In this Oyster Stew Podcast, Oyster Consulting’s experts Ed Wegener, Candy Palugi, Jeffrey Hiller and Evan Rosser provide their insights on the 2022 Report on FINRA’s Examination and Risk Monitoring Program. Topics include Reg BI, variable annuities, cybersecurity, Direct Business monitoring, SPACs, Private Placements and AML.
Transcript provided by Temi transcript services
Ed Wegener: Hello everyone, and welcome to the second in our series of podcasts about regulator priorities for 2022. I’m Ed Wegener, and I am Managing Director for Governance, Risk and Compliance for Oyster Consulting. Today, we’re going to talk about the recently released FINRA report on their exam and risk monitoring programs. The report highlights operational, sales, communication, financial, and market integrity priorities for FINRA. In today’s installment, we’re going to focus on operations, sales, and communications. I’m very fortunate to be joined by three of Oyster’s resident experts in Governance, Risk and Compliance – Candy Palugi, Evan Rosser, and Jeffrey Hiller. So thanks for joining me today, everyone.
As we expected, FINRA is focusing on Regulation Best Interest, or Reg BI. It’s been in place for over a year now, almost two years. They have highlighted that as one of their areas of focus for 2022. So maybe Candy, if you can start, what are some of the key considerations and findings that FINRA highlighted in their report?
Candy Palugi: Sure. Ed, thanks. Some of the things that they have noted are firms inaccurately believing that Reg BI and Form CRS do not apply to them. Like they don’t understand the interpretation of a retail investor, or they believe that because of the products they offer it doesn’t apply. They also pointed out failing to assess the cost and reasonable available alternatives when they’re making a recommendation of a product to a client. Testing seems to be an issue – testing your procedures, to make sure that they’re working as you intended them to. Identifying, disclosing, and mitigating conflicts. And eliminating conflicts, that’s regarding sales contests, quotas, non-cash compensation to your advisors. Making sure that Form CRS and Reg BI disclosures are adequate. That they’re filed appropriately with the SEC, and they’re displayed and delivered to your customers. And also some firms are misconstruing whether Form CRS is applicable to them as well. Kind of ties into the same, what customer do they have and what kind of products they’re offering.
Ed Wegener: It’s interesting that they highlighted the expanded definition of retail investors. I think that’s one of the things that firms have been getting tripped up by a little bit. The way the SEC defines retail investors under Reg BI is fairly expansive. It’s really anyone, any individual. And so even though a client might be a high net worth individual or an accredited investor, they would still be covered by the requirements of Reg BI and the requirements to provide the Form CRS. Since that’s something that I think they’ve been finding as they’ve been doing both the regular exams and sweep exams. So that is definitely something to keep in mind.
Candy Palugi: Yes, yes, that’s right. They also noted where some firms who are only offering investment company products, or they have self-directed accounts, oftentimes they are under the impression that Form CRS doesn’t apply to them, although it does.
Ed Wegener: I think the testing comment that they had in there as an effective practice, going back and testing your systems, is a good one to take note of. I know that as firms were approaching the effective date of Reg BI, there was a desire to get something set up so that firms could comply. But it’s definitely a good time now that the rule’s been in effect for as long as it has to take a look back at the program that you put in place and making sure that it’s working as intended.
Yes, I agree on that. And we all know that it’s no easy feat complying with the rule. There are the four different components, and it all has to tie in together. But FINRA also provided in this release some valuable information on recent exam findings and effective practices for complying with Reg BI. I think all the firms should review those thoroughly if you’re servicing retail clients. And take a look at your own policies and procedures related to what they’ve seen at other firms.
Ed Wegener: It’ll be interesting to see what they find when they start looking at firms’ procedures around reasonably available alternatives. I know firms are taking different approaches in terms of how they’re doing those assessments. But it’s important that the firms understand what products are on their shelves that advisors should be considering when doing those assessments. Making sure that they have available to them the information that they need in order to do those assessments. And even though the rule doesn’t require it, I think it does make sense to document those reviews. In case you’re asked by the regulators when they come in to demonstrate that you’ve done that.
Jeffrey Hiller: My comment would be just a general one that I’m often asked by people. How do you eliminate these conflicts of interest? And I say, you don’t, you just have to manage them in some way. You can manage them by eliminating sales contests, and other things that Candy said. I think it’s critical that you understand that some things you can’t eliminate, but you do need to manage them.
