Risk Control Assessment Frequently Asked Questions (FAQ)
- What is the Risk Control Assessment (RCA)?
- How do I access the survey?
- Is my firm's data secure?
- What if my firm does not receive the survey?
- Who at the firm is responsible for responding to the RCA?
- How long will the RCA take to complete?
- How will the responses be used?
- What happens if my firm doesn't fill it out?
- Will FINRA spend extra time when examining my firm because we didn't complete the survey?
- Why doesn't FINRA already have this information?
- What feedback did FINRA receive from firms that participated in the 2012 RCA and also had a sales practice cycle exam in 2012?
- What changes have been made to the 2013 RCA?
- Does the RCA contain questions that relate to specific rules or compliance issues?
- What's the best way to answer questions when the available response options don't completely describe or could lead to a potential misinterpretation of my firm's business?
- Should all potential business activities and or products sold be disclosed even if they are not material to the overall business?
- How should we answer questions that could have multiple interpretations?
- For firms with affiliates, what scope of business should be included in survey responses?
- What if I don't know the answer to a question, or I don't know how to answer it?
- Can I amend the RCA after it has been submitted?
- 1. What is the Risk Control Assessment (RCA)?
- The RCA is a survey FINRA sends to firms to collect information about the firms' business models and the activities they engage in, the products and services they sell, and the kinds of clients and counterparties they deal with, and to identify and help us prioritize the underlying risks associated with that business model. We use the information collected to better inform our examination program and make it more risk-based, with the goal of streamlining cycle examinations and having them focus only on the areas that pose real risks to investors.
- 2. How do I access the survey?
- Your firm's executive representative will receive an email on or around May 6, 2013, with a unique link to the survey. Individuals who serve as executive representative to multiple firms will receive multiple emails, each listing the name and BD number for the firm for which the survey is intended, along with the link to that firm's survey. More information, including how to complete the survey using SurveyMonkey, is included in the instructions.
- Alternatively, you can download the survey in Adobe PDF version if you are experiencing difficulties using Survey Monkey to complete the RCA (visit the resources section of the main RCA page to use a PDF version). Please note that all questions marked with an asterisk require responses. As the PDF version does not allow for dynamic skip logic, you will see instructions embedded in the survey prompting you to skip certain questions that would not pertain to your firm. When responding to the survey using the PDF version, please make sure to save your responses and email the completed survey to RCA@finra.org.
- 3. Is my firm's data secure?
- The 2013 RCA is administered through SurveyMonkey, a Web-based third-party vendor. Your private information is encrypted during the transmission process. Survey Monkey uses Verisign certificate Version 3, 128 bit encryption.
- 4. What if my firm does not receive the survey?
- The 2013 Risk Control Assessment (RCA) is being administered through Survey Monkey, a secure Web-based third- party survey application. Firms with firewall rules and Internet security in place may block messages from Survey Monkey. If your firm has this level of security, please have your IT department grant access to www.surveymonkey.com and www.research.net and allow all of its sub-domains.
You may also need your IT department to allow the following IP addresses listed below. This should allow the RCA survey message from Survey Monkey not to be blocked by your servers.
Please also make sure your firm's network does not automatically send the RCA message to a spam or junk folder. Please check the spam or junk folder of your mailbox and look for the email with the subject "2013 FINRA Risk Control Assessment" coming from email@example.com; on behalf of RCA@FINRA.org via research.net. If using Microsoft Outlook, You can right-click on the email to mark it as "not spam" or "not junk" and move it to your Inbox.
- 5. Who at the firm is responsible for responding to the RCA?
- The RCA is distributed to each firm's executive representative, who will serve as the primary point of contact for the RCA. Depending on the firm size and nature of its business, the executive representative may need to identify other individuals who can respond to the survey. The survey can be saved and the link can be forwarded to others within the firm to help with this process. If multiple contributors will be responding within the firm, however, only one person should edit the survey at a time to avoid inadvertently overwriting responses.
- 6. How long will the RCA take to complete?
- The RCA survey content is dynamically built based on the responses given to an initial set of questions about the firm's business model. Firms with a narrow business model will receive a shorter survey. Firms that are engaged in multiple lines of business will receive a longer survey. As a result, the total time commitment required to complete the survey will vary. Nonetheless, the 2013 survey is much shorter, so we anticipate that it will take substantially less time to complete than the 2012 survey.
- 7. How will the responses be used?
- FINRA will use the results of the RCA to better understand the specific business models of individual member firms, the risks attendant in that business model and the controls intended to manage those risks. We will also use this information to benchmark controls and get a better sense of industry-leading practices as they relate to risk and controls. FINRA will use this information to enhance the quality of our regulatory programs—particularly our on-site examinations.
- 8. What happens if my firm doesn't fill it out?
- This is a voluntary survey. If your firm does not participate, your firm will not suffer any negative consequences. It will mean, however, that FINRA will need to follow traditional examination methods to gain a complete understanding of your firm's business model, attendant risks and controls prior to commencing an examination, and will need to gather and assess more documents and information during the course of the examination.
- 9. Will FINRA spend extra time when examining my firm because we didn't complete the survey?
- In most instances, examinations will take longer to complete since the examiners will plan and arrive on-site at your firm without the benefit of critical information needed to complete a risk-based assessment upon which the scope of the examination is based. Feedback from firms that participated in the 2012 RCA and had subsequent examinations was that examiners were better prepared, the examinations were more targeted and the processes streamlined. Our examination staff also confirmed that they gained substantial efficiencies in connection with 2012 examinations of firms that completed the RCA.
- 10. Why doesn't FINRA already have this information?
