Skip to main content

FINRA Entitlement Program: Entitlement Reference Guide

This user guide is designed to assist Super Account Administrators (SAAs) and Account Administrators (AAs) in navigating through the Account Management System of the FINRA Entitlement Program.

Section 1: Super Account Administrator (SAA) Information


The FINRA Entitlement Program requires that each organization designate a Super Account Administrator (SAA). The SAA is entitled as an administrator to all applications participating in the FINRA Entitlement Program that are available to the organization. SAAs are responsible for managing the accounts at their organization by ensuring access is required and appropriate for each user and for the timely deletion of accounts when access is no longer needed to the FINRA Entitlement Platform.

1.1: Considerations for Designating an SAA:

  • Each firm/regulator must designate one SAA.
  • For firms with affiliates, the same SAA or a different SAA may be designated; however, each affiliate (with its Organization ID#) must provide a signed SAA Entitlement Form.
  • SAA must be formally delegated the authority by the organization/agency and as authorized in the New Organization SAA Form (or Update/Replace SAA Form) to perform the SAA responsibilities on its behalf. In order for FINRA to create an SAA account for a new organization, the designation must be executed on the current version of FINRA’s New Organization SAA Form (or Update/Replace SAA Form), as instructed, and be executed by an authorized signatory, as defined by FINRA.
  • An SAA may serve in this role for multiple organizations (affiliated or non-affiliated).

NOTE: a separate username and password is required for each organization.

The individual does not need to have an existing FINRA Entitlement Account.

1.2: SAA Designation

The FINRA Entitlement Program has two Super Account Administrator Forms. The New Organization SAA Form is used to designate an SAA when your organization is new and needs access to the FINRA Entitlement Platform. The Update/Replace SAA Form is used when your firm/regulator needs to replace the SAA or update the name and/or email of your current SAA.

Authorized Signatory Instructions and Requirements

The New Organization SAA Form is used to designate an SAA when your organization is new and requires access to the FINRA Entitlement Platform. This form has specific instructions and signature requirements noted in the form which must be met for processing. This form can be submitted electronically via DocuSign or a downloadable PDF submitted via email or mail. Only person(s) authorized to execute these agreements on behalf of the organization must sign the form. The SAA and the authorized signatory may be the same person only if there is no one at the Organization authorized to act as the authorized signatory (e.g., a sole proprietor). You must provide an explanation if you are authorized to execute this agreement on behalf of the organization but do not meet the authorized signatory requirements below.

  • Broker-Dealer (BD) and CAB Firms: An authorized signatory is the Chief Compliance Officer (CCO) or authorized officer (or other authorized person) listed on Schedule A of the Organization’s initial Form BD. The signatory and the designated SAA cannot be the same person.
  • Investment Adviser Firms: An authorized signatory is either the Chief Compliance Officer (CCO) or Additional Regulatory Contact (ARC) who will be listed on the organization’s initial Form ADV. The signatory and the designated SAA cannot be the same person.
  • Regulators: An authorized signatory is the Securities Commissioner, Chief Regulatory Officer or other authorized signatory. The signatory and the designated SAA cannot be the same person.

1.3: SAA Roles and Responsibilities

  • As an SAA, you are responsible for managing the accounts at your organization that require entitlement to the FINRA Entitlement Platform.
  • Self-entitle their own “User” privileges.
  • Self-edit their own account for phone numbers, title & dept.
  • Create and update privileges (entitlement) for AAs and individual users.
  • Create and manage Roles for your organization (See Section 17)
  • Assign and unassign Roles for your AAs and users (See Section 17)
  • Search for only those entitlements to which they are assigned Administrator privilege.
  • Perform password administration, such as unlocking accounts and resetting passwords.
  • Disable an account if you suspect an information security issue.
  • Delete an account immediately when the individual is no longer with the organization or no longer requires access to the FINRA Entitlement Platform per their job responsibilities.
  • Ability to see deleted accounts.
  • Ability to see FTP (M2M) accounts and certify.
  • Ability to monitor your accounts on a periodic basis by using the Account Details Report.
  • Certify all accounts at the organization for authorized access on an annual basis.

1.4: Updating or Replacing an Existing SAA

Complete the Update/Replace SAA Form to replace an SAA or update the name or email address of the current SAA. This form must be requested by an authorized signatory of your organization. An authorized signatory contacts the Gateway Call Center to request the Update/Replace SAA Form. The FINRA Entitlement Group confirms the identity of the requester and pre-populates the form with a unique identifier specific to the request. FINRA sends the form only to an authorized signatory at the organization, using the individual’s contact information on file.

  • For Broker-Dealers, the authorized signatory is the Chief Compliance Officer (CCO) or authorized officer (or other authorized person) listed on Schedule A of the firm’s initial or current Form BD.
  • For Investment Advisers, the authorized signatory is the Chief Compliance Officer (CCO) or Additional Regulatory Contact (ARC) listed on the firm’s initial or current Form ADV.
    NOTE: IA firms that have access to the FINRA Entitlement Program and need to replace their SAA but have not yet filed their initial Form ADV must use the New Organization SAA Form to replace or update their SAA.
  • For Funding Portals: An authorized signatory is the Chief Compliance Officer (CCO), Chief Executive Officer (CEO), Chief Financial Officer (CFO), Chief Legal Officer (CLO), Chief Operations Officer (COO) or a Director or any other individuals with similar status or functions and the signer and the designated SAA are not the same person.
  • Regulators: An authorized signatory is the Securities Commissioner, Chief Regulatory Officer or other authorized signatory.

When the completed form is returned to FINRA, the pre-populated information on the form must match the unique identifier that FINRA Entitlement provided. FINRA Entitlement assigns a unique identifier to each update/replace request and therefore, a firm/regulator must request another Update/Replace SAA Form for a subsequent request. Requests are made by contacting the Gateway Call Center. See the Contact Us/Need Help? Section on the right-hand side of the page for contact information.

1.5: How To Self-Entitle User Privileges as an SAA

As a new SAA, you will need to entitle yourself to any user privileges you need to perform your job responsibilities.

