24 January 2020

SEC and FINRA Issue 2020 Examination Priorities (Including Cybersecurity) for Broker-Dealers and Investment Advisers

The U.S. Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) and the Financial Industry Regulatory Authority (FINRA) recently published their examination priorities (together, the Examination Priorities) for the 2020 calendar year.1 In general, the 2020 Examination Priorities continue recurring themes from recent prior years.

OCIE’s 2020 Examination Priorities for broker-dealers and investment advisers include the protection of retail investors (including compliance with new standard of care requirements and interpretations), cyber and information security risks, anti-money laundering compliance, firms engaging in the digital asset space and the provision of electronic investment advice.

FINRA’s 2020 Examination Priorities for member firms include those generally identified by OCIE for registered broker-dealers, as well as cash management and bank sweep programs, initial public offerings, liquidity management, trading authorizations and order routing and vendor display rule requirements, among others.

This post summarizes selected aspects of the Examination Priorities that may be of particular interest to broker-dealers and investment advisers. As always, firms should use the 2020 Examination Priorities to review their compliance and supervisory procedures carefully and make any necessary revisions. Firms also should be prepared to explain their compliance and supervisory policies in these areas in their upcoming SEC and/or FINRA examinations, as applicable, and provide documentation of relevant reviews.

HIGHLIGHTS OF THE SEC’S EXAMINATION PRIORITIES FOR BROKER-DEALERS AND INVESTMENT ADVISERS

Following are the highlights of OCIE’s 2020 Examination Priorities for broker-dealers and investment advisers.

Focus Areas for Both Broker-Dealers and Investment Advisers

The following core areas of focus are common to both SEC registered broker-dealers and SEC registered investment advisers (RIAs), although the specifics of what OCIE examines for will depend on a firm’s registration status and the nature of its business.

Protection of Retail Investors 

 For both broker-dealers and investment advisers, OCIE will continue to emphasize the protection of retail investors, particularly seniors and those saving for retirement. In particular, firms can expect OCIE examinations to focus on the following core areas with respect to retail investors (which may include retail customers, clients and fund investors):

  • Fraud, Sales Practices and Conflicts of Interest
    OCIE will look for compliance with requirements regarding disclosures to investors (including those relating to fees and expenses, conflicts of interest and employees’ outside business activities), as well as the implementation of supervisory systems and controls designed to oversee activities and ensure that required disclosures are timely and accurate.
    OCIE also will focus on recommendations and advice provided to retail investors, with a particular emphasis on seniors, retirees, teachers and military personnel, as well as products that the SEC considers higher risk (e.g., products that carry higher fees and expenses, are complex or nontransparent, and situations in which the issuer is affiliated with the firm making the recommendation).
    In addition, for RIAs, OCIE will continue to examine for fulfillment of a firm’s duties of care and loyalty under the Investment Advisers Act of 1940, as amended (Advisers Act), with a particular focus on whether a firm’s advice is in the best interest of its clients and whether the firm has eliminated or at least appropriately disclosed all conflicts of interest.
  • Retail-Targeted Investments
    OCIE will continue to focus on investment products marketed and sold to retail investors, including mutual and exchange-traded funds, municipal and other fixed income securities and microcap securities.
    Among other things, examiners will look for financial incentives that may influence the selection of particular mutual fund share classes and will seek to ensure that investors are receiving fee discounts consistent with applicable requirements, including a firm’s policies, contractual commitments and disclosed breakpoints.

    Broker-dealers can also expect to have their trading activity in municipal and corporate bonds examined for compliance with (i) best execution obligations, (ii) fair pricing, commissions and mark-ups/mark-downs, and (iii) confirmation disclosure requirements.
    With respect to microcap securities, OCIE will seek to identify broker-dealers that may be engaged in, or aiding and abetting, pump and dump or other market manipulation schemes, as well as illegal distributions of securities of smaller cap companies. Broker-dealers may be selected for examination based on their market making or other significant trading activity in unlisted securities, as well as employing registered personnel with disciplinary history. Focus areas for such examinations will include sales practices, supervision of high-risk personnel and compliance with key regulatory requirements (including Rule 15c2-11 under the Securities Exchange Act of 1934, as amended (Exchange Act), the locate requirement of Regulation SHO and the obligation to file suspicious activity reports (SARs)).
  • Standards of Care (Including New Regulation Best Interest and Form CRS)
    OCIE examiners will focus on firms’ preparedness for, and compliance with, applicable standard of care requirements.

