Firm Operations

Business Continuity Planning

Business Continuity Planning

Due to the recent outbreak of coronavirus disease (COVID-19), FINRA reminds member firms to consider pandemic-related business continuity planning, including whether their business continuity plans (BCPs) are sufficiently flexible to address a wide range of possible effects in the event of a pandemic in the United States. Each member firm is also encouraged to review its BCP to consider pandemic preparedness and to review its emergency contacts to ensure that FINRA has a reliable means of contacting the firm. This Notice also provides pandemic-related guidance and regulatory relief to member firms from some requirements. As coronavirus-related risks decrease, member firms should expect to return to meeting any regulatory obligations for which relief has been provided.

• FINRA Regulatory Notice 20-08 (March 9, 2020): Pandemic-Related Business Continuity Planning, Guidance and Regulatory Relief

Business continuity remains a priority for firms and their associated persons. It is important that firms maintain adequate business continuity and contingency plans and ensure that employees are aware of and understand these plans.

• FINRA Topic Page: Business Continuity Planning

• FINRA Small Firm Business Continuity Planning Template

FINRA Membership

(New) FINRA Membership Application

The Notice shares key operational changes in FINRA’s Membership Application Program (MAP) implemented to improve its effectiveness and efficiency (MAP Transformation), including establishing a centralized application intake function and aligning the program with the firm grouping model developed by FINRA’s Member Supervision Department during its recent transformation.

• FINRA Information Notice 4/19/22: Membership Application Program Transformation

Anti-Money Laundering

U.S Imposes Sanctions on Russian Entities and Individuals

The U.S. government has imposed sanctions in response to Russia’s actions in Ukraine. FINRA is issuing this Notice to provide member firms with information about these recent actions. FINRA encourages member firms to continue to monitor the Department of Treasury’s Office of Foreign Asset Control (OFAC) website for relevant information.

• FINRA Regulatory Notice 22-06 (February 25, 2022): FINRA Alerts Firms to Sanctions

 

AML Act of 2020 First Priorities Issued

FinCEN has issued the first government-wide priorities for AML and CFT, which was mandated by the AML Act of 2020. FinCEN also issued a statement to provide covered non-bank financial institutions, including broker-dealers, with guidance on how to approach the AML/CFT Priorities. FINRA is issuing this Notice to inform member firms of the AML/CFT Priorities and the Statement, and to encourage member firms to consider how to incorporate the AML/CFT Priorities into their risk-based AML compliance programs.

• FINRA Regulatory Notice 21-36 (October 8, 2021): FINRA Encourages Firms to Consider How to Incorporate the Government-wide AML and CFT Priorities into their AML Programs

 

Advisory on FATF-Identified Jurisdictions

The FinCEN issued an advisory to inform financial institutions of updates to the FATF list of jurisdictions with strategic anti-money laundering and combating the financing of terrorism (AML/CFT) and counter-proliferation financing deficiencies. As part of the FATF’s listing and monitoring process to ensure compliance with its international standards, the FATF identifies certain jurisdictions as having strategic deficiencies in their regimes. Financial institutions should consider the FATF’s statements when reviewing their obligations and risk-based policies, procedures, and practices with respect to the jurisdictions noted below.

FinCEN Advisory, FIN-2021-A003 (March 11, 2021) 

 

Fraud Prevention 

Low-priced securities tend to be volatile and trade in low volumes. It may be difficult to find accurate information about them. There is a long history of bad actors exploiting these features to engage in fraudulent manipulations of low-priced securities. Frequently, these actors take advantage of trends and major events to perpetrate fraud. FINRA has observed potential misrepresentations about low-priced securities issuers’ involvement with COVID-19 related products or services, such as vaccines, test kits, personal protective equipment and hand sanitizers. These misrepresentations appear to have been part of potential pump-and-dump or market manipulation schemes that target unsuspecting investors. These COVID-19-related manipulations are the most recent manifestation of this type of fraud.

• FINRA Regulatory Notice 21-03 (February 10, 2021): FINRA Urges Firms to Review Their Policies and Procedures Relating to Red Flags of Potential Securities Fraud Involving Low-Priced Securities

Cybersecurity

FINRA Alerts Firms to “Log4Shell” Vulnerability in Apache Log4j Software

FINRA is alerting firms to a recently identified vulnerability in Apache Log4J software, which is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. The “Log4Shell” vulnerability presents risk for member firms because they may be using this software in internal applications, or the software may be embedded in third-party software packages. In addition, many applications written in Java are potentially vulnerable.

• FINRA Regulatory Notice 21-42 (December 14, 2021): FINRA Alerts Firms to “Log4Shell” Vulnerability in Apache Log4j Software

 

Alert: Phishing Campaigns Using Imposter FINRA Domain Names

FINRA warns member firms of an ongoing phishing campaign that involves fraudulent emails (see sample in Appendix) purporting to be from FINRA and using one of at least three imposter FINRA domain names:

  • “@finrar-reporting.org”
  • “@Finpro-finrar.org”
  • “@gateway2-finra.org”
  • "@westour.org"
  • "@gateway-finra.org"
  • "supports@finra-online.com"

FINRA recommends that anyone who clicked on any link or image in the email immediately notify the appropriate individuals in their firm of the incident.