Step 1: Select your SAA account from the search results by clicking on the User ID hyperlink. 

Entitlement Reference Guide: Section 1.5 Search

Step 2: To add/remove entitlements, you need to select Edit Entitlements (under the Entitlement and Access Management tab), which will open a screen and allow you to update the entitlements. You can grant user entitlement for any privilege for which you are entitled as an Administrator. Selecting User allows you access to a specific functionality of the applicable application needed to perform your job responsibilities.

Image 1.5 Step 2 - Edit

As you are adding or removing entitlements, the shopping cart on the right-hand side of the screen is updated to provide an overview of the selected entitlements. Click Save to save your self-entitled privileges.

1.5 Step 2.2 Mark Priv
 

1.6: How To Entitle AAs With New Account Management System

As the SAA, you will need to grant AAs the user privilege for the entitlement labelled "Manage Access to New Account Management Application” in the Account Management application.

Entitlement Reference Guide: Section 1.6: Account Mgmt User

Section 2: Account Administrator (AA) Roles & Responsibilities


An AA is responsible for the following:

  • Create accounts for individual users.
  • Assign and unassign Roles for your users. If your SAA grants your account with this ability. (See Section 17)
  • Provide and update privileges (entitlement) for individual users.
  • Search for only those entitlements to which they are assigned administrator privileges.
  • Perform password administration, such as unlocking accounts, and resetting passwords for individual users.
  • Verify accounts periodically for authorized access.
  • Disable an account if you suspect an information security issue.
  • Delete an account immediately when the individual is no longer with the organization or no longer requires access to the FINRA Entitlement Platform per their job responsibilities.

An Account Administrator CANNOT:

  • Change or reset another Account Administrator’s password.
  • Change or set up their own account privileges (entitlement) or another Account Administrator’s account.
  • Change their own account, another Account Administrator’s account or their Super Account Administrator’s account.
  • See deleted accounts.
  • Create Roles.

NOTE: An AA who needs assistance and is with an organization that has an SAA should contact their SAA. An AA who needs assistance and is with an organization that does not have an SAA should contact the FINRA Gateway Call Center. See the Need Help? Section for contact information.
 

Section 3: How To Access Account Management Functionality


The Account Management functionality can be accessed several ways:

3.1: Supported Browsers

Supported Browsers

For more information on Supported Browsers, see Upgrade Your Web Browser.

3.2: Organizations and Regulators

Step 1: Access the FINRA Gateway and on the landing page, select the Admin icon from the left side menu bar and select the Accounts (New) link to access the Account Management functionality.

3.2 Step 1 Account (New)

  • If your organization has certified, you will be taken to the new EWS Account Management System.
  • If your organization has not certified, you will be taken to the legacy EWS Account Management System to complete the certification process.

Result: The New EWS Account Management: Start New Search screen opens (once certified).
 

Section 4: Setting Up a New SAA Account


Step 1: Enter your user ID and the temporary password provided by FINRA Entitlement in the User ID and Password fields. Read the Privacy Policy and Entitlement Program Terms of Use, and click Accept and Continue.

Section 4 Step 1 - Login

Step 2: Complete the User ID, Temporary Password and New Password fields; you can hold the cursor down on Show to see the actual characters entered in each of these fields. Then click Save.

Section 4 Step 2 - Reset

Step 3: Select your Security Information questions, type your responses in the appropriate Answers fields, and click Continue.

Section 4 Step 3 - Security

NOTES:

  • Each set of questions has a drop-down list that can be used to select your question. Once you have selected the question, provide the appropriate answer.
  • If you are using your personal computer and you trust the device/computer, you can click the Remember this computer checkbox. If you leave the checkbox unmarked, you will be presented with a security question with each login.
  • Upon completion of password reset and security information, the FINRA Gateway or the Funding Portal Gateway home screen appears. Your account is now active and you can navigate through the application as needed. You can begin creating user accounts for users at your organization who require entitlement to FINRA.

ADDITIONAL NOTES:

  • Once you have saved your security information, you will periodically be presented with a security question when you login. Or, if you have not selected the Remember this computer checkbox, you will be presented with a security question with each login.
  • Five incorrect entries of your password will lock your account. You will need to contact your SAA or wait an hour for your account to auto-unlock.
  • View FINRA Entitlement Program Frequently Asked Questions.
     

Section 5: How To Search For and View an Account


As an administrator, you are responsible for managing your users’ accounts. You must first search for the accounts you need to edit or delete.

The Accounts page defaults to displaying all the active accounts in your organization. Only the SAA can filter the list to include deleted accounts or exclude active accounts by updating the checkboxes in the Status section.

Section 5 - Active

Step 1: Use the Search Box to find an account. Type in the account owner’s user ID, name or email address. If you need an exact match, place quotes around the search text (e.g., “john smith”)

Section 5 Step 1 - Search

Section 5 Step 1 - Search 2

Step 2: As an SAA, you can identify deleted accounts by selecting the Deleted Status filter for a list of deleted accounts. A trash can displays next to each deleted account.

NOTE: Filters are dynamic and will show up only when applicable. To remove all filters, click on Clear Filters at the bottom of the left-hand menu.

Section 5 Step 2 - Delete

NOTE: The option to see deleted accounts is only available to the SAA.

Step 3: Filter accounts by Org Class. SAAs have the ability to filter accounts by Org Class (e.g., FTP) by selecting one or more checkboxes in the Org Class Filter section.

NOTE: The option to see FTP accounts is only available to the SAA.

Section 5 Step 3 - FTP

Step 4: Identify SAA, AA or non-admin accounts. Select the User Type of the account you want to see.

NOTE: The SAA/AA will be able to search for only those entitlements to which they are assigned administrator privilege(s).

Section 5 Step 4 - SAA-AA

Step 5: Search by entitlements assigned to account. Click + Entitlement and search by entitlement name.

Section 5 Step 5 - Entitlement

Step 6: Identify Machine to Machine (M2M) accounts. Select Yes in the M2M filter to see accounts that are non-human and are used for machine-to-machine interaction such as FTP accounts.

