A record year of FINRA enforcement activity heralds heightened scrutiny on a bevy of issues including cybersecurity, anti-money laundering policies and protection for senior clients, legal and regulatory experts caution.
Analyzing the regulator's 2016 enforcement actions, New York law firm Eversheds Sutherland found that while the total number of cases the industry regulator brought last year dipped slightly from 2015, the monetary fines it assessed nearly doubled to $176 million.
That figure was far and away a record for FINRA penalties, and amounted to a 529% increase since 2008, according to Eversheds Sutherland's analysis.
A main driver of the ballooning fines has been FINRA's increasing tendency to levy what Eversheds Sutherland calls "super-sized" penalties of $1 million or more — in some cases, much more, such as the $20 million fine the regulator levied against MetLife Securities last May in a case involving variable annuities.
It is possible that 2016 will stand as a high-water mark for fines, but observers caution the industry that FINRA will very much remain a cop on the beat.
"We have no signs that the pace at FINRA will be slowing down," says Adam Pollet, an attorney with Eversheds Sutherland who represents brokers and advisers in regulatory matters. "It likely won't reach the record high of 2016, but we can still have a lot of disciplinary actions expected in 2017."
Pollet speculates that FINRA could take an even more aggressive stance "given the possible enforcement void at the SEC under the new administration," which has made deregulation a centerpiece of its domestic agenda.
A spokeswoman for FINRA declined to comment on the organization's enforcement efforts.
One area where experts anticipate mounting scrutiny from regulators is cybersecurity, which the SEC and FINRA have both identified as an examination priority. Neither regulator has brought many enforcement cases solely pegged to cyber deficiencies, but that could quickly change as authorities come to expect firms to have in place a baseline cyber framework.
"FINRA is regularly examining on cybersecurity, as is the SEC," says Eversheds Sutherland partner Brian Rubin. "I expect FINRA and the SEC will bring cases in the future where there are not breaches or hacks, just sort of run-of-the-mill cases in terms of firms not having adequate policies and procedures, or not conducting risk assessments, or not having encryptions or firewalls."
"Even though some of these things might be best practices, I think in the future we'll see them more as regulatory requirements that are just expected by regulators as opposed to best practices," Rubin adds. "So to the extent that you haven't looked at your cybersecurity practices, it probably makes sense to do so before FINRA or the SEC come in on your next exam."
AML ATTRACTS ATTENTION
FINRA appears to be on a similar trajectory with its oversight of firms' anti-money laundering practices, which accounted for more enforcement cases in 2016 (32) in Eversheds Sutherland's tally than any other single issue.
"AML has been working its way up the top enforcement issues list," Pollet says. "FINRA is really aggressive right now investigating AML-related issues. They continue to emphasize with firms a culture of compliance that requires both automated quantitative monitoring programs, as well as qualitative review by employees to detect possible reportable suspicious activities."
Pollet also notes that some of FINRA's enforcement actions have made it plain that it's not enough simply to have an AML policy in place as a compliance exercise.
The case the regulator brought against Raymond James, which resulted in a $17 million fine, illustrates the point. In that action, FINRA pointed to Raymond James' rapid growth over the preceding eight years, a period when the firm's AML systems were largely neglected. Making the violation particularly "egregious," FINRA said, was an earlier action brought against Raymond James in 2012, when the firm had pledged to improve its AML program.
"Firms must not only have written supervisory procedures for AML, but must regularly review them and devote adequate resources to implement those policies and programs," Pollet says. "When you discover problems, you need to fix them -- in particular when you tell the regulator you will."
CARE FOR SENIOR CLIENTS
Likewise, Pollet and Rubin are anticipating more enforcement cases arising that involve senior clients, another area where both FINRA and the SEC have been increasing oversight.
In addition to the heightened scrutiny of the ways that advisers are dealing with senior clients that could lead to more enforcement activity, FINRA recently moved to give firms more latitude in intervening when they suspect a client might be the victim of abuse. Under a rule approved in March by the SEC, FINRA is permitting brokers to place a hold on a request to disburse funds if they feel the client is being exploited.
"FINRA is helping firms do some of the things that firms have wanted to do," Rubin says. "Because previously if they had concerns they sort of had their hands tied behind their back about what types of transactions they could stop or how they could go about asking for this type of information without intruding in the privacy of the customer."