Supervision Frequently Asked Questions (FAQ)
I. FINRA Rule 3110
Supervision
Rule 3110(b) Documentation and Supervision of Supervisory Personnel
- When can a firm rely on FINRA Rule 3110(b)(6)(C)’s limited exception to the prohibition of a firm’s supervisory personnel from supervising their own activities and reporting to, or having their compensation or continued employment determined by, a person the supervisor is supervising?
- How must a firm document its reliance on the limited exception in FINRA Rule 3110(b)(6)(C)?
- Does the person conducting supervisory reviews under the limited exception in FINRA Rule 3110(b)(6) have to be a principal?
- Does the limited exception provide relief from FINRA Rule 3110(b)(6)’s requirement that a firm have procedures to address conflicts of interest that may be present in the firm’s supervisory arrangements for its supervisory personnel?
- FINRA Rule 3110(c) regarding internal inspections also has a limited exception. Is this exception the same as FINRA Rule 3110(b)'s limited exception?
- Must a firm notify FINRA if the firm is relying on the limited exceptions in FINRA Rules 3110(b)(6) or 3110(c)?
Rule 3110(c) Internal Inspections
- What must a firm do to demonstrate compliance with FINRA Rule 3110(c)(2)'s requirement to have a means or method to document customer confirmation, notification or follow-up for transmittals of funds or securities from customers to third parties, to outside entities and to locations other than the customer’s primary residence, and between customers and registered representatives?
- Are securities transfers through the Automated Customer Account Transfer Service (ACATS) covered by the "customer notification" requirements of FINRA Rule 3110(c) for funds or securities transmittals?
- I am registered as a Financial and Operations Principal (FINOP) for several firms and conduct my work off-site. Do I need to conduct an on-site inspection of the firms’ books and records as part of fulfilling my FINOP obligations?
II. FINRA Rule 3120
Supervisory Control System
- What is the difference between written supervisory procedures (WSPs) and supervisory control policies and procedures (SCPs)?
- Should the written SCPs required by FINRA Rule 3120 be separate from the firm's WSPs required by FINRA Rule 3110?
- How should a firm inform FINRA of who it designated as its FINRA Rule 3120 principal(s)?
- Can a firm use its self-assessment, internal audit or inspection process to comply with FINRA Rule 3120's testing and verification requirement?
- Does a firm need to test and verify all of its policies and procedures on an annual basis?
- If a firm has been in existence for less than one year, when must it complete FINRA Rule 3120’s testing and verification requirements?
Rule 3120 Report
Rule 3120 Report and Rule 3130 Report
- What is the difference between the FINRA Rule 3120 report and the FINRA Rule 3130 report?
- Can the report required by FINRA Rule 3130 be combined with the report required by FINRA Rule 3120?
- What are the timetables for the FINRA Rules 3120 and 3130 reports and the Rule 3130 certification?
III. FINRA Rule 3130
Annual Certification of Compliance and Supervisory Processes
- Can a firm have more than one CEO execute the FINRA Rule 3130 certification?
- Can a firm have more than one CCO for purposes of complying with Rule 3130?
- What needs to be done before the execution of the Rule 3130 certification?
- Must the Rule 3130 report be submitted to the board of directors and audit committee prior to the execution of the Rule 3130 certification by the CEO(s) (or equivalent officer(s))?
- To whom does a firm submit the Rule 3130 report if it does not have a board of directors or audit committee?
- When must a new member firm execute its first Rule 3130 certification?
- How can member firms change the date on which their Rule 3130 annual certification is due?
I. FINRA Rule 3110
Supervision
Rule 3110(b) Documentation and Supervision of Supervisory Personnel
- 1. When can a firm rely on FINRA Rule 3110(b)(6)(C)’s limited exception to the prohibition of a firm’s supervisory personnel from supervising their own activities and reporting to, or having their compensation or continued employment determined by, a person the supervisor is supervising?
- Rule 3110(b)(6) requires a firm’s supervisory procedures to prohibit supervisory personnel from supervising their own activities and reporting to, or having their compensation or continued employment determined by, a person or persons they are supervising. Rule 3110(b)(6)(C) provides an exception to this prohibition for a firm that determines, with respect to any of its supervisory personnel, that compliance is not possible because of the firm’s size or a supervisory personnel’s position within the firm. FINRA expects that this exception will be used primarily by a sole proprietor in a single-person firm or where a supervisor holds a very senior executive position within the firm (FINRA Rule 3110.10). However, these situations are non-exclusive, and a firm may still rely on the exception in other instances where it cannot comply because of its size or the supervisory personnel’s position within the firm, provided the firm complies with FINRA Rule 3110(b)(6)’s documentation requirements.
