Publication Date: 2025-01-28 | Regulator: FINRA
The 2025 FINRA Annual Regulatory Oversight Report highlights key areas of focus for financial firms, including anti-money laundering (AML) compliance, financial crime prevention, supervision of digital communications, and oversight of crypto assets. These priorities reflect the increasing regulatory expectations in a rapidly evolving financial landscape. Using FinregE’s AI Regulatory Insights Generator (RIG), we have analysed the report to extract key insights that firms need to be aware of. This blog outlines the main takeaways from FINRA’s findings, providing guidance on compliance requirements, effective practices, and areas where firms may need to strengthen their controls.

| FOCUS AREA | KEY REQUIREMENTS AND OBLIGATIONS | RELATED CONSIDERATIONS AND EFFECTIVE PRACTICES | FINDINGS |
|---|---|---|---|
| FINANCIAL CRIMES PREVENTION | · Anti-Money Laundering (AML) Compliance Program: FINRA Rule 3310 mandates that each firm develop and implement a written AML program approved by senior management, designed to comply with the Bank Secrecy Act (BSA) and its regulations. · CIP and CDD: Firms must establish and implement policies and procedures to detect and report suspicious transactions, conduct independent testing for compliance, provide ongoing training, and implement risk-based procedures for ongoing customer due diligence (CDD). · Customer Identification Program (CIP): Firms are required to verify the identity of customers and beneficial owners of legal entity customers. · Reporting Obligations: Firms must file Suspicious Activity Reports (SARs) when suspicious transactions are detected and respond to information requests from the Financial Crimes Enforcement Network (FinCEN) within specified timeframes. | Related Considerations · Firms should stay updated on new or amended laws, rules, and regulations, and adjust their written supervisory procedures (WSPs) and compliance programs accordingly. · The evolving landscape of financial crimes necessitates continuous monitoring and adaptation of compliance practices. Effective Practices · Education and Training: Educating firm personnel on recognizing red flags and how to communicate with customers suspected of being victims of fraud. · Monitoring Customer Behaviour: Monitoring for abrupt changes in customer behaviour, such as unusual withdrawal requests, which may indicate potential fraud. · Developing Response Plans: Creating response plans for situations where a customer has been victimized, including notifying trusted contacts and relevant authorities. · Conducting Risk Assessments: Performing formal, written AML risk assessments that are updated based on findings from independent tests, changes in the firm’s risk profile, or significant macroeconomic events. · Reviewing Regulatory Updates: Regularly reviewing alerts, advisories, and updates from regulatory bodies and incorporating relevant information into AML systems and procedures. · Limiting Outbound Transfers: Implementing limits on the amount and number of outbound transfers from brokerage accounts to mitigate risks of fraud. | · Misconstruing Obligations: Firms may fail to recognize certain formal relationships as customer relationships, leading to inadequate CIP and CDD. · Inadequate Policies and Procedures: Some firms do not establish clear and detailed policies regarding CIP and CDD requirements. · Verification Failures: Inadequate verification of customer identities, including not collecting necessary identifying information at account opening or failing to reevaluate information when suspicious activity is detected. · Inadequate Responses to Red Flags: Auto-approving customer accounts despite the presence of red flags, such as invalid Social Security numbers. |
| FIRM OPERATIONS | · Written Supervisory Procedures (WSPs): Firms are required to establish and maintain WSPs that are reasonably designed to achieve compliance with applicable securities laws and regulations, including those related to outside business activities (OBAs) and private securities transactions (PSTs). · Monitoring and Surveillance: Firms must implement monitoring systems to detect and prevent violations of securities laws, including the use of off-channel communications by associated persons. · Recordkeeping: Compliance with recordkeeping requirements under the Securities Exchange Act, including maintaining accurate and complete books and records. · Designating Qualified Personnel: Firms must designate qualified individuals, such as a Financial and Operations Principal (FINOP), to oversee compliance with financial and operational obligations. | Related Considerations · Firms should regularly review and update their WSPs to reflect changes in regulations, business models, and operational practices. · The importance of conducting periodic training for employees on compliance obligations and the implications of non-compliance. Effective Practices · Testing and Verification: Firms should test the capabilities of third-party recordkeeping vendors to ensure they can fulfil regulatory obligations, including simulating regulatory examinations. · Access to Books and Records: Ensuring that all