FINRA Issues 2021 Report on its Examination and Risk Monitoring Program

Released on February 1, the Financial Industry Regulatory Authority (FINRA) 2021 Report on its Examination and Risk Monitoring Program (Report) provides a roadmap for member firms to use to prepare for examinations and to review and assess compliance and supervisory procedures related to business practices, compliance, and operations. The Report replaces two of FINRA’s prior annual publications: (1) the Report on Examination Findings and Observations, which provided an analysis of prior examination results, and (2) the Risk Monitoring and Examination Program Priorities Letter, which highlighted areas FINRA planned to review in the coming year.

This year’s Report covers four major areas: (i) firm operations, (ii) communications and sales, (iii) market integrity, and (iv) financial management.

For each regulatory obligation discussed, the Report (1) identifies the applicable rule and key related considerations for member firm compliance programs, (2) summarizes noteworthy findings from recent examinations and outlines effective practices that FINRA observed during its oversight, and (3) provides additional resources that may be helpful to member firms.

Firms should review the Report in connection with their compliance and supervisory procedures and consider enhancements as appropriate. Firms should be prepared to explain their compliance and supervisory policies in these areas in their upcoming FINRA examinations and provide documentation of relevant reviews. The following discussion focuses on FINRA’s most notable exam findings and recommended practices.

Firm operations

The first section of the Report covers operations issues related to anti-money-laundering (AML), cybersecurity and technology governance, outside business activities, books and records, regulatory event reporting, and fixed income markup disclosure.

FINRA identifies that many firms employed inadequate AML transaction monitoring and failed to account for AML risks relating to cash management accounts, which led to issues in monitoring, investigating, and reporting suspicious activities related to money movement. Investments in issuers based in restricted markets, microcap and penny stocks, and special-purpose acquisition companies (SPACs) were identified as emerging AML or financial crime risks. FINRA suggests that firms, as an initial matter, should bolster their customer identification programs by confirming customers’ identification using multiple methods. In addition, firms should increase their focus on testing AML procedures and provide appropriate training to their AML personnel. FINRA also observed that some introducing firms improperly relied on their clearing firms for transaction monitoring and suspicious activity reporting; FINRA suggests that introducing firms should ensure they have a complete understanding regarding which responsibilities have been allocated to their clearing firms and should establish policies and procedures to comply with the obligations that remain with the introducing firm.

Cybersecurity has been a perennial emphasis for FINRA, and even more so in this remote work environment. In recent exams, FINRA observed inadequate access controls that led to unauthorized access to critical systems and confidential data. In addition, FINRA observed issues related to insufficient oversight for technology changes and insufficient policies to review the cybersecurity controls of existing technology vendors. FINRA suggests that firms put additional resources into collaborating across technology, risk, compliance, fraud, and internal investigations/conduct departments to assess key risk areas, monitor access and entitlements, and investigate potential violations of firm rules or policies with regard to data access by firm personnel or outside vendors.

One notable observation from the Report related to outside business activities (OBAs) and private securities transactions (PSTs) is that many firms incorrectly assume that no digital assets are securities and therefore do not evaluate or supervise the activities of associated persons who engage in OBAs relating to digital assets that do qualify as securities. FINRA suggests that firms create checklists with a list of considerations to confirm whether digital asset activities would be considered OBAs or PSTs, including reviewing private placement memoranda or other materials and analyzing the underlying products and investment vehicle structures. FINRA further encourages firms to conduct thorough reviews of publicly available data in supervising OBAs, noting that some financial advisers have obtained Paycheck Protection Program loans for undisclosed outside business activities and that this information could be identified through public records.

FINRA also observes that many firms have not performed due diligence to verify their vendors’ ability to comply with books and records requirements. FINRA suggests that firms review their vendor contracts and test the capabilities of each of their vendors. Further, on the topic of regulatory events reporting, FINRA notes that the associated persons of many firms have failed to report complaints or other events to their firms’ compliance departments. To address these issues, firms should use email surveillance techniques and review publicly available information to identify relevant issues.

The Report also addresses recent amendments to FINRA Rule 2232 and the Municipal Securities Rulemaking Board’s Rule G-15, which have required firms to provide additional transaction-related information to retail customers for certain trades in corporate, agency, and municipal debt securities (other than municipal fund securities). FINRA has observed various types of incorrect disclosures and other practices inconsistent with these recently amended rules. Firms should review their confirmation systems and collaborate with their clearing firms to formulate processes that result in proper and accurate disclosures.

Communications and sales

The Report addresses Regulation BI (Reg BI) and Form CRS, communications with the public, private placements, and variable annuities.

In its recent exams, FINRA has found many instances of firms making misrepresentations related to cash management accounts and digital assets. FINRA advises firms to implement comprehensive procedures for their communications, including with respect to certain products such as digital assets. Regarding private placements, FINRA has found that many firms have participated in offerings without performing the necessary due diligence, and FINRA suggests that firms create private placement checklists and perform independent research on the material aspects of each private placement offering, including procedures to determine compliance with FINRA Rules 5122 and 5123, which could trigger filings with FINRA. In addition, FINRA notes that firms should evaluate whether participating in certain offerings, such as Regulation A offerings or SPACs, may require the firm to file a continuing membership application with FINRA and obtain its preapproval. FINRA will also focus on app-based platforms with interactive or “gamelike” features that are intended to influence customers and the appropriateness of the activity that they are approving clients to undertake through those platforms.

