7 takeaways from FINRA regulatory report

AI and 5 other FINRA worries for 2024

January 9, 2024 6:42 PM

If advisors want to gauge just how much tech advances have disrupted their industry in recent years, a good place to look is FINRA's latest report on regulatory oversight.

Top of mind for the broker-dealer industry's self-regulator are cybersecurity, cryptocurrencies, artificial intelligence, and so-called off-channel messages firm representatives send to each other using WhatsApp and similar services. To be sure, the Financial Industry Regulatory Authority is still concerned with more bread-and-butter matters like the Regulation Best Interest conduct standard for brokerages.

But, as the 2024 FINRA Annual Regulatory Oversight Report makes clear, new technologies and related threats are due some additional attention. Cybersecurity comes in for particular concern.

Speaking on an episode of FINRA's Unscripted podcast aired on Tuesday, Omer Meisel, the head of the agency's national cause and financial crime detection program, said he has seen reports suggesting ransomware attacks have risen by 95% in the past year. Ransomware refers to cyberattacks in which hackers take over a firm's or person's computer system and refuse to relinquish control until they've been paid a certain amount of money or receive other forms of ransom.

"And the most heavily targeted industry now is the financial sector, having overtaken the health care sector," Meisel said. "So from my perspective, the cyber threat remains one of if not the top threat to the financial industry."

Claire O'Sullivan, the FINRA vice president of regulatory advisor and stakeholder engagement, said the report is not meant to be a list of regulators' priorities. Rather, the 26 topics it discusses are a reflection of what agency officials noticed over the past year to 18 months of conducting compliance exams and similar activities.

For some of the highlights, scroll down:

Cybersecurity

Cybersecurity is a top concern not only for FINRA. The Securities and Exchange Commission, which oversees FINRA, has itself adopted a new rule giving publicly traded companies four days to report hacks or other data breaches.

The Wall Street regulator has also proposed several regulations specifically for the wealth management industry. One, for instance, would give advisors and brokers who have been hacked 30 days to notify their clients of the attack.

Tiffany Magri, a regulatory advisor at the compliance consultant SMARSH, noted in an interview Tuesday that the SEC now has its cybersecurity rules slated for approval in April. That said, Magri said the regulator has been known to push back its approval of complicated proposals before.

"So I think that it is still probably at the top of the rulemaking agenda but, no, I can't speak to: Will they actually have it in April," Magri said.

FINRA's report reminds firms that they should be constantly looking for flaws in their cybersecurity protections not only at their home offices but also at branches and third-parties they contract services out to. It also calls on brokerages to be on guard particularly for weaknesses that could arise when they move from one technological system to another or when they upgrade an existing system. Firms, FINRA says, should have contingency plans in place to help them keep their main business running even during a cyberattack.

"There's been an increase in the variety, frequency and sophistication of certain cybersecurity incidents, such as ransomware, cyberintrusions at critical vendors utilized by the financial industry, insider threats and impostor websites," Meisel said.

New account fraud

One emerging risk identified by FINRA is what it deems "new account fraud." This often occurs when a fraudster uses hacked personal information to open an account at a firm in someone else's name. The accounts then are sometimes used to hold assets stolen from the victim's holdings at other financial institutions.

FINRA said the increasing popularity of electronic banking and trading has made new account fraud only more common. The increase in cases is a result in part of more and more personal information becoming easy to discover online.

What's more, Meisel said, "The risk of new account fraud has grown in part has resulted in the growth of investors opening up brokerage accounts through online platforms."

FINRA recommends brokers combat new account fraud by insisting new customers present multiple forms of identification. It also suggests that firms, among other things, follow up with inquiries to credit bureaus and similar agencies.

Crypto

FINRA in November published a crypto assets key topics page calling attention to firms' obligation to let regulators know of any planned dealings in bitcoin or other digital assets. So far, only 26 firms have obtained FINRA approval for everything from operating a special-purpose broker-dealer allowed to custody crypto assets to running alternative trading systems for digital assets. Hundreds, meanwhile, have informed the regulator of outside business activities ranging from operating funds that invest in digital assets to engaging in crypto "mining."

Meisel said FINRA is also taking a close look at messages brokerages send out about crypto investments. The regulator has discovered instances when firms have compared "crypto assets to other assets such as securities or cash, without providing a sound basis to compare the benefits and risks of these investments."

