Client Alert- FINRA and NFA Issue Compliance Guidance

Feb 19, 2021
  • Corporate Law
  • Financial Services
  • FinTech and Blockchain
  • FisherBroyles News

A copy of this Client Alert can be found HERE .


On February 1, 2021, the Financial Industry Regulatory Authority (“FINRA”) issued a comprehensive report entitled “2021 Report on FINRA’s Examination and Risk Monitoring Program” (the “Report”).[1]  The Report is designed to assist FINRA member firms (“member firms” or “Firms”) in addressing issues in their  compliance programs and discusses 19 different compliance areas.  The National Futures Association (“NFA”) followed on February 8 by releasing three Notices to Members (collectively, the “Notices”) that cover educational resources, common regulatory and compliance deficiencies, and recent regulatory amendments, each aimed at different categories of registrants, to assist members in effectively meeting their regulatory obligations.[2]  In this alert, we provide an overview of the FINRA Report and NFA Notices.

FINRA Report

For select broker-dealer regulatory obligations, FINRA’s Report: (i) identifies the applicable rule and key related considerations for member firms to comply; (ii) summarizes noteworthy findings from FINRA examinations and outlines effective practices noted during FINRA oversight and (iii) provides additional resources.  The Report suggests that broker-dealers can use it as a tool for among other things reviewing the adequacy of their current compliance procedures, identifying gaps in the procedures that should be addressed and flagging additional risks that they should monitor, and as a training and informational resource for keeping employees informed and apprised of compliance requirements.  FINRA expects to revisit the Report annually, as it did with two of its prior publications in the compliance area.

The Report addresses broker-dealer requirements in four categories: (i) Firm Operations; (ii) Communications and Sales; (iii) Market Integrity; and (iv) Financial Management.  Of note, the Report does not address how FINRA member firms adjusted their operations during the pandemic.  FINRA’s review of exam findings, observations or effective practices relating to the pandemic will be addressed in a future publication.

The specific requirements in each category addressed by the Report are as follows:

Firm Operations

  • Anti-money laundering,
  • Cybersecurity and technology governance,
  • Outside business activities and private securities transactions,
  • Books and records,
  • Regulatory events reporting, and
  • Fixed income mark-up disclosures.


Communications and Sales

  • Regulation BI and Form CRS,
  • Communications with the public,
  • Private placements, and
  • Variable annuities.


Market Integrity

  • Consolidated audit trail,
  • Best execution,
  • Large trader reporting,
  • Market access, and
  • Vendor display rule.


Financial Management

  • Net capital,
  • Liquidity management,
  • Credit risk management, and
  • Segregation of assets and customer protection.

While all of these areas contain important information, in this alert we focus on certain of the key requirements highlighted by FINRA that we believe may be significant for many of our broker-dealer clients.

Anti-money Laundering 

Anti-money laundering (“AML”) has long been a concern for FINRA and other regulators, and FINRA rules require broker-dealers to have written policies and procedures reasonably designed to comply with AML regulations.  The Report notes a number of deficiencies found by FINRA examinations, including, among others:

  • Inadequate AML transaction monitoring not tailored to a Firm’s business;
  • Limited scope for suspicious activity reports not covering a range of events involving suspicious transactions;
  • Failing to incorporate AML risks associated with cash management accounts in Firms’ AML programs;
  • Failure to document investigations,
  • Inadequate identification of increased high-risk trading by foreign legal entity accounts in similar low-float and low-prices securities,
  • Insufficient independent testing, and
  • Improper reliance on clearing firms.

In addition, FINRA highlights areas of emerging concerning involving AML, including (i) suspicious activity in micro-cap and penny stocks, (ii) accounts for foreign customers that appear to have been opened solely to trade in initial public offerings in shares issued by companies based in restricted markets and (iii) risks related to special purpose acquisition companies including inadequate procedures for conducting due diligence and addressing potential fraud risks.

Best Execution

FINRA has routinely reviewed member firms for their compliance with best execution obligations.  The Report notes that FINRA has continued to focus on potential conflicts of interest in order-routing decisions, appropriate policies and procedures for different order and security types, and the sufficiency of member firms’ reviews of execution quality. FINRA also has conducted a targeted review of member firms that do not charge commissions for customer transactions (“zero commission” trading) to evaluate the impact that not charging commissions has or will have on member firms’ order-routing practices and decisions, and other aspects of member firms’ business.  Generally, retail firms have moved to this zero-commission model, seeking to replace the lost commissions with payment for order flow.

