The recently issued 2021 Report on FINRA’s Examination and Risk Monitoring Program (the “Report”) replaces, and combines, two previously published FINRA reports – The Report on Examination Findings and Observations as well as the Risk Monitoring and Examination Program Priorities Letter. The Report addresses key regulatory topics in four categories: (1) Firm Operations; (2) Communications and Sales Practices; (3) Market Integrity; and (4) Financial Management. In particular, FINRA identified the following issues that impact many member firms.

Regulation Best Interest (Reg BI) and Form CRS

FINRA noted that in 2021 it intends to expand the scope of its review and testing in this area to engage in a more comprehensive review of firm processes, practices and conduct. FINRA provided a list of considerations its staff will use when examining a firm for compliance with Reg BI and Form CRS, and firms should make sure they have addressed those considerations and FINRA’s prior guidance in this area. FINRA also noted that it was in the “early stages” of review for compliance with these new obligations and thus the Report does not contain exam findings or effective practices related to Reg BI and Form CRS. FINRA anticipates issuing a separate report after more examinations have been conducted. Firms should monitor FINRA’s further guidance on this issue.


Cybersecurity

For years, FINRA has focused on cybersecurity due to firms’ increasing reliance on technology. In the Report, FINRA noted that it has observed an increase in cybersecurity or technology incidents at firms, including data breaches. Further, as COVID-19 has triggered an increase in remote work and virtual client interactions, FINRA is encouraging firms to review its prior guidance on cybersecurity as well as the considerations, observations and effective practices outlined in the Report. FINRA also noted that it remains concerned about increased risks for firms that do not implement practices for addressing phishing emails or requiring multi-factor authentication for accessing non-public information. Accordingly, firms should review their cybersecurity program against FINRA’s guidance to ensure that they have adopted best practices and engaged in sufficient testing of their cybersecurity program.

Communications with the Public

FINRA noted that it is “increasingly focused” on communications about new products and how firms address risks relating to new digital communication channels. In particular, FINRA noted that it is focused on the risks associated with app-based platforms with interactive or “game-like” features that are intended to influence customers. As more millennials become customers, firms may look to such apps to attract customers, and firms should be mindful of FINRA’s guidance in this area. FINRA also stated that it will maintain its traditional focus on communications regarding complex products and communications with seniors and vulnerable investors.

Variable Annuities

FINRA noted that in 2020 it had engaged in an informal review of firms’ procedures for buyouts of variable annuities and disclosures to customers after an insurer with significant variable annuities exited the market. That review found that firms did not have sufficient supervision around buyouts, did not have sufficient supervision over exchanges of annuities, had an inadequate review of source of funds for new annuities and did not provide sufficient training to their registered representatives on the sale of annuities. Firms should consider the findings of this review as well as the other issues raised in the Report in connection with their sale of variable annuities.

The Report also highlighted best execution and consolidated audit trail as areas of focus.

In addition to these areas of specific concern, the Report also outlines examination priorities regarding several other issues, including anti-money laundering, outside business activities, books and records, regulatory events reporting, fixed income mark-up disclosure, private placements, large trader reporting, market access, vendor display rule, net capital, liquidity management, credit risk management and segregation of assets.