NOTE: The machine to machine (M2M) filter appears only to the SAA.

Section 5 Step 6 - M2M

Step 7: Identify accounts with identifiers. Select TRACE MPID, EQUITY MPID or MSRB identifiers to see accounts that have a given identifier assigned to them.

Section 5 Step 7 - Identifiers

NOTE: Only those identifiers that are assigned to the SAA/AA will be displayed.

Section 5 Step 7 - Identifiers 2
 

Section 6: How To Create an Account


As an SAA or AA, you are responsible for managing the accounts of users at your organization.

Step 1: On the FINRA Account Management System landing page, select the Create New Account button in the right-hand corner.

Section 6 Step 1 - Create

Step 2: A new screen will open and display the Create Account form followed by a section to create/generate user credentials. First complete the Create Account section by entering the name, email address, phone number and other attributes related to the account owner.

Section 6 Step 2 - Create

Step 3: Next, create a new user ID and password for the account in the User Credentials section.

Section 6 Step 3 - Create

Step 4: When the account credentials are generated, the Create Account button will be activated. When the administrator clicks the Create Account button, the account will be created. Once the Create Account button has been selected, the automated emails will be sent with their User ID and Reset Password screen. The administrator can then modify/edit the account to update user information and/or add entitlements to the account.

NOTES:

  • All fields marked with an asterisk (*) are required to create a new user account. To systematically generate a User ID, enter the user’s first and last names into the appropriate fields and click the Generate User ID hyperlink. To systematically generate a password, click the Generate Password hyperlink.
  • A new account automatically defaults to an initial account status of Active, meaning the user can access the appropriate application as soon as they are provided with the user ID and password.

Step 5: To add entitlements to the newly created account, the administrator will select the Entitlement and Access Management tab at the top of the screen.

Section 6 Step 5 - Edit

Step 6: To assign/unassign MPID (TRACE & EQUITY) & MSRB identifiers and the related entitlements that are assigned to an account, use the Org Identifiers and Related Entitlements section in the Entitlement and Access Management tab.

Section 6 Step 6 - Identifiers

Step 7: Select Edit to assign/unassign MPIDs or an MSRB to an account

Section 6 Step 7 - Identifiers

Step 8: The screen opens displaying the identifiers assigned to the accounts. You can check the boxes to add new identifiers and their related entitlements or uncheck to unassign the existing identifiers.

Section 6 Step 8 - Identifiers

  • If you are adding an identifier for the first time to the account, you need to select the related entitlements that appear below in the screen.
  • If you are removing the identifiers related to an entitlement, you need to unselect the entitlements before hitting Save.
  •  When you select Save, you are assigning/unassigning the identifiers and the related entitlements.

NOTE: An AA can assign/unassign only those identifiers and related entitlements that they have administrative capabilities for. In some instances, the AA may not be able to see all the identifiers & related entitlements because the SAA has not assigned those to the AA.

Step 9: To assign/unassign entitlements that are assigned to an account through the Entitlements section in the Entitlement and Access Management tab, click on Edit Entitlements.

Section 6 Step 9 - Edit

The application entitlements displayed in this section are those that are assigned to the account.

Section 6 Step 9 - Edit 2

Step 10: To see the detailed entitlements that are assigned to an account, select Expand All on the right-hand corner of the Entitlements section. If you need to see entitlements assigned to an application entitlement, select the + symbol.

Section 6 Step 10 - Identifiers

Step 11: To add/remove entitlements, you need to select Edit Entitlements, which will open a screen and allow you to update the entitlements. You can grant user entitlement for any privilege for which you are entitled as an Administrator. Selecting User allows the user access to a specific functionality of the applicable application needed to perform their job responsibilities.

Section 6 Step 11 - Edit

As you are adding or removing entitlements, the shopping cart on the right-hand side of the screen is updated to provide an overview of the selected entitlements.

Section 6 Step 11 - Privs

The application-level entitlements (e.g., Account Management) are referred as the parent entitlements, and the entitlements related to the features or functionality within an application (e.g., Change Password) are referred to as children entitlements.

Section 6 Step 11 - Parent Child

Step 12: If you remove all children entitlements without deselecting the parent entitlement, you will receive a pop-up to confirm that you want to leave the parent entitlement for the account.

NOTE: If you are an administrator for other applications, the other applications and corresponding privileges will appear on this page. Each application has its own section within this screen.

Result: The new user account is now completed and ready.
 

Section 7: How To Import an Account


The ability to clone accounts has been enhanced and relabeled as the Import Entitlements feature. The purpose of this new feature is to import entitlements to a newly created account or to add entitlements to an existing account. You can import entitlements from multiple accounts as many times as required with this new feature.

The Import Entitlements feature saves time when you have several users at your organization who use the same applications and privileges. You can access an existing user’s account and import that user’s entitlements for each individual who requires the same applications and privileges. You can also add or modify any applications or privileges to the new user’s account during the import process.

Step 1: On the New Account Management landing page, search and select the account you want to import entitlements to. Refer to Section 5 on how to search an account. Select Import Entitlements on the right-hand corner of the Individual Information page.

Section 7 Step 1 - Import

A screen will open with the ability to search for an account by name, user id or email to import entitlements from. This account must exist within the same organization.

Section 7 Step 1 - Import 2

Section 7 Step 1 - Import 3

Step 2: The entitlements and identifiers (MPIDs, MSRB) for the selected account will appear, and you can select additional entitlements or deselect the ones that are not required for the account by checking/unchecking the checkboxes.

Section 7 Step 2 - Import

Step 3: Select Import Entitlements at the bottom of the screen, and a pop-up will appear with the summary of entitlements selected for the account. Select Yes, and the entitlements will be added to the account.

Section 7 Step 3 - Import

NOTE: “Firm” and “Other” Organization classes do not have the ability to import entitlements to a File Transfer Protocol/Internet File Transfer (FTP/IFT) account. Only the FINRA Entitlement Group can create FTP/IFT accounts.
 

Section 8: How To Edit an Account


Step 1: Select the account you would like to view/edit from the search results by clicking on the User ID hyperlink. 