Off-channel communications

Firm representatives' misuse of WhatsApp and similar encrypted messaging services to discuss business among themselves and clients has attracted particular scrutiny from regulators this past year. In some cases, the result has been big fines from the SEC.

FINRA is eager to let firms know that so-called off-channel communications are one of its top priorities as well.

"In my time in the industry, I've rarely seen one issue permeate legal and compliance as off-channel communication has in the last year or two," said Michael Solomon, FINRA senior vice president of examinations.

Solomon said he generally sees firms taking two approaches to the increasing popularity of encrypted messaging services among brokers. One is to allow firm representatives to use the systems and to go to additional lengths to make sure the resulting discussions are both recorded and supervised.

The other is simply to ban the services.

"And in those instances, we're testing to see how those firms are ensuring that their employees are complying with that prohibition and how they're handling discipline to the extent employers may violate that policy," Solomon said.

Magri said many firms have policies and procedures on off-channel communications. But too few have taken steps to make sure their representatives are actually abiding by those rules.

"If you can't get people to follow your procedure, do you even have a policy?" Magri said.

Magri said firms should also ask themselves: What should their representatives do if they keep receiving off-channel messages from clients even after explaining that they'll only talk business through official means.

"Who do I contact?" Magri said. "And If you have unapproved channels, how do you handle that? How do you get them back to an approved channel?"

Artificial intelligence

New account fraud and off-channel communications may figure near the top of FINRA's list of priorities. But that doesn't mean the regulator is oblivious to the biggest technological advance to catch the world's attention in 2023: artificial intelligence.

The SEC has already put forward a 243-page proposal that would make advisors responsible for eliminating or neutralizing any conflicts of interests that might arise from using AI, predictive analytics or similar technologies to make investment recommendations. FINRA shares many of the same concerns.

Ornella Bergeron, FINRA senior vice president of member supervision, said she believes AI could transform virtually every aspect of the wealth management industry. She said statements generated by the technology bring up concerns related to everything from accuracy to privacy and intellectual property.

"So far, firms are being very cautious and being very thoughtful when considering the use of AI tools, as well as before deploying new technologies," Bergeron said. "So while for this year's report, there was not a lot in the AI section by way of specific roles, or observations, this is likely a topic we'll be seeing a lot more about in the future."

Reg BI

One of FINRA's priorities since Regulation Best Interest went into effect in June 2020 has been to make sure brokerages are looking out for their clients' best interests in every recommendation they make. Solomon said FINRA regulators are still finding a large number of Reg BI deficiencies, or exceptions, when it examines firms.

"The good news is that the majority of the exceptions that we see are not significant exceptions that warrant enforcement referrals," Solomon said. "So only about 10% of the instances where we find a deficiency during an exam, in terms of Reg BI or Form CRS, are instances where those are referred to enforcement for further investigation."

Francois Cooke, the managing director of the regulatory consultant ACA Compliance Group, said regulators are stressing that firms need to make sure they have considered more standard alternatives to any risky or unorthodox investment product they are considering recommending. Not only that, they should also document why they choose any risky product over a safer alternative, particularly showing how they took their clients' investing needs and goals into account.

Regulators' enforcement of Reg BI has been slow so far. Cooke said he thinks that's about to change.

"They started off trying to make sure that there are procedures and training in place, that there were supervisory mechanisms being put in place by the industry," he said. "And now I think we're in a phase where they're going to start looking at practices and if broker-dealers really are acting in the best interest of the clients."

Purpose of the report

O'Sullivan said many people look at reports like FINRA's as something meant to show the industry how it has gone wrong. She said she sees it also as an opportunity to draw attention to what's working.

"As a self-regulatory organization, FINRA is really uniquely positioned to engage with firms on these emerging issues and areas of risk, and then to share that intelligence back out with our member firms to help them strengthen their compliance programs," O'Sullivan said.

Cooke said that although many of the matters touched on in FINRA's 2024 regulatory report have been discussed in previous years, he's noticing a new urgency in the agency's compliance expectations.

"I think it's more about if firms are finding issues in a particular area they need to remediate them very promptly," he said. "And then one of the challenges firms are having is that, with such a big scope of requirements, they may not have sufficient staffing and tools. So you're finding a number of instances where problems may be identified, but they're not resolved quickly enough."