FINRA Issues 2022 Report on Examination and Risk Monitoring Program

Cybersecurity and Privacy   |   Financial Services Regulatory   |   Life, Annuity, and Retirement Solutions   |   Securities & Investment Companies   |   Securities Litigation and Enforcement   |   February 16, 2022

On February 9, 2022, FINRA issued the 2022 Report on FINRA's Examination and Risk Monitoring Program to provide firms with "information that may help their compliance programs."

The 2022 report addresses 21 topic areas. For each topic, the 2022 report identifies relevant rules, highlights key considerations for firm compliance programs, summarizes noteworthy examination findings, outlines effective practices, and provides additional resources. FINRA notes that the 2022 report builds on the "structure and content" of the 2021 report.

Prior to addressing each of the 21 topic areas, the 2022 report selected seven to highlight:

  • Regulation Best Interest (Reg BI) and Form CRS (customer relationship summary)
  • Consolidated Audit Trail (CAT)
  • Order Handling, Best Execution, and Conflicts of Interest
  • Mobile Apps
  • Special Purpose Acquisition Companies (SPACs)
  • Cybersecurity
  • Complex Products

We have selected a number of topics for further discussion:

Communications and Sales

Reg BI and Form CRS

Reg BI and Form CRS became effective on June 30, 2020. 2021 was the first full calendar year during which FINRA examined firms’ implementation of Reg BI and Form CRS obligations. The 2021 exams reviewed and tested firms’ practices in making recommendations that adhere with Reg BI’s Care Obligation, identifying and mitigating conflicts of interest, and providing effective training. FINRA continues to conduct Reg BI and Form CRS exams and gather additional information on firms’ practices.

Effective practices include:

  • Identifying, disclosing, and eliminating or mitigating conflicts of interest across business lines, compensation arrangements, relationships or agreements with affiliates, and activities of their associated persons by, among others:
    • Establishing and implementing policies and procedures to identify and address conflicts of interest.
    • Sampling recommended transactions to evaluate how costs and reasonably available alternatives were considered.
    • Providing resources to associated persons making recommendations that account for reasonably available alternatives with comparable performance, risk, and return that may be available at a lower cost.
    • Updating client relationship management (CRM) tools that automatically compare recommended products to reasonably available alternatives.
    • Revising commission schedules within product types to flatten the percentage rate.
    • Broadly prohibiting all sales contests.
  • Mitigating the risk of making recommendations that might not be in a retail customer's best interest by:
    • Establishing product review processes to identify and categorize risk and complexity levels for existing and new products.
    • Limiting high-risk or complex product, transaction, or strategy recommendations to specific customer types.
    • Applying heightened supervision to recommendations of high-risk or complex products.
  • Tracking and delivering Form CRS and Reg BI-related documents to retail investors and retail customers in a timely manner by:
    • Automating tracking mechanisms to determine who received Form CRS and other relevant disclosures.
    • Memorializing delivery of required disclosures at the earliest triggering event.
  • Monitoring associated persons' compliance with Reg BI by:
    • Conducting monthly reviews to confirm that their recommendations meet Care Obligation requirements, including system-driven alerts or trend criteria to identify:
      • Account type or rollover recommendations that may be inconsistent with a customer's best interest.
      • Excessive trading.
      • Sale of same product(s) to a high number of retail customers.
    • Monitoring communication channels (e.g., email, social media) to confirm that associated persons who were not investment adviser representatives (IARs) were not using the word "adviser" or "advisor" in their titles.
    • Incorporating Reg BI-specific reviews into the branch exam program as part of overall Reg BI compliance efforts, focusing on areas such as documenting Reg BI compliance and following the firms' Reg BI protocols.

Communications with the Public and Mobile Apps

FINRA is focusing on compliance issues involving communications in a time of rapid technological change. The use of mobile apps in particular has generated a number of concerns regarding false, misleading, or inaccurate information conveyed to customers - perhaps even more so than other platforms simply due to the inherent limitations of mobile apps. It is of particular concern with respect to options and margin trading through such apps. But the requirements for fair, balanced, and not misleading communications remain the same no matter the platform. Mobile apps also bring other regulatory concerns, such as gamification features that may constitute recommendations to customers. Firms offering such apps must establish and implement a supervisory system to ensure compliance with the rules regarding communications with the public - that the data displayed to customers is accurate - and to ensure that the information provided does not constitute a recommendation under Reg BI.

The use of digital communication channels such as chatrooms, podcasts, instant messages, and the like also presents concerns. Effective practices include having policies, training, and supervision addressing the use (or not) of all such channels; a means to maintain books and records of all such communications; and reviews for red flags arising from the use of unapproved communication channels.

The rise of digital asset investments also presents concerns. For firms that market such products, effective practices include ensuring that communications are fair and balanced, and do not misrepresent the extent to which the digital assets are regulated by FINRA or the federal securities laws, or the extent to which they are eligible for the protections thereunder.