Section 8 Step 1 - Edit

Step 2: As an SAA/AA, you can update the following information for an account in your organization in the Summary section:

  • Name
  • Email Address
  • Phone number
  • Cell Phone
  • Department

Section 8 Step 2 - Edit

NOTE:

  • An SAA cannot edit their own account (except for the phone numbers, title and department).
  • An AA cannot edit their own account or another AA’s account. They need to contact the SAA.

Step 3: To modify entitlements, you need to select Edit Entitlements, which will open a screen and allow you to update the entitlements. You can grant user entitlement for any privilege for which you are entitled as an administrator. Selecting User allows the user access to a specific functionality of the applicable application needed to perform their job responsibilities.

Section 8 Step 3 - Edit

As you are adding or removing entitlements, the shopping cart on the right-hand side of the screen is updated to provide an overview of the selected entitlements.

Section 8 Step 4 - Edit
 

Section 9: How to Disable, Enable or Delete an Account


Step 1: Select the account you want to disable or delete. The following actions can be performed by an SAA/AA and are listed on the header:

  • Disable – this option is appropriate if you would like to temporarily suspend access to the account.
  • Enable – this option only appears if an account has been disabled by an administrator. (See the note below for accounts disabled by FINRA Admin.)
  • Delete – this option is appropriate if the individual is no longer with the organization, does not need access to the Entitlement Platform or if there is a security issue.

Section 9 Step 1 - Disable

NOTE:

  • A SAA/AA cannot delete/disable their own account. An AA cannot delete/disable another AA’s account.
  • Accounts disabled by FINRA Admin cannot be enabled by the SAA/AA. You are required to call the Gateway Call Center to enable your account.

IMPORTANT TIPS WHEN DELETING USER ACCOUNTS

  • It is important not to delete a user in error because the user will lose access to all participating FINRA Entitlement applications.
  • If you delete a user in error, create a new account for the user and entitle them to any applications and privileges they need.

If a user is entitled to more than one application (e.g., Web CRD, IARD, and FINRA Report Center) and they no longer need access to one of those applications, DO NOT delete the user’s account. The quickest way to remove all privileges for a specific application is to deselect the parent privilege. The system will then ask if you want to remove all child entitlements associated with the parent. Select Yes and the privileges for that application will be removed.

Section 10: How To Request an Account Details Report


The Account Details Report can be accessed in three (3) different ways:

  1. Admin page 
      Entitlement Reference Guide - Section 10 - 10.0 admin page
     
  2. Search page 
      Entitlement Reference Guide - Section 10 - 10.0 search page
     
  3. Reports page  Entitlement Reference Guide - Section 10 - 10.0 reports page

Step 1: Selecting the Account Details Report link from any of the three options will open the Account Details Report. This report provides the capability to monitor your users and permissions on a periodic basis.

Note: The Account Details Report is available to both SAAs and AAs. The report is based on the SAA’s or AA’s entitlement and search criteria.

Once the report template is open, you can use the template tools to customize/download the report content. These tools are located in the top right corner: Columns, Filter, Group, Save and Export.

Entitlement Reference Guide - Section 10 - 10.1 export screen

To view the entitlements per account from the report template, click the   symbol in the Entitlement Column next to the number of entitlements. The list of entitlements with their access level will appear. Click the    symbol to hide the entitlements.

Entitlement Reference Guide - Section 10 - 10.1 export privs

 
Step 2: To customize the report, click the Columns icon in the top-right corner. A pop-up window will open with the list of All Columns and Selected Columns. To select a column, check the checkbox from the Column list and click the Apply button. To deselect a column, uncheck the checkbox from the Selected Column list and click the Apply button.

Entitlement Reference Guide - Section 10 - 10.2 columns screen

 
Step 3: To filter the report, click the Filter icon in the top-right corner. The filter feature allows you to filter the report based on certain data criteria. For example, If you would like to view the SAA account data on the report, you can filter by SAA Equals to Y and click the Apply Filter button. Once you have completed setting all your filters, click the Done button.

Entitlement Reference Guide - Section 10 - 10.3 filter screen

 
Step 4: To save the report, click the Save icon in the top-right corner. A pop-up window will appear. Type the title you would like to use in the Table Name field, and then click the Save button.

Entitlement Reference Guide - Section 10 - 10.4 save as

 
The report will be saved on the My Reports tab on the Reports Landing page.

Once you have saved the changes, the name of the template will change to the name you provided. The Account Details template will remain unchanged. The template you created will be available under My Reports on the Reports Landing page. Every time you open the template, it will contain the most up-to-date data available.

Entitlement Reference Guide - Section 10 - 10.4 reports screen

 
Step 5: To export the report, select the Export icon in the top-right corner. Currently, the report can be downloaded and exported in the CSV format.

Select what you would like to export and click the Export button.

Entitlement Reference Guide - Section 10 - 10.5 export

 
When you select Export in the pop-up window, a message will appear that the file is being prepared for download.

Step 6: Select the View Downloads link in the message or click on the zip file in the Exports Ready for Download section.

Entitlement Reference Guide - Section 10 - 10.6 download

 
Step 7: Choose how you would like to open the zip file.

Entitlement Reference Guide - Section 10 - 10.7 zip file

 
Step 8: Open the exported Excel report file.

Entitlement Reference Guide - Section 10 - 10.8 open excel

 
The report displays in a CSV file format.

Entitlement Reference Guide - Section 10 - 10.8 excel report

Section 11: How To Review Accounts


As an SAA, you have several responsibilities:

  • You are the sole authorizer and manager of access for all the accounts at your organization on the FINRA Entitlement Platform.
  • You serve as the primary contact on all entitlement-related issues.
  • You need to review accounts on a periodic basis to validate if access is still needed based on the individual’s job responsibilities.
  • You are also required to certify all accounts annually for the FINRA Entitlement User Accounts Certification Process.

