
FINRA Issues 2024 Annual Regulatory Oversight Report

FINRA issued its 2024 Annual Regulatory Oversight Report on January 9, 2024, providing a glimpse into FINRA’s current regulatory oversight of member firms and their registered personnel in 27 topic areas.

The 2024 report has a new name. But, similar to prior annual reports, FINRA intends the 2024 report to serve as a resource for firms to strengthen compliance programs.  

The 2024 report also provides an update on FINRA’s ongoing sweep examinations in the areas of (i) special purpose acquisition companies, (ii) social media influencers, customer acquisition, and related information protection, and (iii) option account opening, supervision, and related areas.

We discuss several topics in the 2024 report in the order addressed in the report.

Financial Crimes

In 2023, FINRA included a new section in its annual priorities report dedicated to combatting financial crimes. FINRA kept that section front and center in its 2024 report. This year, the financial crimes section placed a heavy emphasis on cybersecurity, particularly the new SEC rules adopted in July 2023. These new rules require public reporting companies to disclose within four business days the nature, scope, timing, and material impact of a cybersecurity incident. The new SEC rules also require companies on an annual basis to report material information regarding their cybersecurity risk management, strategy, and governance.

Over the past year, FINRA noticed an uptick in the variety, frequency, and sophistication of cyber intrusions. This includes the use of imposter websites, insider threats, and ransomware. In addition, FINRA highlighted the risk that firms face when their critical vendors experience a cybersecurity incident.

Effective practices to mitigate the risk of a cybersecurity incident include:

  • When a firm suspects an account intrusion, review the potentially violative activity to determine the appropriate action (e.g., fund restrictions).
  • Monitor the internet for imposter websites and maintain written procedures for reporting imposter websites and notifying customers and business partners.
  • Scan outbound email attachments that contain customers’ personally identifying information and firm-sensitive information.
  • Review FINRA’s “Cross Market Options Supervision: Potential Intrusion Report Card,” which lists trades related to potentially fraudulent options transactions facilitated by account takeover schemes.
  • Provide training to employees regarding cybersecurity threats, such as phishing attacks and social engineering.
  • For firms that allow new accounts to be opened online, develop a comprehensive identity verification system that incorporates the use of third parties that can provide a risk score associated with the new account.

FINRA cites new account fraud as an emerging risk to firms. Bad actors have been using stolen and “synthetic” identification information to open new accounts. Synthetic identification information is a combination of real and fictitious data. For instance, real Social Security numbers and dates of birth may be combined with fictitious phone numbers and email addresses. Once a bad actor opens a fraudulent new account, that person could use the new account to make fraudulent ACAT requests and launder proceeds of ill-gotten gains from government programs (e.g., COVID-19 relief).

Anti-money laundering is a constant on FINRA’s annual report. Although much of the report is unchanged, FINRA noted in its findings that firms had an inadequate response to red flags. For instance, FINRA saw firms auto-approving customers where the applicant provided a Social Security number that was invalid or was associated with a different person.

To combat new account fraud and comply with anti-money laundering supervision obligations, firms should:

  • Evaluate their review of red flags during the account opening process.
  • Cross-reference customer information across multiple vendors.
  • Review the IP address or other available geolocation data.
  • Evaluate their monitoring of known fraud schemes.
  • Enhance these processes to comply with Regulation S-ID and other applicable securities laws and rules.

FINRA also discusses the emerging risk of generative artificial intelligence and instructs firms to consider the implications of using AI in their business. The report cautions that while AI is promising, it has been marked by privacy, accuracy, bias, and intellectual property concerns. FINRA notes that firms should be mindful of new rules and guidance that may emerge in this changing regulatory landscape.  

Crypto Asset Developments

FINRA included crypto guidance for the first time in the 2024 report. The regulator warns firms intending to engage in crypto-related activities to address all regulatory and compliance challenges and risks. This includes making sure a firm’s systems and procedures consider supervisory functions, such as anti-money laundering, manipulative trading, private securities transactions, outside business activities, communications with customers, and due diligence.

FINRA’s Membership Application Program has approved firms to engage in crypto asset securities business, including serving as a placement agent, operating an alternative trading system, and providing custodial services for crypto assets. In addition to firms specifically approved by FINRA to engage in crypto asset securities business, the regulator has asked all firms to notify FINRA if they or an affiliate intend to engage in crypto-related activities, including activities related to crypto assets that are not securities.

