With the close of FINRA's fiscal year comes the opportunity for broker-dealer firms to consider where regulators have focused their enforcement efforts and also what can be expected in the coming year. Fortunately, FINRA has provided some insights on what it is thinking by issuing its newly renamed FINRA Annual Regulatory Oversight Report (FINRA Report), and we are able to distill certain relevant insights regarding FINRA's enforcement priorities.1 Also of relevance, the US Securities and Exchange Commission's (SEC) Division of Examinations issued its 2024 Examination Priorities, shortly after the close of the SEC's fiscal year on 30 September.2

This alert will take a look at where the regulators focused their enforcement efforts against broker-dealers in 2023 and what firms can expect to see in 2024.

The SEC Lead Story is Off-Channel Communications

Let's turn to the SEC matters first, since they are relatively limited. By way of background, the SEC largely leaves broker-dealer examinations and discipline to FINRA,3 except for the larger institutions; follow-on administrative proceedings (APs) that seek bars and suspensions for registered persons (follow-on APs); and offering frauds by unregistered individuals and entities, which are included among the broker-dealer matters, presumably because they should have been registered as such. According to the SEC, it brought 60 cases involving broker-dealers in FY 2023 that were not follow-on APs,4 but once cases solely against individuals are excluded, that number drops to 44, which total includes the unregistered entity offering frauds. About 40% of those remaining matters were recordkeeping cases, as further described below. So, overall, at least in terms of numbers, the count of broker-dealer cases brought by the SEC is not significant.5

Many of the broker-dealer enforcement cases brought this past year were so-called "off channel communication" cases. In FY 2023, the SEC collected an "astonishing" hundreds of millions of dollars from firms alleged to have violated recordkeeping requirements under the securities laws, including those enumerated in the Exchange Act Rule 17a-4, by failing to retain business-related communications, either because the data was never captured or because systems deleted material that should have been preserved.6 Those investigations are continuing and we can expect more cases in 2024.

A number of other matters also concerned reporting obligations, which the Commission described as misconduct making its oversight of the markets more difficult, and these included enforcement actions for inaccurate and incomplete blue sheet data; for mismarking of order data in violation of Regulation SHO; for failing to identify customers as large traders under Rule 13(h); and there were multiple matters concerning the failure to file Suspicious Activity Reports (SARs), a couple of which specifically related to transactions in low-priced securities. Several of these categories of enforcement action also appeared on FINRA's disciplinary docket.

Another topic of interest during the SEC's most recent fiscal year, and which continues to be the subject of enforcement focus, is how firms protect customer trading information, or allegedly fail to protect this data, and what information barriers are in place to prevent, for example, proprietary trading desks from seeing and capitalizing on trades being executed for customers, as well as what customers are told about the protections that are, or are supposed to be, in place. The SEC also brought several other actions that one might expect to see among the FINRA disciplinary orders but perhaps as a result of firm size or the fact that the entity was dually registered, the issue came to the attention of the SEC's Division of Enforcement; by way of some examples:

  • Regulation SHO violations based on locate failures;
  • Regulation Best Interest (Reg BI)/Form CRS failures, which appeared to be timing related, in that the firm failed to timely put into place the necessary policies and procedures to comply with Reg BI or send Form CRS (Client Relationship Summary) to customers in advance of making investment recommendations;
  • Net capital requirement violations; and
  • Failure to have and to implement policies and procedures to calculate indirect underwriting expenses in connection with securities offerings.

FINRA Asserts Itself as a Jack of All Trades—New Areas and the Usual Suspects

New Areas of FINRA Focus

FINRA bolstered this year's FINRA Report with a slate of new topics covered, specifically: (1) crypto assets; (2) new market integrity items related to over the counter (OTC) quotation in fixed income securities, advertised volume, and the Market Access Rule (Exchange Act Rule 15c3-5); (3) artificial intelligence (AI); and (4) guidance regarding off-channel communications. Although some of these newcomer topics were subjects of disciplinary actions during 2023, others were not.7

With respect to crypto assets, although there are notable takeaways from FINRA's published findings of a 2022 targeted exam sweep of broker-dealer communications regarding digital asset offerings,8 FINRA's purported focus on digital assets did not lead to any disciplinary actions by FINRA during 2023. It remains to be seen if that changes during 2024, if perhaps those findings are referred to FINRA enforcement.

