2022 Report on FINRA’s Examination and Risk Monitoring Program

On February 9, 2022, the Financial Industry Regulatory Authority (FINRA) published its 2022 Report on FINRA’s Examination and Risk Monitoring Program (the 2022 Report). In the 2022 Report, FINRA details exam findings and effective practices for regulated firms and includes call-out boxes detailing specific concerns related to low priced securities and IPOs of China-based issuers. Further, FINRA provided firms with a number of additional resources, including a call-out box detailing Financial Crimes Enforcement Network’s (FinCEN) National Anti-Money Laundering (AML)/Countering Financing of Terrorism (CFT) Priorities that notably for member firms, includes securities and investment fraud.

Although AML is not new to FINRA’s findings and certain topics such as low priced securities remain an area of focus, the 2022 Report emphasizes specific effective practices such as risk assessments, governance over monitoring technology supporting the AML program, and the criticality of escalation of red flags and communication of potentially suspicious activity from other departments in the organization, such as departments that handle cybersecurity and fraud. 

Detailed Highlights

The 2022 Report is organized in three sections, summarizing member firms’ regulatory obligations and related considerations, exam findings and effective practices, and additional resources.

Regulatory Obligations and Related Considerations

The 2022 Report reminds broker dealers of their obligation to develop an AML Compliance Program in compliance with FINRA Rule 3310 that evolves with any changes to the firm’s business model and considers the firm’s AML risks related to its business lines, products, customers, and geographic locations. The firm’s risk-based program should also consider FinCEN’s AML/CFT National Priorities published in June 2021.

Importantly, FINRA highlights the expectation that firms that use automated monitoring assess both the system’s data feeds and scenario parameters.

FINRA also highlights several points related to suspicious-activity reporting, including that the obligation to report may apply to transactions that did not originate with the broker-dealer, and that introducing brokers should consider how they coordinate with their clearing firms related to suspicious-activity reports (SARs). FINRA also highlights the importance of internal coordination, including how the firm manages roles and responsibilities for cyber events, including filing SARs and reviewing impacted accounts. FINRA indicates it has observed potentially suspicious low priced securities activity from foreign financial institutions (FFIs) nesting within omnibus accounts of financial institutions based in lower risk jurisdictions. The broker-dealer’s independent test should include a review of such SAR procedures.

Lastly, FINRA highlights compliance with the identification and verification requirements for customers and beneficial owners pursuant to the customer identification program (CIP) and customer due diligence (CDD) rules.

Exam Findings and Effective Practices

Exam Findings

FINRA exam findings largely align to the section on “related considerations.”  

FINRA notes exam findings related to inadequate monitoring and reporting of suspicious transactions including the following: 

1. “Not using AML reports or systems that accurately and reasonably capture potentially suspicious activity and are free of data integrity issues.
2. Not conducting and accurately documenting AML surveillance reviews.
3. Not implementing appropriate risk-based procedures to understand the nature and purpose of customer relationships in order to develop a customer risk profile.
4. Not implementing procedures that are reasonably designed to investigate inquiries from clearing firms that concern “red flags” of potentially suspicious activity.
5. Not tailoring AML programs to risks presented by products, customers, business lines, and transactions (e.g., cash management products, low priced securities trading) and wire and ACH transfers.
6. Not notifying AML departments of events that involve suspicious transactions (e.g., cybersecurity events, account compromises or takeovers, new account fraud, fraudulent wires, and ACH transfers)”

FINRA specifically calls out concerns related to underwriting and trading of issuers based in China and calls on firms to assess controls related to onboarding, transaction monitoring, and trade surveillance for issues such as spoofing and layering.

In addition to the above, FINRA also found issues with CIP and CDD compliance, as well as due diligence on correspondent accounts for FFIs required pursuant to FINRA Rule 3310(b). Lastly, FINRA highlights concerns with AML independent tests, specifically ensuring that tests are performed within the required timeframe, that all key areas of the AML compliance program are assessed, and that testers have the requisite independence.

Effective Practices

FINRA detailed effective practices designed to mitigate identified deficiencies, including:

1. Conducting and maintaining a BSA/AML Risk Assessment.
2. Ensuring verification of identifying information for customers establishing online accounts and employing anti-fraud measures detailed in the 2022 Report.
3. Documenting internal escalation and communication procedures when AML programs rely on other business units to escalate red flags of suspicious activity.
4. Maintaining AML training programs that include content tailored to the specific roles and responsibilities of key departments and that consider industry trends and output from internal and external testing findings.
5. Implementing fraud monitoring and controls related to outbound money movement requests post-ACH setup and employing restrictions on accounts in certain instances.

How Guidehouse Can Help

Guidehouse has a team of AML experts that can help firms meet their obligations and comply with regulatory expectations including:

• Performing BSA/AML risk assessments
• AML transaction monitoring system review and validation, including coverage assessments, rule and parameter selection, tuning, and model validation
• Developing and delivering training tailored to the risks presented by the firm’s business and industry trends
• AML program enhancements, including enhancement of policies, procedures, and controls, as well as governance structure and documentation
• Anti-fraud program assessment and enhancement
• Cryptocurrency program services
• Surge support including staff augmentation or outsourced managed services