The Financial Industry Regulatory Authority (FINRA) is an independent, non-governmental organization responsible for creating and enforcing regulations governing the securities industry.
FINRA’s mission is to:
- Promote transparency and foster accountability in the financial services marketplace
- Ensure firms uphold high ethical standards in conducting their business
- Protect investors from firm and associated person misconduct
Understanding FINRA’s Compliance Requirements
At the highest level, FINRA technical requirements focus on several key objectives, which the smplsolutions Technical Support team can help you achieve:
- Implement a comprehensive risk management framework
- Implement appropriate controls designed to protect personally identifiable customer information (PII)
- Deploy both technical and administrative controls that address a firm’s supervisory requirements
These key objectives are enumerated in various FINRA rules and guidelines, including:
- FINRA Regulatory Notice 21-31: Develop and maintain a robust cybersecurity program
- Regulation S-ID: Establish an Identity Theft Prevention Program
- FINRA Rule 3110: Standards for supervisory practices, documentation, branch office supervision, and human resource needs
- FINRA Rule 4530(b): Requirements for reporting financial irregularities and violations, including security self-assessments
- 17 CFR §248.201-202: Policies and procedures for protecting customer information from cyberattacks
- 17 CFR §248.1-100: Clarification of a firm’s responsibility in detecting and preventing identity theft
FINRA Requires Stringent Control Over Data Archiving
Data archiving is a crucial aspect of FINRA regulation. It is based upon the underlying SEC Rules 17a-3 and 17a-4 and FINRA Rule 4511, which outline a firm’s requirements for archiving communications, including email, text messages, chat applications (such as Teams, Slack and WhatsApp), and more.
These specific rules include:
- Archiving records within systems, or on media, that support a non-erasable, non-rewritable format
- Requirements for retention period length, record format, record quality, and ensuring record availability
- Requirements that most records remain accessible for a period of six years or more (see the Books and Records Requirements Checklist)
The Financial Industry Regulatory Authority (FINRA) also provides small to mid-sized firms with cybersecurity guidelines designed to foster the protection of customer PII. These key control areas cover identifying and assessing threats, protecting data, detecting compromises, planning and implementing responses, and recovering lost or stolen data.
Here is a brief summary of FINRA’s 12-section, small-firm cybersecurity checklist:
- Identify and Assess Risks: Inventory – Understand the types and locations of sensitive data, and assign risk severity levels.
- Identify and Assess Risks: Minimize Use – Limit access to PII using tools like Office 365 Sensitivity Labels.
- Identify and Assess Risks: Third Party – Ensure proper safeguards are in place when sharing sensitive data with third parties.
- Protect: Information Assets – Implement protective measures such as password security, antivirus/anti-malware, and advanced threat protection firewalls.
- Protect: System Assets – Review security settings in applications like CRM or cloud storage systems, and enable features like multi-factor authentication.
- Protect: Encryption – Ensure data is encrypted when shared internally or externally, including on devices and backup media or cloud platforms.
- Protect: Employee Devices – Secure employee devices with passcodes, access tracking mechanisms, and mobile device management applications like Microsoft Intune.
- Protect: Controls and Staff Training – Implement access controls and provide employee cybersecurity and compliance awareness training.
- Detect: Penetration Testing – Conduct regular third-party penetration tests to identify system vulnerabilities.
- Detect: Intrusion – Use intrusion detection applications, such as next-gen firewalls, to identify and stop attacks.
- Response Plan – Develop a cybersecurity response plan and incident response team to mitigate damage after a data breach or ransomware infection.
- Recovery – Implement reliable cloud-based backup and recovery solutions for business continuity and data recovery.
The High Cost of FINRA Non-Compliance
FINRA compliance should not be taken lightly by securities firms, as violations often lead to severe penalties, including fines or sanctions that can cause irreparable harm to a small or mid-sized firm. FINRA regulators anticipate that the number of fines and sanctions will likely rise as the regulator adopts new technologies, such as artificial intelligence (AI), to detect compliance issues more efficiently during its audit engagements.
How Can Firms Simplify Their FINRA Compliance Journey?
Achieving FINRA compliance can be a challenge for many small to mid-sized brokerage firms, as the regulations require implementation of a complex set of administrative, physical and technical controls to support a clear path to compliance.
For over 25 years, smplsolutions’ engineering and consultative experts have provided strategic and technical guidance to our FINRA-regulated clients in the areas of assessment and remediation of their IT and cybersecurity risks. Our “best-of-breed” IT and cybersecurity services are also designed to meet or exceed FINRA’s compliance requirements.
Find out how smplsolutions can assist your organization in addressing its FINRA requirements by requesting a no-obligation consultation with one of our senior regulatory IT and cyber risk experts.
Written by Eric Gaffin – Linkedin
FINRA® is a registered trademark of the Financial Industry Regulatory Authority, Inc. smplsolutions is not affiliated, sponsored or endorsed by FINRA.