FINRA’s examination program has undergone its most significant reorganization in decades. As stated in a press release, Oct. 1, 2018, FINRA’s goal for the reorganization was to “consolidate its Examination and Risk Monitoring Programs, integrating three separate programs into a single, unified program to drive more effective oversight and greater consistency, eliminate duplication and create a single point of accountability for the examination of firms.” The new look of the examination program was released, along with new management, on Dec. 12, 2019.

FINRA launches its revamped examination program with its release of its 2020 Risk Monitoring and Examination Priorities, issued on January 9th.

In 2020, FINRA is prioritizing risk monitoring, surveillance, and examination programs to further its mission of investor protection and market integrity.  The examination priorities are organized around four themes, which build on FINRA’s priorities from prior years:

  1. Sales practice and supervision;
  2. Market integrity;
  3. Financial management; and
  4. Firm operations.

One significant change in this year’s priorities letter is FINRA’s focus on providing guidance to firms – practical considerations and questions that firms should be focused on as they review their program for compliance with regulatory requirements. In the past, the letters have traditionally been a detailed description of issues and requirements. Providing practical guidance is far more valuable to firms and will aid their compliance efforts.

Sales Practice and Supervision

FINRA will continue to focus on areas it has discussed in previous annual priorities letters, including complex products, variable annuities, private placements, fixed income mark-up/mark-down disclosures, representatives acting in positions of trust or authority, and senior investors.  In addition to these areas, FINRA will evaluate firms’ compliance with obligations related to several new or emerging areas, discussed below.

Regulation Best Interest (Reg BI) and Form CRS

The SEC adopted Reg BI in June 2019, which establishes a “best interest” standard of conduct for broker-dealers.  The SEC also adopted a new form – Form CRS – which requires broker-dealers to provide a brief relationship summary to retail investors.  Firms must comply with Reg BI and Form CRS by June 30, 2020.

During the first half of 2020, FINRA plans to review firms’ preparedness for Reg BI.  After June 30, 2020, FINRA will focus on firms’ compliance with Reg BI, Form CRS, and related SEC guidance.  FINRA will work with the SEC to ensure consistency in evaluating broker-dealers and their associated persons for compliance with Reg BI and Form CRS.  FINRA’s 2020 Risk Monitoring and Examination Priorities Letter includes a list of factors FINRA may consider when reviewing firms for compliance with Reg BI.

Two of the questions posed by FINRA bear particular consideration: (1) Do your firm and your associated persons consider the express new elements of care, skill and costs when making recommendations to retail customers? (2) Do your firm and your associated persons consider reasonably available alternatives to the recommendation?  Both FINRA and the SEC have been explicit in their guidance that the Best Interest standard does not always mean the cheapest option available. That said, cost is a factor and the specific question regarding whether “reasonably available alternatives” will be an important consideration for firms. The regulators will be looking at what alternatives were available to firms to offer their customers and, if a firm chooses not to make those available, it will be important to ensure that there their review, assessment, and determinations are fully documented.

Communications with the Public

FINRA will continue to focus on firms’ compliance with obligations relating to FINRA Rule 2210 (Communications with the Public), as well as related supervisory and recordkeeping requirements.  In 2020, FINRA will expand its focus to private placement retail communications, by reviewing how firms handle retail communications regarding private placement securities via online distribution platforms, as well as traditional channels. As the SEC looks to expand retail access to private placements, firms will need to be vigilant in the manner in which these products are offered to customers.

FINRA will  also continue to focus on the challenges that the increasingly broad array of digital communications (i.e., texting, messaging, social media, or collaboration applications) pose to firms’ ability to comply with obligations related to the review and retention of such communications.

