
Compliance culture: FINRA shifts regulatory focus

Finance industry regulators have shifted gears in 2016, moving away from checkbox-style regulations and focusing on companies' compliance culture.

As the 10-year anniversary of the U.S. financial crisis looms, the industry is still trying to regain investor confidence by showing that it takes compliance rules seriously and punishes those who don't. To this end, finance industry regulators have set their sights on corporate culture and its relationship to compliance practices. In other words, rather than asking to see compliance to-do lists checked off, regulators are seeking broader demonstrations of compliance culture in areas such as internal controls and risk management.

The Financial Industry Regulatory Authority (FINRA) has made it a priority to examine how well firms value internal controls and whether supervisors model the company's stated compliance culture. In upcoming FINRA examinations, auditors will pay close attention to the behaviors that are expected at a firm, the behaviors that are performed and whether policy breaches are tolerated.

This FAQ is part of SearchCompliance's IT Compliance FAQ series.

What can financial firms expect from the industry's self-regulatory body -- the Financial Industry Regulatory Authority -- in 2016?

In 2016, the Financial Industry Regulatory Authority (FINRA) is paying special attention to compliance culture and how it plays out in a firm's internal controls, supervision and risk management. The group is particularly interested in assessing how these functions affect cybersecurity, technology management, conflict-of-interest management, anti-money laundering, outsourcing practices, and data quality.

FINRA is currently formalizing how it assesses compliance culture. In FINRA examinations this year, the group will focus on five indicators:

  • Does the firm value control functions?
  • Does it tolerate control breaches?
  • Do managers effectively model the stated culture?
  • Is the firm proactive in identifying risk and compliance problems?
  • Are non-conforming subcultures held accountable?

Financial firms should take steps to make sure efforts to reduce conflicts of interest are visible, and be prepared to show that their compliance initiatives have necessary resources. The company should also demonstrate that breaches of policy are not tolerated and violators are punished accordingly.


How will FINRA determine whether a firm is adequately implementing its stated compliance culture?

To determine whether a firm's cultural values actually guide business dealings, FINRA will meet with executives and personnel from financial firms' compliance, legal and risk management departments. Firms can expect a discussion about how they communicate and reinforce their values, as well as how they monitor the ways in which these values are demonstrated during business dealings. FINRA is also seeking metrics to demonstrate companies' compliance with these values.

There are several common questions that are likely to arise, including:

  • How are cultural values established, and who establishes them?
  • Is the board involved with establishing cultural values, and how do executives promote these company values?
  • How does the company ensure that middle management applies these values?
  • What processes are used to discover breaches of policy, and how are such breaches addressed?
  • Are there policies or processes for discovering and dealing with subcultures that might compromise company values?
  • How does the compensation structure reinforce values?


How will FINRA evaluate a firm's supervisory, risk management and internal controls functions?

Supervision, internal controls and risk management are integral to a firm's compliance culture, and will be in the spotlight during FINRA's 2016 examinations. Under the industry's own rules, firms are required to maintain supervisory systems for compliance matters, but FINRA has seen repeated problems with supervision in the areas of conflict-of-interest management, technology, outsourcing and anti-money laundering.

FINRA will examine how a firm manages conflicts of interest that can arise in various contexts, including incentives in the retail brokerage side of the business, research analysis vis-a-vis the investment banking side of the business, and controls implemented to minimize information leaks.

How a firm manages its hardware, software and information technology personnel will also be closely examined by FINRA in 2016. The group has cautioned that some firms still have not deployed adequate cyber defenses, and persistent threats create particular risks in the areas of customer accounts, asset transfer systems, online trading systems and vendor management systems. FINRA will look closely at how a firm implements IT management, including data governance, employee training, technical controls, risk assessments, data loss prevention, incident response and vendor management.

Information technology change management is of special concern to FINRA. The group has warned that it has seen too many errors in how changes are made to IT systems and applications, and it will look closely at how firms supervise changes to back office systems and vendor systems.

FINRA has also warned that it will be taking a careful look at how firms monitor and prevent suspicious trading activity. Surveillance systems should be tested and the accuracy of data sources should be verified to ensure that suspicious activity can be detected and reported. If certain transactions are excluded from anti-money laundering surveillance functions, the reason for this exclusion must be documented.


