Compliance Highlight: FINRA Issues 2024 Regulatory Oversight Report

Today FINRA issued its latest iterative report on its examination and risk monitoring program. This article focuses on the new topics and material introduced this year, specifically selected examination findings. It also covers topics that FINRA noted in the report as “Emerging Risks,” which represent potentially concerning practices that may pose new or additional risk. Lastly, several targeted exam or sweep updates are referenced from the report.

New Topics for 2024 – Selected Examination, Surveillance, Investigation, or Enforcement Findings

1. Crypto Asset Developments
   1. Failing to appropriately and accurately address relevant risks and include appropriate disclosures in communications with the public.
   1. Disseminating promotional materials that contain material misstatements or omissions in connection with securities offerings.
   1. Failing to conduct appropriate due diligence on crypto asset private placements recommended to customers.
   1. Failing to establish and implement AML programs reasonably designed to detect and cause the reporting of:
      1. suspicious crypto asset transactions occurring by, at or through the broker-dealer; and
      1. suspicious trading involving issuers with a purported involvement in crypto asset-related activities.
   1. Related new crypto asset communications findings:
      1. Failing to clearly differentiate in communications, including those on mobile apps, between crypto assets offered through an affiliate of the member or another third party, and products and services offered directly by the member itself.
      1. Making false statements or implications that crypto assets functioned like cash or cash-equivalent instruments, or making other false or misleading statements or claims regarding crypto assets.
      1. Comparing crypto assets to other assets (e.g., stock investments or cash) without providing a sound basis to compare the varying features and risks of these investments.
      1. Providing misleading explanations of how crypto assets work and their core features and risks.
      1. Failing to provide a sound basis to evaluate crypto assets by omitting explanations of how crypto assets are issued, held, transferred or sold.
      1. Misrepresenting the extent to which the federal securities laws or FINRA rules apply to crypto assets.
      1. Making misleading statements about the extent to which certain crypto assets are protected by SIPC under the SIPA.

• OTC Quotations in Fixed Income Securities
  • Not maintaining controls and procedures reasonably designed to monitor quoting activity in fixed income securities; and not reviewing the firm’s activity to determine applicability of the Exchange Act Rule 15c2-1.
  • Stating that the firm only quotes in exempt securities without conducting an analysis.
  • Not implementing procedures and controls—including a process for complying with the Exchange Act Rule 15c2-1—to ensure that the firm does not quote a covered security prior to confirming the availability of public financial information (unless an exception under Exchange Act Rule 15c2-1 is available).

• Advertised Volume
• Overstating, or inflating, the firm’s trading volume due to technological or procedural failures or errors.
• Failing to establish and maintain supervisory systems that are reasonably designed to achieve compliance with Rule 5210, including with respect to trading information disseminated by third-party service providers.

• Market Access Rule
  • Not establishing pre-trade order limits, pre-set capital thresholds and duplicative and erroneous order controls for accessing ATSs, including those that transact fixed income transactions.
    • Setting pre-trade order limits at unreasonable thresholds based on a firm’s business model.
    • Not demonstrating, and failing to maintain, documentation demonstrating the reasonability of assigned capital, credit and erroneous order pre-trade financial controls.
    • Not establishing adequate policies and procedures to govern intra-day changes to firms’ credit and capital thresholds, including requiring or obtaining approval prior to adjusting credit or capital thresholds, documenting justifications for any adjustments and ensuring thresholds for temporary adjustments revert back to their pre-adjusted values.
  • Failing to consider a firm’s business model when setting pre-trade order limits or other regulatory requirements (e.g., Limit Up-Limit Down (LULD) thresholds and exchanges’ Limit Order Price Protection thresholds), as well as historical and available liquidity, and the time required for liquidity replenishment, when determining erroneous price and size control thresholds.
  • Excluding certain orders from a firm’s pre-trade erroneous controls based on order types (e.g., excluding limit on close orders from a firm’s price controls).
  • For firms with market access, or those that provide it, unreasonable capital thresholds for trading desks and unreasonable aggregate daily limits or credit limits for institutional customers and counterparties.
  • Relying on third-party vendors’ tools, including those of an ATS or exchange, to apply their financial controls without performing adequate due diligence, not understanding how vendors’ controls operate, or both; and not maintaining direct and exclusive control over controls by allowing the ATS to unilaterally set financial thresholds for firms’ fixed income orders without the involvement of the firm, instead of establishing their own thresholds.
  • Failure to document the firm’s review, conducted at least annually, of the effectiveness of its risk management controls and supervisory procedures (e.g., no inventory of the specific systems, controls, thresholds or functionality that were reviewed), including the reasonableness of the firm’s market access controls applicable to each business/product line in which the firm provides market access.