- FINRA does not capture and maintain the type of information across all member firms that the survey seeks.
- 11. What feedback did FINRA receive from firms that participated in the 2012 RCA and also had a sales practice cycle exam in 2012?
- Respondents characterized the overall impact of the RCA on their examination experience as extremely positive. Specifically, the feedback was that their subsequent sales practice cycle exam was more streamlined, that examiners arrived on-site with a better understanding of the firm's business, and that the focus of the examinations were more targeted and risk-based.
- 12. What changes have been made to the 2013 RCA?
- The 2012 RCA was used to create a baseline that helps us understand the business model firms deploy, the products and services they sell, the clients and counterparties they engage with, and the underlying control structures intended to manage or mitigate attendant risks. We performed regression and correlation analyses from those results to identify the specific control attributes that were most likely to occur in problematic firms—the 2013 RCA focuses mostly on those attributes and eliminates questions from the 2012 RCA that were not helpful to this analysis.
In addition, we responded to feedback by making a number of enhancements to the RCA for 2013.
- The forms have been streamlined. Based on our analysis, we've targeted this effort on only the most relevant questions and in the process, significantly reduced the overall effort required to complete the survey.
- Firms receive a different version of the survey based on firm size. Specifically, firms with fewer than 10 registered representatives and a single office will receive a survey that is focused solely on the firm's business model and access to cash and securities, and all other firms will receive a survey that includes questions that reflect more complex business models. It should be noted, however, that both versions of the survey are significantly shorter than the 2012 RCA.
- Firms have the option to add comments relative to certain questions.
- The survey can now be routed by forwarding the email link, which will allow multiple participants to provide input within a firm.
- The survey can now be printed.
- 13. Does the RCA contain questions that relate to specific rules or compliance issues?
- No. The survey does not seek to test for compliance with specific rules. The survey is focused, instead, on better understanding the business models of individual firms, the attendant risks in the business models and the controls in place to manage those risks. We have deliberately avoided questions that address rules or potential rule violations.
- 14. What's the best way to answer questions when the available response options don't completely describe or could lead to a potential misinterpretation of my firm's business?
- Use your best judgment. The results of this analysis will not be used to try and "catch" firms, nor are the questions designed to trick respondents. FINRA is seeking to better understand the businesses that your firm is materially engaged in. In this regard, firms should use their best judgment and select the answer choice that is the closest match. Firms can also use the comments section that has been provided with many questions to explain further if necessary.
- 15. Should all potential business activities and or products sold be disclosed even if they are not material to the overall business?
- No. We are interested in responses regarding business activities that represent a material component of your overall business. As you complete survey questions, we ask only that you use your best judgment when responding. In this regard, your responses should seek to describe the material aspects of your business rather than immaterial activities. For example:
The examples are provided to assist you in making a decision in how to respond to questions in the RCA. If you believe an available response option does not describe your business for a particular question, use your best judgment or call the Help Desk (240) 386-4001. In addition, many questions include a comment section that will allow you to clarify—or expand upon—your responses at your discretion.
- We ask if your firm sells or transacts in penny stocks for its retail customers. If you engaged in a small number of non-recommended or unsolicited trades last year on a customer's behalf, but otherwise do not transact in penny stocks as a regular part of your business, we would expect your answer to be "No."
- If you execute a small number of isolated trades in other types of securities that the firm normally does not handle as an accommodation for an established customer, we would expect your answer to be "No."
- If your penny stock business contributes to a significant portion of your total gross revenue, we would anticipate your answer to be "Yes."
- If, for example, to your knowledge, your penny stock business contributes minimally to your total gross revenue, but your firm facilitates a material percentage of all secondary market trading in penny stocks in a given year, we would anticipate your answer to be "Yes."
- 16. How should we answer questions that could have multiple interpretations?
- Although we've taken every effort to use common financial services industry terms, you may identify words or phrases that you feel are open to interpretation. In all cases, we mean the commonly accepted uses of terms. As a general rule, use your best judgment and experience, considering interpretations from the perspective of the financial services industry. For example, words like asset-backed security (ABS) could potentially have different connotations to different people. We intend ABS to mean a security that is primarily serviced by the cash flows of a discrete pool of receivables or other financial assets that convert into cash within a finite time period. We're not looking for a broader interpretation and we are not looking for responses regarding products that your firm is not involved with in the normal course of business. If after considering this guidance you still have a question, please call the Help Desk for clarification at (240) 386-4001.
- 17. For firms with affiliates, what scope of business should be included in survey responses?
- The RCA focuses on the business of the broker-dealer, including businesses conducted as part of the legal entity that houses the broker-dealer. In this regard, if, for example, the same legal entity is registered as both a broker-dealer and investment adviser (commonly referred to as a "dual registrant"), complete the RCA questions from the perspective of both brokerage and advisory activities. On the other hand, if the broker-dealer is not a dual registrant but is affiliated with an investment adviser that is registered through a separate legal entity, you should not complete the RCA based on the activities of the investment adviser.
- 18. What if I don't know the answer to a question, or I don't know how to answer it?
- The RCA, by intent, addresses multiple business areas within the firm. As such, firms are encouraged to identify the most qualified or appropriate resources within the firm to respond to designated sections of the RCA. If no one at the firm is able to respond to a question, please contact the Help Desk at (240) 386-4001 for additional assistance.
- 19. Can I amend the RCA after it has been submitted?
- It is not possible for you to re-open the survey to make changes to your firm's survey responses after the survey has been submitted. However, if you discover a material inaccuracy in your submission, please contact the Help Desk at (240) 386-4001 and we will make sure that the survey properly reflects your views.