Frequently Asked Questions (FAQ) about Fingerprint Processing
SEC Provides Temporary Exemptive Relief from Fingerprinting Requirements for, Among Others, Members and All of Their Associated Persons; FINRA Provides Additional Temporary Extension of Time for Submission of Fingerprint Information for Registered Persons Under Rule 1010(d)
On March 20, 2020, the Securities and Exchange Commission (the Commission) issued an order that, among other things, provides a temporary exemption until May 30, 2020 from the fingerprinting requirements of Securities Exchange Act Rule 17f-2 for FINRA members. As a condition of the relief, the Order requires written notification to the Commission by May 30, 2020, that a person will rely on the exemption. FINRA has provided that notification on behalf of all of its members, their employees and associated persons. With respect to an individual seeking registration pursuant to the submission of a Form U4, a FINRA member firm seeking to avail itself of this temporary exemptive relief for registered persons must comply with FINRA’s guidance with respect to FINRA Rule 1010, which is set forth below. A FINRA member firm seeking to avail itself of this temporary exemptive relief for non-registered associated persons (NRFs) must comply with the recordkeeping requirements set out in the guidance regarding NRFs below.
On This Page
- FAQ Applicable to All Firms
- FAQ Applicable to Broker-Dealers
- FAQ Applicable to Funding Portals
- FAQ Applicable to Investment Advisers
- Electronic Fingerprint Submission
- Electonic Fingerprint Security
General FAQs Applicable to All Firms
- Q1: Where does my firm get fingerprint cards and/or barcodes?
- A1: Fingerprint cards are available for purchase through FINRA MediaSource; see the Order Printed Publications page for more information. If you need a supply of barcode stickers, contact the FINRA Gateway Call Center at (301) 590-6500 to order a supply. There is no charge for the barcode stickers.
- Q2: Where on the fingerprint card does the barcode sticker get placed if a card needs one?
- A2: If you need to place a barcode sticker on a fingerprint card, the sticker should only be placed in the area marked "Your No: OCA" on the card. Barcodes are used by FINRA and the FBI for tracking purposes.
- Q3: How do I complete a fingerprint card?
- A3: The following information is required for best practices:
- All fingerprint cards should contain a barcode. If using a barcode sticker, the sticker should be placed in the "Your No: OCA" field on the card.
- All fingerprints must be taken in black ink.
- Always complete the employer's name, address, and Org ID number on every fingerprint card submitted. This is especially important when submitting large batches of fingerprint cards as the cards could get separated during processing.
- Review the following data on the card for accuracy:
- Write clearly on the card to ensure that the fingerprint card can be processed in a timely manner. Information on the card must be legible or the card will be rejected.
- The fingerprint should be signed by the person being fingerprinted and by the official taking the fingerprints.
- Do not highlight any information or any portion of the fingerprint card or the FBI will reject the card.
- Q4: SEC Rule 17f-2 (Fingerprinting of securities industry personnel) under the Securities Exchange Act of 1934 requires that a firm may need to submit three sets of fingerprints if results are returned as illegible. Can my firm submit all three sets of fingerprints at once?
- A4: No. Firms should submit only one set of fingerprints for an individual at a time and only send a subsequent set of fingerprints if an FBI disposition of ILEG posts to Web CRD. FINRA processes all non-deficient fingerprint cards at the time of submission and fingerprint fees are charged accordingly.
- Q5: Which firm personnel are required to be fingerprinted?
- A5: Pursuant to Section 17(f)(2) of the Securities Exchange Act of 1934 and Rule 17f-2 thereunder, the SEC requires firms to submit fingerprints for all partners, directors, officers and employees, unless they are exempt under those same provisions. Rule 17f-2 exempts employees from fingerprinting who do not:
- Sell securities;
- Regularly have access to the keeping, handling, or processing of securities, monies, or the original books and records relating to the securities or monies; and
- Have direct supervisory responsibility over those who sell securities or have access to securities, monies, or the original books and records.
- Q6: What typically prevents a fingerprint transaction from being processed by FINRA?
- A6: Typically, there are two reasons that FINRA cannot process a fingerprint transaction:
- When mandatory information is not included such as the following:
- Date of birth
- Printed name for the individual
- Firm name and CRD number, and
- Required signatures (individual and/or official)
- Using a highlighter or having extraneous writing on a fingerprint card as it is difficult or impossible to image a fingerprint card with this condition in order to transmit the information to the FBI.