- 2. How must a firm document its reliance on the limited exception in FINRA Rule 3110(b)(6)(C)?
- A firm relying on the exception must document the factors the firm used to reach its determination and how the supervisory arrangement with respect to such supervisory personnel otherwise complies with FINRA Rule 3110(a)’s requirements that a firm have a supervisory system and written supervisory procedures that are reasonably designed to achieve compliance with applicable securities laws and regulations, and with applicable FINRA rules.
- 3. Does the person conducting supervisory reviews under the limited exception in FINRA Rule 3110(b)(6) have to be a principal?
- Rule 3110(b)(6) does not explicitly require that the person relying on the limited exception to conduct supervisory reviews of a firm’s supervisory personnel be a principal. However, Rule 3110(b)(6) does require that the supervisory arrangement with respect to such supervisory personnel otherwise complies with Rule 3110(a)’s requirement that the firm have a supervisory system and written supervisory procedures that are reasonably designed to achieve compliance with applicable securities laws and regulations, and with applicable FINRA rules. This would include a supervisory arrangement that is reasonably designed to comply with FINRA’s qualification requirements for persons acting in a supervisory capacity.
- 4. Does the limited exception provide relief from FINRA Rule 3110(b)(6)’s requirement that a firm have procedures to address conflicts of interest that may be present in the firm’s supervisory arrangements for its supervisory personnel?
- No. The limited exception does not apply to Rule 3110’s requirement that a firm have procedures reasonably designed to prevent the supervisory system from being compromised due to the conflicts of interest that may be present with respect to the associated person being supervised, such as the supervised person’s position, the amount of revenue such person generates for the firm or any compensation that the supervisor may derive from the associated person being supervised. However, the conflicts of interest requirement does not impose a strict liability obligation to eliminate all conflicts of interest, but rather requires that the supervisory procedures be reasonably designed despite the firm’s conflicts of interest.
- 5. FINRA Rule 3110(c) regarding internal inspections also has a limited exception. Is this exception the same as FINRA Rule 3110(b)'s limited exception?
- No. The limited exceptions for Rules 3110(b)(6) and 3110(c)(3) are not the same. Rule 3110(c) requires a firm, for each inspection under the provision, to ensure that the person conducting the inspection is not an associated person assigned to the location or is not directly or indirectly supervised by, or otherwise reporting to, an associated person assigned to that location. Rule 3110(c)(3) provides a limited exception from this requirement if a firm determines compliance is not possible either because of the firm’s size or its business model. FINRA Rule 3110.14 reflects FINRA’s expectation that a firm generally will rely on the exception in instances where the firm has only one office or has a business model where small or single-person offices report directly to an OSJ manager who is also considered the offices’ branch office manager. However, these situations are non-exclusive, and a firm may still rely on the exception in other instances where it cannot comply because of its size or business model, provided the firm complies with FINRA Rule 3110(c)(3)’s documentation requirements.
In contrast, as discussed in question 1 above, Rule 3110(b)(6)'s limited exception addresses who may conduct supervisory reviews of a firm’s supervisory personnel if the firm cannot meet Rule 3110(b)(6)’s provisions prohibiting supervisory personnel from supervising their own activities and reporting to, or having their compensation or continued employment determined by, a person the supervisor is supervising. - 6. Must a firm notify FINRA if the firm is relying on the limited exceptions in FINRA Rules 3110(b)(6) or 3110(c)?
- No. There is no notification requirement for reliance on either exception. However, as noted previously, if the firm decides to rely on the Rule 3110(b)(6) exception, the firm must document the factors the firm used to make its determination and how the supervisory arrangement otherwise complies with Rule 3110(a). Similarly, Rule 3110(c) requires that if a firm relies on the exception in that provision, the firm must document in the inspection report both the factors the firm used to make its determination and how the inspection otherwise complies with Rule 3110(c)(1).
Rule 3110(c) Internal Inspections
- 7. What must a firm do to demonstrate compliance with FINRA Rule 3110(c)(2)'s requirement to have a means or method to document customer confirmation, notification or follow-up for transmittals of funds or securities from customers to third parties, to outside entities and to locations other than the customer’s primary residence, and between customers and registered representatives?
- Rule 3110(c) does not prescribe how customers should be notified of these transmittals, but the rule does require "a means or method of customer confirmation, notification, or follow-up that can be documented." Accordingly, customer contact to confirm or follow-up to fulfill this requirement must be memorialized and retained for review. Factors to be considered with respect to the documentation of customer contact would include:
- The date of notification;
- The means or method of contact (e.g., telephone number, email address, etc.);
- Identification of the account(s) in question;
- Whether there was a response from the customer; and, if so, a brief summary of the customer's response and any follow-up action taken.
