Earlier this year, the Financial Industry Regulatory Authority released its 2019 Annual Risk Monitoring and Examination Priorities Letter. These published priorities, together with the U.S. Securities and Exchange Commission's Office of Compliance Inspections and Examinations' 2019 examination priorities, furnish broker-dealers and other securities market participants with a non-exhaustive list of areas that each regulator plans to prioritize in the year ahead as part of its respective examination activities.

This White Paper provides an overview of the notable aspects of both regulators' examination priorities that are particularly relevant to broker-dealers and suggests ways that broker-dealers can prepare for examinations on those topics.

INTRODUCTION

Earlier this year, the Financial Industry Regulatory Authority ("FINRA") released its 2019 Annual Risk Monitoring and Examination Priorities Letter. These published priorities, together with the U.S. Securities and Exchange Commission's ("SEC") Office of Compliance Inspections and Examinations' ("OCIE") 2019 examination priorities, furnish broker-dealers and other securities market participants with a non-exhaustive list of areas that each regulator plans to prioritize in the year ahead as part of its respective examination activities.

As in years past, OCIE's published priorities for 2019 include the broad thematic categories of retail investors, compliance and risk in registrants responsible for critical market infrastructure, the operations of FINRA and the Municipal Securities Rulemaking Board ("MSRB"), cybersecurity, and anti-money laundering ("AML") programs. This year, however, OCIE added the new thematic category of digital assets, signaling the SEC's heightened attention to the risks posed to retail investors by the dramatic increase in market activity relating to the offer, sale and trading of cryptocurrencies, coins and tokens. Because the SEC has ceded most responsibility for broker-dealer examinations to FINRA staff, broker-dealers should expect FINRA exams to cover areas identified as OCIE examination priorities.

In a departure from prior years, this year's FINRA examination priorities letter highlights materially new areas of attention—i.e., online distribution platforms, fixed income markup disclosure, and regulatory technology ("RegTech")—and does not restate topics that have been staples of previously issued priorities letters. FINRA does indicate, however, that it intends to continue to pay particular attention to sales practice, operational, market and financial risks posed by specified broker-dealer operations. Moreover, the priorities for this year have been expanded to emphasize FINRA's risk monitoring activities, a change that is reflected in the new title of its priorities letter.

This White Paper provides an overview of the notable aspects of both regulators' examination priorities that are particularly relevant to broker-dealers and suggests ways that broker-dealers can prepare for examinations on those topics.

OCIE EXAMINATION PRIORITIES

Retail Investors

  • Conflicts of Interest. Consistent with OCIE's long-standing emphasis on investor protection, OCIE intends to focus on certain conflicts of interest that may incentivize broker-dealers to recommend particular products or services. In this regard, OCIE will review policies and procedures related to securities-backed, non-purpose loans and lines of credit to determine whether broker-dealers and their employees receive financial incentives for recommending these products to their customers. In addition, OCIE plans to review the extent to which broker-dealers are sufficiently disclosing to their customers any conflicts of interest and risks associated with recommendations for such products.
  • Practice Note: Broker-dealers should review their referral arrangements with other financial service providers to analyze whether those referrals constitute recommendations and present conflicts that should be disclosed to their customers.
  • Senior Investors and Retirement Accounts and Products. OCIE intends to review how broker-dealers oversee their interactions with senior investors, including their ability to identify financial exploitation of seniors.
  • Practice Note: This has been a FINRA exam priority for several years. To prepare for questions in this area, firms should review their procedures and controls relating to senior investor accounts, including those relating to the suitability of recommendations to senior investors, communications targeting older investors, and potentially abusive or unscrupulous sales practices or fraudulent activities targeting senior investors. Among other things, firms should have specific procedures for responding to suspected senior abuse, including the ability to contact a customer's designated trusted contact person and, when appropriate, place a temporary hold on a disbursement of funds or securities from a customer's account. FINRA has a webpage and resources for firms directed at protecting senior investors.
  • Protection of Customer Assets. OCIE will also prioritize its examination of "select broker-dealers" to determine compliance with Rule 15c3-3 under the Securities Exchange Act of 1934 (the "Exchange Act"), the Customer Protection Rule. Under this Rule, broker-dealers are required to periodically calculate the net amount of cash they owe their customers and deposit that amount into a segregated bank account known as the Reserve Account. Firms are prohibited from misallocating or misusing customer funds or securities in their possession, including using such customer assets as broker-dealer working capital. OCIE will review whether broker-dealers have adequate procedures and controls in place to foster compliance with the Rule.
  • Practice Note: Firms that have custody of customer assets should review their Written Supervisory Procedures ("WSPs") to ensure that they are appropriately safeguarding the cash and securities of their customers, including their procedures for periodically calculating the amounts required to be deposited into the Reserve Account and ensuring that the calculations are correct. Firms may want to consider undertaking a retroactive review of the Reserve Account calculations prior to any exam to identify potential errors.
  • Microcap Securities. In 2019, OCIE will examine the activities of broker-dealers that effect transactions in microcap securities (i.e., stock of companies that have a market capitalization under $250 million). In this regard, OCIE intends to evaluate: (i) market manipulations; (ii) compliance with Regulation SHO with respect to short sales in microcap stocks; and (iii) compliance with Exchange Act Rule 15c2-11 with respect to the submission and publication of quotations in microcap securities trading over-the-counter.
  • Practice Note: Trading in microcap securities has been a focus of regulatory examinations (and related enforcement actions) for many years. In addition to ensuring that they have policies and procedures to identify potential pump-and-dump and other fraudulent schemes, broker-dealers must have procedures to ensure that, before they accept or publish quotations for nonlisted microcap securities, they comply with Rule 15c2-11 or can claim a valid exemption therefrom.

