The Financial Industry Regulatory Authority (FINRA) annual report on examination and risk monitoring priorities, released just a few days ago, sets the tone for the regulatory year ahead in financial services. With ongoing uncertainty about the pandemic, digital and cybersecurity issues that have arisen due to virtual work, unusual market developments, and a new federal administration, regulators are contending with a unique set of factors this year as they plot their examination plans.
While the report addresses a variety of priorities including firm operations, market integrity, and financial management, there is no shortage of areas that impact communications and sales practices. These include emerging trends such as “game-like” trading applications, video content, and undisclosed outside business activities (OBA), which are top FINRA priorities in the year ahead. Here are some of the priorities pertaining to communications compliance in 2021:
- Books and Records
- Communications with the Public
- Cybersecurity and Technology Governance
- Outside Business Activities (OBA)
- Regulation Best Interest and Form CRS
#1 Books and Records
Exchange Act Rules 17a-3 and 17a-4, FINRA Rule 3110(b)(4) and FINRA Rule Series 4510
With reps working from home and new collaboration, conferencing and messaging tools consistently being introduced, the existing Books and Records Rules face new complexities. FINRA has reiterated that firms are required to create and preserve, in an easily accessible place, all business-related communications. Specifically, FINRA has asked firms to consider the following:
- What kind of vendors, such as cloud service providers, does your firm use to comply with Books and Records rule requirements, including storing required records on electronic storage media (ESM)? How does it confirm compliance with the Books and Records Rules, ESM Standards and ESM Notification Requirements?
- Has your firm reviewed its Books and Records rule policies and procedures to confirm they address all vendors?
While books and records requirements do not call out individual communications tools, it is more important than ever that firms capture, archive and index new communications for quick search and retrieval. This is true regardless of whether that tool resides in the cloud, contains interactive content, or consists of persistent chats, voice, video, whiteboards or other collaborative capabilities.
#2 Communications with the Public
FINRA Rule 2210
According to the letter, FINRA will focus on communications relating to certain new products, and how member firms supervise, comply with recordkeeping obligations, and address risks relating to new digital communication channels. FINRA highlighted video content protocols and advised developing written supervisory procedures (WSPs) and controls for live-streamed public appearances, scripted presentations or video blogs. Some considerations for firms to review include:
- Does your firm’s digital communication policy address all permitted and prohibited digital communication channels and features available to your customers and associated persons?
- Does your firm review for red flags that may indicate a registered representative is communicating through unapproved communication channels, and does your firm follow up on such red flags? For example, red flags might include email chains that copy unapproved representative email addresses, references in emails to communications that occurred outside approved firm channels, or customer complaints mentioning such communications.
- How does your firm supervise and maintain books and records in accordance with SEC and FINRA rules for all approved digital communications?
- If your firm’s app platform design includes “game-like” aspects that are intended to influence customers to engage in certain trading or other activities, how does your firm address and disclose the associated potential risks to your customers?
- Do your firm’s communications — regardless of the platform through which they are made — comply with the content standards set forth in FINRA Rule 2210?
Dependence on video conferencing and collaborative platforms to engage with clients was a topic ripe for regulatory commentary. What’s clear is that FINRA is now viewing these tools as more than just spaces to gather; they are sources where records can be created, shared, or altered and need to be governed and supervised like any other form of communication subject to FINRA rules.
#3 Cybersecurity and Technology Governance
SEC Regulation S-P Rule 30; FINRA Rules 4370, 3110, 4511; SEC Exchange Act Rules 17a-3 and 17a-4
As expected, cybersecurity will remain a central focus for regulatory examinations. This includes recent risks relating to cybersecurity-enabled fraud and crime and those related to the pandemic. Given the increase in remote work and virtual client interactions, combined with an increase in cyber-related crimes, here are a few questions the report encourages firms to consider:
- What kind of governance structure has your firm developed to identify and respond to cybersecurity risks?
- What is the scope of your firm’s Data Loss Prevention program, including encryption controls?
- What kind of training does your firm conduct on cybersecurity, including phishing?
- What process does your firm have to evaluate your firm’s vendors’ cybersecurity controls?
- What controls does your firm implement to mitigate system capacity performance and integrity issues that may undermine its ability to conduct business and operations, monitor risk or report key information?