- 8. Are securities transfers through the Automated Customer Account Transfer Service (ACATS) covered by the "customer notification" requirements of FINRA Rule 3110(c) for funds or securities transmittals?
- No. The “customer notification” requirements do not apply to transfers of customer account assets conducted through ACATS; such transfers are governed by FINRA Rule 11870 (Customer Account Transfer Contracts). However, Rule 11870 allows a customer to transfer a portion of his or her account assets outside of ACATS pursuant to “authorized alternate instructions,” such as Letters of Authorization, transmitted to the carrying (i.e., delivering) organization. Any such "ex-ACATS" transfers are subject to the provisions of Rule 3110(c).
- 9. I am registered as a Financial and Operations Principal (FINOP) for several firms and conduct my work off-site. Do I need to conduct an on-site inspection of the firms’ books and records as part of fulfilling my FINOP obligations?
- All FINOPs, regardless of whether they work part-time, work off site or hold multiple registrations are responsible for fulfilling the duties outlined in FINRA Rule 1220(a)(4)(A). FINRA has previously provided guidance to member firms to help them assist their FINOPs in fulfilling the obligations specified in Rule 1220(a)(4)(A). See Notice to Members 06-23 (May 2006). The guidance, which includes a provision regarding on-site visits, should not be viewed as requirements (i.e., a FINOP is not required to conduct an on-site visit if the FINOP can fulfill his or her obligations through other means). A member firm’s written supervisory procedures, however, may impose additional requirements for FINOPs, such as an on-site visit to review a location’s books and records. In addition, nothing in this guidance relieves a firm from the obligation to conduct periodic office inspections in accordance with the requirements of Rule 3110(c).
II. FINRA Rule 3120
Supervisory Control System
- 1. What is the difference between written supervisory procedures (WSPs) and supervisory control policies and procedures (SCPs)?
- WSPs document the supervisory system that a firm has established. In this regard, Rule 3110(b) requires each firm to establish, maintain, and enforce written procedures to supervise the types of business in which it engages and the activities of its associated persons that are reasonably designed to achieve compliance with applicable securities laws and regulations, and FINRA rules. In contrast, Rule 3120 requires each firm to establish SCPs to test and verify that the firm’s WSPs are reasonably designed with respect to the activities of the firm and its associated persons to achieve compliance with applicable securities laws and regulations, and FINRA rules. Rule 3120 further requires that a firm create additional or amend supervisory procedures where the need is identified by such testing and verification.
- WSP Example
- “The head of department will approve all new accounts by initialing the new account forms before the first trade in an account is executed.”
- SCP Example
- “The Compliance Department will review the FINRA Weekly Update emails to determine whether any new or proposed requirements are applicable to the firm and its business activities. If so, the Compliance Department will identify and implement changes to the firm's supervisory system and supervisory procedures to ensure compliance with the new requirements.”
- 2. Should the written SCPs required by FINRA Rule 3120 be separate from the firm's WSPs required by FINRA Rule 3110?
- A firm has the discretion to maintain both procedures within the same manual or document as long as the procedures are distinct and clearly identifiable.
- 3. How should a firm inform FINRA of who it designated as its FINRA Rule 3120 principal(s)?
- A firm must designate the principal(s) and his or her supervisory control responsibilities in its SCPs.
- 4. Can a firm use its self-assessment, internal audit or inspection process to comply with FINRA Rule 3120's testing and verification requirement?
- A self-assessment, internal audit or inspection process may be used to satisfy the testing and verification process in whole or part. The extent to which a firm may rely upon these processes depends on whether they adequately test and verify that the firm’s supervisory procedures are reasonably designed to comply with applicable securities laws and regulations, and with FINRA rules, and amend or create additional supervisory procedures where the need is identified by such testing and verification. If a firm decides to use one or more of its self-assessment, internal audit or inspection processes as a testing mechanism, it must indicate in its annual Rule 3120 report that it has used the data from these processes as a testing mechanism.
- 5. Does a firm need to test and verify all of its policies and procedures on an annual basis?
- No. A firm may use risk-based methodologies and sampling to test and verify a subset of policies and procedures annually. If a risk-based approach is used, factors such as the following may be considered in determining scope:
- Businesses and activities from which the firm derives significant revenues. However, to the extent such activities have been previously tested and found sufficiently designed and there is an absence of other factors such as a change in the law or rules or the absence of regulatory, compliance or audit findings, deriving significant revenue from an activity, by itself, does not mean that a firm must reach a risk-based assessment that the testing of that area in a given year is necessary.
