Report on FINRA’s Examination and Risk Monitoring Program | January 2023
2023 Report on FINRA’s Examination and Risk Monitoring Program
JANUARY 2023
INTRODUCTION .... 1
FINANCIAL CRIMES NEW FOR 2023 .... 5
  Cybersecurity and Technology Governance .... 5
  Anti-Money Laundering, Fraud and Sanctions .... 9
  Manipulative Trading NEW FOR 2023 .... 15
FIRM OPERATIONS .... 18
  Outside Business Activities and Private Securities Transactions .... 18
  Books and Records .... 20
  Regulatory Events Reporting .... 22
  Firm Short Positions and Fails-to-Receive in Municipal Securities .... 24
  Trusted Contact Persons .... 26
  Funding Portals and Crowdfunding Offerings .... 28
COMMUNICATIONS AND SALES .... 31
  Reg BI and Form CRS .... 31
  Communications with the Public .... 39
  Private Placements .... 44
  Variable Annuities .... 46
MARKET INTEGRITY .... 50
  Consolidated Audit Trail (CAT) .... 50
  Best Execution .... 53
  Disclosure of Routing Information .... 55
  Fixed Income—Fair Pricing NEW FOR 2023 .... 58
  Fractional Shares—Reporting and Order Handling NEW FOR 2023 .... 60
  Regulation SHO—Bona Fide Market Making Exemptions and Reuse of Locates for Intraday Buy-to-Cover Trades NEW FOR 2023 .... 61
FINANCIAL MANAGEMENT .... 63
  Net Capital .... 63
  Liquidity Risk Management .... 64
  Credit Risk Management .... 67
  Portfolio Margin and Intraday Trading .... 68
  Segregation of Assets and Customer Protection .... 70
Appendix—Using FINRA Reports in Your Firm’s Compliance Program .... 72
Introduction
The 2023 Report on FINRA’s Examination and Risk Monitoring Program (the
Report) provides member firms with insight into findings from the recent oversight
activities of FINRA’s Member Supervision, Market Regulation and Enforcement
programs (collectively, regulatory operations programs). The Report reflects
FINRA’s commitment to providing greater transparency to member firms and the
public about our regulatory activities as well as the increasing integration among
our regulatory operations programs. We hope that this integrated approach will
also increase the Report’s utility for member firms as an information source they
can use to strengthen their compliance programs. As a result, this year’s Report
addresses a materially broader range of topics than in prior years (particularly in
the Market Integrity section). Additionally, the Report introduces a new Financial
Crimes section, consisting of three topics—Anti-Money Laundering (AML), Fraud
and Sanctions; Cybersecurity and Technological Governance; and Manipulative
Trading—that highlight FINRA’s increased focus on protecting investors and
safeguarding market integrity against these ongoing threats. As in the prior two
years, for each topic covered, the Report:
• identifies the relevant rule(s);
• highlights key considerations for member firms’ compliance programs;
• summarizes noteworthy findings or observations from recent oversight activities;
• outlines effective practices that FINRA observed through its oversight activities; and
• provides additional resources that may be helpful to member firms in reviewing their supervisory procedures and controls, and fulfilling their compliance obligations.
FINRA’s intent is that the Report be an up-to-date, evolving resource or library of
information for member firms. To that end, the Report builds on the structure and
content in the 2021 and 2022 Reports by adding new topics (e.g., Fixed Income
Fair Pricing, Manipulative Trading) denoted NEW FOR 2023 and new material (e.g.,
findings, effective practices) to existing sections where appropriate. (New material
in existing sections is in bold type.)
As always, FINRA welcomes feedback on how we can improve future publications
of this Report. Please contact Steve Polansky, Senior Director, Member Supervision
at (202) 728-8331 or by email; or Rory Hatfield, Principal Research Analyst, Member
Supervision at (240) 386-5487 or by email.
Updated on 1/13/2023
Selected Highlights
This Report highlights FINRA’s regulatory operations programs’ expanded focus on ongoing key areas of risk to
investors and the markets:
Reg BI and Form CRS
Regulation Best Interest (Reg BI) and Form CRS remain areas of focus across FINRA’s regulatory operations
programs. FINRA’s reviews of member firms’ adherence to their obligations pursuant to Reg BI and Form
CRS address a number of areas, such as making recommendations that adhere to Reg BI’s Care Obligation;
identifying and addressing conflicts of interest; disclosing to retail customers all material facts related to conflicts
of interest; establishing and enforcing adequate written supervisory procedures (WSPs), including the provision
of effective staff training; and filing, delivering and tracking accurate Forms CRS. Member firms should regularly
review and update their approach to compliance with Reg BI and Form CRS, taking into consideration new
interpretive guidance the SEC continues to issue.
Consolidated Audit Trail (CAT)
FINRA continues to evaluate member firms that receive or originate orders in National Market System (NMS)
stocks, over-the-counter (OTC) equity securities, and listed options for compliance with Securities Exchange
Act of 1934 (Exchange Act) Rule 613 and the CAT NMS Plan FINRA Rule 6800 Series (Consolidated Audit Trail
Compliance Rule) (collectively, CAT Rules). Generally, member firms have dedicated significant resources to CAT
implementation, and firms’ overall compliance with CAT reporting requirements remains high. FINRA’s reviews
of member firms’ compliance with CAT Rules include timely submission of reportable events and corrections,
reporting complete and accurate CAT records, and effectively supervising third-party vendors (including those
responsible for CAT submissions and clock synchronization).
Order Handling, Best Execution and Conflicts of Interest
FINRA continues to assess member firms’ compliance with their best execution obligations under FINRA Rule
5310 (Best Execution and Interpositioning), and Rule 606 of Regulation NMS, which requires broker-dealers to
disclose information regarding the handling of their customers’ orders in NMS stocks and listed options. FINRA’s
reviews of member firms’ compliance with these regulations include whether firms are fully and promptly
executing marketable customer orders, adequately conducting periodic “regular and rigorous reviews,” and
clearly and completely disclosing the specific terms of any profit-sharing relationships—such as payment for
order flow (PFOF)—with venues to which they route orders.
As noted in last year’s Report, FINRA has undertaken targeted regulatory efforts in this area in recent years.
Specifically, FINRA began a targeted exam in 2020 to evaluate the impact that not charging commissions has or
will have on member firms’ order-routing practices and decisions, and other aspects of member firms’ business.
Last year, FINRA also launched targeted reviews of wholesale market makers concerning their order handling
practices for customer orders they receive from other broker-dealers. This year’s Report includes findings and
observations from these targeted efforts in addition to observations from our ongoing regulatory efforts.
Mobile Apps
As noted in last year’s Report, mobile apps can benefit investors in several ways, including increasing their
market participation, expanding the types of products available to them and educating them on financial
concepts. However, these apps also raise novel questions and potential concerns, such as whether they
encourage retail investors to engage in trading activities and strategies that may not be consistent with their
investment goals or risk tolerance, and how the apps’ interface designs and functionality could influence investor
behavior.
FINRA has observed potential issues with some mobile apps not adequately distinguishing between products and
services of the broker-dealer and those of affiliates or other third parties (such as transactions involving crypto
assets). FINRA also continues to monitor how mobile apps disclose and explain risks of higher-risk products or
services.
Cybersecurity
Cybersecurity threats continue to be one of the most significant risks many customers and member firms face.
The frequency, sophistication and variety of attacks continue to increase; in 2022, for example, the attacks FINRA
witnessed included customer account intrusions, ransomware attacks and cyber-enabled fraud. In August 2022,
FINRA established the Cyber and Analytics Unit (CAU) to enhance our ability to proactively address the evolving
sophisticated cyber threat landscape and growth of the crypto-asset market. CAU has a team that examines
member firms’ cybersecurity risk management through reviews of their controls, a team responsible for
conducting investigations of cyber-related fraud and a team that investigates and examines crypto-asset activity.
FINRA has also increased our outreach to member firms this year to make them aware of cybersecurity threats.
These efforts include email alerts to member firms’ Chief Information Security Officers (CISOs) and Chief
Compliance Officers (CCOs), and notifying member firms when we identify website(s) or social media profiles
that may be attempting to impersonate that member firm, one or more of its current or previous registered
representatives, or individuals purporting to be associated with a member firm. In December 2022, FINRA issued
Regulatory Notice 22-29 (FINRA Alerts Firms to Increased Ransomware Risks) to provide firms with questions they
can use to evaluate their cybersecurity programs, information about possible additional ransomware controls
and relevant resources.
Complex Products and Options
FINRA will continue to review member firms’ communications and disclosures made to customers in relation
to complex products; FINRA will also review customer account activity to assess whether member firms’
recommendations regarding these products are in the best interest of the retail customer given their investment
profile and the potential risks, rewards and costs associated with the recommendation. In March 2022, FINRA
issued Regulatory Notice 22-08 (FINRA Reminds Members of Their Sales Practice Obligations for Complex Products
and Options and Solicits Comment on Effective Practices and Rule Enhancements) to reiterate member firms’
current regulatory obligations regarding complex products and options, and solicit comment on effective
practices member firms have developed for these products, particularly when retail investors are involved (as
well as whether the current regulatory framework appropriately addresses current concerns these products
raise).
In November 2022, FINRA announced a targeted exam of firms’ crypto asset retail communications, evaluating
whether these communications contain false or misleading statements or claims, misrepresent the extent to
which the federal securities laws or FINRA rules apply to a crypto asset product or service, or fail to balance the
benefits of crypto asset products with their associated investment risks. FINRA will share its findings from these
reviews at a future date.
In December 2022, FINRA provided an update on its targeted exam of firms’ practices and controls related to the
opening of options accounts and related areas, including account supervision, communications and diligence.
The update includes a list of questions for firms to consider—based on FINRA’s observations to date—when
evaluating whether their supervisory systems are reasonably designed to address risks related to supervising the
approval of options accounts (both self-directed and full-service brokerage accounts) and monitoring the trading
activity in options accounts.
How to Use This Report
We selected the topics in this Report for their interest to the largest number of member firms; consequently,
they may include areas that are not relevant to an individual member firm and omit other areas that are
applicable.
FINRA advises each member firm to review the Report and consider incorporating relevant elements into its
compliance program in a manner tailored to its activities. The Report is intended to be just one of the tools a
member firm can use to help inform the development and operation of its compliance program; it does not
represent a complete inventory of regulatory obligations, compliance considerations, findings, effective practices
or topics that FINRA will examine.
FINRA also reminds member firms to stay apprised of new or amended laws, rules and regulations, and update
their WSPs and compliance programs on an ongoing basis. FINRA encourages member firms to reach out to their
designated Risk Monitoring Analyst if they have any questions about the considerations, findings and effective
practices described in this Report.
Each area of regulatory obligations is set forth as follows:
Regulatory Obligations and Related Considerations
A brief description of:
• relevant federal securities laws, regulations and FINRA rules; and
• questions FINRA may ask or consider when examining your firm for compliance with such obligations.
Findings and Effective Practices
• Noteworthy findings that FINRA has noted at some—but not all—member firms, including:
  ◦ new findings from recent examinations, market surveillance, investigations or enforcement activities;
  ◦ findings we highlighted in prior Reports and that we continue to note in recent oversight activities;
  ◦ in certain sections, topics noted as Emerging Risks representing potentially concerning practices that FINRA has observed and which may receive increased scrutiny going forward; and
  ◦ for certain topics—such as Cybersecurity, Liquidity Management and Credit Risk—observations that suggested improvements to a firm’s control environment to address potential weaknesses that elevate risk, but for which there were not specific rule violations.
• Select effective practices FINRA observed through our oversight activities, as well as those we noted in prior Reports and which we continue to see, that may help member firms, depending on their business model, evaluate their own programs.
Additional Resources
A list of relevant FINRA Notices, other reports, tools and online resources.
The Report also includes an Appendix that outlines how member firms have used similar FINRA reports (e.g.,
Findings Reports, Priorities Letters) in their compliance programs.
As a reminder, the Report—like our previous Exam and Risk Monitoring Reports, Findings Reports and
Priorities Letters—does not create any new legal or regulatory requirements or new interpretations of existing
requirements, or relieve member firms of any existing obligations under federal securities laws and regulations.
You should not infer that FINRA requires member firms to implement any specific practices described in this
Report that extend beyond the requirements of existing federal securities provisions or FINRA rules. Rather,
member firms may consider the information in this Report in developing new, or modifying existing, practices
that are reasonably designed to achieve compliance with relevant regulatory obligations based on the member
firm’s size and business model. Moreover, some questions may not be relevant due to certain member firms’
business models, size or practices.
Financial Crimes NEW FOR 2023
Cybersecurity and Technology Governance
Regulatory Obligations and Related Considerations
Regulatory Obligations
Rule 30 of SEC Regulation S-P requires member firms to have written policies and procedures that address
administrative, technical and physical safeguards for the protection of customer records and information.
Regulation S-ID (Identity Theft Red Flags) requires member firms to develop and implement a written
program to detect, prevent and mitigate identity theft in connection with the opening or maintenance of
“covered accounts.” FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information) also
applies to denials of service and other interruptions to member firms’ operations. In addition to member
firms’ compliance with SEC regulations, FINRA reminds firms that cybersecurity remains one of the principal
operational risks facing broker-dealers and expects firms to develop and maintain reasonably designed
cybersecurity programs and controls that are consistent with their risk profile, business model and scale of
operations.
Cybersecurity incidents, such as account takeovers, ransomware or network intrusions, and any related exposure
of customer information or fraudulent financial activity can expose member firms to financial losses, reputational
risks and operational failures that may compromise firms’ ability to comply with a range of rules and regulations,
including FINRA Rules 4370, 3110 (Supervision) and 3120 (Supervisory Control System), as well as Exchange Act
Rules 17a-3 and 17a-4.
Related Considerations
Cybersecurity
• What steps has your firm taken to prevent a cybersecurity intrusion, such as a ransomware attack? In the event your firm experiences an intrusion, how will it restore critical data from backups, as well as identify and recover customer information that was exfiltrated?
• How does your firm protect sensitive customer information or confidential firm data from being exposed to, or copied by, nonauthorized individuals or threat actors, including blocking unauthorized copying and monitoring sensitive data in outbound emails?
• How does your firm monitor for imposter websites that may be impersonating your firm or your registered representatives? How does your firm address imposter websites once they are identified?
• What process has your firm established to assess the risks associated with third-party vendors during the initial onboarding and on a regular basis thereafter? In the event there is a report of a security breach at a vendor, can your firm identify all components and services third parties provide?
• What steps does your firm take to ensure only authorized employees, customers or contractors receive authenticated access to firm systems, such as account management, trading and email?
• How does your firm verify the identity of an individual when creating a new account or accessing an existing account?
• What kind of security training does your firm conduct, such as email best practices and phishing? Does your firm provide training to all staff, and not just to registered persons?
• What are your firm’s procedures to communicate cyber events to AML or compliance staff related to meeting regulatory obligations, such as filing of SARs and reviewing potentially impacted customer accounts?
• Does your firm maintain an Incident Response Plan (IRP) that includes guidance, or play books, for common cybersecurity incidents (e.g., data breaches, ransomware infections, account takeovers)?
FINRA Cybersecurity Alerts
• In 2022, FINRA supplemented our method of alerting firms to cybersecurity threats to include sending email alerts to firms’ CISOs and CCOs. This approach allows us to notify firms more directly and quickly when we identify certain cyber threats—typically a phishing email purporting to be from FINRA—or other significant industrywide cybersecurity threats or developments. Firms can also find these alerts under the “Most Recent” heading on the FINRA Cybersecurity topic page as well as on its Guidance tab. Note that FINRA will continue to publish cyber-related Regulatory Notices as required in addition to the email alerts.
• To further support firms’ efforts to identify imposter sites, FINRA is proactively notifying firms when we identify website(s) or social media profiles that may be attempting to impersonate that firm, one or more of its current or previous registered representatives, or individuals purporting to be associated with a firm.
Branch Controls
• How does your firm identify and address branch-specific cybersecurity risks, including those associated with branch-hosted email or other software systems and servers?
• If your firm permits registered representatives to use personal devices for business, how does your firm ensure its foundational security controls are implemented (e.g., security patches, anti-virus software)?
• Does your firm maintain an inventory of all technology assets branch office staff use to access your firm’s systems or data, including personal computers and servers?
• How does your firm review branch office security controls to ensure compliance with required standards established in your firm’s written policies and procedures?
• Do branch office personnel know how to respond to cybersecurity incidents in the branch, including when to report the incident to the home office?
Observations and Effective Practices
Observations
• Account Access Authentication: Lack of multifactor authentication (MFA) for login access to the firm’s operational, email and registered representative systems for employees, contractors and customers.
• New Account Opening Identity Validation: Ineffective processes and tools for validating the identity of customers opening new accounts or detecting suspicious activity associated with the opening of new accounts (e.g., multiple new accounts opened from the same internet protocol (IP) address).
• Identity Theft Prevention Program (ITPP): Implementing a generic ITPP that is not appropriate to the firm’s size and complexity, and the nature and scope of the firm’s activities; and not periodically updating the firm’s ITPP to reflect changes in identity theft risks.
• Data Loss Prevention (DLP) Monitoring: Not monitoring network activity to identify unauthorized copying or deletion of customer or firm data; and not monitoring outbound emails to identify sensitive customer data in text or attachments.
• Branch Office Security Controls: Not establishing security controls that branch offices must follow when they maintain their own email systems or other application systems or servers; and failing to respond when a branch office is not compliant with established security controls for maintaining a branch hosted email or application server.
• Third-Party Vendor Supply Chain Management: Not maintaining a list of all third-party services or hardware and software components the vendor provides and which the firm’s technology infrastructure uses.
• Digital Transformation and the Adoption of Cloud: Inadequate planning and design when adopting the use of cloud-based systems or technology.
• Log Management Practices: Not sufficiently logging or retaining data related to business or technical activities to effectively assist with the forensic analysis of cybersecurity incidents (e.g., determining the entry point and scope of an attack).
• WSPs: Not updating WSPs to reflect the firm’s current cybersecurity practices; and not enforcing the firm’s WSPs related to cybersecurity.
• Suspicious Activity Report (SAR) Filings: Not having reasonably designed procedures for investigating cyber events and considering whether a SAR filing is required, or not following applicable guidance from the Financial Crimes Enforcement Network (FinCEN) when evaluating whether a cyber event requires the filing of a SAR.
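The “multiple new accounts opened from the same IP address” red flag in the observations above can be checked directly against account-opening logs. The following is an added example, not FINRA’s code or a FINRA tool; the log line format, the one-hour window and the threshold of three openings are assumptions, and the log lines are constructed.

```python
"""Flag clusters of new-account openings from one source IP.

Added illustration of the 'multiple new accounts opened from the same IP
address' observation; not FINRA code. The log line format, the one-hour
window and the threshold of three are assumptions for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: UTC timestamp, event, account id, source IP).
SAMPLE_LOG = """\
2023-01-09T09:02:11Z ACCOUNT_OPEN acct=A1001 ip=203.0.113.7
2023-01-09T09:05:40Z ACCOUNT_OPEN acct=A1002 ip=203.0.113.7
2023-01-09T09:09:03Z ACCOUNT_OPEN acct=A1003 ip=198.51.100.22
2023-01-09T09:11:58Z ACCOUNT_OPEN acct=A1004 ip=203.0.113.7
2023-01-09T13:40:00Z ACCOUNT_OPEN acct=A1005 ip=203.0.113.7
2023-01-10T08:00:00Z ACCOUNT_OPEN acct=A1006 ip=192.0.2.9
2023-01-10T08:30:00Z LOGIN acct=A1006 ip=192.0.2.9
"""

OPEN_RE = re.compile(r"^(\S+) ACCOUNT_OPEN acct=(\S+) ip=(\S+)$")


def parse_openings(log_text):
    """Return (timestamp, account, ip) tuples for ACCOUNT_OPEN events only."""
    events = []
    for line in log_text.splitlines():
        m = OPEN_RE.match(line)
        if not m:  # logins and other events are out of scope for this check
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3)))
    return events


def find_ip_clusters(events, window_minutes=60, threshold=3):
    """Per IP, slide a time window over its openings; report IPs whose window
    ever holds at least `threshold` openings, with the accounts involved."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ts, acct, ip in sorted(events):
        by_ip[ip].append((ts, acct))
    alerts = {}
    for ip, opens in by_ip.items():
        start = 0
        for end in range(len(opens)):
            # Advance the window start until the span fits inside window_minutes.
            while opens[end][0] - opens[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                accts = {acct for _, acct in opens[start:end + 1]}
                alerts[ip] = sorted(set(alerts.get(ip, [])) | accts)
    return alerts


if __name__ == "__main__":
    for ip, accts in find_ip_clusters(parse_openings(SAMPLE_LOG)).items():
        print(f"review new accounts {', '.join(accts)} opened from {ip}")
```

With the sample data the afternoon opening (A1005) falls outside the one-hour window and is not part of the alert; widening the window to a day pulls it in, which is the tuning decision a firm makes against its own false-positive rate.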
Adoption of Cloud Computing
• FINRA has observed that many firms are moving existing applications or infrastructure systems—such as file storage, email systems, hosting and servers—to a cloud computing environment.
• Cloud computing providers enforce a shared security model. Proper planning, design and implementation of security controls and configurations are key to a successful cloud implementation.
• Firms can find guidance related to the adoption of cloud computing in an August 2021 FINRA Key Topics Article, Cloud Computing In The Securities Industry.
Effective Practices
• Data Backups: Completing regular backups of critical data and systems and ensuring the backup copies are encrypted and stored off-network; and regularly testing the recovery of data from backups to ensure information can be restored from backup tapes.
• Branch Office Procedures: Limiting the use of branch-managed servers for email or other applications (e.g., customer relationship management, reporting) and, if branch-managed servers are permitted, ensuring adequate security controls are maintained.
• Risk Assessments: Regularly assessing the firm’s cybersecurity risk profile based on changes in the firm’s size and business model and newly identified threats; and regularly updating the firm’s cybersecurity program and AML program based on those assessments.
• Account Intrusion: Reviewing potentially violative activity when identified to determine whether further action (e.g., trading and fund restrictions on the accounts) is appropriate.
• Imposter Domains: Monitoring the internet for any new imposter domains that pretend to represent the firm or a registered representative; and maintaining written procedures for responding to reports of imposter domains that include reporting the domains and notifying impacted customers or business partners.
• Outbound Email Monitoring: Implementing systems that scan outbound email text and attachments to identify and potentially block sensitive customer information or confidential firm data.
• Vendor Management: Maintaining a list of all third-party-provided services, systems and software components that can be leveraged (in the event of a cybersecurity incident at one of the firm’s third-party vendors).
• Identity Verification: For firms that allow new accounts to be opened online, developing a comprehensive process for validating the identity of new clients; and using third parties that can verify identities and provide a score related to the level of risk associated with a new account (to help firms determine if additional verification is required).
• Secure Configurations: Confirming that desktops, laptops and servers are using current software systems with secure settings that expose only required services to reduce system vulnerabilities; and implementing timely application of systems security patches.
• Log Management: Capturing log data from a broad set of sources and retaining it for a sufficient amount of time (e.g., a minimum of twenty-four months).
• Potential Intrusion Report Card: Leveraging the FINRA Cross Market Options Supervision: Potential Intrusion Report Card, which provides lists of trades related to potentially fraudulent options transactions facilitated by account takeover schemes.
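The “Outbound Email Monitoring” practice above (scanning outbound message text and attachments for sensitive customer data) can be illustrated with a small policy check. This is an added example, not FINRA’s code or any vendor’s DLP product; the message layout, the firm domain `example-broker.com`, the SSN and payment-card patterns, and the block/allow policy are assumptions, and the sample message is constructed.

```python
"""Outbound email DLP check for sensitive customer data in text and text attachments.

Added illustration of the 'Outbound Email Monitoring' effective practice; not
FINRA code. Message layout, detection patterns and the block/allow policy
are assumptions for the example.
"""
import re

# US SSN in dashed form; structural validity is checked separately.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-16 digit payment card number with optional single spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
INTERNAL_DOMAIN = "example-broker.com"  # assumed firm domain


def valid_ssn(area, group, serial):
    """Reject SSNs that cannot be issued (area 000/666/9xx, group 00, serial 0000)."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def luhn_ok(digits):
    """Luhn checksum; filters out random digit runs such as order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four digits so findings can be logged safely."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text):
    """Return [(kind, masked_value)] for each sensitive item found in text."""
    findings = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            findings.append(("ssn", mask(m.group(0))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("card", mask(m.group(0))))
    return findings


def evaluate_message(message):
    """Scan body and plain-text attachments; block external delivery on any finding."""
    findings = [("body", kind, val) for kind, val in scan_text(message["body"])]
    for name, content in message.get("attachments", {}).items():
        findings.extend((name, kind, val) for kind, val in scan_text(content))
    external = not message["to"].lower().endswith("@" + INTERNAL_DOMAIN)
    if findings and external:
        decision = "block"
    elif findings:
        decision = "allow_and_log"  # internal recipient: deliver but record the event
    else:
        decision = "allow"
    return decision, findings


# Constructed sample message (not real customer data).
SAMPLE_MESSAGE = {
    "to": "advisor.personal@mail.example",
    "body": "Per our call, the client's SSN is 219-09-9999 and card 4111 1111 1111 1111.",
    "attachments": {
        "notes.txt": "Ticket ref 000-12-3456; order id 1234567890123 (no card here).",
    },
}

if __name__ == "__main__":
    print(evaluate_message(SAMPLE_MESSAGE))
```

The structural SSN rules and the Luhn check are what keep a scanner like this from blocking every ticket reference or order id; findings are masked so the DLP log does not itself become a store of customer data.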
Additional Resources
• FINRA
  ◦ Cybersecurity Topic Page, including:
    ▪ Core Cybersecurity Threats and Effective Controls for Small Firms
    ▪ Cross-Market Options Supervision: Potential Intrusions Report Card
    ▪ Customer Information Protection Topic Page
    ▪ Firm Checklist for Compromised Accounts
    ▪ List of Non-FINRA Cybersecurity Resources
    ▪ Report on Selected Cybersecurity Practices – 2018
    ▪ Report on Cybersecurity Practices – 2015
    ▪ Small Firm Cybersecurity Checklist
• Regulatory Notices
  ◦ Regulatory Notice 22-29 (FINRA Alerts Firms to Increased Ransomware Risks)
  ◦ Regulatory Notice 22-18 (FINRA Reminds Firms of Their Obligation to Supervise for Digital Signature Forgery and Falsification)
  ◦ Regulatory Notice 21-42 (FINRA Alerts Firms to “Log4Shell” Vulnerability in Apache Log4j Software)
  ◦ Regulatory Notice 21-30 (FINRA Alerts Firms to a Phishing Email Campaign Using Multiple Imposter FINRA Domain Names)
  ◦ Regulatory Notice 21-29 (FINRA Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors)
  ◦ Regulatory Notice 21-18 (FINRA Shares Practices Firms Use to Protect Customers From Online Account Takeover Attempts)
  ◦ Regulatory Notice 20-32 (FINRA Reminds Firms to Be Aware of Fraudulent Options Trading in Connection With Potential Account Takeovers and New Account Fraud)
  ◦ Regulatory Notice 20-30 (Fraudsters Using Registered Representatives Names to Establish Imposter Websites)
  ◦ Regulatory Notice 20-13 (FINRA Reminds Firms to Beware of Fraud During the Coronavirus (COVID-19) Pandemic)
  ◦ Information Notice 03/26/20 (Measures to Consider as Firms Respond to the Coronavirus Pandemic (COVID-19))
• FinCEN
  ◦ Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime
Anti-Money Laundering, Fraud and Sanctions
Regulatory Obligations and Related Considerations
Regulatory Obligations
FINRA Rule 3310 (Anti-Money Laundering Compliance Program) requires that each member firm develop and
implement a written AML program that is approved in writing by senior management and is reasonably designed
to achieve and monitor the firm’s compliance with the Bank Secrecy Act (BSA) and its implementing regulations.
FINRA Rule 3310(a) requires that member firms establish and implement AML policies and procedures
that can be reasonably expected to detect and cause the reporting of suspicious transactions; FINRA
Rule 3310(c) requires that the AML program provide for independent testing for compliance each
calendar year (or every two years in some specialized cases); FINRA Rule 3310(e) requires that the
program provide ongoing training for appropriate personnel; and FINRA Rule 3310(f) requires that
member firms’ AML programs include appropriate risk-based procedures for conducting ongoing
customer due diligence.
Other requirements contained in the BSA’s implementing regulations include maintaining a Customer
Identification Program (CIP); verifying the identity of legal entity customers; establishing due diligence programs
to assess the money laundering risk presented by correspondent accounts maintained for foreign financial
institutions; and responding to information requests from FinCEN within specified timeframes.
Anti-Money Laundering Act of 2020
On January 1, 2021, Congress passed the FY2021 National Defense Authorization Act (NDAA), which included
the Anti-Money Laundering Act of 2020 (AML Act) and, within the AML Act, the Corporate Transparency Act
(CTA). Many provisions of the AML Act and the CTA require rulemaking or periodic reporting to Congress on
implementation efforts, assessments and findings. Firms should stay apprised of progress being made to
implement the AML Act, which is described on the FinCEN website.
Related Considerations
• Does your firm’s AML program reasonably address the AML risks associated with its business model, including new and existing business lines, products and services offered, customers and the geographic area in which your firm operates?
• Has your firm experienced substantial growth or changes to its business? If so, has your firm’s AML program evolved alongside the business?
• Does your firm have reasonably designed AML procedures to collect identifying information and verify the identity of its customers under the CIP Rule, and the beneficial owners of its legal entity customers under the Customer Due Diligence (CDD) Rule?
• Does your firm have reasonably designed AML procedures to detect red flags of identity theft or synthetic identity fraud in connection with account openings?
• Has your firm implemented Regulation S-ID (the SEC Identity Theft Red Flags Rule) and considered relevant identity theft red flags (particularly if your firm offers account openings online or through mobile apps)?
• Do your firm’s AML procedures recognize that suspicious activity reporting obligations may apply to any transactions conducted by, at or through your firm?
• Does your firm have reasonably designed AML procedures to identify and respond to red flags relevant to its
  business model, such as those detailed in:
  – Regulatory Notices 19-18 (FINRA Provides Guidance to Firms Regarding Suspicious Activity Monitoring and
    Reporting Obligations) and 21-03 (FINRA Urges Firms to Review Their Policies and Procedures Relating to
    Red Flags of Potential Securities Fraud Involving Low-Priced Securities); and
  – the FinCEN Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime and
    Frequently Asked Questions (FAQs) regarding the Reporting of Cyber-Events, Cyber-Enabled Crime,
    and Cyber-Related Information through Suspicious Activity Reports (SARs)?
• Does your firm have reasonably designed AML procedures to identify and respond to red flags of
  sanctions evasion?
• Does your firm comply with FinCEN’s guidance on reporting sanctions-related suspicious activity on
  Suspicious Activity Reports (SARs), including reporting information that it has not separately included
  in a blocking report filed with the U.S. Department of the Treasury’s (Treasury) Office of Foreign Assets
  Control (OFAC)?
• If your firm uses automated surveillance systems for suspicious activity detection and reporting, does your
  firm review the integrity of its data feeds and assess scenario parameters as needed?
• If your firm introduces customers and activity to a clearing firm, do your AML procedures reasonably address
  how your firm will coordinate with your clearing firm with respect to the filing of SARs?
• Has your firm established and implemented reasonable written procedures to:
  – communicate cyber events to your firm’s AML department, compliance department or both;
  – fulfill regulatory obligations, such as the filing of SARs; and
  – inform reviews of potentially impacted customer accounts?
• Does your firm’s independent AML testing confirm that your firm has established and implemented
  reasonably designed procedures for customer identification and verification, customer due diligence
  and suspicious activity reporting?
• Does your firm maintain appropriate risk-based procedures for conducting ongoing CDD to:
  – understand the nature and purpose of customer relationships; and
  – conduct ongoing monitoring to identify and report suspicious transactions, and, on a risk basis, to
    maintain and update customer information?
• Has your firm reviewed Treasury’s National Risk Assessments (NRAs) on Money Laundering, Terrorist
  Financing and Proliferation Financing, as well as FinCEN’s AML and countering the financing of terrorism
  priorities (AML/CFT Priorities), and considered incorporating this guidance into its risk-based AML program?
Findings and Effective Practices
Findings
• Misconstruing Obligation to Conduct CIP and CDD: Failing to recognize that certain formal
  relationships established with the firm to effect securities transactions are customer relationships
  (and, consequently, not conducting CIP or CDD as required).
• Inadequate Verification of Customer Identities: Failing to collect identifying information at the time
  of account opening and verify the identity of both customers and the beneficial owners of legal entity
  customers within a reasonable timeframe.
• Identity Theft: Failing to detect and respond to red flags of identity theft or synthetic identity fraud in
  connection with account opening.
Emerging Risk Area: Manipulative Trading in Small Cap IPOs
• FINRA, NASDAQ and NYSE have recently observed that initial public offerings (IPOs) for certain small cap,
  exchange-listed issuers may be the subject of market manipulation schemes, similar to so-called “ramp
  and dump” schemes.
• FINRA has observed significant unexplained price increases on the day of or shortly after the IPO of
  certain small cap issuers. These price increases appear to be associated with trading by apparent
  nominee accounts that invest in the small cap IPO and subsequently engage in apparent manipulative
  orders and trading activity.
• Some of the victims of ramp and dump schemes appear to be victims of social media scams such as “pig
  butchering,” a scheme previously associated with fraudulent crypto-related investment schemes.
• FINRA encourages firms to review Regulatory Notice 22-25 (Heightened Threat of Fraud: FINRA Alerts Firms
  to Recent Trend in Small Capitalization (Small Cap) IPOs) for potential indicators of these schemes and
  evaluate their compliance and risk management programs to confirm that they are monitoring for and
  addressing this threat.
• Additional findings and effective practices related to this topic can be found in the 2023 Report’s
  Manipulative Trading section.
• Inadequate Due Diligence: Failing to conduct initial and ongoing risk-based CDD to understand the
  nature and purpose of customer relationships to develop a customer risk profile, or conduct due
  diligence on correspondent accounts of foreign financial institutions in compliance with FINRA Rule 3310(b).
• Inadequate Ongoing Monitoring and Reporting of Suspicious Transactions:
  – Failing to establish and implement written AML procedures that can reasonably be expected to
    detect and cause the reporting of suspicious activity.
  – Failing to reasonably review for and respond to red flags associated with:
    – the movement or settlement of cash or securities (e.g., wire and ACH transfers, debit card and
      ATM transactions, securities trading (including order entry), journal transfers);
    – the member’s business operations, including activity related to high-risk products and services
      (e.g., cash management products and services; trading of low-priced, thinly traded securities); and
    – suspicious activity introduced to the member by other FINRA member broker-dealers.
  – Failing to notify the AML department of events that may require the reporting of a SAR, including
    cybersecurity events, account compromise or takeovers, or fraudulent wire or ACH transfers.
  – Failing to reasonably investigate inquiries from law enforcement, clearing firms, regulators or
    other federal and state agencies that concern red flags of suspicious activity.
• Inadequate Handling of FinCEN Information Requests: Failing to review and respond to information
  requests from FinCEN issued pursuant to Section 314(a) of the Patriot Act, or not doing so within the
  required two-week timeframe.
Emerging Risk Area: Sanctions Evasion
• Since February 2022, OFAC has taken several significant sanctions actions related to the Russian financial
  services sector in response to Russia’s actions in Ukraine. In response, on February 25, 2022, FINRA issued
  Regulatory Notice 22-06 (U.S. Imposes Sanctions on Russian Entities and Individuals) to provide firms with
  information about these actions, and to encourage firms to continue to monitor the OFAC website for
  relevant information. Firms should familiarize themselves with these sanctioned entities and individuals,
  and take steps to comply with OFAC’s regulations. (Questions about the details of OFAC’s sanctions
  should be directed to OFAC at (800) 540-6322.)
• On March 7, 2022, FinCEN issued alert FIN-2022-Alert001 (FinCEN Advises Increased Vigilance for Potential
  Russian Sanctions Evasion Attempts) to warn financial institutions of efforts to evade these sanctions and
  other U.S.-imposed restrictions implemented in connection with Russia’s actions in Ukraine. As FINRA
  has observed red flags of Russian sanctions evasion in its investigations involving activity in customer
  accounts (e.g., material changes in the type or volume of activity in such accounts after sanctions were
  announced), firms should consider how to appropriately monitor activity in customer accounts for Russian
  sanctions evasion.
• Inadequate Testing: Failing to conduct adequate independent testing of their AML program by:
  – not providing for annual testing of the program on a calendar year basis (or every two years in
    specialized circumstances);
  – not testing critical aspects of the AML program for reasonableness (e.g., suspicious activity
    detection and reporting), especially where firms have taken on new products, services or client
    bases that may have materially shifted the firm’s AML risk profile or situations where new threats
    to the industry are applicable to the firm;
  – conducting testing that is not reasonably designed, such as testing that fails to consider whether
    AML reports and systems are accurately and reasonably capturing suspicious transactions and are
    reasonably tailored to the AML risks of the member’s business; and
  – not confirming that persons with the requisite independence and qualifications perform the
    testing.
Effective Practices
• Regulatory Updates: Reviewing alerts, advisories, significant cases and other updates from the SEC,
  FinCEN, FINRA, and other regulators and agencies.
• Risk Assessments: Conducting formal, written AML risk assessments that are updated in appropriate
  situations, such as the findings of its independent AML test or other internal or external audits; changes
  in size or risk profile of the firm (e.g., changes to business lines, products and services, registered
  representatives, customers or geographic areas in which the firm operates); or material macroeconomic or
  geopolitical events.
• Verifying Customers’ Identities When Establishing Online Accounts: Incorporating additional methods
  for verifying customer identities as part of the firm’s CIP through, for example, methods such as:
  – requiring both documentary (e.g., drivers’ license) and non-documentary identifying information, or
    multiple forms of documentary information;
  – asking follow-up questions or requesting additional documents based on information from credit bureaus,
    credit reporting agencies or digital identity intelligence (e.g., automobile and home purchases);
  – contracting third-party vendors to help verify the legitimacy of suspicious information in customer
    applications;
  – validating identifying information that applicants provide through likeness checks;
  – reviewing the IP address of:
    – new online account applications for consistency with the customer’s home address; and
    – transfer requests (for consistency with locations from which the firm has previously received
      legitimate customer communications);
  – obtaining a copy of the account statement from the account slated to be transferred before
    sending an Automated Customer Account Transfer Service (ACATS) request;
  – delivering firms sending notifications to account owners (e.g., “push” notifications on mobile apps,
    emails, phone calls), contacting any broker(s) assigned to the account or both when an ACATS
    transfer is initiated;
  – ensuring that any tools used for automated customer verification are reasonably designed to
    detect red flags of identity theft and synthetic identity fraud;
  – limiting automated approval of multiple accounts for a single customer;
  – reviewing account applications for common identifiers (e.g., email address, phone number, physical
    address) present in other applications and in existing accounts, especially seemingly unrelated
    accounts; and
  – reviewing account applications for use of temporary or fictitious email addresses (e.g.,
    @temporaryemail.org) or phone number (e.g., 555-555-5555, 999-999-9999).
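As an added illustration (not code from the FINRA report), the following Python screens a constructed batch of online account applications for several of the red flags above: disposable email domains, placeholder phone numbers, identifiers shared with other applications or existing accounts, repeat applicants, and an application IP that geolocates away from the stated home address. The disposable-domain list, the IP-to-region table and every record are constructed assumptions; a firm would substitute its own reference data or a vendor geolocation service.

```python
"""Added example (not from the FINRA report): screening new online account
applications for the identity-fraud red flags listed above. All records,
the disposable e-mail list and the IP-to-region table are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical reference data a firm would maintain or license from a vendor.
DISPOSABLE_EMAIL_DOMAINS = {"temporaryemail.org", "mailinator.example"}
PLACEHOLDER_PHONES = {"5555555555", "9999999999"}
# Constructed IP-prefix -> US state table standing in for a geolocation service.
IP_REGIONS = [(ip_network("203.0.113.0/24"), "NY"),
              (ip_network("198.51.100.0/24"), "CA")]


@dataclass(frozen=True)
class AccountRecord:
    record_id: str
    customer_key: str   # e.g. a hashed tax id, used to recognise repeat applicants
    email: str
    phone: str
    address: str
    home_state: str
    source_ip: str      # address the application was submitted from


def normalize_phone(phone: str) -> str:
    return re.sub(r"\D", "", phone)


def normalize_address(address: str) -> str:
    return re.sub(r"\s+", " ", address.strip().lower())


def region_for_ip(ip_text: str):
    """Region from the constructed table, or None for an unknown/invalid IP."""
    try:
        ip = ip_address(ip_text)
    except ValueError:
        return None
    for net, region in IP_REGIONS:
        if ip in net:
            return region
    return None


def screen(applications, existing_accounts):
    """Return {record_id: [reasons]} for every application that trips a red flag.
    Identifiers are indexed across existing accounts *and* the incoming batch, so an
    e-mail, phone or address shared by two seemingly unrelated applicants is visible."""
    seen = defaultdict(set)  # (field, normalized value) -> record ids
    for rec in list(existing_accounts) + list(applications):
        seen[("email", rec.email.lower())].add(rec.record_id)
        seen[("phone", normalize_phone(rec.phone))].add(rec.record_id)
        seen[("address", normalize_address(rec.address))].add(rec.record_id)
        seen[("customer", rec.customer_key)].add(rec.record_id)
    flagged = {}
    for app in applications:
        reasons = []
        domain = app.email.rsplit("@", 1)[-1].lower()
        if domain in DISPOSABLE_EMAIL_DOMAINS:
            reasons.append(f"disposable email domain {domain}")
        digits = normalize_phone(app.phone)
        if digits in PLACEHOLDER_PHONES or len(set(digits)) <= 1:
            reasons.append(f"missing or placeholder phone {app.phone!r}")
        for field_name, value in (("email", app.email.lower()),
                                  ("phone", digits),
                                  ("address", normalize_address(app.address))):
            others = seen[(field_name, value)] - {app.record_id}
            if others:
                reasons.append(f"{field_name} shared with {sorted(others)}")
        repeats = seen[("customer", app.customer_key)] - {app.record_id}
        if repeats:
            reasons.append(f"same customer as {sorted(repeats)}; do not auto-approve")
        region = region_for_ip(app.source_ip)
        if region is not None and region != app.home_state:
            reasons.append(f"IP geolocates to {region}, home address is in {app.home_state}")
        if reasons:
            flagged[app.record_id] = reasons
    return flagged


# Constructed sample batch: one existing account and five new applications.
EXISTING = [AccountRecord("ACCT-100", "cust-A", "pat@example.com", "212-555-0100",
                          "1 Main St, Albany NY", "NY", "203.0.113.5")]
NEW_APPS = [
    AccountRecord("APP-1", "cust-B", "newuser@temporaryemail.org", "555-555-5555",
                  "9 Elm St, Buffalo NY", "NY", "198.51.100.7"),
    AccountRecord("APP-2", "cust-C", "Pat@Example.com", "646-555-0199",
                  "1 Main  St, Albany NY ", "NY", "203.0.113.9"),
    AccountRecord("APP-3", "cust-D", "lee@example.net", "415-555-0123",
                  "5 Oak Ave, San Jose CA", "CA", "198.51.100.20"),
    AccountRecord("APP-4", "cust-E", "kim@example.net", "408-555-0150",
                  "77 Pine Rd, Fresno CA", "CA", "198.51.100.30"),
    AccountRecord("APP-5", "cust-E", "kim.second@example.net", "408-555-0151",
                  "77 Pine Rd, Fresno CA", "CA", "198.51.100.31"),
]

if __name__ == "__main__":
    for record_id, reasons in sorted(screen(NEW_APPS, EXISTING).items()):
        print(record_id, "->", "; ".join(reasons))
```

APP-3 is the only application that passes cleanly; the others each surface a different flag from the list above.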
Emerging Risk Area: ACATS Fraud
As noted in Regulatory Notice 22-21 (FINRA Alerts Firms to Recent Trend in Fraudulent Transfers of Accounts
Through ACATS), FINRA has observed an increased number of fraudulent transfers of customer accounts
through ACATS, in which a bad actor will use the stolen identity of a legitimate customer to open an online
brokerage account. Shortly after successfully opening this account—generally, within a few days or weeks—
the bad actor will submit an ACATS request to transfer assets out of an account the legitimate customer
holds at a different firm. Once the ACATS request is processed and the legitimate customer’s assets are
transferred, the bad actor will subsequently (i.e., within a short period of time) attempt to move the ill-gotten
assets to an external account at another financial institution by:
• transferring the account assets (i.e., cash and securities) to an account at another financial institution;
• liquidating the securities or a portion of the securities transferred into the new account, then transferring
  any realized proceeds (along with any cash that was transferred to the new account) to an account at
  another financial institution; or
• purchasing additional securities using the transferred cash and then transferring those securities to an
  account at another financial institution.
FINRA encourages firms, especially those that offer online account opening services, to confirm that their
reviews of red flags of new account fraud are incorporated into their customer onboarding process.
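The sequence described in this box lends itself to a simple timeline rule. The Python below (an added example, not the report’s or FINRA’s code) walks a constructed event log and alerts when an inbound ACATS into a recently opened account is followed within days by one of the three exit patterns listed. The 30-day and 14-day windows and all events are illustrative assumptions, not regulatory thresholds.

```python
"""Added example (not from the FINRA report): flagging the ACATS fraud sequence
described in Regulatory Notice 22-21 over a constructed event log. The window
lengths below are illustrative assumptions chosen for this example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

NEW_ACCOUNT_WINDOW = timedelta(days=30)  # ACATS received this soon after opening
EXIT_WINDOW = timedelta(days=14)         # assets leave this soon after the transfer
OUTBOUND_KINDS = {"wire_out", "securities_out"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    kind: str           # open | acats_in | buy | sell | wire_out | securities_out
    amount: float = 0.0


@dataclass(frozen=True)
class Alert:
    account: str
    acats_ts: datetime
    account_age_days: int
    pattern: str
    outbound_total: float


def classify_exit(kinds):
    """Name which of the three exit variants the post-transfer activity matches."""
    if "sell" in kinds and "wire_out" in kinds[kinds.index("sell"):]:
        return "liquidate transferred securities, wire out proceeds"
    if "buy" in kinds and "securities_out" in kinds[kinds.index("buy"):]:
        return "buy securities with transferred cash, transfer securities out"
    return "transfer received assets out directly"


def acats_fraud_alerts(events):
    """One Alert per inbound ACATS into a young account that is followed by an
    outbound movement of cash or securities inside EXIT_WINDOW."""
    by_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_account[ev.account].append(ev)

    alerts = []
    for account, evs in by_account.items():
        opened = next((e.ts for e in evs if e.kind == "open"), None)
        if opened is None:
            continue  # no opening record in the log; out of scope for this rule
        for i, ev in enumerate(evs):
            if ev.kind != "acats_in":
                continue
            age = ev.ts - opened
            if age > NEW_ACCOUNT_WINDOW:
                continue
            follow_on = [e for e in evs[i + 1:] if e.ts - ev.ts <= EXIT_WINDOW]
            outbound = [e for e in follow_on if e.kind in OUTBOUND_KINDS]
            if not outbound:
                continue
            alerts.append(Alert(account, ev.ts, age.days,
                                classify_exit([e.kind for e in follow_on]),
                                sum(e.amount for e in outbound)))
    return alerts


def day(offset, hour=10):
    """Constructed timestamp helper: days relative to 1 Jan 2023."""
    return datetime(2023, 1, 1) + timedelta(days=offset, hours=hour)


# Constructed sample log covering four accounts.
SAMPLE_EVENTS = [
    # A-1: opened, receives ACATS 5 days later, liquidates and wires out within 2 days
    Event(day(0), "A-1", "open"),
    Event(day(5), "A-1", "acats_in", 250_000),
    Event(day(6), "A-1", "sell", 200_000),
    Event(day(7), "A-1", "wire_out", 248_000),
    # A-2: long-standing account, ACATS in, keeps investing (no alert)
    Event(day(-700), "A-2", "open"),
    Event(day(3), "A-2", "acats_in", 80_000),
    Event(day(9), "A-2", "buy", 20_000),
    # A-3: new account, buys with the transferred cash, transfers the securities out
    Event(day(1), "A-3", "open"),
    Event(day(12), "A-3", "acats_in", 60_000),
    Event(day(13), "A-3", "buy", 59_000),
    Event(day(15), "A-3", "securities_out", 59_000),
    # A-4: new account, ACATS in, but assets stay well past the exit window (no alert)
    Event(day(2), "A-4", "open"),
    Event(day(8), "A-4", "acats_in", 40_000),
    Event(day(70), "A-4", "wire_out", 5_000),
]

if __name__ == "__main__":
    for alert in acats_fraud_alerts(SAMPLE_EVENTS):
        print(alert)
```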
• Delegation and Communication of AML Responsibilities: Delegating AML duties to business units
  in the best position to detect and escalate red flags of certain suspicious activities; and establishing
  written escalation procedures and recurring cross-department communication between AML, compliance and
  relevant business unit(s).
• Training: Establishing and maintaining an AML training program for appropriate personnel that is
  tailored to the individuals’ roles and responsibilities, addresses industry developments impacting
  AML risk and regulatory developments, and, where applicable, leverages trends and findings from the
  firm’s QA controls and independent AML testing.
Additional Resources
FINRA Resources
• Anti-Money Laundering (AML) Topic Page
• Anti-Money Laundering (AML) Template for Small Firms
• Frequently Asked Questions (FAQ) regarding Anti Money Laundering (AML)
• Regulatory Notices:
  – Regulatory Notice 22-25 (Heightened Threat of Fraud: FINRA Alerts Firms to Recent Trend in Small
    Capitalization (“Small Cap”) IPOs)
  – Regulatory Notice 22-21 (FINRA Alerts Firms to Recent Trend in Fraudulent Transfers of Accounts
    Through ACATS)
  – Regulatory Notice 22-06 (U.S. Imposes Sanctions on Russian Entities and Individuals)
  – Regulatory Notice 21-36 (FINRA Encourages Firms to Consider How to Incorporate the Government-Wide
    Anti-Money Laundering and Countering the Financing of Terrorism Priorities Into Their AML Programs)
  – Regulatory Notice 21-18 (FINRA Shares Practices Firms Use to Protect Customers from Online Account
    Takeover Attempts)
  – Regulatory Notice 21-14 (FINRA Alerts Firms to Recent Increase in ACH “Instant Funds” Abuse)
  – Regulatory Notice 21-03 (FINRA Urges Firms to Review Their Policies and Procedures Relating to Red Flags of
    Potential Securities Fraud Involving Low-Priced Securities)
  – Regulatory Notice 20-32 (FINRA Reminds Firms to Be Aware of Fraudulent Options Trading in Connection
    with Potential Account Takeovers and New Account Fraud)
  – Regulatory Notice 20-13 (FINRA Reminds Firms to Beware of Fraud During the Coronavirus (COVID-19)
    Pandemic)
  – Regulatory Notice 19-18 (FINRA Provides Guidance to Firms Regarding Suspicious Activity Monitoring and
    Reporting Obligations)
FINRA Unscripted Podcasts
• AML Update: The Latest Trends and Effective Practices (May 2022)
• At, By or Through: Fraud in the Broker-Dealer Industry (April 2021)
• Overlapping Risks, Part 2: Anti-Money Laundering and Elder Exploitation (November 2020)
• Overlapping Risks, Part 1: Anti-Money Laundering and Cybersecurity (October 2020)
• Beyond Hollywood, Part II: AML Priorities and Best Practices (May 2019)
• Beyond Hollywood, Part I: Money Laundering in the Security Industry (April 2019)
SEC Resources
• Anti-Money Laundering (AML) Source Tool for Broker-Dealers
• Risk Alert: Compliance Issues Related to Suspicious Activity Monitoring and Reporting
• Staff Bulletin: Risks Associated with Omnibus Accounts Transacting in Low-Priced Securities
Treasury and FinCEN Resources
• Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime
• Advisory on Cybercrime and Cyber-Enabled Crime Exploiting the Coronavirus Disease 2019 (COVID-19)
  Pandemic
• Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments
• Advisory on Elder Financial Exploitation
• Advisory on Kleptocracy and Foreign Public Corruption
• Alert: FinCEN Advises Increased Vigilance for Potential Russian Sanctions Evasion Attempts
• Answers to Frequently Asked Questions Regarding Suspicious Activity Reporting and Other Anti-Money
  Laundering Considerations
• The Anti-Money Laundering Act of 2020
• Frequently Asked Questions (FAQs) regarding the Reporting of Cyber-Events, Cyber-Enabled Crime, and
  Cyber-Related Information through Suspicious Activity Reports (SARs)
• FIN-2022-Alert001 (FinCEN Advises Increased Vigilance for Potential Russian Sanctions Evasion
  Attempts)
• FinCEN 314(a) Fact Sheet
• The SAR Activity Review, Issue 8, Section 5 “Revised Guidance on Filing Suspicious Activity Reports
  Relating to the Office of Foreign Assets Control List of Specially Designated Nationals and Blocked
  Persons” (April 2005)
Treasury NRAs on Money Laundering, Terrorist Financing and Proliferation Financing
• In March 2022, Treasury issued the 2022 NRAs on Money Laundering, Terrorist Financing and
  Proliferation Financing, which highlight the most significant illicit finance threats, vulnerabilities and
  risks facing the United States. The NRAs are an important resource that firms can use to understand the
  current illicit finance environment and inform their own risk mitigation strategies.
• The findings within the NRAs align with the AML/CFT Priorities FinCEN issued in June 2021.
Other Resources
• Financial Action Task Force: Risk-based Approach Guidance for the Securities Sector (October 2018)
• Financial Action Task Force: Money Laundering and Terrorist Financing in the Securities Sector
  (October 2009)
Manipulative Trading NEW FOR 2023
Regulatory Obligations and Related Considerations
Regulatory Obligations
A number of FINRA rules prohibit member firms from engaging in impermissible trading practices, including
manipulative trading—for example, Rules 2010 (Standards of Commercial Honor and Principles of Trade), 2020
(Use of Manipulative, Deceptive or Other Fraudulent Devices), 5210 (Publication of Transactions and Quotations),
5220 (Offers at Stated Prices), 5230 (Payments Involving Publications that Influence the Market Price of a
Security), 5240 (Anti-Intimidation/Coordination), 5270 (Front Running of Block Transactions), 5290 (Order Entry
and Execution Practices) and 6140 (Other Trading Practices).
Under Rule 3110 (Supervision), member firms are required to supervise their associated persons’ trading
activities, and a firm’s supervisory procedures must include a process for the review of securities transactions
that is reasonably designed to identify trades that may violate the Exchange Act, SEC rules or FINRA rules
prohibiting insider trading and manipulative and deceptive devices.
Among other obligations, FINRA Rule 5210 prohibits member firms from publishing or circulating
communications regarding transactions and quotations unless they believe the information is bona fide; Rule
5270 prohibits trading in a security that is the subject of an imminent customer block transaction while in
possession of material, non-public market information concerning that transaction; and Rule 6140 contains a
number of requirements to ensure the promptness, accuracy and completeness of last sale information for
NMS stocks and to prevent that information from being publicly trade reported in a fraudulent or manipulative
manner.
Related Considerations
• Do your firm’s surveillance systems monitor for patterns of suspicious order entries and trading activity
  across multiple customers, multiple days or both? Does the surveillance system identify trading that appears
  to lack legitimate economic sense?
• Does your firm monitor for red flags of potential coordination among customers (e.g., numerous unrelated
  accounts being opened or depositing shares at the same time, multiple customers being referred to a firm by
  an issuer or third-party representative, multiple customer accounts accessed from the same IP address)?
• How does your firm determine thresholds for its surveillance controls to detect potentially manipulative
  trading?
• Does your firm take into consideration its business, client base and structure when establishing its
  surveillance thresholds?
• Do your firm’s supervisory procedures adequately address steps to analyze, document the review of, and
  escalate surveillance alerts where appropriate?
• What processes and procedures does your firm have in place to regularly assess whether changes in its
  business model or the addition of new customers require changes in supervisory controls to detect possible
  manipulation?
• Does your firm test changes to its surveillance controls before placing them into production, and monitor the
  changes for unanticipated impacts?
• Does your firm document changes to surveillance controls and the rationale for such changes?
Findings and Effective Practices
Findings
• Inadequate WSPs: Not identifying specific steps and individuals responsible for monitoring for manipulative
  conduct; and not outlining escalation processes for detected manipulative conduct.
• Non-Specific Surveillance Thresholds: Not reasonably designing and establishing surveillance controls
  to capture manipulative trading (e.g., thresholds not designed to capture the appropriate market class of
  securities or type of securities, or include both customer and proprietary trading; thresholds set too low or
  too high to identify meaningful activity).
• Surveillance Deficiencies: Not adequately monitoring customer activity for patterns of potential
  manipulation; not reviewing surveillance exception reports; not documenting review findings; not considering
  non-surveillance sources for red flags (e.g., inquiries from regulators or service providers); not training
  responsible staff.
Effective Practices
• Manipulative Schemes: Maintaining and reviewing customer and proprietary data to detect manipulative
  trading schemes (e.g., momentum ignition, layering, front running, trading ahead, spoofing, wash sales,
  prearranged trading), including those that involve correlated securities, such as stocks, exchange-traded
  products (ETPs) and options.
• Multiple Platform and Product Monitoring: Monitoring activity occurring across multiple platforms that
  also may involve related financial instruments or multiple correlated products.
• Algorithmic Trading: Using Regulatory Notice 15-09 (Guidance on Effective Supervision and Control Practices
  for Firms Engaging in Algorithmic Trading Strategies) to inform a firm’s surveillance program in areas such as
  general risk assessment and response; software/code development and implementation; software testing and
  system validation; trading systems; and compliance.
• Momentum Ignition Trading: Designing a robust surveillance program to detect firms’ customers engaging
  in potential momentum ignition trading, including:
  – layering and spoofing activity in which a customer places a non-bona fide order on one side of the market
    (e.g., above the offer or below the bid) to bait other market participants to react and trade with an order
    on the other side of the market; and
  – transactions in cross-product securities that manipulate the price of an underlying security, thereby
    influencing the price at which a market participant can either establish or close an overlying options
    position (e.g., marking the close, mini-manipulation).
• ETPs: Developing and maintaining a robust supervisory system to safeguard material, non-public information
  to prevent front running and trading ahead by:
  – establishing effective information barriers and controls to prevent information leakage and the misuse of
    material, non-public information;
  – reviewing for manipulative strategies that exploit the unique characteristics of ETPs (e.g., their creation and
    redemption processes) and strategies that exploit information leakage related to portfolio composition
    files; and
  – tailoring the firm’s compliance program to align with how the firm trades ETPs.
• Wash Trading: Monitoring activity to identify firms’ customers engaging in wash trading to collect liquidity
  rebates from exchanges by:
  – monitoring accounts identified as related (or in concert) in the firm’s wash/pre-arranged trading
    surveillance reports; and
  – reviewing trading activity that relates to information provided on account opening documents.
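As an added example (not from the report), the Python below pairs opposite-side executions in the same symbol, at the same price and size, within seconds of each other, between accounts the firm has identified as related or within a single account, which is the basic offsetting pattern behind wash and pre-arranged trades. The trades and the related-account mapping are constructed; the mapping is assumed to come from the firm’s wash/pre-arranged trading reports or from shared account-opening identifiers.

```python
"""Added example (not from the FINRA report): a minimal wash-trade pairing rule
over constructed executions. Prices are kept in cents (integers) so matching is
exact; a production rule would also handle partial fills and price tolerances."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Trade:
    ts: datetime
    account: str
    symbol: str
    side: str          # "buy" or "sell"
    qty: int
    price_cents: int


@dataclass(frozen=True)
class WashAlert:
    symbol: str
    buyer: str
    seller: str
    qty: int
    price_cents: int
    seconds_apart: float


def wash_trade_alerts(trades, related_group, window=timedelta(seconds=5)):
    """Pair each trade with the first later opposite-side trade in the same symbol,
    same size and price, inside `window`, whose account is in the same related
    group. `related_group` maps account -> group id; an unmapped account forms its
    own group, so a round trip inside one account is still matched."""
    ordered = sorted(trades, key=lambda t: t.ts)
    matched = set()
    alerts = []
    for i, t in enumerate(ordered):
        if i in matched:
            continue
        for j in range(i + 1, len(ordered)):
            u = ordered[j]
            if u.ts - t.ts > window:
                break  # ordered by time, nothing later can be inside the window
            if j in matched or u.symbol != t.symbol or u.side == t.side:
                continue
            if u.qty != t.qty or u.price_cents != t.price_cents:
                continue
            if related_group.get(t.account, t.account) != related_group.get(u.account, u.account):
                continue  # genuinely unrelated counterparty: beneficial ownership changes
            buyer, seller = (t, u) if t.side == "buy" else (u, t)
            alerts.append(WashAlert(t.symbol, buyer.account, seller.account, t.qty,
                                    t.price_cents, (u.ts - t.ts).total_seconds()))
            matched.update({i, j})
            break
    return alerts


# Constructed sample: ACC-A and ACC-B are flagged as related; ACC-C is unrelated.
T0 = datetime(2023, 1, 9, 9, 30)
RELATED = {"ACC-A": "grp-1", "ACC-B": "grp-1", "ACC-C": "grp-2"}
SAMPLE_TRADES = [
    Trade(T0, "ACC-A", "XYZ", "buy", 1000, 1000),
    Trade(T0 + timedelta(seconds=1), "ACC-B", "XYZ", "sell", 1000, 1000),   # offset within grp-1
    Trade(T0 + timedelta(seconds=2), "ACC-C", "XYZ", "sell", 1000, 1000),   # unrelated, no alert
    Trade(T0 + timedelta(seconds=30), "ACC-A", "QRS", "buy", 500, 2550),
    Trade(T0 + timedelta(seconds=32), "ACC-A", "QRS", "sell", 500, 2550),   # same-account round trip
    Trade(T0 + timedelta(seconds=60), "ACC-A", "XYZ", "buy", 300, 1010),
    Trade(T0 + timedelta(seconds=61), "ACC-B", "XYZ", "sell", 300, 1020),   # prices differ, no alert
]

if __name__ == "__main__":
    for alert in wash_trade_alerts(SAMPLE_TRADES, RELATED):
        print(alert)
```

Passing an empty mapping shows the second half of the rule: only the single-account round trip in QRS is still paired.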
Additional Resources
• Algorithmic Trading Key Topic Page
• Regulatory Notice 21-03 (FINRA Urges Firms to Review Their Policies and Procedures Relating to Red Flags of
  Potential Securities Fraud Involving Low-Priced Securities)
• Regulatory Notice 18-25 (FINRA Reminds Alternative Trading Systems of Their Obligations to Supervise Activity
  on Their Platforms)
• Regulatory Notice 17-22 (FINRA Adopts Rules on Disruptive Quoting and Trading Activity and Expedited
  Proceedings)
• Regulatory Notice 16-21 (Qualification and Registration of Associated Persons Relating to Algorithmic Trading)
• Regulatory Notice 15-09 (Guidance on Effective Supervision and Control Practices for Firms Engaging in
  Algorithmic Trading Strategies)
Firm Operations
Outside Business Activities and Private Securities Transactions
Regulatory Obligations and Related Considerations
Regulatory Obligations
FINRA Rules 3270 (Outside Business Activities of Registered Persons) and 3280 (Private Securities Transactions
of an Associated Person) require registered persons to notify their member firms in writing of proposed outside
business activities (OBAs), and all associated persons to notify their firms in writing of proposed private securities
transactions (PSTs), so firms can determine whether to prohibit, limit or allow those activities. A member
firm approving a PST where the associated person has or may receive selling compensation must record and
supervise the transaction as if it were executed on behalf of the firm.
Related Considerations
• What methods does your firm use to identify individuals involved in undisclosed OBAs and PSTs?
• Do your firm’s WSPs explicitly state when and how registered persons must notify your firm of a proposed
  OBA or PST?
• Does your firm require associated persons or registered persons to complete and update, as needed,
  questionnaires and attestations regarding their involvement—or potential involvement—in OBAs and PSTs;
  and if yes, how often?
• Does your firm monitor whether a previously approved OBA may have changed over time and
  potentially created new conflicts or issues; evolved into a PST requiring firm approval, supervising and
  recording of compensation; or both?
• Upon receipt of a written notice of proposed OBAs, does your firm consider whether they will interfere with
  or otherwise compromise the registered person’s responsibilities to your firm and its customers, be viewed
  by customers or the public as part of the member’s business or both? Does your firm also determine whether
  such activities should be treated as a PST (subject to the requirements of FINRA Rule 3280)?
• Does your firm have a process in place to update a registered person’s Form U4 with activities that meet the
  disclosure requirements of that form?
• Does your firm take into account the unique regulatory considerations and characteristics of digital assets
  when reviewing digital asset OBAs and PSTs?
• Does your firm record PSTs for compensation on its books and records, including PSTs involving new or
  unique products and services?
• How does your firm supervise activities that are PSTs, including digital asset PSTs, and document its
  compliance with the supervisory obligations?
• What training and guidance does your firm provide registered persons and associated persons, during
  onboarding and periodically thereafter, with regards to their potential engagement in OBAs and PSTs?
Findings and Effective Practices
Findings
• Incorrect Interpretation of Compensation: Interpreting “compensation” too narrowly (by focusing on only
  direct compensation, such as salary or commissions, rather than evaluating all direct and indirect financial
  benefits from PSTs, such as membership interests, receipt of preferred securities and tax benefits); and, as a
  result, erroneously determining that certain activities were not PSTs for compensation.
• Inadequate Approval Process for Potential PSTs: Approving participation in proposed PSTs for
  compensation without adequately considering how the proposed PSTs would be supervised as if they were
  executed on the firms’ behalf.
• No Documentation: Not retaining the documentation necessary to demonstrate the firm’s compliance with
  the supervisory obligations for PSTs and not recording the transactions on the firm’s books and records
  because certain PSTs were not consistent with the firm’s electronic systems (such as where securities
  businesses conducted by a registered person would not be captured in their clearing firm’s feed of purchases
  and sales activity).
• No or Insufficient Notice and Notice Reviews: Registered persons failing to notify their firms in writing
  of OBAs or, for associated persons, of PSTs; and WSPs not requiring the review of such notices, or the
  documentation that such reviews had taken place.
• Inadequate Controls: Inadequate controls to confirm adherence to limitations placed on OBAs or PSTs, such
  as prohibiting registered persons from soliciting firm clients to participate in an OBA or PST.
• No Review and Recordkeeping of Digital Asset Activities: Failing to conduct the required assessment of
  OBAs that involve digital assets or incorrectly assuming all digital assets are not securities and therefore not
  evaluating digital asset activities, including activities performed through affiliates, to determine whether they
  are more appropriately treated as PSTs; and for certain digital asset or other activities that were deemed to
  be PSTs for compensation, not supervising such activities or recording such transactions on the firm’s books
  and records.
Effective Practices
• Questionnaires: Requiring registered persons and other associated persons to complete upon hire, and periodically thereafter, detailed, open-ended questionnaires with regular attestations regarding their involvement—or potential involvement—in new or previously disclosed OBAs and PSTs (including asking questions relating to any other businesses where they are owners or employees; whether they are raising money for any outside activity; whether they act as “finders” for issuers seeking new investors; and any expected revenues or other payments they receive from any entities other than the firm, including affiliates).
• Due Diligence: Conducting due diligence to learn about all OBAs and PSTs at the time of a registered person’s initial disclosure to the firm and periodically thereafter, including interviewing the registered person and thoroughly reviewing:
  ◦ social media, professional networking and other publicly available websites, and other sources (such as legal research databases and court records);
  ◦ email and other communications;
  ◦ documentation supporting the activity (such as organizational documents); and
  ◦ OBAs that involve raising capital or directing securities transactions with investment advisers or fund companies in order to identify potential PSTs.
• Monitoring: Monitoring significant changes in, or other red flags relating to, registered persons’ or associated persons’ performance, production levels or lifestyle that may indicate involvement in undisclosed or prohibited OBAs and PSTs (or other business or financial arrangements with their customers, such as borrowing or lending), including conducting regular, periodic background checks and reviews of:
  ◦ correspondence (including social media);
  ◦ fund movements;
  ◦ marketing materials;
  ◦ online activities;
  ◦ customer complaints;
  ◦ financial records (including bank statements and tax returns);
  ◦ branch office activities; and
  ◦ gifts and gratuities logs.
• Affiliate Activities: Considering whether registered persons’ and other associated persons’ activities with affiliates, especially self-offerings, may implicate FINRA Rules 3270 and 3280.
• WSPs: Clearly identifying types of activities or investments that would constitute an OBA or PST, as well as defining selling compensation and in some cases providing FAQs to remind employees of scenarios that they might not otherwise consider to implicate these rules.
• Training: Conducting training on OBAs and PSTs during registered person and associated person onboarding and periodically thereafter, including regular reminders of written notice requirements and for registered persons to update their public disclosures.
• Disciplinary Action: Imposing significant consequences—including heightened supervision, fines or termination—for persons who fail to notify firms in writing of their OBAs and PSTs, or fail to receive approval of their PSTs for compensation.
• Digital Asset Checklists: Creating checklists with a list of considerations to confirm whether digital asset activities would be considered OBAs or PSTs (including reviewing private placement memoranda or other materials and analyzing the underlying products and investment vehicle structures).
Additional Resources
• Regulatory Notice 21-25 (FINRA Continues to Encourage Firms to Notify FINRA if They Engage in Activities Related to Digital Assets)
• Regulatory Notice 18-08 (FINRA Requests Comment on Proposed New Rule Governing Outside Business Activities and Private Securities Transactions)
• Notice to Members 96-33 (NASD Clarifies Rules Governing RRs/IAs)
• Notice to Members 94-44 (Board Approves Clarification on Applicability of Article III, Section 40 of Rules of Fair Practice to Investment Advisory Activities of Registered Representatives)
Books and Records
Regulatory Obligations and Related Considerations
Regulatory Obligations
Exchange Act Rules 17a-3 and 17a-4, as well as FINRA Rule 3110(b)(4) (Review of Correspondence and Internal Communications) and FINRA Rule 4511 (General Requirements) (collectively, Books and Records Rules) require member firms to, among other things, create and preserve, in an easily accessible place, originals of all communications received and sent relating to their “business as such” (e.g., emails, instant messages, text messages, chat messages, interactive blogs). This obligation applies to all member firms, including those that permit staff to use non-firm or third-party digital communications channels to conduct firm business.
Recent Amendments to Exchange Act Rule 17a-4’s Electronic Recordkeeping Requirements
The SEC has recently adopted amendments to Exchange Act Rule 17a-4 that modernize electronic
recordkeeping requirements for broker-dealers and make them adaptable to new technologies in electronic
recordkeeping.
Notably, the SEC is adding an audit-trail alternative to the existing requirement that firms preserve electronic
records exclusively in a non-rewriteable, non-erasable format—allowing firms to retain these records in a
manner that permits the recreation of an original record if it is altered, over-written or erased.
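As an added illustration (not code from FINRA, the SEC or any recordkeeping vendor) of what the audit-trail alternative has to deliver: every change to an electronic record is appended as a new hash-chained version instead of overwriting it, so the original can be recreated after alteration, over-writing or erasure, and any edit made outside the trail is detectable. The class and function names and the sample message are this example's own.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

GENESIS = "0" * 64   # prev_hash of the first version of every record


@dataclass(frozen=True)
class TrailEntry:
    record_id: str
    version: int
    action: str              # "create", "modify" or "erase"
    content: Optional[str]   # None once the record has been erased
    actor: str
    timestamp: int           # seconds since the epoch, supplied by the caller
    prev_hash: str           # entry_hash of this record's previous version
    entry_hash: str          # SHA-256 over all of the fields above


def entry_digest(record_id, version, action, content, actor, timestamp, prev_hash):
    """Deterministic hash of one trail entry (JSON keeps the field order stable)."""
    payload = json.dumps([record_id, version, action, content, actor, timestamp, prev_hash])
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditTrailStore:
    """Append-only trail: a change adds a version, it never overwrites one."""

    def __init__(self) -> None:
        self.trail: List[TrailEntry] = []        # the complete, ordered history
        self._head: Dict[str, TrailEntry] = {}   # latest version per record_id

    def _append(self, record_id, action, content, actor, timestamp):
        prev = self._head.get(record_id)
        if action == "create" and prev is not None:
            raise ValueError(f"{record_id} already exists")
        if action != "create" and prev is None:
            raise KeyError(record_id)
        version = 1 if prev is None else prev.version + 1
        prev_hash = GENESIS if prev is None else prev.entry_hash
        digest = entry_digest(record_id, version, action, content, actor, timestamp, prev_hash)
        entry = TrailEntry(record_id, version, action, content, actor, timestamp, prev_hash, digest)
        self.trail.append(entry)
        self._head[record_id] = entry
        return entry

    def create(self, record_id, content, actor, timestamp):
        return self._append(record_id, "create", content, actor, timestamp)

    def modify(self, record_id, content, actor, timestamp):
        return self._append(record_id, "modify", content, actor, timestamp)

    def erase(self, record_id, actor, timestamp):
        # "Erasing" only appends a tombstone; the earlier versions stay in the trail.
        return self._append(record_id, "erase", None, actor, timestamp)

    def current(self, record_id):
        return self._head[record_id].content

    def history(self, record_id):
        return [e for e in self.trail if e.record_id == record_id]

    def original(self, record_id):
        """Recreate the record as first created, whatever happened to it since."""
        return self.history(record_id)[0].content

    def verify(self):
        """Recompute every hash and chain link; False means the trail was altered."""
        last_hash: Dict[str, str] = {}
        for e in self.trail:
            expected_prev = last_hash.get(e.record_id, GENESIS)
            recomputed = entry_digest(e.record_id, e.version, e.action, e.content,
                                      e.actor, e.timestamp, e.prev_hash)
            if e.prev_hash != expected_prev or e.entry_hash != recomputed:
                return False
            last_hash[e.record_id] = e.entry_hash
        return True


def tamper_in_place(store: AuditTrailStore, index: int, content: str) -> None:
    """Simulate someone editing stored content without going through the trail."""
    e = store.trail[index]
    store.trail[index] = TrailEntry(e.record_id, e.version, e.action, content,
                                    e.actor, e.timestamp, e.prev_hash, e.entry_hash)


def demo() -> AuditTrailStore:
    """Constructed walk-through: an order instruction is altered and then erased."""
    store = AuditTrailStore()
    store.create("msg-0001", "Client instructs: buy 100 ABC", "rep-jdoe", 1_700_000_000)
    store.modify("msg-0001", "Client instructs: buy 1000 ABC", "rep-jdoe", 1_700_000_600)
    store.erase("msg-0001", "rep-jdoe", 1_700_001_200)
    return store
```

After `demo()`, `current()` is `None` but `original()` still yields the first version, and `verify()` flips to `False` as soon as `tamper_in_place()` edits a stored entry.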
Other amendments to Exchange Act Rule 17a-4 include:
• allowing firms to designate an executive officer, rather than an independent third party, to execute an undertaking that provides regulators with access to the firm’s electronic records;
• allowing an alternative undertaking for cloud service providers that is tailored to how they retain electronic records;
• eliminating the requirement that a broker-dealer notify its designated examining authority before employing an electronic recordkeeping system for the first time; and
• requiring that broker-dealers be able to produce electronic records in a reasonably usable electronic format that allows regulators to search and sort information on the records.
Firms should be aware that the amendments modify the language of the required undertakings under Exchange Act Rule 17a-4(f). As a result, all firms relying on Rule 17a-4(f) to preserve required records electronically must file new undertakings that include the new language with FINRA, including firms that elect to continue using their current third-party access arrangements.
For additional guidance, please see the “Exchange Act Rule 17a-4 Amendments: Chart of Significant Changes” link in this section’s Additional Resources.
Related Considerations
• Does your firm’s digital communication policy address all permitted and prohibited digital communication channels and features available to your customers and associated persons, including:
  ◦ procedures and controls to retain all correspondence by staff conducting firm business via third-party digital communications channels;
  ◦ processes and procedures to monitor for new communications methods available to customers and associated persons; and
  ◦ training and guidance your firm’s associated persons have to complete before they are permitted access to firm-approved communication channels?
• Does your firm review for red flags that may indicate a registered representative is communicating through an unapproved communication channel, and does your firm follow up on such red flags (e.g., email chains that copy unapproved representative email addresses, references in emails to communications that occurred outside approved firm channels or customer complaints mentioning such communications)?
• If your firm emails its clients and customers links to Virtual Data Rooms (VDRs)—online data repositories that secure and distribute confidential information—does your firm retain and store documents embedded in those links once the VDRs are closed?
• If your firm is converting paper records to electronic records, does it maintain procedures and controls to verify the conversion process (i.e., comparing electronic and original records) to confirm that the electronic records are accurate, complete and readable?
Findings and Effective Practices
Findings
• Misinterpreted Obligations: Not performing due diligence to verify vendors’ ability to comply with Books and Records Rules requirements; or not confirming that service contracts and agreements comply with the recordkeeping requirement because firms did not understand that all required records must comply with the Books and Records Rules, including records vendors store.
• Failure to Maintain Email Correspondence: Failing to maintain email correspondence of registered representatives, or outside or part-time CCOs and Financial and Operations Principals (FinOps), conducting firm business via third-party vendor email addresses, because vendors failed to automatically archive this correspondence, and staff failed to follow firms’ procedures to copy their firm email addresses on all business-related email correspondence.
• Failure to Maintain Converted Records: Failing to maintain policies and procedures and related controls to protect the integrity of records from the time the records were created or received throughout the applicable retention period and confirm physical books and records converted to electronic records were accurate, complete and readable.
Effective Practices
• Contract Review: Reviewing vendors’ contracts and agreements to assess whether firms will be able to comply with the recordkeeping requirements.
• Testing and Verification: Testing recordkeeping vendors’ capabilities to fulfill regulatory obligations by, for example, simulating a regulator’s examinations by requesting records and engaging regulatory or compliance consultants to confirm compliance with the recordkeeping requirements.
Additional Resources
FINRA
• Books and Records Topic Page
• Books and Records Requirements Checklist
• Exchange Act Rule 17a-4 Amendments: Chart of Significant Changes
• Frequently Asked Questions about the 2001 Amendments to Broker-Dealer Books and Records Rules Under the Securities Exchange Act of 1934
SEC
• Fact Sheet: Final Amendments to Electronic Recordkeeping Requirements
Regulatory Events Reporting
Regulatory Obligations and Related Considerations
Regulatory Obligations
FINRA Rule 4530 (Reporting Requirements) requires member firms to promptly report to FINRA, and associated
persons to promptly report to firms, specified events, including, for example, violations of securities laws and
FINRA rules, certain written customer complaints, certain disciplinary actions the firm takes and certain internal
conclusions of violations. Member firms must also report quarterly to FINRA statistical and summary information
regarding certain written customer complaints. In addition, Rule 4530 requires member firms to file with
FINRA copies of specified criminal actions, civil complaints and arbitration claims.
Related Considerations
• Does your firm provide periodic reminders or training on such requirements, and what consequences does your firm impose on those persons who do not comply?
• How does your firm monitor for red flags of unreported written customer complaints and other reportable events?
• How does your firm confirm that it accurately and timely reports to FINRA written customer complaints, including ones that associated persons reported to your firm’s compliance department?
• How does your firm determine the problem and product codes it uses for its statistical reporting of written customer complaints to FINRA?
• Does your firm look for trends in events and written customer complaints required to be reported pursuant to Rule 4530? How is information on trends raised to relevant business and compliance management?
• Do your firm’s procedures for reporting internal conclusions of violations:
  ◦ identify the person(s)—or, if applicable, the members of a committee—responsible for determining whether violations have occurred and, if so, whether they must be reported under FINRA Rule 4530(b), as well as the level of seniority of such person(s);
  ◦ provide protocols for escalating both violations and potential violations to such person(s), as well as for reporting internal conclusions of violations to FINRA (within 30 calendar days after your firm has concluded, or reasonably should have concluded, that a violation has occurred)?
Findings and Effective Practices
Findings
• No Reporting to the Firm: Associated persons not reporting written customer complaints, judgments concerning securities-, commodities- or financial-related insurance civil litigation and other events to the firms’ compliance departments because they were not aware of firm requirements.
• Inadequate Surveillance: Firms not conducting regular email and other surveillance for unreported events and written customer complaints.
• No Reporting to FINRA: Failing to report to FINRA written customer complaints that associated persons reported to the firms’ compliance departments.
• Incorrect Rule 4530 Product/Problem Codes: As part of the statistical reporting to FINRA, failing to use codes that correlated to the most prominent product or the most egregious problem alleged in the written customer complaints, but instead reporting less prominent or severe codes or other codes based on the firms’ investigations or other information.
Effective Practices
• Compliance Questionnaires: Developing detailed annual compliance questionnaires to verify the accuracy of associated persons’ disclosures, including follow-up questions (such as whether they are the subject of any pending lawsuits or arbitration claims or have received any written customer complaints).
• Email Surveillance: Conducting email surveillance targeted to identify unreported written customer complaints (by, for example, including complaint-related words in their keyword lexicons, reviewing for unknown email addresses and conducting random email checks).
• Review of Registered Representatives’ Financial Condition: Identifying expenses, settlements and other payments that may indicate unreported events by conducting periodic reviews of their associated persons’ financial condition, including background checks and credit reports.
• Review of Publicly Available Information: Conducting periodic searches of associated persons’ names on web forums, court filings and other publicly available databases, including reviewing for any judgments concerning securities-, commodities- or financial-related insurance civil litigation and other reportable events.
Additional Resources
• Rule 4530 Reporting Requirements Topic Page
• FINRA Report Center – 4530 Disclosure Timeliness Report Card
• Rule 4530 Frequently Asked Questions
• Rule 4530 Product and Problem Codes
• Regulatory Notice 20-17 (FINRA Revises Rule 4530 Problem Codes for Reporting Customer Complaints and for Filing Documents Online)
• Regulatory Notice 20-02 (FINRA Requests Comment on the Effectiveness and Efficiency of Its Reporting Requirements Rule)
• Regulatory Notice 13-08 (FINRA Amends Rule 4530 to Eliminate Duplicative Reporting and Provide the Option to File Required Documents Online Using a New Form)
• Regulatory Notice 11-06 (SEC Approved Consolidated FINRA Rule Governing Reporting Requirements)
Firm Short Positions and Fails-to-Receive in Municipal Securities
Regulatory Obligations and Related Considerations
Regulatory Obligations
As detailed in Regulatory Notice 15-27 (Guidance Relating to Firm Short Positions and Fails-to-Receive in Municipal Securities), customers may receive taxable, substitute interest instead of the tax-exempt interest they were expecting when a member firm effects sales to customers of municipal securities that are not under the firm’s possession or control.[9] This can occur when firm trading activity inadvertently results in a short position or a firm fails to receive municipal securities it purchases to fulfill a customer’s order.
Member firms must develop and implement adequate controls and procedures for detecting, resolving and preventing these adverse tax consequences to customers. Such procedures must include closing out fails-to-receive within the time frame prescribed within Municipal Securities Rulemaking Board (MSRB) Rule G-12(h); taking prompt steps to obtain physical possession or control of municipal securities that are short more than 30 calendar days in accordance with Exchange Act Rule 15c3-3(d)(4);[10] and confirming that their communications with customers regarding the tax status of paid or accrued interest for municipal securities are neither false nor misleading, in accordance with MSRB Rule G-17.
Related Considerations
• Does your firm use exception reports to monitor its municipal securities’ short positions, fails-to-receive and fails-to-deliver? If so, how does your firm use such reports, and which departments are responsible for monitoring and responding to them?
• When municipal securities short positions are identified, does your firm start the process of covering the shorts, or does your firm wait until the trades have settled?
• What is your firm’s process to close out fails-to-receive and fails-to-deliver in accordance with the methods and time frame prescribed under MSRB G-12(h)?
• How does your firm detect instances that would require it to pay customers substitute interest? In those circumstances, what is your firm’s process for notifying impacted customers and paying them substitute interest in a timely manner? If a customer does not want to receive substitute interest, what alternatives does your firm offer (e.g., offering to cancel the transaction and purchase a comparable security that would provide tax-exempt interest)?
• How does your firm handle inbound or outbound account transfers sent through ACATS that are delivered with no corresponding municipal bonds in possession or control?
Findings and Effective Practices
Findings
• Inadequate Supervisory Controls and Procedures: Not maintaining procedures and controls reasonably designed to prevent, identify and resolve short positions in municipal securities and the potential adverse consequences to customers when a firm does not maintain possession or control of municipal securities that a customer owns.
• Inadequate Lottery Systems: Opting to use a random lottery system as its primary means for addressing the consequences of existing short positions, given that these systems may not fairly or reasonably account for or allocate the associated and accrued substitute interest, or may result in the random allocation of the substitute interest to customer accounts that may not have contributed to the short position.
• Not Complying with the Prescribed Close-Out Timing: Failing to follow the close-out timeline under MSRB Rule G-12(h)—including the initial 10 days, the 10-day extension and the maximum close-out period of 20 days—and under Exchange Act Rule 15c3-3(d)(4), which requires a firm to take possession and control of such instruments within 30 days.
• Excluding Institutional Customers: Operating under the erroneous assumption that firms are not required to provide institutional (i.e., Delivery-versus-Payment or DVP) customers with the same level of care in preventing, detecting and resolving adverse tax consequences when the firm does not have possession and control of a tax-exempt municipal security (e.g., not addressing these customers in firm controls, procedures, WSPs or exception reports).
Effective Practices
• Preventative Controls: Maintaining processes to prevent or timely remediate municipal positions from settling short (e.g., covering these positions, finding a suitable alternative, cancelling the customer’s purchase) and reviewing or auditing the effectiveness of the processes.
• Review of Fail Reports: Municipal securities principals performing regular, periodic reviews of Fail Reports as part of firms’ efforts to comply with the close-out requirements of MSRB Rule G-12(h).
Additional Resource
• Regulatory Notice 15-27 (Guidance Relating to Firm Short Positions and Fails-to-Receive in Municipal Securities)
Trusted Contact Persons
Regulatory Obligations and Related Considerations
Regulatory Obligations
FINRA Rule 4512(a)(1)(F) (Customer Account Information) requires member firms, for each of their non-institutional customer accounts, to make a reasonable effort to obtain the name and contact information for a trusted contact person (TCP) age 18 or older. FINRA Rule 4512 also describes the circumstances in which member firms and their associated persons are authorized to contact the TCP and disclose information about the customer account.
FINRA Rule 3241 (Registered Person Being Named a Customer’s Beneficiary or Holding a Position of Trust
for a Customer) requires a registered person to decline being named a beneficiary of a customer’s estate,
executor or trustee, or to have a power of attorney for a customer unless certain conditions are met,
including providing written notice to the member firm and receiving approval. The rule requires the
member firm with which the registered person is associated, upon receiving required written notice from
the registered person, to review and approve or disapprove the registered person assuming such status
or acting in such capacity.
FINRA Rule 2165 (Financial Exploitation of Specified Adults) permits member firms to place temporary
holds on a disbursement of funds or securities and—as of March 2022, securities transactions—when
firms reasonably believe that financial exploitation has occurred, is occurring, has been attempted or will
be attempted and requires firms to notify the TCP, if available, when placing temporary holds.
Related Considerations
• Has your firm established an adequate supervisory system, including WSPs, related to seeking to obtain and using the names and contact information for TCPs and, if relying on Rule 2165, placing temporary holds to address risks relating to financial exploitations?
• Does your firm educate registered representatives about the importance of collecting and using trusted contact information, where possible?
Findings and Effective Practices
Findings
• No Reasonable Attempt to Obtain TCP Information: Not making a reasonable attempt to obtain the name and contact information of a TCP for all non-institutional customers (e.g., seeking to obtain this information only from senior non-institutional customers, not requesting this information within the firm’s regularly scheduled 36-month customer account records update letter).
• No Written Disclosures: Not providing a written disclosure explaining the circumstances under which the firm may contact a TCP when seeking to obtain TCP information (e.g., when a customer opens a new non-institutional account or when the firm updates an existing account’s information in accordance with FINRA Rule 4512(b)).
• No Documented Training: Relying on Rule 2165 but not developing and documenting training policies or programs reasonably designed to ensure associated persons comply with the requirements of Rule 2165.
• No Documented Internal Review: Relying on Rule 2165 but not retaining records that document the firm’s internal review underlying the decision to place a temporary hold on a disbursement or transaction.
Effective Practices
• Training: Conducting training, for both front office and back office staff, on the warning signs of potential: (1) customer exploitation; (2) diminished capacity; or (3) fraud perpetrated on the customer.
• Escalation Process: Implementing and training registered representatives to use a comprehensive process to escalate issues relating to seniors, including but not limited to concerns about financial exploitation, diminished capacity or cognitive decline.
• Emphasizing the Importance of TCP and Promoting Effective Practices:
  ◦ Emphasizing at the senior-management level on down the importance of collecting TCP information.
  ◦ Using innovative practices, such as creating target goals for collecting TCP and internally publicizing results among branch offices or regions.
  ◦ Promoting effective ways of asking for TCP information and seeking feedback from registered representatives and supervisors on techniques that they have successfully used that have not already been publicized across the organization.
  ◦ Establishing a system that notifies registered representatives when accessing non-institutional customer accounts that do not have a TCP listed and reminds them to request that information from customers.
  ◦ Providing guidance to registered representatives regarding contacting TCPs when the firm places a temporary hold.
• Senior Investor Specialists: Establishing specialized groups or appointing individuals to handle situations involving elder abuse or diminished capacity; contacting customers’ TCPs—as well as Adult Protective Services, regulators and law enforcement, when necessary—and guiding the development of products and practices focused on senior customers.
• Firm Outreach: Hosting conferences or joining industry groups focused on protecting senior customers.
Additional Resources
• FINRA
  ◦ Frequently Asked Questions Regarding FINRA Rules Relating to Financial Exploitation of Senior Investors
  ◦ Protecting Senior Investors 2015-2020 (April 30, 2020)
  ◦ Regulatory Notice 22-05 (FINRA Adopts Amendments to Rule 2165)
  ◦ Regulatory Notice 20-34 (Proposed Amendments to FINRA Rule 2165 and Retrospective Rule Review Report)
• FINRA, NASAA and SEC
  ◦ Investor Resources for Establishing a Trusted Contact
Emerging Financial Crime Risk: Senior Investors
Senior investors can be vulnerable to fraud, theft, scams and exploitation. When your firm is assessing
how it monitors customer account activity for red flags of financial crimes to which senior investors may be
vulnerable, consider these questions:
• Does your firm maintain specialized senior investor-focused or other exception reporting or surveillance that is reasonably designed to detect and report suspicious activity related to financial crimes to which senior investors are vulnerable?
• Does your firm’s monitoring program incorporate red flags of elder financial exploitation, such as those described in FinCEN’s June 15, 2022, advisory, which include:
  ◦ dormant accounts with large balances begin to show constant withdrawals;
  ◦ uncharacteristic, sudden, abnormally frequent or significant withdrawals of cash or transfers of assets from an older customer’s account;
  ◦ uncharacteristic attempts to wire large sums of money; and
  ◦ closing of accounts without regard to penalties?
• Additional resources that address potential warning signs of financial crimes relevant to senior investors include:
  ◦ Regulatory Notice 20-30 (Fraudsters Using Registered Representatives Names to Establish Imposter Websites)
  ◦ Regulatory Notice 19-18 (Suspicious Activity Monitoring and Reporting Obligations)
  ◦ FinCEN Advisory: Advisory on Elder Financial Exploitation (June 15, 2022)
  ◦ FinCEN Advisory: Imposter Scams and Money Mule Schemes Related to COVID-19
  ◦ U.S. Law Enforcement Takes Action Against Approximately 2,300 Money Mules In Global Crackdown On Money Laundering
  ◦ Old Trick, New Victims: The Rise of Money Mules During the Pandemic
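The four FinCEN red flags listed above, turned into account-screening logic as an added example (not code from FINRA’s report or FinCEN’s advisory). The thresholds, account identifiers and transactions are constructed for illustration; a real surveillance program would calibrate the thresholds to the firm’s own customer base and route hits to a reviewer rather than act on them automatically.

```python
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, List, NamedTuple


class Txn(NamedTuple):
    account: str
    when: date
    kind: str              # "deposit", "withdrawal", "wire_out" or "close"
    amount: float
    penalty: float = 0.0   # surrender or early-withdrawal penalty charged on closure


# Thresholds are this example's assumptions, not figures from the advisory.
RECENT_DAYS = 30         # activity window under review
BASELINE_DAYS = 180      # prior history the window is compared against
DORMANT_DAYS = 180       # gap in activity that counts as dormancy
LARGE_BALANCE = 100_000
LARGE_WIRE = 10_000
MIN_SPIKE_TOTAL = 2_500  # ignore tiny "spikes" on accounts with no baseline
SPIKE_FACTOR = 3.0       # recent amount/count vs. baseline monthly average
MONTHS_IN_BASELINE = BASELINE_DAYS / 30


def assess_account(txns: List[Txn], review_date: date) -> List[str]:
    """Return the red-flag codes raised by one account's activity."""
    txns = sorted(txns, key=lambda t: t.when)
    recent_start = review_date - timedelta(days=RECENT_DAYS)
    baseline_start = recent_start - timedelta(days=BASELINE_DAYS)
    past = [t for t in txns if t.when < recent_start]
    baseline = [t for t in past if t.when >= baseline_start]
    recent = [t for t in txns if recent_start <= t.when <= review_date]
    recent_wd = [t for t in recent if t.kind == "withdrawal"]
    base_wd = [t for t in baseline if t.kind == "withdrawal"]
    flags: List[str] = []

    # Balance entering the review window: deposits in, everything else out.
    balance = sum(t.amount if t.kind == "deposit" else -t.amount for t in past)

    # 1. Dormant account with a large balance begins to show constant withdrawals.
    if past and len(recent_wd) >= 3:
        idle_days = (recent_wd[0].when - past[-1].when).days
        if idle_days >= DORMANT_DAYS and balance >= LARGE_BALANCE:
            flags.append("DORMANT_LARGE_BALANCE_WITHDRAWALS")

    # 2. Uncharacteristic, sudden, abnormally frequent or significant withdrawals.
    base_monthly_amt = sum(t.amount for t in base_wd) / MONTHS_IN_BASELINE
    base_monthly_cnt = len(base_wd) / MONTHS_IN_BASELINE
    recent_amt = sum(t.amount for t in recent_wd)
    significant = recent_amt >= MIN_SPIKE_TOTAL and recent_amt > SPIKE_FACTOR * base_monthly_amt
    frequent = len(recent_wd) >= 3 and len(recent_wd) > SPIKE_FACTOR * base_monthly_cnt
    if significant or frequent:
        flags.append("UNCHARACTERISTIC_WITHDRAWALS")

    # 3. Uncharacteristic attempt to wire a large sum.
    largest_past_wire = max((t.amount for t in baseline if t.kind == "wire_out"), default=0.0)
    for t in recent:
        if t.kind == "wire_out" and t.amount >= LARGE_WIRE and t.amount > SPIKE_FACTOR * largest_past_wire:
            flags.append("LARGE_UNCHARACTERISTIC_WIRE")
            break

    # 4. Closing the account without regard to penalties.
    if any(t.kind == "close" and t.penalty > 0 for t in recent):
        flags.append("CLOSURE_DESPITE_PENALTY")
    return flags


def screen(txns: List[Txn], review_date: date) -> Dict[str, List[str]]:
    """Group transactions by account and assess each account separately."""
    by_account: Dict[str, List[Txn]] = defaultdict(list)
    for t in txns:
        by_account[t.account].append(t)
    return {acct: assess_account(rows, review_date) for acct, rows in sorted(by_account.items())}


# Constructed sample activity for four accounts held by older customers.
SAMPLE: List[Txn] = [
    # A-100: long dormant, large balance, then a run of withdrawals (flags 1 and 2)
    Txn("A-100", date(2022, 1, 10), "deposit", 250_000),
    Txn("A-100", date(2022, 9, 5), "withdrawal", 4_000),
    Txn("A-100", date(2022, 9, 8), "withdrawal", 4_500),
    Txn("A-100", date(2022, 9, 12), "withdrawal", 5_000),
    Txn("A-100", date(2022, 9, 15), "withdrawal", 4_800),
    # A-200: steady monthly withdrawals, then a large outbound wire (flag 3)
    Txn("A-200", date(2022, 2, 15), "deposit", 60_000),
    *[Txn("A-200", date(2022, m, 1), "withdrawal", 1_200) for m in range(3, 9)],
    Txn("A-200", date(2022, 9, 2), "wire_out", 48_000),
    # A-300: closed out despite a surrender penalty (flag 4)
    Txn("A-300", date(2021, 6, 1), "deposit", 90_000),
    Txn("A-300", date(2022, 9, 20), "close", 90_000, penalty=6_300),
    # A-400: regular modest withdrawals, nothing unusual
    Txn("A-400", date(2022, 1, 5), "deposit", 20_000),
    *[Txn("A-400", date(2022, m, 3), "withdrawal", 800) for m in range(5, 10)],
]
REVIEW_DATE = date(2022, 10, 1)


def demo() -> Dict[str, List[str]]:
    """Screen the constructed sample as of REVIEW_DATE."""
    return screen(SAMPLE, REVIEW_DATE)
```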
Funding Portals and Crowdfunding Offerings
Regulatory Obligations and Related Considerations
Regulatory Obligations
Title III of the Jumpstart Our Business Startups (JOBS) Act enacted in 2012 contains provisions relating to
securities offered or sold through crowdfunding. The SEC’s Regulation Crowdfunding and FINRA’s corresponding
set of Funding Portal Rules set forth the principal requirements that apply to funding portal members. Funding
portals must register with the SEC and become a member of FINRA. Broker-dealers contemplating engaging in
the sale of securities in reliance on Title III of the JOBS Act must notify FINRA in accordance with FINRA Rule 4518
(Notification to FINRA in Connection with the JOBS Act).
Regulation Crowdfunding imposes certain gatekeeper responsibilities on intermediaries (i.e., both
funding portals and broker-dealers that engage in Regulation Crowdfunding transactions). Rule 301(a)
under Regulation Crowdfunding provides in part that an intermediary must have a reasonable basis for
believing that an issuer seeking to offer and sell securities through the intermediary’s platform complies
with the requirements of Regulation Crowdfunding. Furthermore, Rule 301(c)(2) requires an intermediary
to deny access to its platform if it has a reasonable basis for believing the issuer or the offering presents
the potential for fraud or otherwise raises concerns about investor protection.
Additionally, Rule 404 under Regulation Crowdfunding imposes certain recordkeeping requirements
on funding portals. (Broker-dealer members that engage in Regulation Crowdfunding transactions are
subject to the full recordkeeping requirements under Exchange Act Rules 17a-3 and 17a-4, as well as
FINRA Rule 3110(b) and the 4510 Rule Series.) Rule 404 requires funding portal members to maintain
certain books and records relating to their funding portal activities. Using a third party to prepare and
maintain records on behalf of a funding portal does not relieve the funding portal of its recordkeeping
responsibilities.
Related Considerations
• What steps is your funding portal taking to ensure it maintains all required books and records in accordance with Regulation Crowdfunding Rule 404?
• What steps is your funding portal taking to ensure on and off platform communications (including social media) do not offer or contain recommendations, solicitations or investment advice?
Findings and Effective Practices for Funding Portals[11]
Findings
• Failure to Obtain Attestation: Not obtaining the attestation required by Regulation Crowdfunding Rule 404 when using a third-party vendor to store the required records.
• Missing Disclosures: Offerings on the platform do not contain all required disclosures as codified in Regulation Crowdfunding, in particular:
  ◦ names of officers and directors of the issuer, and the positions these individuals held for the past three years;
  ◦ descriptions of the purpose and intended use of proceeds, the process to complete the offering transaction or cancel an investment commitment, the ownership and capital structure, the material terms of any indebtedness of the issuer; and
  ◦ financial statements, as required by Regulation Crowdfunding Rule 201(t).
• Failure to Report Customer Complaints: Not reporting written customer complaints, as required by Funding Portal Rule 300(c).
• Untimely Required Filings: Not making required filings in a timely manner—such as filing the funding portal’s Statement of Gross Revenue by the deadline of March 1—and not filing updates or changes to contact information within 30 days of the change.
• Not Filing CMAs: Funding portals effecting changes in ownership without obtaining prior approval from FINRA, as required by Funding Portal Rule 110(a)(4).
• Offering Investment Advice or Recommendations; Soliciting Purchases, Sales or Offers: Sending electronic correspondence to customers that recommended investments or otherwise solicited purchases of securities, thereby violating the prohibitions under Regulation Crowdfunding Rule 402(a) against funding portals engaging in such activity.
• Misleading Statements: Failing to correct misleading statements that appeared on funding portals’ websites for offerings on their platforms.
• Failing to Transmit Funds: Failing to promptly direct the transmission of funds to the issuers upon the successful completion of the offerings or to return funds to investors upon cancellation of the offerings or in the event of oversubscription.
• Failing to Take Measures to Reduce Risk of Fraud: Not denying issuers or offerings access to funding portals’ platforms after funding portals had become aware of warning signs of potentially fraudulent activity during the onboarding process and during issuers’ campaigns.
Effective Practices
• Compliance Resources: Developing annual compliance questionnaires to verify the accuracy of associated persons’ disclosures, including follow-up questions (such as whether they have ever filed for bankruptcy, have any pending lawsuits, are subject to unsatisfied judgments or liens, or have received any written customer complaints), as well as compliance checklists and schedules to confirm that required obligations are being met in a timely manner, such as providing all issuer disclosures required by Regulation Crowdfunding Rule 201.
• Supervision: Implementing supervisory review procedures tailored to funding portal communications requirements that, for example, clearly define permissible and prohibited communications and identify whether any contemplated structural or organizational changes necessitate the filing of a CMA.
Additional Resources
• Funding Portals Topic Page, including:
  – Funding Portal Checklist
  – Written Supervisory Checklist for Funding Portals
Communications and Sales
Reg BI and Form CRS
Regulatory Obligations and Related Considerations
Regulatory Obligations
The SEC’s Regulation Best Interest (Reg BI) establishes a “best interest” standard of conduct for broker-dealers
and associated persons when they make recommendations to retail customers of any securities transaction
or investment strategy involving securities, including account recommendations. Pursuant to this standard, a
broker-dealer and its associated persons must not put their financial or other interests ahead of the interests of
a retail customer.
Separately, whether they make recommendations or not, member firms that offer services to retail investors
must file and provide retail investors with a Form CRS, a brief relationship summary that discloses material
information about the firm in plain language (e.g., investment services provided, fees, conflicts of interest, legal
and disciplinary history of the firms and financial professionals).
Reg BI and Form CRS became effective on June 30, 2020, and FINRA has been examining member firms’
implementation of related obligations throughout 2021–2022. FINRA will continue to share further findings as
we continue to conduct exams and gather additional information on member firms’ practices.
Related Considerations
Care Obligation
• When your firm makes a recommendation to a retail customer, does it exercise reasonable diligence, care and skill to:
  – understand the potential risks, rewards and costs associated with the recommendation;
  – form a reasonable basis to believe that the recommendation could be in the best interest of at least some retail customers; and
  – form a reasonable basis to believe that the recommendation is in the best interest of that particular retail customer by:
    ◦ understanding and considering the potential risks, rewards and costs associated with the recommendation;
    ◦ obtaining and analyzing sufficient information about the retail customer’s investment profile; and
    ◦ considering a sufficient array of reasonably available alternatives, including lower cost or lower risk alternatives, if any, your firm offers?
• Has your firm considered applying heightened scrutiny as to whether recommended investments that are high-risk, high-cost, complex or represent a high conflict of interest are in a retail customer’s best interest?
• For recommendations of types of accounts, does your firm:
  – establish a reasonable understanding of the characteristics of a particular type of account by considering factors such as:
    ◦ the services and products provided in the account (including ancillary services provided in conjunction with an account type, such as account monitoring services);
    ◦ alternative account types available;
    ◦ whether the account offers the services requested by the retail customer; and
    ◦ whether these factors are consistent with the retail customer’s investment profile and stated investment goals?
  – consider the projected costs of the recommended account, including, for example, account fees (e.g., asset-based, engagement, hourly), commissions and transaction costs (e.g., markups and markdowns), tax considerations, as well as indirect costs, such as those associated with payment for order flow and cash sweep programs?
• When making account rollover or transfer recommendations, including retirement accounts:
  – Does your firm ensure that it has a reasonable basis to believe that the rollover or transfer itself, the account type being recommended, and any securities or investment strategies recommended are in the retail customer’s best interest?
  – Does your firm consider, in addition to the general considerations for all account and securities recommendations, specific factors potentially relevant to rollovers or transfers, such as costs (e.g., costs associated with closing out securities, if the customer has to sell them as a result of the recommendation to transfer), level of services available, features of the existing account, available investment options, ability to take penalty-free withdrawals, application of required minimum distributions, protection from creditors and legal judgments, and holdings of employer stock?
Conflict of Interest Obligation
• Are your firm’s policies and procedures reasonably designed to prevent your firm or its associated persons from placing their interests ahead of the retail customers’ interests by:
  – identifying and, at a minimum, disclosing or eliminating conflicts associated with recommendations;
  – identifying and mitigating (i.e., modifying practices to reduce) conflicts that create an incentive for an associated person of your firm to place his or her interests or the interest of your firm ahead of the retail customer’s interest;
  – identifying and disclosing any material limitations placed on the securities or investment strategies involving securities that may be recommended to a retail customer (e.g., only making recommendations of your firm’s proprietary products) and any conflicts of interest associated with such limitations, and preventing such limitations and associated conflicts of interest from causing your firm or its associated persons to make recommendations that place the interests of your firm or the associated persons ahead of the retail customers’ interests; and
  – identifying and eliminating sales contests, sales quotas, bonuses and non-cash compensation that are based on the sales of specific securities or specific types of securities within a limited period of time?
• With respect to account recommendations, does your firm consider the following non-exhaustive list of practices that can help your firm meet its obligations with respect to conflicts of interest by:
  – avoiding compensation thresholds that disproportionately increase compensation through openings of certain account types;
  – adopting and implementing policies and procedures reasonably designed to minimize or eliminate incentives, including both compensation and non-compensation incentives, for employees to favor one type of account over another;
  – implementing supervisory procedures to monitor recommendations that involve the roll over or transfer of assets from one type of account to another (such as recommendations to roll over or transfer assets in an ERISA account to an IRA); and
  – adjusting compensation for financial professionals who fail to adequately manage conflicts of interest associated with account recommendations?
Disclosure Obligation
• Do your firm’s disclosures include full and fair disclosure of all material facts relating to the scope and terms of your firm’s relationship with retail customers (e.g., material fees and costs associated with transactions or accounts, material limitations involving securities recommendations, minimum account size required to open or maintain an account or establish a relationship, the investment approach, philosophy, or strategy that forms the general basis of your firm’s recommendations)?
• Prior to, or at the time of, the recommendation, has your firm provided full and fair disclosure to the retail customer regarding all material facts relating to conflicts of interest that are associated with the recommendation?
• Does your firm have adequate controls to assess whether it provides disclosures in a timely manner, and, if provided electronically, in compliance with the SEC’s electronic delivery guidance?
• Does your firm provide dually registered associated persons with adequate guidance on how to determine and disclose the capacity in which they are acting?
• Do your associated persons supplement firm disclosures when appropriate (e.g., an associated person’s licensure only permits them to recommend a limited range of securities products offered by your firm, an associated person who is a dual-registrant disclosing the capacity in which he or she is acting at the time of the recommendation, an associated person has additional material conflicts of interest related to the recommendation beyond those disclosed by your firm)?
• Do your associated persons periodically evaluate the materiality of any changes related to the scope and terms of their relationship with their customer to determine whether they are required to update the disclosures they provided to their retail customers?
Compliance Obligation
• Are your firm’s policies and procedures tailored to address your firm’s business lines, products and services, and customer base?
• Has your firm updated its existing policies and procedures to address all aspects of Reg BI, including aspects that go beyond suitability obligations (e.g., account-type recommendations, consideration of costs and reasonably available alternatives, elimination of the “control” element for assessing excessive trading, addressing conflicts, making required disclosures)?
• Do your firm’s policies and procedures:
  – identify specific individual(s) who are responsible for supervising compliance with Reg BI;
  – specify the supervisory steps and reviews appropriate supervisor(s) should take and their frequency; and
  – note how supervisory reviews should be documented?
• Does your firm evaluate and test the adequacy of its systems and controls considered to be critical in supporting compliance with Reg BI? For example:
  – How does your firm test its policies and procedures to determine if they are adequate and performing as expected?
  – Does your firm make enhancements to its supervisory system, procedures and processes based on feedback it has received from internal reviews, regulatory examinations or SEC and FINRA guidance concerning Reg BI compliance? If so, does your firm incorporate these enhancements into timely training provided to associated persons?
  – Does your firm continue to periodically re-evaluate its conflicts of interest, and the adequacy of its policies and procedures and related processes to prevent your firm from placing its interests ahead of the retail customer’s interests, in connection with changes to its product mix or business activities?
• If your firm initially determined that it had no obligation to comply with Reg BI, has it periodically re-evaluated its initial determination in light of any changes to its business practices (i.e., making recommendations to retail customers)?
• Has your firm considered how it will demonstrate (via documentation or otherwise) that it has met its obligations with respect to the basis for recommendations, particularly, though not exclusively:
  – recommendations of account types;
  – recommendations of complex, risky, or illiquid securities; or
  – recommendations that appear inconsistent with a retail customer’s investment profile?
Form CRS
• Does your firm prominently post the current Form CRS on its website?
• Does your firm periodically evaluate changes to its business mix or products or services offered, or otherwise periodically re-evaluate the accuracy of information (e.g., disciplinary history) in its Form CRS, to determine whether it is required to update and file an amended Form CRS? Does your firm have processes in place to communicate (without charge) any changes made to the Form CRS to retail investors who are existing customers?
• How does your firm track and memorialize the delivery of Form CRS and Reg BI-related disclosure documents to retail investors and retail customers?
Findings and Effective Practices
Findings
Reg BI
• Failure to Comply With Care Obligation:
  – Making recommendations of securities or investment strategies involving securities (including account type) without a reasonable basis to believe that they were in the best interest of a particular retail customer.
  – Recommending a series of transactions that were excessive in light of retail customers’ investment profiles and factors such as high cost-to-equity ratios and high turnover ratios.
  – Limiting consideration of cost solely to sales charges instead of also considering other relevant costs and fees, such as product- or account-level fees, when recommending a product.
  – Not maintaining profile information for retail customers in accordance with Exchange Act Rule 17a-3(a)(35), undermining the firm’s ability to demonstrate compliance with the Care Obligation (e.g., not obtaining complete or current customer profile information for new or existing retail customers).
  – Failing to conduct a reasonable investigation of offerings prior to recommending them to retail customers (e.g., unable to reasonably evidence due diligence efforts regarding the issuer; relying solely on the firm’s past experience and knowledge with an issuer based on previously completed offerings).
• Failure to Comply with Conflict of Interest Obligation:
  – Not identifying conflicts and disclosing or, if necessary, eliminating conflicts of interest associated with recommendations of securities transactions or investment strategies involving securities.
  – Not identifying and mitigating (i.e., modifying practices to reduce) conflicts of interest that create an incentive for an associated person to make securities recommendations that place the interests of the associated person or the firm ahead of the interests of the retail customer, including:
    ◦ not properly supervising or enforcing policy restrictions on certain types of recommendations (e.g., transactions in affiliated private funds) intended to mitigate or eliminate potential conflicts; and
    ◦ not identifying and mitigating potential conflicts regarding revenue or fee sharing arrangements with fund managers for offerings that were recommended to retail customers.
  – Not identifying and addressing all potential conflicts of interest relevant to a firm’s business model, including, but not limited to, material limitations on securities or investment strategies and conflicts associated with these limitations.
• Failure to Comply with Disclosure Obligation:
  – Not providing retail customers with “full and fair” disclosures of all material facts related to the scope and terms of their relationship with these retail customers or related to conflicts of interest that are associated with the recommendation, including:
    ◦ material fees received as a result of recommendations made (e.g., revenue sharing, or other payments received from product providers or issuers, as well as other fees tied to recommendations to rollover qualified accounts);
    ◦ potential conflicts of interest;
    ◦ material limitations in securities offerings; and
    ◦ transaction-based fees that were inconsistent with—and, in some cases, materially higher than—those outlined in Reg BI customer disclosures.
  – Associated persons, firms, or both, improperly using the terms “advisor” or “adviser” in their titles or firm names, even though they lack the appropriate registration.
• Failure to Comply with Compliance Obligation:
  – Failing to adopt and implement written policies and procedures that are reasonably designed to achieve compliance with Reg BI by:
    ◦ not identifying the specific individuals responsible for supervising for compliance with Reg BI; and
    ◦ stating the rule requirements but failing to identify how the firm will comply with those requirements (e.g., requiring associated persons to consider costs and reasonably available alternatives when making recommendations, but not specifically addressing or detailing how associated persons should do so).
  – Failing to modify existing policies and procedures to reflect Reg BI’s requirements by:
    ◦ not tailoring these procedures to firms’ business models;
    ◦ limiting the applicability of procedures to only specific types of recommendations to retail customers (e.g., those involving account rollovers) rather than all types of recommendations to retail customers of any securities transaction or investment strategy involving securities;
    ◦ not addressing conflicts that create an incentive for associated persons to place their interest or the firm’s interest ahead of those of retail customers; and
    ◦ not including provisions to address Reg BI-related recordkeeping obligations.
  – Failing to develop adequate controls or developing adequate controls but not memorializing these processes in their WSPs.
  – Failing to enforce Reg BI procedures or supervisory processes for compliance, such as outlining documentation requirements but failing to implement any process to confirm associated persons are complying with those requirements.
  – Failing to maintain sufficient systems or controls supporting firms’ ongoing trade surveillance to identify potential non-compliance with Reg BI, such as relying on manual review methods that were inconsistently performed or controls that were not reasonable given firms’ volume of transactions.
  – Failing to conduct adequate or ongoing training of associated persons regarding the use of systems and processes established to support Reg BI compliance.
  – Failing to ensure that recommendations involving variable annuities were compliant with Reg BI (e.g., not adequately collecting and retaining key information on variable annuity transactions, and not sufficiently training registered representatives and supervisors to determine whether variable annuity exchanges complied with the standards of Reg BI).
Form CRS
• Deficient Form CRS Filings: Firms’ Form CRS filings significantly departing from the Form CRS instructions or SEC guidance by:
  – exceeding prescribed page lengths;
  – omitting material facts (e.g., description of services offered, limitations of the firm’s investment services, incomplete or inaccurate cost disclosures);
  – inaccurately representing the firm’s or its financial professionals’ disciplinary histories, including inappropriate qualifying language to explain disciplinary history;
  – failing to describe types of compensation and compensation-related conflicts;
  – incorrectly stating that the firm does not provide recommendations;
  – changing or excluding language required by Form CRS; and
  – not resembling a relationship summary, as required by Form CRS.
• Failing to Properly Deliver Form CRS: Failing to deliver or not creating a record of the date on which your firm provided each Form CRS to each retail investor, including any Form CRS provided before such retail investor opened an account.
• Failing to Properly Post Form CRS: For firms that have a public website, failing to post or failing to post prominently, in a location and format that is easily accessible to retail investors, the current Form CRS (e.g., requiring multiple click-throughs or using confusing descriptions to navigate to the Form CRS).
• Failing to Adequately Amend Form CRS: Firms not in compliance with Form CRS in relation to material changes because they:
  – failed to timely re-file in CRD (i.e., within 30 days of the date when Form CRS became materially inaccurate); or
  – failed to communicate or timely communicate changes to existing retail investor customers (e.g., delivering amended summary, with required exhibits, showing revised text or summarizing material changes or communicating the information through another disclosure within 60 days after the updates are required to be made—90 days total from the date when Form CRS became materially inaccurate).
• Misconstruing Obligation to File and Deliver Form CRS:
  – Incorrectly assuming that the requirement to file and deliver a Form CRS hinges solely on making recommendations, rather than also when placing an order or opening a brokerage account for a retail investor.
  – Incorrectly assuming a firm is not subject to the Form CRS delivery obligation because of, among other things, their customer base (e.g., retail investors who are high-net-worth individuals) or the services they offer (e.g., selling investment company products held directly by an issuer, self-directed accounts).
Effective Practices
Care Obligation
• Costs and Reasonably Available Alternatives: Including in procedures and processes specific factors related to evaluating costs and reasonably available alternatives to recommended products, including but not limited to:
  – outlining firm documentation practices;
  – discussing limitations on complex or higher-risk products, such as firm concentration guidelines or minimum liquid net worth requirements;
  – establishing clear supervisory processes that address reviews and documentation required by principals;
  – sampling recommended transactions to evaluate how costs and reasonably available alternatives were considered;
  – providing clear guidance to associated persons making recommendations on how to evaluate costs and reasonably available alternatives, such as by:
    ◦ using worksheets, in paper or electronic form, to compare costs and reasonably available alternatives; or
    ◦ specifying the relevant factors to consider when evaluating costs (e.g., deferred sales charges) and reasonably available alternatives (e.g., similar investment types from the issuer or less complex or risky products available at the firm); and
  – updating client relationship management (CRM) tools that automatically compare recommended products to reasonably available alternatives.
• Heightened Scrutiny of Investments for Retail Customers: Mitigating the risk of making recommendations that might not be in a retail customer’s best interest by:
  – establishing product review processes to identify and categorize risk and complexity levels for existing and new products; and
  – applying heightened supervision to recommendations of products, or investment strategies involving securities, that are high-risk, high-cost, complex or represent a high conflict of interest, or limiting such recommendations to specific customer types.
Conflict of Interest Obligation
• Policies and Procedures: Establishing and implementing policies and procedures to address conflicts of interest across business lines, compensation arrangements, relationships or agreements with affiliates, and activities of their associated persons by:
  – using conflicts committees or other mechanisms, or creating conflicts matrices tailored to the specifics of the firm’s business that address, for example, conflicts across business lines and how to eliminate, mitigate or disclose those conflicts;
  – revising commission schedules for recommendations within product types to flatten the percentage payout rate to employees; and
  – broadly prohibiting all sales contests, regardless of whether they are based on the sale of specific securities, or specific types of securities, within a limited period of time.
Disclosure Obligation
• Implementing Systems Enhancements for Tracking Delivery of Required Customer Documents: Tracking and delivering Form CRS and Reg BI-related documents to retail investors and retail customers in a timely manner by:
  – automating tracking mechanisms to evidence delivery of Form CRS and other relevant disclosures; and
  – memorializing delivery of required disclosures at the earliest triggering event.
Compliance Obligation
• Implementing New Surveillance Processes: Monitoring associated persons’ compliance with Reg BI by:
  – conducting at least monthly reviews to confirm that their recommendations meet Care Obligation requirements, including system-driven alerts or trend criteria to identify:
    ◦ account type or rollover or transfer recommendations that may be inconsistent with a retail customer’s best interest;
    ◦ products that are high-risk, high-cost, complex or represent a high conflict of interest;
    ◦ excessive trading; and
    ◦ sale of the same product(s) to a high number of retail customers; and
  – monitoring communication channels (e.g., email, social media) to confirm that associated persons who were not investment adviser representatives (IARs) were not using the word “adviser” or “advisor” in their titles.
• Incorporating Reg BI-specific reviews into the branch exam program, in addition to other ongoing monitoring and surveillance.
• Focusing on areas such as documenting Reg BI compliance and following the firms’ Reg BI protocols (as part of overall Reg BI compliance efforts).
Additional Resources
• FINRA
  – SEC Regulation Best Interest Key Topics Page
  – 2022 FINRA Annual Conference: Regulation Best Interest and Form CRS: Recent Observations and What to Expect Panel
  – FINRA Podcast – Regulation Best Interest and Form CRS: Two Years In
• SEC
  – Regulation Best Interest Guidance Page
  – Staff Bulletin: Standards of Conduct for Broker-Dealers and Investment Advisers Conflicts of Interest (Aug. 3, 2022)
  – Staff Bulletin: Standards of Conduct for Broker-Dealers and Investment Advisers Account Recommendations for Retail Investors (Mar. 30, 2022)
  – Staff Statement Regarding Form CRS Disclosure
  – You may submit a question by email to [email protected]. Additionally, you may contact the SEC’s Division of Trading and Markets’ Office of Interpretation and Guidance at (202) 551-5777.
Communications with the Public
Regulatory Obligations and Related Considerations
Regulatory Obligations
FINRA Rule 2210 (Communications with the Public) classifies every communication into one of three categories—correspondence, retail communications, or institutional communications—and sets principles-based content standards that are designed to apply to ongoing developments in communications technology and practices.
New member firms are required to file all widely disseminated retail communications with FINRA’s Advertising
Regulation Department during their first year of membership, and all member firms are subject to filing
requirements for specified retail communications depending on their content.
FINRA Rule 2220 (Options Communications) governs member firms’ communications with the public concerning
options. Additionally, MSRB Rule G-21 (Advertising by Brokers, Dealers or Municipal Securities Dealers) contains
similar content standards relating to municipal securities or concerning the facilities, services or skills of any
municipal dealer.
Related Considerations
General Content Standards
• Do your firm’s communications contain false, misleading, or promissory statements or claims?
• Do your firm’s communications include material information necessary to make them fair, balanced and not misleading? For example, if a communication promotes the benefits of a high-risk or illiquid security, does it explain the associated risks?
• Do your firm’s communications balance specific claims of benefits from a product or service (especially complex products) with the key risks specific to that product or service?
• Do your firm’s communications contain predictions or projections of investment performance to investors that are generally prohibited by FINRA Rule 2210(d)(1)(F)?
Mobile Apps
• At account opening, do your mobile apps clearly disclose applicable risks and adequately explain other features such as margin or options accounts?
• Do your mobile apps consider detailed customer information—including the customer’s knowledge, investment experience, age, financial situation and investment objectives—when approving access to options or other complex products?
• Do your mobile apps adequately distinguish between products and services of the broker-dealer and those of affiliates or third parties?
• Has your firm established and implemented a reasonably designed supervisory system for communications through mobile apps?
• Have you tested the accuracy of account information, including labels and data, displayed in your mobile apps?
• Do your mobile apps accurately describe how their features work?
• Do your mobile apps identify information in ways that are easily understandable, based on the experience level of your customers?
• Do your mobile apps provide investors with readily available information to explain complex strategies and investments and associated risks?
X
Does any information provided to retail customers through your mobile apps constitute a “recommendation”
that would be covered by Reg BI, and in the case of recommendations of options or variable annuities, FINRA
Rules 2360 (Options) or 2330 (Members’ Responsibilities Regarding Deferred Variable Annuities)? If so, how
does your firm comply with the related obligations?
Digital Communication Channels
- Does your firm’s digital communication policy address all permitted and prohibited digital communication channels and features available to your customers and associated persons?
- Does your firm review for red flags that may indicate a registered representative is communicating through an unapproved communication channel, and does your firm follow up on such red flags (e.g., email chains that copy unapproved representative email addresses, references in emails to communications that occurred outside approved firm channels or customer complaints mentioning such communications)?
- How does your firm supervise and maintain books and records in accordance with SEC and FINRA Books and Records Rules for all digital communications with the public?
- Does your firm have a process to confirm that all business-related communications with the public comply with the content standards set forth in FINRA Rule 2210?
- Crypto Asset Communications: If your firm communicates regarding crypto asset activities:
  - Does your firm provide a fair and balanced presentation of the extent to which the federal securities laws or FINRA rules apply to the crypto asset products or services, including with respect to the application of protections afforded under the Securities Investor Protection Act of 1970 (SIPA)?
  - Do your firm’s communications misleadingly state or suggest that FINRA or any other regulator has approved, endorsed or guaranteed a crypto asset or service?
  - Does your firm accurately describe the risks associated with the manner in which the crypto asset is issued, held or transferred?
  - Do your firm’s communications misleadingly imply that crypto asset services offered through an affiliated entity are offered through and under the supervision, clearance and custody of a registered broker-dealer?
- Municipal Securities Communications: If your firm offers municipal securities, does it confirm that “advertisements” for such securities—as defined under MSRB Rule G-21—include the necessary information to be fair, balanced and not misleading, and do not include:
  - exaggerated claims about safety or misleading comparisons to U.S. Treasury securities;
  - statements claiming “direct access” to bonds in the primary market if your firm is not an underwriter; or
  - unwarranted claims about the predictability or consistency of growth or payments?
- If an advertisement includes claims of municipal securities being “tax free,” does it also explain any applicable state, local, alternative minimum tax, capital gains or other tax consequences?
- If an advertisement includes a “taxable equivalent” yield on a municipal security offering, does it provide sufficient information regarding the tax bracket used to make the calculation?
- Communications Promoting Revenue Sharing Programs: If your firm distributes or makes available communications that promote or recommend revenue sharing programs to retail investors (e.g., fully paid securities lending programs), do the communications accurately and clearly disclose the terms and conditions of the program, including the portion of fees customers would receive?
- Communications Promoting ESG Factors: If your firm offers products that promote Environmental, Social and Governance (ESG) factors, do your communications:
  - contain claims that are unsupported by or inconsistent with information contained in the product’s offering documents;
  - lack risk disclosure or language necessary to balance any promotional claims regarding ESG; or
  - use rankings, ratings or awards that lack a sound basis or are unwarranted or misleading based on the criteria used or factors considered?
Findings and Effective Practices
Findings
- False, Misleading and Inaccurate Information in Mobile Apps:
  - Incorrect or misleading account balances or inaccurate information regarding accounts’ historical performance.
  - Sending margin call warnings to customers whose account balances were not approaching, or were below, minimum maintenance requirements.
  - Falsely informing customers that their accounts were not enabled to trade on margin, when the accounts were, in fact, margin enabled.
  - Misstating the risk of loss associated with certain options transactions.
  - Distributing false and misleading promotions through social media and “push” notifications on mobile apps that made promissory claims or omitted material information.
- Insufficient Supervision of and Recordkeeping for Digital Communications: Not maintaining reasonably designed policies and procedures to identify and respond to red flags—such as those arising from customer complaints, representatives’ emails, OBA reviews or advertising reviews—that registered representatives may be making business-related digital communications to firm customers using channels not approved and controlled by the firm, including texting, messaging, social media, collaboration apps or “electronic sales seminars” in chatrooms.
- Deficient Communications Promoting Crypto Assets:
  - Failing to adequately disclose that crypto assets or services may not be covered under the federal securities laws or SIPA.
  - Falsely implying that crypto assets or services are covered by SIPA or the federal securities laws.
  - Falsely identifying the broker-dealer as the entity from which crypto assets may be purchased or creating confusion about which entity is offering crypto assets where the entity offering the crypto assets uses an identical or substantially similar name to the broker-dealer’s name.
- Municipal Securities Advertisements: Making false and misleading statements or claims about safety, unqualified or unwarranted claims regarding the expertise of the firm, and promissory statements and claims regarding portfolio growth.
- Communications Promoting ESG Factors:
  - Using fund communications that contain claims that are inconsistent with or unsupported by the fund’s offering documents.
  - Including rankings, ratings, or awards that lack a sound basis or are unwarranted or misleading based on the criteria used or factors considered.
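Added example, not from the FINRA report: a Python review pass over archived email for two of the red flags named in the digital communication considerations and in the finding on unapproved channels above, namely copies sent to a representative's personal address and wording that refers to a conversation that happened outside firm channels. The approved domain, the representative roster with disclosed personal addresses, the keyword list and the three sample messages are constructed assumptions for illustration, not firm data.

```python
"""Red-flag review for off-channel business communications (added example)."""
import re
from email import message_from_string
from email.utils import getaddresses

# Assumed firm-controlled, archived domains (constructed for this example).
APPROVED_DOMAINS = {"examplebd.com"}

# Assumed roster: registered representatives and any personal addresses they
# have disclosed to compliance. Constructed names and addresses.
REP_ROSTER = {
    "Jane Doe": {"jane.doe.trades@gmail.com"},
    "Rick Roe": set(),
}

# Phrases that suggest a conversation happened outside approved channels.
OFF_CHANNEL_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\btext(?:ed)? (?:me|you)\b",
    r"\bwhatsapp\b",
    r"\btelegram\b",
    r"\bimessage\b",
    r"\bpersonal (?:cell|phone|e-?mail)\b",
    r"\bas (?:we|i) discussed (?:by|over|on) (?:the )?(?:phone|text|chat)\b",
)]


def _name_tokens(full_name):
    """'Jane Doe' -> ('jane.doe', 'jdoe', 'janedoe'), for matching local parts."""
    first, last = full_name.lower().split()
    return (f"{first}.{last}", f"{first[0]}{last}", f"{first}{last}")


def address_flags(addresses):
    """Flag addresses off approved domains that look like a rep's personal mailbox."""
    flags = []
    for addr in addresses:
        addr = addr.lower()
        local, _, domain = addr.rpartition("@")
        if domain in APPROVED_DOMAINS:
            continue
        for rep, personal in REP_ROSTER.items():
            if addr in personal:
                flags.append(("known_personal_address", rep, addr))
            elif any(tok in local for tok in _name_tokens(rep)):
                flags.append(("possible_rep_address", rep, addr))
    return flags


def body_flags(text):
    """Flag wording that references off-channel communication."""
    return [("off_channel_reference", m.group(0))
            for pat in OFF_CHANNEL_PATTERNS for m in pat.finditer(text)]


def review_message(raw):
    """Return the red flags found in one RFC 822 message."""
    msg = message_from_string(raw)
    headers = [msg.get(h, "") for h in ("From", "To", "Cc", "Bcc")]
    addresses = [a for _, a in getaddresses(headers) if a]
    body = msg.get_payload(decode=True)
    body = body.decode("utf-8", "replace") if body else ""
    return {
        "message_id": msg.get("Message-ID", "<none>"),
        "flags": address_flags(addresses) + body_flags(body),
    }


def review_mailbox(raw_messages):
    """Review a batch and return only the messages that carry at least one flag."""
    results = (review_message(r) for r in raw_messages)
    return [r for r in results if r["flags"]]


# Constructed sample messages (not real correspondence).
CLEAN = """From: j.doe@examplebd.com
To: client@customer.example
Message-ID: <1@examplebd.com>

Attached is the prospectus you requested.
"""

CC_PERSONAL = """From: j.doe@examplebd.com
To: client@customer.example
Cc: jane.doe.trades@gmail.com
Message-ID: <2@examplebd.com>

As we discussed over the phone, I will text you the fill.
"""

ALT_ADDRESS = """From: r.roe@examplebd.com
To: client@customer.example
Cc: jdoe99@outlook.com
Message-ID: <3@examplebd.com>

Reach me on WhatsApp if the market moves.
"""

if __name__ == "__main__":
    for hit in review_mailbox([CLEAN, CC_PERSONAL, ALT_ADDRESS]):
        print(hit["message_id"], hit["flags"])
```

The name-token heuristic deliberately over-flags (any unapproved address containing a representative's name) so that a reviewer sees the candidate and disposes of it; the point of the control is that flagged messages are followed up and the follow-up evidenced, not that the matcher is precise.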
Effective Practices
- Reasonably Designed Procedures for Mobile Apps: Maintaining and implementing procedures for the supervision of mobile apps, for example, that confirm:
  - data displayed to customers is accurate; and
  - information about mobile apps’ tools and features complies with FINRA’s communications and other relevant rules before it is posted to investors.
- Reasonably Designed Procedures for Digital Communications: Maintaining and implementing procedures for supervision of digital communication channels, including:
  - Monitoring of New Tools and Features: Monitoring new communication channels, apps and features available to associated persons and customers.
  - Defining and Enforcing What is Permissible and Prohibited: Clearly defining permissible and prohibited digital communication channels, tools and features, and blocking those prohibited channels, tools and features that prevent firms from complying with their recordkeeping requirements.
  - Supervision: Implementing supervisory review procedures tailored to each digital channel, tool and feature.
  - Video Content Protocols: Developing WSPs and controls for live-streamed public appearances, scripted presentations or video blogs.
  - Training: Implementing mandatory training programs prior to providing access to firm-approved digital channels, including expectations for business and personal digital communications and guidance for using all permitted features of each channel.
  - Disciplinary Action: Temporarily suspending or permanently blocking from certain digital channels or features those registered representatives who did not comply with the policies and requiring them to take additional digital communications training before resuming use.
- Crypto Asset Communications: Maintaining and implementing procedures for firm crypto asset communications, including:
  - Risk Disclosure: Prominently describing the risks associated with the manner in which the crypto asset is issued, held or transferred; and balancing any statements or claims contained in a crypto asset communication with a discussion of related risks, including that such investments are speculative, may have no value, involve a high degree of risk, are generally illiquid, have uncertain regulatory protections, are subject to potential market manipulation risks and may expose investors to loss of principal.
  - Communications Review: Reviewing firms’ communications to confirm that they are not exaggerating the potential benefits of crypto assets or overstating the current or future status of crypto asset projects or platforms.
- Differentiating Crypto Asset Products Communications From Broker-Dealer Products Communications: Identifying, segregating and differentiating firms’ communications related to broker-dealer products and services from those related to offerings by affiliates or third parties, including crypto asset affiliates; and clearly and prominently identifying in communications entities responsible for non-securities crypto assets businesses (and explaining that such services were not offered by the broker-dealer or subject to the same regulatory protections as those available for securities).
Targeted Examination Letter on Crypto Asset Retail Communications
As part of FINRA’s recently announced 2022 targeted review of firms’ crypto asset retail communications, we are evaluating if such communications:
- contain false or misleading statements or claims;
- misrepresent the extent to which the federal securities laws or FINRA rules apply to a crypto asset product or service, including with respect to the application of protections afforded under SIPA;
- include prohibited projections of investment performance or a misleading forecast; or
- omit material information or fail to provide a sound basis to evaluate the facts with respect to the product in that the benefits articulated in the marketing materials are not balanced by key specific risks associated with investing in the product.
FINRA will share the findings from this targeted review with firms in a future publication once the review is complete.
- Municipal Securities Advertisements: Maintaining and implementing reasonably designed procedures for firm municipal securities communications, including:
  - requiring prior approval of all advertisements concerning municipal securities by an appropriately qualified principal to confirm the content complies with applicable content standards;
  - providing education and training for firm personnel on applicable FINRA and MSRB rules and firm policies;
  - balancing statements concerning the benefits of municipal securities by prominently describing the risks associated with municipal securities, including credit risk, market risk and interest rate risk; and
  - reviewing firms’ communications to confirm that the potential benefits of tax features are accurate and not exaggerated.
- Communications Promoting ESG Factors: Implementing and maintaining reasonably designed procedures for communications promoting ESG factors, including:
  - reviewing communications to ensure that ESG-related claims are consistent with and supported by applicable offering documents;
  - balancing statements promoting ESG factors by prominently describing the risks associated with ESG funds, including that:
    - ESG-related strategies may not result in favorable investment performance;
    - there is no guarantee that the fund’s ESG-related strategy will be successful; and
    - the fund may forego favorable market opportunities in order to adhere to ESG-related strategies or mandates.
Additional Resources
- FINRA
  - Advertising Regulation Topic Page
  - Social Media Topic Page
  - Regulatory Notice 21-25 (FINRA Continues to Encourage Firms to Notify FINRA if They Engage in Activities Related to Digital Assets)
  - Regulatory Notice 20-21 (FINRA Provides Guidance on Retail Communications Concerning Private Placement Offerings)
  - Regulatory Notice 19-31 (Disclosure Innovations in Advertising and Other Communications with the Public)
  - Regulatory Notice 17-18 (Guidance on Social Networking Websites and Business Communications)
  - Regulatory Notice 11-39 (Social Media Websites and the Use of Personal Devices for Business Communications)
  - Regulatory Notice 10-06 (Guidance on Blogs and Social Networking Web Sites)
- MSRB
  - MSRB Notice 2019-07
  - MSRB Notice 2018-18
Private Placements
Regulatory Obligations and Related Considerations
Regulatory Obligations
InRegulatory Notice10-22(Obligations of Broker-Dealers to Conduct Reasonable Investigations in Regulation
D Offerings), FINRA noted that member firms that recommend private offerings have obligations under FINRA
Rule2111(Suitability) and FINRA Rule3110(Supervision) to conduct reasonable diligence by evaluating, at a
minimum, “the issuer and its management; the business prospects of the issuer; the assets held by or to be
acquired by the issuer; the claims being made; and the intended use of proceeds of the offering.”
Although FINRA’s Suitability Rule continues to apply to recommendations to non-retail customers, it no longer
applies to recommendations to retail customers. Instead, the SEC’s Reg BI applies to recommendations
to retail customers of any securities transaction or investment strategy involving securities, including
recommendations of private offerings. Among other things, Reg BI requires that a broker-dealer exercise
reasonable diligence, care and skill to understand the potential risks and rewards associated with the
recommendation, and have a reasonable basis to believe that the recommendation could be in the best
interest of at least some retail customers. A broker-dealer could violate the reasonable basis portion of
Reg BI’s Care Obligation by not fully understanding the recommended security, even if the security could
have been in the best interest of at least some retail customers.
Additionally, FINRA Rules 5122 (Private Placements of Securities Issued by Members) and 5123 (Private
Placements of Securities) require member firms to timely file offering documents and information for the private
placement offerings they sell, including retail communications that promote or recommend an offering, with
FINRA’s Corporate Financing Department, unless there is an available exemption.
Related Considerations
- Does your firm have policies and procedures reasonably designed to achieve compliance with Reg BI when making recommendations of private placements to retail customers?
- Do your firm’s promotional communications for its private placements balance the potential benefits of the investment with a disclosure of the potential risks, such as the potential for private placement investments to lose value, their lack of liquidity and their speculative nature?
- What policies and procedures does your firm have to address filing requirements and timelines under FINRA Rules 5122 and 5123? How does it review for compliance with such policies?
- How does your firm confirm that associated persons conduct reasonable investigations prior to recommending private placement offerings, including conducting further inquiry into red flags?
- How does your firm address conflicts of interest identified during the reasonable investigation process and in third-party due diligence reports?
- How does your firm manage contingency offerings, including the transmission of funds, review of the contingency terms and determination of the appropriate steps upon any amendments to the terms of the contingency, in order to ensure compliance with Exchange Act Rules 10b-9 and 15c2-4, as applicable?
Findings and Effective Practices
Findings
- Late Filings: Not maintaining policies and procedures, processes and supervisory programs to comply with filing requirements; and failing to make timely filings (with, in some cases, delays lasting as long as six to 12 months after the offering’s first date of sale).
- Lack of Reasonable Basis: Failing to conduct a reasonable investigation of private placement offerings prior to recommending them to retail investors, including:
  - failing to conduct an appropriate level of research, particularly when the firm lacks experience or specialized knowledge pertaining to an issuer’s underlying business or there is a lack of operating history;
  - relying solely on the firm’s past experience and knowledge with an issuer based on previously completed offerings;
  - failing to inquire into, analyze and resolve red flags identified during the reasonable investigation process or in third-party due diligence reports;
  - failing to maintain records of or otherwise evidence or reasonably explain the firm’s due diligence efforts into the accounting procedures, operations, historical performance and financial condition of the issuer, questionable representations by the issuer or litigation involving the issuer;
  - failing to monitor and supervise the escrow process in connection with contingency offerings, including not ensuring funds are deposited in an appropriate escrow or segregated account prior to being released to the issuer, or failing to return funds to subscribers when contingencies are not met or when the minimum offering amount is amended; and
  - failing to adopt adequate procedures to address all aspects of the firm’s private placement business, failing to adhere to the firm’s WSPs or both.
Effective Practices
- Private Placement Checklist: Creating reasonably designed checklists with—or adding to existing due diligence checklists—articulated processes, requirements for filing and related documentation, assignment of staff responsible for performing functions and tasks, and evidence of supervisory principal approval for the reasonable investigation process.
- Independent Research: Conducting and documenting independent research on material aspects of the offering; verifying representations and claims made by the issuer that are crucial to the performance of the offering (e.g., unrealistic costs projected to execute the business plan, coupled with unsupported projected timing and overall rate of return for investors); identifying any red flags with the offering or the issuer (such as questionable business plans or unlikely projections or results); and addressing and, if possible, resolving concerns that would be deemed material to a potential investor, such as liquidity restrictions.
- Identifying Conflicts of Interest: Identifying conflicts of interest (e.g., firm affiliates or issuers whose control persons were also employed by the firm) and then addressing such conflicts (such as by confirming that the issuer prominently and comprehensively discloses these conflicts in offering documents or mitigating them by removing financial incentives to recommend a private offering over other more appropriate investments).
- Responsibility for Reasonable Investigation and Compliance: Assigning responsibility for private placement reasonable investigation and compliance with filing requirements to specific individual(s) or team(s) and conducting targeted, in-depth training about the firm’s policies, process and filing requirements.
- Alert System: Creating a system that alerts responsible individual(s) and supervisory principal(s) about upcoming and missed filing deadlines.
- Post-Closing Assessment: When reasonable, conducting reviews after the offering closes to ascertain whether offering proceeds were used in a manner consistent with the offering memorandum, and maintaining supporting records of the firm’s reasonable investigation efforts.
Additional Resources
- FINRA
  - Private Placements Topic Page
  - Corporate Financing Private Placement Filing System User Guide
  - FAQs about Private Placements
  - Regulation Best Interest Key Topics Page
  - Report Center – Corporate Financing Report Cards
  - Regulatory Notice 21-26 (FINRA Amends Rules 5122 and 5123 Filing Requirements to Include Retail Communications That Promote or Recommend Private Placements)
  - Regulatory Notice 21-10 (FINRA Updates Private Placement Filer Form Pursuant to FINRA Rules 5122 and 5123)
  - Regulatory Notice 20-21 (FINRA Provides Guidance on Retail Communications Concerning Private Placement Offerings)
  - Regulatory Notice 10-22 (Obligations of Broker-Dealers to Conduct Reasonable Investigations in Regulation D Offerings)
- SEC
  - Regulation Best Interest Guidance Page
Variable Annuities
Regulatory Obligations and Related Considerations
Regulatory Obligations
FINRA Rule 2330 (Members’ Responsibilities Regarding Deferred Variable Annuities) establishes sales practice
standards regarding recommended purchases and exchanges of deferred variable annuities. To the extent that a
broker-dealer or associated person is recommending a purchase, surrender or exchange of a deferred variable
annuity to a retail customer, Reg BI’s obligations, discussed above, also would apply.
In addition, Rule 2330 requires member firms to establish and maintain specific written supervisory procedures
reasonably designed to achieve compliance with the rule. Member firms must implement surveillance
procedures to determine if any associated person is effecting deferred variable annuity exchanges at a rate that
might suggest conduct inconsistent with FINRA Rule 2330 and any other applicable FINRA rules or the federal
securities laws.
Related Considerations
- How does your firm review for rates of variable annuity exchanges (e.g., does your firm use any automated tools, exception reports or surveillance reports)?
- Does your firm have standardized review thresholds for rates of variable annuity exchanges?
- Does your firm have a process to confirm its variable annuity data integrity with insurance carriers and third-party data providers?
- How do your firm’s WSPs support a determination that a recommendation of a variable annuity exchange has a reasonable basis? How do you obtain, evaluate and record relevant information, such as:
  - loss of existing benefits;
  - increased fees or charges;
  - surrender charges, or the establishment or creation of a new surrender period;
  - consistency of customer liquid net worth invested in the variable annuity with their liquidity needs;
  - whether a share class is in the customer’s best interest, given his or her financial needs, time horizon and riders included with the contract; and
  - prior exchanges within the preceding 36 months?
- Do your firm’s policies and procedures require registered representatives to inform customers of the various features of recommended variable annuities, such as surrender charges, potential tax penalties, various fees and costs, and market risk?
- What is the role of your registered principals in supervising variable annuity transactions, including verifying how the customer would benefit from certain features of deferred variable annuities (e.g., tax-deferral, annuitization, a death or living benefit)? What processes, forms, documents and information do your firm’s registered principals rely on to make such determinations?
- What is your firm’s process to supervise registered representatives who make recommendations regarding buyout offers?
- What is your firm’s process for supervisory review when a registered representative recommends additional deposits into existing variable annuity contracts? What is your firm’s process for documenting the rationale for the additional deposit?
- If your firm offers registered index-linked annuities (RILAs), do the products’ disclosures address buffer and cap rates, as well as market value adjustment risks?
- Does your firm maintain records of retail customers’ investment objectives, risk tolerance and other information that support the rationale for recommending particular investment options?
Findings and Effective Practices
Findings
- Exchanges: Not reasonably supervising recommendations of exchanges for compliance with FINRA Rule 2330 and Reg BI, leading to exchanges that were inconsistent with the customer’s investment objectives and time horizon and resulted in, among other consequences, increased fees to the customer or the loss of material, paid-for accrued benefits.
- Insufficient Training: Not conducting training for registered representatives and supervisors regarding how to assess and compare costs and fees, surrender charges and long-term income riders to determine whether exchanges complied with the standards of FINRA Rule 2330 and Reg BI.
- Poor and Insufficient Data Quality: Not collecting and retaining key information on variable annuity transactions, particularly in connection with exchange transactions; relying on processes for data collection and retention in situations where the volume of variable annuity transactions renders these processes ineffective; and failing to address inconsistencies in available data for variable annuities, as well as data formats and reporting processes.
- Issuer Buyouts: Not reasonably supervising recommendations related to issuer buyout offers (e.g., registered representatives’ recommendations that investors surrender the contract in order to generate an exchange or new purchase) for compliance with FINRA Rule 2330 and Reg BI.
- Additional Deposits: Failing to evaluate and supervise registered representatives’ recommendations of additional deposits into existing VA contracts, including review of disclosure, any applicable surrender fees related to this transaction and rationale for the addition.
- Reasonably Available Alternatives: Pursuant to Reg BI, insufficient consideration of reasonably available alternatives to the recommended VA purchase, surrender or exchange.
Effective Practices
- Automated Surveillance: Using automated tools, exception reports and surveillance to review variable annuity exchanges; and implementing second-level supervision of supervisory reviews of exchange-related exception reports and account applications.
- Detailed Rationales for VA Exchanges: Confirming that registered representatives’—and, where applicable, supervisory principals’—written rationales for variable annuity exchanges for each customer address the specific circumstances for each customer and do not replicate rationales provided for other customers; and requiring supervisory principals to verify the information in these rationales that registered representatives provide, including product fees, costs, rider benefits and existing product values.
- Review Thresholds: Standardizing review thresholds for rates of variable annuity exchanges; and monitoring for emerging trends across registered representatives, customers, products and branches.
- Automated Data Supervision: Creating automated solutions to synthesize variable annuity data (including general product information, share class, riders and exchange-based activity) in situations warranted by the volume of variable annuity transactions.
- Data Integrity: Engaging with insurance carriers (affiliated and non-affiliated) and third-party data providers (e.g., Depository Trust and Clearing Corporation (DTCC), consolidated account report providers) to:
  - confirm its variable annuity data integrity (including general product information, share class, riders and exchange-based activity); and
  - address inconsistencies in available data, data formats and reporting processes for variable annuities.
- Data Acquisition: Establishing a supervisory system that collects and uses key transaction data, including, but not limited to:
  - transaction date;
  - representative name;
  - customer name;
  - customer age;
  - investment amount;
  - whether the transaction is a new contract or an additional investment;
  - contract type (qualified vs. non-qualified);
  - contract number;
  - product issuer;
  - product name;
  - source of funds;
  - exchange identifier;
  - share class; and
  - commissions.
- Data Analysis: Considering the following data points when conducting a review of a recommended exchange transaction under FINRA Rule 2330 and Reg BI:
  - branch location;
  - customer state of residence;
  - policy riders;
  - policy fees;
  - issuer of exchanged policy;
  - exchanged policy product name;
  - date exchanged policy was purchased;
  - living benefit value, death benefit value or both, that was forfeited;
  - surrender charges incurred; and
  - any additional benefits surrendered with forfeiture.
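Added example, not from the FINRA report: a Python exception report built from the transaction and exchange data points listed above. It computes each representative's exchange rate for a review period against a standardized threshold (the related considerations on exchange rates and the Review Thresholds practice) and separately flags individual exchanges that incurred a surrender charge, forfeited a living or death benefit, or follow an earlier exchange for the same customer inside a 36-month look-back. The threshold values, the minimum sample size, the record layout and the sample transactions are constructed assumptions, not FINRA parameters or firm data.

```python
"""Variable annuity exchange surveillance (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VATransaction:
    transaction_date: date
    representative: str
    customer: str
    customer_age: int
    investment_amount: float
    exchange_id: Optional[str]        # None for a new contract or additional deposit
    surrender_charge: float = 0.0     # charge incurred on the exchanged contract
    forfeited_benefit: float = 0.0    # living/death benefit value given up


# Assumed review parameters; a firm sets its own standardized thresholds.
EXCHANGE_RATE_THRESHOLD = 0.50      # flag reps whose exchange share exceeds 50%
MIN_TRANSACTIONS = 4                # ignore reps with too few transactions to judge
PRIOR_EXCHANGE_WINDOW = timedelta(days=36 * 30)  # roughly the 36-month look-back


def exchange_rates(txns: List[VATransaction], start: date, end: date
                   ) -> Dict[str, Tuple[int, int, float]]:
    """Per-representative (exchanges, total, rate) for transactions dated in [start, end]."""
    counts: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for t in txns:
        if start <= t.transaction_date <= end:
            counts[t.representative][1] += 1
            if t.exchange_id:
                counts[t.representative][0] += 1
    return {rep: (ex, total, ex / total) for rep, (ex, total) in counts.items()}


def rep_exceptions(txns, start, end) -> List[str]:
    """Representatives whose exchange rate breaches the standardized threshold."""
    return sorted(
        rep for rep, (_, total, rate) in exchange_rates(txns, start, end).items()
        if total >= MIN_TRANSACTIONS and rate > EXCHANGE_RATE_THRESHOLD
    )


def transaction_exceptions(txns: List[VATransaction]):
    """Exchange-level red flags: surrender charge paid, benefit forfeited, or a
    prior exchange for the same customer inside the look-back window."""
    exchanges_by_customer = defaultdict(list)
    for t in txns:
        if t.exchange_id:
            exchanges_by_customer[t.customer].append(t)

    flags = []
    for t in txns:
        if not t.exchange_id:
            continue
        reasons = []
        if t.surrender_charge > 0:
            reasons.append("surrender_charge")
        if t.forfeited_benefit > 0:
            reasons.append("benefit_forfeited")
        if any(timedelta(0) < t.transaction_date - p.transaction_date <= PRIOR_EXCHANGE_WINDOW
               for p in exchanges_by_customer[t.customer]):
            reasons.append("prior_exchange_within_36_months")
        if reasons:
            flags.append((t.exchange_id, t.representative, t.customer, reasons))
    return flags


def exception_report(txns, start, end):
    """Combined report a supervisory principal would review and evidence."""
    return {
        "rates": exchange_rates(txns, start, end),
        "rep_exceptions": rep_exceptions(txns, start, end),
        "transaction_exceptions": transaction_exceptions(txns),
    }


# Constructed sample data for one review period (not real customer records).
SAMPLE = [
    VATransaction(date(2022, 1, 10), "Rep A", "C1", 64, 100000.0, "X-1001", 1500.0, 8000.0),
    VATransaction(date(2022, 2, 14), "Rep A", "C2", 58, 75000.0, "X-1002"),
    VATransaction(date(2022, 4, 2), "Rep A", "C3", 71, 120000.0, "X-1003", 0.0, 2500.0),
    VATransaction(date(2022, 6, 20), "Rep A", "C4", 49, 50000.0, None),
    VATransaction(date(2022, 9, 5), "Rep A", "C2", 58, 80000.0, "X-1004"),  # C2 exchanged again
    VATransaction(date(2022, 1, 3), "Rep B", "C5", 62, 90000.0, None),
    VATransaction(date(2022, 3, 8), "Rep B", "C6", 55, 60000.0, "X-2001"),
    VATransaction(date(2022, 5, 1), "Rep B", "C7", 67, 110000.0, None),
    VATransaction(date(2022, 7, 19), "Rep B", "C8", 60, 45000.0, None),
    VATransaction(date(2022, 11, 30), "Rep B", "C9", 73, 130000.0, None),
    VATransaction(date(2022, 8, 8), "Rep C", "C10", 66, 70000.0, "X-3001"),
    VATransaction(date(2022, 10, 12), "Rep C", "C11", 59, 40000.0, "X-3002"),
]

if __name__ == "__main__":
    report = exception_report(SAMPLE, date(2022, 1, 1), date(2022, 12, 31))
    for rep, (ex, total, rate) in sorted(report["rates"].items()):
        print(f"{rep}: {ex}/{total} exchanges ({rate:.0%})")
    print("rate exceptions:", report["rep_exceptions"])
    for flag in report["transaction_exceptions"]:
        print("exchange flag:", flag)
```

On the sample, Rep A (four exchanges out of five transactions) trips the rate threshold while Rep C, whose two transactions are both exchanges, does not because the sample is below the minimum size; that is the reason for a minimum-count guard, so the report surfaces patterns rather than single events. The transaction-level flags are what a principal's written rationale review would start from.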
Additional Resources
- FINRA
  - Variable Annuities Topic Page
  - Regulation Best Interest (Reg BI) Topic Page
  - Regulatory Notice 20-18 (FINRA Amends Its Suitability, Non-Cash Compensation and Capital Acquisition Broker (CAB) Rules in Response to Regulation Best Interest)
  - Regulatory Notice 20-17 (FINRA Revises Rule 4530 Problem Codes for Reporting Customer Complaints and for Filing Documents Online)
  - Regulatory Notice 10-05 (FINRA Reminds Firms of Their Responsibilities Under FINRA Rule 2330 for Recommended Purchases or Exchanges of Deferred Variable Annuities)
  - Notice to Members 07-06 (Special Considerations When Supervising Recommendations of Newly Associated Registered Representatives to Replace Mutual Funds and Variable Products)
  - Notice to Members 99-35 (The NASD Reminds Members of Their Responsibilities Regarding the Sales of Variable Annuities)
- SEC
  - Regulation Best Interest, Form CRS and Related Interpretations
Market Integrity
Consolidated Audit Trail (CAT)
Regulatory Obligations and Related Considerations
Regulatory Obligations
FINRA and the national securities exchanges have adopted rules requiring their members to comply with Exchange Act Rule 613 and the CAT NMS Plan (FINRA Rule 6800 Series (Consolidated Audit Trail Compliance Rule)) (collectively, CAT Rules), which cover reporting to the CAT; clock synchronization; time stamps; connectivity and data transmission; development and testing; recordkeeping; and timeliness, accuracy and completeness of data requirements. Regulatory Notice 20-31 (FINRA Reminds Firms of Their Supervisory Responsibilities Relating to CAT) describes practices and recommended steps member firms should consider when developing and implementing their CAT Rules compliance program.
Related Considerations
- Do your firm’s CAT-related WSPs: (1) identify the individual, by name or title, responsible for the review of CAT reporting; (2) describe specifically what type of review(s) your firm will conduct of the data posted on the CAT Reporter Portal; (3) specify how often your firm will conduct the review(s); and (4) describe how your firm will evidence the review(s)?
- How does your firm confirm that the data your firm reports, or that is reported on your firm’s behalf, is transmitted in a timely fashion and is complete and accurate?
- How does your firm determine how and when clocks are synchronized and who is responsible for clock synchronization? How does your firm evidence that clocks have been synchronized, and how will it self-report clock synchronization violations?
- Does your firm conduct daily reviews of the Industry Member CAT Reporter Portal (CAT Reporter Portal) to review its file status, to confirm the file(s) sent by the member or by its reporting agent were accepted by CAT and to identify and address any file submission or integrity errors?
- Does your firm conduct periodic comparative reviews of accepted CAT data against order and trade records and the CAT Reporting Technical Specifications?
- Does your firm communicate regularly with its CAT reporting agent, review relevant CAT guidance and announcements and report CAT reporting issues to the FINRA CAT Help Desk?
- For any firms that have an agreement with a CAT Reporting Agent, have you confirmed that such agreement is evidenced in a writing that specifies the respective functions and responsibilities of each party?
- Does your firm maintain the required CAT order information as part of its books and records and in compliance with FINRA Rule 6890 (Recordkeeping)?
- How does your firm oversee its clearing firm and third-party vendors to maintain CAT compliance, including clock synchronization?
- When your firm identifies a reporting issue (e.g., inaccurately reported data, failure to report CAT data, submission of late data), does your firm self-report the issue identified via the Self-Reporting Erroneous Events form?
- Does your firm conduct periodic reviews of its compliance metrics (e.g., CAT report cards, error rates, CAT Compliance Thresholds)?
- Does your firm participate in testing related to the Central Repository, including any industry-wide disaster recovery testing following the schedule established under the CAT NMS Plan?
FINRA’s Rapid Remediation Review Process
FINRA’s Rapid Remediation review process enables FINRA to identify reporting deficiencies early and to
alert firms quickly and informally about potential CAT reporting rule violations. FINRA generally conducts
these reviews weekly or monthly, allowing staff to identify potential systemic issues at an early stage. FINRA
expects firms to respond to a Rapid Remediation inquiry by quickly addressing and correcting the identified
issues. This is important because inaccurate or untimely transaction and order reporting can negatively
affect the regulatory audit trail and the quality of FINRA’s surveillance patterns, as well as FINRA’s ability to
accurately reconstruct market events. When firms address CAT reporting issues promptly, FINRA’s audit trails
are more accurate, allowing FINRA’s surveillance groups to monitor more effectively for issues such as best
execution and market manipulation.
Findings and Effective Practices
Findings
• Incomplete Submission of Reportable Events: Failing to report certain Reportable Events, as defined by CAT, in a timely manner to the Central Repository (e.g., new order events, route events, execution events).
• Failure to Repair Errors Timely: Not repairing errors by the T+3 correction deadline.
• Failure to Submit Corrections: Not submitting corrections for previously inaccurately reported data, including data that did not generate error feedback from CAT.
• Inaccurate or Incomplete Reporting of CAT Orders: Submitting information that was incorrect, incomplete or both to the Central Repository, including but not limited to Event Timestamp, Event Type Code, Time in Force, Account Holder Type, Handling Instructions, Trading Session ID and Firm Designated ID (FDID).
• Unreasonable Vendor Supervision: Not establishing and maintaining reasonable WSPs or supervisory controls regarding both CAT reporting and clock synchronization that are performed by third-party vendors.
• Recordkeeping: Not maintaining or providing to regulators upon request, data reported to CAT, including but not limited to Time in Force (TIF), Customer Handling Instructions, Department Type, Trading Session, Firm Designated ID, Order ID and Route Destination.
Effective Practices
• Mapping Internal Records to CAT-Reported Data: Maintaining a “map” that shows how the firm’s internal records and blotters correspond to various fields reported to CAT.
• Archiving CAT Feedback: Archiving CAT feedback within a 90-day window so that firms can submit corrections, if necessary.
• CAT Supervision: Implementing WSPs requiring a comparative review of CAT submissions versus firm order records (including for firms that rely on third party submitters), conducting a daily review of the CAT Reporter Portal, regardless of the error rate percentage; and utilizing CAT Report Cards and CAT FAQs to design an effective and reasonable supervision process.
• Customer and Account Information System (CAIS) Supervision: Establishing reasonable supervisory processes and procedures that address, for example:
  - monitoring both CAIS Reporter Portal and CAIS notifications for data formatting and inconsistencies;
  - monitoring that customer and account information is reported in an appropriately secure manner pursuant to CAT reporting requirements (e.g., customer input identifiers are not submitted to CAT or CAIS unless they have been properly transformed into a “hashed” Transformed Input ID (TID) prior to submission, customer account identifiers (FDIDs) do not reflect actual account numbers);
  - confirming that CAIS data is consistent with prior submissions for the same customer; and
  - repairing CAIS inconsistencies within the required time period (i.e., no later than 5 p.m. ET on the third CAT Trading Day after the Customer or Account Information became available to the firm).
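One way a firm could gate outbound CAIS records on the three controls just listed (hashed TID only, FDID not equal to the real account number, consistency with the prior submission), as an added example that is not FINRA’s or the CAT Plan’s own code. It assumes simplified field names (fdid, tid, name, dob), a firm-internal FDID-to-account map, and a SHA-256 hex digest as the TID transformation; the CAT CAIS specification governs the actual transformation and layout.

```python
import hashlib
import re
from typing import Dict, List, Optional

# Assumption: a raw SSN/ITIN-like identifier is nine digits, optionally dash-separated.
RAW_ID_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")
# Assumption: a properly transformed TID is a lowercase 64-hex-char SHA-256 digest.
SHA256_HEX_RE = re.compile(r"\A[0-9a-f]{64}\Z")


def transform_input_id(raw_id: str) -> str:
    """Assumed TID transformation: SHA-256 hex digest of the digits-only identifier."""
    digits = re.sub(r"\D", "", raw_id)
    return hashlib.sha256(digits.encode("ascii")).hexdigest()


def check_cais_record(rec: Dict[str, str],
                      fdid_to_account: Dict[str, str],
                      prior: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the issues that should block one outbound CAIS customer record.

    rec: the record about to be submitted (hypothetical field names).
    fdid_to_account: the firm's internal FDID -> real account number map,
        which never leaves the firm; it is consulted only to detect leakage.
    prior: the previously accepted record for the same customer, if any.
    """
    issues: List[str] = []

    # Control 1: the customer identifier must already be a hashed TID.
    tid = rec.get("tid", "")
    if not SHA256_HEX_RE.match(tid):
        issues.append("tid is not a hashed Transformed Input ID")

    # Control 1 (continued): no raw identifier may appear in any other field.
    for field, value in rec.items():
        if field != "tid" and isinstance(value, str) and RAW_ID_RE.search(value):
            issues.append(f"raw SSN/ITIN-like value present in '{field}'")

    # Control 2: the FDID must not reveal the actual account number.
    fdid = rec.get("fdid", "")
    account = fdid_to_account.get(fdid, "")
    acct_digits = re.sub(r"\D", "", account)
    if account and (fdid == account or (acct_digits and acct_digits in fdid)):
        issues.append("fdid reflects the actual account number")

    # Control 3: static customer attributes must agree with the prior submission.
    if prior is not None:
        for field in ("name", "dob", "role"):
            if field in prior and prior[field] != rec.get(field):
                issues.append(f"'{field}' differs from prior submission")

    return issues


# Constructed sample data (not real customer information).
RAW_SSN = "123-45-6789"
GOOD_TID = transform_input_id(RAW_SSN)
# Internal map: one FDID is opaque, the other (wrongly) reuses the account number.
FDID_MAP = {"CUST-7F3A9": "987654321", "987654321": "987654321"}

GOOD_RECORD = {"fdid": "CUST-7F3A9", "tid": GOOD_TID,
               "name": "A. Sample", "dob": "1970-01-01"}
BAD_RECORD = {"fdid": "987654321", "tid": RAW_SSN,
              "name": "A. Sample", "dob": "1970-01-01",
              "note": "ssn 123-45-6789"}
PRIOR = {"tid": GOOD_TID, "name": "A. Sample", "dob": "1970-01-02"}

if __name__ == "__main__":
    for label, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(label, check_cais_record(rec, FDID_MAP) or "ok")
    print("good vs prior", check_cais_record(GOOD_RECORD, FDID_MAP, PRIOR))
```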
CAIS Reporting Deadline Extension
• In November 2022, the CAT Plan Participants announced an extension to the CAIS reporting deadlines.
• Firms can find updates and additional information related to the CAIS reporting and compliance schedule on the CAT NMS Plan website.
• Clock Synchronization Related to Third Parties: Obtaining adequate information from third parties to meet applicable clock synchronization requirements.[15]
• Self-Reporting: Self-reporting CAT reporting issues when your firm discovers them via the FINRA CAT Self-Reporting Erroneous Events Form or through the FINRA CAT Help Desk.
Additional Resources
• Consolidated Audit Trail (CAT) Topic Page
• Equity Report Cards
• Regulatory Notice 21-21 (FINRA Eliminates the Order Audit Trail System (OATS) Rules)
• Regulatory Notice 20-41 (FINRA Amends Its Equity Trade Reporting Rules Relating to Timestamp Granularity)
• Regulatory Notice 20-31 (FINRA Reminds Firms of Their Supervisory Responsibilities Relating to CAT)
• Regulatory Notice 20-20 (FINRA Provides Updates on Regulatory Coordination Concerning CAT Reporting Compliance)
• Regulatory Notice 19-19 (FINRA Reminds Firms to Register for CAT Reporting by June 27, 2019)
• Regulatory Notice 17-09 (The National Securities Exchanges and FINRA Issue Joint Guidance on Clock Synchronization and Certification Requirements Under the CAT NMS Plan)
Best Execution
Regulatory Obligations and Related Considerations
Regulatory Obligations
FINRA Rule 5310 (Best Execution and Interpositioning) requires that, in any transaction for or with a customer
or a customer of another broker-dealer, a member firm and persons associated with a member firm shall use
reasonable diligence to ascertain the best market for the subject security and buy or sell in such market so that
the resultant price to the customer is as favorable as possible under prevailing market conditions. A member
firm must have procedures in place to ensure it conducts “regular and rigorous” reviews of the execution quality
of its customers’ orders if it doesn’t conduct an order-by-order review.
Best execution obligations apply to any member firm that receives customer orders for purposes of handling and execution, including firms that receive customer orders from other firms for handling and execution.[16] These obligations apply whether a member firm acts in a principal or an agency capacity. A member firm cannot transfer its duty of best execution to another person. Additionally, any member firm that routes all of its customer orders to another firm without conducting an independent review of execution quality would violate its duty of best execution.
Related Considerations
Execution Quality Reviews
• How does your firm determine the appropriate method and frequency of its execution quality reviews?
• If applicable, does your firm conduct “regular and rigorous” reviews of the quality of the executions of its customers’ orders and customer orders from other broker-dealers, including a comparison of the execution quality available at competing markets?
• If applicable, how does your firm document its “regular and rigorous” reviews, including the data and other information considered, order routing decisions and the rationale for such decisions, and actions to address any deficiencies?
Payment for Order Flow
• If your firm provides PFOF to, or receives PFOF from, another broker-dealer, how does your firm prevent those payments from interfering with your firm’s best execution obligations?
Fixed Income and Options Trading
• If your firm engages in fixed income and options trading, has it established targeted policies and procedures to address its best execution obligations for these products?
• Does your firm consider differences among security types within these products, such as the different characteristics and liquidity of U.S. Treasury securities compared to other fixed income securities?
Other Best Execution Considerations
• How does your firm meet its best execution obligations with respect to trading conducted in both regular and extended trading hours?
• What data sources does your firm use for its routing decisions and execution quality reviews for different order types and sizes, including odd lots?
• How does your firm handle fractional share investing in the context of its best execution obligations?
Findings and Effective Practices
Findings
• No Assessment of Execution in Competing Markets: Not comparing the quality of the execution obtained via firms’ existing order-routing and execution arrangements against the quality of execution they could have obtained from competing markets; failing to modify routing arrangements or justify why routing arrangements are not being modified; and using routing logic that is not based on execution quality.
• No Review of Certain Order Types: Not conducting adequate reviews on a type-of-order basis, including, for example, for market, marketable limit, or non-marketable limit orders.
• Unreasonable “Regular and Rigorous Reviews”: Not conducting periodic “regular and rigorous reviews” or, when conducting such reviews, not considering certain execution quality factors set forth in Rule 5310, Supplementary Material .09.
• Conflicts of Interest: Not considering and addressing potential conflicts of interest relating to routing orders to affiliated broker-dealers, affiliated ATSs, or market centers that provide routing inducements, such as PFOF from wholesale market makers and exchange liquidity rebates.
Effective Practices
• Exception Reports: Using exception reports and surveillance reports to support firms’ efforts to meet their best execution obligations.
• Full and Prompt Execution of Marketable Customer Orders: Regularly evaluating the thresholds your firm uses to generate exceptions as part of the firm’s supervisory systems designed to achieve compliance with the firm’s “full and prompt” obligations, and modifying such thresholds to reflect current promptness standards for marketable order execution, including statistics available from FINRA, other relevant indicators of industry standards and the firm’s internal data.
Market Order Timeliness Statistical Report
Firms may access their Market Order Timeliness Statistical Report via FINRA’s Report Center. Firms can use the report to assist firms’ compliance with and supervision of the obligation to execute marketable customer orders fully and promptly. The report provides firms that execute customer market orders with six months of rolling data on the execution time frames for market orders for their firm, peer firms and the industry.
• PFOF Order Handling Impact Review: Reviewing how PFOF affects the order-handling process, including the following factors: any explicit or implicit contractual arrangement to send order flow to a third-party broker-dealer; terms of these agreements; whether it is on a per-share basis or per-order basis; and whether it is based upon the type of order, size of order, type of customer or the market class of the security.
• Risk-Based “Regular and Rigorous Reviews”: Conducting “regular and rigorous” reviews, at a minimum, on a quarterly or more frequent basis (such as monthly), depending on the firm’s business model, that consider the potential execution quality available at various trading centers, including those to which a firm does not send order flow.
• Support of Analysis: Being prepared to explain and evidence the firm’s best execution analysis, including internalized orders, on a “regular and rigorous” or order-by-order basis, as applicable.
• Continuous Updates: Updating WSPs and best execution analysis to address market and technology changes.
• Best Execution Committees: Establishing committees that meet quarterly or more frequently to conduct “regular and rigorous” reviews and determine, if necessary, to modify the firm’s order routing and execution arrangements.
• Supervision: Ensuring supervisory procedures, systems and controls address the execution of the entirety of the firm’s marketable order flow, including order types such as activated stop orders; all or none orders; and odd lot orders.
• Monitoring Orders: Monitoring the handling of marketable orders of all types fully and promptly, including market orders; marketable limit orders; activated stop orders; all or none orders; odd lot orders; marketable orders in illiquid securities; and marketable orders in preferred securities.
Additional Resources
• FINRA
  - FINRA Report Center
  - Equity Report Cards
  - Best Execution Outside-of-the-Inside Report Card
  - Regulatory Notice 22-04 (FINRA Reminds Member Firms of Obligation to Execute Marketable Customer Orders Fully and Promptly)
  - Regulatory Notice 21-23 (FINRA Reminds Member Firms of Requirements Concerning Best Execution and Payment for Order Flow)
  - Regulatory Notice 21-12 (FINRA Reminds Member Firms of Their Obligations Regarding Customer Order Handling, Margin Requirements and Effective Liquidity Management Practices During Extreme Market Conditions)
  - Regulatory Notice 15-46 (Guidance on Best Execution Obligations in Equity, Options and Fixed Income Markets)
  - Notice to Members 01-22 (NASD Regulation Reiterates Member Firm Best Execution Obligations And Provides Guidance to Members Concerning Compliance)
• SEC
  - Proposed Rules and Amendments to Regulation NMS (December 14, 2022)
  - SEC Proposes Amendments to Enhance Disclosure of Order Execution Information
  - SEC Proposes Rules to Amend Minimum Pricing Increments and Access Fee Caps and to Enhance the Transparency of Better Priced Orders
  - SEC Proposes Rule to Enhance Competition for Individual Investor Order Execution
  - SEC Proposes Regulation Best Execution
Disclosure of Routing Information
Regulatory Obligations and Related Considerations
Regulatory Obligations
Rule 606 of Regulation NMS requires broker-dealers to disclose information regarding the handling of their
customers’ orders in NMS stocks and listed options. These disclosures are designed to help customers better
understand how their firm routes and handles their orders; assess the quality of order handling services
provided by their firm; and ascertain whether the firm is effectively managing potential conflicts of interest that
may impact their firm’s routing decisions.
Related Considerations
• Does your firm publish accurate, properly formatted quarterly routing reports on its website for the required retention period as specified under Rule 606(a), including use of the SEC’s most recently published PDF and XML schema?
• If your firm is not required to publish a quarterly report under Rule 606(a), does the firm have an effective supervisory system to periodically confirm that your firm has no orders subject to quarterly reporting?
• If, pursuant to SEC guidance, your firm adopts by reference the Rule 606(a) report of another firm, such as your firm’s clearing firm, does your firm have an effective supervisory system to ensure that it meets the requirements of the SEC’s guidance (including examining such report and not having a reason to believe it materially misrepresents the order routing practices)?
• If your firm routes orders to non-exchange venues, does your firm adequately assess whether such venues are venues to which orders are “routed for execution” under Rule 606(a)?
• Does your firm obtain and retain sufficient information to properly report the material terms of its relationships with venues to which it routes orders for execution, including specific quantitative and qualitative information regarding PFOF and any profit-sharing relationship?
• If your firm claims an exemption from providing not held order reports under Rule 606(b)(3) (pursuant to Rule 606(b)(4) or (5)), what supervisory system does your firm have in place to determine if your firm’s or a customer’s order activity falls below the relevant de minimis thresholds?
• If your firm is required to provide customer-specific disclosures for not held orders in NMS stocks under Rule 606(b)(3), does your firm provide accurate, properly formatted disclosures for the prior six months to requesting customers within seven business days of receiving the request?
Findings and Effective Practices
Findings
• Inaccurate Quarterly Reports: Publishing incomplete or otherwise inaccurate information in the quarterly report on order routing, such as:
  - reporting only held orders in listed options, instead of both held and not held orders;
  - inaccurately classifying orders (e.g., classifying orders as “other orders” without considering whether such orders involve a customer request for special handling);[17]
  - incorrectly stating that the firm does not receive PFOF from execution venues;
  - not including payments, credits or rebates (whether received directly from an exchange or through a pass-through arrangement) in the “Net Payment Paid/Received” and “Material Aspects” sections of the quarterly report;
  - not including exchange pricing arrangements (e.g., tiered pricing) in the “Net Payment Paid/Received” and “Material Aspects” sections of the quarterly report;
  - not disclosing any amounts of “Net Payment Paid/Received,” when the firm receives PFOF for at least one of the four order types (i.e., Market Orders, Marketable Limit Orders, Non-Marketable Limit Orders, Other Orders);
  - inaccurately identifying reported execution venues as “Unknown”;
  - inaccurately identifying an entity as an execution venue when that entity does not execute trades (e.g., identifying a routing broker-dealer as an execution venue, where the broker-dealer re-routes but does not execute orders; options consolidator that does not provide liquidity); and
  - not posting the quarterly report on their firm’s website in both required formats (i.e., PDF and XML schema).
• Incomplete Disclosures: Not adequately describing material aspects of their relationships with disclosed venues in the Material Aspects disclosures portion of the quarterly report, such as:
  - inadequate descriptions of specific terms of PFOF and other arrangements (e.g., “average” amounts of PFOF rather than specific disclosure noting the payment types, specific amount received for each type of payment, terms and conditions of each type of payment);
  - ambiguous descriptions of receipt of PFOF (e.g., firm “may” receive payment);
  - inadequate or incomplete descriptions of PFOF received through pass-through arrangements;
  - incomplete descriptions of exchange credits or rebates; and
  - incomplete descriptions of tiered pricing arrangements, including the specific pricing received by the firm.
• Incomplete Disclosure When Incorporating by Reference: Incorporating by reference another firm’s Rule 606(a)(1) quarterly report with incomplete disclosure of:
  - the firm’s relationship with the referenced firm, including clearing or execution relationship;
  - payment for order flow received from the referenced firm;
  - the amount and type of order flow sent to the referenced firm;
  - payment from any profit-sharing relationship received from the referenced firm;
  - transaction fees paid to the referenced firm; and
  - transaction rebates received from the referenced firm.
• Deficient Communications: Not notifying customers in writing of the availability of information specified under Rule 606(b)(1), as required by Rule 606(b)(2).[18]
• Not Held Customer Reports: Failing to provide Rule 606(b)(3) Not Held reports to customers in a timely manner.
• Insufficient WSPs: Either not establishing or not maintaining WSPs reasonably designed to achieve compliance with the requirements of Rule 606, including:
  - not updating Disclosure of Order Routing Information WSPs to include requirements detailed in Rule 606(a)(1) or Rule 606(b)(3);
  - not describing the steps taken to review whether firms verified the integrity of information sent to, or received from, their vendor—or not stating how the review would be evidenced by the reviewer;
  - not articulating a supervisory method of review to verify the accuracy, format, completeness, timely processing and details of the Rule 606(b)(3) report, if requested, as well as documenting the performance of that review; and
  - when incorporating by reference another firm’s Rule 606(a)(1) quarterly report, not examining the report and having a reasonable basis to believe that the report does not materially misrepresent the order routing practices.
Effective Practices
• Supervision: Conducting regular, periodic supervisory reviews of the public quarterly reports and customer-specific order disclosure reports, if applicable, for accuracy (e.g., assuring that per-venue disclosures of net aggregate PFOF and other payments are accurately calculated) and completeness (e.g., assuring that the Material Aspects section adequately describes the firm’s PFOF and other payment arrangement for each execution venue, including all material aspects that may influence the firm’s order routing decisions).
• Due Diligence on Vendors: Performing due diligence to assess the accuracy of public quarterly reports and customer-specific order disclosure reports provided by third-party vendors by, for example, reviewing content of reports, comparing order samples against vendor-provided information and confirming with the vendor that all appropriate order information is being received (particularly when the firm has complex routing arrangements with execution venues).
Additional Resources
• SEC 2018 Amendments to Rule 606 of Regulation NMS
• SEC Responses to Frequently Asked Questions Concerning Rule 606 of Regulation NMS[19]
• SEC Staff Legal Bulletin No. 13A: Frequently Asked Questions About Rule 11Ac1-6
Fixed Income — Fair Pricing NEW FOR 2023
Regulatory Obligations and Related Considerations
Regulatory Obligations
The fair pricing obligations under FINRA Rule 2121 (Fair Prices and Commissions) apply to transactions in all
securities—including fixed income securities—and MSRB Rule G-30 imposes similar obligations for transactions
in municipal securities. In addition, FINRA Rule 2121 and MSRB Rule G-30 also include specific requirements for
transactions in debt securities. These rules generally require a dealer that is acting in a principal capacity in a
debt security transaction with a customer, and charging a mark-up or mark-down, to mark-up or mark-down
the transaction from the prevailing market price (PMP). The PMP is presumptively established by referring to
the dealer’s contemporaneous cost as incurred or proceeds as obtained. Where the dealer’s cost is no longer
contemporaneous, or the dealer has overcome the contemporaneous cost presumption, member firms are
required to continue down the “waterfall” within FINRA Rule 2121 or MSRB Rule G-30, as applicable, to determine
the PMP.
Related Considerations
• Does your firm have a reasonable supervisory system for compliance with the fair pricing rules tailored to your firm’s specific business model for fixed income securities? Do your firm’s WSPs identify the personnel responsible for compliance with the fair pricing rules for your firm’s fixed income business?
• If your firm requires the use of exception reports to perform supervision for fair pricing of fixed income products, do these reports include information sufficient to make such a determination (e.g., mark-up/mark-down percentage, maturity, coupon, rating, yield)?
• Does your firm conduct a reasonable supervisory review to confirm that mark-ups/mark-downs are not based on expenses that are excessive?
• If your firm sells bonds to customers from inventory, what methodology is your firm using to determine the PMP for the security? Is the methodology employed consistent with the “waterfall” described in FINRA Rule 2121 and MSRB Rule G-30?
• If your firm engages in transactions in different types of fixed income products, does your firm have targeted fair pricing supervisory procedures to address its fair pricing obligations for each type of product?
Findings and Effective Practices
Findings
• Incorrect Determination of PMP: Not following the contemporaneous cost presumption or the waterfall required by FINRA Rule 2121 and MSRB Rule G-30, but rather:
  - using other methods, such as obtaining quotations from a limited number of market participants without considering contemporaneous inter-dealer or institutional transaction prices; or
  - referring to acquisition costs that are no longer contemporaneous.
• Outdated Mark-up/Mark-down Grids: Employing mark-up/mark-down grids without periodically reviewing and updating them as needed.
• Failure to Consider Impact of Mark-up on Yield to Maturity: Charging substantial mark-ups in short-term fixed-income securities that may significantly reduce the yield received by the investor.
• Unreasonable Supervision: Solely relying on grids or on fixed mark-up/mark-down thresholds in assessing fair pricing in fixed income securities without performing a facts and circumstances analysis as required by FINRA Rule 2121 or MSRB Rule G-30.
Effective Practices
• PMP Documentation: Documenting the PMP for each transaction, even if it does not require a mark-up disclosure pursuant to FINRA Rule 2232 (Customer Confirmations) or MSRB Rule G-15.
• Mark-up/Mark-down Reviews: Conducting periodic reviews of the firm’s mark-ups/mark-downs and comparing them with industry data provided in the TRACE and MSRB Mark-up/Mark-down Analysis Reports.
• Exception Reports: Using exception reports or outside vendor software to ensure compliance with FINRA Rule 2121 or MSRB G-30, and periodically reviewing and updating the reports’ parameters so they perform as intended, even as market conditions change.
Additional Resources
• FINRA
  - Fixed Income Confirmation Disclosure: Frequently Asked Questions (FAQ)
  - MSRB Markup/Markdown Analysis Report
  - TRACE Markup/Markdown Analysis Report
  - Regulatory Notice 21-29 (Vendor Management and Outsourcing)
  - Regulatory Notice 17-08 (SEC Approves Amendments to Require Mark-Up/Mark-Down Disclosure on Confirmations for Trades With Retail Investors in Corporate and Agency Bonds)
• MSRB
  - Confirmation Disclosure and Prevailing Market Price Guidance: Frequently Asked Questions
  - Resource on Disclosing Mark-ups and Determining Prevailing Market Price
Fractional Shares—Reporting and Order Handling NEW FOR 2023
Regulatory Obligations and Related Considerations
Regulatory Obligations
FINRA’s trade reporting rules generally require member firms to transmit last sale reports of transactions in equity securities to a FINRA trade reporting facility (TRF) or FINRA’s over-the-counter trade reporting facility (ORF) as applicable. Member firms must transmit these reports as soon as practicable, but no later than ten seconds after execution.[20]
Although the TRFs and the ORF do not currently support the entry of fractional share quantities, these trades are required to be reported subject to FINRA guidance, which requires rounding quantities up to one if less than one share and truncating the fractional quantity for transactions that involve both a whole-share and fractional-share quantity.[21]
Member firms are required to report order, route and trade events in NMS stocks and OTC equity securities to the CAT Central Repository, including any fractional-share quantity.
Member firms that execute trades in fractional shares must also comply with other marketplace rules, including FINRA Rules 6190 (Compliance with Regulation NMS Plan to Address Extraordinary Market Volatility) and 5260 (Prohibition on Transactions, Publication of Quotations, or Publication of Indications of Interest During Trading Halts). Additionally, member firms must comply with FINRA’s order handling rules, including FINRA Rule 5310 (Best Execution and Interpositioning), in handling and executing customer fractional share orders.[22]
Related Considerations
• How does your firm ensure that its required CAT, TRF and ORF reports involving fractional shares are submitted in a timely manner, are complete and accurate, and reported in accordance with applicable reporting requirements?
• Does your firm assess whether it has provided adequate disclosure of its fractional share order handling policies to customers?
• If your firm participates in a Dividend Reinvestment Program, does it confirm that any resulting fractional share activity is compliant with your firm’s regulatory obligations related to TRF, CAT and ORF reporting?
• If your firm handles fractional or cash based orders on a Not Held basis, has it reviewed the SEC’s updated Responses to Frequently Asked Questions Concerning Rule 606 of Regulation NMS regarding categorizing customer orders as Held or Not Held?
Findings and Effective Practices
Findings
• Reporting Failures: Failing to report fractional share orders, routes and trades to trade reporting facilities as required (e.g., reporting orders, routes and trades to CAT but failing to report to a TRF or ORF an executed transaction for a quantity of less than one share), or failing to report in an accurate, complete and timely manner.
• Inadequate Supervisory Systems and Procedures: Failing to establish and implement a reasonably designed supervisory system and procedures to confirm that fractional share orders, routes and trades were accurately, completely and timely reported as required to a TRF, the ORF and CAT.
Effective Practices
• FINRA Resources: Reviewing FINRA’s guidance on fractional share executions and other events, including FINRA’s CAT and Trade Reporting FAQs; and contacting FINRA with questions related to the reporting of fractional share orders, routes or executions.
• Dividend Reinvestment Programs: Reviewing how your firm or clearing firm processes dividend reinvestments to ensure that fractional share transactions and other events are properly reported, as required.
• Supervisory Processes: Establishing and maintaining reasonably designed best execution supervisory processes that address fractional share orders, order routing and executions; and regularly evaluating exception reports supporting the firm’s supervisory processes and modifying them, as appropriate, to reflect current market circumstances.
• System Capacity and Data Validation: Confirming there is adequate system capacity to report trades to a TRF or ORF within ten seconds of execution; and verifying that the reported transaction data was reported timely, accurately and completely in accordance with the requirements of the applicable facilities.
• Best Execution Reviews: Including fractional share orders, routes and executions in regular and rigorous best execution reviews to confirm that the firm’s practices are reasonably designed to achieve best execution.
Additional Resources
• FINRA
  - CAT FAQs
  - CAT Industry Member Specifications
  - Equity Report Cards
  - Trade Reporting FAQs
• SEC
  - Responses to Frequently Asked Questions Concerning Rule 606 of Regulation NMS
Regulation SHO—Bona Fide Market Making Exemptions and Reuse of Locates for Intraday Buy-to-Cover Trades NEW FOR 2023
Regulatory Obligations and Related Considerations
Regulatory Obligations
Rules 203(b) (Short sales) and 204 (Close-out requirement) of Regulation SHO provide exceptions for bona fide market making activity. The SEC has provided guidance on what constitutes “bona fide market making activities” as well as examples of what does not; member firms must also confirm and be able to demonstrate that any transaction for which they rely on a Regulation SHO bona fide market making exception qualifies for the exception, consistent with Regulation SHO and guidance.[23] For example, reliance on and compliance with an exchange’s market making designation and quoting requirements does not per se qualify a market maker for the bona fide market maker exception. Only market makers engaged in bona fide market making in the security at the time they effect the short sale may rely on the exception.[24]
Rule 203(b)(1) of Regulation SHO requires that, prior to accepting a short sale order or effecting a short sale order in an equity security for the broker-dealer’s own account, a broker or dealer must borrow the security, enter into a bona fide arrangement to borrow the security or have reasonable grounds to believe that the security can be borrowed so that it can be delivered on settlement date (i.e., receives a “locate”). Pursuant to SEC guidance, if a broker-dealer receives a locate for a short sale order that is executed and subsequently covered on the same day, the broker-dealer may reuse that locate for a subsequent short sale order, provided that the subsequent short sale order is for a quantity no greater than the quantity of the original locate, and the original locate was deemed by its source to be good for the entire trading day.[25] For a “hard to borrow” security or a threshold security, however, a broker-dealer may not re-apply a locate for intraday buy-to-cover trades.[26] SEC guidance has explained that, without obtaining locates prior to each short sale in hard-to-borrow or threshold securities, it is unlikely that a broker-dealer executing short sales in such securities would have reasonable grounds to believe that the securities can be borrowed so that they can be delivered on the date that delivery is due on each trade.[27]
Related Considerations
• How do your firm’s supervisory systems ensure that short sales your firm executes in reliance on a Regulation SHO bona fide market making exception qualify for that exception?
• What is your firm’s process for determining if it can reasonably satisfy Reg SHO’s locate requirement prior to executing short sale transactions?
• If applicable, when your firm reapplies a locate for short sales executed after intraday buy-to-cover trades in reliance on Question 4.4 in the SEC Reg SHO FAQs, does it take steps to ensure that it doesn’t execute short sales of threshold or hard-to-borrow securities?
Findings and Effective Practices
Findings
• Non-Bona Fide Market Making: Failing to distinguish bona fide market making from other proprietary trading activity that is not eligible to rely on Regulation SHO’s bona fide market making exceptions, which includes:
  - quoting only at maximum allowable distances from the inside bid/offer (e.g., using peg orders);
  - posting quotes at or near the inside ask but not at or near the inside bid;
  - only posting bid and offer quotes near the inside market when in possession of an order; and
  - displaying quotations that are not firm and are only accessible to a small set of subscribers to a firm’s trading platform.
• Impermissible Reuse of Locates: Relying on the guidance under Question 4.4 of the SEC’s Reg SHO FAQ but not taking steps to confirm that locates are not reapplied to short sales of threshold or hard-to-borrow securities, or not having a process in place to prevent the execution of any short sale orders in threshold or hard-to-borrow securities that involve the application of locates.
Effective Practices
• Supervision of Bona Fide Market Making: Developing supervisory systems for, and conducting supervisory reviews of, market making activity to ensure that any reliance on Regulation SHO bona fide market making exceptions is appropriate by considering, for example:
  - where the firm’s quotes are placed, and how (e.g., market participants vs. ATS visible or non-visible orders);
  - the frequency or timing of the firm’s quoting activity (e.g., morning or evening vs. throughout the trading day); and
  - the level of the firm’s proprietary trades compared to customer transactions filled.
• Supervision of Reuse of Locates: Developing appropriate policies and procedures to adhere to the guidance provided in Question 4.4 of the SEC’s Regulation SHO FAQ, as applicable, such as:
  - using hard blocks on threshold securities, or easy-to-borrow lists, as limits on reuse (e.g., setting systems to check and allow reuse only in securities deemed easy to borrow, rejecting short sales in securities not deemed easy to borrow without the locate); and
  - confirming that agreements with locate providers specify for how long the locates are valid (e.g., only the day issued).
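As an added illustration (not FINRA’s, the SEC’s or any firm’s code, and not part of this report), the Python pre-trade check below encodes the locate conditions from the Regulatory Obligations paragraph above together with the “hard blocks / easy-to-borrow lists” practice just described: a locate may support a second short sale only after the first was bought to cover the same day, for no more than the located quantity, only where the source deemed it good for the whole day, and never in threshold or hard-to-borrow securities. The symbols, lists, dates, the one-day locate validity and the decision codes are constructed sample data and this example’s own naming.

```python
"""Pre-trade locate check for short sale orders (added example; all data is constructed)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Locate:
    symbol: str
    quantity: int          # shares the source agreed could be borrowed
    issued_on: date
    good_for_day: bool     # source deemed the locate good for the entire trading day
    used: bool = False     # already applied to a short sale
    covered: bool = False  # that short sale was bought to cover the same day


@dataclass
class ShortSaleOrder:
    symbol: str
    quantity: int
    trade_date: date


@dataclass
class Decision:
    accepted: bool
    code: str    # machine-readable reason, retained for the supervisory record
    detail: str


class LocateControl:
    """Decides whether a short sale order may rely on a given locate.
    threshold / hard_to_borrow are hard blocks (no reuse); easy_to_borrow limits reuse.
    """

    def __init__(self, threshold, hard_to_borrow, easy_to_borrow):
        self.threshold = set(threshold)
        self.hard_to_borrow = set(hard_to_borrow)
        self.easy_to_borrow = set(easy_to_borrow)

    def evaluate(self, order: ShortSaleOrder, locate: Optional[Locate]) -> Decision:
        # Rule 203(b)(1): no short sale without a locate.
        if locate is None:
            return Decision(False, "NO_LOCATE", "no locate on file for this order")
        if locate.symbol != order.symbol:
            return Decision(False, "WRONG_SYMBOL", "locate is for a different security")
        # Assumed locate agreement: a locate is valid only on the day it was issued.
        if locate.issued_on != order.trade_date:
            return Decision(False, "STALE_LOCATE", "locate not issued on the trade date")
        if order.quantity > locate.quantity:
            return Decision(False, "QUANTITY_EXCEEDED", "order exceeds the located quantity")
        if not locate.used:
            return Decision(True, "FRESH_LOCATE", "unused locate applied to the order")
        # The locate already supported a short sale, so from here on this is a reuse.
        if not locate.covered:
            return Decision(False, "OPEN_SHORT", "original short not yet bought to cover")
        if order.symbol in self.threshold or order.symbol in self.hard_to_borrow:
            return Decision(False, "HARD_BLOCK", "threshold/hard-to-borrow: fresh locate required")
        if order.symbol not in self.easy_to_borrow:
            return Decision(False, "NOT_ETB", "reuse limited to easy-to-borrow securities")
        if not locate.good_for_day:
            return Decision(False, "NOT_GOOD_FOR_DAY", "locate not deemed good for the entire day")
        return Decision(True, "REUSE_OK", "intraday reuse after buy-to-cover permitted")

    def apply(self, order: ShortSaleOrder, locate: Optional[Locate]) -> Decision:
        """Evaluate and, if accepted, bind the locate to the new short position."""
        decision = self.evaluate(order, locate)
        if decision.accepted:
            locate.used = True
            locate.covered = False
        return decision


def record_buy_to_cover(locate: Locate) -> None:
    """Mark the short sale that consumed this locate as covered intraday."""
    locate.covered = True


def demo() -> list:
    """Run constructed orders through the control and return the decision codes."""
    today = date(2023, 1, 17)  # constructed trade date
    control = LocateControl(threshold={"THRS"}, hard_to_borrow={"HTBX"},
                            easy_to_borrow={"ETBA", "THRS"})  # THRS on both: hard block wins
    codes = [control.apply(ShortSaleOrder("ETBA", 100, today), None).code]
    stale = Locate("HTBX", 100, date(2023, 1, 16), good_for_day=True)  # yesterday's locate
    codes.append(control.apply(ShortSaleOrder("HTBX", 100, today), stale).code)
    etb = Locate("ETBA", 1000, today, good_for_day=True)
    codes.append(control.apply(ShortSaleOrder("ETBA", 600, today), etb).code)   # fresh use
    codes.append(control.apply(ShortSaleOrder("ETBA", 300, today), etb).code)   # short still open
    record_buy_to_cover(etb)
    codes.append(control.apply(ShortSaleOrder("ETBA", 1200, today), etb).code)  # over located qty
    codes.append(control.apply(ShortSaleOrder("ETBA", 1000, today), etb).code)  # permitted reuse
    thrs = Locate("THRS", 500, today, good_for_day=True)
    codes.append(control.apply(ShortSaleOrder("THRS", 500, today), thrs).code)  # fresh use is fine
    record_buy_to_cover(thrs)
    codes.append(control.apply(ShortSaleOrder("THRS", 100, today), thrs).code)  # reuse blocked
    return codes
```

The ordering of the checks matters: the hard block on threshold and hard-to-borrow symbols is tested before the easy-to-borrow list, so a symbol that appears on both lists is still rejected for reuse.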
Additional Resources
• SEC Amendments to Regulation SHO, Exchange Act Rel. No. 34-58775 (Oct. 14, 2008)
• SEC Reg SHO FAQs
Financial Management
Net Capital
Regulatory Obligations and Related Considerations
Regulatory Obligations
Exchange Act Rule 15c3-1 (Net Capital Rule) requires that member firms at all times have and maintain net capital at no less than the levels specified pursuant to the rule, to protect customers and creditors from monetary losses that can occur when firms fail. Exchange Act Rule 17a-11 requires member firms to notify FINRA in the event their net capital falls below the minimum amount required by the Net Capital Rule.
If member firms have an affiliate paying any of their expenses, Notice to Members 03-63 (SEC Issues Guidance on the Recording of Expenses and Liabilities by Broker/Dealers) provides guidance for establishing an expense-sharing agreement that meets the standards set forth in Exchange Act Rule 17a-3;[28] firms with office leases should apply the guidance in Regulatory Notice 19-08 (Guidance on FOCUS Reporting for Operating Leases) for reporting lease assets and lease liabilities on their FOCUS reports. Additionally, member firms must align their revenue recognition practices with the requirements of the Financial Accounting Standards Board’s Topic 606 (Revenue from Contracts with Customers).
Related Considerations
• How does your firm review its net capital treatment of assets to confirm that they are correctly classified for net capital purposes?
• How does your firm confirm that it has correctly identified and aged all failed-to-deliver contracts, properly calculated the applicable net capital charges and correctly applied the deductions to its net capital calculation?
• For firms with expense-sharing agreements, what kind of allocation methodology does your firm use and what kind of documentation does your firm maintain to substantiate its methodology for allocating specific broker-dealer costs to your firm or an affiliate?
• How does your firm assess the potential impact to net capital for new, complex or atypical transactions? Does your firm involve regulatory reporting staff in the process to assess these types of transactions?
Findings and Effective Practices
Findings
• Incorrect Capital Charges for Underwriting Commitments: Not maintaining an adequate process to assess moment-to-moment net capital and open contractual commitment capital charges on underwriting commitments; not establishing and maintaining WSPs for calculating and applying open contractual commitment charges; failing to maintain an accurate record or log of underwritings in which the firm is involved; and not understanding the firm’s role in the underwriting (i.e., best efforts or firm commitment).
• Inaccurate Net Capital Deductions and Concentration Charges: Not maintaining an adequate process to accurately determine the allowability and valuation of non-marketable securities (marketplace blockage); and not having an adequate process to conduct an internal credit analysis or an independent creditworthiness analysis of corporate and nonconvertible debt securities.
• Inadequate WSPs: Not maintaining adequate WSPs for calculating and applying haircuts for non-marketable inventory and for conducting an internal credit analysis or an independent creditworthiness analysis of the firm’s holdings of corporate and nonconvertible debt securities.
• Inaccurate Recording of Revenue and Expenses: Using cash accounting to record revenue and expenses as of the date the money changes hands, rather than accrual accounting (where firms would record revenue and expenses as of the date that revenue is earned or expenses are incurred); and making ledger entries as infrequently as once per month, resulting in firms not having adequate context to determine the proper accrual-based transaction date.
Effective Practices
• Net Capital Assessment: Performing an assessment of the net capital treatment of assets, to confirm that they were correctly classified for net capital purposes.
• Moment-to-Moment and Net Capital Compliance for Underwriting Commitments: Establishing and maintaining current WSPs for:
  - calculating and applying open contractual commitment charges, as well as focusing on the product and proper haircut percentage;
  - ensuring the firm’s role is clear within the agreement as it relates to its role in the underwriting (i.e., best efforts or firm commitment); and
  - establishing a process to track open contractual commitments in which the firm is involved.
• Net Capital Deductions: Establishing a process to determine the creditworthiness of inventory products; and maintaining WSPs for calculating and applying net capital deductions and haircuts for non-marketable inventory.
Additional Resources
• FINRA
  - Funding and Liquidity Topic Page
  - Interpretations to the SEC’s Financial and Operational Rules
  - Regulatory Notice 21-27 (FINRA Announces Update of the Interpretations of Financial and Operation Rules)
  - Regulatory Notice 19-08 (Guidance on FOCUS Reporting for Operating Leases)
  - Regulatory Notice 15-33 (Guidance on Liquidity Risk Management Practices)
  - Regulatory Notice 10-57 (Funding and Liquidity Risk Management Practices)
  - Notice to Members 03-63 (SEC Issues Guidance on the Recording of Expenses and Liabilities by Broker/Dealers)
• FASB
  - Revenue from Contracts with Customers (Topic 606)
Liquidity Risk Management
Regulatory Obligations and Related Considerations
Regulatory Obligations
Effective liquidity controls are critical elements in a broker-dealer’s risk management framework. Exchange Act Rule 17a-3(a)(23) requires member firms that meet specified thresholds to make and keep current records documenting the credit, market and liquidity risk management controls established and maintained by the firm to assist it in analyzing and managing the risks associated with its business.
FINRA routinely reviews and has shared observations on member firms’ liquidity risk management practices, as discussed in Regulatory Notice 15-33 (Guidance on Liquidity Risk Management Practices) and Regulatory Notice 21-12 (FINRA Reminds Member Firms of Their Obligations Regarding Customer Order Handling, Margin Requirements and Effective Liquidity Management Practices During Extreme Market Conditions). Additionally, FINRA has adopted a new filing requirement—the Supplemental Liquidity Schedule—for member firms with the largest customer and counterparty exposures. As noted in Regulatory Notice 21-31 (FINRA Establishes New Supplemental Liquidity Schedule (SLS)), the SLS is designed to improve FINRA’s ability to monitor for potential adverse changes in these member firms’ liquidity risk.
Supplemental Liquidity Schedule
In 2022, FINRA began collecting specified liquidity information from certain firms on the new Supplemental Liquidity Schedule (SLS), which larger firms file as a supplement to the FOCUS Report. The SLS is designed to improve FINRA’s ability to monitor for events that signal an adverse change in the liquidity risk of firms with the largest customer and counterparty exposures.
Related Considerations
• What departments at your firm are responsible for liquidity management?
• How often does your firm review and adjust its assumptions regarding clearing deposits in its liquidity management plan and stress test framework?
• Do your firm’s liquidity management practices include processes for:
  - accessing liquidity during common stress conditions—such as increases in firm and client activities—as well as “black swan” events;
  - determining how the funding would be used; and
  - using empirical data from recent stress events to increase the robustness of its stress testing?
• Does your firm’s contingency funding plan take into consideration the amount of time needed to address margin calls from both customers and counterparties? Does your firm also take into consideration the type of transactions that are impacting your firm’s liquidity?
• What kind of stress tests (e.g., market, idiosyncratic) does your firm conduct? Do these tests include concentration limits within securities or sectors, and incorporate holdings across accounts held at other financial institutions? Are these tests conducted and documented on a regular basis? Does your firm institute changes to its funding plan as a result?
• If your firm’s business has grown significantly or has materially changed, or your firm plans to make a material change to its business, has your firm made commensurate changes to its liquidity management and stress test practices and related policies and procedures?
Observations and Effective Practices
Observations
• Not Modifying Business Models: Failing to incorporate the results of firms’ stress tests into their business model.
• Establishing Inaccurate Stresses on Clearing Deposit Requirements: As part of their stress testing, firms incorrectly base stresses on clearing deposit requirements on information that doesn’t necessarily represent the firm’s business operations (e.g., using the amounts reflected on FOCUS reports rather than spikes in deposit requirements that may have occurred intra-month).
• No Liquidity Contingency Plans: Failing to develop contingency plans for operating in a stressed environment with specific steps to address certain stress conditions, including identifying the firm staff responsible for enacting the plan and the process for accessing liquidity during a stress event, as well as setting standards to determine how liquidity funding would be used.
Effective Practices
• Liquidity Risk Management Updates: Updating liquidity risk management practices, policies and procedures to take into account a firm’s current business activities, including:
  - establishing governance around liquidity management, determining who is responsible for monitoring the firm’s liquidity position, how often they monitor that position and how frequently they meet as a group; and
  - creating a liquidity management plan that considers:
    - quality of funding sources;
    - quality of collateral;
    - potential mismatches in duration between liquidity sources and uses;
    - potential losses of counterparties;
    - how the firm obtains funding in a business-as-usual condition and stressed conditions;
    - assumptions based on idiosyncratic and market-wide conditions;
    - early warning indicators and escalation procedures if risk limits are neared or breached; and
    - material changes in market value of firm inventory over a short period of time.
• Stress Tests: Conducting stress tests in a manner and frequency that consider the complexity and risk of the firm’s business model, including:
  - assumptions specific to the firm’s business (e.g., increased haircuts on collateral pledged by the firm, availability of funding from a parent firm) and based on historical data;
  - the firm’s sources and uses of liquidity, and whether these sources can realistically fund its uses in a stressed environment;
  - the potential impact of off-balance sheet items (e.g., non-regular way settlement trades, forward contracts) on liquidity; and
  - periodic governance group review of stress tests.
Additional Resources
• Funding and Liquidity Topic Page
• Regulatory Notice 21-31 (FINRA Establishes New Supplemental Liquidity Schedule (SLS))
• Regulatory Notice 21-12 (FINRA Reminds Member Firms of Their Obligations Regarding Customer Order Handling, Margin Requirements and Effective Liquidity Management Practices During Extreme Market Conditions)
• Regulatory Notice 15-33 (Guidance on Liquidity Risk Management Practices)
• Regulatory Notice 10-57 (Funding and Liquidity Risk Management Practices)
Credit Risk Management
Regulatory Obligations and Related Considerations
Regulatory Obligations
FINRA has consistently reminded member firms of the importance of properly managing credit risk and published Notices that offer guidance on effective funding and liquidity risk management practices (which are available in the “Additional Resources” section below). Material credit risk exposures can arise, for example, from clearing arrangements, prime brokerage arrangements (especially fixed income prime brokerage), “give up” arrangements and sponsored access arrangements.
Further, member firms should maintain a control framework where they manage credit risk and identify and address all relevant risks covering the extension of credit to their customers and counterparties. Weaknesses within the firm’s risk management and control processes could result in a member firm incorrectly capturing its exposure to credit risk. In particular, Exchange Act Rule 17a-3(a)(23) requires member firms that meet specified thresholds to make and keep current records documenting the credit, market and liquidity risk management controls established and maintained by the firm to assist it in analyzing and managing the risks associated with its business.
Related Considerations
• Does your firm maintain a robust internal control framework to capture, measure, aggregate, manage, supervise and report credit risk?
• Does your firm review whether it is accurately capturing its credit risk exposure, maintain approval and documented processes for increases or other changes to assigned credit limits, and monitor exposure to affiliated counterparties?
• Does your firm have a process to confirm it is managing the quality of collateral and monitoring for exposures that would have an impact on capital?
• If your firm engages in a fully paid securities lending program that enrolls retail customers (e.g., through auto-enrollment), how does your firm determine whether the program is appropriate for the customer? Does it accurately disclose the portion of fees generated on loaned shares that these customers would receive?
Observations and Effective Practices
Observations
• No Credit Risk Management Reviews: Not evaluating firms’ risk management and control processes to confirm whether they were accurately capturing their exposure to credit risk.
• No Credit Limit Assignments: Not maintaining approval and documentation processes for assignment, increases or other changes to credit limits.
• Not Monitoring Exposure: Not monitoring exposure to firms’ affiliated counterparties.
• Inadequate Systems to Monitor Customer and Counterparty Limits: Systems not designed to calculate firm exposure to customers and counterparties that trade across multiple affiliated entities or across multiple accounts within the same entity.
Effective Practices
• Credit Risk Framework: Developing comprehensive internal control frameworks to capture, measure, aggregate, manage and report credit risk, including:
  - establishing house margin requirements;
  - identifying and assessing credit exposures in real-time environments;
  - issuing margin calls and margin extensions (and resolving unmet margin calls);
  - establishing the frequency and manner of stress testing for collateral held for margin loans and secured financing transactions; and
  - having a governance process for approving new, material margin loans.
• Credit Risk Limit Changes: Maintaining approval and documentation processes for increases or other changes to assigned credit limits, including:
  - having processes for monitoring limits established at inception and on an ongoing basis, for customers and counterparties;
  - reviewing how customers and counterparties adhere to these credit limits and what happens if these credit limits are breached; and
  - maintaining a governance structure around credit limit approvals.
• Counterparty Exposure: Monitoring exposure to affiliated counterparties, considering their:
  - creditworthiness;
  - liquidity and net worth;
  - track record of past performance (e.g., traded products, regulatory history, past arbitration and litigation); and
  - internal risk controls.
Additional Resources
• Funding and Liquidity Topic Page
• Regulatory Notice 21-31 (FINRA Establishes New Supplemental Liquidity Schedule (SLS))
• Regulatory Notice 21-12 (FINRA Reminds Member Firms of Their Obligations Regarding Customer Order Handling, Margin Requirements and Effective Liquidity Management Practices During Extreme Market Conditions)
Portfolio Margin and Intraday Trading
Regulatory Obligations and Related Considerations
Regulatory Obligations
FINRA Rule 4210(g) (Margin Requirements) permits member firms to apply portfolio margin requirements—based on the composite risk of a portfolio’s holdings—in margin accounts held by certain investors as an alternative to “strategy-based” margin requirements. Member firms are required to monitor the risk of the positions held in these accounts during a specified range of possible market movements according to a comprehensive written risk methodology.
Related Considerations
• Do your firm’s policies and procedures for monitoring the risk of its investors’ portfolio margin accounts comply with Rule 4210(g)(1), in particular:
  - maintaining a comprehensive written risk methodology for assessing the potential risk to the member’s capital during a specified range of possible market movements of positions maintained in such accounts;
  - monitoring the credit risk exposure of portfolio margin accounts both intraday and end of day; and
  - maintaining a robust internal control framework reasonably designed to capture, measure, aggregate, manage, supervise and report credit risk exposure to portfolio margin accounts?
Findings and Effective Practices
Findings
• Inadequate Monitoring Systems: Systems not designed to consistently identify credit risk exposure intraday (e.g., do not include defined risk parameters required to produce notifications or exception reports to senior management; require manual intervention to run effectively) or end of day (e.g., cannot monitor transactions executed away in a timely manner).
• Not Promptly Escalating Risk Exposures: Staff failing to promptly identify and escalate to senior management incidents related to elevated risk exposure in portfolio margin accounts, in part due to insufficient expertise.
• Insufficient WSPs: Failing to maintain WSPs outlining intraday monitoring processes and controls.
• Non-Eligible Products Included in the Portfolio Margin Methodology: Processes, controls or frameworks not reasonably designed to identify and exclude non-eligible products from inclusion in the risk-based margin value of the customers’ holding accounts with the firm.
Effective Practices
• Internal Risk Framework: Developing and maintaining a robust internal risk framework to identify, monitor and aggregate risk exposure within individual portfolio margin accounts and across all portfolio margin accounts, including:
  - increasing house margin requirements during volatile markets in real time;
  - conducting stress testing of client portfolios;
  - closely monitoring client fund portfolios’ NAV, capital, profitability, client redemptions, liquidity, volatility and leverage to determine if higher margin requirements or management actions are required; and
  - monitoring and enforcing limits set by internal risk functions and considering trigger and termination events set forth in the agreement with each client.
• Concentration Risk: Maintaining and following reasonably designed processes (reflected in the firm’s WSPs) and robust controls to monitor the credit exposure resulting from concentrated positions within both individual portfolio margin accounts and across all portfolio margin accounts, including processes to:
  - aggregate and monitor total exposure and liquidity risks with respect to accounts under common control;
  - identify security concentration at the aggregate and single account level; and
  - measure the impact of volatility risk at the individual security level.
• Client Exposure: Clearly and proactively communicating with clients with large or significantly increasing exposures, according to clearly delineated triggers and escalation channels established by the firm’s WSPs; and requesting that clients provide their profit and loss position each month.
• Reporting: Maintaining controls to ensure portfolio margin data reported to FINRA is accurate.
• Global Margin Programs: For firms that holistically monitor and hedge portfolio margin account exposure across affiliated entities, maintaining and enforcing appropriate inter-affiliate agreements that document a global margin program and provide regulatory transparency regarding the firm’s margin calculations.
• Internal Audit Review of Portfolio Margin Process: Conducting an internal audit review of the portfolio margin process as part of its regular schedule.
• Staffing and Training: Maintaining a staff with sufficient subject matter expertise, and providing training opportunities, related to portfolio margin.
Additional Resources
• Portfolio Margin FAQ
Segregation of Assets and Customer Protection
Regulatory Obligations and Related Considerations
Regulatory Obligations
Exchange Act Rule 15c3-3 (Customer Protection Rule) imposes requirements on member firms that are designed to protect customer funds and securities. Member firms are obligated to maintain custody of customers’ fully paid and excess margin securities, safeguard customer cash by segregating these assets from the firm’s proprietary business activities and promptly deliver them to their owner upon request. Member firms can satisfy these requirements by keeping customer funds in a special reserve bank account and by maintaining customer securities in their physical possession or in a good control location that allows the firm to direct their movements. Member firms are required to maintain a reserve of cash or qualified securities in the special reserve bank account that is at least equal in value to the net cash owed to customers, including cash obtained from the use of customer securities. The amount of net cash owed to customers is computed pursuant to the formula set forth in Exhibit A to Rule 15c3-3.
Related Considerations
• What is your firm’s process to prevent, identify, escalate and resolve new or increased deficits that are in violation of the Customer Protection Rule?
• What controls does your firm have in place to identify and monitor its possession or control deficits, including their creation, cause and resolution?
• If your firm claims an exemption from the Customer Protection Rule and it is required to forward customer checks promptly to your firm’s clearing firm, how does your firm implement consistent processes for check forwarding and maintain accurate blotters to document that checks were forwarded in a timely manner?
• How does your firm train staff on Customer Protection Rule requirements?
• What are your firm’s processes to confirm that it correctly completes its reserve formula computation and maintains the amounts that must be deposited into the special reserve bank account(s)?
• If your firm is engaging in digital asset transactions, what controls, including systems and procedures, has it established to confirm compliance with the Customer Protection Rule? Has your firm analyzed these controls and procedures to address potential concerns arising from acting as a custodian (i.e., holding or controlling customer property)?
Findings and Effective Practices
Findings
• Inconsistent Check Forwarding Processes: Failing to implement consistent processes for check forwarding to comply with an exemption from the Customer Protection Rule.
• Inaccurate Reserve Formula Computations: Failing to complete accurate reserve formula computations, due to factors such as inadequate supervisory procedures and processes, limited coordination between various internal departments and inaccurate account coding.
• Inaccurate Segregation of Customer Securities: Failing to maintain possession or control of customer fully paid and excess margin securities due to inadequate supervisory procedures and processes to identify, monitor, and resolve possession or control deficits and inaccurate coding of good control locations.
Effective Practices
• Confirming Control Agreements: Collaborating with legal and compliance departments to confirm that all agreements supporting control locations are finalized and executed before the accounts are established and accurately coded as good control accounts on firms’ books and records.
• Addressing Conflicts of Interest: Confirming which staff have system access to establish a good new control location and that they are independent from the business areas to avoid potential conflicts of interest; and conducting ongoing review to address emerging conflicts of interest.
• Reviews and Exception Reports for Good Control Locations: Conducting periodic review of and implementing exception reports for existing control locations for potential miscoding, out-of-date paperwork or inactivity.
• Check Forwarding Blotter Review: Creating and reviewing your firm’s checks received and forwarded blotters to confirm that they are up to date and include the information required to document compliance with the Customer Protection Rule exemption.
Additional Resources
• FINRA
  ◦ Customer Protection – Reserves and Custody of Securities (SEA Rule 15c3-3)
• SEC
  ◦ Custody of Digital Asset Securities by Special Purpose Broker-Dealers, Exchange Act Release No. 34-90788 (Dec. 23, 2020)
  ◦ No-Action Letter to FINRA re: ATS Role in the Settlement of Digital Asset Security Trades (Sept. 25, 2020)
Appendix—Using FINRA Reports in Your Firm’s Compliance Program
Firms have shared the following ways they have used prior FINRA publications, such as Exam Findings Reports,
Priorities Letters and Reports on FINRA’s Examination and Risk Monitoring Program to enhance their compliance
programs. We encourage firms to consider these practices, if relevant to their business model, and continue to
provide feedback on how they use FINRA publications.
• Assessment of Applicability: Performed a comprehensive review of the findings, observations and effective practices, and identified those that are relevant to their businesses.
• Risk Assessment: Incorporated the topics highlighted in our reports into their overall risk assessment process and paid special attention to those topics as they performed their compliance program review.
• Gap Analysis: Conducted a gap analysis to evaluate how their compliance programs and WSPs address the questions noted in Priorities Letters and the effective practices in Exam Findings Reports, and determined whether their compliance programs have any gaps that could lead to the types of findings noted in Exam Findings Reports.
• Project Team: Created interdisciplinary project teams and workstreams (with staff from operations, compliance, supervision, risk, business and legal departments, among other departments) to:
  ◦ assign compliance stakeholders and project owners;
  ◦ summarize current policies and control structures for each topic;
  ◦ engage the legal department for additional guidance regarding regulatory obligations;
  ◦ develop plans to address gaps; and
  ◦ implement effective practices that were not already part of their compliance program.
• Circulation to Compliance Groups: Shared copies of the publications or summaries of relevant sections with their compliance departments.
• Presentation to Business Leaders: Presented to business leadership about their action plans to address questions, findings, observations and effective practices from our reports.
• Guidance: Used reports to prepare newsletters, internal knowledge-sharing sites or other notices for their staff.
• Training: Added questions, findings, observations and effective practices from our reports, as well as additional guidance from firms’ policies and procedures, to their Firm Element and other firm training.
Endnotes
1 These considerations are intended to serve as a possible starting point in considering a firm’s compliance
program related to a topic. Firms should review relevant rules to understand the full scope of their
obligations.
2 See 17 CFR 248.201(b)(3), which defines “covered account” as:
(i) An account that a financial institution or creditor offers or maintains, primarily for personal, family,
or household purposes, that involves or is designed to permit multiple payments or transactions, such
as a brokerage account with a broker-dealer or an account maintained by a mutual fund (or its agent)
that permits wire transfers or other payments to third parties; and
(ii) Any other account that the financial institution or creditor offers or maintains for which there is
a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution
or creditor from identity theft, including financial, operational, compliance, reputation, or litigation
risks.
3 Capital Acquisition Broker (CAB) Rule 331 applies these requirements on Capital Acquisitions Brokers.
4 Broker-dealers are required to file SARs for financial crimes such as money laundering, fraud and sanctions violations, in addition to other identified violations, pursuant to 31 U.S.C. 5318(g) and 31 CFR § 1023.320.
5 See 31 C.F.R. Part 1010 and 31 C.F.R. Part 1023.
6 31 C.F.R. § 1023.220 requires broker-dealers to conduct CIP on their “customers.” A “customer” is defined by 31 C.F.R. § 1023.100(d) as “a person that opens a new account.” An “account” is, in turn, defined by 31 C.F.R. § 1023.100(a)(1) as a “formal relationship with a broker-dealer established to effect transactions in securities.”
Broker-dealers are also required to identify and verify the identity of the beneficial owners of their “legal entity customers” when “a new account is opened.” 31 C.F.R. § 1010.230. A “legal entity customer” is defined as a corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction that opens an account. 31 C.F.R. § 1010.230(e). As under the CIP rule, an “account” is defined as a “formal relationship with a broker-dealer established to effect transactions in securities.” 31 C.F.R. § 1010.230(c).
7 See the 2022 Report’s AML section for red flags of potentially manipulative trading associated with how
investors open new accounts and trade securities of China-based issuers after the IPO is completed.
8 An identity verification method where applicants upload a photo or video of themselves, which is then
compared with their recently submitted identity documents. (See Regulatory Notice 21-18 (FINRA Shares
Practices Firms Use to Protect Customers from Online Account Takeover Attempts.))
9 These regulatory obligations stem from Exchange Act Rule 15c3-3(d)(4) and MSRB Rules G-17 and G-27 (for firm
shorts), and MSRB Rule G-12(h) (for fails-to-receive).
10 Regulatory Notice 15-27 reminds firms that “[w]hile the 30-calendar-day period begins upon allocating the
security in deficit to a short position, firms should not view this 30-calendar-day period as a ‘safe harbor’
for resolving firm short positions in municipal securities.” If it were, the payment of taxable substitute
interest would be unavoidable.
11 This section’s findings and effective practices are based on observations regarding funding portals
rather than intermediaries.
12 See the Report’s Private Placements section for additional findings related to firms recommending
private offerings without having a reasonable basis.
13 See the Report’s Variable Annuities section for additional findings related to firms not reasonably
supervising variable annuities recommendations for compliance with Reg BI.
14 See the SEC’s December 17, 2021, Staff Statement Regarding Form CRS Disclosures for additional
observations.
15 See CAT NMS Plan, FAQ R.2 for the types of information firms should obtain from third-party vendors to
satisfy these requirements.
16 In this situation, the routing firm and receiving firm may have different best execution obligations. See
Supplementary Material .09 to FINRA Rule 5310.
17 See SEC Division of Market Regulation, Staff Legal Bulletin No. 13A, Frequently Asked Questions About Rule
11Ac1-6, FAQ #9.
18 In addition to the order routing disclosures under Rule 606, Rule 607 of Regulation NMS requires firms to
disclose their policies regarding PFOF and order routing when customers open accounts, and on an annual
basis thereafter, so firms should consistently provide the same information in both types of disclosures.
19 See in particular SEC FAQ 12.01 regarding adopting another firm’s report by reference.
20 See FINRA Rules Series: 6200 (Alternative Display Facility); 6300A (FINRA/NASDAQ Trade Reporting Facilities);
6300B (FINRA/NYSE Trade Reporting Facility); 6620 (Reporting Transactions in OTC Equity Securities and
Restricted Equity Securities); 7100 (Alternative Display Facility); 7200A (FINRA/NASDAQ Trade Reporting
Facilities); 7200B (FINRA/NYSE Trade Reporting Facility); and 7300 (OTC Reporting Facility).
21 See Questions 101.14 and 101.15 of FINRA’s Trade Reporting Frequently Asked Questions.
22 See also the Best Execution section of this report.
23 See, e.g., 69 FR 48008 at 48015; and Questions 4.7 and 4.8 of the U.S. Securities and Exchange Commission, Responses to Frequently Asked Questions Concerning Regulation SHO (Oct. 15, 2015) (SEC’s Reg SHO FAQs).
24 See Question 4.4 of the SEC Reg SHO FAQs.
25 See Question 4.4 of the SEC Reg SHO FAQs.
26 Id.
27 Id.
28 Firms are reminded that any affiliate obligated to pay firm expenses must have the independent financial
means to satisfy those obligations.
www.finra.org
© 2023 FINRA. All rights reserved.
FINRA and other trademarks of the
Financial Industry Regulatory
Authority, Inc. may not be used
without permission.
CCSD-3865—01/23