FINRA Report Suggests Growing Need for Enhanced Risk Management in Cybersecurity and Outside Business Activities

Firms that have seen the recently released 2021 Report on the Financial Industry Regulatory Authority’s (FINRA’s) Examination and Risk Monitoring Program (the “Report”) should be formulating plans to fortify their compliance programs based on the noteworthy findings shared from recent FINRA exams. The Report provides firms with valuable insight into 18 regulatory topics categorized by Firm Operations, Communications and Sales, Market Integrity, and Financial Management.

Regulation Best Interest, communications with the public, and compliance with best execution obligations remain popular hot buttons with FINRA. But recent observations indicate FINRA’s continued focus in risks in two areas – Cybersecurity/Technology Governance and Outside Business Activities (OBA) –posed by the continued move to remote work platforms.

Cybersecurity/Technology Governance

To help prevent against the actions of bad actors and other technology-related incidents, FINRA suggests firms continue to develop, document, and maintain effective cybersecurity and system-based controls that include amongst other things, robust third-party vendor oversight and the need for evolving change to existing management and supervisory procedures.

Based on the current regulatory environment and findings from the recent FINRA report, your firm should be prepared to affirmatively answer these questions related to Cybersecurity/Technology, Policies and Procedures, and Business Continuity plan:

  • What technology structure(s) and systems(s) have you developed to identify and respond to salient cybersecurity risks?
  • Do you have a data-loss prevention program/system in place, one that includes the encryption of client-related information and sensitive firm and human resources information?
  • What are your policies and procedures regarding the review of cybersecurity controls of existing and prospective vendors?
  • Have you implemented and documented a comprehensive cybersecurity training program for employees, consultants, and third-party providers?
  • To what extent have you implemented Multi-Factor Authentication (MFA) or similar access management controls?
  • Do you categorize cybersecurity-related risks based on their potential impact to your business? If so, how?
  • What level of supervisory oversight do you have in place to document and approve system change requests and approvals?
  • What are your policies and procedures to address potential risk in connection with the management of associated personnel, client-account access, and your firm’s intellectual and proprietary property, such as trading algorithms?
  • What are your firm’s procedures for tracking information, such as software and/or system risks, the proposed recommendations, and subsequent remediation?

Outside Business Activities (OBA)

As detailed in the Report, FINRA has also taken a closer look at whether firms are in compliance with Rule 3270 (Outside Business Activities of Registered Persons (“OBAs”)), which requires registered representatives to notify their firms in writing of any OBAs with which they’re associated and/or involved in. For example, FINRA flagged pandemic-related Principal Protection Program (PPP) loans as an emerging risk last year suggesting that firms check publicly available records to determine whether a registered representative has received such a loan and omitted to disclose such Information as part of the firm-required OBA.

Given its sharpened focus on OBAs, FINRA’s Report encourages firms to maintain clear policies and procedures that provide for the monitoring of social media and related networking activities publicly available,  financial reports, and public records to detect potential OBAs, and to require that such associated persons document their involvement of the OBAs In a manner consistent with the firm’s policies and procedures before and during the registered representative’s Involvement at the firm.

Here are some of the OBA-related questions that the FINRA Report described as being useful for your firm’s compliance department to review and determine they could respond with confidence when discussed during an examination:  

  • Do your firm’s Written Supervisory Procedures (“WSP”) clearly state when preapproval is required prior to engaging in an OBA, and if so, how must such preapproval be obtained?
  • What policies and procedures does your firm have in place to identify individuals involved in undisclosed OBAs?
  • Does your firm take into account the unique regulatory considerations and characteristics of digital assets when reviewing digital-asset OBAs?
  • What procedures, if any, does your firm have to monitor lifestyle changes of your registered representatives that could result from their participation in an undisclosed OBA?
  • As part of your firm’s onboarding and ongoing training programs, are registered representatives reminded to give written notice and obtain preapproval of their participation in any OBAs, and to update previously provided disclosures, as needed?
  • What disciplinary policy, if any, does your firm have for registered representatives who fail to notify and/or receive preapproval for an OBA?

Recommended Steps

Senior management, legal departments, and compliance officers should thoroughly review FINRA’s Report in its entirety to identify potential gaps or deficiencies that could surface during an examination.  Consider the Report a useful roadmap to determine where your firm’s policies and procedures line up vs. where  it needs to go.

The experienced attorneys and regulatory specialists at Jacko Law Group, PC’s (“JLG”) can help you navigate these evolving changes. Our approach at JLG is  to uncover previously unidentified shortcomings and potential areas of Improvement In connection with your firm’s policies and procedures. JLG can also assist you In crafting your team’s response to any inquiries you may receive from the respective governing agencies.

Contact us at (619) 298-2880 or visit us online at to schedule a consultation.

Leave a Reply

Your email address will not be published. Required fields are marked *