Compliance and Risk in Registrants Responsible for Critical Market Infrastructure

  • Compliance with Regulation SCI. In addition to examining clearing agencies, transfer agents and national securities exchanges for compliance with their respective regulatory obligations, OCIE intends to examine entities subject to Regulation SCI, the SEC rules designed to improve the technology infrastructure of the securities markets, for compliance with that Regulation. In addition to exchanges and other SROs, entities subject to the Regulation ("SCI entities") include certain alternative trading systems ("ATSs") operated by broker-dealers. OCIE plans to review if SCI entities have implemented the written policies and procedures required thereunder. Among other things, OCIE also plans to examine controls regarding the life cycles of software development and governance procedures, as well as the efficacy of internal audits, inventory management, and threat management.
  • Practice Note: An ATS subject to Regulation SCI should conduct periodic reviews of its system functionalities and its software change approval processes to ensure that all of its trading systems have been appropriately tested prior to implementation. It also should review how firm personnel responded to indications of potential or actual security threats to ensure that firm policies and procedures were followed.

Digital Assets

OCIE will continue to assess the offer, sale, trading, and management of digital assets while also examining compliance with the securities laws when such assets are deemed to be securities. Further, OCIE plans to evaluate entities that are actively engaged in this market, particularly focusing on portfolio management, trading, safety of customer funds and assets, customer portfolio pricing, compliance and internal controls. While OCIE noted in its 2018 examination priorities that it planned to address risks associated with investments in cryptocurrencies and initial coin offerings, the 2019 examination priorities appear to signal that OCIE intends to broaden its examination activities with respect to the nascent and rapidly growing digital asset markets.

Practice Note: The trading of digital securities presents many unique challenges, including, among others, issues relating to whether a broker-dealer facilitating such trading has appropriate custody and control of the digital assets of its customers. Through its FinHub website, the SEC staff has expressed its willingness to meet with firms and provide other assistance relating to FinTech issues arising under the federal securities laws.

Cybersecurity

In 2019, OCIE plans to address the growing prominence and frequency of cyberattacks by focusing its inspections on the configuration of network storage devices, information security governance, as well as policies and procedures concerning the security of retail trading data.

Practice Note: In December 2018, FINRA published a Report on Selected Cybersecurity Practices in an effort to help broker-dealers further develop their cybersecurity programs. In the Report, FINRA noted not only effective practices used by firms to address cybersecurity risks but also problematic cybersecurity practices. Firms would be well served to review this Report and implement those effective practices that would strengthen their programs and revise any of their practices that FINRA has identified as problematic.

AML Programs

As in prior years, OCIE will continue to review broker-dealer compliance with the requirement under the Bank Secrecy Act to establish and implement AML programs. For broker-dealers, OCIE plans to examine, among other things: (i) adherence to requirements concerning the filing of suspicious activity reports ("SARs") with the Financial Crimes Enforcement Network; (ii) the broker-dealer's implementation of all aspects of its AML program; and (iii) completion in a timely manner of independent assessments of such programs.

