It’s important for successful compliance leaders to keep an eye on the regulatory landscape. Priorities and strategies can be driven by past reporting and the guidance released by organizations like the SEC, FINRA, and more.
The recently published 2022 Report on FINRA’s Examination and Risk Monitoring Program replaces FINRA’s traditional priorities letter and findings letter and is designed to be a reference document to inform compliance programs of their priorities or areas of focus. This year, FINRA has defined 21 topical areas of interest. The report also seeks to highlight key considerations as well as share effective practices in an effort to support compliance obligations.
While the total number of FINRA enforcement actions in 2021 remained nearly static, the same number of actions resulted in a 60 percent increase in the monetary value of the fines. It’s clear that the price of misconduct is rising.
Among the broad array of areas covered in the report, these are some of the notable highlights that compliance monitoring professionals should note.
1. AML: Not unexpectedly, anti-money laundering (AML) risks remain a priority for market participants. A particular focus area is around tailoring supervision of risks by products, customer business lines, and transactions, including where change to a business has taken place. Despite historical efforts, this risk remains pertinent for compliance teams to address. This year’s report notes an additional focus on low-priced securities that could be indicative of fraud, in particular where activity coincides with sudden price increases. This likely refers to penny or small-cap equities where anomalously volatile price movements follow a transaction, which could be related to insider knowledge or “pump and dump”-type activity. Since AML consistently appears in every regulatory priority list, it’s clear the challenge of tracking the proceeds of any serious crime that has a significant financial payout has not been resolved. The noted increase in number and variety of fraud schemes, including those conducted digitally or via cyber activity, heightens the risks. The report also mentions “omnibus” accounts set up through financial institutions outside the US. Trading from these accounts can be carried out in the name of the broker and not the individual or entity which originated the trade, making specific identification challenging or even ineffective.
2. Cyber crime and tech governance: Inclusion of this risk category is similarly unsurprising, especially given the present geopolitical situation. All compliance teams are already wrestling with these challenges. Identity theft, customer account takeovers, illegal transfers of funds, phishing campaigns, and more are frequent, with crypto assets providing a convenient, anonymous means to launder money or to fund terrorist organizations. Cyber crime has also targeted areas which maintain sensitive or confidential data for the purposes of insider dealing. This is all in addition to the recent sanctions prohibiting trading and transfer of funds of those entities involved, which is not always transparent due to deliberately misleading identifiers like nominee shareholding structures or the use of powers of attorney or similar. The report suggests more detailed processes, governance controls, and inspections to reduce cyber crime and increase adherence to tech governance.
Communication Surveillance-Specific Risk
3. Public information: More specific to electronic communications monitoring is a focus on standards when communicating with the public via any medium. Communications, including mobile apps, must ensure messages do not contain false and misleading information. This is a not a new requirement, and Reg BI aims to ensure that a client's “best interest” is represented and transparent messages are articulated. However, the guidance in this report reminds us that the regulation now clearly refers to all forms of communication, including digital, and also notes that capture should be comprehensive for recording, even where not formally authorized.
4. Digital communication: With regards to reporting obligations, firms are reminded to ensure monitoring for unreported complaints. This includes specific mention of “conducting email surveillance targeted to identify unreported written customer complaints (by, for example, including complaint-related words in their keyword lexicons, reviewing for unknown email addresses and conducting random email checks).” Complaints can certainly be identified through strong electronic communications monitoring that includes AI to help identify risk. Regulatory reporting of complaints remains a key stat that FINRA collects quarterly, and they have doubled down on their reminders that all new tools and features are included, such as “new communication channels, apps, and features available to their associated persons and customers.” It would be fair to say this further emphasizes the focus on capture and recording of all communications including complaints, and that relevant surveillance and monitoring is the only way of effective risk management in this space. In addition, firms need to remain vigilant around the needs of their customers, many of which will be expressed through effective management and response to complaints received.
New, Innovation-Driven Risk
5. Outside Business Activities (OBA): In a more surprising addition, FINRA notes where relevant professionals must notify employers of any other business activity participation. While this requirement is not new, this year’s guidance includes evaluating digital asset activities, like crypto, which is a development that recognizes the more mainstream adoption of these asset types. The further potential impact or risk of crypto is still to be determined, including from a conflicts of interest perspective.
6. Mobile apps and gamification: Also noted within the report, likely as a follow-up to Gamestop, were gamification recommendations that dive into the ways firms encourage newer and younger customers to engage in trading that is inconsistent with their investment goals or risk appetite. The Gamestop issue is now just over a year old, so this is likely to be a reaction to what has been observed through subsequent exams. Judging by the increased and subsequent regulatory focus on trading apps, more scrutiny around associated risks and greater oversight and monitoring are likely to be required. This includes any communication feed associated with the platform which encourages sharing of trading strategies and ideas.
7. Books and records (record keeping): A recent report from GreySpark found that 76 percent of financial firms surveyed were currently using at least one cloud-based surveillance platform, and the rising use of cloud services will continue to be a focus for FINRA. This focus area now includes cloud vendors who are also required to comply with record keeping requirements. Ensuring that third-party due diligence is performed where these efforts are outsourced using the cloud is necessary to ensure storage and retention compliance. With recent updates and innovation, newer areas of concern have surfaced, and as such, firms will need to update previous risk assessments and policies to ensure appropriate oversight of these risks is deployed where relevant.
At a time when financial institutions may already feel that the bureaucratic “red tape” burden is high, the guidance issued in this report may feel like more of the same, but analysis proves there are definitive guidelines and actions that teams can take. In summary, much of the guidance within this report serves as a reminder of the importance of defining and applying appropriate governance, policy, and procedures.
While this would be the general regulatory expectation, there are new areas to consider and acknowledgement of business and technology innovations to address, alongside the respective risks that these present. Financial firms’ compliance teams will need to continue to adapt and innovate to avoid the wrath of the regulator.