Cash Management and Bank Sweep Programs

FINRA recognizes that as commission practices change, cash management services that sweep investor cash into firms’ affiliated or partner banks or money market funds have taken on a greater significance. Bank Sweep Programs are offering more services to retail investors (such as check-writing, debit cards, and ATM withdrawals.  These added features raise concerns about firms’ compliance with a range of FINRA and SEC rules.  FINRA will therefore focus on firms’ compliance with such rules in the context of Bank Sweep Programs. Further, to the extent that firms benefit from these programs and, with commissions dropping and or going away in some instances, regulatory review of fees involved in providing services will increase, reviewing such areas as conflicts, disclosure, fairness, etc.

Sales of Initial Public Offering (IPO) Shares

In light of the growth of the IPO market over the past year, FINRA will focus on firms’ obligations under FINRA Rules 5130 (Restrictions on the Purchase and Sale of Initial Equity Public Offerings) and 5131 (New Issue Allocations and Distributions).

Trading Authorization

This year, FINRA will also focus on whether firms maintain reasonable supervisory systems relating to trading authorization, discretionary accounts, and key transaction descriptors.  It will review whether these supervisory systems are designed to detect and address registered representatives exercising discretion without written authorization from the client.

Market Integrity

FINRA will continue to review compliance with the ongoing obligations related to market manipulation, Trade Report and Compliance Engine (TRACE) reporting, short sales, and short tenders.  Certain firms will be required to begin reporting to the Consolidated Audit Trail (CAT) in April 2020, and that FINRA will work with those firms as they prepare for reporting.  The FINRA Letter reminds firms to continue devoting resources to ensure accuracy in their Order Audit Trail System (OATS) reporting, because OATS remains a critical part of the audit trail data that FINRA uses to meet its regulatory obligations.

In 2020, FINRA expects to focus on the following additional areas to promote market integrity:

  1. Direct market access controls;
  2. Best execution;
  3. Disclosure of order routing information; and
  4. Vendor display rule.

Financial Management

Firms can expect FINRA to continue its focus on compliance programs relating to Exchange Act Rule 15c3-3 (Customer Protection Rule) and Exchange Act Rule 15c3-1 (Net Capital Rule), as well as firms’ overall financial risk management programs.  FINRA has identified the following new areas of focus for 2020:

  1. Digital assets;
  2. Liquidity management;
  3. Contractual commitment arising from underwriting activities; and
  4. London Interbank Offered Rate (LIBOR) transition.

Firm Operations

As firms increasingly rely on technology for business systems and customer-facing activities, cybersecurity has become a large operational risk.  As such, FINRA will focus on cybersecurity and technology governance in 2020.  Specifically, firms should expect FINRA to assess whether their policies and procedures are designed to protect customer information and whether they are implementing controls appropriate to their business model and scale of operations.  FINRA will also ensure firms’ compliance with FINRA Rules 4370 (Business Continuity Plans and Emergency Contact Information), 3110 (Supervision), and 4511 (General Requirements), as well as Exchange Act Rules 17a-3 and 17a-4.

In terms of technology governance, it continues to be important for firms to ensure that all of the right stakeholders are at the table when new technology is being implemented or current technology modified. Often technological solutions are implemented to address an issue and there are unintended consequences creating regulatory gaps. Having compliance and risk at the table as these decisions are being made can often go a long way to mitigating that risk.

Conclusion

FINRA’s examination priorities for 2020 will largely follow prior focus areas, emphasizing firms’ compliance in important areas such as systems for supervision, sales practice risks, anti-money laundering and fraud, insider trading, and manipulation across markets and products.  New this year is an emphasis on Reg BI and Form CRS, as well as issues related to communications with the public, cash management and bank sweep programs, direct market access controls, best execution, disclosure of order routing information, and cybersecurity.

To support firms in their efforts to comply with federal securities laws and regulations, as well as FINRA rules, the 2020 Risk Monitoring and Examination Priorities Letter includes a list of practical considerations and questions for each topic, which may be helpful to firms in evaluating the state of their compliance, supervisory, and risk management programs.