Practice Note: In recent years, the SEC has cracked down on some firms' failure to file SARs despite the existence of clear red flags. Among other things, firms should review their responses to potential suspicious activity identified through firm trading activity surveillance reports to determine whether appropriate SAR reporting took place. In addition, as with all of its WSPs, a firm should assess whether it is complying with all of the requirements of its AML programs, including memorializing required meetings to discuss AML-related issues and other activities. Firms should understand that, if there is no written record of an activity, regulators will presume that it did not occur.

FINRA EXAMINATION PRIORITIES

Highlighted Priorities

  • Online Distribution Platforms. FINRA plans to be particularly attentive to the involvement of broker-dealer firms in the distribution of securities using online platforms in reliance on Regulation D and Regulation A under the Securities Act of 1933. In this regard, FINRA notes its concerns about broker-dealers that claim not to be selling or recommending securities distributed through online distribution platforms, when they are in fact handling customer accounts or receiving transaction-related compensation. Among other things, FINRA will examine how broker-dealers engage in reasonable basis and customer-specific suitability analyses, oversee communications with the public and comply with AML obligations.
  • Practice Note: In addition to the issues noted by FINRA in the priorities letter, broker-dealers participating in online distribution platforms should be careful not to share transaction-related compensation with any unregistered entities, including platform operators. They also should ensure that investors accessing issuer offerings on the platforms are appropriately accredited where necessary.
  • Fixed-Income Mark-Up Disclosure. There will also be an emphasis on firm compliance with FINRA Rule 2232 and MSRB Rule G-15, which require firms to disclose the amount of markup or markdown applied to customer trades in certain fixed-income securities. FINRA will also review changes in firm conduct that may have occurred to evade these disclosure obligations.
  • Practice Note: In its priorities letter, FINRA suggests that firms review the Markup/Markdown Analysis Report that FINRA makes available to individual firms. This report provides a markup summary (including median and mean percentage markups), as well as detailed information, such as trade details (e.g., FINRA's calculated markup percentage and dollar profit). It also would behoove firms to consult FINRA's Bond Facts Tool, which allows investors to compare their fixed income transactions with other transactions in the same security by time, price and size. If a firm's report or information provided by the Bond Facts Tool indicates that its markups and markdowns may be excessive when compared to other firms, the broker-dealer should take steps to promptly address that situation.
  • RegTech. In response to firms' increasing use of emerging and novel regulatory technologies to more efficiently and effectively comply with their regulatory requirements, FINRA will seek to gain a better understanding of how firms use RegTech and deal with certain related risks. FINRA will, for instance, examine how the use of these new technologies impacts supervision and governance controls, third-party vendor management and customer data protection.
  • Practice Note: A firm using third-party regulatory technologies to perform a regulatory function should be able to accurately describe the functionalities of that technology to an examiner and be able to demonstrate that it is supervising the application of such technology to the firm's activities. It also should ensure that records and reports produced through use of the technology are maintained in accordance with applicable books and records rules.

Sales Practice Risks

  • Suitability. As in years past, FINRA anticipates that it will continue to prioritize compliance with customer-specific suitability obligations. Among others, FINRA will review whether firms are meeting their suitability obligations and making required risk disclosures when recommending certain exchange-traded products, including leveraged and inverse exchange-traded funds ("ETFs"), floating rate loan ETFs and mutual funds that invest in loans extended to highly indebted companies of lower credit quality. In addition, FINRA will also examine if firms are ensuring that collateralized loan obligations and certain other structured products sold to retail investors comply with applicable sales restrictions.
  • Practice Note: As investment products become more complex, firms face more difficulties in ensuring that their sale to retail investors remains compliant with applicable regulatory requirements and that appropriate and clear disclosures are provided to their customers. A prime example of the problem facing the "retailization" of complex products was the sale of auction rate securities ("ARS") to retail investors. Despite the fact that the ARS auction process was complicated and contained numerous risks, many representatives selling them to customers did not themselves understand ARS and therefore described them to investors as just like money market funds, ultimately resulting in their firms incurring significant liabilities. To avoid a similar problem, firms recommending complex products should be able to show examiners that they conducted extensive due diligence before offering the securities to customers and conducted training of their representatives on the products. Firms should review their new product-related procedures to ensure that they are following those procedures for any new and complex investment product sold to customers.
  • Outside Business Activities ("OBAs"). FINRA expresses concerns about the practice of firm associated persons raising funds from their customers outside of their firm's supervision for entities that the associated person controls or in which he or she has an interest. Accordingly, FINRA will also continue to evaluate the controls that firms have in place with respect to the OBAs of their associated persons.
  • Practice Note: Firms should be on the lookout for red flags that a representative could be selling away, such as through social media links or other statements contained in firm electronic communications. As part of the OBA approval process, a firm also should reinforce to its associated person that selling away is strictly prohibited.