- Areas where the firm has had procedural or supervisory deficiencies in the past. However, the absence of a historical deficiency does not mean that a firm should not consider the area for inclusion in the testing.
- Products, rules or issues that were identified as emerging topics or problems, including those highlighted by regulators as areas of concern.
- Business activities in which the firm has had customer complaints or which resulted in the termination of personnel.
- New business activities or products.
- 6. If a firm has been in existence for less than one year, when must it complete FINRA Rule 3120’s testing and verification requirements?
- A firm must have in place its entire supervisory system, including WSPs, by the time it becomes a member of FINRA. However, the Rule 3120 report must be completed within 12 months of becoming a FINRA member.
Rule 3120 Report
- 7. Do the designated principals have any reporting requirements once they have completed testing and verifying the firm’s supervisory procedures?
- Yes. Rule 3120 requires the designated principals to submit, no less frequently than annually, a report to the firm’s senior management that details the firm's system of supervisory controls, the summary of the test results and significant identified exceptions, and any additional or amended supervisory procedures that have been created in response to those test results.
In addition, if the designated principals are associated with a firm that reported $200 million or more in gross revenue (as defined in Rule 3120) on its FOCUS report in the prior calendar year, the Rule 3120 report must include to the extent applicable to the firm’s business (1) a tabulation of the reports pertaining to customer complaints and internal investigations made to FINRA during the preceding year; and (2) a discussion of the preceding year’s compliance efforts, including procedures and educational programs, in each of the following areas:- Trading and market activities;
- Investment banking activities;
- Antifraud and sales practices;
- Finance and operations;
- Supervision; and
- Anti-money laundering.
Rule 3120 Report and Rule 3130 Report
- 8. What is the difference between the FINRA Rule 3120 report and the FINRA Rule 3130 report?
-
While these reports can be combined (see question 9 below), their purposes are different. The Rule 3130 report identifies the processes a firm has in place, at the time of the CEO’s certification, to establish, maintain, review, test and modify its written compliance policies and written supervisory procedures.
The Rule 3130 report evidences the processes that a firm has in place to adopt and keep current supervisory policies and procedures under Rule 3110, and to establish, maintain and enforce a supervisory control system as required under Rule 3120. FINRA recommends that firms review the results of their Rule 3120 reports in considering whether their Rule 3130 processes are sufficient. For example, if a firm's Rule 3120 report consistently notes a firm's failure to adopt WSPs around new regulatory requirements, then the firm should consider whether its Rule 3130 processes adequately take into account new regulatory requirements.
In contrast, the Rule 3120 report requires member firms to conduct a look back of their system of supervisory controls and testing and to provide to their senior management (no less than annually) a report that:
- Details the manner, method and review for testing and verifying that a firm's system of supervisory policies and procedures are reasonably designed to achieve compliance with applicable rules and laws;
- Provides a summary of the test results and significant gaps found; and
- Identifies the changes a firm made or will need to make to its supervisory procedures in order to address deficiencies found through its testing.
-
Additionally, for firms meeting certain gross revenue criteria as defined in the rule, the report must include certain information from the preceding year pertaining to compliance efforts, customer complaints and internal investigations data.
- 9. Can the report required by FINRA Rule 3130 be combined with the report required by FINRA Rule 3120?
- Yes. The Rule 3130 report may be combined with any other compliance report, such as the Rule 3120 report, or other similar report required by any other self-regulatory organization provided that:
- Such report is clearly titled and addresses all of the required elements of the respective reports;
- A firm that submits a report for review in response to a FINRA request must submit the report in its entirety; and
- The firm makes such report in a timely manner, i.e., annually.
- 10. What are the timetables for the FINRA Rules 3120 and 3130 reports and the Rule 3130 certification?
-
Timing and Submission Rule 3120 Report Rule 3130 Report & Certification Frequency No less than annually No less than annually Time Period Covered by Report Must look back to preceding year (including a summary of the test results, significant identified exceptions, and any additional or amended supervisory procedures created in response to the test results) Must be current as of the date of certification Submit to Firm's senior management Firm's board of directors and audit committee (or equivalent bodies) at the earlier of their next scheduled meetings or within 45 days of the last Rule 3130 certification
III. FINRA Rule 3130
Annual Certification of Compliance and Supervisory Processes
- 1. Can a firm have more than one CEO execute the FINRA Rule 3130 certification?