Emerging Risks That May Receive Increased Scrutiny by FINRA

1. Artificial Intelligence (AI)

FINRA noted that the development of AI tools has been marked by concerns about accuracy, privacy, bias and intellectual property, among others. FINRA encouraged member firms to be mindful of how these new technologies, including generative AI tools, may implicate their regulatory obligations.

• Before deploying AI technologies member firms may consider paying particular attention to the following areas:
  • Anti-Money Laundering
  • Books and Records
  • Business Continuity
  • Communications With the Public
  • Customer Information Protection
  • Cybersecurity
  • Model Risk Management (including testing, data integrity and governance, and explainability)
  • Research
  • SEC Regulation Best Interest
  • Supervision
  • Vendor Management

• New Account Fraud

FINRA has observed an increase in suspicious and fraudulent activity related to new account fraud (NAF), which occurs when a bad actor uses stolen or synthetic identification14 information to fraudulently open an account.

• NAF may be a precursor to other fraud schemes. Examples observed in FINRA examinations and investigations include, but are not limited to:
  • fraudulent requests to the ACATS to steal securities and other assets from an investor;
  • fraudulent ACH transfers and wire transfers, including instances in which accounts opened through NAF were used as conduits to steal money from customers at other financial institutions; and
  • deposit or movement of fraudulently obtained funds from government benefit programs (e.g., fraudulently obtained COVID-relief funds).
• FINRA encourages firms, especially those that offer fully online account opening services and rely on automated account opening or customer verification services, to:
  • evaluate their review of red flags of NAF during the account opening process;
  • evaluate their monitoring of ongoing customer account activity for NAF and other known fraud schemes; and
  • enhance these processes, as needed, to ensure compliance with Regulation S-ID and other applicable rules.

FINRA Targeted Exam (Sweep) Mentions & Updates

1. FINRA Provides Update on Sweep: Special Purpose Acquisition Companies (SPACs)
2. FINRA’s review focuses on a cross-section of firms that participated in SPAC offerings and included, among other things, reasonable investigation, best interest, disclosure of outside activities or potential conflicts, net capital and supervision.
3. The update highlights several initial themes from our reviews of firms’ offering of, and services provided to, SPACs and their affiliates (e.g., sponsors, principal stockholders, board members and related parties), and includes questions for firms to consider as they evaluate whether their supervisory systems are reasonably designed to address risks of their SPAC-related activities, including:
   1. reasonable investigation of the issuers and the securities they recommend, including SPACs;
   1. underwriting compensation and disclosures;
   1. identifying, addressing and disclosing potential or actual conflicts of interest when underwriting or
   1. recommending transactions in SPACs; and
   1. firms’ supervisory systems, procedures, processes and controls for underwriting and recommending transactions in SPACs.

• FINRA Provides Update on Sweep: Social Media Influencers, Customer Acquisition and Related Information Protection

In September 2021, FINRA launched a sweep to review firms’ practices related to their acquisition of customers through social media channels, as well as firms' sharing of customers’ usage information with affiliates and non-affiliated third parties. The first part of the review focuses on firms’ use of social media influencers and referral programs to promote their products and services and recruit new customers. The second part of the review addresses firms’ privacy notices (and options to opt-out) regarding the collection and sharing of their usage information.

• FINRA Provides Update on Sweep: Option Account Opening, Supervision and Related Areas

In August 2021, FINRA launched a sweep to review firms’ practices and controls related to the opening of options accounts and related areas, including account supervision, communications and diligence. FINRA’s review focuses on a cross-section of retail and diversified firms that offer options trading to their customers.

• Sweep Letter: Crypto Asset Communications
• Crypto asset-related retail communications reviewed by FINRA’s Advertising Regulation Department have had a non-compliance rate that is significantly higher than that of other products.
• As a result, in November 2022, FINRA launched a targeted exam to review practices of certain member firms that actively communicate with retail customers concerning crypto assets and crypto asset-related services.
• FINRA is working to complete this review and publish an update on findings and effective practices.