FINRA and OCIE each have issued their 2017 examination priorities. Not surprisingly, there are many common subjects, including (1) high-risk and recidivist brokers, (2) senior investors, and (3) operational risks such as cybersecurity and anti-money laundering. FINRA’s Annual Regulatory and Examination Priorities Letter covers fewer subjects than in previous years and, in contrast to both the 2015 and 2016 letters, this year does not offer a set of discrete themes. Instead, FINRA focuses on what the cover letter emphasizes as the core “blocking and tackling” issues of compliance, supervision, and risk management. OCIE’s 2017 priorities include more focus on its oversight of FINRA, which now has greater responsibility for conducting exams of registered broker-dealers. OCIE also will engage in a number of examination initiatives aimed at registered investment advisers. Both regulators emphasized their expanded capabilities to analyze data and the role that data analysis plays in their exam programs.
We highlight some of the more significant priorities for financial services firms focused on retail investment activities.
High-Risk and Recidivist Brokers
FINRA notes that it recently established a dedicated examination unit to identify and inspect brokers who may pose a high risk to investors, and it says that in 2017, it will review firms’ supervisory procedures for hiring or retraining statutorily disqualified and recidivist brokers, including whether the firm conducts a national search of public records to validate an applicant’s Form U4. FINRA also plans to continue to evaluate firms’ branch office inspection programs and supervisory systems for branch and non-branch locations. This emphasis on problem brokers is not too surprising given FINRA’s historical interest and recent concern expressed in Congress about the problem, one that FINRA has been working on with varying degrees of success for some time. OCIE says it will continue to use data analytics to identify and examine high-risk and recidivist brokers and the investment advisers that employ them this year.
The protection of senior investors remains a top priority for both FINRA and OCIE in 2017. OCIE will focus on the recommendation of variable insurance products and target date funds. OCIE also says it will examine investment advisers to state pension plans, municipalities, and other government entities that hold a large amount of investors’ retirement assets, focusing on assessments of how those advisers manage conflicts of interest, gift and entertainment practices. FINRA says it will assess firms’ controls to protect senior investors from fraud and improper advice. FINRA is especially concerned about recommendations to senior investors involving complex or speculative products that promise high yields and microcap securities.
Product Suitability and Concentration
FINRA again will focus on unsuitable product recommendations to retail customers. It notes the concern that registered representatives themselves may not adequately understand a product’s features, citing as examples complex or novel exchange-traded products, structured retail products, leveraged and inverse exchange-traded funds, non-traded real estate investment trusts, and unlisted business development corporations. FINRA will focus attention this year on firms’ reasonable-basis and customer-specific suitability review processes, including product vetting processes, supervisory systems and controls to review recommendations. FINRA will also increase its scrutiny of the controls firms use to monitor for excess concentration.
Excessive and Short-Term Trading of Long-term Products
Echoing concerns regarding excessive trading and concentration controls expressed in its 2015 priorities letter, FINRA highlights instances of registered representatives recommending that their clients trade long-term products on a short-term basis, which is detrimental to clients who may experience diminished investment returns because of increased costs. For example, in May 2016, a firm was censured and fined $250,000 for, among other conduct, failing to establish, maintain, and enforce a supervisory system and WSPs reasonably designed to prevent unsuitable short-term trading of UITs. Similarly, in June 2016, FINRA sanctioned a firm $100,000 for failing to establish and maintain a system and procedures that were reasonably designed to supervise its registered representatives’ sales of closed-end funds (CEFs) to their customers, including detection and prevention of unsuitable short-term trading of CEFs. In that case, FINRA focused on how the firm did not appropriately act upon proper flagging by the firm’s centralized supervision unit. For 2017, FINRA cautions that firms need to evaluate whether their supervisory systems can even detect activity intended to evade automated surveillance for excessive switching activity. That is, the proper infrastructure of supervisory systems and surveillance needs to be in place to detect the excessive trading and prevent any registered representatives from “cheating” the system.
Outside Business Activities and Private Securities Transactions
FINRA continues to emphasize the importance of firms’ controls to review registered persons’ written notification of proposed outside business activities and proposed private securities transactions. FINRA expects that firms will not only collect information about their representatives’ activities but further engage in ongoing supervision over associated persons’ approved private securities transactions for compensation. Monitoring outside business activities and private securities is especially critical when firms employ representatives who are dually-registered with unaffiliated investment advisors. For example, in July 2016, FINRA sanctioned a firm that had dually-registered representatives because it failed to record the transactions that the representatives executed away from the firm.