These are some best practices to keep in mind when reviewing accounts:

  • Validate that each user has a continuing need to access FINRA application(s) on the organization’s behalf.
  • Verify that each user is entitled only to the applications and privileges needed to perform current job responsibilities.
  • Ensure that only users who require access to sensitive data (e.g., Criminal History Record Information, Social Security or tax identification numbers, dates of birth) are entitled to access this type of data.
  • Review last login date for each user to determine frequency of use. If several months have gone by, question the user as to the need for continued access. See Section 11.2 for where to find the last login date.

11.1 Review Last Login Date on Search Card

Step 1: Use the Search Box to find an account. Type in the account owner’s user ID, name or email address. If you need an exact match, place quotes around the search text (e.g., “john smith”)

Step 2: From the individual search card, you will see the last login date on the right side of the entry. Review the last login date to validate that the individual’s account has been used recently or if months have gone by without the user logging on. If the last login date is months ago, ask the user about their access to determine if the account is still needed or should be removed. Note that FINRA considers accounts that are inactive for a designated period of time as dormant and deletes these accounts. See Section 16 on Dormant Accounts.

Review Last Login Date on Search Card

11.2 Review Last Login Dates on Account Details Report

Step 1: As the SAA, request the Account Details Report (see Section 10). In the report, you will see the last login date as one of your selected columns. Review the last login date to validate that the individual’s account has been used recently or if months have gone by without the user logging on. If the last login date is months ago, ask the user about their access to determine if the account is still needed or should be removed.

11.2 Review Last Login Dates on All Accounts Report

11.3 Review Account Status

Step 1: On the Main Search Page, review your user’s account statuses located on the left side of the Search Cards. Review to see if any of the accounts are Disabled, Password Lockout or Security Question Lockout and confirm with the user if the account is still needed or should be removed. If no longer needed, delete the account, if needed, update the account to the Active status. 

Section 11.3 Review Account Status

Section 12: How To Reset a Password


If a user has problems logging in to their account, it may be because:

  • They have forgotten the password or the password has expired.
  • They have unsuccessfully entered their password more than five times in the past hour and have been locked out.
  • They have unsuccessfully entered their security questions more than five times and have been locked out.
  • They have been disabled intentionally, either by an Account Administrator or by the FINRA Entitlement Group.

As an SAA/AA, you can reset an account’s password and/or security questions through the Account Settings Credentials section.

Step 1: Select Reset Password in the Account Settings Credentials section.

Section 11 Step 1 - Reset Password

Step 2: A Password Reset Dialog box is presented to the user, and upon confirmation, a password reset link will be sent to the email address associated with the account.

Section 11 Step 2 - Reset Password

Section 11 Step 2 - Reset Password 2

Password Information

See the Password Requirements page for a list of password parameters and features.

Password Security Information:

Section 11 Step 2 - Reset Password 3

  • Users who forget their password can click on the Forgot User ID or Password? link on the login screen to request a new password. The user will be prompted to enter their user ID, the email address associated with the account, and then answer a security question.

Section 11 Step 2 - Reset Password 4

  • Five incorrect password attempts within one hour will result in a locked account. The account will auto-unlock after one hour. Accounts can be unlocked sooner than one hour if users contact their SAA or AA. If it is an SAA account, they need to contact the FINRA Gateway Call Center.
  • Users who have five incorrect security response attempts need to contact their SAA or AA for a reset; or if it is an SAA account, they need to contact the FINRA Gateway Call Center.
     

Section 13: How To Change the User Account Status


View and evaluate the user’s Account Status

Step 1: For a disabled account, click on the Action hyperlink and select Enable Account.

Section 12 Step 1 - Enable

Status Legends/Symbols

Active

Active Account – able to access the FINRA Entitlement Platform Application privileges assigned.

Disabled by Non-FINRA Account Administrator

Account that has been disabled by the SAA or AA at the organization.

Disabled by FINRA Administrator

Account that has been disabled by a FINRA Entitlement Administrator.

Password Lockout

Five incorrect password attempts within one hour will result in a locked account. The account will auto-unlock after one hour. Accounts can be unlocked sooner than one hour if users contact their SAA or AA. If it is an SAA account, they need to contact the FINRA Gateway Call Center.

Security Questions Lockout

Five incorrect security response attempts need to contact their SAA or AA for a reset; or if it is an SAA account, they need to contact the FINRA Gateway Call Center.

Delete

Access to this account has been removed permanently from the FINRA Entitlement Platform.

 

Section 14: FINRA Security Questions Feature


The first time a user logs in to a FINRA Entitlement application/system (e.g., Web CRD, IARD), the user will be required to select three security questions and provide responses to each question. On subsequent logins, a user may be asked to provide the responses to the security questions they selected in order to further verify the user’s identity. This security feature is similar to those used by financial websites as an additional safeguard against unauthorized access.

Once users have saved their security information, they will be periodically presented with a security question. Or if they have not clicked the Remember this computer checkbox, they will be presented with a security question each time they login.

As the AA or SAA, you may need to assist your users if the following occurs:

  • Five incorrect responses to security questions will lock their accounts. They will need to contact an SAA or AA.
  • Five incorrect entries of their password will lock their account. They will need to contact an SAA or AA.
  • View FINRA Entitlement Program Frequently Asked Questions for more information.

14.1: How to Reset Security Questions

Step 1. Select Change Security Questions in the My Profiles section.

Result: The Individual Information screen appears.

Section 13 Step 1 - Reset Security

NOTE: An SAA/AA cannot reset the password/security questions for their own account. An AA cannot reset the password/security questions for another AA’s account.

14.2: How To Change Your Security Questions and Answers

Step 1: A user can change their security questions at any time by clicking on the red dot in the upper right hand corner, selecting My Account and clicking the Change Security Question link.

Result: The My Account: Personal Profile screen appears.

Section 13 Step 1 - Reset Security 2

Step 2: Select Change Security Questions.

Result: The My Account: Security Questions screen appears.

Section 13 Step 2 - Security

Step 3: Change your security questions and answers as desired, then click Change Security Questions.
 

Section 15: How To Log Out


Step 1: A user can log out at any time by clicking on the red dot in the upper right-hand corner and selecting Sign Out.

Section 14 Step 1 - Log Out

The Logout Successful screen will display. To log back in, select the Click to Login Again button. Follow the prompts to log back in.

