2023 Report on FINRA's Examination and Risk Monitoring Program

On Jan. 10, 2023, the Financial Regulatory Authority (FINRA) released its 2023 Report on FINRA's Examination and Risk Monitoring Program ("Report") in which it identifies the year's areas of examination focus for FINRA Member Firms ("Firms"). This is the third year for FINRA's new reporting system, which replaced the prior format for examination focus, the Risk Monitoring and Examination Program Priorities Letter. The Report builds on last year's (see GT Alert) by adding a new focus area-Financial Crimes-and adding new materials related to established areas of focus.

The Report addresses several key topics from five distinct categories: Financial Crimes, Firm Operations, Communications and Sales, Market Integrity, and Financial Management. Highlighted areas from these categories are:

• Regulation Best Interest ("Reg BI") and Form CRS (customer relationship summary)
• Consolidated Audit Trail (CAT)
• Order Handling, Best Execution, and Conflicts of Interest
• Mobile Apps
• Cybersecurity
• Complex Products and Options

A more thorough discussion of these highlighted topics follows below. The Report also contains an Appendix that describes how Firms can use the Report in their compliance programs.

Reg BI and Form CRS

Reg BI and Form CRS continue to be FINRA's focal points. Firms are expected to ensure: (1) recommendations adhere to Reg BI's Care Obligation; (2) conflicts of interest are identified and addressed; (3) all material facts related to conflicts of interest are disclosed to retail customers; (4) adequate written supervisory procedures are established and enforced; and (5) accurate Forms CRS are filed, delivered, and tracked. Firms should regularly consider new interpretative guidance from the SEC when reviewing and updating their compliance approaches.

CAT

Continuing from last year, FINRA will evaluate Firms that receive/originate orders in National Market System (NMS) stocks, over-the-counter (OTC) equity securities, and listed options to ensure compliance with the Securities Exchange Act of 1934 ("Exchange Act"), Rule 613, and the CAT NMS Plan FINRA Rule 6800 Series ("Consolidated Audit Trail Compliance Rule") (collectively, CAT Rules). When determining whether Firms complied with CAT Rules, FINRA checks that Firms are doing timely reportable event and correction submissions, reporting complete/accurate CAT records, and effectively supervising third-party vendors.

Order Handling, Best Execution, and Conflicts of Interest

FINRA also continues to evaluate whether Firms comply with their best execution obligations, pursuant to FINRA Rule 5310 and Rule 606 of Regulation NMS. FINRA assesses whether Firms fully and promptly execute marketable customer orders, adequately conduct "regular and rigorous reviews," and conspicuously disclose specific terms related to all profit-sharing relationships with venues used to route orders. Additionally, the Report includes findings and observations from the targeted exam started in 2020, targeted efforts noted in last year's Report, and targeted reviews of wholesale market makers and their order handling practices for customer orders received from other broker-dealers.

Mobile Apps

While FINRA pointed out in last year's Report that there are many benefits to investors regarding mobile apps, they also noted that such apps raise novel questions and potential concerns. Such concerns include the potential to encourage retail investors to engage in trading activities and strategies that may not be consistent with their investment goals or risk tolerance, as well as concerns about the apps' interface designs and functionality and their influence on investor behavior. Potential issues that FINRA has observed with some mobile apps include not adequately distinguishing between products and services of the broker-dealer and those of affiliates or other third parties (such as transactions involving crypto assets). FINRA also continues to monitor how mobile apps disclose and explain risks of higher-risk products or services.

Cybersecurity

FINRA believes cybersecurity threats continue to be one of the most significant risks many customers and Firms face. They note that the frequency, sophistication and variety of attacks continue to increase; including such attacks as customer account intrusions, ransomware attacks and cyber-enabled fraud. In August 2022, FINRA established the Cyber and Analytics Unit (CAU) to enhance their ability to deal with cyber threats as well as the growth of the crypto-asset market. FINRA's CAU utilizes teams that examine Firms' cybersecurity risk management through reviews of their control; conduct investigations of cyber-related fraud; and investigate and examine crypto-asset activity.

FINRA has also increased cybersecurity threat outreach to member Firms. These efforts include email alerts to Firms' Chief Information Security Officers (CISOs) and Chief Compliance Officers (CCOs), and notifying Firms when they have identified website(s) or social media profiles that may be attempting to impersonate that Firm, one or more of the Firm's current or previous registered representatives, or individuals purporting to be associated with the Firm. In December 2022, FINRA issued Regulatory Notice 22-29 (FINRA Alerts Firms to Increased Ransomware Risks) to provide Firms with questions they can use to evaluate their cybersecurity programs, including information about possible additional ransomware controls and relevant resources.

Complex Products and Options

FINRA will continue to review Firms' communications and disclosures to customers in relation to complex products. FINRA will also review customer account activity to assess whether Firm recommendations regarding complex products are in the best interest of the retail customer given their investment profile and the potential risks, rewards, and costs. In March 2022, FINRA issued Regulatory Notice 22-08 (FINRA Reminds Members of Their Sales Practice Obligations for Complex Products and Options and Solicits Comment on Effective Practices and Rule Enhancements) to reiterate Firms' current regulatory obligations and solicit comments on Firms' effective practices and the regulatory framework regarding complex products and options.

In November 2022, FINRA announced a targeted exam of Firms' retail communications regarding crypto assets. FINRA will be evaluating whether these communications contain false or misleading statements or claims, misrepresent the extent to which the federal securities laws or FINRA rules apply to a crypto asset product or service, or fail to balance the benefits of crypto asset products with their associated investment risks. FINRA will share its findings from these reviews at a future date.

In December 2022, FINRA provided an update on its targeted exam of Firms' practices and controls related to the opening of options accounts and related areas, including account supervision, communications and diligence. The update includes a list of questions for Firms to consider—based on FINRA's observations to date—when evaluating whether their supervisory systems are reasonably designed to address risks related to supervising the approval of options accounts (both self-directed and full-service brokerage accounts) and monitoring the trading activity in options accounts.

Conclusion

FINRA continues to ensure Firms perform their duties and comply with FINRA, SEC, and other rules required of them. This list of priorities, while thorough, is not exhaustive, and priorities and focus are subject to change due to current events and/or changes in the law.

* Special thanks to Law Clerk/JD Leisel O. Greig˘ for her valuable contributions to this GT Alert.

˘ Not admitted to the practice of law.