FINRA Entitlement Program Frequently Asked Questions
On this page
- What is FINRA Entitlement?
- Super Account Administrator Information
- Replace/Update SAA
- General Entitlement Information
- Dormant User Account Process
- Certification Process
- Security Questions and Answers
- Role Management
The following FAQs address general Entitlement questions. For detailed information, refer to the website specific to each user group:
FINRA Entitlement Reference Guide
A: FINRA Entitlement is the process by which a user is granted secure access to a participating FINRA Web Application(s) by a Super Account Administrator (SAA) or an Account Administrator (AA) who maintains that account. Entitlement includes creating and deleting accounts and granting specific privileges within an application(s) that allow a user to perform his/her job responsibilities by using specific functionality within a FINRA application.
Q2: What are the responsibilities of an SAA?
A: Each organization with access to FINRA’s Entitlement Program must designate an SAA. An SAA is entitled as an administrator for all applications participating in the FINRA Entitlement Program that are available to that organization. An SAA is able to create, edit and delete accounts for both Account Administrators and users at an organization. The SAA also monitors and reviews accounts to ensure proper access and ensures that users adhere to FINRA’s security procedures and related terms and conditions. An SAA is responsible for requiring a user to update his/her security questions if a user experiences an account lockout due to multiple incorrect responses to a security question or if the SAA believes that a user’s security questions have been compromised. An SAA is required to complete the FINRA Entitlement User Accounts Certification Process when prompted by FINRA.
Q3: What are the criteria for designating an SAA?
A: Each firm is responsible for selecting an SAA. The SAA is a powerful role with administrator rights to all applications and entitlements that are available for an organization, so careful consideration should be given when designating an SAA. Consider the following when designating your SAA:
- An SAA is expected to have the requisite knowledge of their organization’s users and the associated responsibilities of these users to justify access to the required systems and functions to which access is granted.
- An SAA must have the organization’s trust and confidence to perform the responsibilities to manage access for all of their users and to follow the FINRA Entitlement procedures and policies, as well as the access management requirements of their organization.
- An SAA may need to coordinate with other departments and individuals to confirm access of an organization’s users. In addition, machine accounts created by the FINRA Entitlement Group may require an SAA to coordinate with their organization’s Technology Specialists to verify use.
- An SAA is formally delegated the authority by the organization and authorized by the New Organization Super Account Administrator (SAA) Form (or the Replace SAA online process) to perform the SAA responsibilities on the organization’s behalf.
- An SAA may serve in this role for multiple organizations (affiliated or non-affiliated); however, a separate username and password is required for each organization. The individual does not need to have an existing FINRA Entitlement Account.
An SAA designation for a new organization must be executed on the current version of FINRA’s New Organization SAA Form, as instructed, and be executed by an Authorized Signatory (See Question 6), as defined by FINRA. An organization must immediately replace an SAA, which is managed through an online workflow, and which requires an Authorized Signatory’s approval.
Q4: How many SAAs can an organization have?
A: For security reasons, an organization may designate only one (1) SAA to serve in this role. The FINRA Entitlement Program automatically checks that only one SAA is designated for an organization. An organization is defined as an entity with a unique Org ID # (whether an entity or an affiliate of an entity).
Q5: How do I designate an SAA for my new organization?
A: Complete the New Organization SAA Form when your new organization is first requesting access to the FINRA Entitlement Program and needs to designate its SAA. Follow the specific instructions on the form, noting the requirements for an Authorized Signatory. This form can be submitted electronically via DocuSign or a downloadable PDF submitted via email, fax or mail.
A: FINRA defines an Authorized Signatory for an organization as follows:
- Broker-Dealer (BD) and CAB Firms: An Authorized Signatory is the Chief Compliance Officer (CCO) or authorized officer (or other authorized person) listed on Schedule A of the Organization’s Initial Form BD and the signer and the designated SAA are not the same person.
- Investment Adviser Firms: An Authorized Signatory is either the Chief Compliance Officer (CCO) or Additional Regulatory Contact (ARC) who will be listed on the Organization’s Initial Form ADV and the signer and the designated SAA are not the same person.
- Regulators: An Authorized Signatory is the Securities Commissioner, Chief Regulatory Officer or other Authorized Signatory and the signer and the designated SAA are not the same person.
Q7: Can the individual who is to be designated as the firm SAA also be the person who signs the SAA Form, as an Authorized Signatory?
A: In limited circumstances, the individual may be both the designated SAA and an Authorized Signatory. These circumstances are restricted to when the organization is a sole proprietorship, or when no other individual with the authority to sign for the organization is available, because there are no other individuals in this capacity at the firm, or an alternate Authorized Signatory is not available due to unforeseen circumstances (e.g., illness). When the SAA and the Authorized Signatory are the same person, complete Form B of the SAA Form.
Q8: The SAA Form has a Form A and a Form B; which one should I complete?
A: Use Form A when the Super Account Administrator for the organization is NOT the same person who will sign the SAA Form. Use Form B for all other circumstances.
Q9: Our firm wants to designate the Chief Compliance Officer as the SAA. Our organization has other individuals who meet FINRA’s definition of an Authorized Signatory – for example, a Chief Operating Officer and Chief Financial Officer. We completed all required fields of the Form A of the SAA Form. Did we follow the instructions correctly?
A: While your firm completed the correct form, Form A, this form typically would be rejected because your firm has other Authorized Signatories who are available to sign the form. The individual who is being designated as the SAA cannot sign the form when other Authorized Signatories are available. In limited circumstances a form that meets this condition may be processed—see question 7 above.
Q10: How do I complete the SAA Form electronically?
A: FINRA offers the SAA Forms via DocuSign, which allows the form to be completed and submitted electronically.
Q11: Can the same individual be designated as an SAA for multiple firms (affiliated or non-affiliated)?
A: Yes, as long as the individual is formally delegated appropriate authority to act on behalf of the organization.
Q12: Can a firm designate its own SAA as well as its affiliates?
Q13: If I am a new FINRA Entitlement user and designated as an SAA, how will I receive my User ID and Password?
A: For security reasons, the SAA will receive two (2) separate emails; one with the user ID and one with a temporary password. You must change the temporary password during the first login.
Q14: What can I expect as an SAA when I first log in with the User ID and temporary password provided to me by the FINRA Entitlement Group?
A: To ensure that only you have access to your password, when you first log into any participating FINRA Entitlement application to which you have been entitled, you will be directed to create your own password. You will first need to enter the temporary password provided to you by the FINRA Entitlement Group and then create and enter your own password for future use. You will also be directed to select three security questions and responses. The security information will be used if you forget your password or become locked out of your account. When you call the Gateway Call Center, you will be asked to confirm your identity as an Account Administrator by providing your response to all three of the security questions you selected.
Q15: If I already have a FINRA Entitlement account and later am designated as the SAA, will I receive a new user ID and password?
A: No, an existing FINRA Entitlement account that is upgraded to an SAA can use the existing user ID and password. Any entitlements granted prior to the SAA designation will also remain.
Q16: What should an SAA do if his/her account password needs to be reset?
A: The SAA should contact the Gateway Call Center to have his/her password reset or account unlocked.
Q17: How do I find out who my organization’s SAA is?
A: Users can click on the red dot in the upper right-hand corner and select My Account; the SAA is displayed in the Organization Profile section. Account Administrators can also see the SAA designation in the Account Management Search Results Screen.
Q18: Are there any FINRA Entitlement Program applications that are excluded from the SAA process?
A: Yes, the file transfer protocol (FTP) and internet file transfer (IFT) accounts are excluded from the SAA process. Due to the unique environment of these applications, FINRA maintains account administration rights to create these types of accounts. For access, an Authorized Signatory will need to request the FTP/IFT Entitlement Form by contacting the Gateway Call Center. The FINRA Entitlement Group confirms the identity of the requester and pre-populates the form with a unique identifier specific to the request. When the form is returned to FINRA, the pre-populated information on the form must match the unique identifier that FINRA provided. FINRA sends the form only to an Authorized Signatory at the firm, using the individual’s contact information on file.
Q19: I’m a new SAA and cannot access Web CRD, FOCUS, or any other application I need. Why?
A: New SAA accounts will automatically be set up with administrator capabilities which will enable you to create account administrator or user accounts for your firm. However, in order to access or use any of the requested applications and privileges for yourself, you will need to set your own user privileges to your SAA account. You are responsible for determining and setting access to the applications and privileges which you need to use to perform your job functions.
Q20: How does an SAA self-entitle “User” privileges to applications in the Account Management System?
A: As a new SAA, you will need to entitle yourself to any user privileges for applications you need to use to perform your job functions. Keep in mind that you will not be able to access any application unless you have marked “User” for that application for your SAA account. See Section 1.5 (How To Self-Entitle User Privileges as an SAA) of the FINRA Entitlement Reference Guide.
Q21: How does an SAA select Unique IDs and Report Center privileges for an Account Administrator?
A: See Section 6: Step 6 of the FINRA Entitlement Reference Guide.
Q22: How do I get "Administrator" access to new Entitlement Applications/Privileges added on the FINRA Entitlement Program?
A: FINRA will systematically entitle the SAAs that are to be granted the new entitlement.
Q23: As an active SAA, why are there times when I can’t edit/create a user’s account?
A: On occasion, Entitlement functionality is temporarily suspended to allow the FINRA Entitlement Group to process transactions (e.g., set a new privilege) for a specific account. Once processing is complete, Entitlement functionality is re-established.
(See the FINRA Entitlement Reference Guide, Section 1.4 for more details)
Q24: How does my organization replace its SAA?
A: The Account Management System offers an online workflow that enables your organization to replace its SAA. An Authorized Signatory must approve any online request in order for it to be fulfilled. See the FINRA Entitlement Reference Guide, Section 1.4.1 for more information on SAA replacement.
Note: If your firm is an investment adviser that already has access to the FINRA Entitlement Program and has not yet filed your initial ADV, you must complete the New Organization SAA Form to replace your SAA.
Q25: Who can submit a Replace SAA Request?
A: Any individual at the organization with an active FINRA Gateway account is able to submit a request to replace the SAA, though the request will need to be approved by an Authorized Signatory before it will be fulfilled. For more information on replacing an SAA, refer to the Entitlement Reference Guide, Section 1.4.1.
Q26: When Replacing the SAA, is an Organization able to maintain an account for the former SAA?
A: Yes, the organization has the option to convert the current SAA to a User Account if the individual will continue to require access to application(s). If you decide to convert the current SAA to a User, once the request is approved and processed, the SAA’s account will have the SAA administrator role removed and only those privileges that had User marked will remain. An organization also has the option to delete the account of the former SAA when requesting an SAA replacement.
Q27: What does my organization do if our SAA will be out of the office for an extended period of time?
A: First, consider that Account Administrators in your organization are able to perform most entitlement transactions (e.g., creating, updating, or deleting user accounts, resetting user passwords). If there are no Account Administrators and an SAA will be unavailable for an extended period of time, your organization will need to replace the SAA. The requester must complete the online Replace SAA process. If the former SAA needs to return to that role, the organization will need to submit a new request using the online Replace SAA workflow.
Q28: How will an organization be notified when an SAA is designated?
A: For newly created SAAs for organizations, both the Authorized Signatory who signed the SAA Form and the SAA will receive an email when the SAA’s account has been processed by FINRA. When replacing an SAA using the online workflow, an email will be sent to the Requester, Authorized Submitter and SAA once the workflow is complete.
Q29: Who can submit an update to an SAA’s name or email address?
A: Only the SAA is able to submit a request to update their name and/or email address. The request will need to be approved by an Authorized Signatory before it will be fulfilled. For more information on updating the name and/or email address of the SAA, refer to the Entitlement Reference Guide, Section 1.4.2.
Note: If your firm is an investment adviser that already has access to the FINRA Entitlement Program and has not yet filed your initial ADV, an SAA must complete the New Organization SAA Form to update their name or email.
Q30: Where do I find the status of a Replace or Update SAA Request?
Q31: Who can see the status of a Replace or Update SAA Request?
A: Any individual at the organization with an active FINRA Gateway account will be able to view all active and completed requests to replace an SAA. Only SAAs can view their requests to update their name and/or email address. See question 30 for information on how to see request statuses.
Q32: What does it mean to "Import" an account?
A: The ability to clone accounts has been enhanced and relabeled as the Import Entitlements feature. The purpose of this new feature is to import entitlements to a newly created account or to add entitlements to an existing account. You can import entitlements from multiple accounts as many times as required with this new feature. See Section 7 (How To Import Accounts) of the FINRA Entitlement Reference Guide.
Q33: Can I use the import function to update an existing user’s privileges?
A: Yes. Importing may be used when creating a new user account or updating an existing account.
Q34: What should a user at my organization do if he/she has forgotten the password or locked his/her account?
A: A user who forgets his/her password can click on the Forgot Password? link on the login screen to request a new password. To use this functionality, the user must know his/her security response.
Five incorrect password attempts within one hour will result in a locked account. The account will auto-unlock after one hour. Accounts can be unlocked sooner than one hour if users contact their SAA or AA. If it is an SAA account, the SAA needs to contact the FINRA Gateway Call Center.
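The lockout rule in the answer above, modelled as an added example (not FINRA's implementation and not code from this page). Assumptions: the one-hour window is sliding, the unlock timer starts at the fifth failure, attempts made while locked are refused without being counted, and a successful login clears the failure count; the class, method and user names are hypothetical.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5             # from the FAQ: five incorrect password attempts
WINDOW_SECONDS = 3600        # from the FAQ: within one hour
AUTO_UNLOCK_SECONDS = 3600   # from the FAQ: auto-unlock after one hour


class LockoutTracker:
    """Hypothetical model of the lockout rule; timestamps are plain seconds."""

    def __init__(self):
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_at = {}                 # user -> time the lock was applied

    def is_locked(self, user, now):
        locked_at = self._locked_at.get(user)
        if locked_at is None:
            return False
        if now - locked_at >= AUTO_UNLOCK_SECONDS:
            # Assumption: the unlock timer runs from the moment of the lock.
            self._clear(user)
            return False
        return True

    def attempt(self, user, password_ok, now):
        """Record one login attempt; return 'ok', 'failed' or 'locked'."""
        if self.is_locked(user, now):
            return "locked"  # a correct password is refused while locked
        if password_ok:
            # Assumption: a successful login clears earlier failures.
            self._failures.pop(user, None)
            return "ok"
        recent = self._failures[user]
        recent.append(now)
        # Sliding window: drop failures that are one hour old or older.
        while recent and now - recent[0] >= WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self._locked_at[user] = now
            return "locked"
        return "failed"

    def admin_unlock(self, user):
        """Unlock before the hour is up, as an SAA or AA can for a user."""
        self._clear(user)

    def _clear(self, user):
        self._locked_at.pop(user, None)
        self._failures.pop(user, None)


def replay(events):
    """Run (timestamp, user, password_ok) events through a fresh tracker."""
    tracker = LockoutTracker()
    return [tracker.attempt(user, ok, ts) for ts, user, ok in events]


# Constructed sample: five failures in 40 minutes, a correct password during
# the lock, then a correct password one hour after the lock was applied.
SAMPLE_EVENTS = [
    (0, "alice", False),
    (600, "alice", False),
    (1200, "alice", False),
    (1800, "alice", False),
    (2400, "alice", False),
    (3000, "alice", True),
    (6000, "alice", True),
]

if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", result)
```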
Q35: I am attempting to select a password for my account and the system keeps rejecting the passwords I choose. Why might this be happening?
A: See the Password Requirements page for a list of password parameters and features.
Q36: How long will it take to process my entitlement form?
A: Please allow approximately three business days from receipt of a non-deficient SAA Entitlement Form. For FTP users, allow approximately four business days from receipt of a non-deficient FTP entitlement form.
Q37: I have user accounts set up for multiple organizations (e.g., service provider or an individual with separate user accounts for affiliated firms/entities). Why am I receiving Access Denied when I attempt to log in with some of these accounts even though I have provided the correct login information?
A: Your browser could contain a memory of the account information viewed during your previous session. We recommend that you completely close your browser window and start a new browser session prior to logging in again.
Q38: Does a user account ever get automatically deleted?
A: Accounts are considered dormant if they are not used for a defined period of time. For security reasons, FINRA deletes dormant accounts.
Q39: What is the impact if an SAA account is deleted due to dormancy?
A: Although an SAA account should never go dormant based on an SAA’s responsibilities, if an SAA’s account is deleted due to dormancy, there is significant impact to the organization. All FINRA Entitlement Program user accounts for the organization will lose system access until the SAA account is recreated, which requires the firm to contact FINRA.
Q40: How can Administrators manage accounts to prevent dormancy?
- Perform periodic reviews to ensure individuals are using their accounts based on their job responsibilities (e.g., check last login date available for each account in Account Management) and question a user if the elapsed timeframe indicates the account is not being used.
- Delete account(s) when the individual no longer requires access per their job responsibilities or is not using their account.
- Remember to log in periodically to prevent your account from going dormant.
Q41: What do I do if my account is deleted due to dormancy?
A: If your account is deleted due to inactivity, you will need a new user account created to resume access to FINRA applications. You will need to:
- Contact your organization’s SAA or AA to create a new user account.
- If your organization does not have an SAA or AA, or if you are the SAA or an AA with an account created by FINRA, contact FINRA at [email protected] to create a new user account.
Q42: What is the FINRA Entitlement User Accounts Certification Process?
A: FINRA established the FINRA Entitlement User Accounts Certification Process as part of its ongoing efforts to protect the integrity and confidentiality of regulatory, proprietary and personal information maintained by FINRA. Additionally, the certification requirement supports each organization’s compliance with the management of authorized users on FINRA systems. The process provides a formal review of all user accounts in the FINRA Entitlement Program administered by an SAA.
Q43: How frequently will the FINRA Entitlement User Accounts Certification Process be conducted?
A: Certification is generally conducted annually.
Q44: Can an organization’s Administrators review users’ access at any time during the year or are user access reviews limited to only during the annual Certification Period?
A: FINRA strongly recommends administrators review user accounts on a regular basis to ensure that accounts remain valid, have proper entitlement, have been deleted if access is no longer needed, and email addresses are correct. The frequency of access reviews may depend on the size of the organization, staff turn-over, the number of organizational changes, an organization’s security guidelines, or other factors that an organization considers in its risk profile. See Section 11 (How To Review Accounts) of the FINRA Entitlement Reference Guide.
Q45: Are all organizations required to certify their user accounts?
A: No. Organizations with only an SAA account and no other user/administrator accounts have the option to certify but are not required to, unless the firm has access to the Consolidated Audit Trail (CAT). Firms with one or more accounts with access to CAT must certify.
Q46: If during the Certification Period the number of users at my organization decreases to only one user, will my organization still need to certify?
A: If your organization had more than one user on the start date of the Certification Period, your organization still needs to certify regardless of the changes made to the user population during the Certification Period.
Q47: How long is the Certification Period?
A: The Certification Period is approximately 90 calendar days.
Q48: Who at my organization is responsible for completing the Certification Process?
A: The SAA is responsible for ensuring that the Certification Process is completed by the due date. For specific dates and step-by-step instructions, please refer to the following pages:
- Annual Entitlement User Accounts Certification Process
- FINRA Entitlement Reference Guide, See Section 18 for detailed instructions.
Q49: What if my SAA is unavailable during the annual Certification Period?
A: FINRA requires your organization to replace your current SAA with a replacement SAA to complete the Certification Process. See the FINRA Entitlement Reference Guide for more information about the role’s responsibilities as well as the process to update or replace your firm’s SAA.
Q50: How will an organization be alerted to begin the Certification Process?
A: Your SAA will see the Certification banner on the Account Management Admin landing page and will receive an email that includes the start and due date of the Certification period.
Both your SAA and Chief Compliance Officer (or, for IA-firms, the Additional Regulatory Contact) will receive the following emails:
- Reminder email - If certification is not completed as of 10 business days prior to due date.
- Past Due email - If certification is not completed by the deadline.
Q51: When will an SAA be able to begin the Certification Process?
A: FINRA’s Entitlement User Accounts Certification Process is typically an annual process. An SAA may begin the certification process as soon as he/she receives the Certification message on the Account Management Admin landing page and/or email notification.
Q52: How does the SAA begin the FINRA Entitlement User Accounts Certification Process?
A: Instructions on how to begin the Certification Process are included in the FINRA Entitlement User Accounts Certification email messages and on the Account Management Admin landing page during the certification period. Please see the FINRA Entitlement Reference Guide, Section 18 for screenshots and detailed instructions.
Q53: How will FINRA communicate to the SAAs during the Certification Period?
A: SAAs will receive a series of messages while in the Account Management System that alert them to the status of the Certification Process:
- Initial Message - The FINRA Entitlement User Accounts Certification Period is underway with start date and due date defined.
- Reminder Message - If certification is not completed as of 10 business days prior to due date.
- Past Due Message - If certification is not completed by the deadline.
- Successfully Completed Message - Alerts the organization that the SAA has successfully completed the Certification Process.
Q54: Once the SAA begins the Certification Process will he/she be able to exit the Account Management System and complete the Certification Process at a different time?
A: Yes, an SAA may complete the Certification Process at a different time; however, FINRA recommends that an SAA certify users on the same day the export of user account information is requested to prevent having to perform a subsequent review of users as the entitlement data may have been updated since the download was requested.
Q55: Why would the SAA’s Account Management Certification messages not appear?
A: The certification messages will not display in the Account Management System if your organization has completed the Certification Process and the Certification Period has ended.
Q56: Which accounts are included in the Certification Process?
A: All accounts that have access to an application in the FINRA Entitlement Program are included in the certification process. An SAA is able to search online for a list of their user accounts assigned Roles or Entitlements outside Roles. See Section 10 (How To Request an All Accounts Report) of the FINRA Entitlement Reference Guide.
Q57: How does an SAA get a list of user accounts to review?
A: After clicking Start Certification, the Accounts Certification page will display a list of your users. Please see the FINRA Entitlement Reference Guide, Section 18 for screenshots and detailed instructions.
Q58: In the Accounts Certification Report that lists user account information, there are some criteria that are offered for selection. Which criteria should be selected for the exported report in order to conduct the review of user accounts?
A: The Accounts Certification Report will automatically display all Active accounts. Depending on the size of an organization, an SAA may find it helpful to customize the Accounts Certification Report by using the customizing tools: Columns, Filters, and Groups. FINRA recommends that last login be selected as an option to review when the account was last used. Other criteria may be selected based on an organization’s decision to validate this information. Share this report with other individuals within your organization to confirm each individual’s appropriate entitlement, including access to applications, roles/privileges, and sensitive data.
Q59: Is an SAA considered a user?
A: Yes, an SAA is considered a user of the FINRA Entitlement Program, with access to the Account Management System, and possibly other applications.
Q60: What criteria should my organization use when reviewing our users?
A: You will need to review your organization’s user accounts to determine that:
- each user has a continuing need to access FINRA application(s) on the organization’s behalf;
- each user is entitled only to the applications and privileges needed to perform current job responsibilities; and
- only users who require access to sensitive data (e.g., Criminal History Record Information, Social Security numbers) are entitled to access this type of data.
Q61: What are the consequences if my organization does not complete the Certification Process by the due date?
A: The capability to create accounts, create and assign Roles, edit and import entitlements to accounts will be disabled and will remain disabled for all administrators (SAAs & Account Administrators) until your organization’s SAA completes the Certification Process. Other consequences include notification to the appropriate FINRA district office for FINRA member firms or notifications to other regulators for non-FINRA organizations. In addition, all user accounts for an organization will be suspended.
Q62: Can my firm still certify after the Certification Period?
A: Yes. However, if all accounts have been disabled by FINRA, the SAA will need to contact the Gateway Call Center to arrange for access to complete the certification.
Q63: Can an administrator delete or disable user accounts or reset passwords if the organization has not certified within the period?
A: Yes. For security purposes, administrators may continue to delete or disable user accounts and reset passwords.
Q64: What is the FINRA Security Questions and Answers feature?
A: The first time a user logs in to a FINRA Entitlement application/system (e.g., Web CRD, IARD, Report Center, etc.) the user will be required to select three security questions and provide responses to each question. On subsequent logins, a user may be asked to provide the responses to the security questions he/she selected in order to further verify the user’s identity. This security feature is similar to those used by financial websites as an additional safeguard against unauthorized access.
Q65: Are all users in my organization required to follow the security questions and answers requirements?
A: Yes, all users (Super Account Administrators, Account Administrators and users—including those with public accounts) who access FINRA Entitlement applications/systems are required to follow the requirements of this security feature. Note: FTP (machine-to-machine) user accounts are not impacted as long as the account is used solely for machine-to-machine access. If users log in with the FTP account to update their password online, they will be required to follow the security questions and answers feature.
Q66: How can an SAA/AA determine if an individual has set up his/her security questions?
A: Once a user has set up his/her security questions and responses, the firm’s SAA/AA will be able to see the security questions and responses on the Individual Information screen.
Q67: Can users change their security questions/responses?
A: Yes, users have the option to update their security questions and responses when they log onto a FINRA Entitlement application/system. Look for the Reset Security Questions option on the Individual Information screen. Note: Users must update their security questions and responses if they experience an account lockout due to multiple incorrect responses to their security questions or if they believe the responses to their security questions have been compromised.
Q68: When will I be required to answer a security question?
A: A user may be presented with a security question if one or more of the following occurs:
- During login, if you did not check the box Remember this computer (Choose this option only if this is your computer and you trust this device/computer).
- You log in from a different computer or use a different browser.
- The system detects a change in how you typically interact with the application.
- A year has passed since you have been presented with a security question.
- Your computer’s cookies were deleted since your last login.
- When an SAA contacts FINRA for password help.
- The 30-day time frame in which the login process will "Remember this Computer" has elapsed.
Q69: How many security questions will I be required to answer if one of the above conditions exists?
A: Typically, a user will be required to correctly answer one security question.
Q70: Does the answer to a security question have to exactly match what was provided?
A: The system allows for some flexibility in responses. For example, the system ignores capitalization and accepts minor variations (e.g., street or “St”).
Q71: What will happen if an incorrect response is made to a security question?
A: A user will be presented with another attempt to answer the security question. If a second attempt fails, the user will be presented with a different security question. Eventually, a user will experience an account lockout if too many incorrect responses are provided.
Q72: What should I do if I am locked out of my user account?
A: If your account is locked, contact your Super Account Administrator (SAA) or Account Administrator (AA) to unlock your account. If your account is locked because of multiple incorrect responses to your security questions, your SAA/AA will unlock your account and require you to reset your security questions. If you are an SAA and your own account is locked, or if you do not have an SAA or AA to go to for assistance, contact the FINRA Gateway Call Center.
Q73: I am using a mobile device to access a FINRA Entitlement application/system. Why do I not see the “Remember this computer (Choose this option only if this is your computer and you trust this device/computer).” option when I set up my security information?
A: The login security feature does not support this option for mobile devices. In addition to entering your username and password, mobile users are always required to answer a security question during login.
Q74: If my organization has questions, whom should we contact?
A: Firms should contact the Gateway Call Center at:
- Broker-Dealers: (301) 869-6699
- Investment Advisers: (240) 386-4848
- Funding Portals: (301) 590-6500
(See FINRA Entitlement Guide, Section 17 for more details)
Q75: What are the Role responsibilities of the Super Account Administrator (SAA) and the Account Administrator (AA)?
A: Super Account Administrators (SAAs) are able to:
- Create and manage Roles for their organization
- Assign and unassign Roles for their Account Administrators (AAs) and users
Note: All existing and new SAAs are automatically granted Role Management to their accounts.
Account Administrators (AAs) are able to:
- Assign and unassign Roles for their users, if their SAA has granted their accounts the Assign Roles privilege, which enables Role assignment functionality.
Q76: What are the benefits of using Roles?
- Roles allow an organization to manage entitlements more effectively by grouping entitlements by job functions, positions, or other areas of responsibilities that meet the needs of an organization.
- Roles provide an efficient way to assign access for users as selecting each entitlement for an account is no longer necessary.
- Roles may offer more secure access as users performing the same job functions or responsibilities share the same level of access.
- Roles offer an easier way to review users’ access. In addition, Roles will display for annual account certification, which provides a more effective and efficient way to validate accounts.
- Roles are fully customizable to maximize flexibility. Several Role Templates are available for certain types of organizations to use as is, or to customize.
- All organizations that have Role functionality will be able to create new Roles and fully customize the Roles.
Q77: Are Roles required to be used when setting access for an account?
A: No, Roles are optional. SAAs should consider how best Roles can be used to meet their organization’s access management needs.
Q78: Can Roles be created for AAs and users?
A: Yes, an SAA may create Roles for AAs or for users.
Q79: Is there a system limit to the number of Roles that can be created?
A: No, there is no system limit to the number of Roles that can be created. However, keep in mind that too many Roles will be difficult to manage and maintain. Consider your users: how many individuals perform the same job responsibilities or are in the same position, and which users require special access, such as to sensitive information. Then decide how many Roles are needed for your organization.
Q80: Can Roles be customized?
A: Yes, Roles can be customized. SAAs have the choice when creating Roles to:
- Use Role Templates created by FINRA (available for certain types of organizations) to use as is, or to customize
- Create a new Role by importing or adding entitlements; or,
- Further customize existing Roles previously created by the SAA
Q81: What are the workflow steps when creating a Role?
A: Step 1 – Role Information – Decide on a name for the Role and provide a description of the Role. The SAA must assign a unique name for each Role. A detailed description will help identify the Role’s access and function.
Step 2 – Entitlement/Role Template – Create the Role using a Role Template (if available) to use as is, or to customize, or create a new Role and assign/unassign entitlements.
Step 3 – Review and Create Role – Verify the information for the Role and then select ‘Create Role’. The Role is saved once ‘Create Role’ is selected and the Role is available to assign.
Q82: What are the three Role Types?
- Active – Role available to assign
- Delete – Role is no longer available to assign
- Incomplete – Role with no Entitlements
Q83: Can more than one Role be assigned to an account?
A: Yes, more than one Role may be assigned to an account.
Q84: Can a Role include MPIDs and related entitlements?
A: No, Role functionality does not support MPIDs and related entitlements, and SAAs cannot add MPIDs and entitlements to a Role. To assign MPID entitlements, use Account Management.
Q85: Should entitlements to sensitive data be added to a Role?
A: Keep in mind that all entitlements that are added to a Role are available to each account that is assigned the Role. Before assigning an account to a Role, verify that the individual requires all of the access of the Role to perform their job responsibilities. If not, consider creating a new Role. It is recommended that the SAA consider creating a Role for access to sensitive data (e.g., Criminal History Record Information, Social Security Numbers), and then assign this Role to those users that require this level of access.
Q86: Can an Admin Role be assigned to a user account?
A: Yes, if you assign an Admin (AA) Role to a user account, the user account will become an AA. If that is not your intention, remove the AA Role to revert the account to a user account with the entitlement it had before the AA Role assignment.
Q87: When a Role is updated with additional entitlements, how will it affect the accounts that have been assigned the Role?
A: Users with the Role will have their accounts automatically updated with the added entitlements as soon as the SAA saves the updated Role.
Q88: Do all AAs have the ability to assign Roles?
A: No, only the AAs that have been granted the Assign Roles privilege by their SAA will have the functionality to assign Roles to users. However, when granting this privilege to an AA, keep in mind that the AA must have Admin privileges to ALL entitlements the Role includes in order for the AA to be able to assign/unassign the Role to a user.
Q89: Will all AAs be able to view Roles assigned to the users?
A: No, not all AAs will be able to view Roles assigned to users. Only those AAs who have been granted the Assign Roles privilege will be able to view a Role assigned to a user’s account.
Q90: As SAA, I granted the Assign Roles privilege to my AA, but my AA said that they cannot assign/unassign the Roles. Why?
A: Make sure that your AA has Admin privileges to ALL entitlements in each Role that you want the AA to manage. If your AA does not have Admin to one or more privileges in a Role, they will not be able to assign/unassign that Role, even with the Assign Roles privilege. Before you grant your AA the Assign Roles privilege, review the AA’s account to verify that the account has Admin to all the privileges within the Role(s). If an AA tells you they cannot assign/unassign a Role, review the AA account and edit the account to include Admin to the missing Role privileges.
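The rule in Q88 and Q90 can be checked before delegating Roles, as part of an access review. The following is an added example, not FINRA code and not part of the original FAQ: it models Roles and AA accounts as plain Python data (every Role, entitlement and account name is constructed) and reports which Roles each AA cannot assign/unassign, and why.

```python
"""Model of the Role-assignment rule from Q88/Q90 (illustrative, not FINRA code).

All Role, entitlement and account names below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class AdminAccount:
    name: str
    assign_roles: bool  # True if the SAA granted the Assign Roles privilege
    admin_entitlements: set = field(default_factory=set)  # entitlements held with Admin


def assignment_gaps(aa, roles):
    """Return {role_name: reason} for every Role this AA cannot assign/unassign."""
    gaps = {}
    for role_name, entitlements in roles.items():
        if not aa.assign_roles:
            gaps[role_name] = "Assign Roles privilege not granted"
            continue
        # The AA needs Admin to ALL entitlements the Role includes.
        missing = sorted(set(entitlements) - aa.admin_entitlements)
        if missing:
            gaps[role_name] = "missing Admin to: " + ", ".join(missing)
    return gaps


def review(admins, roles):
    """Build a per-AA report an SAA could check before delegating Roles."""
    return {aa.name: assignment_gaps(aa, roles) for aa in admins}


# Constructed sample data (hypothetical Roles and entitlements)
ALL = {"Form Filing", "View Individual", "Reports", "Sensitive Data View"}
ROLES = {
    "Registration Clerk": {"Form Filing", "View Individual"},
    "Compliance Reviewer": {"View Individual", "Reports", "Sensitive Data View"},
}
ADMINS = [
    AdminAccount("aa_full", True, set(ALL)),
    AdminAccount("aa_partial", True, {"Form Filing", "View Individual"}),
    AdminAccount("aa_no_priv", False, set(ALL)),
]

if __name__ == "__main__":
    for name, gaps in review(ADMINS, ROLES).items():
        print(name, gaps or "can assign every Role")
```

An empty result for an AA means the account can manage every listed Role; any other entry names the Admin privileges to add to the AA account, or shows that the Assign Roles privilege itself is missing.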
Q91: When an SAA deletes a Role, will it automatically remove the Role from all the accounts assigned to the Role?
A: No, the SAA will need to first unassign the Role for all accounts assigned to the Role and then delete the Role and provide a Reason for the deletion.
Q92: As SAA, where will I be able to manage and review my firm’s Roles?
A: From the Search Role screen on the Admin landing page, the SAA can:
- Create a new Role
- Click on an existing Role to view, add, or delete entitlements
- Click on an existing Role to delete the Role – you must first unassign all users from the Role
- Use the filters to search for specific Role entities (e.g., Active, Deleted, Role Type, Entitlements)
- View accounts that are associated with a specific Role from the corresponding Actions link on the right-hand side of the screen. If there are no accounts associated with the Role, the Action link displays “No Action Available”.
- Review Role Types.
Q93: Will Roles be viewable for accounts during the annual FINRA Entitlement Account Certification Program?
A: Yes, if your firm creates and assigns Roles to accounts, Roles will appear with each associated account for an SAA’s review during the annual FINRA Entitlement account certification.
Q94: If using the Role Management functionality, is it required that users only be assigned a Role(s)?
A: No, the ability to grant privileges separate from a Role is available. You may assign a user with one or more Roles and also add privileges to the account, though keep in mind that adding individual privileges may increase the complexity of an account, especially when reviewing access. To grant privileges outside of a Role, follow the current process for adding entitlements to an account in Account Management.