Section 14 Step 1 - Log Out 2

ADDITIONAL NOTES:

  • When you log out, your browser could contain a memory of the account information viewed during your session. For added security, we recommend that you close your browser window.
  • If you are inactive for 27 minutes, you will get a Session Timeout prompt. If you don’t select Stay, you will be logged off. If you select Stay, the clock will be reset.

Section 14 Step 1 - Log Out 3

Example of the 27-minute timeout prompt.

Section 16: Dormant Accounts


Accounts are considered dormant if they are not used for a defined period of time. For security reasons, FINRA deletes dormant accounts. Currently, accounts become dormant 16 months after the last successful authentication (i.e., login date). (Note that CAT privileges are removed from an account after 12 months of inactivity).

Although an SAA account should never go dormant based on an SAA’s responsibilities, if an SAA’s account is deleted due to dormancy, there is significant impact to the organization. All of the organization’s accounts will lose system access until another SAA account is established. To reestablish an SAA, the firm will need to contact FINRA.

As the SAA or AA, consider the following best practices to avoid dormant accounts:

  • Perform periodic reviews to ensure individuals are using their accounts based on their job responsibilities (e.g., check last login date available for each account in Account Management) and question a user if several months have elapsed without use.
  • Delete account(s) when the individual no longer requires access per their job responsibilities or is not using their account.
  • Remember to log in periodically to prevent your own account from going dormant.

Section 17: How To Manage Roles


Benefits of Roles:

  • Roles allow an organization to more effectively manage entitlements by grouping entitlements by job functions, positions, or other areas of responsibilities that meet the needs of an organization.
  • Roles provide an efficient way to assign access for users, as the admin no longer needs to select each entitlement for an account.
  • Roles may offer more secure access as users performing the same job functions or responsibilities share the same level of access.
  • Roles are customizable to maximize flexibility.
  • Role Templates are available for certain types of organizations to use when creating their own Roles.
  • Roles offer an easier way to review users’ access. In addition, Roles will display for annual account certification, which provides a more effective and efficient way to validate accounts.

Considerations When Using Roles:

  • Roles are optional. Consider the number of users in your organization and the job functions and responsibilities they perform to determine how to best use Role functionality for your organization.
  • Only SAAs are able to create Roles for their organizations.
  • Roles can be classified as Admin Roles or User Roles, based on the privilege level selected for the entitlements.
  • Roles in an organization cannot share the same name.  When creating a Role, choose a name that best describes the Role.
  • When creating Roles, add a description for each Role with enough detail to assist with account reviews and Role assignments.
  • Consider creating a Role for access to sensitive data (e.g., Criminal History Record Information, Social Security numbers) and assign this Role to only those users that require this level of access.
  • Role functionality does not support MPIDs and related entitlements so you cannot add to a Role. Use Account Management to assign MPID entitlement.
  • Only Active Roles may be assigned to accounts.  Incomplete (Roles that have no entitlements assigned and are active) and Deleted Roles (Roles that are not active) cannot be assigned.
  • More than one Role may be assigned to an account.
  • SAAs may grant their AAs with the ability to assign Roles to users. However, the AA must have Admin privileges to ALL entitlements the Role includes in order for the AA to be able to assign that Role to a user.
  • SAAs may control which Roles an AA can assign based on whether the AA has Admin privileges to all entitlements of Roles.  
  • AAs with Role assignment functionality will be able to view all Roles in the organization even if the AA cannot assign all Roles.
  • Before assigning a Role(s), verify that the users require access to all the applications and privileges in the Role to perform current job responsibilities. If not all access is required, consider modifying the Role or creating a new Role to assign to the users.
  • A Role may be modified; however, modification will update all accounts that are assigned to that Role.
  • If an SAA assigns an Admin Role to a user account, that user account will be converted to an Account Administrator (AA). If the SAA removes the Admin Role from an account, that account will revert to a user account. 
  • Delete a Role if obsolete.
  • Role functionality works the same for both Firms and Regulators.

As a Super Account Administrator (SAA), you are able to:

  • Create and manage Roles for your organization
  • Assign and unassign Roles for your Account Administrators (AAs) and users

As an Account Administrator (AA), you are able to:

  • Assign and unassign Roles for your users, if your SAA grants your account with the functionality for role assignment

17.1 How To Create Roles

Step 1: As the SAA, select Create Roles from the Admin landing page.

Step 1 - Create Role

Step 2: Stage 1- Role Information

From the Create Role screen, enter the Role Information (i.e., Name and Description), and click Next.

  • Role Name - This field is 50 characters and must be unique for each role. Choose a name that best describes the Role.
  • Role description – This field is 250 characters. When creating Roles, add a description for each Role with enough detail to assist with account reviews and Role assignments.

The Next button will take you to the next step called Entitlements/Role Templates.

Step 2 - Create Role

Step 3: Stage 2-Entitlements/Role Templates

From this screen, there may be two options available to create a Role for your organization:

  • Option A -Import Entitlements from a Role Template To Create a New Role. FINRA creates Role Templates, which can be customized. This option is only available to specific types of organizations.
  • Option B -Select Individual Entitlements to Create a New Role specific to your organization’s needs. This option is available to all organizations with Role functionality.

Step 3 - Create Role Options

Option A - Select Import Entitlements from a Role Template to Create a New Role

This option is only available to specific types of organizations.

Step 1: Select a Role Template Created by FINRA

There are several Role Templates created by FINRA to help you create a Role. The Role Templates are focused on functional responsibilities of an organization.

Step 3 - Option A

Firm Role Templates Created by FINRA

Operations

Registration

Organization

Regulator Role Templates Created by FINRA

Registration

Query without SSN

Query with SSN

When selecting a Role Template to create a new Role, you can either use the Role Template with the entitlements that are listed in the template, or you can choose to customize the Role Template to best meet the needs of your organization.

Option A - Step 1

Step 2:  As shown in the example below, the Operations Role Template created by FINRA has been selected by a firm. You may either mark the All User box to indicate that you want all user privileges for this Role Template to be included, or you may customize the Role Template by marking only the specific user privileges based on the needs of your organization as shown below.

