March 4, 2024

Enforcement and Evolution: 2024’s Regulatory Landscape and the Shift to T+1

The Future of Finance: Insights from SEC and FINRA’s 2023 Enforcement Actions

Introduction

The Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) have long stood as the twin pillars of financial market regulation in the United States, ensuring that the complex and ever-evolving securities industry operates with integrity, transparency, and in the best interest of investors. As we dissect the enforcement actions and priorities revealed by both bodies for fiscal year 2023, it becomes evident that the landscape of compliance is not only vast but also intricately detailed, requiring a nuanced understanding of both the letter and the spirit of the law. This deep dive aims to unravel the patterns, highlight the emerging threats, and forecast the compliance focus areas for the near future, particularly in light of the imminent shift to a T+1 settlement cycle.

SEC’s 2023 Enforcement Actions: A Closer Look

In fiscal year 2023, the SEC filed 784 enforcement actions, marking a modest increase from the previous year, and obtained orders for nearly $5 billion in financial remedies. This effort underscores a robust approach to tackling a wide array of violations across the securities industry, from traditional billion-dollar frauds to emerging threats involving crypto assets and cybersecurity.

Key Patterns and Focus Areas

Record-Setting Whistleblower Awards and Tips

The SEC’s Whistleblower Program hit a new stride in 2023, awarding nearly $600 million to whistleblowers, including a record-breaking $279 million to a single whistleblower. This surge in whistleblower tips, which saw a 50% increase from the previous year, is a clear indicator of the SEC’s reliance on insider information to identify and prosecute violations. It underscores the critical role that whistleblowers play in the regulatory ecosystem, acting as the eyes and ears on the ground.

Crypto Assets and Cybersecurity

The SEC’s enforcement actions against crypto asset securities represent a concerted effort to address the burgeoning risks and regulatory challenges posed by this relatively new asset class. From billion-dollar fraud schemes to unregistered offerings and exchanges, the SEC’s aggressive posture reflects its intent to bring the crypto market within the fold of traditional securities regulation, ensuring investor protection and market integrity.

Gatekeepers Under the Microscope

Gatekeepers, including auditors, accountants, and brokers, faced significant scrutiny, with numerous actions aimed at ensuring they uphold their responsibilities. This focus highlights the SEC’s strategy to leverage the critical role gatekeepers play in preventing misconduct and ensuring accurate reporting and compliance across the board.

FINRA’s 2023 Enforcement Landscape

FINRA’s enforcement actions in 2023 continued to emphasize the importance of supervisory systems, recordkeeping, and the integrity of market operations. Notably, the actions spanned a range of issues, from ensuring the integrity of electronic communications to addressing the adequacy of anti-money laundering programs.

Compliance and Supervisory Failures

A recurrent theme in FINRA’s enforcement actions is the failure of firms to establish and enforce adequate supervisory and compliance systems. This includes ensuring compliance with existing regulations, proper recordkeeping, and overseeing the activities of their representatives and clients.

In the complex and fast-paced world of financial markets, the role of compliance and supervision cannot be overstated. Both serve as the foundation upon which the integrity and trust of the financial system are built. As highlighted by the Financial Industry Regulatory Authority (FINRA) in its 2023 enforcement actions, there’s a critical need for firms to bolster their compliance and supervisory mechanisms. This segment explores the ramifications of compliance and supervisory failures, using insights from recent enforcement actions as a guide to understanding the landscape and pointing towards a path for firms to ensure robust compliance and supervision.

The Crux of the Matter

At the heart of many of FINRA’s enforcement actions in 2023 were failures in compliance and supervisory systems within firms. These shortcomings ranged from inadequate oversight of electronic communications to lapses in implementing effective anti-money laundering (AML) programs. Such deficiencies not only expose firms to regulatory penalties but also erode investor trust and can lead to significant financial and reputational damage.