    Regulation Best Interest. Prior to the June 30, 2020 compliance date for new Regulation Best Interest (Regulation BI), OCIE will engage with broker-dealers regarding their preparedness to comply with the new requirements.2 After the compliance date, OCIE will examine for implementation of the new requirements, including for policies and procedures regarding conflicts of interest and the content and delivery of Form CRS.3
    Interpretation Regarding Standard of Conduct for Investment Advisers. As previously noted, OCIE will continue to examine RIAs for compliance with their fiduciary obligations. This will include reviewing firms’ conduct in light of the SEC’s 2019 Interpretation Regarding Standards of Conduct for Investment Advisers, as well as the content and delivery of Form CRS.4

Information Security 

OCIE will continue to focus on information security, including with respect to governance and risk management issues (particularly with respect to oversight of third-party service providers), retail trading and compliance with Regulations S-P and S-ID, the configuration of network storage devices and the proper disposal of retired hardware to protect client and firm information. OCIE will also continue to focus on broker-dealers’ controls surrounding mobile and online access to customer brokerage account information, as well as RIAs’ protection of their clients’ personal financial information (with respect, for example, to access controls, data loss prevention, training, and incident response and resiliency).

Financial Technology (FinTech) and Digital Assets

One notable addition to OCIE’s Examination Priorities this year is a focus on FinTech and innovation. The addition of FinTech to the 2020 priorities highlights OCIE’s commitment to keep up with the rapid pace of developments in the FinTech space and with the attendant risks to investors. Specifically, OCIE will continue to assess the effectiveness of compliance and controls related to firms’ use of alternative data and technologies.

The digital asset market, which includes cryptocurrencies, coins and tokens, has grown rapidly and continues to be an area of focus for OCIE. Areas of exam focus will include investment suitability, portfolio management and trading practices, safety of client funds and assets, pricing and valuation, effectiveness of compliance programs and controls, and supervision of employees’ outside business activities.

Firms Registered as Municipal Advisors 

OCIE will continue to examine municipal advisors (including broker-dealers and RIAs dually registered as municipal advisors) for compliance with registration, professional qualification and continuing education requirements. OCIE will also focus on municipal advisors’ fulfillment of applicable standards of care and the management and disclosure of conflicts of interest.

Additional Focus Areas Specific to Broker-Dealers

Broker-dealer examinations will also focus on the following additional areas, as applicable to a firm’s business:

  • Financial Responsibility
    For broker-dealers that hold customer assets, OCIE will examine for proper safeguarding of customer cash and securities in accordance with the customer protection rule (Exchange Act Rule 15c3-3) and the net capital rule (Exchange Act Rule 15c3-1), including assessing the adequacy of a firm’s processes, procedures and controls related thereto.
  • Trading and Risk Management Practices (Including Best Execution)
    Examiners will focus on broker-dealers’ trading and risk management practices, including with respect to “odd lots” and best execution obligations. OCIE will also examine broker-dealers’ controls relating to the use and supervision of automated trading algorithms, as well as firms’ internal procedures and controls to manage trading risk generally.
  • AML Programs
    OCIE will continue to prioritize broker-dealers’ anti-money laundering compliance, including an assessment of whether firms are appropriately satisfying customer identification and due diligence obligations and filing SARs as required.

Additional Focus Areas Specific to Investment Advisers

Investment adviser examinations will also focus on the following additional areas, as applicable:

