On January 22, the Financial Industry Regulatory Authority (“FINRA”) released its 2019 Risk Monitoring and Examination Priorities Letter (the “Letter”). The Letter highlights material new priorities for FINRA examinations in the coming year, as well as priorities in areas of ongoing concern. The topics highlighted in this year’s Letter reflect FINRA’s increasing focus on its members’ interaction with, and adoption of, innovative financial technologies, as well as its implicit acknowledgement of the ability for such innovations to assist in regulatory compliance. The new priorities highlighted in the Letter include several related to FinTech, including online distribution platforms, use of regulatory technology (or “RegTech”), and supervision of digital asset businesses. In priority areas of ongoing concern, the Letter confirmed that FINRA will continue to focus on reviewing the adequacy of firms’ cybersecurity programs. Below we detail FINRA’s discussion of these priorities and analyze them in the context of other recent guidance and enforcement actions.
Highlighted Exam Priorities
FINRA announced that it would focus in 2019 on the following new FinTech-oriented risks and exam priorities:
- Online Distribution Platforms – As the letter details, FINRA will examine members’ connection to online platforms used to conduct securities distributions under the public offering registration exemptions found in Rule 506(c) of Regulation D and Regulation A under the Securities Act of 1933. As FINRA indicated, although some platforms are owned and operated by broker-dealers, others are controlled by unregistered entities that use FINRA members to conduct certain necessary functions. FINRA indicated it would focus on members that have performed these functions while stating publicly that they have neither sold nor recommended securities, despite evidence that indicates otherwise. In particular, FINRA stated that it will evaluate members’ compliance with the following obligations:
- Conducting reasonable basis and customer-specific suitability analyses;
- Supervising communications with the public;
- Meeting anti-money laundering (“AML”) requirements; and
- Addressing the risks of issuers distributing offering documents, or making public comments, to potential investors that contain false or misleading statements or material omissions or that promise unreasonably high returns.
FINRA also indicated it will tailor its review of members’ activities to the distinct obligations applicable to Regulation D and Regulation A offerings.
- RegTech – FINRA plans to enter into a dialogue with members to understand how they are adopting technological solutions to satisfy regulatory compliance obligations. In particular, the focus will be on supervision and governance systems, third-party vendor management, safeguards over customer data, and cybersecurity practices.
- Supervision of Digital Assets Businesses – In light of firms’ expression of significant interest in entering digital asset markets, FINRA plans to supervise members’ activities in that industry through its membership and examination processes. In doing so, FINRA will assess members’ compliance with applicable securities laws and regulations, and whether they have addressed the distinct risks that digital asset markets present by adopting controls for supervision, compliance, and operational purposes. Moreover, FINRA stated that it will work closely with the SEC to consider how members are determining whether a particular asset is a “security,” which is an issue that the SEC has been particularly active in policing.
The Letter evidences FINRA’s increasing focus on members’ FinTech activities. Following investor alerts issued on initial coin offerings and cryptocurrency-related stock scams in 2017, FINRA first indicated in its 2018 Regulatory and Examination Priorities Letter that it would examine members’ engagement in digital asset markets. In that letter, FINRA stated it would “closely monitor developments” and review members’ operational infrastructure to ensure regulatory compliance when effecting transactions in digital asset securities. FINRA followed up on its 2018 Letter with its first enforcement action in digital asset markets against a member for his failure to satisfy operational requirements under FINRA rules. This year’s Letter goes further in expecting members to have identified and implemented controls and supervision of compliance measures tailored to the distinct risks that digital assets present.
FINRA’s prioritization of examining members’ use of RegTech for compliance purposes and their engagement with online distribution platforms is new, but nonetheless consistent with its more expansive focus on FinTech innovations beyond digital asset markets. In July 2018, FINRA issued Special Notice 18-20, which explicitly requested feedback on (1) the provision of data aggregation services for investors; (2) members’ compliance with FINRA supervision requirements using artificial intelligence and machine learning; and (3) the value of developing a taxonomy-based, machine-readable rulebook. While it is unclear how FINRA will use the comments it received, its Letter expresses a continued focus on the issues presented by members’ adoption of innovative FinTech solutions.
Additionally, FINRA’s focus on members’ use of RegTech to address cybersecurity risks builds on its recent Report on Selected Cybersecurity Practices. The Letter thus serves as another reminder to members of the need to tailor their data security practices and policies to their activities, making fact-specific, individualized determinations to how to mitigate cybersecurity risks.
 FINRA is a self-regulatory organization charged with overseeing the broker-dealer and funding portal industries. All SEC-registered broker-dealers and funding portals must obtain membership with FINRA, as do associated persons of those firms who are engaged in the securities business of the firm.
 In particular, FINRA plans to examine how members interact with unaffiliated platforms that may use those members to serve as selling agents or brokers of record, or to carry out “custodial, escrow, back-office, and other FinTech-related functions” on behalf of the platform.
 Such evidence, according to the Letter, has most typically involved FINRA members that handle customer accounts and funds or receive transaction-based compensation for services performed for the platforms.
 In the context of Regulation D offerings, the Letter indicated that FINRA will evaluate how members address risks of non-compliance from sales to persons who are not accredited investors. FINRA will focus on the risks that compensation arrangements between members and issuers are excessive or undisclosed in the case of Regulation A offerings.
 The Letter encourages members to notify the organization when they intend to participate in activities in this market, even where the activities would not ordinarily require FINRA membership.
 In particular, FINRA indicated it expects to see controls and supervision over compliance that are tailored to address FINRA’s rules on the “marketing, sale, execution, control, clearance, recordkeeping and valuation of digital assets, as well as AML/Bank Secrecy act rules and regulations.”
 For example, the SEC issued multiple enforcement actions against ICO token issuers, broker-dealers, and exchange platforms after determining the digital assets at issue qualified as “securities.”
 FINRA had previously issued an investor alert in March 2018 concerning members’ use of data aggregation services for customers.