FINRA stands for the Financial Industry Regulatory Authority. It is a self-regulatory nonprofit that the U.S. Securities Exchange Commission (SEC) oversees. Operating this type of organization entails having some administrative authority over industry entities, such as the New York Stock Exchange and the securities industry, which FINRA oversees.
Often, FINRA works hand in hand with the SEC to draw up specific regulations. FINRA also deters misconduct among stockbrokers and brokerage firms and makes sure the financial markets are fair. It works to enforce securities sector guidelines and SEC rules while ensuring industry transactions are transparent.
What is FINRA?
Although it may seem otherwise, FINRA is not a government organization. Despite this, FINRA oversees the stock market, monitors more than 4,200 brokers and brokerage firms, and is responsible for 30 billion transactions every day — sometimes overseeing 75 billion events in a single day. FINRA provides oversight for the following functions:
- Licensing brokers and firms
- Conducting exams and training for members
- Creating, instituting, and enforcing compliance rules
- Regulating trading in equities, corporate bonds, and securities futures
In general, the goal of FINRA is to keep standards for the market and investors high. It has done so by coming up with rules and regulations concerning how data is tracked and stored. To comply with FINRA regulations, you need to retain data for a specified length of time. Destroying or falsifying data is a serious violation of the rules.
If you store data using electronic storage media (ESM), such as a cloud-based platform, the ESM needs to meet certain requirements, outlined in SEA Rule 17a-4(f). The data must also be protected, accessible, and auditable.
If you fail to comply with FINRA rules, you may face disciplinary actions, including fines. These fines are set in place to deter financial misconduct.
For example, FINRA issued $57.0 million in fines in 2020. In addition, FINRA can take disciplinary actions in ways other than fines, such as barring individuals from working in the financial industry and ordering suspensions on people who are noncompliant.
Although FINRA is not a government organization, it does refer insider trading and fraud cases to the SEC and other government agencies. FINRA also has the power to discipline you if you've violated their security rules. When FINRA opens an investigation, it can rely on the information from surveillance reports, referrals, complaints, tips, and findings from examinations, but it will not violate your right to confidentiality.
If you go against the regulations or rules of FINRA, your violation may or may not lead to formal discipline. FINRA can discipline you by ordering a litigated proceeding or settlement.
What are the FINRA compliance requirements?
There are many FINRA compliance requirements that businesses in the financial services industry must follow. We'll take a look at some of these regulations specifically regarding email compliance and what categories might affect your business at large.
What are FINRA compliance requirements for email?
A financial service organization must keep a record of all emails for a certain period. SEC 17a-4 specifies that electronic records must be kept for a minimum of six years, with the first two years stored in an easily accessible place. Your digital data regarding your emails must also be auditable.
How do I meet FINRA compliance requirements?
Understanding and complying with all FINRA requirements can be a challenge, which is why many businesses use third parties for help. Box is an example of a third party that can aid you with comprehending and complying with FINRA rules and regulations is.
FINRA functions based on a set of internally developed regulations that brokers and brokerage firms need to follow. The following is a list of compliance issues that are important for brokers to be aware of:
A large part of FINRA is regulating brokerage firms and ensuring they operate fairly. Here is a list of operations within a brokerage firm that FINRA keeps an eye on:
- Regulatory events reporting
- Cybersecurity and technology governance
- Books and records
- Anti-money laundering
- Private securities transactions
- Fixed income mark-up disclosure
- Outside business and private securities transactions
Communications and sales
How a business communicates with its clients and other companies it may work with is important to FINRA. Some categories within communications and sales that FINRA focuses on include:
- Regulatory BI (Best Interest) and form CRS (Customer Relationship Summary)
- Private placements
- Variable annuities
- Communications with the public
Ensuring market integrity is essential to upholding honest business practices and ensuring a safer industry. FINRA does this by regulating:
- Best execution
- Market access
- Large trader reporting
- Consolidated audit trail (CAT)
- Vendor display rule
- Financial management
How a business manages its financials is essential to FINRA because it oversees how money flows within the New York Stock Exchange and securities industry. Concerning net capital, FINRA oversees the following:
- Liquidity management
- Credit risk management
- Segregation of assets and customer protection
Of course, each of these 20 compliance issues involves more detail than as stated, so it's best to figure out which ones are important to you. The most effective practices to employ to avoid these compliance issues will vary depending on your business. However, these items broadly impact compliance across all businesses.
Regulation best interest and customer relationship summary
FINRA has internally created rules concerning regulatory obligations and customer relationships to protect customers' best interests.
Regulatory best interest concerning FINRA establishes a standard of conduct for broker-dealers that is in customers' best interest, especially when recommending security transactions to retail customers. For example, you would need to act in your client's best interest when recommending different types of accounts.
Broker-dealers must create summaries of the types of customer relationships and services their firm offers, including fees, conflicts of interest, costs, standards of conduct, reportable legal or disciplinary history, and ways to get more information about their firm.
FINRA requires you to disclose any material information you might have about investments you recommend to or discuss with investors. If you report false information or don't report all information, you may be pegged for fraud. You must report all material information from discussions and distributed materials. You also cannot guarantee that any security transaction won't lose money.
Restrictions exist on telemarketing investors, too. As an example, FINRA prohibits cold-calling a customer after 9:00 p.m. or before 8:00 a.m. You also cannot call anyone who has stated they would like you not to call them. Also, must avoid calling individuals who are on the national do-not-call registry.
Cybersecurity is a key focus for FINRA because of the increasing number of sophisticated breaches and attacks.
FINRA analyzes how you manage risks of your data being breached or attacked by looking at the following areas of your business: technical controls, incident response, risk assessment, technology governance, data loss prevention, staff training, branch controls, system change management, technology governance, and vendor management. FINRA looks into these business operations to ensure your customers' information is secure, accessible, and confidential.
FINRA protects investors by safeguarding their data. It's best to establish a system that will do the following to make sure your firm's data is safe:
- Identify and assess cybersecurity threats
- Detect when your assets or systems have been compromised
- Protect your assets from cyber attacks
- Plan for the response when a compromise occurs
- Implement a plan to recover assets
Keep in mind that using this checklist does not mean you will be safe from compliance violations concerning FINRA. You still need to follow all federal or state security laws, FINRA rules, and applicable state or federal regulatory requirements.
If there is a security breach
Even if you use ransomware assistance, you are still vulnerable to cyberattacks. If there's a breach in your security, and some of your data is compromised, it's best to contact your local FBI office. If you face a particularly problematic attack or breach that leaves you or your customers unable to conduct business, you can also reach out to a FINRA risk-monitoring analyst.
Common cybersecurity threats
FINRA regularly tracks security breaches and attacks in its industries, which is how the most common cybersecurity threats have been pinpointed. These common threats include the following:
- Imposter websites
- Customer account takeover
- Firm account compromise or takeover
- Fraudulent wires or Automated Clearing House (ACH) transactions
- Distributed denial-of-service (DDoS) attacks
- Vendor breaches
FINRA also has rules applying to public communications. These include:
- The definition of communications is understood to be institutional communications, retail communications, and correspondence
- The definition of correspondence and retail communication is understood to mean communication with 25 or fewer retail investors within 30 days
- The definition of institutional communication is understood to be communication with institutional investors
- A retail investor cannot be an institutional investor
- No form of communication may be passed to an institutional investor if you also pass it to a retail investor
Consolidated Audit Trail (CAT)
FINRA works alongside the SEC to create a National Market System (NMS) that meets the requirements of Rule 613, which ensures FINRA and the SEC collaborate to form a Consolidated Audit Trail. The Consolidated Audit Trail was established to track orders throughout their entire lifecycle. This ability allows for ultimate tracking of activity throughout U.S. markets in Eligible Securities.
Background of the CAT
The Securities Exchange Act enacted rule 613. This rule ensures regulators can be more accurate and efficient in keeping records of the U.S. equities and options markets. This precision and efficiency are important in keeping the markets fair.
CAT reporting obligations
Several entities must report to the Consolidated Audit Trail. These entities include ones that have orders originating in over-the-counter (OTC) equity securities, listed options, or NMS stocks. CAT reporting is also a must for all proprietary trading activity. According to FINRA, you need to report to CAT for your clearing firm if you're a member. If a clearing firm will report for an introducing firm, then the proper documentation needs to be filled out.
You must ensure the market you suggest to a customer is one you believe will be favorable for them. The following are factors considered when deciding if you've shown diligence in making this happen:
- The character of the market for the security
- The quotation's accessibility
- The size and type of transaction
- The terms and conditions of the order
- The number of markets checked
Here are some other rules involving best execution under the FINRA:
- Interjecting a third party between the customer and the best market for them is prohibited
- You must show justified circumstances if you can't directly interact with a market and use another means to do so
- If you channel an order in a way that violates a best execution rule and a third party is involved, this third party would also be in violation of the rule
- You may not execute a transaction away from the best market for a customer because you do not have the manpower to complete it within your office
Deferred variable annuities
Hybrid investments involving insurance features and securities are called deferred variable annuities. The SEC and FINRA oversee sales of these investments. Annuities represent choices investors have for contract options and features.