Although the results of this targeted review have not been released, the Report reminds broker-dealers that they have a continuing obligation to seek best execution for their customers by conducting a “regular and rigorous” review of speed of execution, price improvement, and the likelihood of execution of limit orders, among other things.  The Report also notes that broker-dealers need to consider potential conflicts of interest that might result from order routing arrangements and to ensure that appropriate disclosures are being made regarding payment for order flow arrangements and related conflicts.

Reg. BI and Form CRS

Reg. BI is the new SEC rule that establishes a “best interest” standard of conduct for broker-dealers and associated persons when they make a recommendation to retail customers of any securities transaction or investment strategy involving securities, including recommendations of types of accounts.  Broker-dealers are also required to provide a brief relationship summary, Form CRS, to retail investors that includes certain required disclosures.  In light of the newness of these requirements, which only recently went into effect, the Report does not contain examination findings about compliance with Reg. BI and Form CRS, although FINRA states it expects to publish examination findings in the future.  In lieu thereof, the Report encourages broker-dealers to take into account the following considerations, among others, in connection with Reg. BI and Form CRS compliance:

  • Has the firm provided adequate Reg. BI training to its sales and supervisory staff?
  • Does the firm have policies, procedures and controls addressing Reg BI’s recordkeeping requirements?
  • Does the firm and its associated persons consider the express new elements of care, skill and costs from Reg. BI when making recommendations to retail customers?
  • Does the firm and its associated persons consider reasonably available alternatives to these recommendations?
  • Does the firm place any material limitations on the securities or investment strategies involving securities that may be recommended to retail customers, and if so, does the firm address and disclose such limitations?
  • Does the firm have policies and procedures to identify and address conflicts of interest with respect to retail recommendations?
  • If the firm is not dually registered as an investment adviser, commodity trading advisor or municipal advisor, does the firm or any of its associated persons who are not dually registered advisors or advisory representatives use “adviser” or “advisor” in their name or title?
  • Does the firm have policies, procedures and controls in place regarding the filing, updating and delivery of Form CRS?
  • Does the firm’s Form CRS accurately respond to the disciplinary history questions with regard to the firm and its financial professionals?

Communications with the Public

FINRA’s rules generally require all communications with customers to be fair and balanced.  The Report focuses on FINRA’s requirement in the context of digital assets.  FINRA notes that its examinations had uncovered promotional materials for digital assets that:

  • Failed to balance promotional statements with prominent risk disclosures;
  • Included false, misleading or unwarranted statements;
  • Used the same firm names, websites and other materials for broker-dealers and their digital asset affiliates;
  • Did not identify the (non-broker-dealer) entities responsible for digital asset offerings; and
  • Implied that digital assets were offered by the broker-dealer.

The Report also discusses examination findings with regard to communications involving cash management accounts.  In that regard, FINRA notes that its examinations had uncovered: (i) misrepresentations of material information relating to cash management accounts in online and other communications (in some cases, despite written and verbal warnings from FINRA’s Advertising Regulation Department), including, for example, the firms’ status as broker-dealers rather than banks; (ii) the status of cash management accounts as “checking and savings accounts;” (iii) the amount of FDIC insurance coverage for the deposits; (iv) the amount of time it may take for customer funds to reach the bank accounts; (v) terms of the cash management accounts; and (vi) risks of participating in such programs.

In addition, the Report discusses emerging risks with respect to digital communications, including a “surge” in retail investors opening accounts with online brokers that offer interactive and “game-like” features to induce customers to actively trade.  FINRA states that firms must evaluate these features to determine whether they meet regulatory obligations to comply with Reg. BI and Form CRS requirements, make disclosures to customers regarding risk and other factors, prohibit the use of misleading statements and comply with account openings procedures, among other requirements.

Consolidated Audit Trail (“CAT”)

The Report notes that all member firms that receive or originate orders in National Market System (“NMS”) stocks, over-the-counter (“OTC”) equity securities or listed options must report to CAT.  All proprietary trading activity, including market making activity, is subject to CAT reporting. There are no exclusions or exemptions for size or type of firm or type of trading activity.  The Report states that FINRA is in the early stages of reviewing for compliance with certain CAT obligations and as such, exam findings are not included in the Report but will be provided at a later time when more information is available. In the interim, member firms should consider, among other things, whether their CAT Rules written supervisory procedures, at a minimum: (1) identify the individual, by name or title, responsible for the review of CAT reporting; (2) describe specifically what type of review(s) will be conducted of the data posted on the CAT Reporter Portal; (3) specify how often the review(s) will be conducted; and (4) describe how the review(s) will be evidenced.