personnel, including part-time FINOPs, have appropriate access to the firm’s books and records to fulfil their regulatory responsibilities. · Supervisory Procedures: Implementing robust supervisory procedures to monitor for signs of off-channel communications, including revising keyword searches regularly to adapt to business models. · Interdisciplinary Project Teams: Creating project teams that include staff from various departments (compliance, operations, legal) to address compliance gaps and implement effective practices. · Training and Awareness: Conducting regular training sessions for employees on the importance of compliance with WSPs and the implications of using off-channel communications. · Regular Compliance Reviews: Performing regular reviews of compliance programs and WSPs to identify gaps and areas for improvement based on findings from regulatory reports. | · Inadequate Reviews of Communications: Firms have been found to conduct inadequate reviews of electronic communications, failing to select appropriate samples or utilize targeted keyword searches. · Use of Off-Channel Communications: Associated persons using personal email accounts and other off-channel platforms to communicate with customers, which can lead to compliance risks. · Third-Party Vendor Supervision: Insufficient supervision of third-party vendors that support firms’ monitoring of electronic communications, resulting in lapses in compliance. · Failure to Identify Red Flags: Firms may not adequately monitor for indications that associated persons are using off-channel communications, leading to potential compliance breaches. |
| MEMBER FIRMS’ NEXUS TO CRYPTO | · Regulatory Compliance: Member firms must comply with federal securities laws and FINRA rules that apply to activities involving crypto assets that are classified as securities, including those offered and sold as investment contracts. · Communications with the Public: Under FINRA Rule 2210, firms are required to ensure that communications regarding crypto assets are accurate, not misleading, and include appropriate disclosures about the risks involved. · Supervision and Due Diligence: Firms must conduct appropriate due diligence on crypto asset private placements and ensure that they have adequate supervisory procedures in place to monitor these activities. · Anti-Money Laundering (AML) Compliance: Firms are obligated to establish and implement AML programs that are designed to detect and report suspicious transactions involving crypto assets. | Related Considerations · Firms should differentiate between crypto asset products and traditional broker-dealer products in their communications to avoid misleading customers. · The evolving nature of crypto assets necessitates continuous updates to compliance programs and training for personnel on the unique risks associated with these assets. Effective Practices · Due Diligence of Unregistered Offerings: Before offering crypto assets that are securities, firms should understand the exemption from registration, the custody of assets, and the mechanics of the crypto asset being offered. · On-Chain Reviews: Conducting risk-based on-chain assessments when accepting, trading, or transferring crypto assets, and establishing procedures for documenting these reviews. · Customer Outreach: Ensuring that customers understand the differences between brokerage accounts and linked crypto accounts, including the regulatory protections applicable to each. · Reviewing Retail Communications: Ensuring that retail communications about crypto assets provide a balanced presentation of risks, including the speculative nature of these assets and the lack of traditional regulatory protections. · Monitoring for Market Abuse: Implementing systems to monitor for manipulative trading practices associated with crypto assets, including pump-and-dump schemes and other forms of market abuse. · Training and Awareness: Providing ongoing training for employees on the unique risks associated with crypto assets and the importance of compliance with applicable regulations. | · Misleading Communications: Firms have been found to disseminate promotional materials that contain false or misleading statements regarding crypto assets, including failing to differentiate between crypto assets offered through affiliates and those offered directly by the firm. · Inadequate Due Diligence: Some firms did not conduct sufficient due diligence on crypto asset private placements, leading to potential compliance risks. · Failure to Address Risks: Firms often failed to appropriately address and disclose the risks associated with crypto assets in their communications with the public. · Lack of AML Programs: Inadequate establishment and implementation of AML programs designed to detect suspicious crypto asset transactions. |
