FINRA’s Examination and Risk Monitoring Program

The Financial Industry Regulatory Authority (“FINRA”) has released its 2023 report regarding FINRA’s Examination and Risk Monitoring Program (the “Report”). FINRA’s intent is that the Report be an up-to-date, evolving resource which member firms can use to strengthen their compliance programs. This year’s Report addresses a materially broader range of topics than in prior years. Additionally, the Report introduces a new Financial Crimes section consisting of four topics: Anti-Money Laundering (AML); Fraud and Sanctions; Cybersecurity and Technological Governance; and Manipulative Trading. These topics highlight FINRA’s increased focus on protecting investors and safeguarding market integrity against these ongoing threats.

Anti-Money Laundering

As to Anti-Money Laundering (“AML”), the Report focuses on FINRA Rule 3310 (Anti-Money Laundering Compliance Program), which requires that each member firm develop and implement a written AML program that is approved in writing by senior management and is reasonably designed to achieve and monitor the firm’s compliance with the Bank Secrecy Act (BSA) and its implementing regulations. Other requirements contained in the BSA’s implementing regulations include maintaining a Customer Identification Program (CIP); verifying the identity of legal entity customers; establishing due diligence programs to assess the money laundering risk presented by correspondent accounts maintained for foreign financial institutions; and responding to information requests from FinCEN within specified timeframes.

Further, on January 1, 2021, Congress passed the Fiscal Year 2021 National Defense Authorization Act (NDAA), which included the Anti-Money Laundering Act of 2020 (AML Act) and, within the AML Act, the Corporate Transparency Act (CTA). Many provisions of the AML Act and the CTA require rulemaking or periodic reporting to Congress on implementation efforts, assessments and findings. Firms should stay apprised of progress being made to implement the AML Act, which is described on the FinCEN website.

Fraud and Sanctions Evasion

Since February 2022, the Office of Foreign Assets Control (“OFAC”) has implemented several significant sanctions related to the Russian financial services sector in response to Russia’s actions in Ukraine. In response, on February 25, 2022, FINRA issued Regulatory Notice 22-06 (U.S. Imposes Sanctions on Russian Entities and Individuals) to provide firms with information about these actions, and to encourage firms to continue to monitor the OFAC website for relevant information. Firms should familiarize themselves with these sanctioned entities and individuals and take steps to comply with OFAC’s regulations. FINRA also advises that firms conduct formal, written AML risk assessments that are updated based on the aforementioned material macroeconomic and geopolitical events.

On March 7, 2022, FinCEN issued alert FIN-2022-Alert001 (FinCEN Advises Increased Vigilance for Potential Russian Sanctions Evasion Attempts) to warn financial institutions of efforts to evade these sanctions and other U.S.-imposed restrictions implemented in connection with Russia’s actions in Ukraine. Because FINRA has observed red flags of Russian sanctions evasion in its investigations involving activity in customer accounts (e.g., material changes in the type or volume of activity in such accounts after sanctions were announced), firms should consider how to appropriately monitor activity in customer accounts for Russian sanctions evasion. To comply with the sanctions enacted by OFAC, FINRA advises that member firms review the IP addresses of new online account applications and transfer requests. However, use of a virtual private network (“VPN”) can obfuscate the location of a given user’s IP address. Therefore, firms should obtain a copy of the account statement from any account slated to be transferred before sending an Automated Customer Account Transfer Service (ACATS) request. Firms should also review account applications for common identifiers (e.g., email address, phone number, physical address) present in other applications and in existing accounts, especially seemingly unrelated accounts. Finally, FINRA advises that firms review account applications for use of temporary or fictitious email addresses (e.g., @temporaryemail.org) or phone numbers (e.g., 555-555-5555, 999-999-9999).
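The application review described above can be automated as a first-pass screen. The following Python sketch is an added example, not part of the Report or of this article; the record layout, function names and sample records are constructed for illustration, and only the email domain and the repeated-digit phone pattern come from the examples in the text.

```python
import re
from collections import defaultdict

# Assumption: a firm would maintain its own list; this entry is the text's example.
DISPOSABLE_DOMAINS = {"temporaryemail.org"}

def identifiers(rec):
    """Normalize the identifiers so formatting differences do not hide a match."""
    email = rec["email"].strip().lower()
    phone = re.sub(r"\D", "", rec["phone"])[-10:]  # digits only, drop country code
    address = re.sub(r"[^a-z0-9]+", " ", rec["address"].lower()).strip()
    return [("email", email), ("phone", phone), ("address", address)]

def screen(applications, existing_accounts):
    """Return {application id: [flags]} for fictitious or shared identifiers."""
    index = defaultdict(set)  # (field, value) -> ids of every record using it
    for rec in list(existing_accounts) + list(applications):
        for key in identifiers(rec):
            index[key].add(rec["id"])
    findings = {}
    for app in applications:
        ids = dict(identifiers(app))
        flags = []
        if ids["email"].rsplit("@", 1)[-1] in DISPOSABLE_DOMAINS:
            flags.append("disposable_email")
        if ids["phone"] and len(set(ids["phone"])) == 1:  # 555-555-5555 etc.
            flags.append("placeholder_phone")
        for field, value in ids.items():
            others = sorted(index[(field, value)] - {app["id"]})
            if others:
                flags.append(f"shared_{field}:{','.join(others)}")
        findings[app["id"]] = flags
    return findings

# Constructed sample records (not real customer data).
EXISTING = [{"id": "ACCT-1001", "email": "a.example@example.com",
             "phone": "(212) 555-0147",
             "address": "10 Main St., Apt 4, Springfield"}]
APPLICATIONS = [
    {"id": "APP-1", "email": "jq@temporaryemail.org",
     "phone": "555-555-5555", "address": "77 Oak Ave, Shelbyville"},
    {"id": "APP-2", "email": "B.Other@Example.com",
     "phone": "+1 212 555 0147", "address": "22 Elm Rd, Springfield"},
    {"id": "APP-3", "email": "c.third@example.com",
     "phone": "646-555-0199", "address": "10 MAIN ST APT 4 SPRINGFIELD"},
]

if __name__ == "__main__":
    for app_id, flags in screen(APPLICATIONS, EXISTING).items():
        print(app_id, flags or "no flags")
```

A flag here is a prompt for manual review, not a determination; shared identifiers also occur legitimately, for example among family members at one address.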

Cybersecurity and Technological Governance

As nation-states across the world are building national champion firms to dominate industries and extend their national power worldwide, United States firms are competing on an increasingly uneven global economic playing field. U.S.-based firms find themselves in a unique and quickly evolving predicament. Many nation-states view privately owned companies within their jurisdiction as extensions of the state. As such, these firms are supported and protected by the arms of the state. Conversely, U.S. firms are decidedly not supported by the federal government, due to free market considerations. For this reason, U.S. firms, including FINRA member firms, are often competing on an uneven global economic playing field. Cybersecurity threats are one of the principal operational risks facing broker-dealers, and FINRA expects firms to develop and maintain reasonably designed cybersecurity programs and controls that are consistent with their risk profile, business model and scale of operations.

The primary lesson since the conclusion of the Cold War is that economic power is the key to national power. Thus, the assets which competitor states seek to obtain from the U.S. are held by private firms, not the U.S. government. As such, the cybersecurity threat facing U.S. firms is nothing short of existential. Yet, the threat of a cybersecurity incident inspires a remarkable lack of passion amongst both firm executives and the American public. This lack of passion is primarily driven by three considerations. First, cybersecurity incidents most often are not violent. Second, the negative impacts of cybersecurity incidents are rarely felt immediately. Third, cybersecurity incidents are usually targeted at a specific firm or asset, meaning that they quickly become “someone else’s problem.” As a result, American business leaders and investors underestimate the gravity and pervasiveness of the threat faced. Notwithstanding, cybersecurity incidents, such as account takeovers, ransomware or network intrusions, and any related exposure of customer information or fraudulent financial activity can expose member firms to financial losses, reputational risks and operational failures that may compromise firms’ ability to comply with a range of rules and regulations, including FINRA Rules 4370, 3110 (Supervision) and 3120 (Supervisory Control System), as well as Exchange Act Rules 17a-3 and 17a-4.

In response to these threats, FINRA advises firms to develop various cybersecurity procedures, including but not limited to: maintaining critical data backups, monitoring unauthorized access to sensitive customer information, verifying customer identity during the creation of new accounts, maintaining a firm-wide Incident Response Plan that includes guidance for common cybersecurity incidents, and regularly assessing the firm’s cybersecurity risk profile based on changes in the firm’s size and business model and newly identified threats. The final recommendation, regular assessment of the firm’s cybersecurity risk profile, is the most prescient for FINRA member firms.

Manipulative Trading

A number of FINRA rules prohibit member firms from engaging in impermissible trading practices, including manipulative trading—for example, Rules 2010 (Standards of Commercial Honor and Principles of Trade), 2020 (Use of Manipulative, Deceptive or Other Fraudulent Devices), 5210 (Publication of Transactions and Quotations), 5220 (Offers at Stated Prices), 5230 (Payments Involving Publications that Influence the Market Price of a Security), 5240 (Anti-Intimidation/Coordination), 5270 (Front Running of Block Transactions), 5290 (Order Entry and Execution Practices) and 6140 (Other Trading Practices).

Under Rule 3110 (Supervision), member firms are required to supervise their associated persons’ trading activities, and a firm’s supervisory procedures must include a process for the review of securities transactions that is reasonably designed to identify trades that may violate the Exchange Act, SEC rules or FINRA rules prohibiting insider trading and manipulative and deceptive devices. Among other obligations, FINRA Rule 5210 prohibits member firms from publishing or circulating communications regarding transactions and quotations unless they believe the information is bona fide; Rule 5270 prohibits trading in a security that is the subject of an imminent customer block transaction while in possession of material, non-public market information concerning that transaction; and Rule 6140 contains a number of requirements to ensure the promptness, accuracy and completeness of last sale information for NMS stocks and to prevent that information from being publicly trade reported in a fraudulent or manipulative manner.

FINRA, NASDAQ and NYSE have recently observed that initial public offerings (IPOs) for certain small cap, exchange-listed issuers may be the subject of market manipulation schemes, similar to so-called “ramp and dump” schemes. FINRA has observed significant unexplained price increases on the day of or shortly after the IPO of certain small cap issuers. These price increases appear to be associated with trading by apparent nominee accounts that invest in the small cap IPO and subsequently engage in apparent manipulative orders and trading activity. Some of the victims of ramp and dump schemes appear to be victims of social media scams such as “pig butchering,” a scheme previously associated with fraudulent crypto-related investment schemes. FINRA encourages firms to review Regulatory Notice 22-25 [Heightened Threat of Fraud: FINRA Alerts Firms to Recent Trend in Small Capitalization (Small Cap) IPOs] for potential indicators of these schemes and evaluate their compliance and risk management programs to confirm that they are monitoring for and addressing this threat.

Conclusion

The Report makes clear that FINRA’s compliance efforts in 2023 will focus on Anti-Money Laundering (AML); Fraud and Sanctions; Cybersecurity and Technological Governance; and Manipulative Trading. We encourage our clients to review the entire 2023 Report for further key issues FINRA plans on monitoring this year.