  • Never-Before-Examined RIAs and Private Fund Advisers
    OCIE will continue to prioritize risk-based examinations of RIAs that have never been examined, including newly-registered advisers. OCIE also will prioritize examinations of certain investment advisers that have not been examined for a number of years, focused on whether their compliance programs are being appropriately kept up to date with growth and changes to their business.  Examinations of RIAs to private funds will focus on those having a greater retail impact, such as firms that manage separately managed accounts side-by-side with private funds, as well as on compliance risks such as misuse of material, non-public information, conflicts of interest and related disclosure, and the use of adviser affiliates for client services.
  • Advisers to Mutual Funds and ETFs
    OCIE will prioritize examinations of RIAs that advise mutual funds and ETFs. Exam focus areas include (i) RIAs that use third-party administrators to sponsor the mutual funds they advise or are affiliated with and (ii) RIAs to private funds that also manage a registered investment company with a similar investment strategy.
  • Dually-registered Advisers and Use of Third-Party Asset Managers
    OCIE will continue to prioritize examinations of RIAs that are dually registered as, or are affiliated with, broker-dealers, or have supervised persons who are registered representatives of unaffiliated broker-dealers. OCIE also will prioritize examining firms that utilize the services of third-party asset managers to advise clients’ investments.
  • Electronic Investment Advice
    Examinations of RIAs that provide services to clients through automated investment tools and platforms (often referred to as robo-advisers) will focus on, among other things, SEC registration eligibility, cybersecurity policies and procedures, marketing practices, adherence to fiduciary duty (including adequacy of disclosures) and effectiveness of compliance programs.

OCIE Examination Trends

OCIE completed 3,089 examinations in FY 2019. While this represents a 2.7% decrease from FY 2018, OCIE attributes the relatively small decrease to the month-long suspension of examinations during the 2019 government shutdown. Compared with FY 2017, the number of examinations has increased almost 7%. FY 2019 continued the trend of devoting resources to examine RIAs. OCIE has increased its examination coverage of RIAs over the past several years from 10% in FY 2014 to a high of 17% in FY 2018. In FY 2019, OCIE examined approximately 15% of all RIAs, notwithstanding the government shutdown in early 2019. OCIE also completed over 350 examinations of broker-dealers and over 160 examinations of FINRA, including examinations of critical FINRA program areas, as well as oversight reviews of FINRA examinations.

HIGHLIGHTS OF FINRA’S EXAMINATION PRIORITIES FOR MEMBER FIRMS

FINRA’s annual Risk Monitoring and Examination Priorities Letter (Letter) identifies topics on which its risk monitoring, surveillance and examination programs will focus in 2020. Continuing the approach commenced in 2019, the Letter primarily discusses new and emerging areas in greater depth and ongoing priorities with shorter summaries, while not repeating topics that have been at the center of FINRA’s attention in the past.

This is the first priorities letter issued since FINRA announced that it has integrated three different examination programs into a single framework designed to better direct and align examination resources to the risk profiles and business models of member firms. Under the framework, all FINRA member firms are grouped into one of five main firm business models: Retail, Capital Markets, Carrying and Clearing, Trading and Execution, and Diversified. In addition, each firm will be assigned a single point of accountability, a senior leader who has ultimate responsibility for the ongoing risk monitoring, risk assessment, planning and scoping of examinations tailored to the risks of the firm’s business activities. This initiative should make the examination process more efficient because the number of examinations a firm is subject to should be lessened and examination teams should be more knowledgeable and familiar with a firm’s businesses, policies and culture.

The restructuring of FINRA’s examination program and the restructured Letter are a result of the FINRA360 review, and FINRA should be commended for its efforts in this regard. Consistent with this initiative, to support firms in their efforts to comply with the federal securities laws and regulations and FINRA rules, the practitioner-friendly Letter includes practical considerations and questions for each topic and contains an appendix that provides citations to additional resources applicable to those topics.

The following is a discussion of salient points in the FINRA Letter.

Sales Practice and Supervision

FINRA will continue to examine for firms’ compliance with sales practice obligations discussed in previous annual priorities letters — for example, complex products, variable annuities, private placements, fixed income mark-up/mark-down disclosures, representatives acting in certain positions of trust or authority, and senior investors. For the coming year, the identified new and emerging areas are discussed below.

Regulation BI and Form CRS

Like the SEC, FINRA will review firms’ preparedness for Regulation BI to gain an understanding of implementation challenges they face. After the compliance date, FINRA will examine firms’ compliance with Regulation BI, Form CRS and related SEC guidance and interpretations. The Letter states that FINRA and SEC staff expect to work together to ensure consistency in examining firms for compliance with Regulation BI and Form CRS. In addition, the Letter lists a number of factors that examiners will consider when testing for compliance with Regulation BI.

