Annual Entitlement User Accounts Certification Process
Some of the key responsibilities of an SAA are to ensure that access is appropriate and required as well as remove access for users who no longer need it—either because of changes in job duties or termination with the firm. One way to meet these responsibilities is to periodically review the firm's user accounts. The frequency of such reviews depends upon the size of an organization, user access requirements, staff turnover or security concerns. In addition to FINRA’s recommended periodic reviews, FINRA requires SAAs to complete an annual online user accounts certification process. This mandatory process enhances FINRA's overall program to protect the integrity and confidentiality of regulatory, proprietary and personal information maintained by FINRA.
Each year, FINRA designates a 30-day period during which SAAs of organizations with more than one user must certify their users' access to comply with FINRA's Entitlement User Accounts Certification Process.
This certification process ensures that:
- Each user has a continuing need to access FINRA application(s) on the organization's behalf;
- Each user is entitled only to the applications and privileges needed to perform current job responsibilities; and
- Only those users who require access to sensitive data (e.g., Criminal History Record Information (CHRI), Social Security or tax identification numbers, dates of birth) are given access to this type of data. Otherwise, access must be removed.
If user accounts are not certified within the 30-day period, the capability to create, edit and clone accounts will be disabled for all administrators within the organization and will remain disabled until the SAA completes the certification process. In addition, action by the regulator may be taken to ensure compliance with the process.
For more information, refer to the Entitlement User Accounts Certification Process Quick Reference Guide and the FINRA Entitlement Program Frequently Asked Questions.