Finra priorities in 2016: AML, cybersecurity, data quality, compliance culture

The self-regulatory body responsible for broad examination and enforcement of the nation’s securities’ sector has highlighted it will be giving increased focus to financial crime compliance programs and officers, the underlying data and systems and cyber defenses in 2016.

The Financial Industry Regulatory Authority (Finra) this week released its 2016 Regulatory and Examination Priorities letter highlighting three broad issues – supervision, risk management and controls; and liquidity, while noting forcefully it will “emphasize anti-money laundering, cybersecurity, the management of conflicts of interest and technology management, as well as outsourcing and data quality.”

The statements by Finra along with a flurry of actions in the last half of the year focusing on AML programs and penalizing AML and chief compliance officers follow a trend gaining momentum in the past few years of federal and state regulators going more aggressively after individuals in the case of egregious compliance failures and related monetary penalties.

While in some ways mirroring the issues touched on in 2015 and 2014, Finra delves into more detail in its latest letter around more complex anti-money laundering (AML) program elements, such as accurately vetting and risk-rating customers, adequately monitoring transactions, and the algorithms and alert scenarios that could indicate criminal activity.

“For example, FINRA has observed problems with firms’ automated AML surveillance systems not capturing complete and accurate data, which can result in missed or poor quality alerts,” the letter stated, noting that firms should also “routinely test systems and verify the accuracy of data sources,” to ensure some customers are not falling through the cracks or were erroneously excluded.

The letter also exhorted firms to “consider reviewing customers’ activity over a period of time sufficient to identify patterns and ensure they assess the full picture of activity,” with particular attention being paid to higher risk operations, such as lower-priced securities or penny stocks, a ripe area for trading frauds.

As well, Finra warned that when firms delegate the monitoring of suspicious trading activity to personnel outside of the AML function, they “should ensure that appropriate delegation has been made, and that the AML function has an open line of communication with the personnel conducting reviews of trading activity.”

On the cybersecurity front, Finra give much more attention to the issue in this year’s letter, an issue barely mentioned in 2014.

“While many firms have improved their cybersecurity defenses, others have not—or their enhancements have been inadequate,” the letter said. “Firms face risks from unauthorized internal and external access to customer accounts, online trading systems and asset transfer systems, as well as in the management of their vendor relationships.”

For 2016, Finra will review firms’ approaches to cybersecurity risk management, and “depending on a firm’s business and risk profile, we will examine one or more of the following topics: governance, risk assessment, technical controls, incident response, vendor management, data loss prevention and staff training.”

Examiners will also consider examining firms’ abilities to protect the “confidentiality, integrity and availability of sensitive customer and other information,” which in some cases the latter requires “electronically stored records to be preserved in a non-rewriteable, non-erasable format.”