Ed Wegener: Yeah. Especially in situations where you have a compensation structure set up so that your advisors might be incented to recommend certain products. It’s important that you set up some system for monitoring to mitigate those conflicts.
Candy Palugi: Yeah. I agree with that also. The other thing is, some of the conflicts, Jeffrey, as you said, some of them cannot be eliminated. But some of them must be eliminated is a point. If you’re offering sales awards or bonuses or anything related to a specific product or anything like that, under Reg BI that pretty much can’t happen any longer, in my opinion.
Ed Wegener: Related to Reg BI and something that’s been in FINRA’s priority list, probably since the time they started to publish their priorities, are variable annuities. And Evan, I know that you’ve, both in your time at FINRA, have discussed or have had exposure to variable annuities have been involved in reviews and investigations of firms, with respect to variable annuities. And also as a consultant have worked with firms on their policies and procedures related to variable annuities. What are some of the things that FINRA raised in this version of their report related to some of the concerns that they have around variables?
Evan Rosser: Well, you’re right, Ed. Variable products have been on this list for years, and I imagine they will remain on this list for years. They can be very complex products with complicated fee structures and numerous provisions and riders and features that make them very difficult to assess. And I think it’s interesting that this follows the Reg BI discussion because now, and I am guessing but I think I’m probably accurate, that most variable annuity transactions be they initial transactions or switches or replacements, are recommended. And firms need now apply Reg BI to their variable transactions, particularly switches and replacements. When I was at FINRA, we brought variable annuity transaction cases. However, they usually focus around switches and replacement. And a lot of our cases didn’t involve us going in and scrutinizing each transaction, each switch, but rather we looked – Did the firm have procedures by which they evaluated these transactions?
Did they have a process to determine that they were suitable back in the old days when they were suitable? Now they have to be in the client’s best interest, and they really need a process around doing that. They need to look at the timing of these replacement transactions. And I think another challenge will be applying the basis of their applying the reasonably available alternative. Sometimes that reasonably available alternative may not be within the same product class. For example, maybe a mutual fund without the insurance features may be a more reasonable alternative for a client than a variable annuity. So, as I said, these products will continue to be scrutinized by regulators because of their structure, because of their fees. And I think training is always going to be an issue. I’m afraid that there are still instances where there are registered people who don’t entirely understand the products and all their features. They may not understand the riders, and I think they’re just going to remain a complicated issue for firms and they need very detailed supervision around these transactions.
Jeffrey Hiller: Ed, Evan, the fees for variable annuities are really much higher than other investments. In some sense, that’s an incentive for brokers to push those funds. Are there, do you think they need special procedures for variable annuities and fixed annuities?
Evan Rosser: Yes, I think they do. And for that reason. Because they do pose a bit of a conflict in their fee structure, and you are often selling an insurance product to someone who doesn’t need or want an insurance product. And because of the complexity of the product, you do need to look at these a little more closely. I mean, there’s the new DOL rule on rollovers, which we’re not going to get into today, does require firms to document why rolling over from an existing retirement account is appropriate and in the client’s best interest. And I think you must do much the same analysis for replacement. Why are you getting out of this product and getting into this product? And that includes a whole range of riders, features, fees. The SEC was very clear on Reg BI that fee alone is not determinant of best interest. It’s not a race to the bottom to sell the cheapest product. Nevertheless, high fees are always going to require more scrutiny.
Ed Wegener: And, going back to the discussion that we had earlier about Reg BI and managing and mitigating conflicts. You know variable annuities, because of the exact thing that you had mentioned, Jeffrey, that the differential in the fees and the payout to the reps, that’s a potential conflict that needs to be monitored and mitigated. So, for that reason, plus, as Evan mentioned, the complexity, I think one of the controls that you definitely should have in place, and Evan mentioned this, is having robust training, both in terms of understanding the product, being able to assess whether it’s appropriate for the customer and then doing that assessment of alternatives and making sure that the recommendation that you’re making is reasonable based on your assessment of other alternatives. And so that’s one major way that you can mitigate that. In addition to having monitoring programs, looking for things like rates of exchanges and things like that. Absolutely.