A review of the latest developments in the SEC's review of digital engagement practices - the "gamification of trading" - is available here.

Private Placements

FINRA is focusing on the timeliness of filings with FINRA's Corporate Financing Department under FINRA Rules 5122 and 5123 for private placement offerings and on the due diligence performed prior to their recommendation to customers. Firms must conduct an appropriate level of research, particularly when the firm lacks experience or specialized knowledge regarding the issuer's underlying business or when an issuer lacks an operating history. Firms cannot simply rely on their past experience with the same issuer in previous offerings. They also must inquire into and analyze any red flags identified during the due diligence process.

Effective practices include:

  • Creating private placement checklists to list all steps to be taken, dates and related documentation requirements, and identifying who is to perform each step.
  • Conducting and documenting independent research on all material aspects of the offering, to include identifying and following up on any red flags encountered.
  • Verifying all key information by independent sources.
  • Identifying and addressing conflicts of interest.
  • Assigning responsibility for due diligence efforts and for filing obligations to specific individuals and conducting in-depth training regarding those obligations and the firm's procedures.
  • Creating an alert system to warn of upcoming filing deadlines.
  • Conducting post-closing assessments of offerings to determine whether the proceeds were used in a manner consistent with the offering memorandum.

Variable Annuities

The 2022 report confirms that both FINRA Rule 2330 and Reg BI apply when a registered person recommends the purchase or exchange of a variable annuity to a retail customer. FINRA is focusing on variable annuity exchanges and buyout offers. FINRA states that firms "must implement surveillance procedures to determine if any associated person is effecting deferred variable annuity exchanges at a rate that might suggest conduct inconsistent with FINRA Rule 2330 and any other applicable FINRA rules or the federal securities laws." In addition, firms must reasonably supervise recommendations related to issuer buyout offers.

Effective practices include:

  • Using automated tools, exception reports, and surveillance to review variable annuity exchanges; and implementing second-level supervision of supervisory reviews of exchange-related exception reports and account applications.
  • Requiring registered representatives to provide detailed written rationales for variable annuity exchanges for each customer (including confirming that such rationales address the specific circumstances for each customer and do not replicate rationales provided for other customers).
  • Requiring supervisory principals to verify the information provided by registered representatives, including product fees, costs, rider benefits, and existing product values.
  • Standardizing review thresholds for rates of variable annuity exchanges.
  • Monitoring for emerging trends across registered representatives, customers, products, and branches.
  • Creating automated solutions to synthesize variable annuity data (including general product information, share class, riders, and exchange-based activity) in situations warranted by the volume of variable annuity transactions.
  • Engaging with insurance carriers (affiliated and nonaffiliated) and third-party data providers (e.g., DTCC and consolidated account report providers) to address inconsistencies in available data, data formats, and reporting processes for variable annuities.
  • Establishing a supervisory system that collects and utilizes key transaction data.
  • Considering the following data points when conducting a review of an exchange transaction under FINRA Rule 2330 and Reg BI: branch location; customer state of residence; policy riders; policy fees; issuer of exchanged policy; exchanged policy product name; date exchanged policy was purchased; living benefit value, death benefit value or both, that was forfeited; surrender charges incurred; and any additional benefits surrendered with forfeiture.

Firm Operations

Cybersecurity and Technology Governance

FINRA is focusing on identifying "fraudsters and other bad actors engaging in cybercrime" who increase both fraud risk (e.g., synthetic identity theft, customer account takeovers, illegal transfers of funds, phishing campaigns, imposter websites) and money laundering risk (e.g., laundering illicit proceeds through the financial system).

With regard to technology governance, FINRA reminds firms that "cybersecurity remains one of the principal operational risks facing broker-dealers." FINRA expects firms to develop "reasonably designed cybersecurity programs and controls that are consistent with their risk profile, business model and scale of operations." In this regard, FINRA suggests that firms consider several factors in assessing technology governance:

  • Implementing controls to mitigate system capacity, performance, and integrity issues that may undermine a firm's ability to conduct business and operations, monitor risk, or report key information.
  • Documenting system change requests and approvals.
  • Performing testing before system or application changes are moved into a production environment, and again after implementation.
  • Maintaining procedures for tracking information technology problems and their remediation, including whether a firm categorizes problems based on their business impact.