Cybersecurity has become a perennial examination topic. This year, FINRA highlights two areas where it has observed shortcomings in controls: cybersecurity controls at branch offices and failing to fulfill one or more obligations under Securities Exchange Act (SEA) Rule 17a-4(f). The former issue involves poor controls regarding daily practices, including passwords, encryption of data, portable storage devices, virus protection, and physical security of assets and data, which are not as strong in branch offices. The latter issue involves, among other problems, failing to preserve certain records in a non-rewritable, non-erasable format, a.k.a. WORM format. FINRA notes that it announced actions against 12 firms for, in part, failing to preserve broker-dealer and customer records in WORM format. FINRA acknowledges cybersecurity’s effect on firms and continues to provide resources on its industry issues page dedicated to cybersecurity, which includes relevant notices, guidance, and news releases. Notably, in May 2016, FINRA added the “Small Firm Cybersecurity Checklist” to help smaller firms establish cybersecurity programs. OCIE also promises to continue its initiative to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls.
Supervisory Controls Testing
Consistent with recent years, FINRA again says that it will assess firms’ testing of their internal supervisory procedures. It notes that control breakdowns can include record-retention omissions and failures to deliver requisite disclosure or other documents to clients, as well as situations where automated alerts fail to identify activity in client accounts for further review or where extensive manual intervention is necessary to make the data useable. FINRA encourages firms to engage in regular testing of their supervisory systems to identify and mitigate gaps. Note that this is more than simply a best practices suggestion, as firms must engage in controls testing and certification under FINRA Rules 3120 and 3130.
Anti-Money Laundering and Suspicious Activity Monitoring
Similar to cybersecurity, anti-money laundering and suspicious activity monitoring remain top of mind for securities regulators. This year, FINRA calls out gaps in firms’ automated trading and money movement surveillance systems caused by data integrity problems, poorly set parameters or surveillance patterns that do not capture problematic behavior such as suspicious microcap activity, and weaknesses in systems monitoring foreign currency transactions and transactions that flow through suspense accounts. In May 2016, FINRA fined two affiliated firms a total of $17 million for failing to establish and implement adequate AML procedures, which resulted in the firms’ failure to properly prevent or detect, investigate, and report suspicious activity for several years. One of the firms’ former AML Compliance Officers was also fined $15,000 and suspended for three months. FINRA noted that the firms’ significant growth was not matched by commensurate growth in their AML compliance systems and processes. Also, in September 2016, FINRA censured and issued a $350,000 fine to a firm with no former disciplinary history for failing to establish and implement an adequate AML program and procedures tailored to its Venezuelan bond business or its foreign customer base. OCIE says it will continue to examine broker-dealers to assess whether AML programs are tailored to the specific risks faced by the firm. OCIE also emphasizes the importance of effective independent testing. Thus, it remains critically important for firms to concentrate on AML compliance this year.
There are no big surprises in either the FINRA or OCIE 2017 priorities, and many of the areas identified carry over from previous years. As always, firms should use the letters as a checklist to critically evaluate the quality of their control procedures and to ensure that their procedures are specifically tailored to their practices, product mix, and customers.
 In 2015, FINRA identified five key areas that it said compromise the ability to protect investors and undermine integrity of the markets: alignment of customer and firm interests, ethical standards, strong supervisory and risk management systems, novel products, and conflicts management. In 2016, FINRA identified three broad issues—culture, conflicts of interest, and ethics; supervision, risk management, and controls; and liquidity.
 In 2013, FINRA launched the “High-Risk Broker Initiative” to “identify for targeted, expedited review those individuals who pose a significant risk to investors or the industry—and where they have harmed investors and violated our rules, to bar them from the industry as quickly as possible.” FINRA expanded the program in 2014 by creating a dedicated enforcement team to prosecute such cases.
 In March 2016, at a Senate Banking subcommittee hearing, Senator Elizabeth Warren recounted the number of recidivist registered representatives who have engaged in civil, criminal, or regulatory misconduct but are still practicing based on a study issued by economists from the University of Chicago. She pressed then FINRA CEO Rick Ketchum: “As the head of FINRA, what are you doing to make sure that the elderly and people who can least afford bad financial advice don’t fall into the net of someone who has already got a documented history of misconduct?”