Understanding the Failures

    1. Inadequate Oversight of Electronic Communications: With the digitalization of financial services, the management of electronic communications has become a focal point for compliance. Firms were found lacking in monitoring emails, social media interactions, and other digital communications effectively. This oversight is crucial not only for preventing the leakage of sensitive information but also for ensuring that communications with clients are compliant with regulatory standards.
    2. Lapses in Anti-Money Laundering Programs: AML programs are essential for detecting and preventing financial crimes. Failures in this area highlighted by FINRA include inadequate customer due diligence, failure to report suspicious activities, and not having a comprehensive AML compliance program in place. Such lapses not only contravene regulations but also expose firms and the wider financial system to exploitation by malicious actors.
    3. Deficient Risk Management Practices: Several enforcement actions underscored firms’ failures to implement risk management practices that align with their business model’s complexity and scale. This includes not having adequate controls to manage trading risks, credit risks, and operational risks effectively.
    4. Failure to Supervise: A recurring theme in FINRA’s enforcement actions was the failure of firms to supervise their representatives adequately. This includes not monitoring trading activities closely, failing to ensure that representatives are adequately trained and understand the products they are dealing with, and not having mechanisms in place to prevent unauthorized trading.

Pathways to Compliance

    1. Enhancing Technological Infrastructure: Leveraging technology to automate and streamline compliance processes can significantly reduce the risk of oversight. Tools that enable real-time monitoring of communications, automated alerts for suspicious activities, and comprehensive risk management solutions are essential investments for firms.
    2. Building a Culture of Compliance: Beyond technology and systems, fostering a culture of compliance within the organization is critical. This includes regular training for employees, clear communication of policies and expectations, and a top-down emphasis on the importance of compliance and ethical behavior.
    3. Regular Audits and Assessments: Conducting regular audits and assessments of compliance and supervisory systems can help identify potential weaknesses before they become problematic. These assessments should be thorough and cover all aspects of the firm’s operations, from trading practices to client communications and financial reporting.
    4. Engagement with Regulatory Developments: Staying abreast of regulatory changes and understanding their implications for the firm’s operations is crucial. This proactive approach to compliance can help firms adapt their policies and procedures in time to meet new regulatory requirements.

The Evolving Threat of Cybersecurity

Like the SEC, FINRA has placed a significant emphasis on cybersecurity, reflecting a broader industry trend towards digitalization and the associated risks. This includes ensuring that firms have adequate policies and procedures to protect sensitive customer information and to respond to cybersecurity threats effectively.

In recent years, the financial industry has witnessed an unprecedented increase in cybersecurity threats, ranging from data breaches and ransomware attacks to sophisticated phishing schemes. These incidents not only compromise sensitive client information but also pose systemic risks to the integrity of global financial markets. Reflecting this heightened risk landscape, both the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) have intensified their focus on cybersecurity compliance, leading to an uptick in fines and disciplinary actions against firms failing to safeguard against these evolving threats.

Cybersecurity in the Regulatory Spotlight

The SEC and FINRA have made it abundantly clear that cybersecurity is not merely an IT issue but a cornerstone of a firm’s overall compliance and governance framework. This paradigm shift is evident in the enforcement actions and fines levied in 2023, which underscore the regulators’ expectation that firms adopt robust, proactive measures to address cybersecurity risks.

  1. Enhanced Regulatory Expectations: The regulatory bodies have outlined specific cybersecurity expectations, including the implementation of comprehensive risk assessments, the establishment of effective governance structures, and the deployment of adequate incident response and recovery plans. These expectations have been reinforced through guidance, risk alerts, and, increasingly, through enforcement actions against firms demonstrating lapses in their cybersecurity defenses.
  2. Notable Enforcement Actions and Fines: In 2023, several high-profile enforcement actions highlighted the consequences of cybersecurity failures. For instance, cases involving inadequate protection of customer information, failure to disclose cybersecurity breaches in a timely manner, and insufficient controls to prevent unauthorized access to sensitive data led to significant fines. These actions signal regulators’ willingness to impose stiff penalties for non-compliance, underscoring the importance of cybersecurity in the broader regulatory compliance agenda.
  3. Cybersecurity as a Component of Overall Compliance: Beyond specific cybersecurity practices, enforcement actions have also emphasized the integration of cybersecurity considerations into the overall compliance framework. This includes the need for ongoing employee training, the integration of cybersecurity risk into the firm’s risk management processes, and the importance of board and senior management oversight in cybersecurity matters.

