On January 22, 2019, FINRA published its 2019 Risk Monitoring and Examination Priorities Letter. Released several weeks later than usual, FINRA’s letter follows the December 10, 2018 publication of the 2019 Examination Priorities Letter by the SEC’s Office of Compliance Inspections and Examinations (OCIE).
Although neither list of priorities is entirely unexpected, it helps to have a roadmap as to each regulator’s focus, particularly for those firms that will be examined this year by one or both regulators.
FINRA’s 2019 Priorities
FINRA’s letter is notable for its new approach: rather than resuscitating old priorities as the letter had in years past, the 2019 letter seeks to highlight topics that are materially new. Specifically, the letter identifies four emerging areas for focus for FINRA:
- Online distribution platforms – FINRA states that it is “concerned” that broker-dealers may effectively be selling securities through their involvement in online distribution platforms, despite firms’ assertions to the contrary. FINRA states that it will be evaluating how firms address various risks in the use of such platforms, and will likely expect firms who incorporate online distribution platforms into their distribution networks to check and confirm that the platforms have as robust controls (with regard to suitability, AML, disclosure obligations, etc.) as the firms do internally.
- Mark-up or mark-down disclosure obligations on fixed income transactions – FINRA highlighted two tools (an analysis report and an online proprietary information tool called the “Bond Facts Tool”) which it will likely expect firms to utilize in examining their compliance with such obligations. FINRA also signaled that it will be on the lookout for any changes in behavior that signal an attempt to dodge such disclosure obligations, although it provided no examples of what types of behavioral changes would raise red flags.
- RegTech – FINRA recognized firms’ increased use of innovative technology to satisfy their compliance obligations. FINRA, not surprisingly, noted in the letter that it is still evaluating the efficacy and utilization of such tools, but its interest in this technology is likely a signal that limitations of such tools will not be a defense available to firms facing scrutiny.
- Compliance with FinCEN’s Customer Due Diligence rule – FINRA noted that it will be evaluating member firms’ compliance with the Customer Due Diligence rule that was enacted by FinCEN in 2016 to clarify and strengthen customer due diligence for covered financial institutions, including broker-dealers. To enforce FinCEN’s rule, FINRA last year amended its Rule 3310 (Anti-Money Laundering Compliance Program) to require member firms’ AML programs to include appropriate risk-based procedures for conducting ongoing customer due diligence. FINRA also indicated that it will home in on the “data integrity” of firms’ systems for monitoring suspicious activity. Note that the customer due diligence rules are particularly relevant in the context of transactions in cryptocurrency, and firms can anticipate that FINRA will look at customer identification procedures and suspicious activity monitoring for accounts opened to transact in crypto.
Member firms should also expect a continuing review of compliance in areas identified in prior letters. The introduction to the 2019 priorities letter specifically identifies both the hiring of persons with “problematic regulatory history” (i.e., “bad brokers”) and continued scrutiny of firms’ cybersecurity measures as continuing areas of interest for FINRA. Members should expect that FINRA examiners’ focus on these topics will increase from prior years. Another perennial area of focus is suitability: This year, FINRA anticipates targeting deficient quantitative suitability determinations (that is, potential churning), overconcentration of illiquid securities, and recommendations of investments whose time horizon does not equate to the investor’s goals. Concern for senior investors also has not gone away – after all, nobody has gotten younger this year – and FINRA will be looking for compliance with new rules designed to mitigate exploitation of these vulnerable investors. Cryptocurrencies and other digital assets will also, not surprisingly, remain a focus for FINRA and will include increased coordination with the SEC. (For additional information on regulatory focus on digital assets, see Orrick’s post in its digital currency blog, On The Chain.)
Last, it’s worth noting that FINRA’s priorities letter has been renamed the “Risk Monitoring and Examination” letter from the “Regulatory and Examination” letter. This is potentially a good sign for member firms, as this new title reflects FINRA CEO Robert Cook’s prior representations to the market that FINRA’s regulatory responsibilities should be an iterative process, by which FINRA constantly analyzes the identity, prevalence and impact of risk in order to continually evaluate the effectiveness of FINRA’s regulatory regime. This new title is also consistent with, and potentially shows a strengthened institutional commitment to, Cook’s messaging since becoming CEO that FINRA will actively seek and respond to critiques and comments from members, although time will certainly be the judge.
OCIE’s 2019 Priorities
OCIE’s list of six priorities for 2019 encompasses all five of its priorities from 2018, and then also adds a new one: digital assets. Unsurprisingly, OCIE’s priorities are largely in line with FINRA’s. As with FINRA’s priorities, protection of senior and other vulnerable retail investors is a repeated theme in OCIE’s priorities. In this regard, OCIE stated a new focus on conflicts of interest that may exist when advisors (1) utilize services provided by an outside affiliate, (2) receive a financial incentive for recommending that investors use securities in their brokerage accounts as collateral to obtain a loan, or (3) borrow funds from clients. (Note that Conflicts of Interest has been a focus of FINRA’s review of broker-dealers’ controls and procedures for several years.)
Other 2019 OCIE priorities include ensuring the effectiveness of FINRA and MSRB (two self-regulatory organizations that the SEC oversees), anti-money laundering programs, market infrastructure, cybersecurity and digital assets. The articulated focus on these areas remains largely the same from last year, although, similar to assertions in FINRA’s letter, OCIE stated that it will be examining software utilized by the entities it regulates to ensure capabilities and effectiveness. In addition, many of the priorities regarding retail investors focus on the conduct of investment advisers, or products managed by investment advisers such as mutual funds and ETFs, suggesting that the SEC is trying to catch up on many years of examinations of a very small percentage of registered investment advisers.
OCIE’s ongoing focus on cybersecurity is also consistent with the SEC’s overall focus on cybersecurity: In a December 6, 2018 speech, the SEC Chairman Jay Clayton held nothing back when he stated that the SEC will treat cyber-related violations like “intrusions into retail brokerage accounts, the submission of false regulatory filings and hackings to obtain material nonpublic information.” Likewise, in the same speech, Chairman Clayton, previewing OCIE’s priorities letter, stated that he expects digital assets to occupy a “significant” amount of the SEC’s time. Also worth noting is that OCIE’s letter includes a more comprehensive introduction than we have seen in years past. For the first time, OCIE’s introduction provides an overview of the 2018 year, including statistics of the number of exams, a list of relevant alerts put out by the SEC, and monetary recoveries. The inclusion of such statistical information may signal a renewed focus on results at the SEC.
Tips and Best Practices
OCIE’s and FINRA’s letters should be viewed as a “heads-up” to members of the likely focus of regulators during exams. As in years past, both OCIE and FINRA have emphasized that their lists of priorities are not exhaustive, and neither regulatory body is bound by them. But for planning purposes, firms should assume that OCIE and FINRA will take a special interest in the areas that correspond to the stated priorities in the coming year. Companies and individuals would thus be well advised to focus efforts on ensuring that their compliance infrastructure and technology is strong, particularly in announced areas of OCIE focus. Monitoring and integration of guidance, protocols and risk alerts published by FINRA or OCIE on emerging issues would also be well advised, as these areas are susceptible to fast developments.
One best practice for ensuring that a firm is in shape to address OCIE’s or FINRA’s priority issues and pass an exam is to conduct a mock exam. Entities and individuals who have previously been the subjects of OCIE exams have reported that conducting mock exams focusing on the identified areas – often under the supervision of counsel, thus protecting the results under privilege – has prepared them for actual regulatory exams.