• FINRA Regulatory Notice 21-30 (August 13, 2021): FINRA Alerts Firms to a Phishing Email Campaign Using Multiple Imposter FINRA Domain Names

• FINRA Regulatory Notice 21-22 (June 23, 2021): FINRA Alerts Firms to Phishing Email From “FINRA Support” From the Domain Name “westour.org”

• FINRA Regulatory Notice 21-20 (June 7, 2021): FINRA Alerts Firms to Phishing Email Using “gateway-finra.org” Domain Name

• FINRA Regulatory Notice 21-08 (March 4, 2021): FINRA Alerts Firms to Phishing Email Using “finra-online.com” Domain Name

 

Protecting Customer Accounts

FINRA has received an increasing number of reports regarding customer account takeover (ATO) incidents, which involve bad actors using compromised customer information, such as login credentials (i.e., username and password), to gain unauthorized entry to customers’ online brokerage accounts. To help firms prevent, detect, and respond to such attacks, FINRA recently organized roundtable discussions with representatives from 20 firms of various sizes and business models to discuss their approaches to mitigating the risks from ATO attacks.

• FINRA Regulatory Notice 21-18 (May 12, 2021): FINRA Shares Practices Firms Use to Protect Customers from Online Account Takeover Attempts

 

Heightened Threat of Fraud

FINRA warns member firms that it has recently observed a sharp increase in new customers opening online brokerage accounts and engaging in Automated Clearing House (ACH) “instant funds” abuse to effect securities trading. FINRA has previously warned firms about trends in losses from schemes involving electronic funds transfers, such as those involving outbound wire transfers and ATM withdrawals.

• FINRA Regulatory Notice 21-14 (March 25, 2021): FINRA Alerts Firms to Recent Increase in ACH “Instant Funds” Abuse

 

FINRA Cybersecurity Topic Page

Given the evolving nature, increasing frequency, and sophistication of cybersecurity attacks – as well as the potential for harm to investors, firms, and the markets – cybersecurity practices are a key focus for FINRA. Visit the link below for more information on related rules, notices, guidance, news and investor education

• FINRA Topic Page:  Cybersecurity

 

SEC Investor Bulletin

The SEC’s Office of Investor Education and Advocacy issued this Investor Bulletin to help investors protect their online investment accounts from fraud. As with all web-based accounts, investors should take precautions to help ensure that their online investment accounts remain secure. These online security tips can help.

• SEC Investor Bulletin: Protecting Your Online Accounts from Fraud (July 1, 2021)

 

Vendor Management and Outsourcing

FINRA is publishing this Notice to remind member firms of their obligation to establish and maintain a supervisory system, including written supervisory procedures, for any activities or functions performed by third-party vendors that are reasonably designed to achieve compliance with applicable securities laws and regulations and with applicable FINRA rules. This Notice reiterates applicable regulatory obligations, summarizes recent trends in examination findings, observations and disciplinary actions; and provides questions member firms may consider when evaluating their systems, procedures and controls relating to Vendor management.

• FINRA Regulatory Notice 21-29 (August 13, 2021): FINRA Reminds Firms of their Supervisory Obligations
Related to Outsourcing to Third-Party Vendors

 

Digital Assets

For the past several years, FINRA has encouraged firms to keep their risk monitoring analyst informed if the firm, or its associated persons or affiliates, engaged, or intended to engage, in activities related to digital assets, including digital assets that are non-securities. FINRA appreciates members’ cooperation with this request and is encouraging firms to continue to keep their risk monitoring analyst abreast of their activities related to digital assets on an ongoing basis.

• FINRA Regulatory Notice 21-25 (July 8, 2021): FINRA Continues to Encourage Firms to Notify FINRA if
They Engage in Activities Related to Digital Assets

Senior Investors

Senior Investors

FINRA has adopted amendments to Rule 2165 (Financial Exploitation of Specified Adults) to permit member firms to: (1) place a hold on a securities transaction (in addition to the already-permitted hold on a disbursement of funds or securities) where there is a reasonable belief of financial exploitation; and (2) extend a temporary hold on a disbursement or transaction for an additional 30 business days, beyond the current maximum of 25 business days (for a total of 55 business days), if the member firm has reported the matter to a state regulator or agency, or a court of competent jurisdiction. The amendments to Rule 2165 have an effective date of March 17, 2022.

• FINRA Regulatory Notice 22-05 (February 15, 2022): FINRA Adopts Amendments to FINRA Rule 2165

 

NASAA Model Act to Protect Seniors and Vulnerable Adults

In a significant step toward providing much needed protection for seniors and vulnerable adults, NASAA announced that its membership has voted to adopt a model act designed to protect vulnerable adults from financial exploitation. The model, entitled “An Act to Protect Vulnerable Adults from Financial Exploitation,” provides new tools to help detect and prevent financial exploitation of vulnerable adults.

• NASAA Model Statute to Protect Vulnerable Adults

• www.serveourseniors.org