- When mandatory information is not included such as the following:
- Q7: What are the codes for hair color and eye color?
- Q8: What address is used to mail fingerprint cards?
- A8: All fingerprint cards should be mailed to one of the two following addresses, depending on the method used:
First Class Mail should be sent to:
P.O. Box 9495
Gaithersburg, MD 20898-9495
Overnight/Courier Mail should be sent to:
9509 Key West Avenue, 3rd Floor
Rockville, MD 20850
NOTE: When sending Overnight/Courier Mail, please include the following phone number: (301) 869-6699.
- If you are submitting fingerprints for a Funding Portal, please write “Funding Portal” on the outside of the envelope.
- Q9: How do I annotate amputated or bandaged prints?
- A9: Use the code 'XX' for amputated or bandaged digits, or 'UP' for unprintable digits.
- However, if all ten of an individual’s fingers are amputated, bandaged, or are otherwise unprintable, please contact FINRA. There is a separate process for these individuals.
- Q10: How does the firm request an exemption from SEC Rule 17f-2 when an individual cannot be printed due to a physical handicap?
- A10: Firms that need to request an exemption from the requirement to submit fingerprints under Rule 17f-2 may submit a request to:
- SEC-Division of Trading and Markets
Office of Clearing and Settlement
Mail Stop 70-10
100 F Street, N.E.
Washington, DC 20549
- Q11: Is an individual exempt from the fingerprinting requirement based on being a foreign national or foreign resident?
- A11: No. Rule 17f-2 lists the bases for exemptions (see Answer 5 above).
- Q12: What happens to fingerprints after FINRA receives a fingerprint submission?
- A12: FINRA transmits the fingerprints to the FBI. The FBI processes the fingerprints and returns to FINRA any information in the FBI’s records. FINRA records receipt and disposition details in the appropriate online application in Firm Gateway. See the Funding Portal FAQ and/or Broker-Dealer FAQ for more information.
- Q13: What is the turnaround time for fingerprint results?
- A13: The FBI’s turnaround time is 24-72 hours, although most prints will come back within 24 hours. Results will be made available in Web CRD/FPRD to entitled users with your firm.
- Q14: Does FINRA provide email responses when fingerprints are received?
- A14: No, FINRA does not provide email responses for successfully received and processed fingerprints. Entitled system users can confirm current status of a fingerprint submission in Web CRD and/or FPRD. See the Funding Portal FAQ and/or Broker-Dealer FAQ for more information about monitoring fingerprints.
- Electronic (EFS): FINRA does notify firms when there is an error processing an electronic fingerprint submission. FINRA will send an automated notification to the email address provided on your certificate to identify the field(s) to correct.
- Hard Copy: FINRA mails notification letters to firms when hard copy fingerprint submissions cannot be processed; however, FINRA does not return deficient hard copy fingerprint cards.
- Q15: How do I find out if a fingerprint submission was processed?
- A15: Fingerprint submission status information is reported in Web CRD and FPRD.
- Q16: Why are some fingerprints returned as illegible?
- A16: The FBI may deem fingerprints illegible for a number of reasons. For example, if the individual's ridges of their fingerprints are worn down and difficult to capture, their prints may be illegible.
- Q17: How long do I have to submit fingerprints to FINRA after the filing is submitted?
- A17: Fingerprints must be received by FINRA within 30 days after a Form U4 is filed in Web CRD. If fingerprints are not received within the 30-day time period, the individual's FINRA registration status will be changed to "Inactive Prints", and the individual will have to cease doing business until such time as the fingerprints are received and processed. Please see the Electronic Fingerprint Processing Quick Reference Guide for more information.
- Q18: How do I retrieve my firm's Fingerprint Reports?
- A18: Your firm's Fingerprint Reports can be retrieved in Web CRD by entitled Reports users. See the Web CRD Reports Quick Reference Guide for detailed navigational information.
- Q19: Are fingerprints required for each affiliated firm on a Form U4 filing?
- A19: No. Only one set of fingerprints is required for affiliated firms included on a Form U4, provided the employment date for all affiliate firms listed in Section 6 is the same as the employment date in Section 1. See the section pertaining to Section 6 in the Form U4 Quick Reference Guide for more information. Affiliated firms can also establish a Simultaneous Filing Group (SFG) to ensure that FINRA fees are deducted from the designated “primary” firm’s account.
- Q20: A firm has Non-Registered Fingerprint individuals (NRFs) who are no longer with the firm. How does the firm terminate these individuals?