Communications with the Public

FINRA will continue to review for firms’ compliance with core obligations under FINRA and SEC rules governing communications with the public, supervision, and books and records requirements. In addition, FINRA will focus on the review, approval and supervision of:

  • retail communications regarding private placement securities; and
  • communications via digital communication channels (e.g., texting, messaging, social media or collaboration applications).

Cash Management and Bank Sweep Programs

FINRA recognizes that because many firms have altered their commission practices, including some firms’ eliminating commissions altogether, cash management services that sweep investor cash into firms’ affiliated or partner banks or money market funds (Bank Sweep Programs) have taken on a greater significance. Firms’ Bank Sweep Programs may offer retail investors a variety of additional services, such as check writing, debit cards and ATM withdrawals.

FINRA notes that Bank Sweep Programs raise several concerns about firms’ compliance with a range of FINRA and SEC rules. FINRA will evaluate these firms’ compliance with, for example, FINRA Rules 1017 (Application for Approval of Change in Ownership, Control, or Business Operations), 2010 (Standards of Commercial Honor and Principles of Trade), and 2210 (Communications with the Public), as well as Exchange Act Rule 15c3-1 (Net Capital Rule) and Exchange Act Rule 15c3-3 (Customer Protection Rule).

Sales of Initial Public Offering Shares

FINRA is focusing its attention on firms’ obligations under FINRA Rules 5130 (Restrictions on the Purchase and Sale of Initial Equity Public Offerings) and 5131 (New Issue Allocations and Distributions).

Trading Authorization

FINRA will assess whether firms maintain reasonably designed supervisory systems relating to trading authorization, discretionary accounts and key transaction descriptors, such as solicitation indicators. FINRA will review whether firms have reasonably designed supervisory systems to detect and address registered representatives exercising discretion without written authorization from the client, as required under FINRA Rule 3260 (Discretionary Accounts).

Market Integrity

FINRA notes that its examiners will continue to review firms’ compliance with the obligations discussed in prior years’ letters, such as market manipulation, Trade Reporting and Compliance Engine (TRACE) reporting, short sales and short tenders. Additionally, FINRA reminds firms of the upcoming implementation of Consolidated Audit Trail (CAT) reporting and that firms need to remain diligent in their compliance with the Order Audit Trail System (OATS) rules during the phased implementation of CAT. While not specifically referenced in the Letter, FINRA remains active in pursuing matters involving Electronic Blue Sheet reporting.

Direct Market Access Controls

The continued growth in automated and high-speed trading increases potential risks to the financial condition of firms, the integrity of trading on the securities markets and the stability of the financial system. FINRA, like the SEC and other self-regulatory organizations (SROs), will continue to examine for compliance with the market access rule. The examiners’ approach in this area continues to evolve and be somewhat subjective, with findings of exam staff varying from year to year.

Best Execution

Best execution continues to be a primary focus of FINRA. Its examinations and surveillance will focus on whether firms use reasonable diligence to determine whether their customer order flow is directed to the best market given the size and types of orders, the terms and conditions of orders, and other factors as required by FINRA Rule 5310 (Best Execution and Interpositioning). In addition to a focus on U.S. Treasury securities and options executions, FINRA will focus on:

  • conflicts of interest and disclosures in connection with order routing decisions (including with respect to the recent increase in zero-commission brokerage activity); and
  • the handling of odd-lot orders (including whether firms are filling customer odd-lot orders at the National Best Bid and Offer (NBBO) disseminated by the securities information processors (SIPs) and offsetting these trades with odd-lot executions at superior prices reflected in the exchanges’ proprietary data feeds).

Disclosure of Order Routing Information

FINRA will examine for firms’ compliance with amended Regulation National Market System (NMS) Rule 606. The amended rule requires, among other enhancements, broker-dealers to provide new customer-specific reports for “not held” orders in NMS stocks. These disclosures serve an important role in enhancing the transparency of the U.S. securities markets with respect to broker-dealers’ handling and routing practices for both institutional and retail customer orders.