The conduct of employees working remotely is less visible to compliance staff and could easily expose firms to risks through the use of personal computers or mobile devices, unsecured wifi networks, or out-of-date security updates. Firms are guided to proactively manage cybersecurity and compliance, and to implement solutions to automate security and compliance controls across devices, networks, users and vendors at once.
#4 Outside Business Activities (OBA)
FINRA Rules 3270 and 3280
The recent GameStop fiasco offers some initial lessons for compliance teams. If one of your registered representatives had been involved as a retail investor, how might that affect your firm’s compliance profile? With reduced visibility into employee behavior due to remote work, and an environment of unlimited collaboration and communication applications (rather than Reddit, this could have just as likely happened on WhatsApp, Twitter or any other platform), it could be tough to track this type of activity.
FINRA recommends the following as effective practices for avoiding violation of OBA regulations:
- Questionnaires for registered representatives and associated persons about their involvement with OBAs
- Thorough, regular reviews of representatives’ involvement with OBAs
- Monitoring correspondence and other activities to surface red flags that may indicate involvement in undisclosed or prohibited OBAs
- Review of affiliate activities for rule violations
- Written Supervisory Procedures (WSPs) that clearly identify activities or investments that would constitute an OBA subject to approval or disclosure
- Training staff on OBAs and how to properly inform the firm of relevant activities
- Disciplinary action, including heightened supervision, fines or termination, for failure to notify firms and receive approval for OBAs
- Digital asset checklists that lay out all considerations for digital asset activities
Smarsh has discussed other cautionary tales about unapproved OBAs before. In a case from last year, FINRA fined a financial advisor $5,000 for exceeding the scope of approved outside investment advisory business by charging asset-management fees. While the financial penalties in this instance were not catastrophic, it is noteworthy that the penalties applied only to the broker, with the brokerage firm escaping unscathed. Why? In this case, the broker’s email archives were sufficiently comprehensive and clear in shielding the firm from his undisclosed outside business activities.
#5 Regulation Best Interest (Reg BI) and Form CRS
Regulators noted their intention to expand the scope of Reg BI and Form CRS reviews and testing for a more comprehensive review of firm processes, practices and conduct. In the report, FINRA warned that they would take appropriate action if they observe conduct that violates these regulations.
Some of their proposed considerations for compliance with Reg BI and Form CRS:
- Does your firm have policies, procedures and controls addressing Reg BI’s recordkeeping requirements?
- Has your firm provided adequate Reg BI training to its sales and supervisory staff?
- Does your firm have policies and procedures to provide the disclosures required by Reg BI?
- Does your firm have policies, procedures and controls in place regarding the filing, updating and delivery of Form CRS?
Future-proofing compliance with advanced technology
The recent FINRA report reinforces the regulatory obligation for firms to ensure that all communication channels approved for business purposes are included in their recordkeeping and supervisory processes.
Managing supervision and spotting infractions in the age of multiplying, disparate data sources has become significantly more complex. Firms should already be using automated lexicon policies for supervision, but it’s also worth considering the addition of artificial intelligence and machine learning to their electronic correspondence review toolset. AI and ML won’t replace human review, but these advanced capabilities can help spot troublesome patterns that the human eye wouldn’t be able to see among growing volumes of heterogeneous data.
Clients have come to expect firms to use technology to make business more efficient. Staying available and in communication is critical for brokers and advisors, and not being allowed to do so on their desired platforms could be detrimental to their business. If brokers or advisors are prevented from using certain communication tools by the firm, they may choose to use personal devices or accounts to sidestep these controls — bringing risk to their own business and the firm. An advanced technology solution to meet compliance needs and enable brokers and advisors will be essential as electronic communication and business practices continue to evolve.
Author: Marianna Shafir Esq. Regulatory Advisor at Smarsh
Marianna Shafir, Regulatory Advisor at Smarsh, is responsible for regulatory affairs worldwide. With her expertise in the financial services industry, compliance and e-discovery, Marianna counsels Smarsh clients on meeting regulatory obligations, leveraging technology and guidance on best practices related to electronic communications supervision. Prior to joining Smarsh, Marianna worked for BNY Mellon and Invesco, where she was an instrumental member of compliance teams. Marianna has also served as an adjunct professor at New York Career Institute, where she taught Law Office Management and Real Estate Law. She earned her Juris Doctorate from Nova Southeastern University. She is a frequent speaker at industry conferences and a contributor to various online publications.