Every year, FINRA releases a report on its Examination and Risk Monitoring Program to help firms strengthen their compliance processes by providing insights into the key findings from their regulatory activities. This year, a new Financial Crimes section was introduced as part of the regulator’s efforts to protect investors and safeguard market integrity from ongoing threats in three areas:
- Cybersecurity and Technology Governance
- Anti-Money Laundering, Fraud and Sanctions
- Manipulative Trading
As each topic is extensive and touches several business functions, it can be challenging for compliance professionals to fully understand their obligations and how to take effective action to mitigate the risk of non-compliance. To help firms understand the implications for their employee compliance processes, we went through the report and pulled out the most pertinent information you need to be aware of:
1. CYBERSECURITY AND TECHNOLOGY GOVERNANCE
As businesses continue to adopt technology and accelerate their digital transformation strategies, cybersecurity has become vital for protecting organizations from unauthorized access to their systems and data. To help ensure that firms put sufficient measures in place, the U.S. Securities and Exchange Commission (SEC) and FINRA have established a number of regulatory obligations that must be followed:
- Rule 30 of SEC Regulation S-P requires FINRA members to have written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.
- Regulation S-ID (Identity Theft Red Flags) requires member firms to develop and implement a written program to detect, prevent and mitigate identity theft in connection with the opening or maintenance of “covered accounts.”
- FINRA Rule 4370 requires members to have written business continuity plans; this obligation extends to denials of service and other interruptions to member firms’ operations.
The 2023 report reminds firms that cybersecurity incidents can expose members to financial losses, reputational damage and operational risk, as well as to potential violations of a range of rules and regulations. FINRA puts forward several considerations to help firms stay compliant, including:
- Steps taken to prevent a cybersecurity intrusion and measures in place to protect sensitive customer/firm information
- Establishing risk frameworks for third-party vendors and authorized employees
- Ensuring that all staff receive the necessary training, not just FINRA registered persons
- Maintaining adequate controls on a branch office and its personnel
2. ANTI-MONEY LAUNDERING, FRAUD AND SANCTIONS
Failure to comply with anti-money laundering (AML) regulations can have significant consequences. In 2020, Interactive Brokers was fined $15 million by FINRA over AML deficiencies after maintaining an inadequate compliance program.
FINRA-regulated firms must comply with Rule 3310, which requires each member to develop and implement a written AML program reasonably designed to achieve and monitor the firm’s compliance with the Bank Secrecy Act (BSA) and its implementing regulations. As part of the rule, member firms are expected to:
- Detect and report suspicious transactions (including insider trading)
- Conduct independent testing for compliance each calendar year
- Provide ongoing training for appropriate personnel
- Include risk-based procedures for conducting ongoing customer due diligence
However, the findings in the 2023 report show many firms falling short of these obligations. Firms often had inadequate verification of customer identities and failed to conduct proper customer due diligence to understand the nature of the relationship and develop appropriate risk profiles. FINRA also found that the steps taken to monitor and report suspicious transactions were insufficient across various business functions, and that firms were not regularly conducting independent testing of their AML programs to assess their effectiveness. Additionally, firms fell behind on responding to FinCEN information requests made under Section 314(a) of the USA PATRIOT Act.
To help firms more effectively meet their AML, fraud and sanctions obligations, FINRA set out various best practices for firms to deploy. These include:
- Regularly reviewing regulatory updates from the SEC, FinCEN, FINRA and other regulators
- Conducting regular risk assessments of AML frameworks
- Incorporating additional methods of verifying customer identities
- Delegating AML responsibilities to business units in the best position to detect and report on suspicious activities
- Establishing and maintaining an AML training program for employees
3. MANIPULATIVE TRADING
In addition to the rules that prohibit specific trading practices, FINRA member firms are required under Rule 3110 to supervise the trading activities of their associated persons. A firm’s supervisory procedures need to include a process for reviewing securities transactions to identify trades that may violate the Exchange Act, SEC rules or FINRA rules.
FINRA also prohibits member firms from publishing or circulating reports of transactions or quotations that the firm does not believe to be bona fide, and from trading in a security that is the subject of an imminent customer block transaction while in possession of material, nonpublic market information (MNPI). Further FINRA requirements govern the promptness, accuracy and completeness of last-sale information for stocks.
Nevertheless, the FINRA report showed that many firms are still struggling to meet these obligations. Some had inadequate written supervisory procedures for monitoring manipulative conduct and lacked documented escalation processes. Others had insufficient surveillance controls to capture manipulative trading, with deficiencies in monitoring customer activity for patterns of potential manipulation. FINRA recommends a number of practices to comply more effectively with the rules on manipulative trading, including:
- Maintaining and reviewing customer and proprietary data to detect manipulative trading schemes
- Monitoring activity across multiple platforms that may involve related financial instruments
- Designing surveillance programs to detect momentum ignition trading
- Developing supervisory systems for safeguarding MNPI
- Reviewing trading activity to identify customers engaging in wash trading activities
4. OUTSIDE BUSINESS ACTIVITIES (OBA AND CRYPTO)
While not part of FINRA’s 2023 Report, crypto has definitely been on the radar of the SEC and FINRA. We understand that FINRA has recently received numerous questions as a result of the SEC’s lawsuits against Binance and Coinbase. Firms looking for a firmer grasp of the regulators’ stance can look to a 2018 case against a former Merrill Lynch employee who failed to disclose outside business activities involving crypto.
In a letter of acceptance, waiver and consent, FINRA stated that Kyung Soo Kim had been registered with FINRA from March 2014 to April 2018 as an investment company and variable contracts products representative and as a general securities representative through his employment at Merrill Lynch. However, Kim did not provide written notice to Merrill Lynch of his outside crypto business activities after forming and incorporating an entity referred to as S Corporation in December 2017.
According to FINRA, Kim opened and funded a bank account for S Corporation, entered into a contract on its behalf with an entity to build and operate computer hardware and software for its crypto activities and transferred funds to that entity from S Corporation. This was found to be in breach of FINRA's Rules 3270 and 2010, which require:
- Rule 3270: FINRA-registered persons must notify their employers in writing of any business activity "outside the scope of the relationship with his or her member firm."
- Rule 2010: FINRA-associated persons must "observe high standards of commercial honor and just and equitable principles of trade."
Fortunately, software solutions exist to help firms keep up to date with the latest changes to FINRA regulations. The Employee Conflicts of Interest (ECOI) solution suite from StarCompliance makes it easy for compliance professionals to monitor and detect suspicious activity arising from employees' personal trading and investment activities through automated surveillance and a highly configurable rules engine. Our Compliance Control Room also helps firms gain greater transparency over the flow of MNPI by tracking and recording employee, firm and customer trading activity and screening it for potential manipulation, with centralized list management to help protect market integrity.
Additionally, the STAR platform has been built from the ground up with a focus on security across every product and feature of the application, and our team ensures that strict policies and procedures are in place that align with regulatory requirements and industry best practice. Our platform is ISO 27001 and ISO 9001 certified and SOC 2 Type II audited, with a proven record of passing annual external audits conducted by independent third parties. With all these measures in place, firms can comply confidently with their FINRA obligations.
To find out how Star's innovative employee compliance solutions can help you meet the rules set out in the Financial Crimes section of FINRA’s 2023 report and their scrutiny of outside business crypto activities, please reach out to a Star professional today.