December 19, 2017 / 10:03 PM

Six red flags from first-ever FINRA early exam results: Cyber security No. 1

NEW YORK (Thomson Reuters Regulatory Intelligence) - The Financial Industry Regulatory Authority has for the first time released an interim report on findings of early broker-dealer compliance exams, as the industry self-regulator works to examine every firm over the next four years.

A sign for the Financial Industry Regulatory Authority (FINRA) is seen outside the offices in New York's financial district July 22, 2015.

The new early look at exams was instituted at the start of the year by CEO Robert Cook when he took over as head of FINRA with an agenda of getting closer to members’ practices to institute changes in service and oversight. The interim report is aimed at giving firms more guidance on how to strengthen compliance.

The initial round of inspections found several areas of elevated concern, although FINRA cautioned firms against limiting their risk assessments just to high-priority items.

Here are the top six items cited — and action points based on what leading firms are doing in forward-looking compliance programs:


Firms are keeping up with evolving challenges to securing clients’ personal information and sensitive firm data. Deficiencies were seen in managing access and verifying identities, analyzing firm-specific risk factors, and supervision of vendors. Security of branch offices remains a large problem.

Action points: Leading firms are going beyond merely protecting data to anticipating and responding to network intrusions and suspicious activity. They are using behavioral analytics to train staff to detect and respond to threats. Increasingly, penetration testing is becoming a basic requirement.


Supervision has not kept pace with the vast expansion of the private securities sector. Frequent problems arise after outside roles expand without firms' knowledge. Firms' requirements on compensation disclosures were often unclear.

Action points: Legacy processes based on cookie-cutter forms and notifications need to reflect the complexity of private transactions. Firms need to anticipate complex securities transactions and their representatives’ exposures to sales networks such as crowdfunding.


Money launderers have sought new alternatives to heavily monitored bank accounts, and regulators have sharpened their focus on securities transactions. FINRA has clamped down on inadequate AML supervisory processes. With multiple channels for transactions, gaps are appearing in monitoring for suspicious activity on some feeds.

Action points: As with cyber protection, firms need to test for vulnerabilities. In addition to monitoring feeds, firms need to perform due diligence on the account level for higher risk clients.


Problems have arisen around structured products, complex alternative investments and mutual fund share classes designed for different client populations. Firms have launched products without adequate training for sales teams.

Action points: Firms are learning the tools of regulators who increasingly use data analytics to spot concentration of risky securities and identify the special disclosures and training such securities require.


An increase in trading venues has complicated the task of providing best execution, and exams are turning up more potential violations. Some firms are failing to review best execution to make sure speed and price considerations are tailored to clients' needs. Some firms have failed to do adequate comparisons and documentation of order execution.

Action points: Firms are taking special precautions when orders are executed in-house instead of on a competing market, given the potential conflict of interest. FINRA has conducted sweeps on execution through firms that pay for order flow, pointing to the need for additional oversight.


Firms offering customers direct access to trade are skimping on controls, the report said. It cited areas such as high-speed trading, where vulnerabilities arise over market manipulation through spoofing and other fraudulent practices. Some firms have fallen prey to clients who use multiple platforms. To handle such accounts, some have lacked advanced surveillance tools.

Action points: Firms are establishing pre-trade financial thresholds, monitoring tools for capital adequacy or credit exposure tailored to risk. Firms with small fixed-income exposure over direct access are monitoring their controls for the niche business.

The key findings are meant as a guide for firms in bringing compliance programs in line with FINRA requirements and also as a way to benchmark their effort on the best practices of leading firms.

In addition to the six top items, FINRA added a “summary of additional observations.” These include alternative investments in individual retirement accounts, net capital and credit risk assessments, order capacity, Regulation SHO (rules governing short selling “locates” and “close-outs” covering short sales) and TRACE (Trade Reporting and Compliance Engine) reporting as FINRA’s monitoring prepares for the emergence of the CAT (Consolidated Audit Trail) system that will replace it.

(Richard Satran is a financial journalist covering daily and emerging issues for Thomson Reuters Regulatory Intelligence.)

This article was produced by Thomson Reuters Regulatory Intelligence and initially posted on Dec. 11. Regulatory Intelligence provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Regulatory Intelligence compliance news on Twitter: @thomsonreuters