The Impact of Cybersecurity on Fines and Disciplinary Actions

The impact of cybersecurity on regulatory fines and disciplinary actions is multifaceted, reflecting the complexity and evolving nature of cyber threats. Several key themes have emerged:

    1. Quantum of Fines: The quantum of fines related to cybersecurity lapses has seen a noticeable increase, reflecting the severity with which regulators view these infractions. This trend is expected to continue as the financial and reputational implications of cyber incidents become more pronounced.
    2. Basis for Disciplinary Actions: Disciplinary actions have been based on a variety of failures, including the lack of comprehensive cybersecurity policies, failure to implement recommended security measures, and inadequate response mechanisms to detected breaches. These actions highlight the comprehensive approach regulators are taking towards cybersecurity, examining every facet of a firm’s cybersecurity posture.
    3. Focus on Preventative Measures: A significant portion of the fines and disciplinary actions has been directed towards firms’ failures to implement preventative measures. This includes deficiencies in encryption, firewall configurations, and the monitoring of systems for unauthorized access. The emphasis on prevention underscores the expectation that firms take a proactive stance in safeguarding against cyber threats.
    4. Cybersecurity Disclosures: Regulators have also focused on firms’ obligations to disclose cybersecurity risks and incidents to investors. Enforcement actions have targeted firms that either failed to disclose such incidents in a timely manner or downplayed the severity of breaches, misleading investors and the market at large.

One Notable Example of a Cybersecurity-Related Fine

In June 2021, the Financial Industry Regulatory Authority (FINRA) announced that Morgan Stanley Smith Barney LLC (MSSB) had agreed to pay a $35 million fine to settle charges related to its failure to safeguard the personal identifying information (PII) of approximately 15 million customers. The charges stemmed from MSSB’s inadequate disposal of hardware containing unencrypted customer data during device decommissioning and replacement operations between 2015 and 2019. Specifically, the firm was accused of failing to properly oversee the decommissioning of data centers used for its wealth management business, leading to the unencrypted devices being resold on auction websites and, in some cases, ending up in unauthorized hands.

This case highlights the critical importance of robust cybersecurity measures and the need for financial institutions to ensure that all aspects of data handling, including the disposal of electronic devices, are conducted securely and in compliance with regulatory standards. The significant fine imposed on MSSB underscores regulatory bodies’ increased focus on protecting sensitive customer information and ensuring that firms adhere to strict cybersecurity practices to prevent data breaches and unauthorized access to client information.

Moving Forward: Strengthening Cybersecurity Compliance

The evolving threat of cybersecurity necessitates a dynamic and forward-looking approach to compliance. Firms are encouraged to adopt a culture of cybersecurity resilience, emphasizing not just technical defenses but also governance, employee training, and incident response readiness. Engaging in regular audits, staying abreast of the latest cyber threats, and fostering a collaborative relationship with regulators are key steps in mitigating the risk of fines and disciplinary actions related to cybersecurity.

The Impending T+1 Settlement Cycle: Implications for Compliance

The transition to a T+1 settlement cycle, set to occur within the next 84 days for the US and 83 days for Canada, represents a significant operational shift for the securities industry. This change aims to reduce credit and market risks, enhance operational efficiencies, and align the U.S. markets with other global markets that have already moved to shorter settlement cycles.

Historical Context and Regulatory Precedent

Historically, regulatory bodies like the SEC and FINRA have not hesitated to impose fines and disciplinary actions for failures in systems and controls that compromise market integrity, investor protection, or fair trading practices. With the implementation of T+1, these regulatory entities are likely to closely monitor firms’ adaptation to the new settlement cycle, focusing on areas such as risk management, operational resilience, and compliance with settlement and clearing obligations.

