Welcome to the Regulatory Roundup. Each month, Eversheds Sutherland Investment Services attorneys review significant regulatory developments (including notable rulemakings and guidance from securities regulators) from the previous month that are of interest to retail broker-dealer and investment adviser firms.
FINRA Adds New “RSL Question” to Form U4 and Modifies the Deadline to Report RSLs.
- On September 13, FINRA filed with the SEC for immediate effectiveness a rule change that would amend Form U4 to add a new Residential Supervisory Location Question (RSL Question). The rule change would require firms to indicate whether a non-registered location that is identified on Form U4 as a private residence is an RSL by responding “Yes” or “No.” The rule change is intended to facilitate the reporting of offices or locations designated as RSLs to FINRA.
- As part of this rule change, FINRA is also amending FINRA Rule 3110.19(d) to remove the requirement for firms to provide FINRA with a list of locations designated as RSLs on a quarterly basis. Because RSLs will be reported on Form U4, FINRA has determined that the quarterly reporting originally required by the rule would be redundant. Therefore, firms will not be required to provide FINRA with a list of their RSLs by October 15.
- The implementation date of the proposed rule change is November 26, 2024. Therefore, firms will have until December 26 (30 days after the November 26 implementation date) to amend Form U4 for their associated persons who have indicated that their office of employment is a non-registered location and checked the private residence checkbox.
SEC Approves Amendment to FINRA Rule 3240 (Borrowing From or Lending to Customers)
- On September 23, the SEC approved FINRA’s proposed amendments to FINRA Rule 3240. Rule 3240 generally prohibits, with limited exception, registered persons from borrowing money from, or lending money to, their customers. The Rule has five exceptions, available only when: (1) the registered person’s member firm has written procedures allowing the borrowing and lending of money between registered persons and customers of the firm; (2) the arrangement meets the conditions applicable to the particular exception, and (3) the registered person receives the firm’s pre-approval in writing.
- FINRA’s amendments to Rule 3240 will extend application of the Rule to: (1) borrowing or lending arrangements that pre-exist the initiation of a broker-customer relationship; (2) borrowing or lending arrangements entered into within six (6) months after a broker-customer relationship ends; (3) indirect borrowing or lending arrangements with related parties of the registered person or the customer, and (4) owner-financing arrangements.
- The amendments will also modify the “immediate family exception” and the “personal relationship” and “business relationship” exceptions.
FINRA Warns of Increasing Cybersecurity Risks at Third-Party Providers
- On September 9, FINRA’s Cyber and Analytics Unit within FINRA’s Member Supervision program issued a cybersecurity advisory highlighting cybersecurity risks caused by member firms’ use of third-party service providers. In the guidance, FINRA noted that, since 2023, there has been a significant rise in cyberattacks and outages at third-party providers used by member firms. More specifically, FINRA noted the risk of data breaches, zero-day vulnerabilities, weather-related outages and social engineering campaigns.
- The advisory reminds member firms that they have an obligation to establish and maintain a supervisory system, including written supervisory procedures, for any activities or functions performed by third-party providers that are reasonably designed to achieve compliance with applicable securities laws and regulations and with applicable FINRA rules.
- Finally, FINRA outlines effective practices for mitigating risks, such as conducting ongoing monitoring and risk assessments of third-party providers, prioritizing patching efforts and implementing fixes to address high-risk vulnerabilities, proactively assessing whether third-parties have access to personally identifiable information or firm-sensitive information, and refining incident response and business continuity plans in the event a third-party provider is taken offline or otherwise unable to operate.
[View source.]