Jeffrey Hiller: I wanted to follow up on something that Candy said. I fully agree with her that some conflicts can be eliminated. Variable annuities, I think that particular product, you have to manage and manage very closely. I think that there are clearly the examples that Candy gave, I would wholeheartedly concur with.
Ed Wegener: Well, sort of turning into something that’s always in the news these days, and it’s no surprise that cyber security continues to be an area that FINRA is focusing on. It’s interesting, I think, they just recently issued an alert on a recent cyber security threat that’s come out. And that’s one of the benefits that FINRA has now that they’ve created their cybersecurity exam program is they’re in touch with firms in terms of keeping an eye on what they’re seeing. And as soon as they identify a potential threat that’s impacting their membership, they’ve been very quick to get that information out to firms so that they can know that those threats are out there and make sure that they’re able to manage them. But the cybersecurity priority, this is an area that’s been a priority for the last several years. FINRA has issued a couple of reports on cybersecurity practices that it’s important for firms to go back and look at.
Some of the things that they highlight there are importantly, the need for firms to conduct cyber security risk assessment, so that firms know where their vulnerabilities are. Making sure that they have a governance process around cybersecurity and cyber security controls. Making sure that governance includes having a plan for responding to incidents. Things like having a data loss prevention program which includes things like encryption, scanning outbound emails. Importantly, and this is something that I know FINRA’s been looking at when they conduct branch office examinations, are looking at firm cybersecurity controls at the branch level. You might have terrific controls at the home office, but are those being effectively implemented at the branch level? And it’s something that they’re looking for. So that’s something that’s important for you to look for as well. Because you can have the greatest program in the world, but if it’s not being implemented effectively, it’s not going to be effective.
Like everything else we’ve talked about today, training is an important component. Both in terms of regular training on what the firm’s policies are around cybersecurity policies and controls, but also, some of the testing that I’ve seen done through firm’s training programs. Where sometimes they’ll send out fake Phish emails to see if people will click on links that they shouldn’t. Just to make sure that people understand that this happens and to sensitize people to the fact that they are vulnerable to clicking on malicious links. Doing vendor assessments, having pen testing, penetration testing, looking for imposter websites using your firm’s name and identity, and then making sure that you’re communicating cyber events both internally within your firm addressing breaches and letting regulators know about cyber events are some of the things that they highlighted. I don’t know if anyone else has any thoughts around cyber security, what firms should be doing or any reaction to the things that FINRA had identified?
Evan Rosser: Well, I would say Ed, and I don’t know if this is specifically set forth in the FINRA, but I’m sure it’s their position as well in recent SEC cases on cybersecurity, it’s clear that the regulators now are not looking at broker dealers and investment advisors as innocent victims. They are looking at them and saying, what could you have done to stop this? And if you are the victim of a breach or a hack or a kidnapping or hijacking of your email, the regulators are going to look at you. And see, did you do all that you could to keep this from happening? So you’re not the victim anymore. You’re going to be looked at. I wouldn’t go so far as to say complicit, but they’re going to look very closely at your procedures to see if you could have prevented this breach.
Ed Wegener: Candy, you have some thoughts?
Candy Palugi: Yes. I agree with what you and Evan both have said. And the way I look at cyber security is, I feel like there are two main components. One would be your systems. Do you have the proper firewalls and all of that to protect your data the way it should? And then the second, as you said, is training, which in my opinion, for the field, that is just the most important part, and there can never be enough of it really because the fraudsters have become so good at what they do. You can have someone who is very trained in what to look for in a spam email and completely miss everything, because some of them are just that good. So I think training is so important. And it’s important to remind people that it’s not just receiving a fraudulent email or clicking on a link.
You also need to consider things like, are you keeping your email box clean? You know, keeping personal information out of it as much as you can. So if there is a breach that can limit the amount of information of the firm and your clients that gets out into the public. And then the last comment I had was regarding reporting. It’s important to remember that states have different requirements for cyber breaches, personally, identifiable information breaches. And so if you have a breach, you need to check with the states that were affected within that breach and see what their individual rules are regarding the reporting of those.
