The Exam Priorities document serves as a report on the Division of Examinations’ activities and accomplishments over the last fiscal year, as well as a look ahead at key risks, trends and examination priorities, and is similar to other SEC division or office published reports in its content and tone. In contrast, the new format FINRA Report combines a variety of prior FINRA materials and promises to be a “living document,” to be updated each year, considering perennial topics, as well as adding new risks and resources for members to consider. The FINRA Report offers, not only member obligations under the FINRA rule(s), but also what FINRA has seen in recent exams, and what the FINRA staff views as effective compliance practices in the area.
Retail investor protection
Not surprisingly, both the SEC and FINRA focused on retail investors in their documents. In its Exam Priorities, retail investor protection was addressed by the Division of Examinations in connection with the standards of conduct for broker-dealers and investment advisers, disclosure of conflicts of interest, and disclosure of fees and expenses, as discussed below. In addition to these priorities, the Division of Examinations also noted its specific focus on recommendations to senior citizens, and on registered persons who target retirement communities, as well as teachers and military personnel. Moreover, the retail investor protection theme comes through loudly in the Exam Priorities discussion of retail account conversions and rollovers, as well as the staff’s consideration of certain investment strategies and product types, like complex strategies or products, high-risk products, or more opaque, non-traded or illiquid products, or products that come with high commissions. The Division will be reviewing to ensure that sales practices meet obligations under the appropriate standards of conduct, and that firms’ disclosures of risks, fees, and sales incentives and other compensation are similarly compliant.
The FINRA Report does not include a separate section on retail investor protection. Rather, protecting retail investors is addressed through the prism of the FINRA rule set and many of the key areas that FINRA highlights directly affect retail investors. These areas include: compliance with Reg BI and Form CRS, best execution and the focus on “zero commission” trading, and variable annuity sales practices such as exchanges and buyout offers. Retail investor concepts are also embedded in the continued focus on communications with the public, including risks relating to new digital communication channels, the increasing use of interactive and “game-like” features in online apps, and the promotion of cash management accounts. FINRA also emphasized that it remains “highly focused on” protecting senior and vulnerable investors, particularly as it relates to reviews of communications, recommendations of certain products, and sales practice conduct.
Standards of conduct
As expected in light of the SEC’s continued focus on retail investors, the Exam Priorities led with Regulation Best Interest, Form CRS and fiduciary duty under the Advisers Act. With regard to Reg BI and Form CRS, the Exam Priorities and the FINRA Report align, highlighting compliance, as opposed to focusing solely on implementation and readiness, which was central in 2020 for both the SEC and FINRA. The Exam Priorities also address the fiduciary obligations of investment advisers, with a focus on the 2019 Commission Interpretation Regarding the Standard of Conduct for Investment Advisers (IA Interpretation).
The Exam Priorities reiterate Reg BI’s best interest obligation― including the four component obligations of Disclosure, Care, Conflicts of Interest and Compliance―as they apply to broker-dealers and their associated persons when making a recommendation to retail customers of any securities transaction or investment strategy involving securities. Unlike prior examinations, which focused on preparation and implementation of Reg BI, the examination priorities for 2021 center on compliance with the rule. Examinations will focus on transaction testing, assessing whether broker-dealers’ recommendations are based on their reasonable belief that the recommendations are in clients’ best interest, existing processes for compliance, and alterations made to product offerings. The Exam Priorities also highlight rollovers, complex product recommendations, reasonably available alternatives, and how sales-based fees impact recommendations, and policies and procedures to identify and address conflicts of interest.
Investment advisers - fiduciary duty
The Exam Priorities highlights the IA Interpretation, noting that examinations will focus on whether advisers are fulfilling their duty of care and duty of loyalty, including with respect to the elimination or disclosure of conflicts of interest. The Exam Priorities highlights the staff’s continued focus on fees and expenses, complex products, best execution and undisclosed, or inadequately disclosed, compensation arrangements. Although the Interpretation did not purport to replace or expand existing interpretations of fiduciary duty, an examiner could, and likely will, ask questions beyond the four corners of the IA Interpretation, including with regard to financial conflicts of interest.
Both broker-dealers and SEC-registered investment advisers are subject to a Form CRS requirement. Despite extensive SEC messaging, leading up to and since the June 30 implementation deadline, apparently, based on the Exam Priorities, a significant number of firms have not yet begun to use Form CRS, or have not completed a Form CRS accurately, particularly with regard to disciplinary information. While the number of firms with incomplete or missing information on their Form CRS should decrease based on greater regulatory outreach, we note the importance of regular review and update of Form CRS to ensure accuracy and timely delivery to clients. For investment advisers, changes to an adviser’s Form ADV may result in changes in its Form CRS. For both broker-dealers and investment advisers, changes to certain elements of a firm’s business model (including conflicts of interest or revenue sharing relationships) may also require updates and redelivery of Form CRS. The Exam Priorities expressly notes that the “Division will prioritize examinations of broker-dealers and RIAs to assess compliance with Form CRS,” indicating that both investment advisers and broker-dealers can expect Form CRS examinations in this year.