FINRA brought several cases in connection with misstatements related to advertised trade volume. In one instance, the firm overstated its advertised trade volume on two third-party private subscription-based providers of market data. The findings stated that the firm configured its systems to automatically advertise daily trading volume in numerous securities through the two third-party service providers. However, two distinct technological misconfigurations within the firm's systems caused it to overstate its executed trade volume. In another similar instance, the firm overstated its advertised trading volume on thousands of occasions and by approximately 147 million shares. The findings stated that the firm used a proprietary system to calculate the volume of the firm's trades and transmit that information to a publisher of market data. This system suffered from several technology flaws causing various errors that led to inflated calculations of the firm's trade volume. In both cases, FINRA noted that, among other things, the firms should have conducted more regular testing and should have included more specific procedures relating to calculating trade volumes, and monitoring the systems for accuracy, in its Written Supervisory Procedures (WSPs).

With respect to Market Access Rule violations—a common area of FINRA focus—in one case against a firm that provided market access for certain customers, FINRA found that trading limits and controls were set in a manner that failed to consider clients' businesses, financial condition, and trading history, and failed to take into account the characteristics of individual securities; therefore, the limits and controls were unreasonable; and in another, where the Acceptance, Waiver, and Consent agreement (AWC) references resulting trade errors, the single order notional value limits, single order quantity, and average daily value thresholds were all too high to be effective. In each case, so-called "soft blocks" were overridden because the firms lacked reasonable policies to address or review such overrides. In a third, where there was also mention of erroneous orders, limits and controls, again, were unreasonable in that they were static and did not consider individual customers or securities, and the firm did not evaluate the controls once triggered, nor did it stop orders from being routed to the market; the firm also failed to document or maintain documentation related to its market access compliance.

FINRA's Recordkeeping Focus

Although the SEC took the headlines last year with its "off-channel" communications cases, plainly, books and records are also a FINRA priority. This can be seen in the additions and modifications to the FINRA Report on this topic, and by the several disciplinary actions in the area. By way of example, FINRA brought an action against one firm for failing to retain business-related iPhone messages and not having an appropriate system in place to retain the messages; another firm was disciplined for failing to promptly and accurately provide telephone records in response to a FINRA request for those records; and there was an action against another firm for failing to establish, maintain, and enforce a supervisory system to review electronic communications of its registered persons. In each of these cases, the relevant firm had something in place, or had started to implement a process, but personnel transition, incomplete implementation, or similar issues resulted in compliance failures. The box-checking exercise of "we hired a vendor," or "we have a policy," is plainly insufficient if implementation is not completed, regularly tested, and revised.

A Wide Range of Reporting Inaccuracies

The 2023 FINRA disciplinary orders also included matters citing a wide range of reporting inaccuracies, including actions citing inaccurate and incomplete reporting on the handling of customer orders in National Market System securities in violation of Rule 606, including the failure to disclose payment for order flow and profit-sharing information, as well as inaccurate reporting of statistics regarding covered order executions in violation of Rule 605.

FINRA also brought disciplinary proceedings against firms for inaccurate capacity reporting; that is, reporting principal trades as agency trades, or vice-versa; in one matter, in connection with more than a billion orders, racking up a pretty significant fine. As one might imagine, like so many disciplinary matters that do not involve sales practices, these errors often result from some computer coding error that goes unchecked and undiscovered for an extended period, piling up the violations. And, as the SEC noted, the regulators view these violations as making their job of market oversight and protection more difficult, so they take these matters very seriously.

Notably, a multi-million dollar penalty was imposed on a firm for failing to timely and accurately report tens of billions of order events to the Consolidated Audit Trail (CAT) central repository. Although the firm had hired a vendor to assist with its CAT reporting, from the beginning even the firm's technical specifications for the process were not successful, to the point that it notified FINRA of expected compliance problems. The AWC in this matter recounts data issues, late reporting issues, and 180 different CAT reporting errors among the problems the firm encountered. FINRA was particularly concerned about a perceived lack of reasonable diligence in remediating the issues, such that the sanctions also included the retention of an independent consultant to evaluate and report on the firm's compliance.

Among these enforcement proceedings are also actions involving errors reported less broadly—to specific customers rather than to the broader market. FINRA brought actions against firms for trade confirmations or account statements sent to customers with inaccurate or incomplete information about a security purchased or held. And, again, as with most of these proceedings, the failure to have and to implement a supervisory system in place to ensure this did not occur is part of the basis for the action and the penalty.

Failure to Detect Manipulative Trading

In 2023, FINRA brought multiple cases for failure to establish and maintain a supervisory system reasonably designed to detect potential or actual manipulative trading, such as potential spoofing and layering in equity securities, as well as surveillance failures related to marking the open or close, prearranged trading, and wash sales.

Similar to the circumstances noted in the books and records matters, in some instances, some firms had begun to implement surveillance systems or put into place surveillance systems with parameters found to be unreasonable given the firm's business. Further, in addition to having these systems, such surveillance, and the alerts these systems trigger, must be appropriately reviewed. Thus, in addition to the failures to detect or reasonably surveil, these cases often include violations for failure to reasonably review and resolve alerts or other red flags related to trading.

