Frequently Asked Questions


Supervisory Control Procedures


Q: What is the difference between written supervisory procedures (WSPs) and supervisory control procedures (SCPs)?

A. WSPs are the actual procedures that a firm must adopt to supervise its personnel in the conduct of the firm's securities and/or investment banking business. SCPs comprise two sets of distinct written procedures:

(1) procedures to test and verify that the WSPs achieve compliance with the applicable FINRA rules and federal securities laws, and procedures to amend or add WSPs, where necessary, to achieve compliance; and


(2) specified procedures that are part of a firm's SCPs, such as supervision of producing managers; and procedures to review and monitor certain specified activities (e.g., transmittal of customer funds, changes of customers' addresses and changes of customer investment objectives).


WSP Example
"The head of department will approve all new accounts by initialing the new account forms before the first trade in an account is executed."


SCP Example
"Compliance department will review the FINRA Weekly Update emails to determine if any new or proposed requirements are applicable to the firm and the firm's business activities. If so, the compliance department will identify and implement changes to the firm's supervisory system and supervisory procedures to ensure compliance with the new requirements."


Q: Should the written SCPs required by Rule 3012 be separate from the firm's WSPs required by NASD Rule 3010?

A. Firms are permitted to maintain both procedures in the same manual or document, as long as they are clearly identifiable.


Q: How should firms inform FINRA of who their designated SCP principal(s) is/are?

A. Firms must designate the principal(s) and his or her supervisory control responsibilities in their SCPs.


Q: Can my firm use our self-assessment, internal audit or inspection process to comply with Rule 3012's testing and verification requirement?

A. A self-assessment, internal audit or inspection process may be used to satisfy a part or the entirety of the testing and verification process. The extent to which these processes may be solely relied upon depends on whether any of these processes test and verify that the firm's methods, policies and procedures of supervision are reasonably designed to comply with applicable laws, regulations and FINRA and MSRB rules and determine which procedures must be amended or added. If your firm decides to use one or more of its self-assessment, internal audit or inspection processes as a testing mechanism, it must indicate in its annual Rule 3012 report that it has used the data from these processes as a testing mechanism.


Q: Do we need to test and verify all of the firm's policies and procedures on an annual basis?

A. Your firm may use risk-based methodologies and sampling to test a subset of policies and procedures annually. If a risk-based approach is used, factors such as the following may be considered in determining scope:

  • Businesses and activities from which the firm derives significant revenues. (However, to the extent such activities have been previously tested and found sufficiently designed, and there is an absence of other factors - such as a change in the law or rules or the absence of regulatory, compliance or audit findings - deriving significant revenue from an activity, by itself, does not mean that a firm must reach a risk-based assessment that the testing of that area in a given year is necessary.)
  • Areas where the firm has had procedural or supervisory deficiencies in the past. (However, the absence of a historical deficiency does not mean that a firm should not consider the area for inclusion in the testing).
  • Products, rules or issues highlighted by regulators as areas of concern or that were otherwise identified as emerging topics/problems.
  • Business activities in which the firm has had customer complaints or which resulted in the termination of personnel.
  • New business activities or products.


Q: If my firm has been in existence for less than one year, when must I complete Rule 3012 testing and verification requirements?

A. Your firm must have in place its entire supervisory control system by the time it becomes a member of FINRA. However, the Rule 3012 report demonstrating the firm's testing and verification does not have to be completed until the first anniversary of becoming a FINRA member.