FINRA Entitlement Program: Entitlement Reference Guide
This user guide provides Super Account Administrators (SAAs) and Account Administrators (AAs) with the requirements of the FINRA Entitlement Program and instructions and tips for how to navigate the Account Management System of the FINRA Entitlement Program.
i Responsibilities for Managing Account Access
ii Best Practices for Managing Account Access
- Section 1: Super Account Administrator (SAA) Information
- Section 2: Account Administrator (AA) Roles & Responsibilities
- Section 3: How To Access the Account Management Functionality
- Section 4: Setting Up Your Newly Created SAA Account
- Section 5: How To Search For and View an Account
- Section 6: How To Create an Account
- Section 7: How To Import an Account
- Section 8: How To Edit an Account
- Section 9: How To Disable, Enable or Delete an Account
- Section 10: How To Request an Account Details Report
- Section 11: How To Review Accounts
- Section 12: How To Reset a Password
- Section 13: How To Change the User Account Status
- Section 14: FINRA Security Questions Feature
- Section 15: How To Log Out
- Section 16: Dormant Accounts
- Section 17: How To Manage Roles
- Section 18: User Accounts Certification
i Responsibilities for Managing Account Access
- Advise your organization’s users to notify you as the SAA or another Account Administrator immediately (within the same day) when:
- The account owner is terminated or transferred to a position that no longer requires access to FINRA systems.
- An individual no longer performs the job function(s) as part of their current position.
- An account is no longer needed for any reason.
- Disable or delete accounts immediately (within the same day) when you are notified that the individual is:
- No longer with the organization.
- In violation of any relevant organization security policy.
- Disable or delete accounts immediately (within 30 minutes of discovery) if the accounts are subject to a threat that includes the specific account being compromised or subject to unauthorized access.
- Force a password change, reset security questions/answers, or create a new account for an individual if there is suspected activity or evidence indicating that an account may be compromised.
- Address all actual or suspected security issues immediately.
ii Best Practices for Managing Account Access
- Confirm that the selected access is authorized and appropriate for the individual based on their current job responsibilities. Verify that access complies with access, privacy, security, data handling, and other organization policies relevant to the access you are providing. Consider that the selected access may cover information that requires compliance with federal or state privacy and data security laws and obligations. For example, access to fingerprint information has specific safeguarding controls and requirements that are listed in the FBI Criminal Justice Information Services Security Policy (Policy).
- Apply the principle of Least Privilege. Only assign those privileges that align with the individual’s current job responsibilities and nothing more. Verify the individual’s job responsibilities with their manager if you need to confirm if access is valid. Do not set access for an individual’s future job responsibilities.
- Organizations should consider using Role-based entitlement rather than granting access by each privilege as Roles reduce the risk of human error when assigning access. Roles bundle entitlements to grant access for individuals who perform the same job functions and need the same level of access. A Role should provide access to only what a position requires. An SAA (or AA if provided the functionality by their SAA) has the ability to create a Role and assign entitlements to the Role that are required to perform current job responsibilities. In addition, Roles enable a more efficient way to review users’ access. When managing access to sensitive information, an SAA should consider creating a separate Role to access this type of information so that access can be more easily removed when required. Remember, an account may have more than one Role assigned to it.
- Organizations should consider assigning access for separation of duties, an administrative control under which no one person has sole control over the lifespan of a transaction and more than one individual is required to perform a task. This concept reduces opportunities for fraud, sabotage, or misuse or theft of information by promoting discovery of errors by another person who is involved in the task completion.
Section 1: Super Account Administrator (SAA) Information
The FINRA Entitlement Program requires that each new organization required to have a Super Account Administrator (SAA) designate an SAA by submitting a New Organization SAA Agreement. Only one SAA is permitted per organization. The SAA is responsible for managing all access to the systems available through the FINRA Entitlement Program and complying with the requirements of the Program, including completing annual validation and certification of all accounts.
The FINRA Entitlement Group entitles an SAA with administrator access to all FINRA Entitlement Program systems that are available for the organization’s type (e.g., firm, state, SEC).
The SAA is responsible for managing all access for an organization to systems available through the FINRA Entitlement Program and complying with the FINRA Entitlement Program requirements. SAAs are responsible for managing the accounts at their organization including confirming that access is authorized, appropriate and commensurate with the individual’s current job responsibilities/role. In addition, SAAs are responsible for removing access for a specific system or certain functionality when access is no longer needed, and the timely deletion of an account.
1.1: Considerations for Designating an SAA:
- To perform the role of SAA, an individual must be knowledgeable about the organization’s functions, staff positions, job responsibilities and relevant data or have the in-house network of managers and others who they can seek out to ask questions about specific job duties and other detailed information that is necessary for setting access.
- An SAA must have the organization’s trust and confidence to perform the responsibilities to manage access for all of their users and to follow the FINRA Entitlement procedures and policies, as well as the access management requirements of their organization.
- An SAA may need to coordinate with other departments and individuals to confirm access of an organization’s users. In addition, machine accounts created by the FINRA Entitlement Group may require an SAA to coordinate with their organization’s Technology Specialists to verify use.
- Each organization required to have an SAA must designate one SAA and replace an SAA within 30 days when the current SAA is no longer performing that role.
- For firms with affiliates, the same SAA or a different SAA may be designated. Regardless of whether the SAA is the same or different, each affiliate (with its Organization ID#) must provide a signed New Organization SAA Agreement.
- The SAA is formally delegated the authority by the organization to manage all access for the organization and to perform all SAA responsibilities on behalf of the organization as outlined in the New Organization SAA Agreement (or by using the Replace SAA online workflow). In order for FINRA to create an SAA account for a new organization, the designation must be executed on the current version of FINRA’s New Organization SAA Agreement (or by using the Replace SAA online workflow), as instructed, and be executed by an Authorized Signatory, as defined by FINRA.
- An SAA may serve in this role for multiple organizations (affiliated or non-affiliated) with a signed New Organization SAA Agreement for each organization designating the individual.
NOTE: A separate username and password are required for each organization.
- The individual who is to be designated as an SAA does not need to have an existing FINRA Entitlement Account at the time of designation.
1.2: How a New Organization Designates its SAA
Each new organization required to have an SAA must designate its SAA in order to access the FINRA Entitlement Platform. Only one SAA is permitted for an organization. The New Organization SAA Agreement is used by a new organization to designate its SAA.
- For firms with affiliates, the same SAA or a different SAA may be designated. Regardless of whether the SAA is the same or different, each affiliate (with its Organization ID#) must provide a signed New Organization SAA Agreement.
- The SAA is formally delegated the authority by the organization to manage all access for the organization and to perform all SAA responsibilities on behalf of the organization as outlined in the New Organization SAA Agreement. In order for FINRA to create an SAA account for a new organization, the designation must be executed on the current version of FINRA’s New Organization SAA Agreement, as instructed, and be executed by an Authorized Signatory, as defined by FINRA.
Authorized Signatory Instructions and Requirements
The New Organization SAA Agreement has specific instructions and signature requirements noted in the agreement which must be met for processing. This agreement can be submitted electronically via DocuSign or a downloadable PDF submitted via email or mail. Only person(s) authorized to execute these agreements on behalf of the organization are permitted to sign the agreement. The SAA and the Authorized Signatory may be the same person only if there is no other individual at the Organization authorized to act as the Authorized Signatory (e.g., a sole proprietor). If this is the case, you must provide an explanation if you are authorized to execute the agreement on behalf of the organization, but do not meet the Authorized Signatory requirements described below.
- Broker-Dealer (BD) and CAB Firms: An Authorized Signatory is the Chief Compliance Officer (CCO) or authorized officer (or other authorized person) listed on Schedule A of the Organization’s initial Form BD. Generally, the signatory and the designated SAA cannot be the same person. There are limited circumstances when this condition is permitted, and an explanation must be provided for evaluation by the FINRA Entitlement Group.
- Investment Adviser Firms: An Authorized Signatory is either the Chief Compliance Officer (CCO) or Additional Regulatory Contact (ARC) who will be listed on the organization’s initial Form ADV. Generally, the signatory and the designated SAA cannot be the same person. There are limited circumstances when this condition is permitted, and an explanation must be provided for evaluation by the FINRA Entitlement Group.
- Regulators: An Authorized Signatory is the Securities Commissioner, Chief Regulatory Officer or other individual in a position that authorizes signing on behalf of the organization. Generally, the signatory and the designated SAA cannot be the same person. There are limited circumstances when this condition is permitted, and an explanation must be provided for evaluation by the FINRA Entitlement Group.
1.3: SAA Roles and Responsibilities
An SAA is responsible for:
- Complying with the FINRA Entitlement Program requirements.
- Creating accounts for the organization to access the system on the FINRA Entitlement Platform.
- Self-entitling their own “User” privileges when required to perform current job responsibilities.
- Providing their phone numbers, title and department for their account.
- Creating and updating access for Account Administrators and users.
- Creating and managing Roles for the organization. Consider that access to sensitive information (e.g., SSNs and CJI) should be managed through creation of a secondary Role (see Section 17).
- Assigning and unassigning Roles for Account Administrators and users (see Section 17).
- Verifying that access to sensitive information, such as social security numbers (SSNs) and criminal justice information (CJI), is appropriate to the individual’s current job responsibilities. The selected access may cover information that requires compliance with federal or state privacy and data security laws and obligations.
- Applying the principle of Least Privilege to each account by assigning only those privileges that align with the individual’s current job responsibilities.
- Organizations should consider assigning access for separation of duties, an administrative control under which no one person has sole control over the lifespan of a transaction and more than one individual is required to perform a task. This concept reduces opportunities for fraud, sabotage, or misuse or theft of information by promoting discovery of errors by another person who is involved in the task completion.
- Performing password administration, such as unlocking accounts and resetting passwords.
- Disabling an account if they suspect or know of a security issue.
- Deleting an account immediately (within the same day) when an individual no longer requires access to the FINRA Entitlement Platform.
- Deleting accounts immediately (within 30 minutes) if there is a suspected or actual security incident with the account.
- Monitoring the organization’s accounts on a periodic basis by using the Account Details Report.
- Certifying all accounts at the organization for authorized access on an annual basis and by FINRA’s published due date.
1.4: Replacing or Updating an Existing SAA
An online workflow enables an organization to replace its SAA or allows an SAA to update their name and/or email address. The workflow guides the Requester step by step through the request process. While many requests will process automatically once approved by an Authorized Signatory, there are circumstances that require a request to route to the FINRA Entitlement Group for review, research, and validation prior to fulfillment.
Benefits of Online Replace/Update Requests
- Any individual within the organization with an active FINRA Gateway account may request to replace an SAA; however, each request must be approved by an Authorized Signatory. Authorized Signatories auto-populate in the workflow for firms, including Broker Dealers, Capital Acquisition Broker (CAB) firms, and Investment Adviser firms.
- An Authorized Signatory does not need a FINRA Entitlement account to approve a workflow request.
- Only the current SAA may request an update to their name or email address through the workflow.
- An organization has the option to either convert the current SAA account to a User account or delete the account when requesting an SAA replacement.
- Most requests process automatically once an Authorized Signatory approves the request. Certain conditions require a request to route to the FINRA Entitlement Group for manual review and fulfillment.
- The Requester and Authorized Signatory are the only ones who can see the status of their SAA replacement request as it moves through the workflow. Only SAAs are able to see the status of their name and/or email change requests.
- Emails are sent to the organization’s Requester and Authorized Signatory with updates for each request.
1.4.1 Replace SAA
An organization must replace its SAA within 30 days of the current SAA no longer fulfilling that role. To replace an SAA, use the Replace SAA workflow in the Account Management System to designate the replacement SAA. Any individual at your organization with an active FINRA Gateway account is able to submit a replacement request via the Admin landing page, but only the Requester and Authorized Signatory may view the request through Requests & Filings (see Section 1.4.3). Keep in mind that an Authorized Signatory must approve the request before it will be processed.
Step 1: Select Replace SAA from the Admin landing page.
Step 2: Current SAA
From the Current SAA screen, there are 2 options available for you to decide on what is to be done with the current SAA’s account:
- Convert to User Account
- Delete Account
If the current SAA’s account is to remain with user access to one or more systems, select the first option, ‘Convert to User Account’. Once the request is approved by an Authorized Signatory and processed, the SAA administrator role will be removed from the account and only those privileges marked as User will remain. If the current SAA no longer needs access or has terminated from the organization, select the second option, ‘Delete Account’. Once you choose an option, select one of the following actions:
- Cancel
- Workflow is terminated.
- Save & Edit
- Workflow is saved and available to Edit and Submit from the Requests button on the banner shown below. The Requester will be taken back to the first step; however, the previously entered information is retained.
- NEXT
- Workflow moves on to the next step: Select New SAA
Step 3: Select New SAA
Select a new SAA from the list of your users at your organization that have an account.
If the individual you want to designate as the new SAA is not listed under the “Select New SAA” section, a newly created SAA is required. Click on Request New SAA Account on the upper-right screen and go to Step 4.
Once you have completed your selection of the new SAA from the list of your organization’s accounts, select Next to continue with the workflow.
- NEXT
- Workflow moves on to the next step: Select Authorized Signatory
Step 4: If a new SAA is required, enter the information to create the new SAA Account.
Once the new SAA Account information has been entered, select Next to continue with the workflow.
- NEXT
- Workflow moves on to the next step: Select Authorized Signatory
Step 5: Select Authorized Signatory
Select an Authorized Signatory from a list that displays. An Authorized Signatory will need to approve the request before it will be fulfilled. The Authorized Signatories are based on your organization type (e.g., BD, IA) and originate from filing or contact information your firm submitted to FINRA.
FINRA-Defined Authorized Signatories
- For Broker-Dealers, the Authorized Signatory is the Chief Compliance Officer (CCO), authorized officer or other authorized person listed on Schedule A of the firm’s current Form BD or listed in the FINRA Contact System (FCS).
- For Investment Advisers, the Authorized Signatory is the Chief Compliance Officer (CCO), Additional Regulatory Contact (ARC) or other authorized person listed on Schedule A of the firm’s current Form ADV.
- For Funding Portals: An Authorized Signatory is the Chief Compliance Officer (CCO), Chief Executive Officer (CEO), Chief Financial Officer (CFO), Chief Legal Officer (CLO), Chief Operations Officer (COO) or a Director or any other individuals with similar status or functions listed on Schedule A of the firm’s current SEC Form FP.
- For Regulators: An Authorized Signatory is the Securities Commissioner, Chief Regulatory Officer or other individual in a position that authorizes signing on behalf of the organization.
Select an Authorized Signatory from the drop-down list who will approve the request. If you are listed as an Authorized Signatory and other Authorized Signatories are available, you cannot select yourself. If available, select an Authorized Signatory with an email address for fastest processing times.
Select only one Authorized Signatory. If the Authorized Signatory selected does not have an email address on file, a prompt will display for you to enter the individual’s email address.
Note: Funding Portals, regulators and firms without Authorized Signatories on file will be presented with the ‘Add Authorized Signatory’ screen below to enter an Authorized Signatory. Fields marked with an asterisk are mandatory.
Once the Authorized Signatory has been selected/added, select Next to continue with the workflow.
- NEXT
- Workflow moves on to the next step: Review and Send
Note: Be sure to keep your organization’s Authorized Signatories up to date through the FINRA Contact System, Form BD Schedule A, or Form ADV.
Step 6: Review and Send
Review the requested information for completeness and accuracy.
Once you complete the review, select Send Request to continue with the workflow.
- SEND REQUEST
- Confirmation message will display ‘Request to Replace SAA has been Submitted’. Email is sent to the selected Authorized Signatory with a one-time passcode to access the request and decide to approve, deny, or return the request to the Requester.
Step 7: The request is now Pending Review by the Authorized Signatory. A Requester has the option to Recall Request or Exit Request.
Once the request is submitted, select one of the following actions:
- Recall Request
- If yes, the status is changed to ‘draft’ and the Requester is returned to the first step, however the previously entered information will remain.
All ‘draft’ requests older than 30 days will be deleted.
- Exit Request
- Request has been successfully submitted and no further action is required. For more information on viewing the request statuses, see Section 1.4.3 Requests & Filings.
Step 8: With the selection of Exit Request, the Authorized Signatory will receive an email with a one-time passcode, which the Authorized Signatory will use to log into the application to review the Replace SAA request. The one-time passcode allows an Authorized Signatory to access the request without needing a FINRA Gateway (FINRA Entitlement) account. The screen will display the status of ‘Pending review by Authorized Signatory’.
In certain cases, the Authorized Signatory will be required to complete two mandatory comment fields to provide justification in the event:
- The Requester’s email address is the same as the Authorized Signatory’s email address, OR
- The replacement SAA has the same information (email) as the Authorized Signatory and is not the only Authorized Signatory in the organization.
Once reviewed, the Authorized Signatory selects one of the following actions for the request:
- Deny Request
- Acknowledge FINRA Entitlement Agreement
- Authorized Signatory must provide a reason why the request is being denied. The Requester will be able to see the denial reason.
- Requester receives an email ‘SAA Request Denied by Authorized Signatory’. View the request for comments and contact the Authorized Signatory for more information. No further action will be taken on this request.
- Send Back Request
- Acknowledge FINRA Entitlement Agreement
- Authorized Signatory must provide a reason why the request is being sent back. The Requester will see the reason for the returned request.
- Requester will receive an email ‘SAA Replacement Request Returned by Authorized Signatory’. View the request for comments and contact the Authorized Signatory for more information. Requester should be able to address the issue and resubmit the request.
- Approve Request
- Acknowledge FINRA Entitlement Agreement
- Requester receives an email ‘SAA Replacement Request is Approved by Authorized Signatory’. View the approved request.
Request Workflow
While many requests will process automatically once approved by an Authorized Signatory, there are events within the request workflow that will trigger a review by the FINRA Entitlement Group for security or procedural reasons. Following an Authorized Signatory’s approval the FINRA Entitlement Group will receive the request, review and validate the information, and either approve, deny, or return the request to the Requester. The workflow sends a corresponding email to the Requester and Authorized Signatory and provides the FINRA decision status. FINRA statuses are also viewable in Requests & Filings (see Section 1.4.3).
1.4.2 Update SAA Name and/or Email
Only the organization’s Super Account Administrator (SAA) is able to submit a request to update their name and/or email address. An Authorized Signatory is required to approve a request before it will be fulfilled.
Step 1: As the SAA, select Request to Update Name or Email from the Admin landing page.
Step 2: SAA’s Information
From the Change Name or Email Request screen, enter your updated name and/or email address information.
Once the update has been entered, select one of the following actions:
- Cancel
- Workflow has been terminated
- Save & Edit
- Workflow is saved and available to edit and submit from the Requests button on the banner shown below. An SAA is taken back to the first step, however the previously entered information is retained.
- NEXT
- Workflow moves on to the next step: Select Authorized Signatory
Step 3: Select Authorized Signatory
Select an Authorized Signatory from a list that displays. An Authorized Signatory will need to approve the request before it will be fulfilled. The Authorized Signatories are based on your organization type (e.g., BD, IA) and originate from filing or contact information your firm submitted to FINRA.
FINRA-Defined Authorized Signatories
- For Broker-Dealers, the Authorized Signatory is the Chief Compliance Officer (CCO), authorized officer or other authorized person listed on Schedule A of the firm’s current Form BD or listed in the FINRA Contact System (FCS).
- For Investment Advisers, the Authorized Signatory is the Chief Compliance Officer (CCO), Additional Regulatory Contact (ARC) or other authorized person listed on Schedule A of the firm’s current Form ADV.
- For Funding Portals: An Authorized Signatory is the Chief Compliance Officer (CCO), Chief Executive Officer (CEO), Chief Financial Officer (CFO), Chief Legal Officer (CLO), Chief Operations Officer (COO) or a Director or any other individuals with similar status or functions listed on Schedule A of the firm’s current SEC Form FP.
- For Regulators: An Authorized Signatory is the Securities Commissioner, Chief Regulatory Officer or other individual in a position that authorizes signing on behalf of the organization.
Select an Authorized Signatory from the list below who will approve the request. If you are listed as an Authorized Signatory and other Authorized Signatories are available, you cannot select yourself. If available, select an Authorized Signatory with an email address for fastest processing times.
Select only one Authorized Signatory. If the Authorized Signatory selected does not have an email address on file, a prompt will display for you to enter the individual’s email address.
Note: Funding Portals, regulators and firms without Authorized Signatories on file will be presented with the ‘Add Authorized Signatory’ screen below to enter an Authorized Signatory. Fields marked with an asterisk are mandatory.
Once you select/add the Authorized Signatory, select Next to continue with the workflow.
- NEXT
- Workflow moves on to the next step: Review and Send
Note: Be sure to keep your organization’s Authorized Signatories up to date through the FINRA Contact System, Form BD Schedule A, or Form ADV.
Step 4: Review & Send
Review your updated name and/or email address to make sure it is complete and accurate.
Once you complete the review, select Send Request to continue with the workflow.
- SEND REQUEST
- Confirmation message will display ‘Request to Update SAA has been submitted’. Email is sent to the selected Authorized Signatory with a one-time passcode to access the request and decide to approve, deny, or return the request to the SAA.
Step 5: Once submitted, the request is now Pending Review by Authorized Signatory. The SAA will have the option to Recall Request or Exit Request.
Once the request is submitted, select one of the following actions:
- Recall Request
- If yes, the status is changed to ‘draft’ and the SAA is returned to the first step, however the previously entered information will remain.
All ‘draft’ requests older than 30 days will be deleted.
- Exit Request
- Request has been successfully submitted and no further action is required.
- For more information on viewing the request statuses, see Section 1.4.3 Requests & Filings.
Step 6: With the selection of Exit Request, the Authorized Signatory will receive an email with a one-time passcode, which the Authorized Signatory will use to log into the application to review the Update SAA request. The one-time passcode allows an Authorized Signatory to access the request without needing a FINRA Gateway (FINRA Entitlement) account. The screen will display the status of ‘Pending review by Authorized Signatory’.
In certain cases, the Authorized Signatory will be required to complete two mandatory comment fields to provide justification in the event:
- The Requester’s email address is the same as the Authorized Signatory’s email address.
Once reviewed, the Authorized Signatory selects one of the following actions for the request:
- Deny Request
- Acknowledge FINRA Entitlement Agreement
- Authorized Signatory must provide a reason why the request is being denied. The Requester will be able to see the denial reason.
- Requester receives an email ‘SAA Request Denied by Authorized Signatory’. View the request for comments and contact the Authorized Signatory for more information. No further action will be taken on this request.
- Send Back Request
- Acknowledge FINRA Entitlement Agreement
- Authorized Signatory must provide a reason why the request is being sent back. The Requester will see the reason for the returned request.
- Requester will receive an email ‘SAA Update Request Returned by Authorized Signatory’. View the request for comments and contact the Authorized Signatory for more information. Requester should be able to address the issue and resubmit the request.
- Approve Request
- Acknowledge FINRA Entitlement Agreement
- Requester receives an email ‘SAA Update Request is Approved by Authorized Signatory’. View the approved request.
Request Workflow
While many requests will process automatically once approved by an Authorized Signatory, there are events within the request workflow that will trigger a review by the FINRA Entitlement Group for security or procedural reasons. Following an Authorized Signatory’s approval the FINRA Entitlement Group will receive the request, review and validate the information, and either approve, deny, or return the request to the Requester. The workflow sends a corresponding email to the Requester and Authorized Signatory and provides the FINRA decision status. FINRA statuses are also viewable in Requests & Filings (see Section 1.4.3).
1.4.3: Requests & Filings
Step 1: From the Requests & Filings screen, review the Replace SAA and/or Update SAA entries for your organization.
Click on Active and Completed tabs to see corresponding requests. See Active Statuses below.
Only the Requester or Authorized Signatory, at the organization with an active FINRA Gateway account, will be able to view all Active or Completed Replace or Update SAA Requests.
Any individual at the organization with an active FINRA Gateway account will be able to view all Active or Completed Replace SAA Requests. Only SAAs can view their Update SAA Requests.
Filter for Replace SAA and Update SAA requests:
The following filters are presented to assist you in searching for requests:
- Type
  - Replace SAA
  - Update SAA
- Category
  - Account Management
- Status
  - Draft (Active) (All ‘draft’ requests older than 30 days will be deleted)
  - Cancelled
  - Pending Review by Authorized Signatory (Active)
  - Denied by Authorized Signatory
  - Pending Review by FINRA (Active)
  - Denied by FINRA
  - Approved by FINRA
NOTE: Filters are dynamic and will show only when applicable. To remove all filters, click on Clear Filters at the bottom of the left-hand menu.
1.5: How To Self-Entitle User Privileges as an SAA
As a new SAA, you will need to entitle yourself to any user privileges you need to perform your job responsibilities. As the SAA, you have 3 options to self-entitle.
Option 1
To quickly access your own account to self-entitle, click on your User Profile in the upper right-hand corner, select My Account and click on My Entitlements which will open the Edit Entitlements screen and allow you to update your entitlements. See Step 1 below.
Option 2
From your SAA account in Account Management, click on Actions and select Edit Entitlements which will open the Edit Entitlements screen and allow you to update your entitlements. See Step 1 below.
Option 3
From your SAA account in Account Management, click on the User ID hyperlink.
To add/remove entitlements, select Edit Entitlements (under the Entitlement and Access Management tab), which will open the Edit Entitlements screen and allow you to update your entitlements. See Step 1 below.
Step 1: Selecting User allows you access to a specific functionality of the applicable application needed to perform your job responsibilities.
As you are adding or removing entitlements, the shopping cart on the right-hand side of the screen is updated to provide an overview of the selected entitlements. Click Save to save your self-entitled privileges.
1.6: How To Entitle AAs With New Account Management System
As the SAA, you will need to grant AAs the user privilege for the entitlement labelled “Manage Access to New Account Management Application” in the Account Management application.
Section 2: Account Administrator (AA) Roles & Responsibilities
An AA is responsible for the following:
- Creating accounts for the organization to access the system on the FINRA Entitlement Platform.
- Assigning and unassigning Roles for your users, if your SAA grants your account this ability (see Section 17).
- Providing and updating privileges (entitlement) for individual users.
- Verifying that access to sensitive information, such as social security numbers (SSNs) and criminal justice information (CJI), is appropriate to the individual’s current job responsibilities. This selected access may cover information that requires compliance with federal or state privacy and data security laws and obligations.
- Performing password administration, such as unlocking accounts, and resetting passwords for individual users.
- Verifying accounts periodically for authorized access.
- Disabling accounts immediately (within 30 minutes) if there is a suspected or actual security incident with the account.
- Deleting an account immediately (within the same day) when an individual no longer requires access to the FINRA Entitlement Platform.
An Account Administrator CANNOT:
- Change or reset another Account Administrator’s password.
- Change or set up their own account privileges (entitlement) or another Account Administrator’s account.
- Change their own account, another Account Administrator’s account or their Super Account Administrator’s account.
- See deleted accounts.
- Create Roles.
NOTE: An AA who needs assistance and is with an organization that has an SAA should contact their SAA. An AA who needs assistance and is with an organization that does not have an SAA should contact the FINRA Support Center. See the Need Help? Section for contact information.
Section 3: How To Access Account Management Functionality
The Account Management functionality can be accessed several ways:
- BD, IA and BD/IA firms can access Account Management via FINRA Gateway
- SAAs and AAs can also access the Account Management link located within certain applications (i.e., Web CRD, IARD).
- Funding portals can access Account Management via the Funding Portal Gateway
- Regulators & non-security orgs can access via the Account Management link.
3.1: Supported Browsers
For more information on Supported Browsers, see Upgrade Your Web Browser.
3.2: Organizations and Regulators
Step 1: Access FINRA Gateway and on the landing page select the Admin icon from the left side menu bar to access the new Account Management functionality.
Section 4: Setting Up Your Newly Created SAA Account
Step 1: Once your new SAA Account has been activated, you will receive 2 separate emails with your User ID and a link to activate your password.
Step 2: After clicking on the Activate Password link, the Reset Password screen will appear. Enter your new User ID, New Password and then Confirm New Password. You can hold the cursor down on Show to see the actual characters entered in each of these fields. Click Save.
You will receive a ‘Password was changed successfully’ message.
Click Back to Log in button to return to the main login screen.
Step 3: Select Firm/Org tab, and enter your user ID and new password in the User ID and Password fields. Read the Privacy Policy and Entitlement Program Terms of Use and click Accept and Continue.
Step 4: You will now be prompted to set up your Security Information questions. Type your responses in the appropriate Answers fields and click Continue.
Upon completion of password reset and security information, you will be prompted to complete the Multi-Factor Authentication (MFA) process. For more information on the MFA, see Multi-Factor Authentication.
Once you have completed the MFA process, you will be presented with the FINRA Gateway or the Funding Portal Gateway home screen. Your account is now active and you can navigate through the application as needed. You can begin creating user accounts for users at your organization who require entitlement to FINRA.
NOTES:
- Each set of questions has a drop-down list that can be used to select your question. Once you have selected the question, provide the appropriate answer.
- If you are using your personal computer and you trust the device/computer, you can click the Remember this computer checkbox. If you leave the checkbox unmarked, you will be presented with a security question with each login.
ADDITIONAL NOTES:
- Once you have saved your security information, you will periodically be presented with a security question when you log in. Or, if you have not selected the Remember this computer checkbox, you will be presented with a security question with each login.
- Five incorrect entries of your password will lock your account. You will need to contact your SAA or wait an hour for your account to auto-unlock.
- View FINRA Entitlement Program Frequently Asked Questions.
4.1: How to Create/Update/Access Fast Account Switching Logins
This feature allows FIRM users to save any active accounts on the same browser and provides functionality to switch from the currently logged-in account to a previously logged-in account, enhancing the user login experience. This feature allows a user to add a maximum of 20 accounts.
Step 1: To begin building your Fast Account Switching list, access one of your accounts by selecting the Firm/Org tab and entering your User ID and password in the User ID and Password fields. Read the Privacy Policy and Entitlement Program Terms of Use and click Accept and Continue.
Step 2: As an SAA or AA, if it has been more than 24 hours since your last login, you will be presented with the MFA screen before proceeding.
As a non-admin, you will be presented with the Security Question screen. Click the Remember Device check box to quickly access your accounts on this browser. Click Submit. If you leave the check box unmarked, you will be presented with a security question with each login.
Note: For security purposes, you should never check this box on public computers (e.g., library, etc.).
Step 3: You will then be presented with the Remember This Account screen. Click on Remember this account on browser check box to allow this account to be displayed as an available account in the list. If you leave the check box unmarked, the account will not be added. Click Sign In.
Note: For security purposes, you should never check this box on public computers (e.g., library, etc.).
Step 4: The screen will display the account you added to the browser. This screen will be displayed whether you have saved one account or additional accounts.
Select the account you want to use and click Sign In to access the account. See Step 6 to add accounts, or Steps 7 or 8 to remove accounts from your list.
Step 5: Once you have logged into your account and you decide to add another account to your list, click on your User Profile in the upper right-hand corner and select Manage Log Ins.
Step 6: To add additional accounts, click on Sign-In to Another Account.
Repeat Steps 1, 2 and 3 to add additional accounts in your listing.
The account you are currently logged in with will be labeled as ‘Active’ and will appear at the top of the list. You can only log into one account at a given time.
Step 7: To remove an account, click on the X next to the account you wish to remove. You will be presented with the Forget Account screen to confirm. Select Continue to remove this account from your browser. This account will no longer be available to select. If you wish to add the account back, see Step 1.
Step 8: To remove all accounts, click on Forget All Saved Accounts. You will be presented with the Forget All Accounts screen to confirm. Select Continue to remove all accounts from your browser. The accounts will no longer be available to select. You will be redirected to the Gateway Log In screen. If you wish to add an account back, see Step 1.
Step 9: Throughout your browser session, click on your User Profile in the upper right-hand corner and select Manage Log Ins to switch between accounts. The account you are currently logged in with will be labeled as ‘Active’ and will appear at the top of the list. You can only log into one account at a given time. All accounts that are added will remain until they are forgotten or removed by the account owner (e.g., disabled, deleted log ins will deny access).
Click on the account you would like to switch to and click Sign In.
Click Confirm to switch to the account selected.
Step 10: After a period of inactivity or when you Sign Out, your account(s) will be logged out. Log back in to continue to use the accounts remembered on the same browser.
If you decide to use a different browser and/or device, you will have to go through the entire setup process again. See Step 1.
Section 5: How To Search For and View an Account
As an administrator, you are responsible for managing your organization's accounts. You must first search for the accounts you need to edit or delete.
The Accounts page defaults to displaying all the active accounts in your organization. You can filter the list to include Active, Deleted, Disabled or Draft accounts or exclude active accounts by updating the checkboxes in the Status section.
Step 1: Use the Search Box to find an account. Type in the account owner’s user ID, name or email address. If you need an exact match, place quotes around the search text (e.g., “john smith”).
Step 2: As an SAA, you can identify deleted accounts by selecting the Deleted Status filter for a list of deleted accounts. A trash can displays next to each deleted account.
NOTE: Filters are dynamic and will show up only when applicable. To remove all filters, click on Clear Filters at the bottom of the left-hand menu.
NOTE: The option to see deleted accounts is only available to the SAA.
Step 3: Filter accounts by Org Class. SAAs have the ability to filter accounts by Org Class (e.g., FTP) by selecting one or more checkboxes in the Org Class Filter section.
NOTE: The option to see FTP accounts is only available to the SAA.
Step 4: Identify SAA, AA or non-admin accounts. Select the User Type of the account you want to see.
NOTE: The SAA/AA will be able to search for only those entitlements to which they are assigned administrator privilege(s).
Step 5: Search by entitlements assigned to account. Click + Entitlement and search by entitlement name.
Step 6: Identify Machine to Machine (M2M) accounts. Select Yes in the M2M filter to see accounts that are non-human and are used for machine-to-machine interaction such as FTP accounts.
NOTE: The machine to machine (M2M) filter appears only to the SAA.
Step 7: Identify accounts with identifiers. Select TRACE MPID, EQUITY MPID or MSRB identifiers to see accounts that have a given identifier assigned to them.
NOTE: Only those identifiers that are assigned to the SAA/AA will be displayed.
Section 6: How To Create an Account
As an SAA or AA, you are responsible for managing the accounts of users at your organization.
Step 1: On the FINRA Account Management System landing page, select the Create New Account button in the right-hand corner.
Step 2: A new screen will open and display the Create Account screen followed by a section to create/generate user credentials. First complete the Create Account section by entering the name, email address, phone number and other attributes related to the account owner.
Step 3: Next, create a new user ID for the account in the User Credentials section.
Step 4: When the User ID is generated, the Create Draft button will be enabled. When the administrator clicks the Create Draft button, the account will be created as a Draft account until it is activated.
Draft accounts can be created up to 30 days in advance and be available for 30 days for you to assign the required entitlements. The user who created the Draft account will receive periodic reminder emails to assign access and activate the account. After 30 days the Draft account will be deleted.
The account is currently in DRAFT status. At any time, filter on Draft Status to view all your Draft accounts. To activate the account, assign the required access and click ‘Activate Account’. The system requires at least one entitlement for the ‘Activate Account’ button to be enabled. Once activated, the account owner will receive 2 separate emails with their User ID and a link to activate their password.
With the account activation, the account Status will change to Active and the administrator can then modify/edit the account to update user information and/or add additional entitlements to the account.
NOTES:
- All fields marked with an asterisk (*) are required to create a new user account. To systematically generate a User ID, enter the user’s first and last names into the appropriate fields and click the Generate User ID hyperlink.
- A newly activated account automatically defaults to an initial account status of Active, meaning the user can access the appropriate application as soon as they are provided with the user ID and password.
Step 5: To add entitlements to the newly created account, the administrator will select the Entitlement and Access Management tab at the top of the screen.
- Confirm that the selected access is authorized by your organization, is appropriate based on the individual’s job responsibilities, and complies with all other access, privacy, security, data handling, and other organization policies relevant to the access you are providing. Understand that the selected access may cover information that requires compliance with federal or state privacy and data security laws and obligations.
- Apply the principle of Least Privilege. Only assign privileges that align with the individual’s job responsibilities.
- Organizations should consider assigning access to support separation of duties, an administrative control under which no one person has sole control over the lifespan of a transaction and more than one individual is required to perform a task. This concept reduces opportunities for fraud, sabotage, or misuse or theft of information by promoting discovery of errors by another person who is involved in the task completion.
Step 6: To assign/unassign MPID (TRACE & EQUITY) & MSRB identifiers and the related entitlements that are assigned to an account, use the Org Identifiers and Related Entitlements section in the Entitlement and Access Management tab.
Step 7: Select Edit to assign/unassign MPIDs or an MSRB to an account.
Step 8: The screen opens displaying the identifiers assigned to the accounts. You can check the boxes to add new identifiers and their related entitlements or uncheck to unassign the existing identifiers.
- If you are adding an identifier for the first time to the account, you need to select the related entitlements that appear below in the screen.
- If you are removing the identifiers related to an entitlement, you need to unselect the entitlements before hitting Save.
- When you select Save, you are assigning/unassigning the identifiers and the related entitlements.
NOTE: An AA can assign/unassign only those identifiers and related entitlements that they have administrative capabilities for. In some instances, the AA may not be able to see all the identifiers & related entitlements because the SAA has not assigned those to the AA.
Step 9: To assign/unassign entitlements that are assigned to an account through the Entitlements section in the Entitlement and Access Management tab, click on Edit Entitlements.
The application entitlements displayed in this section are those that are assigned to the account.
Step 10: To see the detailed entitlements that are assigned to an account, select Expand All on the right-hand corner of the Entitlements section. If you need to see entitlements assigned to an application entitlement, select the + symbol.
Step 11: To add/remove entitlements, you need to select Edit Entitlements, which will open a screen and allow you to update the entitlements. You can grant user entitlement for any privilege for which you are entitled as an Administrator. Selecting User allows the user access to a specific functionality of the applicable application needed to perform their job responsibilities.
New: When you select a privilege or Role that provides access to sensitive information (e.g., fingerprints, CHRI, SSN), a new prompt displays to make you aware that you have selected access to sensitive information. As an administrator, you are responsible for confirming that the selected access is authorized by your organization, is appropriate based on the individual’s current job responsibilities, and complies with all other access, privacy, security, data handling, and other organization’s policies relevant to the access that is being provided.
As you are adding or removing entitlements, the shopping cart on the right-hand side of the screen is updated to provide an overview of the selected entitlements.
The application-level entitlements (e.g., Account Management) are referred to as the parent entitlements, and the entitlements related to the features or functionality within an application (e.g., Change Password) are referred to as children entitlements.
Step 12: If you remove all children entitlements without deselecting the parent entitlement, you will receive a pop-up to confirm that you want to leave the parent entitlement for the account.
NOTE: If you are an administrator for other applications, the other applications and corresponding privileges will appear on this page. Each application has its own section within this screen.
Result: The new user account is now completed and ready.
Section 7: How To Import an Account
The Import Entitlements feature permits the ‘cloning’ of an account for an individual who requires the exact or very similar access that another account has. The purpose of this feature is to import entitlements to a newly created account or to add entitlements from an existing account. You can import entitlements from multiple accounts as many times as required with this feature.
The Import Entitlements feature saves time when you have several users at your organization who use the same applications and privileges. You can access an existing user’s account and import that user’s entitlements for each individual who requires the same applications and privileges. You can also add or modify any applications or privileges to the new user’s account during the import process.
Step 1: On the New Account Management landing page, search and select the account you want to import entitlements to. Refer to Section 5 on how to search an account.
Step 2: To import entitlements to the account, the administrator will select the Entitlement and Access Management tab at the top of the screen. Select Import Entitlements located in the Entitlements section of the page.
A screen will open with the ability to search for an account by name, user id or email to import entitlements from. This account must exist within the same organization.
Step 3: The entitlements and identifiers (MPIDs, MSRB) for the selected account will appear, and you can select additional entitlements or deselect the ones that are not required for the account by checking/unchecking the checkboxes.
Step 4: Select Import Entitlements at the bottom of the screen, and a pop-up will appear with the summary of entitlements selected for the account. Select Yes, and the entitlements will be added to the account.
NOTE: “Firm” and “Other” Organization classes do not have the ability to import entitlements to a File Transfer Protocol/Internet File Transfer (FTP/IFT) account. Only the FINRA Entitlement Group can create FTP/IFT accounts.
Section 8: How To Edit an Account
Step 1: Select the account you would like to view/edit from the search results by clicking on the User ID hyperlink.
Step 2: As an SAA/AA, you can update the following information for an account in your organization in the Summary section:
- Name
- Email Address
- Phone number
- Cell Phone
- Department
NOTE:
- An SAA cannot edit their own account (except for the phone numbers, title and department).
- An AA cannot edit their own account or another AA’s account. They need to contact the SAA.
Step 3: To modify entitlements, you need to select Edit Entitlements, which will open a screen and allow you to update the entitlements. You can grant user entitlement for any privilege for which you are entitled as an administrator. Selecting User allows the user access to a specific functionality of the applicable application needed to perform their job responsibilities.
As you are adding or removing entitlements, the shopping cart on the right-hand side of the screen is updated to provide an overview of the selected entitlements.
Section 9: How to Disable, Enable or Delete an Account
Step 1: Select the account you want to disable or delete. The following actions can be performed by an SAA/AA and are listed on the header:
- Disable – this option is appropriate if you would like to temporarily suspend access to the account.
- Enable – this option only appears if an account has been disabled by an administrator. (See the note below for accounts disabled by FINRA Admin.)
- Delete – this option is appropriate if the individual is no longer with the organization, does not need access to the Entitlement Platform or if there is a security issue.
NOTE:
- An SAA/AA cannot delete/disable their own account. An AA cannot delete/disable another AA’s account.
- Accounts disabled by FINRA Admin cannot be enabled by the SAA/AA. You are required to call the FINRA Support Center to enable your account.
IMPORTANT TIPS WHEN DELETING USER ACCOUNTS
- It is important not to delete a user in error because the user will lose access to all participating FINRA Entitlement applications.
- If you delete a user in error, create a new account for the user and entitle them to any applications and privileges they need.
If a user is entitled to more than one application (e.g., Web CRD, IARD, and FINRA Report Center) and they no longer need access to one of those applications, DO NOT delete the user’s account. The quickest way to remove all privileges for a specific application is to deselect the parent privilege. The system will then ask if you want to remove all child entitlements associated with the parent. Select Yes and the privileges for that application will be removed.
Section 10: How To Request an Account Details Report
The Account Details Report can be accessed in two (2) different ways:
- Admin page
- Reports page
Step 1: Selecting the Account Details Report link from either of the two options will open the Account Details Report. This report provides the capability to monitor your users and permissions on a periodic basis.
Note: The Account Details Report is available to both SAAs and AAs. The report is based on the SAA’s or AA’s entitlement and search criteria.
Once the report template is open, you can use the template tools to customize/download the report content. These tools are located in the top right corner: Columns, Filter, Group, Save and Export.
To view the entitlements per account from the report template, click the ⌄ symbol in the Entitlement Column next to the number of entitlements. The list of entitlements with their access level will appear. Click the ⌃ symbol to hide the entitlements.
Step 2: To customize the report, click the Columns icon in the top-right corner. A pop-up window will open with the list of All Columns and Selected Columns. To select a column, check the checkbox from the Column list and click the Apply button. To deselect a column, uncheck the checkbox from the Selected Column list and click the Apply button.
Step 3: To filter the report, click the Filter icon in the top-right corner. The filter feature allows you to filter the report based on certain data criteria. For example, if you would like to view the SAA account data on the report, you can filter by SAA Equals to Y and click the Apply Filter button. Once you have completed setting all your filters, click the Done button.
Step 4: To save the report, click the Save icon in the top-right corner. A pop-up window will appear. Type the title you would like to use in the Table Name field, and then click the Save button.
The report will be saved on the My Reports tab on the Reports Landing page.
Once you have saved the changes, the name of the template will change to the name you provided. The Account Details template will remain unchanged. The template you created will be available under My Reports on the Reports Landing page. Every time you open the template, it will contain the most up-to-date data available.
Step 5: To export the report, select the Export icon in the top-right corner. Currently, the report can be downloaded and exported in the CSV format.
Select what you would like to export and click the Export button.
When you select Export in the pop-up window, a message will appear that the file is being prepared for download.
Step 6: Select the View Downloads link in the message or click on the zip file in the Exports Ready for Download section.
Step 7: Choose how you would like to open the zip file.
Step 8: Open the exported Excel report file.
The report displays in a CSV file format.
Section 11: How To Review Accounts
As an SAA, you have several responsibilities:
- You are the sole authorizer and manager of access for all the accounts at your organization on the FINRA Entitlement Platform.
- You serve as the primary contact on all entitlement-related issues.
- You need to review accounts on a periodic basis to validate if access is still needed based on the individual’s job responsibilities.
- You are also required to certify all accounts annually for the FINRA Entitlement User Accounts Certification Process.
These are some best practices to keep in mind when reviewing accounts:
- Validate that each user has a continuing need to access FINRA application(s) on the organization’s behalf.
- Verify that each user is entitled only to the applications and privileges needed to perform current job responsibilities.
- Ensure that only users who require access to sensitive data (e.g., Criminal History Record Information, Social Security or tax identification numbers, dates of birth) are entitled to access this type of data.
- Review last login date for each user to determine frequency of use. If several months have gone by, question the user as to the need for continued access. See Section 11.2 for where to find the last login date.
11.1 Review Last Login Date on Search Card
Step 1: Use the Search Box to find an account. Type in the account owner’s user ID, name or email address. If you need an exact match, place quotes around the search text (e.g., “john smith”).
Step 2: From the individual search card, you will see the last login date on the right side of the entry. Review the last login date to validate that the individual’s account has been used recently or if months have gone by without the user logging on. If the last login date is months ago, ask the user about their access to determine if the account is still needed or should be removed. Note that FINRA considers accounts that are inactive for a designated period of time as dormant and deletes these accounts. See Section 16 on Dormant Accounts.
11.2 Review Last Login Dates on Account Details Report
Step 1: As the SAA, request the Account Details Report (see Section 10). In the report, you will see the last login date as one of your selected columns. Review the last login date to validate that the individual’s account has been used recently or if months have gone by without the user logging on. If the last login date is months ago, ask the user about their access to determine if the account is still needed or should be removed.
11.3 Review Account Status
Step 1: On the Main Search Page, review your users’ account statuses located on the left side of the Search Cards. Review to see if any of the accounts are Disabled, Password Lockout or Security Question Lockout and confirm with the user if the account is still needed or should be removed. If the account is no longer needed, delete it; if it is still needed, update the account to the Active status.
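The checks in Sections 11.1 to 11.3 can also be run over the CSV export described in Section 10. The script below is an added example, not part of FINRA's guide or tooling: the column names, date format, 90-day threshold, keyword list and sample rows are all assumptions to adjust to your own export.

```python
import csv
import io
from datetime import date, datetime, timedelta

# Assumed column names and date format; match them to the columns you
# selected in the Account Details Report before exporting.
COL_USER = "User ID"
COL_STATUS = "Status"
COL_LAST_LOGIN = "Last Login Date"
COL_ENTITLEMENTS = "Entitlements"
DATE_FORMAT = "%m/%d/%Y"

# Assumed local threshold for "months have gone by" without a login.
STALE_AFTER = timedelta(days=90)

# Statuses that Section 11.3 says to confirm with the user.
FOLLOW_UP_STATUSES = {"disabled", "password lockout", "security question lockout"}

# Assumed keywords for sensitive-data entitlements, based on the data
# types the guide names (SSN, CHRI, fingerprints, criminal history).
SENSITIVE_KEYWORDS = ("ssn", "chri", "fingerprint", "criminal")

# Constructed sample export (not real accounts).
SAMPLE_EXPORT = """\
User ID,Name,Status,Last Login Date,Entitlements
jsmith1,John Smith,Active,05/28/2024,Web CRD: View Individual
mlee2,Mary Lee,Active,11/02/2023,Web CRD: View CHRI; IARD: User
tgray3,Tom Gray,Password Lockout,05/30/2024,FINRA Report Center: User
svc_ftp4,Batch Upload,Active,,FTP: User
rdiaz5,Rosa Diaz,Disabled,13/45/2024,Web CRD: Fingerprint Status
"""


def review_accounts(csv_text, today):
    """Return {user_id: [reasons]} for accounts an administrator should follow up on."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = (row.get(COL_USER) or "").strip()
        if not user:
            continue  # skip blank or malformed rows
        reasons = []

        # Section 11.3: disabled or locked-out accounts.
        status = (row.get(COL_STATUS) or "").strip()
        if status.lower() in FOLLOW_UP_STATUSES:
            reasons.append(f"status is {status}")

        # Sections 11.1 and 11.2: last login date.
        raw = (row.get(COL_LAST_LOGIN) or "").strip()
        if not raw:
            reasons.append("no last login date recorded")
        else:
            try:
                last_login = datetime.strptime(raw, DATE_FORMAT).date()
            except ValueError:
                # Surface bad data instead of silently treating it as recent.
                reasons.append(f"unparseable last login date {raw!r}")
            else:
                age = today - last_login
                if age > STALE_AFTER:
                    reasons.append(f"no login for {age.days} days")

        # Sensitive access is always listed so that it gets confirmed.
        entitlements = (row.get(COL_ENTITLEMENTS) or "").lower()
        hits = sorted(k for k in SENSITIVE_KEYWORDS if k in entitlements)
        if hits:
            reasons.append("sensitive access to confirm: " + ", ".join(hits))

        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in review_accounts(SAMPLE_EXPORT, date(2024, 6, 1)).items():
        print(f"{user}: " + "; ".join(reasons))
```

The output is a follow-up list only; disabling or deleting an account is still done in Account Management as described in Section 9.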
Section 12: How To Reset a Password
If a user has problems logging in to their account, it may be because:
- They have forgotten the password or the password has expired.
- They have unsuccessfully entered their password more than five times in the past hour and have been locked out.
- They have unsuccessfully entered their security questions more than five times and have been locked out.
- They have been disabled intentionally, either by an Account Administrator or by the FINRA Entitlement Group.
As an SAA/AA, you can reset an account’s password and/or security questions through the Account Settings Credentials section.
- At any time, an Administrator can force a password change for an individual if there is evidence or suspected activity indicative of compromise of the individual’s account access.
Step 1: Select Reset Password in the Account Settings Credentials section.
Step 2: A Password Reset Dialog box is presented to the user, and upon confirmation, a password reset link will be sent to the email address associated with the account.
Password Information
See the Password Requirements page for a list of password parameters and features.
Password Security Information:
- All initial passwords require the user to create a new password with initial login.
- If their password has elapsed, a user will have to re-initiate the password reset process in order to receive a new link to change their password.
- A user can change their password at any time by clicking on the red dot in the upper right-hand corner, selecting My Account and clicking the Change Password link.
Result: The My Account: Personal Profile screen appears.
- Users who forget their password can click on the Forgot User ID or Password? link on the login screen to request a new password. The user will be prompted to enter their user ID, the email address associated with the account, and then answer a security question.
- Five incorrect password attempts within one hour will result in a locked account. The account will auto-unlock after one hour. Accounts can be unlocked sooner than one hour if users contact their SAA or AA. If it is an SAA account, they need to contact the FINRA Support Center.
- Users who have five incorrect security response attempts need to contact their SAA or AA for a reset; or if it is an SAA account, they need to contact the FINRA Support Center.
Section 13: How To Change the User Account Status
View and evaluate the user’s Account Status
Step 1: For a disabled account, click on the Action hyperlink and select Enable Account.
Status Legends/Symbols
Active | Active Account – able to access the FINRA Entitlement Platform Application privileges assigned. |
Disabled by Non-FINRA Account Administrator | Account that has been disabled by the SAA or AA at the organization. |
Disabled by FINRA Administrator | Account that has been disabled by a FINRA Entitlement Administrator. |
Password Lockout | Five incorrect password attempts within one hour will result in a locked account. The account will auto-unlock after one hour. Accounts can be unlocked sooner than one hour if users contact their SAA or AA. If it is an SAA account, they need to contact the FINRA Support Center. |
Security Questions Lockout | Users who have five incorrect security response attempts need to contact their SAA or AA for a reset; or if it is an SAA account, they need to contact the FINRA Support Center. |
Delete | Access to this account has been removed permanently from the FINRA Entitlement Platform. |
Section 14: FINRA Security Questions Feature
The first time a user logs in to a FINRA Entitlement application/system (e.g., Web CRD, IARD), the user will be required to select three security questions and provide responses to each question. On subsequent logins, a user may be asked to provide the responses to the security questions they selected in order to further verify the user’s identity. This security feature is similar to those used by financial websites as an additional safeguard against unauthorized access.
Once users have saved their security information, they will be periodically presented with a security question. If they have not selected the Remember this computer checkbox, they will be presented with a security question each time they log in.
As the AA or SAA, you may need to assist your users if the following occurs:
- Five incorrect responses to security questions will lock their accounts. They will need to contact an SAA or AA.
- Five incorrect entries of their password will lock their account. They will need to contact an SAA or AA.
- View FINRA Entitlement Program Frequently Asked Questions for more information.
- At any time, an administrator can reset security questions/answers for an individual if there is evidence or suspected activity of a compromise of the individual’s account.
14.1: How to Reset Security Questions
Step 1: Select Change Security Questions in the My Profiles section.
Result: The Individual Information screen appears.
NOTE: An SAA/AA cannot reset the password/security questions for their own account. An AA cannot reset the password/security questions for another AA’s account.
14.2: How To Change Your Security Questions and Answers
Step 1: A user can change their security questions at any time by clicking on the red dot in the upper right-hand corner, selecting My Account and clicking the Change Security Question link.
Result: The My Account: Personal Profile screen appears.
Step 2: Select Change Security Questions.
Result: The My Account: Security Questions screen appears.
Step 3: Change your security questions and answers as desired, then click Change Security Questions.
Section 15: How To Log Out
Step 1: A user can log out at any time by clicking on the red dot in the upper right-hand corner and selecting Sign Out.
The Logout Successful screen will display. To log back in, select the Click to Login Again button. Follow the prompts to log back in.
ADDITIONAL NOTES:
- When you log out, your browser may retain account information viewed during your session. For added security, we recommend that you close your browser window.
- If you are inactive for 27 minutes, you will get a Session Timeout prompt. If you don’t select Stay, you will be logged off. If you select Stay, the clock will be reset.
Example of the 27-minute timeout prompt.
Section 16: Dormant Accounts
Accounts are considered dormant if they are not used for a defined period of time. For security reasons, FINRA deletes dormant accounts.
Although an SAA account should never go dormant based on an SAA’s responsibilities, if an SAA’s account is deleted due to dormancy, there is significant impact to the organization. All FINRA Entitlement Program user accounts for the organization will lose system access until another SAA account is recreated. To reestablish an SAA, the firm will need to contact FINRA.
As the SAA or AA, consider the following best practices to avoid dormant accounts:
- Perform periodic reviews to ensure individuals are using their accounts based on their job responsibilities (e.g., check last login date available for each account in Account Management) and question a user if several months have elapsed without use.
- Delete account(s) when the individual no longer requires access per their job responsibilities or is not using their account.
- Remember to log in periodically to prevent your account from going dormant.
Section 17: How To Manage Roles
Benefits of Roles:
- Roles allow an organization to more effectively manage entitlements by grouping entitlements by job functions, positions, or other areas of responsibilities that meet the needs of an organization.
- Roles provide an efficient way to assign access for users, as the admin no longer needs to select each entitlement for an account.
- Roles may offer more secure access as users performing the same job functions or responsibilities share the same level of access.
- Roles are customizable to maximize flexibility.
- Role Templates are available for certain types of organizations to use when creating their own Roles.
- Roles offer an easier way to review users’ access. In addition, Roles will display for annual account certification, which provides a more effective and efficient way to validate accounts.
Considerations When Using Roles:
- Roles are optional. Consider the number of users in your organization and the job functions and responsibilities they perform to determine how to best use Role functionality for your organization.
- Only SAAs are able to create Roles for their organizations.
- Roles can be classified as Admin Roles or User Roles, based on the privilege level selected for the entitlements.
- Roles in an organization cannot share the same name. When creating a Role, choose a name that best describes the Role.
- When creating Roles, add a description for each Role with enough detail to assist with account reviews and Role assignments.
- Consider creating a Role for access to sensitive data (e.g., Criminal History Record Information, social security numbers) and assign this Role to only those users that require this level of access.
- Organizations should consider assigning access to support separation of duties, an administrative control under which no one person has sole control over the lifespan of a transaction and more than one individual is required to perform a task. This concept reduces opportunities for fraud, sabotage, or misuse or theft of information by promoting discovery of errors by another person who is involved in the task completion.
- Role functionality does not support MPIDs and related entitlements, so you cannot add them to a Role. Use Account Management to assign MPID entitlements.
- Only Active Roles may be assigned to accounts. Incomplete Roles (Roles that are active but have no entitlements assigned) and Deleted Roles (Roles that are not active) cannot be assigned.
- More than one Role may be assigned to an account.
- SAAs may grant their AAs the ability to assign Roles to users. However, the AA must have Admin privileges to ALL entitlements the Role includes in order for the AA to be able to assign that Role to a user.
- SAAs may control which Roles an AA can assign based on whether the AA has Admin privileges to all entitlements of Roles.
- AAs with Role assignment functionality will be able to view all Roles in the organization even if the AA cannot assign all Roles.
- Before assigning a Role(s), verify that the users require access to all the applications and privileges in the Role to perform current job responsibilities. If not all access is required, consider modifying the Role or creating a new Role to assign to the users.
- A Role may be modified; however, modification will update all accounts that are assigned to that Role.
- If an SAA assigns an Admin Role to a user account, that user account will be converted to an Account Administrator (AA). If the SAA removes the Admin Role from an account, that account will revert to a user account.
- Delete a Role if obsolete.
- Role functionality works the same for both Firms and Regulators.
As a Super Account Administrator (SAA), you are able to:
- Create and manage Roles for your organization
- Assign and unassign Roles for your Account Administrators (AAs) and users
As an Account Administrator (AA), you are able to:
- Assign and unassign Roles for your users, if your SAA grants your account the functionality for Role assignment
17.1 How To Create Roles
Step 1: As the SAA, select Create Roles from the Admin landing page.
Step 2: Stage 1 - Role Information
From the Create Role screen, enter the Role Information (i.e., Name and Description), and click Next.
- Role Name - This field is 50 characters and must be unique for each role. Choose a name that best describes the Role.
- Role description – This field is 250 characters. When creating Roles, add a description for each Role with enough detail to assist with account reviews and Role assignments.
The Next button will take you to the next step called Entitlements/Role Templates.
Step 3: Stage 2 - Entitlements/Role Templates
From this screen, there may be two options available to create a Role for your organization:
- Option A - Import Entitlements from a Role Template To Create a New Role. FINRA creates Role Templates, which can be customized. This option is only available to specific types of organizations.
- Option B - Select Individual Entitlements to Create a New Role specific to your organization’s needs. This option is available to all organizations with Role functionality.
Option A - Select Import Entitlements from a Role Template to Create a New Role
This option is only available to specific types of organizations.
Step 1: Select a Role Template Created by FINRA
There are several Role Templates created by FINRA to help you create a Role. The Role Templates are focused on functional responsibilities of an organization.
Firm Role Templates Created by FINRA
- Operations
- Registration
- Organization
Regulator Role Templates Created by FINRA
- Registration
- Query without SSN
- Query with SSN
When selecting a Role Template to create a new Role, you can either use the Role Template with the entitlements that are listed in the template, or you can choose to customize the Role Template to best meet the needs of your organization.
Step 2: As shown in the example below, the Operations Role Template created by FINRA has been selected by a firm. You may either mark the All User box to indicate that you want all user privileges for this Role Template to be included, or you may customize the Role Template by marking only the specific user privileges based on the needs of your organization as shown below.
Note: As you are adding entitlements to the Role, the shopping cart on the right side of the screen will update to show you the entitlements that have been selected for the new Role. Click the Next button to take you to the next step called Review & Create Role.
Step 3: From the Review & Create Role step, you may continue to add entitlements to the new Role by clicking on Import More Entitlements From Role Templates or, to further customize the Role, select Add More Entitlements. At this time, you may edit the Role Name and Description. Also, write a Description that best explains the functional responsibilities of the Role to assist with account reviews and user assignments.
- Role Name - This field is 50 characters and must be unique for each role. Choose a name that best describes the Role.
- Role description – This field is 250 characters. When creating Roles, add a description for each Role with enough detail to assist with account reviews and Role assignments.
Once you complete your review of the Role and are satisfied with the entitlements, name and description, click Create Role. If the Role name matches an existing Role name, the system will produce an error and you will need to change the Role name. Once the Role is successfully created, it will be available to assign to accounts.
Type: User Role
Name: Compliance Role
Status: Active (Role available to assign)
Note: If you need to change the Role name, it must be done in the Review and Create Role step. Once the Role is created, the Role name cannot be changed.
Cancel Role Creation
If you decide not to create a Role, you can cancel the Role creation process by selecting Cancel, though you must cancel before you select “Create Role”.
Option B – Select Individual Entitlements to Create a New Role
Step 1: Stage 1 - Role Information
From the Create Role screen, enter the Role Information (i.e., Name and Description), and click Next.
- Role Name - This field is 50 characters and must be unique for each role. Choose a name that best describes the Role.
- Role description – This field is 250 characters. When creating Roles, add a description for each Role with enough detail to assist with account reviews and Role assignments.
The Next button will take you to the next step called Select Individual Entitlements to Create Role.
Step 2: Stage 2 - Entitlements/Role Templates
Use Select Individual Entitlements to Create Role when the SAA wants to build a new Role and customize it by marking the specific entitlements that the Role requires.
When building a new Role for a user, the SAA will scroll through the entitlements and mark the specific user privileges that will be needed to fulfill the job responsibilities and functions of the Role.
New: When you select a privilege for a Role you are creating or modifying that will authorize accounts assigned this Role to access sensitive information (e.g., fingerprints, CHRI, SSN), a new prompt displays to make you aware that you have selected access to sensitive information. As an administrator, you are responsible for confirming that the selected access for this Role is authorized by your organization, is appropriate based on the individual’s current job responsibilities, and complies with all other access, privacy, security, data handling, and other organization policies relevant to the access that is being provided.
Organizations should consider using Role-based entitlement rather than granting access by each privilege as Roles reduce the risk of human error when assigning access. Roles bundle entitlements to grant access for individuals who perform the same job functions and need the same level of access. A Role should provide access to only what a position requires. An SAA (or AA if provided the functionality by their SAA) has the ability to create a Role and assign entitlements to the Role that are required to perform current job responsibilities. In addition, Roles enable a more efficient way to review users’ access. When managing access to sensitive information, an SAA should consider creating a separate Role to access this type of information so that access can be more easily removed when required. Remember, an account may have more than one Role assigned to it.
- Create a primary Role and assign only those privileges based on the job responsibilities of the position.
- Create a secondary Role for individuals who have job responsibilities that require access to sensitive information, such as social security numbers or information available from a fingerprint transaction, whether that data is an FBI fingerprint result or personally identifiable information from the fingerprint card (both of which are considered by the FBI to be criminal justice information (CJI), requiring compliance with the FBI’s Criminal Justice Information System Security Policy).
Click Next. The Next button will take you to the next step called Review & Create Role.
Step 3: From the Review & Create Role step, you may continue to add user entitlements to the new Role by clicking on Import More Entitlements From Role Templates or to further customize the Role, select Add More Entitlements. At this time, you may edit the Role Name and Description. The system will prevent you from using a Role Name that already exists for your organization. Also, write a Description that best explains the functional responsibilities of the Role to assist with account reviews and user assignments. Once you complete your review of the Role and are satisfied with the entitlements, name and description, click Create Role. This Role will now be available to assign to accounts.
Type: User Role
Name: Operations Specialist
Status: Active (Role available to assign)
Creating Roles for Account Administrators (AAs)
When creating Roles for AAs, follow the same process as when creating User Roles, except mark Admin for the specific privileges required, and mark the specific user privileges that the Admin Role needs.
Role Types
User Role – A User Role is comprised of entitlements that have a User privilege level. A User Role is required by a user in your organization to access systems and/or functions related to a specific system to perform a task related to their job function.
Admin Role – An Admin Role is comprised of Admin level privileges for the entitlements assigned to the Role. An Admin Role can be assigned to Account Administrators (AA), who in turn can assign the Role to other users in their organization.
Both User & Admin Role – A User & Admin Role is comprised of both Admin & User level privileges for the entitlements assigned to the Role. An Admin Role can be assigned to Account Administrators (AA), who in turn can assign the Role to other users in their organization as well as access FINRA systems and/or functions related to a specific system, as per the user entitlements that are included in the Role.
17.2 How To Assign Roles
This section explains Role assignment.
- The SAA has the ability to assign Admin and User Roles.
- An AA that is granted Assign Roles by the SAA can assign Roles to Users. AAs will only be able to assign a Role when they have Admin access to all privileges in the Role.
There are two ways for an SAA to assign a Role to an Admin or user:
- Option A – Assign the Role through the Role (Create a Role/Search for a Role)
- Option B – Assign the Role from an individual user’s or AA’s Account
Option A – Assign the Role through the Create Role Functionality
Step 1: Once the SAA creates a Role, the Role may be assigned to users that require the Role. You can assign Roles using the Create Role functionality. Select the Users tab and click the Assign box to assign a Role. In the example below, the Compliance Role will be assigned to a user account that is called Non-Admin User.
When assigning Roles, if you assign a user account to an Admin Role, the user account will be converted to an Account Administrator (AA) with that Role. If that is not your intent, remove the AA Role to revert the account to a user with the entitlement the account previously had prior to the Role assignment.
Step 2: Once the Role has been assigned, search for the user’s account, click on the Entitlement and Access Management tab and click on Roles to see the organization’s Role assigned to the account.
Option B – Assign the Role from a User or AA Account
Step 1: From the Admin landing page, select Search Accounts.
Step 2: Use the Search box to find the account. Select the account and click on the user ID.
Step 3: Select Entitlement and Access Management, then click Roles.
Step 4: From the Roles section, you have the option to assign Role(s) that the SAA created. Both Admin (AA) Roles and User Roles are listed as categories for the types of Roles that may be created, though the category will only show the Roles if the SAA has created any. For example, as the AA, if no AA Roles have been assigned and you are presented with the Edit Admin Roles Link, you will be able to assign an Admin Role. Choose the Role category based on the Role you want to assign.
The ability to Edit a Role will only display if the functionality is permissible to the AA.
- Edit Admin Roles link: assign/unassign Admin Role
- Edit User Roles link: assign/unassign User Role
When assigning Roles, if you assign a user account to an Admin Role, the user account will become an AA with that Role. If that is not your intent, remove the AA Role to revert the account to a user with the entitlement the account previously had prior to the Role assignment.
17.3 How To Search Roles
Step 1: As the SAA, select Search Roles from the Admin landing page.
Step 2: From the Search Role screen, you can do the following:
- Create a new Role
- Click on an existing Role to view, add, or delete entitlements
- Click on an existing Role to delete the Role
- Use the filters to search for specific Role characteristics (e.g., Active, Deleted, Role Type, Entitlements)
- View accounts that are already associated with a specific Role from the corresponding Actions link on the right side. If there are no accounts associated with the Role, the Actions link displays “No Action Available”.
Review Role Icon Definitions
- Active – Role available to assign
- Delete – Role is no longer available to assign
- Incomplete – Role with no Entitlements
Once Search Roles has been selected from the Admin landing page, the Roles screen will appear and default to all Active Roles. If there are no Roles created for your organization, there will be ‘0’ results displayed.
Filters for Search Roles:
The Search page has the following filters to assist you in searching for a Role:
- Role Status
  - Active – By default
  - Deleted – All the Roles that have been deleted
- Role Type
  - User – identify all Roles that have only User entitlements
  - Admin – identify Roles that have Admin only or User/Admin entitlements
  - Incomplete – identify Roles that do not have entitlements assigned to them
- Entitlements: Search for Roles based on the entitlement(s) assigned to the Role. For example, identify the Roles that have CRD entitlement with User privilege.
  - Select entitlements
  - A pop up opens
  - Type in CRD in the search bar
  - Select Next on the search results
  - When you see CRD entitlement, select User privilege
  - Click Save
All Roles with CRD User entitlement will be displayed in the Search results.
Each Search result displays the following information about the Role:
- Role Name – Unique name assigned to a Role
- Role Type – Admin, User or Incomplete
- Updated Date – Date the Role was last updated/modified
- Description – Details to assist with account reviews and Role assignments
- Actions:
  - View Assigned Accounts – This action enables the SAA to view all the accounts assigned to the Role. When selected, the Account Management application will open in a new tab, with the Role filters selected, so that you can see the individual accounts that have been assigned to the Role.
Other Features in Search Roles:
- Sorting – By default the Roles are sorted based on relevance (e.g., Usefulness). However, as a user you can select how you want to sort the search results. The options for sorting are:
  - Most Relevant
  - Updated Date
  - Role Name
  - Role Type
  - Org Class
- Saved Views – As a user you can select certain filters and then save that filter criteria for future use.
- Search bar – The search bar allows you to search for a Role by Role Name. If you want an exact match of the Role, place quotes around the search text (e.g., “Compliance Analyst”). If you do not know the name of the Role, search with a pattern such as %Compl% and it will give you a list of possible matches.
17.4 How To Edit Roles
Step 1: As the SAA, select Search Roles from the Admin landing page.
Step 2: Click on the Role Name to open the Role information.
Step 3: To edit the Role, click Import Entitlements from another Role or Edit Entitlements to add additional privileges.
Step 4: Import or mark the additional entitlements and click Save. The Role will be updated and accounts with this Role will have their entitlement updated.
As entitlements are added or removed, any accounts assigned to the Role will be impacted with the Role change.
17.5 How To Delete Roles
Step 1: As the SAA, select Search Roles from the Admin landing page.
Step 2: Click on the Role Name to open the Role information.
Step 3: To Delete the Role, click the Delete icon.
Step 4: A pop up will open and if the Role has assigned users, the following message will display.
- Click View Assigned Accounts and unassign all accounts from that Role.
- For each account displayed after clicking View Assigned Accounts, click on the User ID hyperlink.
- Select Entitlement and Access Management, then click Roles to unassign the selected Role by clicking on the ‘x’ next to the selected Role.
Step 5: Once all accounts have been unassigned from the Role, select Search Roles from the Admin landing page (Step 1), click on the Role name to delete, click the Delete icon and provide a reason for deleting the Role.
17.6 How To Provide the AA With the Ability To Assign Roles
Step 1: If an SAA wants their AAs to assign Roles to other users, the SAA needs to assign the Assign Roles - User privilege to the AA account. The AA must have Admin privileges to ALL entitlements within the Role in order for the AA to be able to assign the Role to other user accounts. AAs with Role assignment functionality will be able to view all Roles in the organization even if the AA cannot assign all Roles.
From the Search Account screen, use the search box to find the AA account. Type in the account owner’s user ID, name, or email address. If you need an exact match, place quotes around the search text (e.g., “john smith”). Click on the Account User ID.
Step 2: As the SAA, to add the Assign Roles privilege to the AA, select Edit Entitlements, which opens a screen and allows you to update the entitlements.
Step 3: Select User access for the Assign Roles privilege to allow the AA the ability to assign Roles to users. Inform the AA that the ability to assign Roles has been granted. If an AA indicates that a specific Role cannot be assigned, verify that the AA account has Admin privileges to all entitlements of the Role.
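The assignment rules in Sections 17.2 and 17.6 can be modelled to show why an AA is refused a particular Role. This is an added example, not FINRA code: the class and function names, the sample entitlement names, and the rule that any Admin-level privilege makes an account an AA are assumptions of the model.

```python
from dataclasses import dataclass, field

USER, ADMIN = "User", "Admin"
ASSIGN_ROLES = "Assign Roles"  # privilege named in Section 17.6


@dataclass
class Role:
    name: str
    entitlements: dict = field(default_factory=dict)  # entitlement -> set of levels
    deleted: bool = False

    def role_type(self):
        """User, Admin or Incomplete, following the Search Roles filter definitions."""
        levels = set()
        for granted in self.entitlements.values():
            levels |= set(granted)
        if not levels:
            return "Incomplete"
        return ADMIN if ADMIN in levels else USER


@dataclass
class Account:
    user_id: str
    is_saa: bool = False
    individual: dict = field(default_factory=dict)  # entitlements outside of a Role
    roles: list = field(default_factory=list)

    def all_entitlements(self):
        """Union of individual entitlements and those inherited from Roles."""
        merged = {}
        for source in [self.individual] + [r.entitlements for r in self.roles]:
            for name, levels in source.items():
                merged.setdefault(name, set()).update(levels)
        return merged

    def account_type(self):
        # Modelling assumption: any Admin-level privilege makes the account an AA.
        if self.is_saa:
            return "SAA"
        held = self.all_entitlements()
        return "AA" if any(ADMIN in lv for lv in held.values()) else "User"


def assignment_blockers(assigner, role):
    """Return the reasons the assigner cannot assign the Role (empty list = allowed)."""
    reasons = []
    if role.deleted:
        reasons.append("Role is Deleted")
    elif role.role_type() == "Incomplete":
        reasons.append("Role is Incomplete (no entitlements assigned)")
    if assigner.is_saa:
        return reasons
    held = assigner.all_entitlements()
    if USER not in held.get(ASSIGN_ROLES, set()):
        reasons.append("AA lacks the Assign Roles - User privilege")
    # The AA needs Admin on ALL entitlements in the Role, not just some of them.
    for name in sorted(role.entitlements):
        if ADMIN not in held.get(name, set()):
            reasons.append(f"AA lacks Admin privilege for {name}")
    return reasons


def assign(assigner, target, role):
    """Assign the Role if permitted and return the target's resulting account type."""
    blockers = assignment_blockers(assigner, role)
    if blockers:
        raise PermissionError("; ".join(blockers))
    if role not in target.roles:
        target.roles.append(role)
    return target.account_type()


if __name__ == "__main__":
    # Constructed sample data.
    compliance = Role("Compliance Role", {"CRD": {USER}, "IARD": {USER}})
    aa = Account("aa01", individual={ASSIGN_ROLES: {USER}, "CRD": {ADMIN}})
    print(assignment_blockers(aa, compliance))
```
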
Section 18: User Accounts Certification
FINRA's Entitlement User Accounts Certification requires all organizations to review and validate their users’ access each year. During this period, SAAs for firms with more than one user and/or administrator account must certify that authorized users are entitled to only those privileges/Roles necessary to perform their job responsibilities on the FINRA Entitlement Platform. If an individual no longer requires access, SAAs must immediately remove the entitlement(s) or delete the account.
Organizations with only an SAA account and no other users or administrators have the option to certify but are not required to, unless the firm has access to the Consolidated Audit Trail (CAT). Firms with one or more accounts with access to CAT must certify.
18.1: SAA Certification Roles and Responsibilities
- Manage all accounts at your organization that require access to the FINRA Entitlement Platform and assign only the entitlements required to perform job responsibilities.
- Monitor periodically all accounts to determine continued need for access.
- Review and certify each year all accounts by the due date.
- Disable an account immediately (within the same day) if you suspect an information security issue.
- Delete an account immediately (within the same day) when the individual is no longer with the organization or no longer requires access.
Best practices when reviewing accounts:
- Verify that each user is entitled only to the applications, Roles and privileges needed to perform current job responsibilities.
- Ensure that only users who require access to sensitive data (e.g., Criminal History Record Information, Social Security numbers) are entitled to access this type of data.
- Monitor accounts on a periodic basis by using the Account Details Report.
- Using the Export report function, save the report and share it with managers and others in your organization who are most familiar with job responsibilities to assist with validating access.
- Review last login date for each user to determine frequency of use. If there is elapsed time from last use that seems unusual, question the user as to the need for continued access. See Section 11.2 for where to find the last login date.
- Certify your users on the same day you download the Accounts Certification Report to prevent having to perform a subsequent review of your users as the entitlement data may have changed since the download was requested.
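The review practices listed above can be applied to an exported report with a short script. This is an added example, not part of the guide or of any FINRA tooling: the column names, cell layout, ISO date format, 90-day threshold and sensitive-name markers are all assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import date

STALE_AFTER_DAYS = 90                 # assumption: the guide only says "several months"
SENSITIVE_MARKERS = ("SSN", "CHRI")   # assumption: matched against Role/entitlement names

# Constructed sample export; the real report's columns depend on what you select.
SAMPLE_CSV = """User ID,Account Status,Last Login Date,Roles,Entitlements Outside of Role
jdoe,Active,2024-05-20,Operations Specialist,
asmith,Active,2023-11-02,Compliance Role,Query with SSN:User
bnguyen,Password Lockout,2024-04-30,,CRD:User;IARD:User
cpatel,Active,,Operations Specialist,
"""


def cell(row, column):
    """Return a trimmed cell value, treating a missing column as empty."""
    return (row.get(column) or "").strip()


def split_cell(value):
    """Split a semicolon-separated cell into its items."""
    return [item.strip() for item in value.split(";") if item.strip()]


def review_account(row, today):
    """Return the review findings for one exported account row."""
    findings = []

    # Last login date: question the user if the elapsed time seems unusual.
    last_login = cell(row, "Last Login Date")
    if not last_login:
        findings.append("no recorded login")
    else:
        try:
            idle = (today - date.fromisoformat(last_login)).days
        except ValueError:
            findings.append(f"unreadable last login date: {last_login}")
        else:
            if idle > STALE_AFTER_DAYS:
                findings.append(f"last login {idle} days ago")

    # Disabled or locked-out accounts: confirm the account is still needed.
    status = cell(row, "Account Status")
    if status.startswith("Disabled") or "Lockout" in status:
        findings.append(f"status is {status}")

    # Access granted privilege by privilege rather than through a Role.
    outside = split_cell(cell(row, "Entitlements Outside of Role"))
    if outside:
        findings.append("entitlements outside of a Role: " + ", ".join(outside))

    # Sensitive data access: verify that the job responsibilities require it.
    granted = outside + split_cell(cell(row, "Roles"))
    sensitive = [g for g in granted if any(m in g.upper() for m in SENSITIVE_MARKERS)]
    if sensitive:
        findings.append("sensitive data access: " + ", ".join(sensitive))
    return findings


def review_export(csv_text, today):
    """Map each user ID with at least one finding to its list of findings."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = review_account(row, today)
        if findings:
            report[cell(row, "User ID")] = findings
    return report


if __name__ == "__main__":
    for user_id, findings in review_export(SAMPLE_CSV, date.today()).items():
        print(user_id, "->", "; ".join(findings))
```
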
18.2: Consequences for Failing to Certify
If an organization that is required to certify does not certify by the published due date, Account Management functions will be disabled for the SAA and all Account Administrators and will remain disabled until the SAA completes certification.
In addition, failure to certify will result in the suspension of all accounts in the organization. To regain access and full system functionality, the SAA will need to contact the FINRA Entitlement Group and complete certification.
FINRA will take action to ensure compliance with the process, and other regulators may follow up for failing to comply.
See Section 18.4 – Certification: Past Due for more information.
18.3: How to Complete User Accounts Certification
Step 1: As the SAA, from the Admin landing page, view the FINRA Entitlement User Accounts Certification banner, which appears with the start of the Certification Period, and click Start Certification to begin.
Step 2: Review the FINRA User Account Certification Instructions and proceed with your review of your organization’s accounts. Accounts display in the Accounts Certification Report at the bottom of the screen.
Note: The Accounts Certification Report defaults to displaying the filtered list of user accounts that have not been deleted in your organization. If you want to include Deleted accounts in your review, you will need to remove the Delete (Yes/No) Filter.
To customize/export report content, use the customizing tools located in the top right corner of the report template: Columns, Filter, Group, and Export.
- Columns – choose which fields you want to display in the report.
- Filter – narrow down your results by providing a value for any available field.
- Group – arrange the data into groups by choosing any available field as the ‘Group By’ field.
- Export – export your report to a .csv file with the final report criteria you have chosen.
Step 3: To view each account’s Roles, Entitlements Outside of a Role, and All Entitlements in the report, click the ⌄ symbol next to the number in the appropriate column to see the details. See below for more information about each column. Click the ⌃ symbol to hide the details.
- Viewing Number of Roles Assigned to Accounts Column
- Click on the ⌄ symbol next to the number in the Number of Roles Assigned to Accounts Column, to view the names of the Role(s) assigned to the account, if any. To review the access the Role includes, click on the Role link to see the Role entitlements from the Search Roles screen.
- Viewing Individual Entitlements Assigned to Account Outside of Role Column
- Click on the ⌄ symbol next to the number in the Individual Entitlements Assigned to Account Outside of Role Column to view the list of entitlements (privileges) that have been granted to the account and which are not associated with a role. In addition, the level of access, User or Admin, shows for each entitlement.
- Viewing All Entitlements Assigned to Account Column
- Click on the ⌄ symbol next to the number in the All Entitlements Assigned to Account Column to see a complete list of all entitlements (Roles and entitlements outside of Roles) assigned to the account and the level of access, User or Admin, for each entitlement.
Step 4: To customize the columns displayed in the report, click the Columns icon. A pop-up window will open with the list of All Columns and Selected Columns. To select a column field, mark the checkbox from the Column list and click the Apply button. To deselect a column field, unmark the checkbox from the Selected Column list and click the Apply button. Select “Clear All” to remove the customized fields.
Step 5: To narrow your search, click the Filter icon. This feature allows you to filter the report based on certain data criteria. For example, if you would like to view the SAA account information on the report, filter by selecting “Y” for SAA Equals and click the Apply Filter button. Once you have completed setting all of your filters, click the Done button.
Step 6: To arrange the data into groups, click on the Groups Icon. Choose the field(s) for how you want the data to be organized for your review. Once you have completed setting all your Groups, click the Apply button.
Applying Multiple Groups
To further define your report, you can use the Group tool to organize individuals into several groupings. For example, if you want to know the Roles and Entitlements Outside of a Role, you can use the Group tool to select these group tags so that the report displays this information. Note that the group tag you apply first will be the initial grouping in the results. You will need to click another group tag (e.g., Entitlement Name) to see the next grouping, and so on. That is why each grouping is indented under the initial group. You can drag and drop to rearrange the grouping order. Once you have finished arranging your group tags, click the Apply button.
When you apply the groups, a box appears with a count of the number of groupings selected.
To modify applied group settings, click Add Group to edit your group settings. You can add or remove groups and drag and drop to rearrange the group order.
Step 7: To export your report to a .csv file with the final report options you have chosen, click on the Export Icon. Select the type of Exported Report you would like to export and click the Export button.
- Quick Export
- Advanced Export
Note: FINRA recommends that you certify your users on the same day you request the download to prevent having to perform a subsequent review of your users as the entitlement data may have changed since the download was requested.
Quick Export (default)
The Quick Export will display the data selected from the customization tools with only the numbers displayed for the Individual Entitlements Assigned to Account Outside of Role, All Entitlements Assigned to Account, and Number of Roles Assigned to Account per account.
Advanced Export
Only one sub-table, as shown below, can be exported when Advanced Export is selected.
- Report sub-table #1 – Individual Entitlements Assigned to Account Outside of Role
- The export will display the data selected from the customization tools with a listing of all Entitlements Outside the Role(s) and whether the account owner has User or Admin access.
- Report sub-table #2 – All Entitlements Assigned to Account
- The export will display the data selected from the customization tools with a listing of all entitlements within a Role(s) and Outside the Role(s) and whether the account owner has User or Admin access.
- Report sub-table #3 – Number of Roles Assigned to Accounts
- The export will display the data selected from the customization tools with the number of Roles per account. If you need to review the content of the Role, click on the Role link to review the Role entitlements from the Search Roles screen.
Step 8: Once export selections have been made, a message will prompt you to click ‘View Downloads’, which will take you to the Reports landing page.
From the Reports landing page, there is a section for Exports Ready for Download in the right margin. Files that are being prepared for export will appear in grey text. When the file is ready to download, it will appear as a blue hyperlink.
Step 9: The file will download as a zip file. Click to unzip the file. If more than one file is ready for download, the files will be sorted in descending order with the newest file at the top of the list.
Step 10: Open the Accounts Certification Report. Review the content and determine if any changes are required. Save this report and share it with other individuals within your organization to confirm that each individual’s entitlements, including access to applications, Roles, entitlements (privileges), and access to sensitive data, are appropriate for job responsibilities and that the last login date indicates continued access is required.
Step 11: Once you review, update if required, and verify information for all accounts, click ‘Certify Users’ to complete certification for your organization.
Step 12: Review the Terms and Conditions and click ‘I Agree’.
The system will display a ‘Successfully Completed’ banner and you will receive a confirmation email.
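One way to pre-screen the exported .csv before the Step 10 review, as an added example (not FINRA's code and not part of the original guide): it flags accounts whose last login is older than a threshold or that hold Admin-level entitlements outside a Role. The column headers, date format, 90-day threshold and sample rows are assumptions constructed for illustration; adjust them to match your actual export.

```python
import csv
import io
from collections import defaultdict
from datetime import date, datetime

# Constructed sample standing in for an Advanced Export of sub-table #1
# (Individual Entitlements Assigned to Account Outside of Role).
# Column headers and the date format are assumptions, not the real layout.
SAMPLE_EXPORT = """\
User ID,Last Login Date,Entitlement Name,Access Level
jdoe,2024-05-28,Example App A,User
jdoe,2024-05-28,Example App B,Admin
asmith,2024-06-01,Example App A,User
bwong,2023-11-02,Example App C,User
cnew,,Example App A,User
"""

STALE_AFTER_DAYS = 90  # assumed threshold; set it from your own policy


def triage(csv_text, today, stale_after_days=STALE_AFTER_DAYS):
    """Return {user_id: [reasons]} for accounts that need a closer look."""
    accounts = defaultdict(lambda: {"last": "", "admin": []})
    for row in csv.DictReader(io.StringIO(csv_text)):
        acct = accounts[row["User ID"].strip()]
        acct["last"] = row["Last Login Date"].strip()
        if row["Access Level"].strip().lower() == "admin":
            acct["admin"].append(row["Entitlement Name"].strip())

    findings = {}
    for user, acct in accounts.items():
        reasons = []
        if not acct["last"]:
            # Assumption: an empty date means the account never logged in.
            reasons.append("no recorded login")
        else:
            last = datetime.strptime(acct["last"], "%Y-%m-%d").date()
            age = (today - last).days
            if age > stale_after_days:
                reasons.append(f"last login {age} days ago")
        # Admin access granted directly, rather than through a Role,
        # deserves an explicit justification during certification.
        if acct["admin"]:
            reasons.append("Admin outside a Role: " + ", ".join(acct["admin"]))
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_EXPORT, date(2024, 6, 10)).items():
        print(user, "->", "; ".join(reasons))
```

The output is a review aid only; the decision to keep, edit, disable or delete each account still rests with the SAA before clicking ‘Certify Users’.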
18.4 Certification: Past Due
If an organization does not complete the User Accounts Certification by the due date, the certification status will change to Past Due. The Past Due banner informs the SAA of the Account Management functions that are disabled and these functions are no longer available for selection until certification is completed.
‘The 2022 FINRA Entitlement User Accounts Certification Period has ended and your organization did not certify your user accounts as required. The capability to create accounts, create and assign Roles, edit and import entitlements to accounts within your organization has been disabled and will remain disabled for all administrators until you, as the SAA, complete the certification process. For security purposes, administrators may continue to delete or disable accounts. In addition, failure to certify will include reassessment by the appropriate regulator and the suspension of all of your organization’s FINRA Entitlement accounts.’
Account Management Functions Disabled
SAAs and AAs of organizations that failed to certify by the due date will not be able to perform the following Account Management functions:
- Create accounts
- Edit account description (name, email, title, dept, phone etc.)
- Edit Entitlements
- Edit Org identifiers
- Assign/Unassign Roles
- Edit Account Access
- Import Entitlements
Role Management Functions Disabled
SAAs of organizations that failed to certify by the due date will not be able to perform the following Role Management functions:
- Create Roles
- Edit Role description
- Add entitlements
- Import entitlements
- Assign Roles
- Unassign Roles
- Delete Roles
How to Certify Post Due Date
Step 1: As the SAA, from the Admin landing page, view the FINRA Entitlement User Accounts Certification Past Due banner and click Start Certification to begin (see 18.3 How to Complete User Accounts Certification).
Once the Certification process has been submitted, all Account Management and Role Management functions will be restored.
If you need assistance or have questions, use the Contact Us/Need Help? section.