In one matter, the firm failed to surveil its customers' trading for potential manipulative practices, because it provided certain customers with access to third-party electronic trading platforms, which in turn routed their orders to other executing broker-dealers; given these circumstances, the firm mistakenly believed that the obligation to review rested solely with the executing firm. Because of this failure, millions of orders went unreviewed, and those orders included manipulative conduct.

Violations in Connection with Private Placement Offerings

A number of disciplinary matters related to private placement offerings, including failure to collect required information from customers and to file required corporate offerings, violations of the rules related to general solicitations, and failures to provide information to investors.

In the general solicitation matters, firms were found to have violated Section 5 of the Securities Act by selling Regulation D private placements and asserting they were exempt from registration, but offering these interests to prospects without having established relationships with those investors prior to the firm's participation in the offering, or otherwise being able to demonstrate the lack of a general solicitation.

Another issue that arose in multiple matters was the firm failing to apprise investors of material information of which it was aware related to the offering, including issues like the underlying company's failures to make required filings with the SEC, failure to complete annual audits, or to file those documents; in one case, by its terms, the offering would not close until a minimum contingency of investment was met, and the firm failed to advise investors that this number was later reduced due to lack of investment interest. In these instances, in addition to fines, restitution was ordered for those customers who purchased the interests.

Regulation SHO Violations

Regulation SHO imposes four general requirements with respect to short sales of equity securities: a marking requirement, a short sale price test circuit breaker, a locate requirement, and a close-out requirement. FINRA targeted a variety of firms' deficiencies with respect to compliance with Regulation SHO: in one instance, inaccurate short interest reporting occurred due to overinclusion of positions that should not have been reported as short positions; in another case, the failure to include certain proprietary accounts when calculating the firm's overall net equity position caused certain orders to be mismarked under Regulation SHO; in another matter, the mismarking of tens of millions of short sell orders as long, over a period of years, resulted from a coding error; and finally, in another instance, based on the firm's erroneous understanding of its contract with its customers, the firm mishandled customer orders by effecting customer sell orders on a net basis and then mismarking principal short sell orders as long.

Low Hanging Fruit: Form CRS and Reg BI

As the industry knows, the SEC's Reg BI establishes a "best interest" standard of conduct for firms and associated persons with respect to recommendations to retail customers of any securities transactions or investment strategies involving securities. And—whether or not the firms make such recommendations—member firms that serve retail investors must file and provide retail investors with a Form CRS, which provides a summary of certain key information regarding the firm. Since Reg BI and Form CRS became effective on 30 June 2020, FINRA has been monitoring firms' implementation of the associated requirements.

A review of 2023 disciplinary proceedings revealed that one firm failed to timely deliver Form CRS, another firm failed to deliver a compliant Form CRS that accurately included all of the necessary information, and other firms failed to properly disclose the firms' disciplinary history in Form CRS. With respect to Reg BI, one firm was fined because, among other things, it failed to implement written policies and procedures reasonably designed to comply with Reg BI. Failures to comply with Reg BI and Form CRS requirements are low hanging fruit for FINRA, and basic compliance requires relatively minimal effort from member firms.

AML Policies and Procedures

FINRA also brought quite a few cases based on firms' failures related to implementation of reasonably designed anti-money laundering (AML) policies and procedures, which often results in the firms' failure to file SARs. These failures are often related to manipulative trading and, in some cases, trading in low priced securities. These matters may stem from too-small staffs overwhelmed with other things to do, but at other times, the firm's systems are simply not designed for the business they are doing. In one case, the firm's AML program failed to detect and report suspicious cyber-related events. In another matter, the firm only conducted AML reviews for securities actually deposited at the firm, and, for Delivery versus Payment/Receive versus Payment (DVP/RVP) accounts, the firm relied on those firms holding the securities as agent to conduct diligence for AML and compliance with Section 5 of the Securities Act purposes. The firm lacked both information and procedures to do the necessary review, even in the face of red flags. In the largest of these AML matters, the firm's electronic system was simply set to the wrong SAR filing threshold, another coding error—for more than a decade—resulting in a multi-million dollar fine paid to FINRA (and an even larger civil penalty paid to the SEC), for failure to file about 1,500 SARs.

Misuse of Material Non Public Information

Another notable settlement involved a firm's failure to establish, maintain, and enforce a reasonably designed supervisory system to prevent the misuse of material nonpublic information (MNPI). In that case, supervisors reviewing the emails of those who had been granted access to MNPI had not, themselves, been granted access, and in the same matter, the securities at issue were not timely added to the firm's watch list, and the firm did not have a sufficient process for reviewing employee trading in outside accounts.

