Welcome to the latest issue of Bracewell’s FINRA Facts and Trends, a monthly newsletter devoted to condensing and digesting recent FINRA developments in the areas of enforcement, regulation and dispute resolution. We dedicate this month’s issue to FINRA’s 2024 Annual Regulatory Oversight Report. Read about the Report’s findings and observations, below.
FINRA Issues 2024 Regulatory Oversight Report
On January 9, 2024, FINRA published its 2024 Annual Regulatory Oversight Report (the Report), formerly known as the Report on FINRA’s Examination and Risk Monitoring Program. As in past years, the Report is intended to offer insights and observations on key regulatory topics and emerging risks that firms should consider when evaluating their compliance programs and procedures. Broadly speaking, the Report identifies relevant rules, summarizes noteworthy findings, highlights key considerations for member firms’ compliance programs, and provides helpful and practical considerations as member firms analyze their existing procedures and controls.
The 2024 Report discusses 26 topics relevant to the securities industry. While many of these are perennially important topics, the Report also includes a new section on crypto asset developments and three newly identified priorities: OTC quotations in fixed income securities, advertised volume, and the market access rule. Below, we provide an overview of the Report’s new priorities, together with certain continuing priorities highlighted in the Report.
Newly Identified Priorities
- Crypto Asset Developments: The most significant addition to the Report is a new top-level section on Crypto Asset Developments. As the broad heading indicates, the newly added material primarily gathers information and findings regarding cryptocurrency, which touch various other areas of the Report. Accordingly, firms participating (or expecting to participate) in the cryptocurrency economy are advised to evaluate their supervisory and compliance procedures in such diverse areas as cybersecurity, anti-money laundering compliance, customer communications, manipulative trading, private placement due diligence, and crypto-related outside business activities and private securities transactions of their employees.
The Report also outlines steps to be taken by firms submitting New Membership Applications to engage in crypto asset securities business, such as providing placement or custodial services, or operating an Alternative Trading System. New members must ensure their proposed business plans comply with published SEC guidance and customer protection rules.
FINRA also instructs firms to: promulgate written policies regarding all aspects of crypto trading and custody; establish guidelines to determine whether particular digital assets constitute securities and, if so, whether such crypto securities fall within an exemption for registration; ensure the firm’s AML compliance program accounts for crypto asset trading; and test for potential cybersecurity weaknesses in crypto asset business lines.
Finally, the Report provides a summary of FINRA’s findings concerning crypto-related market abuse (like pump-and-dump schemes), as well as an interim report on FINRA’s sweep of retail crypto-related communications, which we first reported on in November 2022. On January 23, 2024, shortly after the Report was released, FINRA announced the results of the communications sweep. It identified potential Rule 2210 (Communications with the Public) violations in 70 percent of the more than 500 crypto asset communications it reviewed. Potential violations included failure to distinguish between products offered by the member and those offered by an affiliate or third party; statements that cryptocurrencies functioned like cash or cash equivalents; improper comparisons of crypto assets to traditional assets; other unclear or false statements or claims regarding digital assets; and misrepresentations relating to the applicability of securities laws and consumer protection laws to crypto investments.
- OTC Quotations in Fixed Income Securities: The Report signals FINRA’s recent application of Exchange Act Rule 15c2-11 in the context of fixed income securities. Rule 15c2-11 generally prohibits a broker-dealer from publishing a quotation for any security in a quotation medium other than a national securities exchange — that is, the OTC market — unless the broker-dealer has first reviewed issuer information and confirmed its accuracy, or unless the security is exempt. Importantly, certain fixed income securities with defined criteria were the subject of a series of no-action letters between 2020 and 2022, which are currently applicable to third parties. This relief, however, will expire on January 4, 2025. Given FINRA’s increased regulatory focus on this topic, firms are advised to: establish written procedures addressing the publication of fixed income security quotations; confirm that any review of issuer information is thorough and accurate; and ensure the availability of a proper exemption for all “exempt” securities.
- Advertised Volume: In a brief new section on Advertised Volume, FINRA reminds firms that the publication or circulation of inflated trading activity violates FINRA Rule 5210 and is sanctionable. Firms are advised to establish supervisory procedures to verify the accuracy of published trading volume, including where they advertise their trading activity to the market through one or more service providers.
- Market Access Rule: In a final new section, FINRA highlights the Market Access Rule (Exchange Act Rule 15c3-5), which requires firms offering market access to their customers to implement robust controls designed to mitigate risks to the firms itself, to other market participants, to the securities markets, and to the country’s overall financial system.
To address the risks of running afoul of the Market Access Rule, firms should: implement systemic pre-trade hard blocks on orders that would breach a predetermined threshold; institute procedures for ad hoc credit threshold increases; implement soft blocks where appropriate; calibrate order controls to particular products, situations or order types; monitor the cumulative market impact of associated orders; employ post-trade controls and surveillance to monitor for potentially manipulative trading patterns; and regularly test market access controls.