Effective practices include:

  • Collaborating across technology, risk, compliance, fraud, and internal investigations/conduct departments to assess key risk areas, monitor access and entitlements, and investigate potential violations of firm rules or policies regarding data access or data accumulation.
  • Establishing and regularly testing (often using tabletop exercises) a written formal incident response plan that outlines procedures for responding to cybersecurity and information security incidents; and developing frameworks to identify, classify, prioritize, track, and close cybersecurity-related incidents.
  • Implementing timely application of system security patches to critical firm resources (e.g., servers, network routers, desktops, laptops, mobile phones, software systems) to protect nonpublic client or firm information.
  • Creating and keeping current an inventory of critical information technology assets - including hardware, software, and data - as well as corresponding cybersecurity controls.
  • Implementing change management procedures to document, review, prioritize, test, approve, and manage internal and third-party hardware and software changes, as well as system capacity, in order to protect nonpublic information and firm services.
  • Continuously monitoring and testing the capacity of current systems, and tracking average and peak utilization, to anticipate the need for additional resources based on increases in accounts or trading volumes, as well as changes in systems.
  • Requiring customers to use multifactor authentication to access their online account.

Outside Business Activities (OBAs) and Private Securities Transactions (PSTs)

FINRA is focusing on firms' procedures once receiving written notice of an OBA; for example, whether firms consider the effect of the OBA on a registered representative's obligations to the firm and its customers, and whether the public may view the OBA as part of the firm's business. FINRA also is focusing on whether firms treat OBAs as PSTs, with attendant supervisory responsibilities, when appropriate.

Other concerns include whether firms are looking at digital asset OBAs and PSTs, whether they record PSTs for compensation in their books and records, how they supervise such PSTs, and whether firms' controls are adequate to confirm compliance with their OBA/PST procedures.

Effective practices include:

  • Requiring registered representatives and other associated persons to periodically complete questionnaires with attestations regarding any involvement with OBAs or PSTs.
  • Conducting due diligence regarding any disclosed OBAs/PSTs.
  • Monitoring registered representatives and other associated persons for red flags that might indicate involvement in OBAs/PSTs, such as changes in performance, production levels, or lifestyle, or by review of marketing materials, fund movements, customer complaints, correspondence, and financial records.
  • Implementing WSPs that clearly identify activities that would constitute OBAs/PSTs.
  • Creating checklists to determine whether digital asset activities may be considered OBAs/PSTs.
  • Conducting training regarding OBAs/PSTs.
  • Taking disciplinary action against persons who fail to comply with firm procedures regarding OBAs/PSTs.

Books and Records

FINRA is focusing on firms' obligations regarding vendors, such as cloud service providers, that they retain to help them comply with their books and records obligations. FINRA is concerned with whether firms are performing reasonable due diligence in verifying the vendors' ability to comply with books and records requirements, especially regarding electronically stored media, as well as with the use of virtual data rooms (VDRs) and whether the documents embedded there are preserved following the closing of the VDR.

Effective practices include:

  • Reviewing vendors' contracts and agreements to assess whether they will be able to comply with the books and records rules.
  • Testing and verifying vendors' capabilities to fulfill their regulatory obligations by, for example, simulating a regulator's request for records and engaging regulatory or compliance consultants to confirm compliance with the requirements.
  • Verifying that the vendors will provide third-party attestations as may be required.

Trusted Contact Persons

New for 2022, FINRA is focusing on whether firms have established an adequate supervisory system, including WSPs, related to obtaining and using the names and contact information of trusted contact persons. FINRA also is focusing on whether firms educate registered representatives about the importance of collecting and using trusted contact information, where possible.

Effective practices include:

  • Conducting training, for both front office and back-office staff, on the warning signs of potential: (1) customer exploitation; (2) diminished capacity; and (3) fraud perpetrated on the customer.
  • Emphasizing the importance of trusted contact persons and promoting effective practices.
  • Establishing specialized groups or appointing individuals to handle situations involving elder abuse or diminished capacity; contacting customers' trusted contact persons - as well as Adult Protective Services, regulators, and law enforcement, when necessary - and guiding the development of products and practices focused on senior customers.
  • Hosting conferences or joining industry groups focused on protecting senior customers.

Market Integrity

Best Execution

FINRA is focusing on whether firms are conducting reviews of execution quality. Where a firm does not conduct order-by-order reviews, there must be "regular and rigorous" reviews of execution quality. This requires comparisons with the execution quality that might be obtained in competing markets, and documentation of such reviews must be preserved.

In particular, FINRA is focusing on conflicts of interest in order routing determinations, including whether the use of firm affiliates in routing decisions may affect execution quality, and whether payment-for-order-flow considerations may affect execution quality. FINRA also is focusing on whether firms tailor their policies and procedures to address their best execution obligations for different products and for trading during extended hours. For example, FINRA has found failures to conduct best execution reviews for certain order types (market, marketable limit, or non-marketable limit orders), as well as deficient reviews that do not consider all the relevant factors, such as speed of execution, price improvement, and the likelihood of execution of limit orders.