| COMMUNICATION AND SALES | · FINRA Rule 2210 (Communications with the Public): Firms must adhere to principles-based content standards for written communications, which include correspondence, retail communications, and institutional communications. · Disclosure Requirements: Communications must clearly disclose risks associated with investment products, including fees, potential losses, and other material information. · Filing Requirements: New firms are required to file all widely disseminated retail communications with FINRA’s Advertising Regulation Department during their first year of membership, and all firms must comply with specified filing requirements based on content. · Supervision of Communications: Firms must establish and maintain a system for supervising communications disseminated on their behalf, including those made through social media and other digital platforms. | Related Considerations · Firms should ensure that all communications are accurate and not misleading, particularly in the context of emerging products such as crypto assets and complex financial instruments. · The importance of training employees on compliance with communication standards and the implications of non-compliance. Effective Practices · Procedures for Digital Communications: Establishing and enforcing procedures for the supervision of digital communication channels, including monitoring new tools and features available to associated persons and customers. · Training Programs: Implementing mandatory training programs for employees on the expectations for business and personal digital communications, including guidance on using firm-approved channels. · Monitoring and Review: Regularly monitoring communications for compliance with regulatory standards and conducting reviews of social media content to ensure adherence to FINRA rules. · Clear Risk Disclosures: Ensuring that all communications, especially those promoting complex products, include clear and prominent risk disclosures to balance promotional claims. · Gen AI Technology Compliance: When using generative AI technology for customer communications, firms should ensure compliance with applicable federal securities laws and FINRA rules, including appropriate supervision and retention of communications. · Disciplinary Actions: Implementing disciplinary measures for registered representatives who fail to comply with communication policies, including additional training requirements before regaining access to digital channels. | · Inadequate Supervision of Social Media Influencers: Firms have been found to lack adequate systems to supervise communications made by influencers on social media, including not reviewing or retaining influencer-generated content. · False and Misleading Information: Instances of firms distributing false or misleading promotions through various channels, including mobile apps and social media, which failed to disclose risks or made exaggerated claims. · Emerging Trends in Retail Communications: Findings related to registered index-linked annuities (RILAs) indicated inadequate explanations of how these products function, insufficient risk disclosures, and misleading statements regarding potential returns. · Failure to Comply with Regulatory Standards: Firms have been noted for not fully explaining the risks associated with options trading and other complex products, leading to potential investor misunderstandings. |
| MARKET INTEGRITY | · Market Access Rule (SEA Rule 15c3-5): Firms with market access must implement controls to manage the risks associated with market access to ensure the integrity of trading and the stability of the financial system. · Post-Trade Surveillance: Firms are required to conduct post-trade reviews to identify potentially manipulative trading patterns and ensure compliance with applicable regulations. · Consolidated Audit Trail (CAT): Member firms must comply with SEA Rule 613 and the CAT NMS Plan, which includes requirements for reporting to the CAT, maintaining accurate time stamps, and ensuring the completeness and timeliness of data. · Written Supervisory Procedures (WSPs): Firms must establish and maintain WSPs that are reasonably designed to ensure compliance with market integrity regulations, including those related to CAT reporting and market access controls. | Related Considerations · Firms should consider the unique risks associated with different trading environments, including extended hours trading and the use of alternative trading systems (ATS). · The importance of maintaining robust systems for monitoring trading activity and ensuring that controls are effective in preventing market manipulation. Effective Practices · Pre-Trade Financial Controls: Implementing systemic pre-trade “hard” blocks to prevent orders from reaching an ATS that would breach a threshold, along with tailored controls to prevent erroneous or duplicative orders. · Holistic Post-Trade Reviews: Conducting comprehensive post-trade and supervisory reviews to identify potentially manipulative trading patterns and ensure that all systems’ records are aggregated and integrated in a timely manner. · Regular Testing of Risk Management Controls: Firms should regularly test their market access controls, including performing annual reviews of business activity and maintaining documentation that evidences the rationale for continued use of implemented controls. · Mapping Internal Records to CAT Data: Maintaining a “map” that shows how the firm’s internal records correspond to the various fields reported to CAT, ensuring accuracy