
Did your FINRA Audit prep change due to Covid-19?


As a broker-dealer, what changes are you seeing in light of COVID-19 and the economic slowdown? Do you need to rethink or re-justify your fintech spend due to cost considerations? Or are you making investments to automate systems that support the digital transformation of your books and records from physical to digital? A new Gartner survey reveals that despite cuts this year, CFOs are planning to invest in the next phase of technology growth in 2021 with a modest increase in IT spending of 0.8%. This increase supports technology investments enabling remote work, new ways to reach customers, and enhanced efficiency.

At Iron Mountain, we certainly see both camps: some broker-dealers who rely on our Designated Third Party (D3P) compliance service are delaying projects, and others are accelerating the pace of change by adopting technologies to support their organizations in the new normal. As a result of COVID-19, we have seen an increase in the use of our online access (vs. our onsite offering), as expected. Online access helps broker-dealers meet health and safety protocols without delaying their compliance requirements.

FINRA's Guidance during the Coronavirus Pandemic

FINRA is supplying guidance on COVID-19 related topics along with a Frequently Asked Questions page to guide member firms. At a high level, FINRA states that as coronavirus-related risks decrease, member firms should expect to return to meeting any regulatory obligations for which relief has been provided. When appropriate, FINRA will publish a Regulatory Notice announcing a termination date for the regulatory relief that will provide member firms with time to make necessary operational adjustments.

According to a recent update by Mayer Brown, "in statements made at SIFMA's Virtual Compliance and Legal Forum, FINRA Chief Executive Officer, Robert Cook, indicated that FINRA may be reconsidering aspects of its cycle examinations in light of the challenges presented by the COVID-19 pandemic."

"FINRA conducts between 1,500 and 2,000 risk-based cycle examinations annually to assess identified risks and controls and determine whether firms are in compliance with federal securities laws, rules, and regulations. These examinations typically have an on-site component to them …" the update continues. "Because of those limitations, the on-site component of FINRA examinations was halted early in 2020. Cook's comments indicate that, although examinations will still have to find a way to move forward, FINRA may be flexible in finding a mutually agreeable solution. Cook reportedly stated that FINRA will take a 'risk-based approach' and would 'decide on a case-by-case basis' whether examinations need to be in person. … Cook also noted that FINRA was working on a proposal with the SEC to allow firms to conduct remote inspections, if only for 2020 and 2021."

The SEC Expects Compliance, Despite Uncertain Times

Law firm K&L Gates weighs in stating, "While the SEC recognizes these are 'challenging times,' this rationale is unlikely to be an adequate response to the Division or OCIE inquiries. Despite the extraordinary pandemic, the SEC will still expect companies to maintain compliance and to provide thoughtful explanations for the actions they undertake during these 'uncertain times.' We expect that there will be no general defense of COVID-19 for conduct that the SEC views as violating the securities laws."

Their best practice guidance includes, "Protect Data Now: The reality of remote work has restricted the traditional ability to maintain and collect company data. From an uptick in the use of ephemeral messaging and personal devices for communication to the inability to image or take possession of employee devices, data maintenance and collection pose particular challenges. While the SEC will likely recognize these limitations now, they may not be as understanding months or years down the road when the necessary data is unavailable. Companies should be considering creative solutions to maintain data and should have policies in place."

Are You Prepared for your next FINRA Audit?

Whether your FINRA audit is delayed or conducted virtually, you still need to be prepared. Per the Mayer Brown update, FINRA CEO Robert Cook also noted that "If we keep extending the deadline, it is just gonna be a snowplow effect where there's more and more of a backlog for people to work through."

Our D3P team can walk you through strategies to be prepared for a FINRA audit in terms of compliance with the rules around the use of electronic storage media. They can explain how a contract with a D3P provider will ensure you are prepared with the following materials:

  • A System Configuration Plan (SCP): This comprehensive documentation explains the process required to access your firm's electronic records in case they are ever needed by regulatory organizations.
  • Two status reviews each year to reflect any changes in your IT infrastructure
  • An annual test — and test report — completed by Iron Mountain to demonstrate compliance
  • All the necessary documents for you to file with the Securities and Exchange Commission, self-regulatory organizations, and the Commodity Futures Trading Commission via the Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system.

With this detailed information in hand, you'll be ready to face your audit with confidence instead of dread, even if you are working from home.


NCC Group Software Resilience has acquired Iron Mountain’s Intellectual Property Management (IPM) business. For more information on the acquisition, please visit our dedicated information hub, or contact Iron Mountain IPM.
