FINRA Entitlement Program Frequently Asked Questions
On this page
- What is FINRA Entitlement?
- Super Account Administrator Information
- Replace/Update SAA
- General Entitlement Information
- Dormant User Account Process
- Certification Process
- Security Questions and Answers
- Role Management
- Sensitive Information
The following FAQs address general Entitlement questions. For detailed information, refer to the website specific to each user group:
FINRA Entitlement Reference Guide
Q1: What is FINRA Entitlement?
A: FINRA Entitlement is the process by which a user is granted secure access to a participating FINRA system by a Super Account Administrator (SAA) or an Account Administrator (AA) who maintains that account. Entitlement includes creating and deleting accounts and granting specific privileges within an application(s) that allow a user to perform their job responsibilities by using specific functionality within a FINRA system.
Super Account Administrator (SAA) Information
Q2: What are the responsibilities of an SAA?
A: Each organization with access to FINRA’s Entitlement Program must designate an SAA. An SAA is entitled as an administrator for all systems participating in the FINRA Entitlement Program that are available to that type of organization (e.g., firm, SEC, SRO, state regulator, etc.). An SAA is responsible for:
- Complying with the FINRA Entitlement Program requirements.
- Creating accounts for the organization to access the systems on the FINRA Entitlement Platform.
- Self-entitling their own “User” privileges when required to perform current job responsibilities.
- Providing their phone numbers, title and department for their account.
- Creating and updating access for Account Administrators and users.
- Creating and managing Roles for the organization. Consider that access to sensitive information (e.g., SSNs and CJI) should be managed through creation of a secondary Role. (See Section 17)
- Assigning and unassigning Roles for Account Administrators and users. (See Section 17)
- Verifying that access to sensitive information, such as social security numbers (SSNs) and criminal justice information (CJI), is appropriate to the individual’s current job responsibilities. This access may be subject to federal and state and other agency reporting obligations.
- Applying the principle of Least Privilege to each account by assigning only those privileges that align with the individual’s current job responsibilities.
- Considering separation of duties when assigning access. Separation of duties is an administrative control under which no one person has sole control over the lifespan of a transaction and more than one individual is required to perform a task. It reduces opportunities for fraud, sabotage, or misuse or theft of information, because errors are more likely to be discovered by another person involved in completing the task.
- Performing password administration, such as unlocking accounts and resetting passwords.
- Disabling an account if they suspect or know of a security issue.
- Deleting an account immediately (within one (1) day) when an individual no longer requires access to the FINRA Entitlement Platform.
- Deleting accounts immediately (within 30 minutes) if there is a suspected or actual security incident with the account.
- Monitoring the organization’s accounts on a periodic basis by using the Account Details Report.
- Certifying all accounts at the organization for authorized access on an annual basis and by FINRA’s published due date.
Q3: What are the criteria for designating an SAA?
A: Each firm is responsible for selecting an SAA. The SAA is a powerful role with administrator rights to all applications and entitlements that are available to an organization, so careful consideration should be given when designating an SAA. Consider the following when designating your SAA:
- An SAA is expected to have the requisite knowledge of their organization’s users and the associated responsibilities of these users to justify access to the required systems and functions to which access is granted.
- An SAA must have the organization’s trust and confidence to perform the responsibilities to manage access for all of their users and to follow the FINRA Entitlement procedures and policies, as well as the access management requirements of their organization.
- An SAA may need to coordinate with other departments and individuals to confirm access of an organization’s users. In addition, machine accounts created by the FINRA Entitlement Group may require an SAA to coordinate with their organization’s Technology Specialists to verify use.
- An SAA is formally delegated the authority by the organization and authorized by the New Organization Super Account Administrator (SAA) Agreement (or the Replace SAA online process) to perform the SAA responsibilities on the organization’s behalf.
- An SAA may serve in this role for multiple organizations (affiliated or non-affiliated) with a signed New Organization SAA Agreement for each organization designating the individual; however, a separate username and password are required for each organization.
- The individual designated as the SAA does not need to have an existing FINRA Entitlement account at the time they are selected to serve as SAA.
An SAA designation for a new organization must be made on the current version of FINRA’s New Organization SAA Agreement, as instructed, and be executed by an Authorized Signatory (See Question 6), as defined by FINRA. An organization must replace its SAA within 30 days of when the current SAA is no longer in the role. Organizations should use the online Workflow to request the replacement. The request requires an Authorized Signatory’s approval.
Q4: How many SAAs can an organization have?
A: For security reasons, an organization may designate only one (1) SAA to serve in this role. The FINRA Entitlement Program automatically checks that only one SAA is designated for an organization. An organization is defined as an entity with a unique Org ID # (whether an entity or an affiliate of an entity).
Q5: How do I designate an SAA for my new organization?
A: An SAA designation for a new organization must be made on the current version of FINRA’s New Organization SAA Agreement, as instructed, and be executed by an Authorized Signatory (See Question 6) as defined by FINRA.
Complete the New Organization SAA Agreement when your new organization is first requesting access to the FINRA Entitlement Program and needs to designate its SAA. Follow the specific instructions on the agreement and have it executed by an Authorized Signatory. This agreement can be submitted electronically via DocuSign or as a downloadable PDF submitted via email or mail.
Q6: Who does FINRA define as an Authorized Signatory?
A: FINRA defines an Authorized Signatory for an organization as follows:
- Broker-Dealer (BD) and CAB Firms: An Authorized Signatory is the Chief Compliance Officer (CCO) or authorized officer (or other authorized person) listed on Schedule A of the Organization’s Initial Form BD. Generally, the signatory and the designated SAA cannot be the same person. There are limited circumstances when this condition is permitted, and an explanation must be provided for evaluation by the FINRA Entitlement Group.
- Investment Adviser Firms: An Authorized Signatory is either the Chief Compliance Officer (CCO) or Additional Regulatory Contact (ARC) who will be listed on the Organization’s Initial Form ADV. Generally, the signatory and the designated SAA cannot be the same person. There are limited circumstances when this condition is permitted, and an explanation must be provided for evaluation by the FINRA Entitlement Group.
- Regulators: An Authorized Signatory is the Securities Commissioner, Chief Regulatory Officer or other Authorized Signatory. Generally, the signatory and the designated SAA cannot be the same person. There are limited circumstances when this condition is permitted, and an explanation must be provided for evaluation by the FINRA Entitlement Group.
Q7: Can the individual who is to be designated as the firm SAA also be the person who signs the New Organization SAA Agreement, as an Authorized Signatory?
A: In limited circumstances, the individual may be both the designated SAA and the Authorized Signatory. These circumstances are restricted to when the organization is a sole proprietorship, or when no other individual with the authority to sign for the organization is available, because there are no other individuals in this capacity at the firm, or an alternate Authorized Signatory is not available due to unforeseen circumstances (e.g., illness). When the SAA and the Authorized Signatory are the same person, complete Section B of the New Organization SAA Agreement.
Q8: The New Organization SAA Agreement has a Section A and a Section B; which one should I complete?
A: Use Section A when the Super Account Administrator for the organization is NOT the same person who will sign the SAA Agreement. Use Section B for all other circumstances.
Q9: Our firm designated the Chief Compliance Officer (CCO) as the SAA and to expedite the process, the CCO signed the Agreement as an Authorized Signatory. Our organization has other individuals who meet FINRA’s definition of an Authorized Signatory – for example, a Chief Operating Officer and Chief Financial Officer who were available to sign the Agreement. We completed all required fields of Section A of the New Organization SAA Agreement. Did we follow the instructions correctly?
A: While your firm completed the correct Section, Section A, this Agreement typically would be rejected because your firm has other Authorized Signatories designated who, as explained, were available to sign. The individual who is being designated as the SAA cannot sign the agreement when other Authorized Signatories are available. In limited circumstances an agreement that meets this condition may be processed; see question 6 above.
Q10: How do I complete the New Organization SAA Agreement electronically?
A: FINRA offers the SAA Agreement via DocuSign, which allows the agreement to be completed and submitted electronically.
Q11: Can the same individual be designated as an SAA for multiple firms (affiliated or non-affiliated)?
A: Yes, as long as the individual is formally delegated appropriate authority to act on behalf of each organization. An SAA may serve in this role for multiple organizations (affiliated or non-affiliated); however, a New Organization SAA Agreement is required from each organization (with Org ID#). A separate username and password are required for each organization.
Q12: Can a firm designate its own SAA as well as its affiliates?
A: Yes. Submit a New Organization SAA Agreement for each organization (with Org ID#).
Q13: If I am a new FINRA Entitlement user and designated as an SAA, how will I receive my User ID and Password?
A: For security reasons, the SAA will receive two (2) separate emails: one with the user ID and one with a link to activate your password. After clicking on the Activate Password link, the Reset Password screen will appear. Enter your new User ID and New Password, and then Confirm New Password.
Q14: What can I expect as an SAA when I first log in with the User ID and link to activate a new password provided to me by the FINRA Entitlement Group?
A: To ensure that only you have access to your password, when you first log into any participating FINRA Entitlement system to which you have been entitled, you will be directed to create your own password. You will first need to click the Activate Password link provided to you by the FINRA Entitlement Group and then create and enter your new password. You will also be directed to select three security questions and responses. The security information will be used if you forget your password or become locked out of your account. When you call the FINRA Support Center, you will be asked to confirm your identity as an Account Administrator by providing your response to all three of the security questions you selected.
Q15: If I already have a FINRA Entitlement account and later am designated as the SAA, will I receive a new user ID and password?
A: No, an existing FINRA Entitlement account that is upgraded to an SAA can use the existing user ID and password. Any entitlements previously granted prior to the SAA designation will also remain.
Q16: What should an SAA do if his/her account password needs to be reset?
A: The SAA should contact the FINRA Support Center to have his/her password reset or account unlocked.
Q17: How do I find out who my organization’s SAA is?
A: Users can click on the red dot in the upper right corner and select My Account; their SAA is displayed in the Organization Profile section. Account Administrators can also see the SAA designation in the Account Management Search Results screen.
Q18: Are there any FINRA Entitlement Program applications that are excluded from the SAA process?
A: Yes, the file transfer protocol (FTP) accounts are excluded from the SAA process. Due to the unique environment of these applications, FINRA maintains account administration rights to create these types of accounts. For access, an Authorized Signatory will need to obtain the FTP Entitlement Request by contacting the FINRA Support Center. The FINRA Entitlement Group confirms the identity of the requester and pre-populates the request with a unique identifier specific to the request. When the request is returned to FINRA, the pre-populated information on the request must match the unique identifier that FINRA provided. FINRA sends the request only to an Authorized Signatory at the firm, using the individual’s contact information on file.
Q19: I’m a new SAA and cannot access Web CRD, FOCUS, or any other application I need. Why?
A: New SAA accounts will automatically be set up with administrator capabilities which will enable you to create account administrator or user accounts for your firm. However, in order to access or use any of the requested applications and functionality for yourself, you will need to set your SAA account with "User" for each privilege you need to perform your current job responsibilities. You are responsible for determining and setting access to the applications and privileges you need to use to perform your current job functions.
Q20: How does an SAA self-entitle “User” privileges to applications in the Account Management System?
A: As a new SAA, you will need to entitle yourself to any user privileges for applications you need to use to perform your job functions. Keep in mind that you will not be able to access any application unless you have marked “User” for that application for your SAA account. See Section 1.5 (How To Self-Entitle User Privileges as an SAA) of the FINRA Entitlement Reference Guide.
Q21: How does an SAA select Unique IDs and Report Center privileges for an Account Administrator?
A: See Section 6: Step 6 of the FINRA Entitlement Reference Guide.
Q22: How do I get "Administrator" access to new Entitlement Applications/Privileges added on the FINRA Entitlement Program?
A: FINRA will systematically entitle the SAAs who are to be granted the new entitlement.
Q23: As an active SAA, why are there times when I can’t edit/create a user’s account?
A: On occasion, Entitlement functionality is temporarily suspended to allow the FINRA Entitlement Group to process transactions (e.g., set a new privilege) for a specific account. Once processing is complete, Entitlement functionality is re-established.
Replace/Update SAA
(See the FINRA Entitlement Reference Guide, Section 1.4 for more details)
Q24: How does my organization replace its SAA?
A: The Account Management System offers an online workflow that enables your organization to replace its SAA. An Authorized Signatory must approve any online request in order for it to be fulfilled. See the FINRA Entitlement Reference Guide, Section 1.4.1 for more information on SAA replacement.
An organization must replace its SAA within 30 days of when the current SAA is no longer in the role.
Q25: Who can submit a Replace SAA Request?
A: Any individual at the organization with an active FINRA Gateway account is able to submit a request to replace the SAA, though the request will need to be approved by an Authorized Signatory before it will be fulfilled. For more information on replacing an SAA, refer to the Entitlement Reference Guide, Section 1.4.1.
Q26: When replacing the SAA, is an organization able to maintain an account for the former SAA?
A: Yes, the organization has the option to convert the current SAA to a User Account if the individual will continue to require access to application(s). If you decide to convert the current SAA to a User, once the request is approved and processed, the SAA’s account will have the SAA administrator role removed and only those privileges that had User marked will remain. An organization also has the option to delete the account of the former SAA when requesting an SAA replacement.
Q27: What does my organization do if our SAA will be out of the office for an extended period of time?
A: First, consider that Account Administrators in your organization are able to perform most entitlement transactions (e.g., creating, updating, or deleting user accounts, resetting user passwords). If there are no Account Administrators and an SAA will be unavailable for an extended period of time, the SAA may either create an Account Administrator account if there is time to do so, or temporarily replace the SAA. The requester must complete the online Replace SAA process. If the former SAA needs to return to that role, the organization will need to submit another request using the online Replace SAA workflow.
Q28: How will an organization be notified when an SAA is designated?
A: For newly created SAAs for organizations, both the Authorized Signatory who signed the New Organization SAA Agreement and the SAA will receive an email when the SAA’s account has been processed by FINRA. When replacing an SAA using the online workflow, an email will be sent to the Requester, Authorized Submitter and SAA once the workflow is complete.
Q29: Who can submit an update to an SAA’s name or email address?
A: Only the SAA is able to submit a request to update their name and/or email address. The request will need to be approved by an Authorized Signatory before it will be fulfilled. For more information on updating the name and/or email address of the SAA, refer to the Entitlement Reference Guide, Section 1.4.2.
Q30: Where do I find the status of a Replace or Update SAA Request?
A: The status of a request is available in the Request & Filings dashboard, which is available from FINRA Gateway. For more information, see FINRA Entitlement Reference Guide, Section 1.4.3.
Q31: Who can see the status of a Replace or Update SAA Request?
A: Any individual at the organization with an active FINRA Gateway account will be able to view all active and completed requests to replace an SAA. Only SAAs can view their requests to update their name and/or email address. See question 30 for information on how to see request statuses.
General Entitlement Information
Q32: What does it mean to "Import" an account?
A: The Import Entitlements feature permits the ‘cloning’ of an account for an individual who requires the exact or very similar access that another account has. The purpose of this feature is to import entitlements to a newly created account or to add entitlements to an existing account. You can import entitlements from multiple accounts as many times as required with this feature. See Section 7 (How To Import Accounts) of the FINRA Entitlement Reference Guide.
Q33: Can I use the import function to update an existing user’s privileges?
A: Yes. Importing may be used when creating a new user account or updating an existing account.
Q34: What should a user at my organization do if they forgot their password or locked their account?
A: A user who forgets their password can click on the Forgot Password? link on the login screen to request a new password. To use this functionality, the user must know the responses to their security questions.
Five incorrect password attempts within one hour will result in a locked account. The account will auto-unlock after one hour. Accounts can be unlocked sooner than one hour if a user contacts their SAA or AA. If it is an SAA account, the SAA needs to contact the FINRA Support Center.
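The lockout rule stated above (five incorrect attempts within one hour lock the account; the lock clears after one hour, or sooner if an SAA/AA unlocks it) as a sliding-window model. This is an added illustration, not FINRA's code; the class, function names and the constructed timestamps are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Policy values as stated on the page.
MAX_FAILED_ATTEMPTS = 5          # failures that trigger a lock
WINDOW = timedelta(hours=1)      # failures are counted within a one-hour window
LOCK_DURATION = timedelta(hours=1)  # auto-unlock after one hour


@dataclass
class AccountLockState:
    """Per-account failed-attempt history and lock expiry (constructed model)."""
    failed_at: List[datetime] = field(default_factory=list)  # timestamps of failed attempts
    locked_until: Optional[datetime] = None

    def is_locked(self, now: datetime) -> bool:
        if self.locked_until is None:
            return False
        if now >= self.locked_until:
            # Auto-unlock: the lock period has elapsed, so clear the history too.
            self.locked_until = None
            self.failed_at.clear()
            return False
        return True

    def record_failure(self, now: datetime) -> bool:
        """Record one incorrect attempt; return True if this attempt locks the account."""
        # Drop failures that fall outside the sliding one-hour window.
        self.failed_at = [t for t in self.failed_at if now - t < WINDOW]
        self.failed_at.append(now)
        if len(self.failed_at) >= MAX_FAILED_ATTEMPTS:
            self.locked_until = now + LOCK_DURATION
            return True
        return False

    def record_success(self) -> None:
        """A correct password resets the failure count."""
        self.failed_at.clear()

    def admin_unlock(self) -> None:
        """Unlock earlier than the auto-unlock (SAA/AA action; Support Center for an SAA account)."""
        self.locked_until = None
        self.failed_at.clear()


def attempt_login(state: AccountLockState, password_ok: bool, now: datetime) -> str:
    """Return 'locked', 'ok' or 'failed' for one login attempt and update the state."""
    if state.is_locked(now):
        return "locked"          # rejected without counting as a further failure
    if password_ok:
        state.record_success()
        return "ok"
    if state.record_failure(now):
        return "locked"          # this was the fifth failure inside the window
    return "failed"


def simulate(events) -> List[str]:
    """Run a sequence of (timestamp, password_ok) events against a fresh account."""
    state = AccountLockState()
    return [attempt_login(state, ok, t) for t, ok in events]


# Constructed base time for the examples below.
T0 = datetime(2024, 1, 1, 9, 0)


def at(minutes: int) -> datetime:
    """Timestamp `minutes` after T0."""
    return T0 + timedelta(minutes=minutes)


if __name__ == "__main__":
    burst = [(at(k), False) for k in range(5)] + [(at(10), True), (at(65), True)]
    print(simulate(burst))   # five failures lock; correct password at +10 min is rejected; +65 min succeeds
    spread = [(at(0), False), (at(20), False), (at(40), False), (at(50), False), (at(70), False)]
    print(simulate(spread))  # the +0 failure has aged out by +70 min, so only four count: no lock
```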
Q35: I am attempting to select a password for my account and the system keeps rejecting the passwords I choose. Why might this be happening?
A: See the Password Requirements page for a list of password parameters and features.
Q36: How long will it take to process my entitlement request?
A: Please allow approximately three business days from receipt of a non-deficient New Organization SAA Agreement. For FTP users, allow approximately four business days from receipt of a non-deficient FTP entitlement request. For most non-deficient update/replace SAA requests, the workflow will automatically process the same day.
Q37: I have user accounts set up for multiple organizations (e.g., a service provider or an individual with separate user accounts for affiliated firms/entities). Why am I receiving Access Denied when I attempt to log in with some of these accounts even though I have provided the correct login information?
A: Your browser may still hold session information from the account you used during your previous session. We recommend that you completely close your browser window and start a new browser session prior to logging in again.
Dormant User Account Process
Q38: Does a user account ever get automatically deleted?
A: Accounts are considered dormant if they are not used for a defined period of time. For security reasons, FINRA deletes dormant accounts.
Q39: What is the impact if an SAA account is deleted due to dormancy?
A: Although an SAA account should never go dormant based on an SAA’s responsibilities, if an SAA’s account is deleted due to dormancy, there is significant impact to the organization. All FINRA Entitlement Program user accounts for the organization will lose system access until the SAA account is recreated, which requires the firm to contact FINRA.
Q40: How can Administrators manage accounts to prevent dormancy?
- Perform periodic reviews to ensure individuals are using their accounts based on their job responsibilities (e.g., check last login date available for each account in Account Management) and question a user if the elapsed timeframe indicates the account is not being used.
- Delete account(s) when the individual no longer requires access per their job responsibilities or is not using their account.
- Remember to log in periodically to prevent your account from going dormant.
Q41: What do I do if my account is deleted due to dormancy?
A: If your account is deleted due to inactivity, you will need a new user account created to resume access to FINRA applications. You will need to:
- Contact your organization’s SAA or AA to create a new user account.
- If your organization does not have an SAA or AA, or if you are the SAA or an AA with an account created by FINRA, contact FINRA at [email protected] to create a new user account.
Annual Certification Process
Q42: What is the FINRA Entitlement User Accounts Certification Process?
A: FINRA established the FINRA Entitlement User Accounts Certification Process as part of its ongoing efforts to protect the integrity and confidentiality of regulatory, proprietary and personal information maintained by FINRA. Additionally, the certification requirement supports each organization’s compliance with the management of authorized users on FINRA systems. The process provides a formal review of all user accounts in the FINRA Entitlement Program administered by an SAA or by a Certification Representative for non-SAA organizations.
Q43: How frequently will the FINRA Entitlement User Accounts Certification Process be conducted?
A: Certification is generally conducted annually.
Q44: Can an organization’s Administrators review users’ access at any time during the year or are user access reviews limited to only during the annual FINRA Entitlement User Accounts Certification Process?
A: FINRA strongly recommends that administrators review user accounts on a regular basis to ensure that accounts remain valid, have proper entitlement, have been deleted if access is no longer needed, and have correct email addresses. The frequency of access reviews may depend on the size of the organization, staff turnover, the number of organizational changes, an organization’s security guidelines, or other factors that an organization considers in its risk profile. See Section 11 (How To Review Accounts) of the FINRA Entitlement Reference Guide.
Q45: Are all organizations required to certify their user accounts?
A: No. Organizations with only an SAA account and no other user or administrator accounts have the option to certify but are not required to, unless the firm has access to the Consolidated Audit Trail (CAT). Firms with one or more accounts with access to CAT must certify.
Q46: If during the FINRA Entitlement User Accounts Certification Process the number of users at my organization decreases to only one user, will my organization still need to certify?
A: If your organization had more than one user on the start date of the Certification Period, your organization still needs to certify regardless of the changes made to the user population during the Certification Period.
Q47: How long is the FINRA Entitlement User Accounts Certification Process?
A: The Certification Period is approximately 60 calendar days.
Q48: Who at my organization is responsible for completing the FINRA Entitlement User Accounts Certification Process?
A: The SAA is responsible for validating and certifying all accounts by the due date provided by FINRA. For specific dates and step-by-step instructions, please refer to the following pages:
- Annual Entitlement User Accounts Certification Process
- FINRA Entitlement Reference Guide, Section 18, for detailed instructions.
Q49: What if my SAA is unavailable during the FINRA Entitlement User Accounts Certification Process?
A: FINRA requires your organization to replace your current SAA with a replacement SAA to complete the Certification Process. See the FINRA Entitlement Reference Guide for more information about the role’s responsibilities as well as the process to update or replace your firm’s SAA.
Q50: How will an organization be alerted to begin the FINRA Entitlement User Accounts Certification Process?
A: Your SAA will see the Certification banner on the Account Management Admin landing page and will receive an email that includes the start and due date of the Certification period.
Both your SAA and Chief Compliance Officer (or, for IA-firms, the Additional Regulatory Contact) will receive the following emails:
- Reminder email - If certification is not completed as of 10 business days prior to due date.
- Past Due email - If certification is not completed by the deadline.
Q51: When will an SAA be able to begin the FINRA Entitlement User Accounts Certification Process?
A: FINRA’s Entitlement User Accounts Certification Process is typically an annual process. An SAA may begin the certification process as soon as they receive the Certification message on the Account Management Admin landing page and/or email notification.
Q52: How does the SAA begin the FINRA Entitlement User Accounts Certification Process?
A: Instructions on how to begin the Certification Process are included in the FINRA Entitlement User Accounts Certification email messages and on the Account Management Admin landing page during the certification period. Please see the FINRA Entitlement Reference Guide, Section 18 for screenshots and detailed instructions.
Q53: How will FINRA communicate to the SAAs during the FINRA Entitlement User Accounts Certification Process?
A: SAAs will receive a series of messages while in the Account Management System that alert them to the status of the Certification Process:
- Initial Message - The FINRA Entitlement User Accounts Certification Period is underway with start date and due date defined.
- Reminder Message - If certification is not completed as of 10 business days prior to due date.
- Past Due Message - If certification is not completed by the deadline.
- Successfully Completed Message – Alerts the organization that the SAA has successfully completed the Certification Process.
Q54: Once the SAA begins the FINRA Entitlement User Accounts Certification Process will they be able to exit the Account Management System and complete the Certification Process at a different time?
A: Yes, an SAA may complete the Certification Process at a different time. However, FINRA recommends that an SAA certify users on the same day the export of user account information is requested, because the entitlement data may have been updated since the download was requested, which would require a subsequent review of users.
Q55: Why would the SAA’s Account Management Certification messages not appear?
A: The certification messages will not display in the Account Management System if your organization has completed the Certification Process and the Certification Period has ended.
Q56: Which accounts are included in the FINRA Entitlement User Accounts Certification Process?
A: All accounts that have access to an application in the FINRA Entitlement Program are included in the certification process. An SAA can search online for a list of their user accounts, including assigned Roles and entitlements outside Roles. See Section 10 (How To Request an All Accounts Report) of the FINRA Entitlement Reference Guide.
Q57: How does an SAA get a list of user accounts to review?
A: After clicking Start Certification, the Accounts Certification page will display a list of your users. Please see the FINRA Entitlement Reference Guide, Section 18 for screenshots and detailed instructions.
Q58: In the Accounts Certification Report that lists user account information, there are some criteria that are offered for selection. Which criteria should be selected for the exported report in order to conduct the review of user accounts?
A: The Accounts Certification Report will automatically display all Active accounts. Depending on the size of an organization, an SAA may find it helpful to customize the Accounts Certification Report by using the customizing tools: Columns, Filters, and Groups. FINRA recommends that last login be selected as an option to review when the account was last used. Other criteria may be selected based on an organization’s decision to validate this information. Share this report with other individuals within your organization to confirm each individual’s appropriate entitlement, including access to applications, Roles/privileges, and sensitive data.
Q59: Is an SAA considered a user?
A: Yes, an SAA is considered a user of the FINRA Entitlement Program, with access to Account Management System, and possibly other applications.
Q60: What criteria should my organization use when reviewing our users?
A: You will need to review your organization’s user accounts to determine that:
- each user has a continuing need to access FINRA application(s) on the organization’s behalf;
- each user is entitled only to the applications and privileges needed to perform current job responsibilities; and
- only users who require access to sensitive data (e.g., Criminal History Record Information, Social Security numbers) are entitled to access this type of data.
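A review pass over an exported account list that applies the checks from Q40 (last login date), Q58 (review by last login) and Q60 (continuing need, least privilege, sensitive-data access). This is an added example, not FINRA's tooling: the CSV column names, the sample rows and the 90-day inactivity threshold are assumptions (the page says dormancy is a "defined period" without giving it).

```python
import csv
import io
from datetime import date, timedelta
from typing import Dict, List

# Assumption: flag accounts unused for more than 90 days. The page does not
# state FINRA's dormancy period, so this value is the reviewer's own choice.
INACTIVITY_THRESHOLD = timedelta(days=90)

# Constructed sample export. Column names are our own, not the Account
# Management export's; roles are ';'-separated.
SAMPLE_REPORT = """\
user_id,last_login,roles,sensitive_data_access
jdoe,2024-05-20,Registration;CRD User,yes
asmith,2024-01-03,Reporting,no
mlee,,Registration,yes
rpatel,2024-06-01,Account Administrator,no
"""

# Constructed review date used with the sample above.
AS_OF = date(2024, 6, 10)


def review_accounts(report_csv: str, as_of: date) -> Dict[str, List[str]]:
    """Return {user_id: [review notes]} for accounts that need an SAA's attention.

    Accounts with no notes (recently used, no sensitive-data access) are omitted.
    """
    findings: Dict[str, List[str]] = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        notes: List[str] = []
        last_login = row["last_login"].strip()
        if not last_login:
            # Never used: Q40 says to question accounts that are not being used.
            notes.append("never logged in: confirm the account is still needed or delete it")
        else:
            idle = as_of - date.fromisoformat(last_login)
            if idle > INACTIVITY_THRESHOLD:
                notes.append(f"inactive for {idle.days} days: confirm continuing need or delete")
        if row["sensitive_data_access"].strip().lower() == "yes":
            # Q60: only users who require sensitive data (SSNs, CHRI) may keep that access.
            notes.append("has sensitive-data access: confirm it matches current job responsibilities")
        if notes:
            findings[row["user_id"]] = notes
    return findings


if __name__ == "__main__":
    for user, notes in review_accounts(SAMPLE_REPORT, AS_OF).items():
        for note in notes:
            print(f"{user}: {note}")
```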
Q61: What are the consequences if my organization does not complete the FINRA Entitlement User Accounts Certification Process by the due date?
A: The capability to create accounts, create and assign Roles, edit and import entitlements to accounts will be disabled and will remain disabled for all administrators (SAAs & Account Administrators) until your organization’s SAA completes the Certification Process. Other consequences include notification to the appropriate FINRA district office for FINRA member firms or notifications to other regulators for non-FINRA organizations. In addition, all user accounts for an organization will be suspended.
Q62: Can my firm still certify after the FINRA Entitlement User Accounts Certification Process due date has passed?
A: Yes. However, if all accounts have been disabled by FINRA, the SAA will need to contact the FINRA Support Center to arrange for access to complete the certification.
Q63: Can an administrator delete or disable user accounts or reset passwords if the organization has not certified within the period?
A: Yes. For security purposes, administrators may continue to delete or disable user accounts and reset passwords.
Security Questions and Answers
Q64: What is the FINRA Security Questions and Answers feature?
A: The first time a user logs in to a FINRA Entitlement application/system (e.g., Web CRD, IARD, Report Center, etc.) the user will be required to select three security questions and provide responses to each question. On subsequent logins, a user may be asked to provide the responses to the security questions he/she selected in order to further verify the user’s identity. This security feature is similar to those used by financial websites as an additional safeguard against unauthorized access.
Q65: Are all users in my organization required to follow the security questions and answers requirements?
A: Yes, all users (Super Account Administrators, Account Administrators and users, including those with public accounts) who access FINRA Entitlement applications/systems are required to follow the requirements of this security feature. Note: FTP (machine-to-machine) user accounts are not affected as long as the account is used solely for machine-to-machine access. If users log in with the FTP account to update their password online, they will be required to follow the security questions and answers feature.
Q66: How can an SAA/AA determine if an individual has set up their security questions?
A: Once a user has set up their security questions and responses, the firm’s SAA/AA will be able to see the security questions and responses on the Individual Information screen.
Q67: Can users change their security questions/responses?
A: Yes, users have the option to update their security questions and responses when they log onto a FINRA Entitlement application/system. Look for the Reset Security Questions option on the Individual Information screen. Note: Users must update their security questions and responses if they experience an account lockout due to multiple incorrect responses to their security questions or if they believe the responses to their security questions have been compromised.
Q68: When is a security question required?
A: A user may be presented with a security question if one or more of the following occurs:
- During login, if you did not check the box “Remember this computer” (choose this option only if this is your computer and you trust this device/computer).
- You log in from a different computer or use a different browser.
- The system detects a change in how you typically interact with the application.
- A year has passed since you have been presented with a security question.
- Your computer’s cookies were deleted since your last login.
- An SAA contacts FINRA for password help.
- The 30-day time frame in which the login process will "Remember this Computer" has elapsed.
Q69: How many security questions will I be required to answer if one of the above conditions exists?
A: Typically, a user will be required to correctly answer one security question though additional questions may be required.
Q70: Does the answer to a security question have to exactly match what was provided?
A: The system allows for some flexibility in responses. For example, the system ignores capitalization and accepts minor variations (e.g., “street” or “St”).
Q71: What will happen if an incorrect response is made to a security question?
A: A user will be presented with another attempt to answer the security question. If a second attempt fails, the user will be presented with a different security question. Eventually, a user will experience an account lockout if too many incorrect responses are provided.
Q72: What should I do if I am locked out of my user account?
A: If your account is locked, contact your Super Account Administrator (SAA) or Account Administrator (AA) to unlock your account. If your account is locked because of multiple incorrect responses to your security questions, your SAA/AA will unlock your account and require you to reset your security questions. Contact the FINRA Support Center, if you are an SAA and your own account is locked, or if you do not have an SAA or AA.
Q73: I am using a mobile device to access a FINRA Entitlement application/system. Why do I not see the “Remember this computer (Choose this option only if this is your computer and you trust this device/computer).” option when I set up my security information?
A: The login security feature does not support this option for mobile devices. In addition to entering your username and password, mobile users are always required to answer a security question during login.
Q74: If my organization has questions, whom should we contact?
A: Firms should contact the FINRA Support Center at:
- Broker-Dealers: (301) 869-6699
- Investment Advisers: (240) 386-4848
- FINRA Support Center, Funding Portals: (301) 590-6500
Role Management
(See FINRA Entitlement Guide, Section 17 for more details)
Q75: What are the Role responsibilities of the Super Account Administrator (SAA) and the Account Administrator (AA)?
A: Super Account Administrators (SAAs) are able to:
- Create and manage Roles for their organization
- Assign and unassign Roles for their Account Administrators (AAs) and users
Note: All existing and new SAAs are automatically granted Role Management to their accounts.
Account Administrators (AAs) are able to:
- Assign and unassign Roles for their users, if their SAA has granted their accounts the Assign Roles privilege.
Q76: What are the benefits of using Roles?
A: As a best practice for managing accounts, organizations should consider using role-based entitlement rather than granting access privilege by privilege, because Roles reduce the risk of human error when assigning access. Roles bundle entitlements to grant access to individuals who perform the same job functions and need the same level of access. A Role should provide access to only what a position requires. An SAA (or AA if provided the functionality by their SAA) has the ability to create a Role and assign to it the entitlements required to perform current job responsibilities. In addition, Roles enable a more efficient way to review users’ access. When managing access to sensitive information, an SAA (or AA) should consider creating a separate Role to access this type of information so that access can be more easily removed when needed. Remember, an account may have more than one Role assigned to it.
- Roles allow an organization to manage entitlements more effectively by grouping entitlements by job functions, positions, or other areas of responsibilities that meet the needs of an organization.
- Roles provide an efficient way to assign access for users as selecting each entitlement for an account is no longer necessary.
- Roles may offer more secure access as users performing the same job functions or responsibilities share the same level of access.
- Create a Role for access only to sensitive information such as fingerprint information or social security numbers, which provides more control and ease when removal of such access is required.
- Roles offer an easier way to review users’ access. In addition, Roles will display for annual account certification, which provides a more effective and efficient way to validate accounts.
- Roles are fully customizable to maximize flexibility. Several Role Templates are available for certain types of organizations to use as is, or to customize.
- All organizations that have Role functionality will be able to create new Roles and fully customize the Roles.
Q77: Are Roles required to be used when setting access for an account?
A: No, Roles are optional. SAAs should consider how best Roles can be used to meet their organization’s access management needs. Roles are typically considered a more secure way to manage access by limiting human error when setting access.
Q78: Can Roles be created for AAs and users?
A: Yes, an SAA may create Roles for AAs or for users.
Q79: Is there a system limit to the number of Roles that can be created?
A: No, there is no system limit to the number of Roles that can be created; however, keep in mind that too many Roles will be difficult to manage and maintain. Consider your users (how many individuals perform the same job responsibilities or are in the same position, and which users require access to sensitive information) and decide how many Roles your organization needs.
Q80: Can Roles be customized?
A: Yes, Roles can be customized. SAAs have the choice when creating Roles to:
- Use Role Templates created by FINRA (available for certain types of organizations) to use as is, or to customize
- Create a new Role by importing or adding entitlements; or,
- Further customize existing Roles previously created by the SAA
Q81: What are the workflow steps when creating a Role?
A: Step 1 – Role Information – Decide on a name for the Role and provide a description of the Role. The SAA must assign a unique name for each Role. A detailed description will help identify the Role’s access and function.
Step 2 – Entitlement/Role Template – Create the Role using a Role Template (if available) to use as is, or to customize, or create a new Role and assign/unassign entitlements.
Step 3 – Review and Create Role – Verify the information for the Role and then select ‘Create Role’. The Role is saved once ‘Create Role’ is selected and the Role is available to assign.
Q82: What are the three Role Types?
- Active – Role available to assign
- Delete – Role is no longer available to assign
- Incomplete – Role with no Entitlements
Q83: Can more than one Role be assigned to an account?
A: Yes, more than one Role may be assigned to an account.
Q84: Can a Role include MPIDs and related entitlements?
A: No, Role functionality does not support MPIDs and related entitlements and SAAs cannot add MPIDs and entitlements to a Role. To assign MPID entitlement, use Account Management.
Q85: Should entitlements to sensitive data be added to a Role?
A: Yes, consider creating a separate Role that provides access only to sensitive information such as fingerprint information and social security numbers. Assign the Role to users who require such access to perform their current job responsibilities. Do not co-mingle access to other systems and functionality with access to sensitive information. By creating a separate Role, you have more control on this access and create an easier and more efficient way to remove this access when it is no longer needed.
Q86: Can an Admin Role be assigned to a user account?
A: Yes, if you assign an Admin (AA) Role to a user account, the user account will become an AA. If that is not your intention, remove the AA Role in order to revert the account to a user with the entitlement the account previously had prior to the AA Role assignment.
Q87: When a Role is updated with additional entitlements, how will it affect the accounts that have been assigned the Role?
A: Users with the Role will have their accounts automatically updated with the added entitlements as soon as the SAA saves the updated Role.
Q88: Do all AAs have the ability to assign Roles?
A: No, only the AAs who have been granted the Assign Roles privilege by their SAA will have the functionality to assign Roles to users. However, when granting this privilege to an AA, keep in mind that the AA must have Admin privileges to ALL entitlements the Role includes in order for the AA to be able to assign/unassign the Role to a user.
Q89: Will all AAs be able to view Roles assigned to the users?
A: No, only those AAs who have been granted the Assign Roles privilege will be able to view Roles assigned to users’ accounts.
Q90: As SAA, I granted the Assign Roles privilege to my AA, but my AA said that they cannot assign/unassign the Roles. Why?
A: Make sure that your AA has Admin privileges to ALL entitlements in each Role that you want the AA to manage. If your AA does not have Admin to one or more privileges in a Role, they will not be able to assign/unassign that Role, even with the Assign Roles privilege. Before you grant your AA the Assign Roles privilege, review the AA’s account to verify that the account has Admin to all the privileges within the Role(s). If an AA tells you they cannot assign/unassign a Role, review the AA account and edit the account to include Admin to the missing Role privileges.
Q91: When an SAA deletes a Role, will it automatically remove the Role from all the accounts assigned to the Role?
A: No, the SAA will need to first unassign the Role for all accounts assigned to the Role and then delete the Role and provide a Reason for the deletion.
Q92: As SAA, where will I be able to manage and review my firm’s Roles?
A: From the Search Role screen on the Admin landing page, the SAA can:
- Create a new Role
- Click on an existing Role to view, add, or delete entitlements
- Click on an existing Role to delete the Role – you must first unassign all users from the Role
- Use the filters to search for specific Role entities (e.g., Active, Deleted, Role Type, Entitlements)
- View accounts that are associated with a specific Role from the corresponding Actions link on the right-hand side of the screen. If there are no accounts associated with the Role, the Actions link displays “No Action Available”
- Review Role Types.
Q93: Will Roles be viewable for accounts during the annual FINRA Entitlement Account Certification Program?
A: Yes, if your firm creates and assigns Roles to accounts, Roles will appear with each associated account for an SAA’s review during the annual FINRA Entitlement account certification.
Q94: If using the Role Management functionality, is it required that users only be assigned a Role(s)?
A: No, the ability to grant privileges separate from a Role is available. You may assign a user with one or more Roles and also add privileges to the account, though keep in mind that adding individual privileges may increase the complexity of an account, especially when reviewing access. To grant privileges outside of a Role, follow the current process for adding entitlements to an account in Account Management.
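The Role rules spread across Q85 through Q91 (Roles bundle entitlements, a Role edit reaches every holder at once, an AA needs Admin over every entitlement in a Role to assign or unassign it, and a Role cannot be deleted while accounts still hold it) are easier to reason about as one small model. The following is an added Python example written for this FAQ; it is not FINRA code and does not reflect how the Account Management System is implemented. The three sensitive privilege names come from Q97; the ordinary entitlement names, the account names and the Role names are constructed for the example.

```python
from dataclasses import dataclass, field

# Privilege names that expose sensitive information (named in Q97 of the FAQ).
SENSITIVE = {"View SSN", "View CHRI Information", "View Fingerprint Statuses"}
# Constructed, non-sensitive entitlement names used only for this example.
ORDINARY = {"Form U4 Filing", "Form U5 Filing", "Form BD Amendment"}
ALL_ENTITLEMENTS = SENSITIVE | ORDINARY


@dataclass
class Role:
    name: str
    entitlements: set
    status: str = "Active"      # Active, Deleted or Incomplete (Q82)
    delete_reason: str = ""


@dataclass
class Account:
    username: str
    admin_for: set = field(default_factory=set)   # entitlements held with Admin (Q90)
    direct: set = field(default_factory=set)      # privileges granted outside any Role (Q94)
    roles: set = field(default_factory=set)
    can_assign_roles: bool = False                # the Assign Roles privilege (Q88)


class EntitlementStore:
    """Toy model of Role Management; assumed structure, not the platform's own."""

    def __init__(self):
        self.roles = {}
        self.accounts = {}

    def add_account(self, acct):
        self.accounts[acct.username] = acct

    def create_role(self, name, entitlements):
        if name in self.roles:
            raise ValueError(f"Role name must be unique: {name}")   # Q81, step 1
        status = "Active" if entitlements else "Incomplete"          # Q82
        self.roles[name] = Role(name, set(entitlements), status)
        return self.roles[name]

    def update_role(self, name, add=(), remove=()):
        role = self.roles[name]
        role.entitlements = (role.entitlements | set(add)) - set(remove)
        role.status = "Active" if role.entitlements else "Incomplete"

    def effective_entitlements(self, username):
        """Roles are resolved at read time, so a Role edit reaches every holder at once (Q87)."""
        acct = self.accounts[username]
        result = set(acct.direct)
        for role_name in acct.roles:
            result |= self.roles[role_name].entitlements
        return result

    def _has_admin_over(self, admin_name, role_name):
        admin = self.accounts[admin_name]
        role = self.roles[role_name]
        # Q90: the Assign Roles privilege alone is not enough; the administrator
        # must hold Admin over every entitlement the Role contains.
        return admin.can_assign_roles and role.entitlements <= admin.admin_for

    def can_assign(self, admin_name, role_name):
        return (self.roles[role_name].status == "Active"
                and self._has_admin_over(admin_name, role_name))

    def assign_role(self, admin_name, username, role_name):
        if not self.can_assign(admin_name, role_name):
            raise PermissionError(f"{admin_name} cannot assign {role_name}")
        self.accounts[username].roles.add(role_name)

    def unassign_role(self, admin_name, username, role_name):
        if not self._has_admin_over(admin_name, role_name):
            raise PermissionError(f"{admin_name} cannot unassign {role_name}")
        self.accounts[username].roles.discard(role_name)

    def delete_role(self, name, reason):
        holders = sorted(a.username for a in self.accounts.values() if name in a.roles)
        if holders:
            raise RuntimeError(f"unassign {name} from {holders} before deleting")  # Q91
        self.roles[name].status = "Deleted"
        self.roles[name].delete_reason = reason

    def mixed_sensitive_roles(self):
        """Active Roles that commingle sensitive and ordinary access, against the advice in Q85."""
        return sorted(r.name for r in self.roles.values()
                      if r.status == "Active"
                      and r.entitlements & SENSITIVE
                      and r.entitlements - SENSITIVE)


def build_demo():
    """Constructed scenario: one SAA, one AA with limited Admin, one plain user."""
    store = EntitlementStore()
    store.add_account(Account("saa", admin_for=set(ALL_ENTITLEMENTS), can_assign_roles=True))
    store.add_account(Account("aa1", admin_for={"Form U4 Filing", "Form U5 Filing"},
                              can_assign_roles=True))
    store.add_account(Account("jdoe"))
    store.create_role("Registration Clerk", {"Form U4 Filing", "Form U5 Filing"})
    store.create_role("CHRI Viewer", {"View CHRI Information"})      # sensitive-only Role (Q85)
    store.create_role("Clerk Plus SSN", {"Form U4 Filing", "View SSN"})  # commingled, flagged below
    return store
```

In the demo, `aa1` can assign "Registration Clerk" but not "CHRI Viewer", because it lacks Admin over the CHRI entitlement (the situation described in Q90); deleting "Registration Clerk" fails until the SAA unassigns it from `jdoe` (Q91); and `mixed_sensitive_roles()` reports only "Clerk Plus SSN".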
Sensitive Information
Q95: What is sensitive information?
A: Sensitive information is information that must be protected to ensure privacy of individuals and organizations and where the loss, misuse, or unauthorized access to or modification of data could cause harm to those individuals and organizations. Assign access to sensitive information only to individuals who require this access to perform their current job responsibilities.
Q96: What are examples of sensitive information in FINRA systems?
- Criminal Justice Information (CJI) data, which refers to FBI-sourced information (e.g., fingerprints, personally identifiable information from a fingerprint, fingerprint results, criminal history record information (CHRI), etc.) necessary for organizations to perform their missions, including but not limited to biometric, identity history, and biographic data.
- Personal Identifying Information which refers to information such as social security number, date of birth, residential address, etc.
Q97: What are examples of the privileges on the FINRA Entitlement Platform that contain sensitive information?
A: Examples include the following:
- CRD View Fingerprint Statuses (BD Only)
- View Individual Information > View CHRI Information (BD only)
- View SSN
Note (New): When you select a privilege and/or a Role that provides access to sensitive information (e.g., fingerprints, CHRI, social security number), a new prompt will display to warn you that you have selected privileges that give access to sensitive information. As an administrator, you are responsible for confirming that the selected access is authorized by your organization and that access is appropriate based on the individual’s current job responsibilities. Be aware that access to sensitive information may require compliance with federal or state privacy and data security laws and obligations.
Q98: As an SAA or AA that grants users authorized access to view Criminal Justice Information through FINRA systems, are there specific requirements to consider?
A: As an Administrator for your organization, you are responsible for confirming that an individual user’s access to Criminal Justice Information (CJI) contained in FINRA systems is necessary for the user to perform their job responsibilities. CJI refers to FBI-sourced fingerprint and fingerprint results (Criminal History Record Information (CHRI)) as well as the personal identifying information for the associated individual received from the FBI. As a result of accessing CJI through FINRA systems, your organization is responsible for complying with the requirements set forth in the current FBI Criminal Justice Information Services Security Policy (Policy). This Policy establishes the minimum set of security requirements an organization must implement to maintain appropriate controls to protect and safeguard CJI.
Q99: How should sensitive information be managed?
A: Keep access to sensitive information separate from access to other functionality and systems on the FINRA Entitlement Platform. Consider creating a new Role that provides access only to sensitive information (e.g., Criminal History Record Information, social security numbers), and then assign this Role to individuals who require this level of access to perform their current job responsibilities. Do not co-mingle other access with sensitive information access. It is more efficient to remove a Role that provides only access to sensitive information from an account.
Q100: How can Administrators monitor accounts with access to sensitive information?
- Perform periodic reviews, and review access when an individual has changed positions or transferred to a new department within the organization. Validate with their manager whether the individual continues to need access to sensitive information based on their current job responsibilities.
- Modify account(s) when the individual no longer requires access, particularly in the case of sensitive information.
- During the annual FINRA Entitlement User Accounts Certification Process, review accounts to confirm an ongoing need for access to sensitive information and remove privileges and/or Roles that grant access to such information if no longer required. See the Certification Process section.
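The review criteria in Q60 (continuing need, least privilege, sensitive data only where required) and the monitoring steps in Q100 amount to a checklist run over each row of the Accounts Certification Report. The following is an added Python example for this FAQ, not FINRA code: it takes constructed report rows and returns the findings an SAA would chase up. The sensitive privilege names are the three listed in Q97; the 90-day inactivity threshold, the column names, the usernames and the entitlement names are assumptions made for the example, since the page sets no number for "last login".

```python
from datetime import date

# Privilege names that carry sensitive information, as listed in Q97 of the FAQ.
SENSITIVE_PRIVILEGES = {
    "CRD View Fingerprint Statuses (BD Only)",
    "View Individual Information > View CHRI Information (BD only)",
    "View SSN",
}
# Assumed inactivity threshold; the FAQ recommends reviewing last login but names no number.
DORMANT_AFTER_DAYS = 90


def review_account(row, as_of, dormant_after_days=DORMANT_AFTER_DAYS):
    """Return (code, detail) findings for one Accounts Certification Report row (assumed columns)."""
    findings = []
    last = row["last_login"]
    if last is None:
        findings.append(("never_logged_in", "account has never been used"))
    else:
        idle = (as_of - last).days
        if idle > dormant_after_days:
            # Q60: does the user still need the account at all?
            findings.append(("dormant", f"last login {idle} days ago"))
    sensitive = set(row["privileges"]) & SENSITIVE_PRIVILEGES
    if sensitive and not row["manager_confirmed_need"]:
        # Q100: sensitive access must be validated with the individual's manager.
        findings.append(("sensitive_unconfirmed",
                         "sensitive access not confirmed by manager: " + ", ".join(sorted(sensitive))))
    if row["privileges_outside_roles"]:
        # Q94: privileges granted outside Roles make an account harder to review.
        findings.append(("direct_privileges",
                         "privileges granted outside Roles: " + ", ".join(sorted(row["privileges_outside_roles"]))))
    return findings


def certification_findings(report, as_of):
    """Map each username to its findings; an empty list means nothing to follow up."""
    return {row["username"]: review_account(row, as_of) for row in report}


def accounts_needing_action(findings):
    """Usernames with at least one finding, sorted for the SAA's follow-up list."""
    return sorted(user for user, items in findings.items() if items)


# Constructed sample rows standing in for an exported Accounts Certification Report.
SAMPLE_REPORT = [
    {"username": "asmith", "last_login": date(2024, 3, 1),
     "roles": {"Registration Clerk"}, "privileges": {"Form U4 Filing"},
     "privileges_outside_roles": set(), "manager_confirmed_need": True},
    {"username": "bjones", "last_login": date(2023, 9, 15),
     "roles": {"Registration Clerk", "CHRI Viewer"},
     "privileges": {"Form U4 Filing",
                    "View Individual Information > View CHRI Information (BD only)",
                    "View SSN"},
     "privileges_outside_roles": {"View SSN"}, "manager_confirmed_need": False},
    {"username": "cnguyen", "last_login": None, "roles": set(), "privileges": set(),
     "privileges_outside_roles": set(), "manager_confirmed_need": True},
]
AS_OF = date(2024, 3, 31)   # constructed certification date


if __name__ == "__main__":
    for user, items in certification_findings(SAMPLE_REPORT, AS_OF).items():
        print(user, items or "OK")
```

With the sample rows, `asmith` has no findings, `bjones` is flagged as dormant (198 days since last login), as holding unconfirmed sensitive access, and as carrying a privilege granted outside a Role, and `cnguyen` has never logged in; the follow-up list is therefore `bjones` and `cnguyen`.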
Q101: What should you do if you have a suspected or actual compromised account with access to sensitive information?
A: If you suspect or know that an account has been compromised or subject to unauthorized access, disable or delete the account immediately (within 30 minutes of discovery).
Q102: Why should organizations consider separation of duties when working with sensitive information?
A: Separation of Duties is an administrative control to segregate responsibilities among more than one individual so that no one person has sole control over the lifespan of a task or transaction. When granting access to sensitive information, consider how to separate duties across more than one individual to perform a task. This concept reduces opportunities for fraud, sabotage, or misuse or theft of information by promoting discovery of errors by another person who is involved in completing the task or transaction.