Fintech and digital assets
Financial and regulatory technology are broad categories, which include financial institution offerings, as well as new technologies offered by service providers to the firms. Technology has altered how firms relate to their customers and clients, and what resources are available to the firm, both to provide more and better services, as well as to ease compliance burdens.
The FINRA Report identifies concerns about regulatory technology providers and third party vendors, including “Cloud Vendors,” in the context of books and records requirements. The FINRA Report also poses specific questions for its members to consider about how they use digital communications channels and whether those communications are compliant, not only with Rule 2210, but also with policies and procedures that have been updated to contemplate these new forms of communication, and all recordkeeping mandates. The FINRA Report expends significant effort on issues related to the so-called “gamification” of investments and expresses concerns about the risks of such platforms and whether these new technologies meet compliance requirements for customer communications. Along the same lines, the inquiries included in the FINRA Report on digital assets seek to ensure that information about these products, particularly provided to retail investors, is not misleading and addresses all of the relevant risks.
Similarly, the SEC’s Exam Priorities also discusses how financial technology has altered the engagement between firms and their clients, including through automated investment platforms, fractional share purchase opportunities, mobile applications for trading and other interactions. The Exam Priorities specifically identifies these issues as priorities for review, to ensure that firms are meeting their compliance obligations and conforming to whatever representations they have made to clients and customers. Further, the Division of Examinations warns about the opacity of some regulatory technology (RegTech) offerings and confirms that this is both an area of focus for examination and a potential area where firms may have inadvertent compliance deficiencies for example in the case of misused or improperly configured RegTech. This focus on RegTech is a reminder to firms that relying on automated tools from third-party vendors does not fully replace existing compliance processes. Finally, the Exam Priorities also identifies digital assets as an area for exam focus, with the staff looking not only at disclosures and compliance programs related to investments in digital assets, but also at valuation and safety of client assets.
Cybersecurity and operational resiliency
Registrants should continue to monitor their operational cybersecurity compliance and business continuity plans in light of the effects of the ongoing pandemic. They also should take into account the effects of climate change on their business continuity plans.
The effects of the pandemic and the resulting risks from remote work and operations environment
As described in each of their recent examinations documents, both the SEC and FINRA expect registrants to calibrate their cybersecurity compliance and business continuity plans to take into account the greater risks from a remote work and operations environment.
For instance, according to the SEC Exam Priorities, the pandemic has heightened the SEC’s concern with endpoint security, data loss, remote access, use of third-party communication systems, and vendor management. Similarly, the FINRA Report disclosed greater concerns with cybersecurity risks associated with the remote work environment combined with what FINRA observed to be an increase in cyber-related crimes. In particular, FINRA observed higher numbers of cybersecurity incidents including system-wide outages, email and account takeovers, fraudulent wire requests, imposter websites and ransomware.
With these concerns in mind, in the upcoming year, the SEC Examination Staff will review whether firms have taken appropriate steps to:
- safeguard customer accounts and prevent account intrusions, including verifying an investor’s identity to prevent unauthorized account access;
- oversee vendors and service providers;
- address malicious email activities, such as phishing or account intrusions;
- respond to incidents, including those related to ransomware attacks; and
- manage operational risk as a result of dispersed employees in a work-from-home environment.
FINRA will similarly review cybersecurity programs for compliance with business continuity plan requirements, as well as the SEC’s Regulation S-P Rule 30, which requires maintenance of policies and procedures for the protection of customer records and information.
Climate change and business continuity plans
Consistent with its multiple recent statements on ESG issues, according to the Exam Priorities, the SEC will examine whether registrants are reasonably prepared for the effects of climate change on their businesses and operations. The SEC will build on its efforts in gathering information regarding business continuity plan in relationship to the pandemic. In particular, the SEC Examination Staff will evaluate whether such plans, particularly those of systemically important registrants, take into account the growing physical and other relevant risks associated with climate change. Similar to its post-Hurricane Sandy work, the SEC Examination Staff will look for appropriate improvement to these plans in response to the effects of climate change over the years. The Division’s interest in systematically important registrants’ operational resilience shows that it is not just interested in individual firms’ compliance practices, but also financial markets’ overall ability to adapt to the increasing risks of climate change.