- Yes. A firm may designate a co-CEO (for a maximum of two CEOs) solely for the purpose of complying with Rule 3130. However, co-CEOs may not divide up the requirements of the Rule; rather, each of the two CEOs is required to individually discharge all of the obligations set forth in Rule 3130, each is responsible for the representations in the certification as if they were the firm’s only CEO, and the signature of each co-CEO is expected to appear on the same single annual certification.
- 2. Can a firm have more than one CCO for purposes of complying with Rule 3130?
- Yes. A firm may designate multiple CCOs on Schedule A of Form BD, provided that:
- Each designated CCO is a principal;
- The firm precisely defines and documents the areas of primary compliance responsibility assigned to each designated CCO and makes specific provisions for which of the designated CCOs has primary compliance responsibility in areas that can reasonably be expected to overlap;
- Each designated CCO satisfies all of the requirements of Rule 3130 with respect to his or her defined area of primary compliance responsibility as if that individual was the firm's only CCO; and
- Collectively, the designated CCOs have the responsibilities and expertise that enable them to consult with the CEO on the totality of the subject matters required to be addressed in the certification by the CEO under Rule 3130.
- 3. What needs to be done before the execution of the Rule 3130 certification?
- Before the execution of the certification can be completed, the following steps must be taken:
- The member creates a report (“Rule 3130 report”) that documents the member’s processes for establishing, maintaining, reviewing, testing and modifying its compliance policies that are reasonably designed to achieve compliance with applicable federal securities laws and regulations, FINRA rules, and MSRB rules.
- The firm's CEO(s) (or equivalent officer(s)), CCO(s) and any other officers the firm deems necessary to make the certification reviews the Rule 3130 report.
- The CEOs(s) (or equivalent officer(s)) must meet with the CCO(s) during the preceding year to:
- Discuss and review the matters that are the subject of the certification;
- Discuss and review the firm's compliance efforts to date; and
- Identify and address significant compliance problems and plans for emerging business areas.
- 4. Must the Rule 3130 report be submitted to the board of directors and audit committee prior to the execution of the Rule 3130 certification by the CEO(s) (or equivalent officer(s))?
- No. The Rule 3130 report must be submitted to the member's board of directors and audit committee (or equivalent bodies) in final form either prior to execution of the certification or at the earlier of their next scheduled meetings or within 45 days of the date of execution of the certification.
- 5. To whom does a firm submit the Rule 3130 report if it does not have a board of directors or audit committee?
- If a firm does not have a board of directors or audit committee, the firm would submit the Rule 3130 report to the firm's governing bodies and committees that serve similar functions in lieu of a board of directors and audit committee, such as a managing member, management committee, general partner, board or managers, advisory board, financial standards committee, etc. If a firm does not have a governing body or audit committee or equivalent, the report can be shared with the firm's majority shareholder or shareholders.
- 6. When must a new member firm execute its first Rule 3130 certification?
- The first certification must be executed within 12 months of becoming a FINRA member and then annually thereafter.
- 7. How can member firms change the date on which their Rule 3130 annual certification is due?
- Rule 3130 requires member firms to complete their annual certification requirement on or before the date on which it was completed in the prior year. Some firms have asked if it is possible to reset their certification date. It is possible. To do so, a firm may certify any time before the one-year anniversary of its most recent certification. Thus, changing the date will require the firm to certify more than once within the one-year period. The following year, the annual certification would be due on or before the new date.
For example, firms that wish to move the date by a short amount of time may certify again soon after the last certification. If a firm’s last certification was on March 15, but it wants to move that date to April 1 for future years, the firm could achieve this by certifying by March 15 and then certifying again on April 1, provided that on April 1 the conditions set forth in Rule 3130(c) are satisfied:- the firm has in place processes to establish, maintain, review, test and modify its policies and procedures;
- the CEO has conducted one or more meetings with the CCO to cover the requisite content in the 12 months preceding the new certification;
- the processes are evidenced in a report that has been reviewed by the CEO and CCO and either:
- was provided to the firm’s board of directors and audit committee prior to the new certification or
- if the report was not previously submitted, will be submitted to those bodies at the earlier of the next scheduled meeting or within 45 days of the original March 15 certification date; and
- the CEO has consulted with other persons to the extent deemed appropriate in order to attest to the statements made in the certification.
If any of the conditions are no longer satisfied, then the firm must satisfy those conditions prior to the execution of a new certification by the CEO on April 1. For example, any material changes to the report that was certified on March 15 must be reviewed by the CEO and CCO and either provided to the firm’s board of directors and audit committee prior to the new certification, or submitted to those bodies at the earlier of the next scheduled meeting or within 45 days of April 1.
In either case, the next certification would be due no later than April 1 the following year. -