- A20: The firm can terminate the individuals by submitting an NRF Amendment Filing that includes the Date of Termination or by using the Bulk Termination function available as part of the Form NRF process in Web CRD. See the Form NRF Quick Reference Guide for additional information.
- Q21: My firm is applying for FINRA registration. How are fingerprints of associated persons submitted to FINRA?
- A21: Funding portals will need to initially submit fingerprints on fingerprint cards until their FINRA Organization ID # (Org ID#) is assigned as part of the FINRA entitlement process. A funding portal will be able to submit fingerprints electronically once its Org ID # is assigned. Fingerprints must be submitted on fingerprint cards that meet FBI requirements. Fingerprint cards are available for purchase through FINRA Media Source. Fingerprint fees apply and must be paid with fingerprint submissions.
- Q22: My firm would like to submit fingerprints electronically. What do I have to do?
- A22: Funding portals are able to submit fingerprints to FINRA electronically once an Org ID# is assigned as part of the FINRA Entitlement Process under FINRA's Electronic Fingerprint Submission (EFS) Program.
- Q23: Who at my funding portal needs to be fingerprinted?
- A23: All associated persons at the funding portal are required to submit fingerprints to FINRA for processing as required by Securities and Exchange Act (“SEA”) Rule 17f-2.
- Q24: What is the Firm CRD number?
- A24: Fingerprint cards have a section called Firm CRD number. Enter your firm's Organization ID# (assigned after your firm is entitled to the FINRA Entitlement Program) in this section.
- Q25: My firm is a broker-dealer with the intent to be designated as a funding portal. Does the firm need to submit additional fingerprints for our associated individuals?
- A25: If fingerprints have already been submitted to FINRA for individuals associated with the broker dealer to comply with SEA 17f-2, no additional fingerprint submissions are required.
FAQ Applicable to Investment Advisers
- Q26: Do investment adviser (IA)-only firms submit fingerprint cards to FINRA for processing?
- A26: No. IA-only firms submit fingerprints directly to the states. Not every state requires fingerprints for an RA registration and an IA-only firm should contact the relevant state to verify state fingerprint requirements.
- Q27: If an IA-only firm submits a fingerprint card to FINRA in error, what happens?
- A27: The fingerprint card will not be returned to the firm. The firm will need to re-print the individual and submit the fingerprint card directly to the state with the fingerprint requirement.
- Q28: What are the first steps to submit fingerprints electronically to FINRA?
- A28: Your firm should decide if you want to purchase and install fingerprint equipment in your office, or send associated individuals to a vendor’s location for fingerprinting. Then contract a certified electronic fingerprint vendor and notify the FINRA EFS Coordinator by email if you purchase fingerprinting equipement. See the Submit Fingerprints Electronically page for step-by-step instructions and a list of certified EFS vendors.
- Q29: What happens if I switch or contract additional vendors?
- A29: Your firm should notify FINRA EFS Coordinator only if your firm purchases fingerprinting equipment.
- Q30: What is a Secure Email Certificate and how does it work?
- A30: Secure Email Certificates allow you to digitally sign and encrypt emails. Certificate encryption requires that both the firm or vendor and FINRA use their certificate's public key to achieve a secure two-way communication. In doing so, this allows you to transmit fingerprint data in an encrypted fashion. The certificate needs to include the email address that will transmit fingerprint cards to FINRA and not a personal email address.
- Q31: What Certificate do I send to FINRA?
- A31: You must send your firm's public certificate to an EFS Coordinator to provide for secure communication.
- Q32: How do I renew or purchase a new Certificate?
- A32: Visit the Entrust website to enroll and purchase new or renewed Entrust Digital IDs.
- Q33: What happens if the email that is being used to transmit fingerprints changes?
- A33: Any change to your email address requires the purchase of a new certificate. After purchasing the new certificate, email EFS Coordinator to coordinate the next steps.
- Q34: My firm includes a disclaimer on all outgoing emails. Does the disclaimer need to be removed from emails prior to transmitting fingerprints to FINRA?
- A34: Yes, you must remove the disclaimer from the emails that transmit fingerprints to FINRA. If a disclaimer is included in the email, FINRA will be unable to process the fingerprints.
- Q35: How long does it take for FINRA to install new/renewed certificates?
- A35: It takes 2-3 business days for FINRA to install certificates; however, we ask that certificates be emailed to EFS Coordinator at least one week prior to the current certificate expiration date. Note: FINRA only requires your certificates public key; never send your firm's private key.