In addition to the Report’s new topics, the Report places special emphasis on certain continuing priorities that will remain key focus areas for FINRA in 2024:
- Cybersecurity and Technology Management: Although previous versions of the Report included a section on Cybersecurity and Technology Management, there are several important additions in 2024.
First, the Report reminds firms of new rules adopted by the SEC in July 2023 requiring public reporting companies to disclose specific information regarding cybersecurity incidents they experience. The new SEC rules, which add a new Item 1.05 to Form 8-K, primarily reinforce and standardize existing disclosure requirements by imposing specific timing obligations, clarifying the range of disclosable information, and requiring amendments to previous disclosures to address previously incomplete or unavailable information. The SEC also proposed rules in March 2023 that, if adopted, would require member firms to establish, maintain and enforce written policies and procedures with respect to cybersecurity risks, with more stringent guidelines for larger entities. Although the March 2023 rules have not yet been adopted, firms are well advised to establish sufficient internal controls to prevent and respond to cybersecurity incidents.
Second, FINRA reports on an increase in the variety, frequency and sophistication of such cybersecurity incidents as imposter websites, insider threats, ransomware and incidents affecting critical vendors. The Report compiles resources for firms to identify, prevent and mitigate these risks.
Third, the Report notes that the recent explosion of artificial intelligence (AI) comes with risks. FINRA warns member firms to consider AI’s impact on virtually all aspects of their regulatory obligations before deploying this new technology.
- Anti-Money Laundering (AML): FINRA Rule 3310 requires that each member firm develop and implement a written AML program that is approved in writing by senior management and is reasonably designed to achieve and monitor the firm’s compliance with the Bank Secrecy Act and its implementing regulations.
The Report identifies one emerging risk of particular note: an increase in suspicious and fraudulent activity related to new account fraud, which occurs when an account is opened fraudulently using synthetic or stolen identities. New account fraud can create an opening for other types of fraud, such as fraudulent ACATS requests to steal securities and other assets from an investor. FINRA encourages firms to evaluate and enhance their processes for reviewing red flags during the account opening process, and for monitoring ongoing customer account activity.
- Outside Business Activities and Private Securities Transactions: Under FINRA Rules 3270 and 3280, registered persons are required to notify their member firms of proposed Outside Business Activities (OBAs), and associated persons are required to notify their firms of proposed Private Securities Transactions (PSTs). The Report provides several relevant considerations for firms to review on this topic, including the methods used by a firm to identify individuals involved in undisclosed OBAs and PSTs, and the firm’s process for reviewing and supervising disclosed OBAs and PSTs.
One of the current areas of focus raised in the Report’s review of noteworthy findings involves potential failures of review and recordkeeping of crypto asset-related activities, including failures to disclose, approve or follow required steps for crypto asset-related OBAs and PSTs. The Report also provides member firms with effective practices for complying with obligations related to OBAs and PSTs.
- Books and Records: FINRA Rule 4511(a) requires member firms to make and preserve books and records, as required under FINRA Rules 3110(b)(1), 3110.09 and 2210(b)(4), and Exchange Act Rules 17a-3 and 17a-4. These Rules require members to establish, maintain and enforce written supervisory procedures (WSPs) that are reasonably designed to preserve all communications received and sent relating to the firm’s business, including emails, instant messages and text messages, among other things.
The 2024 Report places particular emphasis on the potential use of off-channel communications — i.e., those that occur on non-firm platforms or devices. FINRA notes that the risk of not maintaining such communications “has become a particular area of focus for regulators.” In addition to establishing procedures, controls and required training programs aimed at preserving and monitoring all business-related correspondence, including off-channel communications, the Report also recommends that firms surveil for compliance with the prohibition against using unapproved off-channel communication methods. The Report suggests that firms monitor approved channels of communication for signs that off-channel communications may be occurring — including, for example, email chains that copy a registered representative’s non-firm email address, or signs that a registered representative is underutilizing approved channels of communication. The Report also suggests that firms review their disciplinary measures designed to deter associated persons from circumventing the prohibition against off-channel communications.
- Regulatory Events Reporting: Member firms are required, pursuant to FINRA Rule 4530 (Reporting Requirements) to promptly report to FINRA certain specified events, such as customer complaints or violations of securities laws and/or FINRA Rules. The Report reminds member firms that they must also promptly report certain internal conclusions of violations. Recommended practices for complying with these obligations include maintaining WSPs that address how associated persons should report customer complaints they receive, and how compliance departments should proceed on such complaints — as well as a variety of other measures detailed in the full Report.
The Report also provides guidance for Form U5 filings (Uniform Termination Notice). FINRA cautions firms to carefully read and respond to each question, and that reporting the reason for termination in Section 3 of the Form U5 does not obviate the need to answer the questions in Section 7, such as Question 7B (Internal Review Disclosure). Additionally, firms must provide sufficient detail in their responses to allow a reasonable person to understand the circumstances behind the reason for termination.
