FINRA is often accused (mostly rightfully, and certainly by me) of being a horse-is-already-out-of-the-barn sort of regulator, jumping on an issue only after the problem has already arisen and made it to the front page of the Wall Street Journal. But, that’s not always the case. Indeed, there are occasions when FINRA is out ahead of the curve, providing warnings of problems that may seem remote at the time, but which later manifest themselves.
Such is the case with FINRA’s approach to BCPs, or Business Continuity Plans. Following the horrific events of September 11, 2001, FINRA (well, NASD, at the time) created Rule 3510, now FINRA Rule 4370, to address the disruption created in the business of many broker-dealers located in Manhattan (and others, elsewhere, who did business with those downtown Manhattan firms). According to that rule, every BD must create and maintain a written BCP that is reasonably designed to enable the firm to meet its obligations to customers, among others, during an emergency or significant business disruption. Among the several things that must – by rule – be included in a BCP is an effort to address “[a]lternate communications between customers and the member.” In other words, how can customers reach the firm when circumstances render the ordinary means of communication unavailable?
While the rule seems to have contemplated disasters, both natural and man-made, as the cause of such disruptions (e.g., all the cell phones stop working), ultimately the particular cause doesn’t matter. If, for whatever reason, a problem manifests itself that results in the phones/emails/faxes/instant messages being rendered useless, a BD needs to have a Plan B in place, to minimize the repercussions to investors. FINRA has offered pretty good guidance on this rule over the years, including a Report from 2019 on examination findings relating to BCPs, some FAQs, and even a Small Firm BCP Template.
One of the specific observations in that 2019 Report is this:
Insufficient Capacity – Some larger firms did not have sufficient capacity to handle substantially increased call volumes and online activity during a business disruption, which affected customers’ ability to access their accounts.
That is, the phones and internet are still working, but so many people are calling and emailing that they get busy signals, or their calls/emails are not returned promptly.
Let’s fast-forward to 2020 and Robinhood. Anyone who’s followed the markets even casually is aware of the multiple instances on which Robinhood’s customers were denied access to their accounts, or couldn’t reach Robinhood even to lodge complaints about their lack of access. That has resulted in both angry customers – read that as “arbitrations” – and angry regulators.
This is not me speculating about that last part. Just listen to this FINRA podcast, called “Exam and Risk Monitoring Program: Responding to COVID-19 and Looking Ahead.” It consisted of a conversation among three FINRA Senior Vice Presidents, including Bill St. Louis, SVP of the retail and capital markets firm groups (who is a certifiably nice guy). Bill was asked about the Report on FINRA’s Examination and Risk Monitoring Program, published earlier this year: “So, beyond Reg BI, does the report have any other priorities worth mentioning for Retail or the other firm grouping you work with, Capital Markets?” Here is his answer:
[T]here are a number of different priority areas in there that are relevant to Retail and Capital Markets firms. I’ll just touch on two very briefly.
One, I just want to remind everyone that there’s an intersection between cyber events and AML. So, account intrusions, takeovers, data breaches likely will be SAR reportable. So, I just wanted to remind firms of that. And that’s something that we pay quite a bit of attention to.
On tech governance, there are a number of firms that had platform outages in 2020, some of which related to market volatility. And the headline on outages, and like a lot of things on tech governance, is testing, testing, testing, capacity testing, vendor management, ongoing maintenance and testing of changes, new patches, scripts, new software, new hardware. Testing to see whether or not the linkages between systems are going to operate as expected when there are patches or changes to one part of the system.
And then the other thing about outages is we’re very focused on customer service during outages. Can firms handle the incoming calls from customers? Are there ways for customers to access and make transactions through other entry points if, for example, an app is down?
There’s actually a lot there, and I will break it down some, but let’s focus on the bit I highlighted. This is precisely the circumstance that FINRA previously cautioned its members to be aware of, and to prepare for. Look, I get that it’s more than a bit ironic for FINRA, of all people, to accuse others of not providing adequate customer service. But, at least in this one instance you cannot reasonably argue that FINRA was late to the party. It accurately anticipated a situation like those that Robinhood experienced, and gave fair warning. (I guess I ought not to pick on Robinhood, but it did garner the most headlines, and it has been reported that it may be fined as much as $26 million for, among other things, not providing its customers with access to their accounts.) That, ladies and gentlemen, is what FINRA is supposed to do, and when it manages actually to do it, it deserves the credit.
As for the other things Bill said, I think the most notable is his admonition that account intrusions and the like “likely will be SAR reportable.” That’s a big deal, as I see it, and here’s why: FINRA has made it clear that, historically, it is less interested in whether or not a SAR is actually filed than in whether or not a BD has a robust AML supervisory system, one that spots red flags, responds to them promptly, and takes appropriate action. That action may or may not be the filing of a SAR, depending on the firm’s analysis of the circumstances. But, as long as the firm DID spot the red flag, and DID respond, it is ok if the firm concludes that no SAR need be filed, as long as the decision not to file it was reasoned and supported by the facts.
Bill’s comment here, however, seems to suggest that, contrary to FINRA’s prior guidance, they now seem willing – and maybe even looking forward to – second-guessing even a reasoned decision not to file a SAR. And that’s troubling. Filing a SAR is serious business, with potentially serious consequences. If FINRA is going to start holding against even firms with excellent AML supervisory systems the fact that they elected, after careful deliberation, not to file a SAR, then all that will accomplish is to cause firms simply to file SARs, period, regardless of whether they’re truly mandated. If you know that no one gets in trouble for filing a SAR, or even too many SARs, then why not err on the side of over-disclosure, just to avoid becoming the subject of a FINRA exam?
Indeed, this phenomenon – called “defensive” filing, when a firm files a SAR simply to avoid being questioned about why it didn’t – has been observed by many, and may account for the crazy number of SARs being filed. I came across an article that stated that in the first 11 months of 2020, 2.5 million SARs were filed with FinCEN. I am no expert on how FinCEN triages the SARs it receives, but I would venture to guess that there’s no way for it to be nearly as effective as it might be at its job unless SARs are filed only when circumstances truly mandate them, not merely as a matter of being cautious. I fear that if Bill meant what he said, things will only get worse.
So, you see? I still got to take a shot at FINRA, even in the same post that I complimented them on their prescience when it comes to BCPs. All is right with the world.