Potential Areas of Regulatory Focus

    1. Operational Readiness and System Failures: Firms must ensure their systems are robust enough to handle the increased speed of settlement under T+1. Failures that lead to delays or inaccuracies in trade settlement could attract regulatory scrutiny and potential fines, as these would directly contravene the objectives of the T+1 initiative.
    2. Risk Management Practices: The shorter settlement cycle will necessitate tighter risk management controls to manage the accelerated flow of funds and securities. Firms that fail to adjust their risk management frameworks to account for the reduced window for identifying and addressing settlement risks might face disciplinary actions for inadequate risk controls.
    3. Disclosure and Communication to Clients: Regulators will expect firms to effectively communicate the implications of T+1 to their clients, ensuring investors are aware of the changes to trade settlement times and how these may affect their trading activities. Inadequate client communication may be viewed as a failure to uphold high standards of investor protection.
    4. Recordkeeping and Reporting: The shift to T+1 will also impact recordkeeping and reporting requirements. Firms will need to ensure that their systems are capable of accurately tracking and reporting transactions within the compressed timeline. Non-compliance in this area, given its importance to market transparency and regulatory oversight, could lead to significant penalties.

Anticipated Disciplinary Actions and Fines

Drawing on the regulatory focus areas outlined above, we can anticipate that firms may face fines and disciplinary actions if they:

    • Experience systemic failures that lead to delayed or inaccurate trade settlements, potentially undermining the efficiency gains intended by the shift to T+1.
    • Fail to demonstrate that they have adequately adjusted their risk management frameworks to address the unique challenges and risks presented by the faster settlement cycle.
    • Do not provide sufficient information and support to clients regarding the transition to T+1, leading to potential investor harm or confusion.
    • Exhibit lapses in recordkeeping and reporting, compromising the ability of regulators to maintain oversight of market activities and ensure compliance with securities laws.

Compliance Challenges and Opportunities

The shift to T+1 will require firms to streamline their operations, enhance their technological infrastructure, and revise their compliance and risk management frameworks to adapt to the faster settlement timeline. This includes ensuring accurate and timely trade reporting, enhancing liquidity management practices, and ensuring robust communication with clients regarding the implications of the shorter settlement cycle.

Looking Ahead: Compliance in a Rapidly Evolving Landscape

As we look to the future, it is clear that the SEC and FINRA will continue to adapt their enforcement strategies to address the evolving risks and challenges of the securities industry. The emphasis on whistleblower programs, crypto asset regulation, cybersecurity, and the integrity of gatekeepers signals a comprehensive approach to ensuring market integrity and investor protection.

The Road Ahead

The transition to T+1 presents both challenges and opportunities for market participants. Firms must proactively engage with the changing regulatory landscape, leveraging technology and innovation to meet compliance requirements efficiently and effectively. Additionally, the continued growth and integration of digital assets into the financial ecosystem will likely remain a focal point for regulatory bodies, necessitating a forward-looking approach to regulation and compliance.

Final Thoughts

The enforcement actions and priorities outlined by the SEC and FINRA in 2023 serve as a roadmap for firms navigating the complex regulatory environment of the securities industry. By understanding these patterns and preparing for the changes ahead, firms can not only ensure compliance but also contribute to a more stable, transparent, and investor-friendly market. As the industry continues to evolve, the role of regulation in shaping the future of finance remains undiminished, with the ultimate goal of fostering trust, integrity, and innovation in the markets.


Loffa has been helping firms for over 20 years. The CEO has extensive experience working with Prime Broker agreements, DVP trade verification, SEC 17a-13(b)(3), and storing SEC 17a-4 letters for 20+ years. Our Operations team is extensively trained and can assist you in your workflow processes. Give us a call today: Tel: 480 405-9662