The Report states that member firms’ ongoing and increasing reliance on technology for many customer-facing activities, communications, trading, operations, back-office and compliance programs—especially in the current remote work environment in light of the pandemic—requires them to address new and existing cybersecurity risks, including risks relating to cybersecurity-enabled fraud and crime.  FINRA notes that a firm’s cybersecurity program should be reasonably designed and tailored to the firm’s risk profile, business model and scale of operations.  Among other deficiencies found by FINRA in its examinations include:

  • Not encrypting all confidential data, including a broad range of non-public customer information in addition to Social Security numbers (such as other account profile information and firm information).
  • Not maintaining branch-level written cybersecurity policies; inventories of branch-level data, software and hardware assets; and branch-level inspection and automated monitoring programs.
  • Not providing comprehensive training to registered representatives, personnel, third-party providers and consultants on cybersecurity risks relevant to individuals’ roles and responsibilities, including phishing.
  • Not implementing and documenting formal policies and procedures to review prospective and existing vendors’ cybersecurity controls and managing the lifecycle of firms’ engagement with all vendors (i.e., from onboarding, to ongoing monitoring, through off-boarding, including defining how vendors will dispose of non-public client information).
  • Not implementing access controls.


With regard to emerging risks in the cybersecurity area, the Report mentions that FINRA recently observed increased numbers of cybersecurity- or technology-related incidents at firms, including:  systemwide outages; email and account takeovers; fraudulent wire requests; imposter websites; and ransomware.  FINRA also  noted data breaches at some firms and remains concerned about increased risks for firms that do not implement practices to address phishing emails or require multi-factor authentication for accessing non-public information.

 Private Placements

FINRA Rules impose requirements on broker-dealers participating in private placements of securities, including a duty of “reasonable investigation” of the investment opportunity, and the requirement to file certain private placement documents with FINRA.  Reg. BI also applies to broker-dealer recommendations to retail customers with respect to privately-placed investments.  The Report notes a number of deficiencies found in FINRA examinations, including:

  • Not having policies and procedures, processes and supervisory programs to comply with filing requirements (See, e.g., FINRA Rules 5122 and 5123.
  • Failing to perform reasonable investigations of private placement offerings prior to recommending the offerings to retail investors, including failing to conduct additional research about new offerings, relying on their experience with the same issuer in previous offerings and not conducing further inquiry into red flags identified during the investigation process.
  • Failing to address red flags (such as disciplinary history of the issuer’s management), conflicts of interest (such as undisclosed direct or indirect common ownership of affiliated entities or the issuer) or significant concerns (such as no legitimate operating history for the issuer) identified in third-party due diligence reports.

FINRA noted a number of steps that broker-dealers could take to improve compliance, including:

  • Creating private placement “checklists” with respect to requirements and deadlines for private placements.
  • Conducting and documenting independent research on material aspects of the offering, identifying any red flags with the offering or the issuer.
  • Clearly assigning responsibility for private placement filing requirements.
  • Creating private placement committees (at large firms) or formally designating one or more qualified persons (at smaller firms) to approve offerings for sale to investors.
  • Conducting ongoing monitoring after the offering to ascertain whether offering proceeds were used in a manner consistent with the offering memorandum, particularly for ongoing sales of an offering after initial closing.

Outside Business Activities and Private Securities Transactions

FINRA Rules 3270 (Outside Business Activities of Registered Persons) and 3280 (Private Securities Transactions of an Associated Person) require registered representatives to notify their firms in writing of proposed outside business activities, and all associated persons to notify their firms in writing of proposed private securities transactions, so firms can determine whether to limit or allow those activities. A Firm approving a private securities transaction where the associated person has or may receive selling compensation must record and supervise the transaction as if it were executed on behalf of the firm.  FINRA’s exam findings in this area included that Firms incorrectly interpreted the requirements, failed to retain the documentation necessary to demonstrate compliance with the requirements, failed to monitor limitations on registered representatives and with respect to digital asset securities, failed to apply the requirements correctly.


Overall, the Report is a valuable compilation of FINRA’s guidance as to compliance issues and related resources. The Report should also assist most broker-dealers to review and improve their compliance procedures across a broad range of regulatory requirements and help them to prepare for their next examination.

NFA Notices

In its Notices, NFA among other things highlights regulatory obligations and common deficiencies noted during examinations of its members, by registration category.