On January 7, 2020, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) released its 2020 examination priorities.  OCIE is prioritizing practices, products, and services that it believes present heightened risks to investors or market integrity.  The examination priorities are organized around seven themes, many of which build on OCIE’s priorities from prior years:

  1. Retail investor protection, including seniors and those saving for retirement;
  2. Market infrastructure;
  3. Information security;
  4. Focus areas relating to investment advisers, investment companies, broker-dealers, and municipal advisors;
  5. Anti-money laundering programs (AML);
  6. Financial technology (Fintech) and innovation, including digital assets and electronic investment advice; and
  7. Financial Industry Regulatory Authority (FINRA) and the Municipal Securities Rulemaking Board (MSRB).

Retail Investor Protection, Including Seniors and Those Saving for Retirement

 Continuing with the trend in recent years, OCIE will focus on recommendations and advice given to retail investors, with a particular focus on seniors and those saving for retirement.  The examinations will focus on intermediaries that serve retail investors—namely, registered investment advisers (RIAs), broker-dealers, and dually-registered firms—and on investments marketed to, or designed for retail investors, such as mutual funds and exchange-traded funds (ETFs), municipal securities and other fixed income securities, and microcap securities.  OCIE will also focus on higher risk products, such as those that:

  • are complex or non-transparent;
  • have high fees and expenses; or
  • where an issuer is affiliated with or related to the registered firm making the recommendation.

OCIE acknowledged the impact that Regulation Best Interest and Form CRS will have on retail investors.  In order to help broker-dealers with the June 30, 2020 compliance date for Regulation Best Interest and Form CRS, OCIE will engage with broker-dealers during the exam process to answer questions they may have concerning implementation of the new rules.

With regard to RIAs as fiduciaries, OCIE will focus on whether they have fulfilled their duties of care and loyalty by providing advice in the best interests of their clients and eliminating—or at least exposing—conflicts of interest.  Fees and expenses, as well as undisclosed—or inadequately disclosed—compensation arrangements, will likely continue as focus areas.

Information Security

In 2020, OCIE examiners will focus on:

  • Governance and risk management;
  • Access controls;
  • Data loss prevention;
  • Vendor management;
  • Training; and
  • Incident response and resiliency.

As in past years, these focus areas will allow OCIE to prioritize cyber and other information securities risks in each of its five examination programs.  Examinations will focus on proper configuration of network storage devices, information security governance generally, retail trading information security, and RIAs’ protection of clients’ personal financial information.  With respect to third-party and vendor risk management, OCIE will focus on oversight related to certain service providers.

Fintech and Innovation, Including Digital Assets and Electronic Investment Advice

Recognizing that advancements in financial technologies, methods of capital formation and market structures, and registered firms’ use of new sources of data warrant ongoing attention and review, OCIE has placed particular emphasis on Fintech and Innovation in 2020.

In the digital asset space, OCIE will continue to assess: (1) suitability; (2) portfolio management and trading practices; (3) safety of client funds and assets; (4) pricing and valuation; (5) effectiveness of compliance programs and controls; and (6) supervision of employee outside business activities.

With regard to “robo-advisers” or automated investment tools and platforms, OCIE will continue its focus on:

  • Registration;
  • Cybersecurity policies and procedures;
  • Marketing;
  • Fiduciary duty, including adequacy of disclosures; and
  • Effectiveness of compliance programs.

Additional Focus Areas Relating to Investment Advisers, Investment Companies, Broker-Dealers, and Municipal Advisors

These registrants can expect OCIE to continue its risk-based examinations in 2020.

  • New RIAs and RIAs registered for several years that have yet to be examined should expect to become areas of focus for OCIE in 2020.
  • Investment companies can expect examinations focusing on mutual funds and ETFs, RIA activity, and oversight practices.
  • Broker-dealer examinations will focus on recent rulemaking and trading practices, and
  • Municipal advisor examinations will include registration and continuing education requirements, as well as fiduciary duty obligations.

