FINRA Compliance Compromised Not by Inadequate Policies, but by Lack of Automated Supervisory Metrics

Learn how automation can facilitate regulatory compliance and risk management

Senthil Rajamanickam, January 10, 2017


A few weeks ago, the Financial Industry Regulatory Authority (FINRA) announced that it had fined Merrill Lynch, Pierce, Fenner & Smith Inc. $6.25 million, as well as approximately $780,000 in restitution, for inadequately supervising its customers’ use of leverage in their Merrill brokerage accounts.

Merrill “loan management accounts” (LMAs) are lines of credit that allow the firm’s customers to borrow money from an affiliated bank using the securities held in their brokerage accounts as collateral. According to a recent press release, FINRA found that from January 2010 through November 2014, Merrill lacked adequate supervisory systems and procedures regarding its customers’ use of proceeds from these LMAs. More specifically, FINRA found that although both Merrill policy and the terms of the non-purpose LMA agreements prohibited customers from using LMA proceeds to buy many types of securities, the firm’s supervisory systems and procedures were not reasonably designed to detect or prevent such use. FINRA further found that during the relevant period, on thousands of occasions, Merrill brokerage accounts collectively bought hundreds of millions of dollars of securities within 14 days after receiving incoming transfers of LMA proceeds.

The compliance failure described above could occur at many corporate organizations. While we might take pride in setting up corporate compliance teams that follow best-in-class corporate policies to prevent such situations, the truth is that regulatory sanctions are growing year over year. Just take a look at this list of recent FINRA fines for supervisory failures alone.

Organization | Fines | Reason
Oppenheimer & Co | $1.85 Million | Reporting violations; failing to comply with discovery obligation
Merrill Lynch | $2.8 Million | Systemic reporting, books and records, and related supervisory violations
Ameriprise Financial Services, Inc | $850K | Failing to supervise the transmittal of funds from customer brokerage accounts
Deutsche Bank Securities Inc | $12.5 Million | Inadequate supervision of internal communication


As demonstrated above, these leading banks were all fined for one common reason: supervisory violations. The thing is, these banks all had policies covering this type of wrongdoing, as well as internal auditors and external audit firms auditing their practices. What’s in question is the level of policy enforcement. Did they measure and provide evidence of such enforcement? Did executives get the enforcement metrics in time to prevent such misuse or abuse? Were there any actionable insights, lessons learned and/or preventive processes put in place to stop such incidents from recurring?

Information Governance

While policies existed, the missing element was information governance teams crafting automated supervisory metrics which provide early warning indicators to compliance teams and internal audit teams when policies are out of variance. In today’s data-driven world, monitoring the information flow with the capability to trace it back to its origination is pivotal to promptly detect policy violations before they grow into compliance risks. Information architects and/or data stewards are the right people to easily translate corporate compliance policy or auditable check gates. In addition, they are the ones who can create actionable information governance metrics to help understand policy adherence, which ultimately leads to a more actionable, metric-driven, information-trusted environment.
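The 14-day pattern FINRA cited (securities purchases shortly after incoming LMA transfers) can be expressed as an automated supervisory metric. The following is an added example, not from the original article or any firm's system; the ledger layout, event names and sample rows are constructed, and treating every securities purchase (including same-day ones) as in scope is a simplifying assumption.

```python
from collections import defaultdict
from datetime import date, timedelta

WINDOW = timedelta(days=14)  # window cited in FINRA's finding

# Constructed sample ledger; the field layout is an assumption for this example.
# (account, date, event type, amount in USD)
LEDGER = [
    ("A-100", date(2014, 3, 3), "LMA_TRANSFER_IN", 250_000),
    ("A-100", date(2014, 3, 10), "SECURITY_BUY", 180_000),
    ("A-100", date(2014, 5, 1), "SECURITY_BUY", 40_000),
    ("B-200", date(2014, 3, 4), "LMA_TRANSFER_IN", 90_000),
    ("B-200", date(2014, 3, 18), "SECURITY_BUY", 60_000),  # day 14: inside window
    ("B-200", date(2014, 3, 19), "SECURITY_BUY", 10_000),  # day 15: outside window
    ("C-300", date(2014, 3, 5), "SECURITY_BUY", 75_000),   # buy precedes transfer
    ("C-300", date(2014, 3, 6), "LMA_TRANSFER_IN", 75_000),
]

def flag_purchases(ledger, window=WINDOW):
    """Return buys made within `window` after an LMA transfer into the same account."""
    transfers = defaultdict(list)
    for acct, day, kind, amount in ledger:
        if kind == "LMA_TRANSFER_IN":
            transfers[acct].append(day)
    flagged = []
    for acct, day, kind, amount in ledger:
        if kind != "SECURITY_BUY":
            continue
        # Most recent transfer on or before the buy date, if any.
        prior = [t for t in transfers[acct] if t <= day]
        if prior and day - max(prior) <= window:
            flagged.append({"account": acct, "buy_date": day, "amount": amount,
                            "days_after_transfer": (day - max(prior)).days})
    return flagged

def supervisory_metrics(ledger, window=WINDOW):
    """Aggregate flags into the counts a compliance dashboard would track."""
    flagged = flag_purchases(ledger, window)
    buys = [r for r in ledger if r[2] == "SECURITY_BUY"]
    return {
        "flagged_buys": len(flagged),
        "flagged_amount": sum(f["amount"] for f in flagged),
        "accounts_flagged": sorted({f["account"] for f in flagged}),
        "flag_rate": len(flagged) / len(buys) if buys else 0.0,
    }

if __name__ == "__main__":
    print(supervisory_metrics(LEDGER))
```

Tracking `flag_rate` per period gives compliance and audit teams a trend line to alert on, rather than a one-off list of exceptions.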

Take, for example, age-based marketing, which needs to follow and enforce corporate compliance across all digital marketing initiatives. With the need to meet multiple regulations, compliance becomes unmanageable because underage marketing of products can violate regulations like COPPA, GLBA, and FCRA. Each of these regulations has its own regulatory objectives that might override each other or complement one another.

If you are the head of digital corporate initiatives, you know the landscape is riddled with complexity that requires automation to provide meaningful metrics. But the reality is that competing priorities derail the organization from investing resources to automate policy enforcement until a compliance mandate or regulation is violated. That’s why organizations often institute inadequate policy validation with a few basic data rules and filters that are too weak to detect or stop a breach.

Data Metrics can Prevent Compliance Failure

So how can we make life easier for ourselves by employing automated controls to monitor and track data to prevent a compliance violation from occurring? Information architects can provide the required data for digital programs, as well as help capture required data metrics around the data, as it is passed through compliance filters and aggregation rules. Data monitoring and metric collection around the data flow can provide key metrics that can be linked when reporting compliance enforcement. Data monitoring controls can capture and track information flow and provide invaluable data insights.

The diagram below shows data extraction, cleansing, standardization, and transformation when used for digital marketing campaigns. As the data moves through each step in the process, internal validation controls can monitor the application state, data state and information origination details.

As the data flows through this process, data controls collect data flow metrics associated with the process and help validate some of the key data rules or mandates such as data confidence, data alignment, accountability details, enforcement rules, etc. Once parameters are validated, the outcome of each will be used for metric validation, reconciliation and analysis of the data before the campaign data is shared with the digital team.

Data Controls: How they can Help

Data controls can help streamline data monitoring through an automated data controls framework, as well as reduce deployment time and increase compliance adherence rates. Pre-built standardized data metric reporting can provide reporting that can be related to compliance measurements.

Organizations have two choices: (1) orchestrate an offensive approach to ensuring policies are being enforced through continuous data controls that provide actionable metrics and insights, or (2) take a good-enough approach and react to issues as they arise.

Regulatory compliance and risk management need not be a risky business. Learn more about automation to ensure compliance by reading this case study.
