Firm Element

Electronic Recordkeeping Requirements

The SEC adopted amendments to the recordkeeping rules applicable to broker-dealers, security-based swap dealers, and major security-based swap participants. The amendments modify requirements regarding the maintenance and preservation of electronic records, the use of third-party recordkeeping services to hold records, and the prompt production of records. The Commission also is designating broker-dealer examining authorities as Commission designees for purposes of certain provisions of the broker-dealer record maintenance and preservation rule. The effective date is January 3, 2023. The compliance date for the amendments to 17 CFR 240.17a-4 is May 3, 2023. The compliance date for the amendments to 17 CFR 240.18a-6 is November 3, 2023.

•  SEC Release No. 34-96034; File No. S7-19-21 (October 12, 2022): Electronic Recordkeeping Requirements for Broker-Dealers, Security – Based Swap Dealers, and Major Security – Based Swap Participants

Customer Account Statements

FINRA has adopted amendments to Rule 2231 (Customer Account Statements) to add eight new supplementary materials pertaining to:

• compliance with Rule 4311 (Carrying Agreements);
• the transmission of customer account statements to other persons or entities;
• the use of electronic media to satisfy delivery obligations;
• compliance with Rule 3150 (Holding of Customer Mail);
• the information disclosed on customer account statements;
• assets externally held;
• the use of logos and trademarks, etc.; and
• the use of summary statements.

Several of these new supplementary materials are derived largely from Temporary Dual FINRA-NYSE Rule 409T (Statements of Accounts to Customers) and Temporary Dual FINRA-NYSE Rule Interpretation 409T, which will be deleted as a result of amended Rule 2231. These changes become effective on January 1, 2024.

• FINRA Regulatory Notice 23-02 (January 18, 2023): FINRA Amends FINRA Rule 2231

Ransomware

FINRA has received reports about increasing numbers and sophistication of ransomware incidents. Ransomware typically involves bad actors gaining unauthorized access to firm systems and encrypting or otherwise accessing sensitive firm data or customer information, then holding that hijacked data for ransom. Some ransomware attacks have become significant threats that include theft of data and bad actors’ ongoing network access.

Ransomware attacks have proliferated due to, in part, increased use of technology and continued adoption of cryptocurrencies, which bad actors use to hide their identities when collecting ransom payments. Further, Ransomware-as-a-Service (RaaS) models, where bad actors purchase attack services on the dark web,1 have helped execute attacks on a much larger scale and make attacks available to less technologically savvy bad actors.

Rule 30 of the U.S. Securities and Exchange Commission’s (SEC) Regulation S-P requires firms to have written policies and procedures that are reasonably designed to safeguard customer records and information. FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information) also applies to ransomware attacks that include denials of service and other interruptions to members’ operations.

•  FINRA Regulatory Notice 22-29 (December 14, 2022): FINRA Alerts Firms to Ransomware Risks

Heightened Threat of Fraud

FINRA alerts members to an emerging threat to customers and members, where FINRA, NASDAQ and NYSE have observed initial public offerings (IPOs) for certain small capitalization (small-cap) issuers listed on U.S. stock exchanges that may be the subject of pump-and-dump-like schemes (sometimes referred to as "ramp-and-dump" schemes in other jurisdictions). FINRA has observed significant unusual price increases on the day of or shortly after the IPOs of certain small-cap issuers, most of which involve issuers with operations in other countries. FINRA has concerns regarding potential nominee accounts that invest in the small-cap IPOs and subsequently engage in apparent manipulative limit order and trading activity. Some of the investors harmed by ramp-and-dump schemes appear to be victims of social media scams. This Notice addresses concerns similar to those previously raised in the Anti-Money Laundering sections of the 2022 and 2021 Reports on FINRA’s Examination and Risk Monitoring Program.

•  FINRA Regulatory Notice 22-25 (November 17, 2022): FINRA Alerts Firms to Recent Trend in Small Capilization IPOs

FINRA Shares Practices for Obtaining Customers’ Trusted Contacts

Member firms are required to make reasonable efforts to obtain the name of and contact information for a trusted contact for a non-institutional customer’s account. This Notice summarizes member firms’ regulatory obligations, discusses the benefits of trusted contacts in administering customers’ accounts, highlights customer education resources and shares effective practices member firms use.

• FINRA Regulatory Notice 22-31 (December 15, 2022): FINRA Shares Practices for Obtaining Customers’Trusted Contacts

Senior Investors

FINRA has adopted amendments to Rule 2165 (Financial Exploitation of Specified Adults) to permit member firms to: (1) place a hold on a securities transaction (in addition to the already-permitted hold on a disbursement of funds or securities) where there is a reasonable belief of financial exploitation; and (2) extend a temporary hold on a disbursement or transaction for an additional 30 business days, beyond the current maximum of 25 business days (for a total of 55 business days), if the member firm has reported the matter to a state regulator or agency, or a court of competent jurisdiction. The amendments to Rule 2165 have an effective date of March 17, 2022.

• FINRA Regulatory Notice 22-05 (February 15, 2022): FINRA Adopts Amendments to FINRA Rule 2165