Anti-Money Laundering

AML is a repeat priority for OCIE as it is for all regulators in the financial industry regulatory space.  In 2020, OCIE will examine whether broker-dealer and investment companies are complying with their AML obligations.  OCIE notes four areas of review:

  • customer identification programs and SAR filing obligations;
  • customer due diligence;
  • compliance with beneficial ownership requirements; and
  • timely and robust independent testing of AML programs.

Market Infrastructure

With respect to market infrastructure, OCIE will continue examinations of entities providing services critical to market infrastructure, including clearing agencies, national securities exchanges, alternative trading systems, and transfer agents.  Particular attention will be given to the security and resiliency of entities’ systems.

Conclusion

OCIE’s examination priorities for 2020 will largely follow prior focus areas, emphasizing the protection of retail investors with particular focus on fee disclosures, senior investors, and retirement accounts.  OCIE will also continue to examine firms’ abilities to manage risk associated with cybersecurity breaches, money laundering, and digital assets and electronic investment advice.  Finally, regulated firms are reminded that the examination priorities identified are not exhaustive and that OCIE will continue to conduct examinations determined through a risk-based approach that includes analysis of an entity’s history, operations, services, products offered, and other factors.

On January 8, 2020, the Virginia General Assembly will begin its 60 calendar day legislative session. Legislation relating to privacy will be on the agenda, including HB 473, titled the “Virginia Privacy Act,” that proposes to strengthen the data privacy rights of Virginians.

Scope of the Proposed Legislation

The provisions of the legislation apply to “any legal entity (i) that conducts business in the Commonwealth or produces products or services that are intentionally targeted to residents of the Commonwealth and (ii) that (1) controls or processes personal data of not fewer than 100,000 consumers; or (2) derives over 50 percent of gross revenue from the sale of personal data and processes or controls personal data of not fewer than 25,000 customers.” The bill has exceptions to its scope applicable to, among others, local and state governments, credit reporting agencies and financial institutions governed by other privacy laws, and also exempts certain health care related information governed by federal law and employment records.

The legislation focuses on the responsibilities of data controllers, who are primarily responsible for complying with the provisions of the legislation, and data processors, who must adhere to the instructions of the controller and assist a controller in meeting the requirements of the proposed act.

Continue Reading Will Virginia Follow California’s Lead on Consumer Privacy Legislation?

For years, we have waited with bated breath the arrival of the “Internet of Things” (IoT) to transform garages into smart factories, cars into autonomous vehicles and ordinary homes into smart homes completely controllable by cellphones. Two technologies underpinning this world of the future (inexpensive sensors and 5G networking) will catalyze this vision in 2020. Gartner predicts that connected devices will rise from 8.4B in 2017 to 20.4B in 2020. While the hurdles for this vision are many (increased regulation, privacy concerns, and the trade war, which may bifurcate the IoT due to geopolitical disputes regarding 5G), the McKinsey Global Institute estimates that IoT technologies will create between $3.9T and $11.1T in economic value globally by 2025. Those interested in capitalizing on this world of the future should be mindful of the legal framework of the future (and near present).

Continue Reading The IOT is Here and so is the Regulation

Across the country, school districts use technology to facilitate learning and assist in classroom management. From tracking grades and communicating with parents to monitoring bathroom breaks, technology is everywhere in our schools. But as technology becomes more prevalent in the classroom, what does that mean for student data privacy?

Federal Laws Governing Student Data Privacy

There are several federal laws that govern student data privacy. The Family Educational Rights and Privacy Act (FERPA) protects student educational records and requires the consent of parents or students age 18 or older to consent to the release of education records. The Protection of Pupil Rights Amendment (PPRA) requires parental consent for any federally funded student survey or evaluation that requires the student to provide sensitive information. Lastly, the Children’s Online Privacy Protection Act (COPPA) regulates companies collecting data about kids under the age of thirteen. Under the law, educational products may not require parental consent, and instead, schools can consent on behalf of parents. Importantly, the Federal Trade Commission (FTC) is considering updating COPPA’s regulations. The FTC requested comments on the rule in July and held a workshop in October.