Ed Wegener: Those are all terrific ideas. And you know, one of the things is that there is a tremendous amount of resources that are available to firms both generally on the internet. But also I do know that on FINRA’s website, they have a section on cybersecurity where they have the reports that they’ve issued as well as a number of other helpful resources and tools. So, I would recommend that firms definitely check that out and use those resources both in terms of developing their systems, and as you said, developing their training. You know, one thing that’s new on the report this time, and we’ve talked about this Candy, is FINRA’s focus on direct way business, or some people call it application way business. I know that FINRA’s had issues with this in their examination program, but what is it that FINRA highlighted with respect to direct way business? And what’s your experience been having worked at a firm in a compliance department around direct application way business?
Candy Palugi: Yes. So I know that FINRA has been doing a sweep of some direct business reviews, especially as it relates around mutual funds. Some of the things that they pointed out are – how are you ensuring that your blotters are captured appropriately and getting all of the necessary information. Like making sure you’re getting all of the customer data, the fund symbol, the share class. Pretty much you would need to capture anything that would be included on an order ticket in order to properly be able to supervise it and include it in your books and records. They also pointed out ensuring that the transactions are coded correctly as a new transaction, instead of just putting it as a reinvestment or recurring contribution. Sometimes if you do it as recurring contributions or reinvestments, that will skip through the surveillance process and maybe those new investments aren’t being captured for supervision appropriately. They also pointed out ensuring that adequate and recurring supervisory reviews are happening around the direct business model and ensuring that exception reports are used when necessary, making sure they’re being run against some type of exception criteria, even though they’re not held directly with the firm.
Ed Wegener: You know, as FINRA has been evolving their risk-based exam program, they’ve been relying much more heavily on data and reviewing data before they come out to firms. And one area that they’ve been relying on are getting electronic copies of firms’ blotters. And I think what they’ve been finding as part of that review is that the blotters they get for cleared business through the clearing firm versus blotters that they get that direct way business are significantly different, and I think it’s caused them some issues. And that might be one of the reasons giving rise to their focus on this area because it’s been impacting their exams. But also wanting, to your point, make sure that firms are still supervising this business appropriately, despite whether it’s cleared or application way. So that’s a good area for firms to focus on if you have both cleared business and application way business. Another area that’s come up, that I think is somewhat newer but has been talked about a lot lately, is special purpose acquisition companies. I think I’ve heard them referred to both as SPACs or S-PACs. I don’t know, Jeffrey, how you refer to them, but can you talk a little bit about what FINRA’s concerns are with respect to SPACs or S-PACs?
Jeffrey Hiller: Sure. SPACs, as Ed said, are special purpose acquisition companies and they’re also called blank check companies. SPACs are shell companies listed on the stock exchange and publicly traded and are also registered with the SEC. The sole purpose of a SPAC is to finance a merger or acquisition. The public can buy shares before any merger or acquisition takes place. There are both advantages and disadvantages, and regulatory interest in SPACs. The advantages include it facilitates quick access to markets and is certainly quicker than IPOs and clearly less expensive than IPOs. And there are currently fewer regulatory demands and oversight. But now that this is on the FINRA list and will likely show up on other regulators’ lists, I think that may be going away. The disadvantages are many. Investors could purchase the shares before any merger or acquisition target is identified.
They could be buying into something that they really know nothing about. They’re going to have to trust whoever the sponsor is. That’s a difficult thing to do. Also, with regard to SPACs, there’s less disclosure. Again, less regulatory oversight is both a plus and a minus. There are very inherent risks in the product because of that. Regulatory concerns include the regulators have raised issues such as the disclosure around the offering of these SPACs. The fees are substantially high. Initial sponsors get a lot of shares of stock that they can exercise after the merger, which could cause dilution of ownership. There are conflicts of interest, although there’s some protections, if they engage in any affiliated transaction. And finally, the market practices, to make sure that the public gets the information and really understands these before they purchase them.
The research shows that more than 70% of SPACs trade less than their initial offering price and are less successful. In those cases, the sponsors may make money, but the shareholders don’t. The benefits of promoters is clear. I’d give two examples. One is DraftKings and that was $10 a share or $6 a share until they announced the merger or acquisition, and then it shot up and it’s done really well. It’s one of the few SPACs that I am aware of that did well. You have others in the electric vehicle areas such as Lordstown Motors, which initially had a high rise, but is really underwater. And so they’re very, very risky. They’re not new, but they’re new in the way they’re promoting them. So I think that’s what gives rise to regulatory concern. And I think they’re going to be taking a deep dive.
