It Appears Everything Is a Risk: FINRA Issues 90-page 2024 Regulatory Oversight Report

The Financial Industry Regulatory Authority (FINRA) recently published its 2024 Annual Regulatory Oversight Report (the Report).¹ The 90-page Report hits on many familiar themes and adds several new sections including a section on cryptoasset developments (particularly interesting given FINRA’s jurisdictional limitations on crypto-related assets) and three topics related to market integrity, including one devoted to the Securities and Exchange Commission (SEC) Market Access Rule.

Takeaways

Cryptoassets-Related Activities

• Even if the broker-dealer is not involved in cryptoassets-related activities, the Report underscores the importance of monitoring associated persons’ involvement in cryptoasset-related outside business activities (OBA) and private securities transactions (PST). Given the regulatory appetite for everything crypto, broker-dealers should be looking closely at whether financial advisers are reporting their OBAs and/or making requests for PST approvals.
• Cryptoasset retail communications are a key focus. Firms should assess whether they have taken reasonable steps so that their messaging contains a fair and balanced presentation of the risks associated with the underlying assets (e.g., speculative nature of the cryptoassets and the lack of legal or regulatory protections for most of these assets).
• The cryptoasset retail communication focus is front and center in that FINRA has an ongoing target sweep examination initiative relating to cryptoasset communications, which FINRA recently published and noted that it identified substantiative violations in approximately 70% of the communications and which also provides an overview of effective practices as further guidance for firms in this area.²
• FINRA’s focus on cryptoassets is consistent with its establishment of a specialized crypto team within Member Supervision’s exam program. Indeed, FINRA has approved certain firms for such activities as serving as placement agents in private placements of cryptoasset securities, operating alternative trading systems (ATS) for these securities, and providing custodial services under SEC guidelines.
• FINRA requests firms to inform FINRA about their engagement in cryptoasset activities, including activities involving cryptoassets not considered to be securities under U.S. securities laws.
• Broker-dealers engaged in cryptoasset-related activities should review and enhance their supervisory programs and compliance policies. This includes addressing challenges in areas such as cybersecurity, anti-money-laundering (AML) compliance, customer communications, and due diligence on cryptoasset private placements.
• The Report also focuses on the theme of market abuse involving cryptoassets, warning against potentially manipulative schemes such as those in the equities market. These include pump-and-dump schemes, which may be exacerbated by social media promotions.
• Surveillance themes and effective practices remain perennial issues if the broker-dealer is involved in this asset class. FINRA has seen common violations involving cryptoassets, including insufficient due diligence in cryptoasset private placements and inadequate AML programs. Effective practices that are recommended include thorough due diligence of unregistered offerings and clear customer communication regarding differences between brokerage accounts and crypto accounts.
• Conducting risk assessments of blockchain data, referred to as “on-chain assessments,” is on FINRA’s list of effective practice, and FINRA recommends that firms establish procedures on when to conduct such on-chain evaluations.

Reg BI and Form CRS

• Firms should be looking to follow best practices related to the duty of care, conflict of interest, compliance, and disclosure obligations, including the following:
  • provide guidance to associated persons on how to evaluate costs and reasonably available alternatives when making securities recommendations and, to the extent required by a firm’s policies and procedures, when to document these considerations
  • establish written policies and procedures tailored to the firm’s business model
  • assess whether the firm’s compensation practices for associated persons create conflicts of interest or otherwise incentivize associated persons to offer recommendation not in their customers’ best interests
• Private placement firms should adequately identify, disclose, and, where required, mitigate conflicts of interest associated with recommendations of private placements consistent with Reg BI’s conflicts of interest obligation.

Market Integrity

Over-the-Counter Quotations in Fixed-Income Securities — New Area of Focus

• FINRA expects firms to maintain a reasonable system of supervisory controls and procedures to comply with SEC Rule 15c2-11 regarding the publication or submission of quotations by broker-dealers for fixed-income securities on over-the-counter markets.
• Achieving a reasonable system of controls and procedures includes front-end surveillance to identify nonexempt securities and quotation mediums, self-assessment of the firm’s business related to quoting fixed-income securities, and use of third-party vendors to implement certain controls.
• FINRA’s expectations also include that firms
  • maintain controls and procedures reasonably designed to monitor quoting activity in fixed-income securities
  • review their own activity to determine applicability of Exchange Act Rule 15c2-11
  • conduct an analysis to confirm the accuracy of the firm’s representation that it quotes only in exempt securities
  • implement procedures and controls, including a process for complying with Exchange Act Rule 15c2-11, so that the firm does not quote a covered security prior to confirming the availability of publicly available financial information

Advertised Market Volume

• Firms should monitor technological and procedural processes for their internal systems, and the underlying trade volume information so that trade volumes disseminated by either the firm or third parties is complete, accurate, and not overstated or otherwise misleading.
• Maintain reasonably designed written supervisory procedures with respect to the verification and assessment of the accuracy of its published trading volume, including when such trading volume is disseminated through a third-party service provider.