Continue Reading Trends in Student Data Privacy

In less than one month, the California Consumer Privacy Act of 2018 (CCPA) will go into effect and begin a new era of data breach litigation. While the California Attorney General is charged with generally enforcing the state’s landmark privacy law, consumers’ ability to rely on a violation of the CCPA as a basis for violations of other state law statutes will be a concern.

For background, Section 1798.150(a)(1) of the CCPA gives consumers a limited private right of action. The provision allows consumers to sue businesses that fail to maintain reasonable security procedures and practices to protect “nonencrypted or nonredacted personal information” of a consumer and further fail to cure the breach within 30 days. A violation of this data security provision allows recovery of statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive relief. To determine the appropriate amount of statutory damages, courts must analyze the circumstances of the case, including the number of violations, the nature, seriousness, willfulness, pattern, and length of the misconduct, and the defendant’s assets, liabilities, and net worth.

Continue Reading CCPA Review: The CCPA May Prohibit Some, But Not All, State Consumer Protection Law Claims

This week, the California Attorney General held public hearings on the draft California Consumer Privacy Act (CCPA) regulations it issued in October.  We attended the hearings in both Los Angeles and San Francisco.  One clear message resounded — unintended consequences of the proposed regulations if left as drafted.

Both hearings were well-attended, with dozens of comments from businesspeople, attorneys, and a handful of concerned citizens.  In addition to these two hearings, the Attorney General also held public hearings in Sacramento and Fresno, and is accepting written comments through Friday, December 6, 2019.  If the Los Angeles and San Francisco hearings are any indication, there are many areas in which the Attorney General could provide further clarity should it choose to revise the current draft regulations.

Continue Reading California Attorney General’s Public Hearings on CCPA Regulations in Los Angeles and San Francisco—An Overview

While customer data breaches are garnering a lot of media attention, a subtler but equally problematic cybercrime is slowly on the rise — domain spoofing.

In this context, cybercriminals register domain names that are virtually identical to an entity’s legitimate domain name and/or brand, often with subtle misspellings or the addition of business designations or generic words describing the entity’s business. The false domain names are so similar to a company’s actual domain and/or brand that they appear legitimate.

The cybercriminals then use the deceptively similar domain name to create email addresses and send emails impersonating a company or its employees, sometimes using the names of the entity’s actual employees — a tactic commonly called “email spoofing.” Those emails typically contain malware in links or attachments, which are triggered by clicking the link or opening the attachment. Other email spoofing schemes attempt to trick recipients into providing login credentials, providing payment card information, or routing wire transfers to the cybercriminal’s bank account.

Continue Reading *Chime* It’s an Email from Your Favorite Outside Counsel, or Is It?

On October 31, a bipartisan group of senators introduced the Filter Bubble Transparency Act (FBTA), an act which would require large online platforms to be more transparent in their use of algorithms driven by user-specific data.

“This legislation is about transparency and consumer control,” said Senator John Thune (R-S.D.).

“For free markets to work as effectively and as efficiently as possible, consumers need as much information as possible, including a better understanding of how internet platforms use artificial intelligence and opaque algorithms to make inferences.”

The bill is named after Eli Pariser’s book The Filter Bubble, which argues that the personalized search results generated by user-specific data can trap users in an ideological bubble by filtering out content contrary to their ideological viewpoints.

Continue Reading Bipartisan Bill Seeks to Increase Internet Transparency and Consumer Control Over Content

For years, corporate boards have hired third-party companies to conduct financial audits to assure that there is no fraud or other breaches of fiduciary responsibility by management. Cyber risks should be managed similarly. Who can thoroughly evaluate whether management is prepared to protect the company when its systems are attacked or when a data breach occurs? Is management prepared to execute the company’s incident response plan, or is it just sitting on the shelf untested?

Continue Reading Effective Incident Response Requires Good Cyber Exercise—Is Your Company in Shape?