Introduction
On January 22nd, the Financial Industry Regulatory Authority (FINRA) issued its newly titled “Risk Monitoring and Examination Priorities Letter” to announce its 2019 priorities. FINRA uses annual priorities letters to alert member firms to current and emerging areas of focus. This year, FINRA has re-named its annual priorities letter and amended its scope to include priorities for risk monitoring. In addition, FINRA reaffirmed its focus on traditional regulatory issues and highlighted three emerging issues: online platforms used for the distribution of securities; fixed income mark-up and mark-down disclosure obligations; and regulatory technology. This Client Alert summarizes the letter and highlights areas likely to grow in importance.
Perennial Concerns
FINRA’s letter focuses on “materially new priorities” and “aspects of [areas of ongoing concern] not articulated in prior letters,” while not repeating “mainstays of FINRA’s attention,” such as suitability, outside business activities, anti-money laundering, best execution, fraud and market manipulation. FINRA nevertheless singles out two perennial issues — hiring practices and supervision over associated persons with problematic regulatory histories, and the adequacy of cybersecurity programs. Notably, FINRA issued new cybersecurity guidance in December.[1] Given sustained attention by both FINRA and the Securities and Exchange Commission (SEC), it is likely that cybersecurity reviews will become more prevalent and demanding.
New Areas
Three materially new priorities for FINRA are (1) the distribution of securities through online platforms, (2) mark-up and mark-down disclosures on fixed income transactions, and (3) the use of regulatory technology tools. Of these three, FINRA focuses most heavily on online platforms. FINRA is concerned that firms are not treating exempt offerings (under Regulations D and A of the Securities Act of 1933) made through online platforms as securities transactions. Based on its view, FINRA intends to scrutinize all aspects of such transactions, including suitability, public communications, AML requirements, accuracy of disclosures, and sales to non-accredited investors. This area ties in with FINRA’s ongoing concerns regarding digital assets (discussed below), another area of acute focus for regulators.
Sales Practice Risks
FINRA identifies particular sales practice risks related to suitability, senior investors, outside business activities, and private securities transactions. With respect to suitability, the letter singles out deficient quantitative suitability determinations, overconcentration in illiquid securities, and recommendations to purchase share classes not in line with a customer’s investment time horizon. FINRA will also scrutinize complex products, including: leveraged, inverse and floating rate loan ETFs; mutual funds holding lower quality debt; and collateralized loan obligations.
A concern that has escalated over the last few years, and that seems likely to be an enduring issue, is the protection of senior investors. Last year, FINRA amended Rule 4512 to require firms to make reasonable efforts to find trusted contact persons when opening individual accounts, and adopted Rule 2165 to create a safe harbor to allow firms to place temporary holds on distributions when they are concerned about exploitation of senior investors or other persons who may be unable to protect their own interests. FINRA expects firms to have clear policies and procedures or practices for such holds. The SEC has also made the protection of senior investors an examination and enforcement priority. A sustained focus in this area is expected as more workers retire and become dependent on investment income.
Last, FINRA notes its concern with associated persons raising money from their customers away from their firms and outside of their firms’ supervision. In particular, FINRA is concerned with deceptions where such fundraising involves entities with potentially misleading names that are similar to established issuers.[2]
Operational Risks
FINRA intends to focus on how firms handle digital assets, whether they are compliant with the Financial Crimes Enforcement Network’s (FinCEN) customer due diligence rule which became effective on May 11, 2018,[3] and the quality of their suspicious activity monitoring systems. Of these risks, digital asset handling is the most intense area of current scrutiny given widespread concerns over abuses. The SEC brought an action last year against an entity for not registering as a broker-dealer while trading digital tokens[4] and SEC Chairman Jay Clayton indicated that the SEC will police the efforts of “gatekeepers” who handle digital offerings.[5] FINRA encourages firms to notify FINRA if they plan to engage in digital asset activities, and it intends to consider how firms determine whether digital assets are securities, as well as how they are handling related issues such as marketing, sales, execution, control, clearance, recordkeeping, valuation, and AML/BSA rules and regulations.
Market Risks
FINRA provides both guidance and warnings to firms with respect to activities that can affect trading markets. FINRA notes that it will review best execution practices in situations that might involve conflicts of interest, such as routing customer orders to market makers who pay for order flow, or to affiliated broker-dealers or to alternative trading systems in which they have financial interests.
FINRA notes that its market surveillance capabilities are improving, and that it is searching for market manipulations involving exchange-traded products and correlated options products.
FINRA also expects that firms will monitor arrangements where they allow parties to trade through sponsored access orders to make sure that they comply with Exchange Act Rule 15c3-5, and to ensure they have measures to detect and prevent potentially manipulative or prohibited trading activities.
With respect to short trading, FINRA notes that it will review how firms account for certain call options issued after tender offers in which the firms participate, as well as how firms structure aggregation units in order to ensure compliance with net position determination rules under Exchange Act Rule 200(f).
Financial Risks
FINRA wants firms to think comprehensively about indirect threats to their financial health. To that end, FINRA will review whether firms are considering credit risks “not readily apparent,” such as those that can be created by customers and correspondents who execute trades away from the firm. Firms should also be careful when extending credit against securities that are or may become illiquid. FINRA cautions that firms’ liquidity stress test assumptions should be updated to account for increased volatility, such as that experienced during various points in 2018. The import of FINRA’s guidance in this area is that firms should be able to show that their planning for financial risks is thoughtful and forward-looking.
Conclusion
FINRA’s risk monitoring and examination priorities emphasize its continued focus on traditional risk areas for the securities industry and provide notice of emerging areas of regulatory focus in 2019. Material deficiencies discovered in the examination process in these areas may be more likely to lead to investigations by FINRA’s Enforcement staff, so firms should take heed of these priorities and assess their compliance and supervisory programs in connection with these identified risks.
Notes:
[1] See FINRA, "Report on Selected Cybersecurity Practices – 2018," (December 2018), http://www.finra.org/sites/default/files/Cybersecurity_Report_2018.pdf.
[2] In February 2018, following a retrospective review of the outside business activities and private securities transactions rules, FINRA published Regulatory Notice 18-08, soliciting comment on proposed FINRA Rule 3290, which would replace current FINRA Rules 3270 (Outside Business Activities of Registered Persons) and 3280 (Private Securities Transactions of an Associated Person). FINRA is reviewing comments.
[3] As FINRA notes, FinCEN’s “CDD rule” requires that firms “identify beneficial owners of legal entity customers, understand the nature and purpose of customer accounts, conduct ongoing monitoring of customer accounts to identify and report suspicious transactions, and, on a risk basis, update customer information.”
[4] See In re TokenLot, LLC et al., Exchange Act Rel. No. 84075 (Sept. 11, 2018), https://www.sec.gov/litigation/admin/2018/33-10543.pdf.
[5] See Jay Clayton, Statement on Cryptocurrencies and Initial Coin Offerings (Dec. 11, 2017), https://www.sec.gov/news/public-statement/statement-clayton-2017-12-11.
