Thanks to Blaine for tackling FINRA’s annual list of things it is paying particular attention to in 2021. – Alan
The world has changed a lot in the last 12 months, but those in the securities industry can always rely on their trusty regulator, FINRA, to put out its annual priorities list to provide some semblance of consistency in the world. In a break from the past, however, this year FINRA has combined two annual reports – the Report on Examination Findings and Observations, and the aforementioned Risk Monitoring and Examination Program Priorities Letter – into one new document (the “Report”). The 46-page Report addresses 18 regulatory areas and organizes them into four categories (sadly, there is no mention of the ultra-recent GameStop saga).
Readers familiar with past priorities letters will recognize many of the issues raised in the current incarnation, and FINRA concedes that “many of the areas addressed in the publication represent ongoing core compliance responsibilities.” In other words, AML has always been a priority and continues to be a priority so nothing to see here.
Unfortunately, the subject that is likely to be of most interest, given the current state of affairs in the world, i.e., “Firms’ Practices During COVID-19,” is set off in blue because the “Report does not address exam findings, observations or effective practices specifically relating to how firms adjusted their operations during the pandemic.” Fortunately, FINRA promises, “those reviews are underway now and will be addressed in a future publication.” If we are lucky, said results will be issued before the entire country is vaccinated, while the results are still relevant. Stay tuned to the BD Law Corner blog for timely updates in relation to COVID guidance. With all of the above in mind, here are selected highlights from the new combined Report:
Regulation Best Interest (“BI”)
Regulation BI replaces the well-known and weathered suitability standard with one that requires broker-dealers and associated persons to make recommendations on transactions or investment strategies based on the best interests of their retail customers. While the standard sounds simple, its implementation has caused heartburn in CCOs across the country as they struggled to understand how FINRA will interpret BI differently than suitability. Unfortunately, CCOs will have to continue purchasing their extra-strength Tums. Because, while the Report lists some rather obvious guidance, such as, “Has your firm provided adequate Reg BI training to its sales and supervisory staff,” it punts on the all-important question of what firms are being disciplined for and, more importantly, what FINRA will look at in the upcoming year.
FINRA’s posture is likely due to the fact that Reg BI is relatively new, in conjunction with the difficulties of regulating during a world-wide pandemic. Notably, the Report does refer readers to a Roundtable that the SEC held on Reg BI that my colleague Heidi VonderHeide reviewed in another blog post. Speaking of which, Ms. VonderHeide will be discussing the ins and outs of Reg BI in a webcast later this month that interested readers can register for here.
As was the case with its COVID guidance, FINRA promises to update the industry as information is gathered and priorities determined. While we all hope COVID will soon be a distant memory, Reg BI is here to stay, so FINRA’s updates warrant further watching.
Another issue that is here to stay and promises, in fact, to increase in importance over the coming years is cybersecurity. The Report notes increased occurrences of cybersecurity-related issues, including system-wide outages; email and account takeovers; fraudulent wire requests; imposter websites; and ransomware. In addition, the Report indicated that data breaches remain an issue. The pandemic has brought this already important issue to the forefront as brokerage personnel increasingly work remotely, increasing the importance of home internet security for each and every employee touching private company data.
The limitation on personal interactions between brokerage employees and their customers has only exacerbated the problem and ensured that most, if not all, exchange of customer paperwork takes place over the internet. With such exchanges becoming the rule instead of the exception, FINRA has, not surprisingly, noted during its exams that firms have failed to encrypt customer personal information (which can be as simple as failing to encrypt and redact new account forms). Firms also failed to limit access to customer information (along with other sensitive data) and failed to train personnel and maintain adequate branch policies, among other deficiencies. During compliance reviews, firms, naturally, tend to look within to figure out how they can improve internally. While it is not necessarily intuitive, FINRA notes that firms must institute proper policies to ensure that their vendors are taking all steps that the firm, itself, is taking to ensure data safety. This might be especially important for smaller firms that outsource their technological needs to vendors. During past roundtables with Regulators at the Chicago Bar Association, those Regulators have indicated that a firm blaming its vendor is not a valid excuse if a data breach occurs, and the Report seems to confirm as much. The basic takeaway seems to be that internet technology is changing all of the time and the onus is on firms to keep pace in terms of protecting themselves and their customers.
Communications with Public
As technology changes, the way that firms communicate with their customers has also changed. Late last year, the SEC revolutionized its marketing rules for RIAs, bringing them out of the 1960s and into the digital age (my colleague Denise Fesdjian wrote about it here). While FINRA did not do anything near as exciting as the SEC, it is worth noting the issues it uncovered as well as what infractions it might focus on in the future.
Some findings have been virtually unchanged over the years, with the exception that they are now more likely to be found on the internet instead of in print, e.g., failing to balance promotional statements with prominent risk disclosures, while others deal with newer technology, i.e., the failure to retain email and other digital communication. One such technology that the Report sets off in blue (which apparently indicates that FINRA wants people to read it and, thus, will likely focus on it) is the emergence of new digital platforms with “Game-Like” features. FINRA cautions that these platforms, which are reaching a new segment of retail investors and, thus, providing important access to the marketplace, can also represent danger. The message seems to be that firms can splash up their websites in order to appeal to new consumers but, in doing so, they are not relieved of any of their regulatory responsibilities. Substance over form when it comes to the rules, in other words.
Above is just a smattering of what is available in the Report and I encourage anyone with an interest to review it in detail to learn about all of the topics not discussed here.
 See FINRA Regulatory Notice 20-16 for guidance on operating during the pandemic.
 For those wishing to read the report in its entirety, it is available at https://www.finra.org/rules-guidance/guidance/reports/2021-finras-examination-and-risk-monitoring-program#top
 Technically, Regulation BI supplements the suitability standard but according to Regulatory Notice 20-18, “Reg BI’s Care Obligation addresses the same conduct with respect to retail customers that is addressed by Rule 2111, but employs a best interest, rather than a suitability, standard, in addition to other key enhancements. Absent action by FINRA, a broker-dealer would be required to comply with both Reg BI and Rule 2111 regarding recommendations to retail customers. In such circumstances, compliance with Reg BI would result in compliance with Rule 2111 because a broker-dealer that meets the best interest standard would necessarily meet the suitability standard.”
In other words, you have to follow Reg BI and if you follow Reg BI, you are meeting suitability so Reg BI is the determinative consideration.