Proposed Changes to FINRA’s MFA Requirement on Behalf of Law Firms and Compliance Consultants

This is a gentle reminder that while FINRA only regulates its broker-dealer members, it hosts the Investment Adviser Registration Depository (“IARD”) and Central Registration Depository (“CRD”). The IARD and CRD are two systems used by investment advisers registered with states and the SEC and exempt-reporting advisers.

FINRA has adopted a new multi-factor authentication system (“MFA”) for all persons who have access to the IARD and CRD system. FINRA started rolling it out in May and expects it to be fully operational for all firms by December 2020.

This new system is a burden on compliance consultants and law firms. Each time a compliance consultant or lawyer is given access rights to the system, they must create a separate username and password. They must then link a phone, tablet, or email to their account. They receive a code and must enter the code in the system. Then they must sit by and wait for a phone call to confirm their account. They have to go through this process for every single client that they assist on the IARD and CRD system.

I recently wrote to Marcia E. Asquith, EVP, Board and External Relations with FINRA to request that FINRA consider a revision to their system for compliance consultants and law firms that would provide a single access point for multiple registrants.

I don’t believe that this would compromise any registrants or their information materially if the consultant or law firm’s account was also subject to MFA. If needed, FINRA could impose some level of due diligence before approving any consultant or law firm.

I would request that law firms and compliance consultants that use the IARD and CRD system make similar requests.

Leave a Reply

%d bloggers like this: