The Financial Industry Regulatory Authority has released its annual “Regulatory and Examination Priorities Letter,” a rundown of areas it plans to review in 2017 exams.
A common thread running throughout the letter is a focus on core “blocking and tackling” issues of compliance, supervision, and risk management, FINRA President and CEO Robert Cook wrote in an introduction. Starting this year, FINRA will publish a summary report that outlines key findings from examinations in selected areas. The report will alert firms to what FINRA is seeing from a national perspective and serve as an additional tool firms can use to strengthen the control environment for their business.
In 2017, FINRA will continue to assess firms’ programs to mitigate cyber-security risks.
“FINRA recognizes there is no one-size-fits-all approach to cyber-security, and we will tailor our assessment of cyber-security programs to each firm based on a variety of factors, including its business model, size and risk profile,” the letter says.
Among the areas FINRA may review are firms’ methods for preventing data loss, including how well they understand their data (its degree of sensitivity and the locations where it is stored) and how it flows through the firm and, possibly, to vendors. Examinations may assess the controls firms use to monitor and protect this data, for example data loss prevention tools.
In some instances, FINRA will review how firms manage their vendor relationships and the controls they use to do so. Those controls should be informed by a clear understanding of any customer or employee personally identifiable information, or sensitive firm information, to which vendors have access. Controls to protect sensitive information from insider threats will also be considered.
The letter notes that cyber-security controls at branch offices, particularly independent contractor branch offices, tend to be weaker than those at firms’ home offices. Reviews have observed poor controls related to the use of passwords, encryption of data, use of portable storage devices, implementation of patches and virus protection, and the physical security of assets and data.