounts. 

Effective practices identified in the report are:

  • Regulatory Updates – Review alerts, advisories, and other updates from regulatory and law enforcement agencies.
  • Risk Assessments
  • Verifying Customers’ Identities When Establishing Online Accounts
    • Emerging Risk: New Account Fraud – Stolen or synthetic information used to fraudulently open an account. This could be a precursor to other fraud schemes. Firms should review account (especially online-only) opening practices to monitor for new account fraud red flags in addition to other types of fraudulent activity.
  • Delegation and Communication of AML Responsibilities
  • Training

Manipulative Trading

The findings noted in the report for manipulative trading were centered on inadequate WSPs and insufficient surveillance practices. Surveillance controls were not adequately designed to detect manipulative trading, were not evaluated as to their effectiveness, or did not adequately monitor trading activity for patterns that may have indicated manipulation. 

The report identified effective practices related to:

  • Manipulative Schemes – Tailoring systems and processes to types of manipulative trading activity
  • Multiple Platform and Product Monitoring
  • Algorithmic Trading – Reference Regulatory Notice 15-09
  • Momentum Ignition Trading – Robust surveillance necessary to detect customers’ activity
  • Exchange Traded Products – Safeguards against front running and trading ahead using MNPI
  • Wash Trading – Monitor to detect customers using wash trading to collect liquidity rebates

Crypto Asset Developments (New for 2024)

A new addition to the report for 2024 is crypto assets. FINRA has included surveillance themes firms should be aware of, including Rules 2210 (Communications with the Public), 3110 (Supervision), and 3310 (Anti-Money Laundering Compliance Program). While not exhaustive, this list gives some insight into areas FINRA will focus on when addressing member firms’ cryptocurrency programs.

Market Abuse is a particular area of concern as bad actors take advantage of interest in crypto assets and blockchain. It is noted that these bad actors are using schemes commonly associated with low-priced securities as well as other manipulative practices.

Retail Communications related to crypto assets are noted to have a significantly higher rate of non-compliance than other products. In November 2022, FINRA conducted targeted examinations to review the practices of FINRA members actively communicating with retail customers about crypto assets and related services.

Effective practices for Crypto in the report are:

  • Due Diligence of Unregistered Offerings
  • On-Chain Reviews – Risk-based assessments when the firm or associated persons accept, trade, or transfer crypto assets (securities & non-securities).
  • Customer Outreach – Ensure customers have a clear understanding of the differences between brokerage and crypto accounts, etc.

Check back in for the next part of our series covering the 2024 FINRA Annual Regulatory Oversight Report. 
