According to FINRA, firms are not required to test every aspect of their business annually. They have stated that “risk-based methodologies and sampling may be used to determine the scope of testing.” So, how should firms go about identifying the appropriate areas for testing and verification?
FINRA Rule 3120 requires broker dealers to test and verify, at least annually, that its Written Supervisory Procedures are reasonably designed to achieve compliance with applicable securities laws and regulations and FINRA rules. This testing must be tailored to the firm’s and registered representatives’ activities.
Below are some examples of areas firms should consider:
- Areas of significant risk of investor harm.Certain areas have a higher likelihood of potential investor harm. These include areas that may be red flags for fraud and abuse. The firm’s process for receiving and forwarding client funds and securities should routinely be reviewed given the harm that can happen if this area is not well controlled. Additionally, changes of client addresses and investment objectives are two areas that FINRA has called out as important areas for testing. Firms should also consider reviewing patterns of money movements that happen shortly after an address change or patterns of complex or risky product recommendations shortly after a change of investment objective and risk tolerance.
- Major areas of firm business. When regulators conduct examinations, they will focus their review on the areas that drive the firm’s revenue. It is important that firms have strong controls over these areas. Testing the controls over that activity is important. For example, if a firm derives a large amount of revenue from variable annuities, annually reviewing and testing the firm’s controls over suitable annuity recommendations and monitoring exchange activity would be advised. These are likely to be areas of focus for regulators.
- Areas of deficiency identified in recent testing or regulatory exams.Regulators are going to want to ensure that firms have corrected past deficiencies. In fact, one of the common drivers of a regulator’s enforcement actions is repeat findings. It is important that when doing annual testing, firms review past findings and ensure that they have been corrected. It is also important to test to ensure that any remedial actions taken have been effective.
- Regulator priorities. Regulators annually publish their priorities, and as the name implies, these are the areas that they will be focused on during the coming year. Firms should review the regulators’ priorities reports for the last few years to identify which priorities are applicable to the firm’s business. Where applicable, test to ensure that the firm’s procedures and controls are strong in those areas. FINRA has done a great job of identifying (a) considerations, (b) common findings and (c) effective practices for each of their priorities. This should act as a roadmap for firm reviews.
- Applicable areas identified in regulators’ disciplinary reports. Regulators also publish their disciplinary actions on a regular basis. Firms should review these and identify disciplinary actions taken in areas where the firm is active. Where such actions are taken, for example if trading and market activities have been included in disciplinary actions, firms should assess whether the firm has strong controls over the areas identified.
- Compliance with New Rules. Regulators are always apt to review for compliance with new rules during their examinations. It is a best practice to include a review for compliance with applicable new rules during annual testing. Identify and fix any issues in complying with new rules early; the annual testing is a good opportunity to do so.
- Areas that have not been reviewed in several years. Finally, even though certain areas may not fall in one of the categories above, if the area has not been reviewed for several years, it may be good to include the area in testing. This would help avoid situations where something falls off the Compliance team’s radar and ends up getting identified as a deficiency in an examination. Consider putting reviews of these types of areas on some type of cycle. For example, review these areas every other year or every three years.
The list above is not exhaustive. You may have other areas that you think are important to consider. While there is no magic bullet for determining which areas should be subject to review in your 3120 testing, considering the areas above will go a long way to demonstrating to regulators that you have taken a reasonable, risk-based, and tailored approach to your testing.
Oyster Consulting’s compliance professionals have the expertise to create a testing program customized to your firm and its lines of business. Our experts have years of industry, FINRA, SEC and state regulatory experience. They ask thoughtful questions to quickly assess what areas need the most attention and review. We provide compliance support that is agile, reasonable and satisfies regulatory requirements.