Note: As you are adding entitlements to the Role, the shopping cart on the right side of the screen will update to show you the entitlements that have been selected for the new Role. Click the Next button to take you to the next step called Review & Create Role.

Option A - Step 2

Step 3:  From the Review & Create Role step, you may continue to add entitlements to the new Role by clicking on Import More Entitlements From Role Templates or, to further customize the Role, select Add More Entitlements. At this time, you may edit the Role Name and Description. Also, write a Description that best explains the functional responsibilities of the Role to assist with account reviews and user assignments.

  • Role Name - This field is 50 characters and must be unique for each role. Choose a name that best describes the Role.
  • Role description – This field is 250 characters. When creating Roles, add a description for each Role with enough detail to assist with account reviews and Role assignments.

Once you complete your review of the Role and are satisfied with the entitlements, name and description, click Create Role. If the Role name matches an existing Role name, the system will produce an error and you will need to change the Role name. Once the Role is successfully created, it will be available to assign to accounts.

Type: User Role
Name: Compliance Role
Status: Active (Role available to assign)

Option A - Step 3

Note: If you need to change the Role name, it must be done in the Review and Create Role step. Once the Role is created, the Role name cannot be changed.

Cancel Role Creation
If you decide not to create a Role, you can cancel the Role creation process by selecting Cancel, though you must cancel before you select “Create Role”.

Option B – Select Individual Entitlements to Create a New Role

Step 1:  Stage 1- Role Information

From the Create Role screen, enter the Role Information (i.e., Name and Description), and click Next.

  • Role Name - This field is 50 characters and must be unique for each role. Choose a name that best describes the Role.
  • Role description – This field is 250 characters. When creating Roles, add a description for each Role with enough detail to assist with account reviews and Role assignments.

The Next button will take you to the next step called Select Individual Entitlements to Create Role.

Option B - Step 1

Step 2:  Stage 2-Entitlements/Role Templates

Select Individual Entitlements to Create Role for when the SAA wants to build a new Role and customize by marking specific entitlements that the Role requires. 

Option B - Step 2

When building a new Role for a user, the SAA will scroll through the entitlements and mark the specific user privileges that will be needed to fulfill the job responsibilities and functions of the Role.  See the example shown below.

Click Next. The Next button will take you to the next step called Review & Create Role.

Option B - Step 2(2)

Step 3:  From the Review & Create Role step, you may continue to add user entitlements to the new Role by clicking on Import More Entitlements From Role Templates or to further customize the Role, select Add More Entitlements. At this time, you may edit the Role Name and Description. The system will prevent you from using a Role Name that already exists for your organization.  Also, write a Description that best explains the functional responsibilities of the Role to assist with account reviews and user assignments. Once you complete your review of the Role and are satisfied with the entitlements, name and description, click Create Role. This Role will now be available to assign to accounts.

Type: User Role
Name: Operations Specialist
Status: Active (Role available to assign)

Option B - Step 3

Creating Roles for Account Administrators (AAs)

When creating Roles for AAs, follow the same process as when creating User Roles, except mark Admin for the specific privileges required, and mark the specific user privileges that the Admin Role needs.

Role Types
User Role
- A User Role is comprised of entitlements that have a User privilege level. A User Role is required by a user in your organization to access systems and/or functions related to a specific system to perform a task related to their job function.

17.1 Role Types-User Role

Admin Role – An Admin Role is comprised of Admin level privileges for the entitlements assigned to the Role. An Admin Role can be assigned to Account Administrators (AA), who in turn can assign the Role to other users in their organization.

17.1 Role Types-Admin Role

Both User & Admin Role –A User & Admin Role is comprised of both Admin & User level privileges for the entitlements assigned to the Role. An Admin Role can be assigned to Account Administrators (AA), who in turn can assign the Role to other users in their organization as well as access FINRA systems and/or functions related to a specific system, as per the user entitlements that are included in the Role.

17.1 Role Types-Admin 2 Role

17.2 How To Assign Roles

This section explains Role assignment.

  • The SAA has the ability to assign Admin and User Roles.
  • An AA that is granted Assign Roles by the SAA can assign Roles to Users.  AAs will only be able to assign a Role when they have Admin access to all privileges in the Role.

There are 2 ways for a SAA to assign a Role to an Admin or user:

  • Option A – Assign the Role through the Role (Create a Role/Search for a Role)
  • Option B – Assign the Role from an individual user’s or AA’s Account

Option A – Assign the Role through the Create Role Functionality

Step 1:  Once the SAA creates a Role, the Role may be assigned to users that require the Role. You can assign Roles using the Create Role functionality.  Select the Users tab and click the Assign box to assign a Role. In the example below, the Compliance Role will be assigned to a user account that is called Non-Admin User.

Option A - Step 1

When assigning Roles, if you assign a user account to an Admin Role, the user account will be converted to an Account Administrator (AA) with that Role.  If that is not your intent, remove the AA Role to revert the account to a user with the entitlement the account previously had prior to the Role assignment.

Step 2:  Once the Role has been assigned, search for user’s account, click on the Entitlement and Access Management tab and click on Roles to see the account with the assigned organization’s Role.

Option A - Step 2

Option B- Assign the Role from a User or AA account.

Step 1:  From the Admin landing page, select Search Accounts.

17.2 B Step 1 Search Accounts

Step 2:  Use the Search box to find the account. Select the account and click on the user ID.

Option B - Step 2

Step 3:  Select Entitlement and Access Management, then click Roles.

Option B - Step 3

Step 4:  From the Roles section, you have the option to assign Role(s) that the SAA created.  Both Admin (AA) Roles and User Roles are listed as categories for the types of Roles that may be created, though the category will only show the Roles if the SAA has created any.  For example, as the AA, if no AA Roles have been assigned and you are presented with the Edit Admin Roles Link, you will be able to assign an Admin Role.  Choose the Role category based on the Role you want to assign.

The ability to Edit a Role will only display if the functionality is permissible to the AA.

