This article first appeared on Radical Compliance on January 11, 2023.
FINRA, the regulator for broker-dealer firms that every other compliance professional should follow anyway, has given us yet another piece of nifty guidance: its annual report on regulatory examinations, brimming with advice about risks related to cybersecurity, anti-money laundering, and other issues.
Like most other financial regulators, FINRA examines the compliance programs of businesses under its jurisdiction every year. Then FINRA publishes a review of its findings – that is, mistakes in compliance that FINRA examiners commonly see, and measures a firm could implement to address such mistakes in its own operations.
This year’s report runs 75 pages. Most of the material relates to issues specific to broker-dealers, but plenty of FINRA’s observations apply to any company, in any industry. Compliance officers from any walk of life could put those observations to good use in their own compliance programs, so let’s dig into what FINRA found.
We can begin with everyone’s favorite risk, cybersecurity. FINRA examiners flagged a few common deficiencies in the compliance programs they reviewed:
- Access controls. Lack of multifactor authentication (MFA) for login access to the firm’s operational, email and registered representative systems for employees, contractors and customers.
- New account identity validation. Ineffective processes and tools for validating the identity of customers opening new accounts or detecting suspicious activity associated with the opening of new accounts (such as multiple new accounts opened from the same IP address).
- Identity theft prevention program. Implementing a generic program that isn’t tailored to the firm’s size and complexity, or to the nature and scope of the firm’s activities; and not periodically updating the firm’s program to reflect changes in identity theft risks.
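As an added illustration of the IP-clustering heuristic FINRA mentions (example code, not from the FINRA report or this post), the following Python flags source IPs that open several new accounts within a short rolling window; the event log, field layout, window and threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of new-account events (not real data): "timestamp,account_id,source_ip"
SAMPLE_EVENTS = """\
2023-01-09T09:14:02,ACC-1001,203.0.113.7
2023-01-09T09:15:40,ACC-1002,198.51.100.23
2023-01-09T09:16:11,ACC-1003,203.0.113.7
2023-01-09T09:21:55,ACC-1004,203.0.113.7
2023-01-09T11:02:30,ACC-1005,198.51.100.23
2023-01-09T12:45:00,ACC-1006,203.0.113.7
2023-01-09T13:05:19,ACC-1007,192.0.2.44
"""

def parse_events(text):
    """Parse CSV-style lines into (timestamp, account_id, ip) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account_id, ip = line.strip().split(",")
        events.append((datetime.fromisoformat(ts), account_id, ip))
    return sorted(events)

def find_clustered_openings(events, window_hours=1.0, threshold=3):
    """Return {ip: [account_ids]} for IPs that opened >= threshold accounts
    within any rolling window of window_hours. Only the first qualifying
    window per IP is reported, which is enough to raise a review ticket."""
    window = timedelta(hours=window_hours)
    by_ip = defaultdict(list)
    for ts, account_id, ip in events:
        by_ip[ip].append((ts, account_id))
    flagged = {}
    for ip, opens in by_ip.items():
        start = 0
        for end in range(len(opens)):
            # slide the window start forward until the span fits within `window`
            while opens[end][0] - opens[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = [acc for _, acc in opens[start:end + 1]]
                break
    return flagged

if __name__ == "__main__":
    for ip, accounts in find_clustered_openings(parse_events(SAMPLE_EVENTS)).items():
        print(f"review: {ip} opened {len(accounts)} accounts within an hour: {accounts}")
```

A shared corporate NAT or mobile-carrier address will trip this rule too, so hits are review candidates for the onboarding team, not automatic rejections.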
We’ve talked about every one of these issues before, people! The Securities and Exchange Commission has published its own alert about identity theft protection. New York state financial regulators slapped around Coinbase for doing the bare minimum on customer onboarding just last week. Multi-factor authentication for better access control has been cited by just about everyone.
My point is simply that if you’re looking for guidance on solid information protection programs – which, incidentally, will address a good portion of your privacy compliance risks along the way – such guidance does exist. Financial regulators and their examination reviews are an excellent resource.
Practices to Consider
Aside from telling us everything firms are doing wrong, FINRA’s report also provided numerous examples of good practices that the agency wants to see. Among them:
- Risk assessments. Regularly assessing the firm’s cybersecurity risk profile based on changes in firm size and business model, as well as newly identified threats; and updating your cybersecurity program and AML program based on those assessments.
- Identity verification. For firms that allow new accounts to be opened online, developing a comprehensive process for validating the identity of new clients; and using third parties that can verify identities and provide a score assigned to the level of risk associated with a new account (to determine whether you need additional verification efforts).
- Vendor management. Maintaining a list of all third-party services, systems and software components, in the event of a cybersecurity incident at one of your third-party vendors.
- Branch office procedures. Limiting the use of branch-managed servers for email or other applications; or, if you do allow branch-managed servers, ensuring that you have adequate security controls.
Again, most of these best practices can be implemented by any company, and they’re highly relevant to today’s business climate.
For example, FINRA’s warning about risk assessments is especially timely amid all this talk of trimming the white-collar workforce. These are the people often involved in approval processes or other control functions – so if management decides to lay them off, how do you assure that the control objectives are still achieved? We also have Russia’s war in Ukraine, which led CISA and other regulators to warn about increased risk of cyber attacks. (Let me repeat for the 1,000th time that CISA is an excellent resource if you’re looking for trends in cyber attacks; so are any number of security vendors.)
I was also intrigued by FINRA’s warning for branch offices. This is one any compliance officer should be able to appreciate, because so often we’ve seen local branches of global corporations embarking on some nutty corruption scheme because the local branch has its own IT system. (Lookin’ at you, Danske Bank and your notorious Estonia branch.)
One hopes that in the modern world with cloud-based IT systems, this bad habit becomes a relic of the past. Still, I have no illusions that local branches of at least some companies do maintain their own servers; which means CISOs, privacy officers, and compliance officers need to assess the security precautions applied to those servers.
Those are the observations just about cybersecurity; the FINRA alert has plenty more about AML compliance, cryptocurrency (barf), and how broker-dealer employees communicate with clients. We can explore some of those topics another day, or if you’re looking for advice on any of those issues – pull your PDF reader up to the fireplace and settle in with the FINRA report at your own pace.