4 Key Issues and How to Address Them

During Reg BI’s and Form CRS’ first full calendar year of implementation in 2021, FINRA expanded the scope of its reviews and testing relative to 2020 “to execute a more comprehensive review of firms’ processes, practices and conduct in areas such as establishing and enforcing adequate written supervisory procedures (WSPs); filing, delivering and tracking accurate Forms CRS; making recommendations that adhere with Reg BI’s Care Obligation; identifying and mitigating conflicts of interest; and providing effective training to staff,” according to FINRA’s 2022 exam report.

Exam Findings

FINRA observed the following noteworthy findings from examinations for compliance with Reg BI and Form CRS.

• Written supervisory procedures (WSPs) that were not reasonably designed to achieve compliance with Reg BI and Form CRS
• Inadequate staff training
• Failure to comply with care obligation
• Insufficient Reg BI disclosures
• Deficient Form CRS filings

Considerations for Reviewing Current Practices

FINRA says that member firms should ask themselves these questions among others, when reviewing current Reg BI compliance practices.

• Do your firm and your associated persons consider costs and reasonably available alternatives when making recommendations to retail customers?
• Are your firm’s policies and procedures reasonably designed to identify and disclose or eliminate conflicts, as well as to mitigate conflicts that create an incentive for an associated person of the firm to place his or her interests or the interest of the firm ahead of the retail customer’s interest?
• How does your firm test its policies and procedures to determine if they are adequate and performing as expected?
• What controls does your firm have to assess whether disclosures are provided timely, and if provided electronically, in compliance with the SEC’s electronic delivery guidance?
• Do your firm’s policies and procedures address Reg BI, including new obligations that did not exist before Reg BI?

Effective Practices

FINRA noted the following effective practices, learned from its examination of member firms.

• Establishing and implementing policies and procedures to identify and address conflicts of interest across business lines, compensation arrangements, relationships or agreements with affiliates, and activities of their associated persons.
• Establishing product review processes to identify and categorize risk and complexity levels for existing and new products to mitigate the risk of making recommendations that might not be in a retail customer’s best interest.
• Enhancing systems to track and deliver Form CRS and Reg BI-related documents to retail investors and retail customers.
• Monitoring associated persons’ compliance with Reg BI by conducting monthly reviews to confirm that their recommendations meet Care Obligation requirements, including system-driven alerts or trend criteria.
• Incorporating Reg BI-specific reviews into the branch exam program as part of overall Reg BI compliance efforts, focusing on areas such as documenting Reg BI compliance and following the firm’s Reg BI protocols.
• Preparing associated persons to comply with the requirements of Reg BI beyond previous suitability obligations or Form CRS.

Confirming that associated persons, firms or both, use the terms “advisor” or “adviser” in their titles or firm names correctly, based on whether they have the appropriate registration.

How RegEd Helps

RegEd offers the following solutions to improve compliance with Reg BI and Form CRS requirements.

• Advertising Review
• Annual Compliance Meeting On-Demand
• Branch Audit Management
• Compliance Questionnaires
• Education & Training
• Policies & Procedures Management

FINRA has continued to see increases in the number and sophistication of cybersecurity threats. As such, it will “continue to assess firms’ programs to protect sensitive customer and firm information.” Regulatory obligations and related considerations for cybersecurity and technology governance include:

Rule 30 of the SEC’s Regulation S-P, which requires WSPs for safeguarding customer records and information; and FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information), which applies to denials of service and other interruptions to members’ operations.

“In addition to firms’ compliance with SEC regulations, FINRA reminds firms that cybersecurity remains one of the principal operational risks facing broker-dealers and expects firms to develop reasonably designed cybersecurity programs and controls that are consistent with their risk profile, business model and scale of operations,” according to the report.

Exam Findings

FINRA’s findings from recent examinations included:

• Inadequate risk assessment processes
• Not encrypting all confidential data and sensitive firm information
• Not maintaining branch-level written cybersecurity policies
• Not implementing access controls
• Inadequate change management supervision

Considerations for Reviewing Current Practices

FINRA says that member firms should ask themselves these questions among others, when reviewing cybersecurity program effectiveness.

• What is the firm’s process for continuously assessing cybersecurity and technology risk?
• What kind of training does your firm conduct on cybersecurity, including phishing?
• What are your firm’s procedures to communicate cyber events to anti-money laundering (AML) or compliance staff related to meeting regulatory obligations, such as the filing of suspicious activity reports (SARs) and informing reviews of potentially impacted customer accounts?
• How does your firm document system change requests and approvals?
• What are your firm’s procedures for tracking information technology problems and their remediation? Does your firm categorize problems based on their business impact?

Effective Practices

FINRA noted the following effective practices, learned from its examination of member firms.