It's advisable to make an effort to find out a customer's age, investment experience, investment objectives, risk tolerance, existing assets, investment time horizon, and annual income before recommending the exchange or purchase of a deferred variable annuity.
You need to have a reason to believe your customer will benefit from different features of deferred variable annuities, such as a death or living benefit, annuitization, or tax-deferral.
Annuities tend to be complex, so they are a significant source of investor complaints to FINRA. FINRA has two rules to deal with deferred variable annuities.
FINRA compliance made simple
Why does FINRA exist? It protects sellers and buyers through an extensive catalog of regulations and rules. It encourages member firms to secure their financial data and execute transparent transactions.
Understanding FINRA in its entirety can be a challenge. However, when you work with companies that provide cybersecurity solutions, it becomes much easier. Here at Box, we offer the Content Cloud — a cloud content management platform you can use to track all your content while staying compliant with FINRA. Why not take advantage of our expertise in such matters and simultaneously keep all your content all in one secure place?
Box security and compliance solutions
Box has many solutions to optimize your business's workflow and security. Below are our four products that help you keep your data secure, accessible, and compliant with different organizational regulations.
Complete the following tasks with Box Shield:
- Classify data automatically and manually
- Identify regulated data, whether it's active, downloaded, edited, shared, previewed, or uploaded
- Prevent leaks
- Quickly configure access policies
- Quickly configure personal identifiable information (PII) classification
- Safely collaborate
- Utilize frictionless controls
- Minimize content-centric risks
- Contain malware spread
- Scan content while it's being edited, uploaded, shared, and previewed
- Respond to quick alerts concerning breached accounts and logins from problematic locations
With Box Governance, you can access your data and keep it secure at any point in its lifecycle. Do the following with ease:
- Create flexible retention schedules
- Preserve data for defensible discovery
- Perform disposition management.
- Comply with CCPA, GDPR, HIPAA, and FINRA
- Avoid friction with flexibility concerning retention schedules
- Avoid enterprise risk
- Remove unnecessary data
- Use advanced trash controls
- Easily restore content
- Avoid legal risk
- Prevent litigation
- Utilize legal holds
Box Zones allows you to secure your data by storing your encrypted-at-rest content. You can do this in places such as:
Whether you have regional or country-specific privacy issues, storing your files in-region with Box Zones can solve them. The ease you'll have in safeguarding your data with Box Zones will save you time and allow you peace of mind. You'll also be able to grow your company beyond the bounds of your location.
Your sensitive material stays safe in the Content Cloud with Box Trust — our comprehensive network of technology partners bringing you best-in-class security and compliance. No matter the industry-specific regulation, from FINRA and Export Control, to GxP and GDPR, Box has you covered with a security plan that’s right for your business.
Learn more about what Box has to offer
See what Box has to offer
Content is essential to your business, which is why we want to help you put it to work. No matter what industry you work in, files like sales contracts, marketing assets, videos, and product specs are probably all a part of your workday. When you use Box, you can keep all your content in one easy-to-use and secure cloud. Real work gets done in the Content Cloud, where you can co-edit, share, create, classify, and retain data, and enable legal e-signatures for all your content.
Powerful security, faster business
We help stop data leaks with frictionless controls, such as dynamic, multi-layered watermarking and two-factor authentication (2FA). When you use Box KeySafe, you have the availability to manage your own encryption keys. With Box Shield, you can reduce the risk of a data breach with intelligent threat detection and classification-based policies.
Governance made easy
Make your process for managing your content lifecycle simpler with the powerful information governance Box enables, which can help you set modifiable policies capable of preserving, retaining, and disposing of your content.
All the compliance you need
Box covers many compliance bases, including FINRA, Export Control, GxP, international privacy standards, and data residency requirements.
Benefits of using the Content Cloud
You'll have access to the following benefits when you work with Box:
- Your field staff will be able to work anytime, anywhere, and on any device
- You'll experience faster client onboarding with to workflow automation
- You can efficiently manage your content to ensure it's compliant with various regulations
**While we maintain our steadfast commitment to offering products and services with best-in-class privacy, security, and compliance, the information provided in this blogpost is not intended to constitute legal advice. We strongly encourage prospective and current customers to perform their own due diligence when assessing compliance with applicable laws.