A summary of the 2024 FINRA Annual Regulatory Oversight Report

Relevant rules:

• Reg S-P Rule 30; Reg S-ID; FINRA Rule 4370
• Any cyber incidents could implicate Rules 4370, 3110, 3129, 17a-3, 17a-4, Reg S-P and Reg S-ID
• The U.S. Securities and Exchange Commission (SEC) adopted rules for public reporting companies in July 2023

In addition, in March 2023, the SEC proposed a cybersecurity risk management rule that, if adopted, would require member firms and other market participants to address cybersecurity risks by:

• Establishing, maintaining and enforcing written policies and procedures that are reasonably designed to address cybersecurity risks
• Providing the SEC with immediate written electronic notice of significant cybersecurity incidents

Member firms that are “covered entities” would further be required to:

• Include minimum specified elements in their written cybersecurity policies and procedures
• Report to the SEC and update information about significant cybersecurity incidents
• Publicly disclose summary descriptions of their cybersecurity risks and the significant cybersecurity incidents they experienced during the current or previous calendar years

Things to consider

Ensure your firm has processes and procedures for:

• Technology, vendor and change management
• Business continuity
• Prevention of and response to intrusions and attacks
• Protection of customer and confidential data
• Multifactor authentication and unauthorized use of resources
• Regular penetration and other testing

Relevant rules

• FINRA Rule 3310; Bank Secrecy Act; FinCEN’s Customer Due Diligence (“CDD”) Rule

Things to consider

• Ensure your anti-money laundering compliance program (AMLCP) is signed by the anti-money laundering council (AMLCO)
• Ensure you have considered the specific anti-money laundering (AML) red flags that apply to your firm and that you have processes in place to monitor for and respond to any red flags noted
• You are collecting the necessary customer identification information and/or documentation during client onboarding

Crypto (digital) assets are a new topic for 2024. This topic applies to firms that serve as placement agents for crypto assets, alternative trading systems and custodial services providers. While this topic isn’t relevant to the majority of member firms, there are still risks that all firms should consider, including affiliates’ activities and outside business activities of associated persons. If your firm or its affiliates or its associated persons conduct any crypto business, you should read the report in detail.

OBAs and PSTs have always been and will likely always be a topic on the report, and a top priority in almost every FINRA exam. Registered people are required to notify their firms anytime they intend to start or end an OBA, and all associated people (whether registered or not) are required to notify their firms of any proposed PST. Firms are required to review the submissions and determine whether to approve, limit or prohibit the activity, and whether the firm is required to supervise the activity as a PST. Firms should also have processes and procedures to monitor for unreported OBAs and PSTs.

Many firms misunderstand what is and isn’t a PST. Sometimes referred to as “selling away”, the definition of a PST goes deeper. The definition includes not only selling securities outside the firm’s platform, but also includes any investment a person makes into a private security. Firms must ensure their people understand the definition and have clear instructions on when and how to report PSTs.

Relevant rules

• FINRA Rules 3270, 3280 and 3110

Things to consider

• Ensure OBA/PST questionnaires are completed at new hire and at least annually thereafter
• Ensure each OBA/PST disclosure is subject to adequate due diligence to determine whether disclosure on Form U4 is required and what type of ongoing supervision (if any) is required
• Ensure your firm has an effective monitoring process in place and adequate evidence of review is created and maintained
• Remember that activities conducted at affiliates are OBAs
• Ensure WSPs are strong in this area as FINRA will almost always ask about it in exams

Relevant rules

• SEC Rules 17a-3 and 17a-4; FINRA Rules 4511, 3110, 2210

Things to consider

• SEC Rule 17a-4 changed in January 2023, which gave firms more flexibility in how they maintain data, but also changed the undertaking required. If you haven’t done so already, you need to obtain a new undertaking from the service provider or a “designated executive officer” and submit it in the financial notifications section of Gateway. This requirement includes all providers where data is kept, not just email providers
• Many items in data rooms must be retained after the data room is closed
• External and internal communications must be archived

If your firm or its people are using off-channel communications for business purposes, such as WhatsApp, text, etc., you must ensure that:

• The data is properly archived
• You have procedures to limit, prohibit and/or supervise all off-channel communications, including monitoring for unapproved communication methods

Relevant rules

• FINRA Rule 2210

Things to consider

The letter primarily focuses on crypto, mobile apps and municipal securities communications, but the following are some general considerations:

• Pre-approval of institutional communications is not required, but personnel must be trained
• Content standards apply to all communications, not just retail
• Websites are retail communications, regardless of the target market

Relevant rules

• Reg BI; FINRA Rule 2111

Things to consider

Most of our clients are generally not subject to Reg BI because they do not make recommendations to retail customers (as defined by the rule), but firms can unwittingly subject themselves to the rule by having a “friends and family” program or completing one-off transactions with individuals.

For transactions subject to the rule:

• Form CRS must be provided
• The firm has four obligations: care, conflicts of interest, disclosure (not just the Form CRS) and compliance

Relevant rules

• FINRA Rules 2111, 2210, 3110, 3280, 5122 and 5123; SEC Rules 10b-9 and 15c2-4

Things to consider

• Reg Notice 23-08 updated and supplemented 10-22. Due diligence of all offerings is required
• Rule 2111 applies to non-retail customers and Reg BI applies to retail investors
• Unless an exemption applies, filings under Rules 5122 or 5123 are required
• Does your WSP contain procedures for contingent offerings, if required
• Ensure adequate due diligence is conducted and evidence supervisory review is maintained

Relevant rules

• Exchange Act Rule 613 and the CAT NMS Plan FINRA Rule 6800 Series; FINRA Rule 3110

Things to consider

• Do your firm’s CAT-related WSPs: 1) identify the individual, by name or title, responsible for the review of CAT reporting; 2) describe specifically what type of review(s) your firm will conduct of the data posted on the CAT reporter portal; 3) specify how often your firm will conduct the review(s); and 4) describe how your firm will evidence the review(s)
• Recordkeeping of CAT order information is required by Rule 6890
• Reporting errors are required to be repaired by T+3

Relevant rules

• SEC Rules 15c3-1 and 17a-11; FINRA Regulatory Notice 03-63; ASC606

Things to consider

• ASC606 is a hot topic with FINRA’s membership application program and exam teams. If your firm receives retainer revenue, ensure adequate documentation of the methodology to recognize the revenue
• Ensure any expense sharing agreement addresses the items contained in RN 03-63