For swap dealers, Notice I-21-06 addresses the following:

  • Business Conduct Standards: NFA notes that common deficiencies included failure to disclose material information and pre-trade mid-market marks to counterparties prior to entering into uncleared swap transactions and failure to disclose daily marks to counterparties for the life of uncleared swap transactions.
  • Market Practices: Common deficiencies noted by NFA included failure to implement adequate trade surveillance to detect fraud, manipulation and abusive practices; and failure to conduct communication surveillance reasonably designed to ensure fair and balanced communications as well as detect fraud and other abusive practices.
  • Portfolio Reconciliation: While not stating any common deficiencies, NFA notes that swap dealers must engage in portfolio reconciliation and are required to establish, maintain and follow written procedures to resolve discrepancies.
  • Reporting: Common deficiencies included failure to report required regulatory messages, either at all or within regulatory timeframes; failure to report accurately required  data fields to the swap data repository; and failure to remediate errors and omissions as soon as technologically practicable after discovery.


        For futures commission merchants (“FCMs”), forex dealer members and introducing brokers, Notice I-21-07 highlighted the following:


  • Supervision: NFA noted that it expects firms to ensure that they have written supervisory policies and procedures to address the manner, frequency and results of monitoring written and oral communications.
  • Self-examination questionnaire: NFA reminded members that they must annually review their operations using NFA’s self-examination questionnaire.
  • Anti-money laundering: Common deficiencies mentioned by NFA included failure to establish or update existing contracts to incorporate the requirements that will be performed by another financial institution in cases where the member relies upon the financial institution to identify and verify beneficial owners of legal entity customers; failure to provide annual training; and failure to conduct an annual independent review of the anti-money laundering program.
  • Notifications and public disclosures (FCMs only): NFA reminded FCM members that they must notify their designated self-regulatory organization (“DSRO”)  within 24 hours they become subject of a formal investigation by the SEC, a securities self-regulatory organization (“SRO”) or a futures SRO and certain related reporting requirements.  FCM members must also update public disclosure information, including any changes to the principals to the firm, as changes to firm operations arise.


            For commodity pool operators and commodity trading advisors, NFA Notice I-21-08 discusses the following:


  • Self-examination questionnaires: NFA reminds CPO and CTA members that they must annually review their operations using the self-examination questionnaire.
  • Pool financial reporting notification requirements: NFA reminds CPO and CTA members of reporting requirements including changes in fiscal year end, changes in certified public accountant, extension requests and cessation of trading.
  • Calculation of financial ratios: NFA reminds CPO and CTA members that they must compute financial ratios using the accrual method of accounting and in accordance with U.S. GAAP or another internationally recognized accounting standards.


A common deficiency across all member registrant categories was the failure to properly train employees on cybersecurity. NFA reminds members that, pursuant to NFA Notice 9070, each member must adopt a written information systems security program to respond to unauthorized attacks and notify NFA, should such incidents occur, through the Cyber Notice Filing System.


FisherBroyles attorneys are knowledgeable on FINRA and NFA compliance and enforcement and are able to advise and assist you with both proactive efforts to build and maintain a compliance program, as well as responding to regulatory inquiries and enforcement matters.


For additional information, please contact any of the following or your regular FisherBroyles contact for assistance:   

Julian Hammar at [email protected];

Robert Boresta at [email protected];

Michael Pierson at [email protected]; or

Seth Travis at [email protected].

[1] Available at 2021 Report on FINRA’s Examination and Risk Monitoring Program |

[2] See NFA Notice I-21-06 for swap dealers; Notice I-21-07 for futures commission merchants, forex dealer members, and introducing brokers; and Notice I-21-08 for commodity pool operators and commodity trading advisors.

About FisherBroyles, LLP

Founded in 2002, FisherBroyles, LLP is the first and world’s largest distributed law firm partnership. The Next Generation Law Firm® has grown to hundreds of partners practicing in 23 markets globally. The FisherBroyles’ efficient and cost-effective Law Firm 2.0® model leverages talent and technology instead of unnecessary overhead that does not add value to our clients, all without sacrificing BigLaw quality. Visit our website at to learn more about our firm’s unique approach and how we can best meet your legal needs.

These materials have been prepared for informational purposes only, are not legal advice, and under rules applicable to the professional conduct of attorneys in various jurisdictions may be considered advertising materials. This information is not intended to create an attorney-client or similar relationship. Whether you need legal services and which lawyer you select are important decisions that should not be based on these materials alone.

© 2022 FisherBroyles LLP