and completeness in reporting. · Supervisory Processes for Extended Hours Trading: Establishing supervisory processes that address the unique characteristics and risks of extended hours trading, including customer order handling and volatile market conditions. · Training and Awareness Programs: Providing ongoing training for employees on market integrity regulations, the importance of compliance, and the identification of potentially manipulative trading practices. | · Inadequate Post-Trade Surveillance: Firms have been found to fail in conducting adequate post-trade reviews for potential manipulation, leading to gaps in compliance and oversight. · Failure to Document Annual Reviews: Instances of firms not documenting their annual reviews of the effectiveness of risk management controls and supervisory procedures, which is essential for compliance. · Incomplete Reporting to CAT: Findings indicate that firms have failed to report certain reportable events to the CAT in a timely manner, including new order events and execution events. · Insufficient Controls for Market Access: Firms have been noted for not establishing adequate pre-trade order limits and controls to prevent erroneous or duplicative orders, which can jeopardize market integrity. |
| FINANCIAL MANAGEMENT | · Designation of Financial and Operations Principal (FINOP): Firms are required to designate a qualified FINOP as per FINRA Rule 1220(a)(4). The FINOP is responsible for the accuracy of financial reports and the supervision of individuals involved in the maintenance of the firm’s books and records. · Compliance with SEA Rule 15c3-1: Firms must comply with the net capital rule, which requires maintaining sufficient liquid assets to meet obligations and protect customer funds. · Segregation of Customer Assets: Firms must ensure the proper segregation of customer assets in accordance with regulatory requirements to protect customer funds and maintain financial integrity. · Liquidity Risk Management: Effective monitoring of liquidity and funding risks is essential, and firms must have practices in place to manage these risks, particularly during extreme market conditions. | Related Considerations · Firms should consider the implications of using part-time FINOPs, ensuring they have adequate access to the firm’s books and records and that their responsibilities are clearly defined. · The importance of maintaining robust financial reporting processes and ensuring that all financial reports are accurate and submitted in a timely manner. Effective Practices · Comprehensive Training for FINOPs: Providing comprehensive training for FINOPs, especially those working part-time, to ensure they understand their responsibilities and have access to all necessary information. · Regular Financial Reporting Reviews: Conducting regular reviews of financial reports and ensuring that all financial data is accurate and reconciled in a timely manner. · Liquidity Stress Testing: Implementing robust liquidity stress testing practices that account for various market scenarios and ensure that firms can meet their obligations under adverse conditions. · Documentation of Procedures: Maintaining thorough documentation of financial management procedures, including the rationale for financial decisions and the processes for monitoring compliance with financial regulations. · Supervisory Controls for Financial Operations: Establishing strong supervisory controls over financial operations, including regular audits and assessments of financial practices to ensure compliance with regulatory requirements. · Utilization of Technology for Financial Management: Leveraging technology to enhance financial reporting, monitoring, and compliance processes, ensuring that firms can efficiently manage their financial obligations. | · Inadequate Supervision of Part-Time FINOPs: Observations indicated that some firms employing part-time FINOPs did not provide them with adequate access to necessary records or did not supervise them effectively, leading to potential compliance issues. · Insufficient Liquidity Risk Management Practices: Findings revealed that some firms did not adequately stress-test their liquidity positions or account for material fluctuations in deposit requirements, which could jeopardize their financial stability. · Failure to Maintain Accurate Financial Records: Instances of firms failing to maintain accurate and complete financial records, which are essential for compliance with regulatory obligations. · Non-Compliance with Net Capital Requirements: Some firms were found to be non-compliant with net capital requirements, which could expose them to financial risks and regulatory penalties. |
With regulatory expectations becoming more stringent, financial firms must ensure their compliance programs are up to date and aligned with FINRA’s priorities. The 2025 report emphasizes the importance of robust monitoring, clear policies, and proactive risk management to maintain compliance in areas such as AML, digital communications, and market integrity. By leveraging AI-driven insights like those provided by FinregE RIG, firms can enhance their regulatory preparedness and reduce compliance risks.