FINRA’s Advertising Regulation Department noticed crypto-related retail communications with noncompliance rates that are significantly higher than in other products. As a result, FINRA began initiating targeted exams to review practices with firms that actively communicate with customers regarding crypto.

For those firms engaged in crypto-related activities, effective practices include:

  • Performing due diligence on unregistered crypto offerings to ensure the firm knows, among other things, where the assets will be maintained, who has access to the crypto wallet, how funds will be returned if the minimum amount is not raised, and the specific mechanics of the crypto asset security.
  • Conducting risk-based on-chain assessments when the firm or its associated people are accepting, trading, or transferring a crypto asset, and establishing procedures for when the firm should perform these assessments.
  • Ensuring customers understand the difference between their brokerage accounts and their linked/affiliated crypto accounts.

Off-Channel Communications

Consistent with intensive SEC and FINRA enforcement efforts in the area of unapproved off-channel communications, FINRA has observed that firms are not capturing, reviewing, and archiving electronic communications of registered representatives, such as those sent through permitted non-firm email addresses used to conduct firm business, including domains for “doing business as” entities.

Effective books and records practices, including off-channel communication practices, include:

  • Reviewing vendors’ contracts and agreements to assess whether firms will be able to comply with the record-keeping requirements.
  • Testing record-keeping vendors’ capabilities to fulfill regulatory obligations by, for example, simulating a regulator’s examinations by requesting records and engaging regulatory or compliance consultants to confirm compliance with the record-keeping requirements.

Regulation Best Interest and Form CRS

FINRA continues to examine firms for compliance with SEC Regulation Best Interest (Reg BI) and Form CRS. With regard to Reg BI’s care obligation, the 2024 report includes pointers for firms on evaluating costs and reasonably available alternatives when making recommendations. For example, FINRA asks:  

  • Has your firm developed a process to identify the scope of reasonably available alternatives that its associated persons should evaluate?
  • Do your firm and its associated persons begin by considering a broader array of investments or investment strategies generally consistent with the retail customer’s profile, before narrowing the scope to a smaller universe of potential investments or investment strategies, as the analysis becomes more focused on meeting the best interest of a particular retail customer?
  • When recommending a higher-cost or higher-risk product, do your firm and its associated persons consider whether any reasonably available alternatives are less costly or lower risk, and consistent with the retail customer’s investment profile?

With respect to Reg BI’s conflict of interest obligation, the 2024 report asks whether firms have considered a list of practices to identify conflicts of interest, including:

  • Defining conflicts in a manner that is relevant to the firm’s business.
  • Evaluating whether conflicts arise in different aspects of the relationship with the retail customer, including account recommendations, product menus, allocation of investment opportunities among retail customers and cash management services.
  • Establishing a process to identify the types of conflicts the firm and its associated persons may face and how such conflicts may impact recommendations.
  • Providing for an ongoing process to identify conflicts arising, for example, in connection with changes to the firm’s business or structure, changes in compensation structures, or introduction of new products or services.
  • Establishing training programs regarding conflicts of interest that address roles and responsibilities (among other considerations).

When firms deliver Form CRS electronically, FINRA found that firms have not always taken steps to present Form CRS prominently in the electronic communication and make it easily accessible to retail investors. 

FINRA notes that a Reg BI disclosure obligation effective practice includes tracking and delivering Form CRS and Reg BI-related documents to retail customers in a timely manner by automating tracking mechanisms to evidence delivery of Form CRS and other relevant disclosures and memorializing delivery of required disclosures at the earliest triggering event.

Variable Annuities

FINRA continues to focus examination efforts on exchanges of variable annuities. New examination findings for 2024 include insufficient supervision of exchange recommendations, including those involving increased fees to the customer (e.g., surrender fees for early liquidation of the customer’s existing product) or the loss of material, paid-for accrued benefits (e.g., loss of living benefit rider). 

FINRA also observed “inadequate procedures and systems that do not detect rates of exchanges,” as in the case of recommending the same replacement of a variable annuity to many customers with different investment objectives. In this regard, a new effective practice noted in the report is requiring registered representatives, when recommending variable annuities to retail customers, to provide them with “clear, accessible materials that allow them to compare the fees, benefits lost or gained and surrender periods for different variable annuities.”