Regarding variable annuities, FINRA has observed that firms have not adequately addressed issues where customers that accept buyouts may be losing valuable benefits or instances where customers receive recommendations that are inconsistent with their investment objectives. FINRA suggests that firms perform holistic reviews of their supervision over buyouts and recommendations and offer additional training to all registered representatives regarding these issues.

Further, while the Report briefly discusses Reg BI, FINRA states that it is in the early stages of reviewing for compliance with these new obligations and that the Report does not include exam findings or effective practices relating to Reg BI and Form CRS. However, FINRA states that it intends to expand its testing of Reg BI and Form CRS in 2021 to give it a more comprehensive view of firms’ implementation of those rules.

Market integrity

The market integrity section of the Report covers the Consolidated Audit Trail (CAT), best execution, large-trader reporting, market access, and the vendor display rule.

FINRA has observed firms inadequately tracking and reviewing execution quality versus competing market execution quality, performance of certain order types, and certain metrics such as speed of execution and price improvement. As a related issue, FINRA has observed firms providing inadequate Rule 606 disclosures. FINRA emphasizes that firms should conduct regular and rigorous reviews of execution quality on a quarterly basis or more often if required by the firm’s business model. In particular, FINRA has focused on “zero commission” trading and any impact on order-routing practices. Firms should also update their procedures to account for market and technology changes.

Concerning large-trader reporting, the Report states that firms have simply failed to create procedures to address the relevant requirements, including timely filing of Form 13H. FINRA reminds firms to review their procedures to ensure that the relevant requirements are addressed and to complete daily large-trader calculations to monitor for large-trader status.

Market access is often a focus of FINRA exams. Recently, FINRA has found many firms using insufficient controls and limits in addition to overreliance on third-party vendor tools to effect the required financial controls. To account for these issues, FINRA suggests that firms use rigorous testing of their controls and holistic supervision to monitor for potential manipulative trading patterns, among other things.

Regarding vendor display, FINRA observes that firms have provided inaccurate information or failed to provide the required elements under Rule 603 and suggests that firms focus on performing comprehensive reviews of their data display systems and validating information against publicly available sources. Further, regarding the recently adopted CAT rules, the Report states that FINRA is in the early stages of reviewing for compliance with certain CAT rules and therefore does not yet have findings to report.

Financial management

The financial management section of the Report covers net capital, liquidity management, credit risk management, and segregation of assets and customer protection.

The Report details various issues related to net capital, such as incorrect classification of assets (including receivables), liabilities, and revenue, in addition to incorrect capital charges for certain items and inaccurate recording of revenue and expenses. FINRA suggests that firms develop more robust training programs and perform periodic assessments of their net capital treatment with respect to various items, including assets such as CD products, specifically whether account agreements for CDs contain stipulations restricting withdrawals before maturity. FINRA notes that for firms with expense sharing agreements, firms should carefully review their allocation methodology and documentation to support their allocations.

FINRA notes that firms should ensure that if they are acting as chaperones under SEC Rule 15a-6(b)(3), they are appropriately taking required fail net capital charges and that they maintain appropriate blotters reflecting fails.

FINRA notes that firms should review their policies and procedures to ensure that they are reflecting moment-to-moment and open contractual commitment charges on firm commitment underwritings and that firms understand their role in an offering as “best efforts” or firm commitment.

FINRA has observed firms inadequately adjusting their liquidity controls, which has led to difficulties in accounting for their business. FINRA reminds firms that they should continue to update their liquidity risk management practices to account for factors such as quality of funding sources, potential mismatches in duration between liquidity sources and uses, and potential losses of counterparties. FINRA notes that firms should review their policies and procedures to ensure compliance with SEC Rule 17a-3(a)(23) to make and keep records documenting that they maintain adequate credit, market, and liquidity risk management controls.

Many firms have implemented deficient processes related to credit risk management by performing no credit risk management reviews or by not monitoring exposure to affiliated counterparties. FINRA recommends that firms develop comprehensive controls to capture, measure, and manage relevant factors related to their credit risk.

Finally, the Report addresses failures with respect to remediating segregation deficits (in possession or control of customers’ fully paid securities or excess margin securities), including understanding the cause of the deficit and appropriate resolution and ensuring control locations are appropriately coded as “good” or “non-good.” FINRA notes that some firms have inadequate policies and procedures with respect to determining whether the firm is acting as custodian with respect to digital securities. FINRA also notes that some firms that operate under an exemption from the customer protection rule do not transmit (in a timely manner) customer checks that they receive to their clearing firms. Moreover, FINRA has observed that some firms have inaccurate reserve formula calculations due to errors in coding arising from limited personnel training and staff turnover as well as from inadequate communication within the firm and gaps in reconciliation calculations. As such, FINRA states that firms should ensure that the proper departments within each firm are coordinating appropriately and that the relevant personnel receive appropriate training.


The Report covers a wide array of topics and discusses themes that were commonly found in past versions of FINRA’s Risk Monitoring and Examination Program Priorities Letter and its Report on Examination Findings and Observations. In addition, the Report speaks to some newer areas of focus, including Reg BI, CAT, and the marketing and monitoring of digital asset activity. As detailed here, firms should review their practices and procedures in each of the areas and be prepared to address these areas in future examinations.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.