On January 4th, 2017, the Financial Industry Regulatory Authority (FINRA) published its Annual Regulatory and Examination Priorities Letter to highlight issues of importance to FINRA's regulatory programs.
The letter is available at: http://www.finra.org/industry/2017-regulatory-and-examination-priorities-letter#1
Below are some notable points from the FINRA letter:
SOCIAL MEDIA AND ELECTRONIC COMMUNICATIONS RETENTION AND SUPERVISION
FINRA will review firms’ compliance with their supervisory and record retention obligations with respect to social media and other electronic communications in light of the increasingly important role they play in the securities business.
CYBERSECURITY
Cybersecurity threats remain one of the most significant risks many firms face, and FINRA will continue to assess firms’ programs to mitigate those risks. FINRA recognizes that there is no one-size-fits-all approach to cybersecurity and will tailor its assessment of each firm’s cybersecurity program based on a variety of factors, including the firm’s business model, size, and risk profile.
- Among the areas FINRA may review are firms’ methods for preventing data loss. This starts with understanding the firm’s data (e.g., its degree of sensitivity and the locations where it is stored) and how it flows through the firm and, where applicable, to vendors.
- FINRA may assess the controls firms use to monitor and protect this data, for example, data loss prevention (DLP) tools. In some instances, FINRA will review how firms manage and control their vendor relationships. Those controls should be informed by a number of factors, including a clear understanding of any customer or employee personally identifiable information, or sensitive firm information, to which vendors have access.
- FINRA may also examine firms’ controls for protecting sensitive information from insider threats. The nature of the insider threat is changing rapidly as the workforce evolves to include more mobile employees, trusted external partners and vendors, internal and external contractors, and offshore resources.
- FINRA also draws firms’ attention to two areas in which it has observed repeated shortcomings in controls.
- First, cybersecurity controls at branch offices, particularly independent contractor branch offices, tend to be weaker than those at firms’ home offices. FINRA has observed poor controls related to password use, data encryption, use of portable storage devices, patching and virus protection, and the physical security of assets and data.
- Second, in multiple instances, firms have failed to fulfill one or more of their obligations under Securities Exchange Act (SEA) Rule 17a-4(f), which requires firms, among other things, to preserve certain records in a non-rewriteable, non-erasable format, commonly known as write once, read many (WORM) format. This includes situations where vendor-provided email review and retention services did not meet the requirements of SEA Rule 17a-4(f). FINRA recently announced enforcement actions against 12 firms for, among other things, failing to preserve broker-dealer and customer records in WORM format.
SUPERVISORY CONTROLS TESTING
FINRA will assess firms’ testing of their internal supervisory controls. Regular testing is critical to enabling firms to identify and remediate gaps or inadequate controls (e.g., poorly set parameters in automated compliance systems) that, left undetected, may lead to significant, systemic control breakdowns. These problems arise in firms’ day-to-day operations, but FINRA has observed that they can be more prevalent when firms increase the scale or scope of their business or migrate from legacy to new compliance systems.
- Control breakdowns can include record-retention omissions and failures to deliver required disclosures or other documents to clients. In addition, FINRA has observed situations where data is inaccurate, for example, with respect to product or order types. Inaccurate data can cause automated alerts to miss activity in client accounts that should be flagged for further review, or can require extensive manual intervention to make the data usable. FINRA reminds firms of their obligations with respect to supervisory controls testing and chief executive officer certifications under FINRA Rules 3120 and 3130.
FINRA urges compliance staff, supervisors, and senior business leaders to consider the topics addressed in this letter. Incorporating this information into firms’ compliance, supervision, and risk management practices can better protect investors, the markets, and the firms themselves.