FINRA focusing on Direct Market Access in 2024 — Are you?

At the start of this year, FINRA released its 2024 FINRA Annual Regulatory Oversight Report. As with previous oversight reports, broker-dealers can use the 2024 report to glean useful insights into FINRA’s prior examination findings of member firms and the regulator’s priorities for the months ahead.

Notably, the 2024 report addressed an important compliance topic that is often overlooked by firms: Direct Market Access (Exchange Act 17 CFR § 240.15c3-5). If your firm has or provides market access to other institutions, there are risk considerations, and your compliance program should be assessed to mitigate against such risks.

Direct Market Access requirements

Direct Market Access (DMA) generally includes access to trading securities on an exchange or alternative trading system (ATS) as a member/subscriber (with a few exemptions and caveats). This includes equities, equity options, ETFs, debt securities, security-based swaps, security futures products, and crypto assets that meet the Exchange Act’s definition of a security.

Rule 15c3-5 (aka “Market Access Rule”) requires that firms that have market access or provide market access to customers appropriately control the associated risks “so as not to jeopardize their own financial condition, that of other market participants, the integrity of trading on the securities market, and stability of the financial system.”

Direct Market Access obligations set forth several requirements for broker-dealers with market access. These obligations fall into one of three categories:

1. Financial Risk Management Controls;
2. Regulatory Risk Management Controls; and
3. Compliance Procedures (including testing and CEO certification obligations).

A one-size-fits-all approach to risk controls may be scrutinized, as evidenced by FINRA’s many enforcement actions on the topic. Your objective should be to have “reasonably” designed risk-management controls and tailored procedures to manage and supervise the DMA obligations: financial, regulatory, and other compliance risks. While there is no specific guidance on what is considered “appropriate thresholds,” pre-set thresholds/controls are determined based on an “exercise of reasonable business judgment” by the broker-dealers.

Accordingly, when asked, firms should be prepared to show:

1. Why a particular control was set at such limit;
2. How that set limit may mitigate financial/regulatory exposure; and
3. The monitoring process for the appropriateness of such controls.

Pre-trade controls, whether financial or regulatory, are essential to a firm’s compliance with Rule 15c3-5. As such, broker-dealers should memorialize and document the rationales for their control parameters.

2024 FINRA annual report – Findings

The 2024 FINRA Annual Regulatory Oversight Report highlights many findings related to Direct Market Access that broker-dealers should pay attention to.

Financial risk management findings include:

• Insufficient controls: This may include not establishing pre-trade order limits and pre-set capital thresholds; setting pre-trade controls at “unreasonable thresholds”; not demonstrating the reasonability of assigned controls; and not establishing adequate policies and procedures to govern changes to thresholds.
• Failure to consider additional data: This may include failing to consider your firm’s business model when setting pre-trade limits, historical and available liquidity, etc.
• Impermissible exclusions: Excluding certain orders from pre-trade erroneous controls based on order types.

Regulatory and compliance risk management findings include:

• Reliance on vendors: Relying mainly on third-party tools, including those of an ATS or exchange, to apply controls without performing adequate due diligence, and not maintaining direct and exclusive control over parameters/threshold set by the ATS.
• Failure to document annual review of effectiveness: Failing to document the effectiveness of its risk management controls and review process, including failure to memorialize the reasonableness of the firm’s DMA controls.

2024 FINRA annual report – Effective practices

The 2024 FINRA report also discusses many effective practices that broker-dealers may want to adopt at their firms. The following are a few points to keep in mind.

As previously mentioned, pre-trade controls are essential to a broker-dealer’s compliance with its Rule 15c3-5 obligations. Accordingly, the implementation of pre-trade “hard” and “soft” blocks to prevent a potential threshold breach is crucial and arguably among the most effective controls for broker-dealers. If a threshold is reached, firms may evaluate whether it is appropriate to increase according to supervisory procedures. Again, such controls should be tailored and reasonable based on firms’ business models, products, services, and/or situations.

In addition to robust pre-trade controls, post-trade controls and surveillance should be implemented. Most broker-dealers utilize multiple systems and platforms for direct market access. Such systems’ records and data should be aggregated and integrated in a timely manner to provide for a holistic post-trade supervisory review.

Importantly, broker-dealers should test their market access controls annually. By reviewing their supervisory controls and procedures regarding DMA to prepare for the annual CEO certification attesting to the firm’s controls, the firm could effectively identify any inadequate controls/parameters and take corrective measures. Documenting reviews, memorializing rationalization, and retaining information used in determining why certain controls and parameters were set will provide justification for the “reasonableness” of such decisions.

Direct Market Access obligations can seem challenging, but being proactive about compliance will go a long way in mitigating associated risks. Kaufman Rossin has extensive FINRA and SEC compliance expertise and can assist broker-dealers with meeting their DMA obligations. Contact me or another Risk Advisory Services team member to learn how we can help your firm with this and other regulatory requirements.