- Communications with the Public: The Report details certain general standards applicable to all public communications, including the need for firms’ communications to be free of false, misleading, unwarranted, or promissory statements or claims.
With respect to mobile apps, FINRA reminds member firms to be sure these apps contain the appropriate risk disclosures at account opening or before customer transactions. Firms must also make certain that they have implemented a reasonably designed supervisory system for communications through mobile apps. In the last year, FINRA has observed instances of false, misleading and inaccurate information in mobile apps, including by failing to fully explain and clearly and prominently disclose risks (where required by a specific rule or needed to balance promotional claims) associated with options trading, the use of margin, and crypto assets.
- Reg BI and Form CRS: Reg BI (which became effective on June 30, 2020) and Form CRS remain areas of focus for FINRA. For each of the four component obligations of Reg BI (Care, Conflict of Interest, Disclosure, and Compliance), the Report details a number of observations and effective practices. With respect to the Care Obligation, the Report reminds firms and registered representatives that all recommendations to retail customers require the exercise of reasonable diligence, care, and skill to form a reasonable basis to believe that the recommendation is in the best interest of that particular retail customer. For 2024, the Report emphasizes that this “best interest” standard includes providing guidance to associated persons on how to evaluate costs and reasonably available alternatives when making recommendations and evaluating the potential risks and rewards associated with such reasonably available alternatives.
In the Reg BI “Findings and Effective Practices” section, the Report includes a new finding that firms have violated the Care Obligation by recommending complex or illiquid products that are inconsistent with the customer’s investment profile by, for example, exceeding concentration limits specified in the firm’s policies, or comprising a sizable portion of a customer’s liquid net worth or securities holdings. Regarding the Conflict of Interest Obligation, member firms are reminded to identify conflicts of interest in a manner relevant to such member firms’ businesses; provide for ongoing processes to identify conflicts arising from changes in the firms’ businesses or structures, changes in compensation structures and changes in product offerings; and establish training programs regarding conflicts of interest that addresses roles and responsibilities. As it relates to Form CRS, the findings included deficient Form CRS filings (including by exceeding prescribed page lengths and omitting material facts) and failures to properly deliver Form CRS.
- Private Placements: The Report emphasizes member firms’ obligations to comply with FINRA’s Suitability Rule (Rule 2111) in recommending private placement investments to non-retail customers, as well as the more stringent requirements of Reg BI when making such recommendations to retail customers. In particular, the Report highlights Regulatory Notice 23-08, which (as we reported previously) reminded member firms of their obligation to conduct a reasonable investigation of private placement investments, including by investigating the issuer, its management and its business prospects, among other things.
FINRA’s 2024 Report also places special emphasis on firms’ obligations, in their promotional communications for private placements, to balance the potential benefits of the investment with discussion of the potential risks, including the risks of illiquidity and the lack of access to independently evaluated and comprehensive information, among other things.
In its discussion of its findings from targeted exams, FINRA’s Report highlights its review of firms’ failures to maintain sufficient records to evidence due diligence efforts; failures to conduct an appropriate level of review to satisfy their reasonable basis obligations; and failure to adequately identify and disclose conflicts of interest.
- Consolidated Audit Trail (CAT): The Market Integrity Section of the Report discusses certain regulatory obligations and related considerations for CAT, the central repository that was created by the SEC in the wake of the May 2010 “flash crash.” Here, FINRA reminds member firms to periodically evaluate their supervisory controls to ensure that such controls are reasonably designed to ensure compliance with CAT requirements, including, but not limited to, recordkeeping, reporting and clock synchronization. Further, when a firm does identify a reporting issue, firms should be sure to self-report the issues identified via the Self-Reporting Erroneous Events form. FINRA also encourages each member firm to review the rule changes related to the move to the T+1 settlement cycle and to take all steps necessary to ensure the firm is prepared to comply with such rules on May 28, 2024, the compliance date for the rules changes.
- Regulation SHO – Bona Fide Market Making Exemptions: After identifying Regulation SHO as a new priority last year, this year’s Report reminds firms and associated persons that they must be able to demonstrate that they qualify for the Reg SHO exception in any transaction for which they rely on it. The Report stresses that a bona fide market maker must regularly and continuously place quotations in a quotation medium on both the bid and ask side of the market.
As for recommended effective practices, the Report encourages firms to develop supervisory systems for, and conduct supervisory reviews of, market making activity to make sure that any reliance on Reg SHO’s bona fide market making exceptions is appropriate by considering: (i) where the firm’s quotes are placed and how; (ii) the frequency or timing of the firm’s quoting activity; and (iii) the level of the firm’s proprietary trades compared to customer transactions filled.
The Report’s findings and observations are intended to serve as a guide for member firms to assess their current compliance, supervisory, and risk management programs and note any perceived deficiencies that could result in scrutiny by FINRA. Member firms are encouraged to focus on the findings, observations, and effective practices relevant to their respective business models.
If you have any questions regarding the 2024 Report, please contact a Bracewell team member for more information.