Consolidated Audit Trail (CAT)

FINRA continues to focus on firm compliance with Rule 613 of the Securities Exchange Act of 1934 and the FINRA Rule 6800 series (Consolidated Audit Trail Compliance Rules) (collectively, “CAT rules”). The CAT rules are designed so that firms may track all activity in NMS securities. Helpful guidance regarding firm supervisory responsibilities associated with CAT compliance can be found in FINRA Regulatory Notice 20-31.

FINRA is particularly focused on CAT-related written supervisory procedures and whether firms are periodically evaluating their supervisory controls to ensure they are reasonably designed to ensure compliance with the CAT rules.

FINRA’s findings regarding CAT compliance have focused on:

  • Incomplete submission of reportable events.
  • Failure to repair errors timely.
  • Unreasonable vendor supervision.
  • Record-keeping violations.

FINRA recommends the following as effective practices for CAT compliance:

  • Mapping internal records to CAT-reported data: maintaining a “map” that shows how the firm’s internal records and blotters correspond to various fields reported to CAT.
  • Archiving CAT feedback: archiving CAT feedback within a 90-day window so that firms can submit corrections, if necessary.
  • CAT supervision: implementing written supervisory procedures requiring a comparative review of CAT submissions versus firm order records (including for firms that rely on third-party submitters), conducting a daily review of the CAT Reporter Portal, regardless of the error rate percentage, and using CAT Report Cards and CAT FAQs to design an effective and reasonable supervision process.
  • Ensuring CAT Clock Synchronization through the use of daily logs to assess clock drift.

Best Execution

FINRA continues to focus on best execution obligations under FINRA Rule 5310, notwithstanding that the SEC proposed, in December 2022, its own best execution rules (proposed Exchange Act Rules 1100, 1101, and 1102), which would likely replace FINRA Rule 5310. But until the proposed rules are enacted, FINRA Rule 5310 remains in effect. 

Best execution requires that, in any transaction for or with a customer or a customer of another broker-dealer, a member firm and persons associated with a member firm shall use reasonable diligence to ascertain the best market for the subject security and buy or sell in such market so that the resultant price to the customer is as favorable as possible under prevailing market conditions.

FINRA’s relevant findings regarding best execution have focused on:

  • Does the firm conduct “regular and rigorous” reviews of execution quality?
  • How does the firm, if it accepts payment for order flow, prevent those payments from interfering with execution quality?
  • Has the firm established targeted policies and procedures to address its best execution obligations for fixed income and options products (if applicable)?

FINRA recommends the following as effective practices for best execution:

  • Using exception reports and surveillance reports to support firms’ efforts to meet their best execution obligations.
  • Regularly evaluating the thresholds your firm uses to generate exceptions as part of the firm’s supervisory systems designed to achieve compliance with the firm’s “full and prompt” obligations.
  • Reviewing how payment for order flow affects the order-handling process, including the following factors: any explicit or implicit contractual arrangement to send order flow to a third-party broker-dealer; terms of these agreements; whether it is on a per-share basis or per-order basis; and whether it is based upon the type of order, size of order, type of customer, or the market class of the security.
  • Conducting “regular and rigorous” reviews, at a minimum, on a quarterly or more frequent basis (such as monthly), depending on the firm’s business model, that consider the potential execution quality available at various trading centers, including those to which a firm does not send order flow.

Disclosure of Routing Information

FINRA is focusing on the quarterly Rule 606 reports that a firm files to disclose information regarding the handling of customer orders in NMS stocks and certain options, and whether the reports are accurate, properly formatted, and capture the right information.

In August 2023, the SEC approved two new FINRA rules regarding such disclosures (FINRA Rules 6151 “Disclosure of Order Routing Information for NMS Securities” and 6470 “Disclosure of Order Routing Information for OTC Equity Securities”). The new rules require firms to publish monthly order routing information for OTC securities on a quarterly basis and to submit these reports, along with order routing reports for NMS securities, to FINRA for centralized publication.

FINRA’s findings regarding the completeness or accuracy of the reports have focused on:

  • The classification of orders, to include both “other orders” and “special handling” orders.
  • Incorrectly stating the firm does not receive payment for order flow from execution venues.
  • Not including payments, credits, or rebates (whether received directly from an exchange or through a pass-through arrangement) in the “net payment paid/received” and “material aspects” sections of the quarterly report.
  • Reporting only held orders in listed options, instead of both held and not held orders.
  • Inadequate descriptions of payment for order flow arrangements.
  • Not notifying customers in writing of the availability of the information specified in Rule 606.
  • Insufficient written supervisory procedures not reasonably designed to achieve compliance with Rule 606.