  • Edit Admin Roles link: assign/unassign Admin Role
  • Edit User Roles link: assign/unassign User Role

Option B - Step 4

When assigning Roles, if you assign a user account to an Admin Role, the user account will become an AA with that Role.  If that is not your intent, remove the AA Role to revert the account to a user with the entitlement the account previously had prior to the Role assignment.

17.3 How To Search Roles

Step 1:  As the SAA, select Search Roles from the Admin landing page.

17.3 Step 1 Search Roles

Step 2:  From the Search Role screen, you can do the following:

  • Create a new Role
  • Click on an existing Role to view, add, or delete entitlements
  • Click on an existing Role to delete the Role
  • Use the filters to search for specific Role characteristics (e.g., Active, Deleted, Role Type, Entitlements)
  • View accounts that are already associated with a specific Role from the corresponding Actions link on the right side. If there are no accounts associated with the Role, Action link displays “No Action Available”
  • Review Role Icon Definitions

    Active

    Role available to assign

    Delete

    Role is no longer available to assign

    Incomplete

    Role with no Entitlements

Step 2 - Search Roles

Once Search Roles has been selected from the Admin landing page, the Roles screen will appear and default to all Active Roles. If there are no Roles created for your organization, there will be ‘0’ results displayed.

17.3 Step 2 Role Status

  1. Filters for Search Roles:

    The Search page has the following filters to assist you in searching for a Role:

    1. Role Status
      • Active – By default
      • Deleted – All the Roles that have been deleted
    2. Role Type
      • User – identify all Roles that have only User entitlements
      • Admin – identify Roles that have Admin only or User/Admin entitlements
      • Incomplete – identify Roles that do not have entitlements assigned to them

      17.3 Step 2 Role Type

    3. Entitlements:

      Search for Roles based on the entitlement(s) assigned to the Role. For example, identify the Roles that have CRD entitlement with User privilege.

      • Select entitlements

        17.3 Step 2 Entitlements

      • A pop up opens
      • Type in CRD in the search bar
      • Select Next on the search results
      • When you see CRD entitlement, select User privilege
      • Click Save

17.3 Step 2 Entitlements CRD

All Roles with CRD User entitlement will be displayed in the Search results.

Each Search result displays the following information about the Role:

  • Role Name – Unique name assigned to a Role
  • Role Type – Admin, User or Incomplete
  • Updated Date – Date the Role was last updated/modified
  • Description – Details to assist with account reviews and Role assignments

17.3 Step 1 Search Role Screen

  1. Actions:
    • View Assigned Accounts – This action enables the SAA to view all the accounts assigned to the Role. When selected, Account Management application will open in a new tab, with the Role filters selected, so that you can see the individual accounts that have been assigned to the Role.

17.3 Step 1 View Assigned Accts

  1. Other Features in Search Roles:
    1. Sorting – By default the Roles are sorted based on relevance (e.g., Usefulness). However, as a user you can select how you want to sort the search results. The options for sorting are:
      • Most Relevant
      • Updated Date
      • Role Name
      • Role Type
      • Org Class
    2. Saved Views – As a user you can select certain filters and then save that filter criteria for future use
    3. Search bar –The search bar allows you to search for a Role by Role Name. If you want an exact match of the Role, you need to include quotes to the search text (e.g. “Compliance Analyst”). If you do not know the name of the Role, use the following %Compl% and it will give you a list of possible matches.

17.4 How To Edit Roles

Step 1:  As the SAA, select Search Roles from the Admin landing page.

17.4 Step 1 Search Roles

Step 2: Click on the Role Name to open the Role information.

Step 2 - Edit Role

Step 3: To Edit the Role, click the Import Entitlements from another Role or Edit Entitlements to add addition privileges.

Step 3 - Edit Role

Step 4:  Import or mark the additional entitlements and click Save.  The Role will be updated and accounts with this Role will have their entitlement updated.

As entitlements are added or removed, any accounts assigned to the Role will be impacted with the Role change.

17.5 How To Delete Roles

Step 1:  As the SAA, select Search Roles from the Admin landing page.

17.5 Step 1 Search Roles

Step 2: Click on the Role Name to open the Role information.

Step 2 - Delete Role

Step 3: To Delete the Role, click the Delete icon.

Step 3 - Delete Role

Step 4: A pop up will open and if the Role has assigned users, the following message will display.

  • Click View Assigned Accounts and unassign all accounts from that Role.

Step 4 - Delete Role

  • From each account displayed from clicking on the ‘View Assigned Accounts’ message, click on the User ID hyperlink.

17.5 Step 4 Delete Role on Acct Addl

Select Entitlement and Access Management, then click Roles to unassign the selected Role by clicking on the ‘x’ next to the selected Role.

17.5 Step 4 Delete Role

Step 5: Once all accounts have been unassigned from the Role, select Search Role from the Admin landing page (Step 1), click on the Role name to delete, click the Delete icon and provide a reason for deleting the Role.

17.5 Step 5 Delete Role

17.5 Step 5 Delete Role Popup

17.6 How To Provide the AA With the Ability To Assign Roles

Step 1: If an SAA wants their AAs to assign Roles to other users, the SAA needs to assign the AA account with the Assign Roles -User privilege. The AA must have Admin privileges to ALL entitlements within the Role in order for the AA to be able to assign the Role to other user accounts. AAs with Role assignment functionality will be able to view all Roles in the organization even if the AA cannot assign all Roles.

From the Search Account screen, use the search box to find the AA account. Type in the account owner’s user ID, name, or email address. If you need an exact match, place quotes around the search text (e.g., “john smith”). Click on the Account User ID.

Step 1 - Mark AA

Step 2:  As the SAA, to add the Assign Roles privilege to the AA, select Edit Entitlements, which opens a screen and allows you to update the entitlements.

Step 2 - Mark AA

Step 3: Select User access for the Assign Roles privilege to allow the AA the ability to assign Roles to users. Inform the AA that the ability to assign Roles has been granted. If an AA indicates that a specific Role cannot be assigned, verify that the AA account has Admin privileges to all entitlements of the Role.

Step 3 - Mark AA