The Usual Suspects: Suitability, Net Capital, and More

Last, but not of least importance, FINRA unsurprisingly continued to focus on the types of cases that have perennially been hallmarks of its enforcement activities.

Among the "usual suspects" you will find FINRA actions against firms for the offering and sale of unsuitable and complex investments. These types of cases take a number of different forms, with a number of different products, some of which, like variable annuities and non-traded Real Estate Investment Trusts (REITs), might be appropriate in certain circumstances, but require WSPs and the documentation to demonstrate that they are being followed to show the investment is suitable for the particular customer. In other examples, the question goes more to cost and complexity, for example, not using the least expensive share class of an investment, without a clear basis for doing so, or selling investments that FINRA has often found to be not the best option for the clients such as Unit Investment Trusts (UITs), variable interest rate structured products (VRSPs), and alternative mutual fund products. Again, firms must do the work in order to successfully demonstrate that their sales of these products are appropriate given the costs to the clients and the rewards to the firm.

In a twist on suitability, FINRA exacted a significant penalty from a firm for its failure to implement a reasonably designed system to review and approve options trading applications. The firm's systems were largely automated with an eventual human review, but the systems were inherently flawed in that they permitted customers to change the data to "game" the system by filing successive applications but did not compare those previously filed and allowed applicants who did not meet trading criteria, or whose accounts otherwise had red flags, to be approved.

Additionally, FINRA brought many disciplinary actions against firms, rather than individuals, and since they are perennials, we will not discuss them in detail, but they include TRACE and LOPR violations; net capital issues and blue sheet errors and omissions, which are only—sort of—interesting when the SEC gets involved; and failures of firms to document outside business activities of their registered persons. Although these matters certainly garner attention when the regulators turn their attention to your firm, like so many regulatory issues, regular testing of electronic and computer systems and compliance processes to ensure that they are actually functioning as anticipated and meeting the regulatory requirements likely could have avoided the disciplinary action.

Footnotes

1 Previously, this report was known as the Report on FINRA's Examination and Risk Monitoring Program.

2 Please see our prior client alert discussing the Exam Priorities release, here: https://www.klgates.com/The-SEC-Publishes-2024-Examination-Priorities-Ahead-of-Schedule-Previewing-Key-Areas-of-Focus-for-Registered-Entities-11-1-2023; and see also the K&L Gates US Asset Management Regulatory Year in Review 2023 https://www.klgates.com/US-Asset-Management-Regulatory-Year-in-Review-2023-1-17-2024 at p. 20.

3 Just by way of example, in its reporting to Congress, the SEC counts FINRA examinations of broker-dealers, and really all exams by SROs, when reporting total broker-dealer examinations accomplished in any given fiscal year. See, e.g., Fiscal Year 2024 Congressional Budget Justification and Annual Performance Plan; Fiscal Year 2022 Annual Performance Report, https://www.sec.gov/cj at p. 111. Of course, there is a currently pending constitutional challenge to FINRA's structure, which, if successful, could upend how examinations and enforcement is accomplished for broker-dealers. See, generally, Recent Cases, Alpine Securities Corp. v. Financial Industry Regulatory Authority, 137 Harv. L. Rev. 1042 (January 2024).

4 See SEC press release, "SEC Announces Enforcement Results for Fiscal Year 2023," available at https://www.sec.gov/news/press-release/2023-234, Addendum of Enforcement Statistics, available at www.sec.gov/files/fy23-enforcement-statistics.pdf.

5 As a percentage of the total enforcement actions, those 44 cases are 5.6%; as a total of the standalone cases (excluding follow-on APs and delinquent filing cases), those 44 cases are 8.8%. If we exclude the off-channel communications cases, those percentages reduce further to 3.4% and 5.4%, respectively. Plainly, broker-dealer enforcement cases are not a large part of the overall total.

6 Commissioner Mark T. Uyeda called the fines in these cases "astonishing," finding them to be particularly so where no investor harm was identified as a result of the conduct. See https://www.sec.gov/news/speech/uyeda-remarks-sec-reg-outside-us-5th-annual-scott-friestad-memorial-lecture.

7 All FINRA disciplinary actions may be found on the FINRA website, in the monthly disciplinary report located here: https://www.finra.org/rules-guidance/oversight-enforcement/disciplinary-actions or in searchable format, located here: https://www.finra.org/rules-guidance/oversight-enforcement/finra-disciplinary-actions-online.

8 See, generally, K&L Gates, FINRA's Findings: Member Firms Get Failing Grade in Crypto Communications (January 25, 2024), available at https://www.natlawreview.com/article/finras-findings-member-firms-get-failing-grade-crypto-communications.
