User Accounts Certification for Super Account Administrators (SAA)
Note: The information on this page is intended for broker-dealers, funding portals, investment advisers and US-based regulators that participate in the FINRA Entitlement program. Other organizations without Super Account Administrators (SAAs) should refer to the User Accounts Certification for Organizations With Certification Representatives (CRep).
What is the Annual Entitlement Certification?
FINRA designates a period every year during which in-scope SAAs must certify that a review of access to systems on the FINRA Entitlement Platform for all users and administrators within their organization has been completed. Please note that only the SAA can complete this certification on behalf of the organization.
Why Does FINRA Require the Annual Entitlement Certification?
FINRA recommends that every organization perform periodic system access reviews to ensure that individuals have the appropriate level of entitlement required to perform their job responsibilities or remove access if no longer required. In addition to this recommendation, FINRA requires SAAs to complete the annual certification if they manage other user(s) and/or administrator accounts.
What Should SAAs Look for While Performing the Annual Entitlement Certification?
SAAs should confirm that enterprise-wide access to systems on the FINRA Entitlement Platform adheres to the following best practices:
- each individual has a continuing need to access the application(s) available through the FINRA Entitlement Program on the organization's behalf;
- each individual is entitled only to the applications and roles/privileges needed to perform current job responsibilities;
- access to sensitive data (e.g., Criminal History Record Information (CHRI), Social Security or tax identification numbers, dates of birth) is only given to those who require it; and
- accounts are modified or deleted in a timely fashion when individuals no longer require access.
This mandatory process enhances FINRA's overall program to protect the integrity and confidentiality of regulatory, proprietary and personal information maintained by FINRA.
Note for Organizations That Only Maintain an SAA Account
Organizations that do not have other users and/or administrators in addition to their SAA (often referred to as SAA-only organizations) have the option to certify but are not required to do so, unless the firm has access to the Consolidated Audit Trail (CAT). Firms with one or more accounts with access to CAT must certify. FINRA and other regulators will not follow up with SAA-only organizations that are not required to certify, and the SAA's account will not be disabled for failure to certify.
Are There Consequences for Organizations That Do Not Complete the Certification?
The following actions will occur if an organization that is required to certify does not certify within the designated period:
- The capability to create accounts, create and assign roles, and the ability to edit and import entitlements to accounts will be disabled for all administrators within the organization after the certification due date and will remain disabled until the SAA completes the certification process.
- Action by the regulator may be taken to ensure compliance with the process.
- Finally, failure to comply with certification will result in all accounts associated with the organization being suspended until certification is completed—this action requires an SAA to work with the FINRA Entitlement Group to complete the certification and regain full system functionality.