Effective practices include:

  • Regular, periodic supervisory reviews of the Rule 606 reports for accuracy and completeness.
  • Where third-party vendors provide such reports, reviewing the content of the reports for accuracy and completeness.

Regulation SHO — Bona Fide Market Making Exemptions

FINRA is focusing on compliance with the closeout requirements and “locate” requirements for short sales under Rules 203 and 204 of Regulation SHO and, specifically, whether the market maker exception is being correctly applied. Typically, this turns on whether the market maker is engaged in bona fide market making activity.

FINRA’s findings have focused on distinguishing bona fide market making activity from other proprietary trading activity based on the posted quotes.

Effective practices include:

  • Establishing supervisory systems to supervise and review market making activity to ensure that any reliance on the market making exception is appropriate.
  • Establishing policies and procedures to ensure that the firm’s closeout actions adhere to the requirements of Rule 204.

Market Access Rule

Exchange Act Rule 15c3-5 (Market Access Rule) requires firms that provide market access to their customers to appropriately control the risks associated with market access so as not to jeopardize their own financial condition, that of other market participants, the integrity of trading on the securities markets, and the stability of the financial system.

FINRA’s findings have focused on:

  • Not establishing pre-trade order limits, thresholds, and duplicative or erroneous order controls for accessing alternative trading systems.
  • Pre-trade order limits set at unreasonable thresholds based on the firm’s business model.
  • Not maintaining documentation demonstrating the reasonableness of the pre-trade controls.
  • Not establishing reasonable policies and procedures to govern intraday changes to thresholds and to document their justifications.
  • Inadequate financial risk management controls.
  • Reliance on vendors.
  • Failure to document annual reviews of the effectiveness of the firm’s controls and supervisory procedures.

Effective practices include:

  • Implementing systemic pre-trade “hard” blocks to prevent fixed income orders from reaching an alternative trading system that would cause the breach of a threshold.
  • Implementing processes for requesting, approving, reviewing, and documenting ad hoc credit threshold increases and returning limits to their original values as needed.
  • Implementing detailed and reasonable written supervisory procedures that list the steps that firm personnel should take when determining how to handle orders that trigger soft blocks.
  • Tailoring erroneous or duplicative order controls to particular products, situations, or order types, and preventing the routing of market orders based on impact (e.g., average daily volume control) that are set at reasonable levels (particularly in thinly traded securities).
  • Ensuring that controls apply to all order flow and all trading sessions.
  • Developing reasonable complementary controls (e.g., a market impact check, a liquidity check, an average daily volume control) based upon the firm’s business model and historical order flow, and using a benchmark when pricing child orders for a larger parent market order (e.g., the NBBO or last sale at the time of the initial child order route) to monitor the cumulative market impact of subsequent child orders over a short period of time.

Net Capital

In its 2023 exams focusing on financial controls and net capital compliance, FINRA observed some minor deficiencies, as well as some material ones, including the following:

  • Lack of supervisory review of various key functions, such as wire movements and financial report preparation.
  • Not properly designating a qualified financial and operations principal per FINRA Rule 1220 (registration categories).
  • Misclassification of assets and liabilities, inadequate reconciliations, and not adequately accruing liabilities, leading to inaccurate financial reporting and, in some cases, net capital deficiencies.
  • Expense sharing and service level agreements that failed to adequately outline the allocation of expense as required by SEC rules and addressed in NASD Notice to Members 03-63 (“SEC Issues Guidance on the Recording of Expenses and Liabilities by Broker/Dealers”).
  • Providing persons not associated with the broker-dealer with authority over firm bank accounts, thereby allowing them to perform certain covered functions without proper registration, as defined in FINRA Rule 1220.

FINRA advises firms to take these findings into consideration when evaluating their internal financial controls.

*           *           *

The 2024 report is a helpful resource for compliance professionals. Firms are encouraged to review their compliance practices and written supervisory procedures, and revise practices and procedures as necessary to address topics covered in the 2024 report. FINRA will continue to assess the compliance, supervision, and risk management issues covered in the 2024 report.

©2024 Carlton Fields, P.A.