Wednesday, January 18, 2023

FINRA adds financial crimes section to its annual examinations report

By John Filar Atwood

FINRA’s 2023 report on its examinations and risk monitoring program includes a new section on financial crimes with staff insights that originated from FINRA’s market surveillance activities. The report, which is intended to help member firms enhance their compliance programs, also covers the following topics that were not included in previous reports: manipulative trading, fractional shares, Regulation SHO, and fair pricing for fixed income securities.

The report covers 24 topics in total and identifies the applicable rules for member firm compliance programs, summarizes noteworthy findings from recent examinations, and outlines effective practices that FINRA observed. Along with the new topic areas, this year’s report highlights topics of perennial interest such as cybersecurity, the consolidated audit trail, and order handling and best execution.

Financial crimes. In the new financial crimes section, FINRA said that in the area of cybersecurity and technological governance it has observed instances of ineffective account access authentication, such as a lack of multifactor authentication for login access to the firm’s systems. It also has observed ineffective processes for validating the identity of customers opening new accounts or detecting suspicious activity associated with the opening of new accounts.

Other problems include firms implementing a generic identity theft prevention program that is not adequate for the firm’s size and complexity. In addition, the staff found instances where firms were not monitoring network activity to identify unauthorized copying or deletion of customer or firm data, and not monitoring outbound emails to identify sensitive customer data in text or attachments.

Effective practices undertaken by firms include completing regular backups of critical data and systems and ensuring the backup copies are encrypted and stored off-network. Some firms regularly assess their cybersecurity risk profile based on changes in the firm’s size and business model and newly identified threats, and some monitor the internet for any new imposter domains that pretend to represent the firm or a registered representative, FINRA noted. The staff also approved of firms that have implemented systems that scan outbound email text and attachments to identify and potentially block sensitive customer information or confidential firm data.

Manipulative trading. In the area of manipulative trading, the staff observed instances where firms did not identify specific steps and individuals responsible for monitoring for manipulative conduct. Other firms did not design and establish surveillance controls to capture manipulative trading or did not adequately monitor customer activity for patterns of potential manipulation, according to FINRA.

Effective practices identified by FINRA include maintaining and reviewing customer and proprietary data to detect manipulative trading schemes, and monitoring activity occurring across multiple platforms that also may involve related financial instruments or multiple correlated products. The staff also observed instances where firms designed a robust surveillance program to detect firms’ customers engaging in potential momentum ignition trading, and developed a robust supervisory system to safeguard material, non-public information to prevent front running and trading ahead.

Fixed income fair pricing. In this section of the report, FINRA noted that some firms are determining the prevailing market price incorrectly by not following the contemporaneous cost presumption or the waterfall required by FINRA Rule 2121 and MSRB Rule G-30. Firms also are using mark-up/mark-down grids without periodically reviewing and updating them and charging substantial mark-ups in short-term fixed-income securities that may significantly reduce the yield received by the investor.

Appropriate practices in this area include documenting the prevailing market price for each transaction, even if it does not require a mark-up disclosure, and conducting periodic reviews of the firm’s mark-ups/mark-downs and comparing them with industry data provided in industry analysis reports. The staff also found the effective use of exception reports or outside vendor software to ensure compliance with FINRA Rule 2121 or MSRB G-30, including periodic reviews and updates of the reports’ parameters so they perform as intended as market conditions change.

Regulation SHO. On this topic, FINRA staff indicated that it has seen instances where firms have failed to distinguish bona fide market making from other proprietary trading activity that is not eligible to rely on Reg. SHO’s bona fide market making exceptions. Those have included quoting only at maximum allowable distances from the inside bid/offer, posting quotes at or near the inside ask but not at or near the inside bid, only posting bid and offer quotes near the inside market when in possession of an order, and displaying quotations that are not firm and are only accessible to a small set of subscribers to a firm’s trading platform.

The staff said that it has also seen firms relying on the guidance under Question 4.4 of the SEC’s Reg. SHO FAQ but not taking steps to confirm that locates are not reapplied to short sales of threshold or hard to borrow securities. Some firms do not have a process in place to prevent the execution of any short sale orders in threshold or hard to borrow securities that involve the application of locates, the staff added.

According to FINRA, effective practices include developing supervisory systems for, and conducting supervisory reviews of, market making activity to ensure that any reliance on Reg. SHO bona fide market making exceptions is appropriate. The staff also encouraged firms to develop appropriate policies and procedures to adhere to the guidance provided in Question 4.4 of the SEC’s Reg. SHO FAQ.