Market Access Rule

FINRA raised several considerations related to compliance with the Market Access Rule, designed to help avoid a breakdown of a firm’s financial condition, that of other market participants, the integrity of trading on the securities markets, and the stability of the overall financial system:

• Maintain reasonably designed risk-management controls and written supervisory procedures to manage the financial, regulatory, or other risks associated with this business activity.
• Assess due diligence obligations when third-party service providers or tools are used to comply with market access regulatory obligations.
• Document the firm’s review of the effectiveness of its risk management framework.
• Establish pretrade order limits and preset capital thresholds as well as duplicative and erroneous order controls for accessing automated trading systems, including fixed-income ATSs.
• Establish adequate policies and procedures to govern intraday changes to firms’ credit and capital thresholds, including requiring or obtaining approval prior to adjusting credit or capital thresholds and ensuring thresholds for temporary adjustments revert to their preadjusted values.
• Do not unreasonably exclude certain orders from a firm’s pretrade erroneous controls based on order types.
• Do not set unreasonable capital thresholds for trading desks and unreasonable aggregate daily limits or credit limits for institutional customers and counterparties.
• Perform adequate due diligence of third-party vendor financial controls, whether with respect to an ATS or an exchange, and maintain direct and exclusive control over those controls such as individually setting certain financial thresholds for various orders.
• Document the firm’s annual review of the effectiveness of its risk management controls and supervisory procedures, including the reasonableness of the firm’s market access controls applicable to each business/product line in which the firm provides market access.
• Document the reasonableness of a firm’s controls and corresponding parameters.
• Develop reasonable complementary controls based on the firm’s business model and historical order flow.
• Conduct holistic post-trade and supervisory reviews for, among other things, potentially manipulative trading patterns.
• Test on a regular basis market access risk management controls and the reasonability of parameters for those controls, and document those reviews.

Cybersecurity and Technology Management

• Be cognizant that cybersecurity incidents can also trigger disclosure under broker-dealer-specific reporting rules, such as FINRA Rule 4530(b).
• Stay informed on the SEC’s proposed rule that would require broker-dealers and other market participants to establish, maintain, and enforce written policies and procedures reasonably designed to address cybersecurity risks and provide the SEC with immediate written electronic notice of significant cybersecurity incidents.
• Artificial Intelligence (AI) usage should account for accuracy, privacy, bias, and intellectual property.
• The use of AI tools could affect virtually every aspect of a firm’s regulatory obligations, including AML, cybersecurity, and communications with the public.

AML, Fraud, and Sanctions

• Develop an appropriately tailored surveillance program and supervisory system designed to detect a variety of manipulative schemes across various product types including correlated products.
• Beware of an emerging risk related to a recent surge in New Account Fraud (NAF), where criminals use stolen or synthetic identities to open fraudulent accounts. This trend is fueled by the easy availability of personal data from data breaches, often traded on the dark web, and the rise of online account opening that involves reduced human oversight. NAF not only facilitates direct theft from the fraudulent accounts but can also lead to more complex schemes involving asset theft and illegal fund transfers.
• Firms, especially those with automated online services, should look to enhance their monitoring and review processes to detect NAF and comply with regulatory requirements, offering additional guidance through several regulatory notices.

Financial Management

Liquidity Risk Management

• Effective liquidity controls are critical elements of a firm risk management framework.
• Beware that stress testing clearing deposit requirements on information reported on FOCUS reports may not represent actual fluctuations in deposit requirements that occur intramonth.
• Have contingency funding plans to provide liquidity under market or idiosyncratic stress conditions.
• Develop contingency funding plans that would provide sources of liquidity for operating under actual market stress conditions, and provide accurate and complete information on the firm’s supplemental liquidity schedules.
• Beware that FINRA may call for supplemental FOCUS liquidity risk-related information pursuant to Rule 4524 such as additional financial or operational schedules to the extent necessary to serve its investor protection objectives.

Communications With the Public — Mobile Apps

• Consider whether the firm’s mobile apps include appropriate risk disclosure at account opening or before a customer transaction.
• Fully explain and clearly and prominently disclose risks associated with options trading, use of margin, and cryptoassets.

Some of the emerging or newer risks are highlighted here. However, the Report covers more than 20 regulatory areas and continued the trend from last year of increasing emphasis on topic areas involving cybersecurity, market integrity, regulatory risk reporting, mobile app risk disclosures, routing information disclosures, Consolidated Audit Trail and the related Customer and Account Information System reporting deadlines. Because all these areas can create unique risks, a more fulsome read of the lengthy Report provides even more granular information for broker-dealers. 

¹ A copy of the complete Report is available at https://www.finra.org/rules-guidance/guidance/reports/2024-finra-annual-regulatory-oversight-report.
² The Crypto Asset Communications Sweep Update, which was published on January 23, 2024, and is available at https://www.finra.org/rules-guidance/guidance/targeted-examination-letters/sweep-update-jan2024.