Operational Risks

Like OCIE, FINRA will devote attention to the supervision of the digital asset markets. It intends to coordinate with the SEC to review how firms determine if a particular digital asset is a security under the U.S. securities laws. FINRA will also consider the extent to which broker-dealers have instituted sufficient controls and are supervising compliance with rules related to, among other things, the marketing, trading and recordkeeping of digital assets, as well as applicable AML rules.

Market Risks

  • Best Execution. FINRA expresses concerns about the failure of firms to use "reasonable diligence" to ensure that customer order flow is routed to the best market, in light of such factors as an order's size, type and terms and conditions. As such, FINRA will evaluate the best execution decisions of firms in circumstances where all or substantially all orders are routed to: (i) a small amount of wholesale market-makers from which the firm receives payment for customer order flow; (ii) an affiliated broker-dealer; or (iii) an ATS in which the firm has a financial interest. Among other things, FINRA intends to review firm management of conflicts of interest between their best execution obligations and any benefits received from routing or internalizing customer orders.
  • Practice Note: When fully implemented, the SEC's recent expansion of the order handling information required to be published and provided to investors under Rule 606 of Regulation NMS could help firms establish the "reasonable diligence" FINRA wants to see.
  • Market Access. This year, FINRA will continue to review firm compliance with SEC Rule 15c3-5, which requires firms with market access to establish certain controls and supervisory procedures to manage, among other things, the financial, regulatory and operational risks related to such access. FINRA anticipates that it will evaluate how firms apply and test controls and limits with respect to sponsored access orders. In addition, there will also be a focus on the steps taken by firms to prevent manipulative or other illegal trading activity.
  • Practice Note: Among other things, firms should document the reasons for changes to a customer's assigned credit limit, whether on a temporary or permanent basis, and establish who at the firm approved such changes.
  • Short Sales. FINRA intends to evaluate whether firms have structured their aggregation units to be consistent with Rule 200(f) of Regulation SHO and whether the aggregation units are, indeed, independent.
  • Practice Note: FINRA indicates that firms should be able to establish independence through measures, such as separate management structures, location, business purpose, and profit and loss treatment. On a periodic basis, especially if there has been personnel turnover, a firm should review its aggregation units to ensure that management creep between aggregation units has not occurred.
  • Short Tenders. FINRA will continue to examine how firms account for options positions when tendering into an offer and whether they are complying with Exchange Act Rule 14e-4, which, after the announcement of a tender offer, requires a firm selling call options with a strike price less than the tender offer price to reduce its long position by the shares underlying the options for purposes of calculating its net long position.

Financial Risks

FINRA plans to evaluate how firms identify and manage credit risk, including potential exposure to losses from a firm's extension of credit to its customers and counterparties, give-up arrangements, prime brokerage and sponsored access arrangements, and their compliance with FINRA's margin rule (Rule 4210(f)). Additionally, FINRA will concentrate on the extent to which firms' liquidity planning includes a process to evaluate the sufficiency of liquidity pools and to regularly revise stress test assumptions to account for changes to the firm's business, products, customers, as well as changing market conditions.

KEY TAKEAWAYS

  1. As part of the ongoing effort to identify and rectify all deficiencies with respect to their operations and to anticipate and prepare for potential SEC and FINRA examinations in 2019, broker-dealers should review the examination priorities of both regulators, which detail the key areas where OCIE and FINRA intend to concentrate their respective resources in 2019.
  2. To the extent they were not explicitly addressed in connection with the firm's annual compliance review and certification, firms should review their policies and procedures in the areas highlighted by each regulator, not only to make sure that the procedures are in synch with current regulatory requirements but also to confirm that firm personnel are, in fact, complying with those policies and procedures. If the firm's practices have evolved over time, the policies and procedures should be amended to match existing practices.
  3. As is often the case, the subject matter areas addressed in an examination priorities letter may provide a clue to the next area of enforcement focus. Statements made in these announcements about what firms should be doing sometimes form the basis of the regulators' enforcement positions. For that reason, firms should be aware of the subject matters discussed in the respective published priorities and try to address problematic practices before an exam of the firm is announced.