Although it was not addressed in the FINRA Report, it is worth noting that the SEC Exam Priorities also emphasized that registrants should be vigilant with compliance surrounding ESG investing. Specifically, the Division of Examination will be reviewing the consistency and adequacy of disclosures regarding ESG strategies and investments that asset managers and funds provide to their clients and investors, advertising that may contain false or misleading statements relating to ESG claims, and the degree to which proxy voting policies and procedures and actual voting align with stated ESG strategies.
Although the Exam Priorities devotes only two paragraphs to anti-money laundering priorities – indicating that the Division of Examinations will continue to prioritize assessments of broker-dealers and registered investment companies for compliance with anti-money laundering requirements – the FINRA Report provides a more fulsome discussion of exam observations during 2020 and best practices for compliance with FINRA Rule 3310.
Several of the exam observations are worthy of note:
- Inadequate AML framework for cash management accounts – FINRA has identified cash management accounts as a product area where firms have not adequately adapted their AML programs to address the unique money laundering risk associated with these accounts as compared to brokerage or other types of accounts, and to implement a tailored, risk-based approach.
- Data integrity gaps – FINRA noted that firms had excluded certain types of data and accounts from monitoring programs due to issues with ingesting certain data, and observed inaccuracies and missing information in transaction monitoring data feeds. FINRA’s focus on data integrity follows the 2018 implementation of the New York State Department of Financial Services’ Part 504, which requires regulated financial institutions in New York to validate the integrity and accuracy of data feeds used in transaction monitoring activities.
- Concerns about high-risk trading by foreign legal entity accounts – FINRA observed a failure of firms to identify or investigate increased trading by foreign legal entity accounts in low-float and low-priced securities. Firms already are required under the Bank Secrecy Act (and its implementing FinCEN regulations) to develop a special due diligence program for certain foreign financial institution account holders, which includes a periodic review of account activity. FINRA’s observation with respect to foreign legal entity accounts makes clear the regulatory focus on all types of foreign accountholders.
- Improper reliance on clearing firms – FINRA also observed reliance by introducing firms on their clearing firms for transaction monitoring and suspicious activity reporting, notwithstanding introducing firms’ independent obligation under the Bank Secrecy Act (and FINRA Rule 3310) to detect and report suspicious activity to FinCEN.
The FINRA Report also highlighted the following emerging AML and other financial crime risks: (i) microcap and other fraud, (ii) issuers based in restricted markets, and (iii) risks related to special purpose acquisition companies (SPACs). In regards to microcap fraud, FINRA directs firms to the SEC Staff Bulletin on Risks Associated with Omnibus Accounts Transacting in Low-Priced Securities, which highlights a number of financial crime risks associated with trading in low-priced securities. In addition, FINRA flagged the prevalence of account openings by foreign nationals and entities for participating in initial public offerings in jurisdictions like China and related aftermarket trading. FINRA has identified red flags in connection with these accounts, specifically instances where multiple accounts were opened by or on behalf of the same beneficial owners and engaged in trading indicative of market manipulation of the relevant securities issued in high-risk jurisdictions.
Finally, FINRA highlighted that a number of firms are engaged in the formation and offering of SPACs without having adequate procedures in place to address the financial crime risk associated with SPACs, which include potential misrepresentations and omissions in offering documents, fees associated with SPAC transactions, control of funds raised in SPAC offerings, and insider trading.
Although only briefly mentioned in its Exam Priorities, the SEC specifically noted that examinations will focus on compliance with best execution, given the low and zero cost commission environment, and stated further that the staff will continue to examine payment for order flow and compliance with Regulation SHO. This masterful understatement, in the face of Congressional hearings on the recent GameStop stock volatility and the publicity that has surrounded these issues, as well as the outcries in favor of and opposed to additional regulation related to the same, is perhaps the best and only response that a Division of the SEC could offer. We do expect more to come on all of these topics. We anticipate the SEC to take a closer look at the impact on retail investors of zero-commission trading, and how platforms offering that service manage and disclose any payment for their order flow, while also achieving best execution for their customers. To the extent these issues, as well as Reg SHO compliance, are relevant to their business operations, firms should prepare for significant evaluations in these areas during exams.
Because of the very nature of the FINRA Report, FINRA offers specific considerations and inquiries on the topic of best execution, which offer a helpful framework to analyze Rule 5310, as well as to prepare for an examination in this area or really just consider compliance readiness. Helpfully, the FINRA Report also identifies what examiners have seen in recent examinations, in way of best execution findings, and what FINRA is evaluating through its “zero commissions” targeted examination letter, the results of which, the staff promises to share when the review is completed.