- Q36: Can a single certificate be used in both the testing and production environments?
- A36: Yes, FINRA will use your firm's certificate for both testing and production.
- Q37: Can my firm's certificate email address be in mixed case?
- A37: No, the certificate email address must be in all lower-case.
- Q38: Are the fingerprint files (print images and personal data) sent by our firm stored by FINRA? How long does FINRA maintain data??
- A38: If a firm chooses to send the fingerprint data to FINRA via EFS transmissions, it must be from FINRA certified vendor equipment. The EFS transmissions are kept secure using Digital Certificates and S/MIME encryption.
- Fingerprint images and demographic data are stored in a database with FINRA while they await disposition by the FBI. All information sent to and information received from the FBI is encrypted. After the FBI responses are received, the data is maintained in this database for 30 days after which the information is only available from secure storage databases.
- All FBI Criminal History Record Information (CHRI) data is maintained in encrypted format during transmission and storage.
- Q39: Who controls the Access Permissions for the systems in which our data is stored?
- A39: FINRA technology strictly enforces the short-term database access, which is limited to a subset of FINRA employees. A limited number of FINRA employees have access to fingerprints and CHRI if that access is necessary to perform their regulatory responsibilities.
- CHRI is available to the firm that submitted the fingerprint card along with any affiliated firm that is using that fingerprint card to satisfy its fingerprint requirements through Web CRD. In addition, this CHRI is also available to other regulators with whom the individual previously held, currently holds, or is requesting registration with that regulator through Web CRD. All Web CRD users require specific entitlement to view fingerprint information in Web CRD.
- Q40: Is data sent between FINRA and the FBI encrypted?
- A40: The data between FINRA and FBI is transmitted over a secure transmission line and is encrypted with a hardware encryption device. The FBI has certified this line and configuration.
- Q41: Does FINRA have a group of personnel assigned to implement and maintain information security? If so, please provide a brief explanation of what they do.
- A41: Yes, FINRA Corporate Information Security is the group responsible for overseeing Information Security at FINRA. This includes creation of security policies and standards, compliance verifications to those standards and policies, risk assessments of all applications, working with development teams on securing applications during design phases, and oversight of operational security programs such as antivirus, firewalls, and intrusion detection. The actual security maintenance of our systems is the responsibility of the systems' administrators with compliance monitoring performed by FINRA Corporate Information Security.
- Q42: Are the information systems that store our employees' personal and fingerprint information audited by a third-party group?
- A42: FINRA has their own Internal Audit Department, which is empowered by the Board to perform such audits. Our Internal Audit staff frequently hire outside consultants to conduct or assist in conducting audits. In addition, our external auditor performs audits as well. The audits serve to validate the integrity of FINRA's systems; however, neither the Internal Audit staff nor external auditors are provided access to fingerprints.
- Q43: Are the systems regularly tested for weaknesses, and patched appropriately?
- A43: FINRA performs vulnerability scans on all internal and externally facing systems on a regular basis. Reports are provided to the appropriate technology teams to correct any uncovered issues. In addition, FINRA technology monitors for the release of all relevant security related patches. FINRA has a very aggressive patch management process and critical patches are installed as quickly as feasible. All other security patches are installed during scheduled maintenance windows.
- Q44: How does FINRA mitigate the risk of both internal and external information systems breaches? This would include Extranet (web-based) portals, VPNs, and FINRA's internal Local Area Network.
- A44: FINRA mitigates security risks through strict preventive and detective controls, which include placement of firewalls on borders and gateways providing tightly controlled access. Through Change Management, policies, and standards, we direct how these controls are setup and changed over time to meet business needs and maintain limited access. We monitor system borders, gateways, and machines and are alerted at the signs of possible intrusion. In addition, FINRA requires up-to-date Antivirus on all workstations, servers (including mail servers) and gateways, utilizing a central console for automatic updates.
- FINRA staff’s access to fingerprint information is provided only when necessary to perform their regulatory responsibilities. Management must approve staff access and review it periodically to ensure continued access is necessary.
1 In this regard, firms may be able to have personnel fingerprinted at the local consulate or through local law enforcement authorities. Alternatively, firms may also designate persons within the firm to roll fingerprints as necessary.
2 See Exchange Act Rel. No. 45385 (Feb. 1, 2002), 67 FR 5862 (Feb. 7, 2002).