Regulatory Update

FINRA 2024 Annual Regulatory Oversight Report: Impact on Digital Communications Practices

by Robert Cruz

Subscribe to the Smarsh Blog Digest

Subscribe to receive a monthly digest of articles exploring regulatory updates, news, trends and best practices in electronic communications capture and archiving.

Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing privacy@smarsh.com.

As anticipated, FINRA has just published its 90-page annual oversight report — previously titled as FINRA Examination and Risk Monitoring Program— reflecting its supervisory, regulatory, and enforcement priorities for 2024. While it covers a wide variety of operational, financial management, and reporting areas, it also addresses digital communications practices, which we’ll highlight in this post.

Emphasis on new SEC cyber rules

This includes proposed rules for member firms as well as finalized rules for public companies. Several areas of cyber are addressed that touch the firm’s systems to define and evaluate policies, including:

  • Technology management and supervisory controls to assess risks associated with third-party vendors, including change management and business continuity systems
  • Branch controls, including how firms are monitoring the use of personal technology

While firms are aware of cybersecurity risks, FINRA noted that many firms have not yet updated their written supervisory procedures (WSPs) or were not enforcing WSPs related to cyber. FINRA has noted that effective practices in this area include regularly updated lists of all vendors potentially impacting cyber risks, as well as frequent assessments of individual vendor risk.

Related considerations encompass the need for a repeatable process for incident and problem management tracking and reporting that’s coupled with the establishment of capabilities to effectively respond to incidents.

The impact

Given the proposed SEC Cybersecurity Risk Management rules, establishing and maintaining comprehensive cyber compliance policies and procedures, including incident response plans, will be crucial to compliance and governance programs in the upcoming year.

Artificial intelligence as an area of emerging risk

Noting potential concerns about accuracy, privacy, bias and intellectual property, FINRA cautions firms to be aware of how AI may be leveraged. FINRA reminds firms to consider the broader implications before deploying AI technologies. This includes potential impact on requirements covering books and records, supervision, communication with the public, cybersecurity, and model risk management. FINRA also warns firms to be mindful of explainability and transparency when integrating AI technology.

The impact

FINRA acknowledges that the regulatory obligations surrounding the use of artificial intelligence is likely to change, particularly regarding generative AI. However, the industry is moving quickly beyond a view of AI as one of “promising opportunities,” and into pilots and deployments to address risk and compliance processes as well as faster information delivery to the market. Firms will not be deterred in use of AI technologies and will need to monitor the outcome of continued sweeps from the SEC in these areas. This includes potential conflicts of interest as well as further U.S. agency developments following the Biden Administration Executive order from Q4 2023.

Crypto assets and surveillance

Following the lead from the SEC, FINRA launched a targeted exam of practices related to crypto in 2022 and continues to find a rate of non-compliance compared to any other product. As a result, their focus in 2024 has expanded and will center on how firms are communicating relevant crypto risks to investors (FINRA 2210). This includes if/how firm communications are fair and balanced, fails to disclose when crypto assets are offered by affiliates or third parties, as well as make false statements about how federal securities law and FINRA rules apply to crypto assets.

FINRA will also focus on the presence (or lack) of supervisory controls to ensure that firms are conducting the appropriate due diligence on crypto asset private placement recommendations to customers (FINRA 3110).

The impact

Crypto assets and securities will continue to be a topic for further legal court decision making in 2024. FINRA will continue to emphasize the application of existing rules that will require firms to maintain the appropriate recordkeeping and oversight systems as is required for any other category of financial product.

Outside business activities surfacing hidden risk

The side hustles and entrepreneurial endeavors continue rising in popularity. Firms must prioritize governance of outside business activities (OBAs) to meet FINRA’s escalating scrutiny. Deficient oversight of OBAs introduces substantial regulatory compliance risk regarding controls, supervision, and recordkeeping.

FINRA identified ongoing monitoring of registered persons’ communications, marketing content, online presence, customer complaints and financial records to uncover indications of undisclosed OBAs early as effective practices. Simultaneously, firms must watch for lifestyle changes or anomalies in production and performance that may signal unreported external ventures.

And a bit more on crypto, another emerging area of deficiency lies in evaluating whether crypto-asset transactions qualify as securities necessitating OBA protocols. Assumptions around crypto evading regulatory purview breed noncompliance.

The impact

Firms failing to regularly review information sources for irregularities indicating possible OBAs face regulatory violations. Overlooking crypto assets’ potential status as securities also invites noncompliance.

To align with FINRA guidance, firms should implement persistent surveillance procedures for early OBA detection combined with proper crypto asset supervision. Documenting oversight measures represents critical evidence of alignment with industry best practices for governance, supervision and recordkeeping.

Books and records

Of course, no annual FINRA priorities report would be complete without a section on recordkeeping. However, given the SEC off-channel enforcement activity of 2023, this report offers minimal practical guidance on how firms should be adjusting oversight practices. Instead, it seeks additional “effective practices” from member firms over the course of 2024.

What the report does highlight is the failure of some vendors to comply with books and records requirements (likely related to updated SEC 17a-4 letter of undertaking obligations) and failures to preserve certain types of email correspondence. FINRA does guide firms toward:

  • Updating policies and procedures
  • Updating training programs
  • Increasing surveillance focus of customer complaints
  • Increasing vigilance of changes in usage patterns of approved communications tools

The impact

As illustrated by the very small number of FINRA off-channel settlements in 2023, FINRA appears to rely upon continued enforcement leadership from the SEC and CFTC going into this year. While best practices continue to be elusive in addressing off-channel risks, we are observing changes in how firms are:

  • Modifying mobile capture strategies
  • Adjusting processes to assess the benefits vs risk of new channels
  • Modifying oversight protocols to improve visibility into areas that may indicate the use of prohibited networks

We will share these emerging areas of investment via our blog and industry forums over the course of 2024.

Communications with the public

Not surprisingly, FINRA rule 2210 will be an enforcement priority again in 2024 that — in addition to crypto securities — includes a strong emphasis on mobile applications. Based on its 2023 findings of false, misleading and inaccurate information in mobile apps, FINRA will be looking at promotional information sent via ‘nudges’ or push notifications, as well as the form-factor considerations to ensure that information displayed to customers is complete and accurate.

FINRA also calls out the commonly expressed challenge of monitoring for new tools and features, as well as the need to ensure that supervisory oversight is tuned to address the unique modalities that mobile content may possess.

The impact

FINRA is acknowledging that the mobile delivery of information to investors is a given. It highlights the fact that features, functions and enticements designed to attract hybrid office-working retail investors will continue to evolve. As a result, firms will need to account for every application that has a messaging feature and ensure that controls are effective and complete regardless of the delivery form factor.

What does the FINRA oversight report mean for 2024?

Digital communications remain a clear area of focus for FINRA in 2024, given:

  • The continued evolution of communications technology
  • The reality of licensed staff and investors remaining in hybrid work models
  • The inevitable rise of generative AI as a force within the industry

The compliance surface area has never been as large and dynamic, and the topics addressed in the 2024 Oversight Report indicate that the premium placed on proactive governance of digital communications has never been as critical as it will be this upcoming year.

Ready to enable compliant productivity?

Join the 6,500+ customers using Smarsh to drive their business forward.

Contact Us

Tell us about yourself, and we’ll be in touch right away.