Evan Rosser: Yeah, I would agree. And, I would say for many regulators, this is just a fancied up blind pool from the old days. And all you’re really buying is the expertise of the sponsors. There’s nothing there. At least there shouldn’t be anything there. I think in the old blind pool days, there were things envisioned, but they weren’t disclosed in the prospectus, which is a whole different problem. Yeah. Regulators are always going to have a problem with anything that provides quick access to the marketplace because it doesn’t go through the standard review and registration process. And I think one other thing that they look at as well, there’s a provision for SPACs that the investor gets his or her money back if there’s no merger. However, sometimes you can rush through a merger just prior to that expiration, so they don’t have to return the money. And I think whether you’re buying or selling or recommending a SPAC, you really need to look very closely at those transactions that occur late in the process that might be used just so the sponsors can keep the invested money.
Candy Palugi: Yeah. I agree with all that you both have said. I think the most important thing for firms to consider if they are allowing or offering SPACs is to make sure that their advisors and registered reps are well trained on the product and probably to have some limitations around the type of client it’s suitable for, because these obviously will not be suitable for every client.
Jeffrey Hiller: That’s a very good point – the suitability issue. Because they seem to be right now, a big trend people are trying to get in and buy them. They think it’s a get rich quick, but I agree with your point wholeheartedly that people have to understand the risks and an appropriate client, which would be not your everyday investor.
Ed Wegener: Similarly, on the other side of the spectrum, in terms of capital raising are private placements. Evan, and this is an area that FINRA has long put on their list of priorities. It’s an area that they’ve identified concerns with meeting registration exemption requirements filings, and also an area where they have found a lot of fraud. And so it’s definitely an area that they pay close attention to. Based on what you’ve read in their current report, and also your experience working at FINRA, what are some of the things firms should keep in mind when dealing with private placements?
Evan Rosser: Yeah, these are on the list also because they provide quick access to the market and they don’t go through the standard registration process. And again, that will cause scrutiny from the regulators. When you look at the FINRA report this year, they seem to focus on two areas. One – the filing requirements in their rules, 5122 and 5123. If you’re selling these to retail customers, you need to file either the memorandum or whatever information you have. You need to make that filing with FINRA. If it is an affiliate, then you’re subject to additional filing requirements. So a lot of what FINRA seems to be saying was firms were not aware of their filing requirements in offering private placements. The other concern that came out seemed to be due diligence in that firms were not doing adequate due diligence on the private placements that they were selling.
A lot of these do present red flags and whenever you offer a private placement or a lot of offerings that are exempt from registration, you just don’t have the same amount of information. You’re just not going to get the detailed in-depth information about the issuer that you would get in a full SEC registration. So again, like so many other topics that we talk about, it is due diligence, it’s suitability. Customers have to understand the liquidity or the lack of liquidity in these products, the speculative nature of these products. And I would say for many customers who purchase private placements, retail customers, they’re not aware of some of the provisions here or the fees that they might be paying in private placements.
Ed Wegener: Well, and the provisions changed quite a bit when the JOBS Act went through and there were new types of offerings that were allowed and some sort of hybrids between private and public offerings like Reg A offerings. And so it’s really important for firms to understand the specific requirements under each of the types of offerings to make sure that they’re complying and not inadvertently selling something that needs to be registered with Reg A offerings. You know, one of the things that we found in working with clients is making sure that you understand that even though they’re not required to be registered, they are considered public offerings. So you have to look at things like any potential conflicts under 5121. Because I think a lot of firms think Reg A offerings look more like private offerings and might treat them as such. So there’s a lot of things that you need to make sure of if you’re going to engage in this business. That you’re being cognizant of. Due diligence is a key way of making sure as part of going through that process, that the offerings are meeting the requirements that they need to meet.
Evan Rosser: And on the due diligence point, another point that came out of the FINRA report is you can’t blindly rely on due diligence done by the issuer, nor can you rely on third party due diligence without doing some due diligence on that third party and the quality of their due diligence.
Ed Wegener: Yeah. A lot of those issues, you probably remember back when Medical Capital was a big offering that had had issues associated with it, and a number of investigations started. And I think that’s the big issue that they found was firms relying either on the issuer’s due diligence or solely relying on issuer information or on a third party without doing their own due diligence. And that can really come back to haunt you.