• Assessing key risk areas, monitoring access and entitlements, and investigating potential violations of firm rules or policies regarding data access or data accumulation by collaborating across technology, risk, compliance, fraud, and internal investigations/conduct departments.
• Establishing and regularly testing (often using tabletop exercises) a written formal incident response plan that outlines procedures for responding to cybersecurity and information security incidents; and developing frameworks to identify, classify, prioritize, track and close cybersecurity-related incidents.
• Implementing change management procedures to document, review, prioritize, test, approve, and manage internal and third-party hardware and software changes, as well as system capacity, to protect non-public information and firm services.

How RegEd Helps

RegEd offers the following solutions to improve compliance with cybersecurity and technology governance regulations.

• Branch Audit Management
• Education & Training
• Incident Management
• Policies & Procedures Management

FINRA Rule 2210 (Communications with the Public) defines all communications into three categories—correspondence, retail communications, or institutional communications—and sets principles-based content standards that are designed to apply to ongoing developments in communications technology and practices. It also requires firms to file retail communications with FINRA’s Advertising Regulation Department during their first year of FINRA membership.

FINRA Rule 2220 (Options Communications) governs members’ communications with the public concerning options. Additionally, MSRB Rule G-21 (Advertising by Brokers, Dealers, or Municipal Securities Dealers) contains similar content standards relating to municipal securities or concerning the facilities, services, or skills of any municipal dealer.

Exam Findings

FINRA observed the following noteworthy findings from recent examinations for compliance with Communications with the Public regulations.

• Deficient communications promoting digital assets
• Insufficient supervision and recordkeeping for digital communications
• No written supervisory procedures (WSPs) and controls for communication that use non-member names (so-called “doing business as” or “dba” names)
• Misrepresentations in cash management account communications
• False, misleading, and inaccurate information in mobile apps

Considerations for Reviewing Current Practices

FINRA says that member firms should ask themselves these questions among others when reviewing for compliance with communications standards.

• Do your firm’s communications contain false, misleading, or promissory statements or claims?
• Do your firm’s communications include material information necessary to make them fair, balanced, and not misleading?
• Has your firm established and implemented a comprehensive supervisory system for communications through mobile apps?
• Does your firm’s digital communication policy address all permitted and prohibited digital communication channels and features available to your customers and associated persons?
• How does your firm supervise and maintain books and records in accordance with SEC and FINRA Books and Records Rules for all approved digital communications?

Effective Practices

FINRA noted the following effective practices, learned from its examination of member firms.

• Maintaining and implementing procedures for supervision of digital communication channels.
• Implementing supervisory review procedures tailored to each digital channel, tool, and feature.
• Developing WSPs and controls for live-streamed public appearances, scripted presentations, or video blogs.
• Implementing mandatory training programs before giving access to firm-approved digital channels, including expectations for business and personal digital communications and guidance for using all permitted features of each channel.
• Maintaining and implementing procedures for outside business activity (OBA) names.

How RegEd Helps

RegEd offers the following solutions to improve compliance with regulations for communications with the public.

• Advertising Review
• Education & Training
• Outside Business Activities Questionnaires
• Policies & Procedures Management

FINRA Rule 4512(a)(1)(F) (Customer Account Information) requires firms to make a reasonable effort to obtain the name and contact information for a trusted contact person (TCP) for each non-institutional customer account. FINRA Rule 4512 also describes the circumstances in which firms and their associated persons are authorized to contact the TCP and disclose information about the customer account.

Exam Findings

FINRA observed the following noteworthy findings from recent examinations for compliance with requirements for trusted contact persons.

• Not making a reasonable attempt to obtain the name and contact information of a TCP for all non-institutional customers
• Not providing a written disclosure explaining the circumstances under which the firm may contact a TCP when seeking to obtain TCP information

Considerations for Reviewing Current Practices

FINRA says that member firms should ask themselves these questions among others when reviewing for compliance with TCP requirements.

• Has your firm established an adequate supervisory system, including WSPs, for seeking to obtain and use the names and contact information for TCPs?
• Does your firm educate registered representatives about the importance of collecting and using trusted contact information, where possible?

Effective Practices

FINRA noted the following effective practices, learned from its examination of member firms.

• Conducting training, for both front-office and back-office staff, on the warning signs of potential customer exploitation, diminished capacity, and fraud perpetrated on the customer.
• Emphasizing from the senior-management level on down the importance of collecting TCP information.
• Establishing a system that notifies registered representatives when accessing non-institutional customer accounts that do not have a TCP listed and reminds them to request that information from customers.

How RegEd Helps

RegEd offers the following solutions to improve compliance with TPC requirements.

• Education & Training
• Incident Management
• Policies & Procedures Management