Vendor Display Rule

Rule 603 of Regulation NMS (Vendor Display Rule) generally requires broker-dealers to provide a consolidated display of market data for NMS stocks for which they provide quotation information to customers. FINRA will evaluate the adequacy of firms’ controls and supervisory systems to provide their customers with the current consolidated NBBO as required by the Vendor Display Rule.

Financial Management

FINRA will continue to evaluate firms’ compliance programs relating to Exchange Act Rule 15c3-3 (Customer Protection Rule) and Exchange Act Rule 15c3-1 (Net Capital Rule), as well as firms’ overall financial risk management programs.

Digital Assets

Digital assets raise novel and complex regulatory issues under federal securities laws and regulations, as well as FINRA rules. FINRA is receiving an increasing number of new member applications and continuing member applications from firms seeking to engage in business activities related to digital assets. FINRA continues to work closely with the SEC to understand firms’ business plans and determine how securities laws apply to those plans. Notably, FINRA issued Regulatory Notice 19-24 last year extending into 2020 its effort to encourage firms to keep their Regulatory Coordinator abreast of their activities related to digital assets.

Liquidity Management

FINRA will continue to review firms’ liquidity management practices, as they are a critical control function and should be documented in a firm’s books and records. FINRA will focus on areas it has addressed in Regulatory Notice 15-33 (Guidance on Liquidity Risk Management Practices), as well as those that may create challenges for clearing and carrying firms’ contingency funding plans.

Firm Operations

FINRA will continue to examine firms’ supervisory controls relating to Exchange Act Rule 10b-10 and FINRA Rule 2232 (Customer Confirmations) and firms’ compliance with FINRA Rule 3310 (Anti-Money Laundering Compliance Program).

Cybersecurity

Firms should expect that FINRA will thoroughly assess whether their policies and procedures are reasonably designed to protect customer records and information consistent with Regulation S-P Rule 30. FINRA recognizes that there is no one-size-fits-all approach to cybersecurity but expects firms to implement controls appropriate to their business model and scale of operations.

Technology Governance

Firms’ increasing reliance on technology for many aspects of their customer-facing activities, trading, operations, back-office and compliance programs creates a variety of potential benefits but also exposes firms to technology-related compliance and other risks. In particular, problems in firms’ change and problem-management practices, for example, can expose firms to operational failures that may compromise their ability to comply with a range of rules and regulations, including FINRA Rules 4370 (Business Continuity Plans and Emergency Contact Information), 3110 (Supervision) and 4511 (General Requirements), as well as Exchange Act Rules 17a-3 and 17a-4.

FINRA Examination Trends

Since the commencement of FINRA360, FINRA has made significant changes to its examination program and has been much more willing to provide guidance to its membership to assist firms and associated persons in complying with federal securities laws and FINRA rules. These are welcome developments, hopefully ones other SROs will also adopt.

That being said, broker-dealers should review their policies and procedures in the areas discussed in the Letter and be prepared to address these areas in future examinations.

CONCLUSION

The themes and specific points outlined in the Examination Priorities do not constitute an exhaustive list of OCIE’s or FINRA’s concerns, and actual examinations are likely to include a number of other topic areas. Nevertheless, the Examination Priorities are likely to drive many exams in the coming year, and investment advisers and broker-dealers are encouraged to review their policies, procedures and disclosures with these priorities in mind.


1 See OCIE’s 2020 Examination Priorities, available here, and FINRA’s 2020 Risk Monitoring and Examination Priorities Letter, available here.
2 Firms are encouraged to reach out to OCIE and other SEC staff members as they implement policies and procedures to comply with the new requirements. Questions may be submitted by email to IABDQuestions@sec.gov.
3 See Exchange Act Release Nos. 86031 (June 5, 2019) (adopting Regulation BI), available here and 86032 (June 5, 2019) (adopting new rules and forms regarding the broker-dealers’ and investment advisers’ delivery of a customer or client “relationship summary” or CRS), available here (the Form CRS Release). See also our June 2019 Sidley Update regarding Regulation BI, Form CRS and Interpretations under the Advisers Act.
4 See Advisers Act Release No. 5248 (June 5, 2019), available here (reaffirming and clarifying aspects of a registered investment adviser’s fiduciary duties), and the Form CRS Release, supra note 2; see also the June 2019 Sidley Update, supra note 2.