Another area that continues to come up on the priorities is AML. We do a lot of work in the AML space and it’s an area that firms are required to do testing in every year. And maybe, Evan and Jeffrey, if you could touch on AML, what FINRA looks for and some of the issues that they’ve been finding on their examinations last year that are leading to the priorities for this year.
Evan Rosser: Sure. Like so many of these topics, AML will just always be with us. It’s like cybersecurity. There’s always someone working to get around it. It’s never going to go away. Yesterday’s procedures might have been great, but they’re inadequate tomorrow. And I think that’s one of the things that came out from the FINRA report is that you have to keep your AML procedures current with your business. Current with the risks that your business presents. You have to use that AML testing, that requirement for that independent review. You really need to use that and really need to have it done well. I know sometimes firms look at that as a rather perfunctory exercise and just get it out of the way. But you really, that independent review of your procedures is really important for firms.
One thing I always tell firms as well about SAR, suspicious activity reporting, you don’t need a transaction to file a SAR. Any suspicious activity, even if it’s just opening an account. If you find suspicious activity in the opening of an account that requires the filing of a SAR. And it’s interesting that when I look at the report, the discussion of AML is followed by low priced securities and FINRA will apply SAR reporting to your low-price securities transactions. As, I don’t know this, but I would guess, a large number of FINRA AML cases surround activity in low-price securities. I think FINRA looks at the activity in low price securities as, I have to be careful in my words here, suspicious. Let’s just say it’s suspicious. They will look for volume spikes. They’ll look for price spikes. They’ll look for what they think might be pump and dump activities on various sites. And if you’re trading low price securities, the other thing they’ll look at as well is whether the seller is a control person, and you might be stepping into an unregistered distribution of securities. And these are all potentially violative or criminal activity. You need to file a SAR if you suspect any of those things happening. So I think on one hand firms need to keep their AML procedures up to date. They need to evolve. They need to reflect the current state of the firm’s business. And if that business consists of trading low-price securities, then you need special procedures around that activity.
Jeffrey Hiller: The only thing I would add to that is a pattern. Is there in the account, a pattern of say, $9,000 for each transaction, and they consistently look and try to stay below $10,000, which triggers a notice or a filing. The other thing I would say is critical is to have an AML officer and to routinely train traders, managers, ops people, whoever it is that can see and touch that along the process, to make sure they’re adequately trained in the policies and procedures. You may not catch everyone, but you better have a rigorous process to find how to catch them.
Ed Wegener: And it’s interesting that they mentioned not only the testing requirement, but they encourage firms to make sure that they’re doing risk assessments. And I think it’s important for firms to really do an adequate risk-based assessment of your firm to really understand the types of customers that you have, and the risk associated with those customers, types of services and activities and products that you sell, understanding the geographies of your clients and where you’re engaging in business. And also assessing the controls that you have in place to mitigate those risks so you can assess whether the resulting residual risk is within your firm’s risk tolerance and have a governance and a process around that. So you can really assess whether your program is adequate enough to be able to address the AML risk that it has.
Evan Rosser: And if your firm is offering direct market access to customers, there is a provision in 15c3-5, you must conduct post trade surveillance and any suspicious activity that you find there, it probably would merit the filing of a SAR. And part of that risk assessment is setting your parameters properly so that you are capturing patterns of activity, spoofing, layering, potentially manipulative cross trading, or wash trades. So that’s another big area on an AML that if you are providing that and you don’t even, you may not even have contact with those clients. Nevertheless, that activity is going through your firm through the direct market you’re providing, and you need to surveil that post trade very carefully and report that or develop controls to prohibit that.
Ed Wegener: Well, thanks everyone. I really appreciate your thoughts on the priorities. And it was a lot to get through and we only scratched the surface. We talked about sales, communications and operations. In future podcasts, we’re going to talk about financials as well as market integrity priorities for FINRA. And we’ll talk about other priorities, including when the SEC issues their priorities letter for the year. So we look forward to those discussions and thank you very much.
Oyster: Thanks again, for listening to the Oyster Stew podcast. Don’t forget to subscribe so we can help you make the best decisions for your firm. If you are struggling with a topic and you’d like us to do a podcast on it, or you’d like a free consultation, please reach out to us at 804-965-5400 or visit our website at www.oysterllc.com. Have a great day.