What can firms do to prepare for FINRA examinations of information technology systems?

Firms facing a FINRA examination should make sure that they have written procedures guiding change management of IT systems. Adequate segregation of duties for employees who deploy technology changes should be visible, as should user acceptance testing. Technology governance should include sufficient testing of algorithms as well.

Compliance systems must be shown to operate effectively, and demonstrate that no major breakdowns occurred in the transition from legacy systems to new systems. Firms should be sure that no coding problems are evident and that email and other electronic communications are properly supervised and retained.

FINRA is expected to look closely at data quality and governance in its examinations this year. Data reporting practices and quality controls must ensure that information channeled to supervisors and surveillance systems is accurate, complete, consistent and timely. In particular, FINRA wants to see that automated anti-money laundering surveillance systems are picking up accurate and thorough data.


How do FINRA's 2016 priorities compare to those of the U.S. Securities & Exchange Commission?

Like FINRA, federal regulators will be taking a closer look at the financial industry's internal controls in 2016. The Office of Compliance Inspections and Examinations at the U.S. Securities and Exchange Commission has made cybersecurity and Systems Compliance and Integrity (SCI) two of its top priorities. The regulators will assess, among other things, how well firms have implemented cybersecurity procedures and controls and whether data centers, infrastructure components and security operations are up to the task.


Next Steps

Learn more about new finance industry mandates, including how Regulation SCI broadens the scope of IT systems compliance and why the rule represents a new level of enforcement for federal regulators.

This was last published in March 2016


Do you think FINRA's new focus on company culture will reduce compliance violations in the financial industry? Why or why not?
FINRA’s focus on company culture will reduce compliance violations in the financial industry and it will happen in two waves. This shift in focus gives the compliance team in financial services firms a lot to work with when it comes to raising awareness of the importance of regulatory compliance at an organizational level. More and more, compliance and the necessary training and systems required to maintain it effectively are not limited to the compliance department. For example, the marketing department wishes to leverage social media to promote the business and stay competitive, but they must do it in a managed and supervised way to maintain compliance in the process. It will take the right combination of policies, systems to enforce them and people knowing what they should be doing with the right training up front.

The first wave of compliance violation reductions will stem from the initial communication of this new focus for FINRA to all key stakeholders within financial services firms and getting an agreement that the whole organization has to embrace the notion of a culture of compliance and agree on the set of policies that will accomplish it. As an immediate step, an organization-wide training initiative can then be kicked off for all stakeholder groups that generate content subject to regulatory compliance to have a firm understanding of what they should and should not be doing and the specific policies the firm has in place to address it, including the punitive actions that will be taken for those who ignore the policies willfully. Think of this as the “awareness” phase.

The second and probably more impactful wave of compliance violation reductions will happen when the proper automated systems and technologies have been put in place to effectively capture, supervise, review and report on the content where regulatory compliance applies and according to the policies that have been established in a more holistic way. With the right technology and systems, the compliance team can catch potential violations as they occur, document that they caught them, take corrective action with the individuals involved and potentially enhance or tune their policy-checking as a result – and have an audit trail for the whole process to share with the regulator should they be examined. The added benefit of having the right systems and technology in place is that firms can also open up restrictions on the usage of content types like social media and web with the confidence that potential violations can be trapped and remedied in the few instances where they may occur versus having no choice but to prohibit their use altogether from the various stakeholder groups across the organization. Think of this as the “automated enforcement” phase.

The good news is that technologies such as comprehensive archive platforms with specialized workflows for supervision, review and reporting exist today and can help firms keep up with the changes that FINRA is making and stay in lock-step.


Good points. Buy-in from all employees throughout a company's departments is a vital first step to building this compliance culture. Employees remain on the front lines of a company's regulatory compliance processes, and negligent employees are a major risk factor for regulatory breaches. Education/awareness training – and a lot of it – can go a long way to improving compliance culture and ultimately protecting an organization's digital assets, customer data and reputation by avoiding compliance violations.

This is where the automation tools come in, and can further help ensure legal and regulatory compliance. These tools definitely must be monitored and updated often, however, and companies still must be wary of the potential for errors made by the employees whose job it is to run these IT services. Unfortunately, human error will always be a factor when it comes to compliance violations, no matter how well a company is able to incorporate a culture of compliance.