Effective practices include:

  • Using exception and surveillance reports to support efforts to meet best execution obligations.
  • Reviewing payment for order flow (PFOF) practices at the firm and whether it affects order handling and best execution.
  • Conducting "regular and rigorous reviews" of execution quality on a quarterly basis, as a minimum.
  • Continuously updating the firm's WSPs and best execution analysis to address market and technology changes.

A review of recent FINRA and SEC developments regarding payment for order flow may be found here.

Market Access Rule

For firms that provide direct market access, FINRA is focusing on whether they are appropriately controlling the risks associated with such access. In particular, FINRA is concerned with the adequacy of written procedures and pre-trade controls to manage the financial, regulatory, and other risks of market access. This includes controls related to credit limits, order limits, capital thresholds, and duplicative and erroneous orders. FINRA is also concerned with firms' use of automated controls and whether firms maintain direct and exclusive control of applicable thresholds where third-party vendors are involved, and whether firms review the vendor's performance in meeting such obligations. Testing of market access controls and training provided to traders is also a focus.

Effective practices include:

  • Implementing systemic pre-trade "hard blocks" to prevent fixed income orders from reaching an alternative trading system (ATS) when doing so would cause a breach of a threshold.
  • Implementing processes for intraday ad hoc adjustments to credit limits and then to return such limits to their original values as needed.
  • Tailoring erroneous and duplicative order controls to particular products or order types, and preventing the routing of market orders based on impact to the market by use of average daily volume controls that are set at reasonable levels and calibrated to reflect, among other things, the characteristics of the securities, the business of the firm, and market conditions.
  • Employing reasonable controls to ensure records are aggregated and integrated in a timely fashion to facilitate holistic post-trade and supervisory reviews for, among other things, potentially manipulative trading patterns.
  • Periodically testing such controls to form the basis for the annual CEO certification of such controls.

Financial Management

The 2022 report addresses five topics related to financial management: net capital, liquidity risk management, credit risk management, segregation of assets and customer protection, and portfolio margin and intraday trading. We summarize below the effective practices FINRA identifies for each.

With regard to net capital, effective practices include:

  • Performing an assessment of net capital treatment of assets, including CDs, to confirm that they were correctly classified for net capital purposes.
  • Obtaining from and verifying with banks the withdrawal terms of any assets, with particular focus on CD products, and reviewing all of the agreement terms.
  • Developing guidance and training for FinOp principal and other relevant staff on net capital rule requirements for fails.
  • Clarifying WSPs to address clearing firms' responsibilities regarding net capital requirements.

With regard to liquidity risk management, effective practices include:

  • Updating liquidity risk management practices to take into account a firm's current business activities.
  • Conducting stress tests in a manner and frequency that consider the complexity and risk of the firm's business model.

With regard to credit risk management, effective practices include:

  • Developing comprehensive internal control frameworks to capture, measure, aggregate, manage, and report credit risk.
  • Maintaining approval and documentation processes for increases or other changes to assigned credit limits.
  • Monitoring exposure to affiliated counterparties.

With regard to segregation of assets and customer protection, effective practices include:

  • Collaborating with legal and compliance departments to confirm that all agreements supporting control locations are finalized and executed before the accounts are established and coded as good control accounts on firms' books and records.
  • Confirming which staff have system access to establish a new good control location and that they are independent from the business areas to avoid potential conflicts of interest; and conducting ongoing review to address emerging conflicts of interest.
  • Conducting periodic review of, and implementing exception reports for, existing control locations for potential miscoding, out-of-date paperwork, or inactivity.
  • Creating and implementing policies to address receipt of customer checks, checks written to the firm, and checks written to a third party.
  • Creating and reviewing firms' check received and forwarded blotters to confirm that they are up to date and include the information required to demonstrate compliance with the customer protection rule exemption.

With regard to portfolio margin and intraday trading, effective practices include:

  • Developing and maintaining a robust internal risk framework to identify, monitor, and aggregate risk exposure within individual portfolio margin accounts and across all portfolio margin accounts.
  • Maintaining and following reasonably designed processes (reflected in the firm's WSPs) and robust controls to monitor the credit exposure resulting from concentrated positions within both individual portfolio margin accounts and across all portfolio margin accounts.
  • Clearly and proactively communicating with clients with large or significantly increasing exposures, according to clearly delineated triggers and escalation channels established by the firm's WSPs; and requesting that clients provide their profit and loss position each month.

Finally, the 2022 report includes an appendix that outlines how to use FINRA reports in a firm's compliance program, observing that firms have used prior FINRA publications, such as exam findings reports and priorities letters, to enhance their compliance programs.

* * *

The 2022 report is a helpful resource for compliance professionals. Firms are encouraged to review their compliance practices and WSPs and revise practices and procedures as necessary to address topics covered in the 2022 report. FINRA will continue to assess the compliance, supervision, and risk management issues covered in the 2022 report.

©2024 Carlton Fields, P.A.