Finra Red-Flags Cybersecurity, Product and Extracurricular Activities
The summary of compliance issues that the Financial Industry Regulatory Authority released this week as occurring with frequency or having disproportionate importance for investors and markets is a warning signal to advisors at large and small broker-dealers and independent advisory firms.
Observers of the fines and sanctions that the self-regulatory organization has imposed on firms and individuals in recent years for violating Securities and Exchange Commission rules and federal securities laws will find few surprises in Finra’s first public summary of recent exam findings. Unit investment trust sales and brokers’ outside business activities are suitability and supervisory flashpoints for firms and individuals alike, while insufficient cybersecurity and anti-money laundering programs continue to be growing systemic concerns.
In highlighting UITs and complex products such as leveraged and inverse exchange-traded funds as product suitability issues uncovered in recent routine exams of broker-dealers, Finra said the problem was universal to large and small firms alike. Brokers may be tempted to recommend early rollovers or exchanges of UITs to increase sales credits since they earn most of their fees at and shortly after offerings of the closed-end funds.
“The concerns that Finra had during the course of examinations with regard to the suitability of certain products and their supervision did not vary materially by firm size, but did occur more frequently in connection with certain product classes,” the report said.
Noting its hope that the findings will help firms adopt best practices of their peers, Finra endorsed firms that alert customers to product risks “in a way those customers could understand,” noting in particular the value of telling potential buyers the “consequences of selling and reinvesting in a new UIT prior to the initial UIT’s maturity using negative or positive consent letters.”
Regarding cybersecurity, the Finra report observed areas of weakness ranging from basic issues, such as failing to quickly terminate departing employees’ access to firm systems and failing to have processes to review prospective vendors’ cybersecurity preparedness, to the “greater challenges” that branch offices have in “managing passwords, implementing patches and software updates, updating anti-virus software, controlling removable storage devices, encrypting data and reporting incidents.”
The report did not distinguish among issues found at independent broker-dealers versus conventional firms, but noted that “some medium- and small-sized firms” did not follow best-practice procedures in controlling which employees and application developers can get access to sensitive data because of a failure to assign responsibilities for requesting, implementing and approving cybersecurity rules and systems changes.
Finra does not have supervisory authority over registered investment advisory firms, as opposed to broker-dealers, but observers said the report should be of interest to brokers considering moving to small RIAs that are, of course, subject to SEC rules.
Finra said it released its first summary of exam findings on Wednesday to help member firms perhaps “address potential areas of concern well before their own cycle examinations.” In the introduction to its summary of recent findings, it noted that the report “should not be read as creating new legal or regulatory requirements or new interpretations of existing requirements.”