

Supervisory Controls Testing

FINRA Rule 3120 testing and Rule 3130 certification, completed annually with the substance and documentation regulators expect. Engagements are led by Mitchell Atkins, CRCP, a former FINRA Senior Vice President and Regional Director who oversaw all types of examinations.

FirstMark Regulatory Solutions conducts supervisory controls assessments under FINRA Rule 3120 and prepares the consolidated report supporting the annual CEO certification required by FINRA Rule 3130. Engagements are scoped around the firm’s actual business activities, supervisory structure, and risk profile — not driven by templates.


  • Engagement Length: ~60 days

    From receipt of documents to delivery of final report.

  • Pricing: Fixed Fee

    Scoped to business mix, supervisory structure, and risk profile.

  • Deliverable: Report & Certification

    Consolidated report, supporting exhibits, and CEO certification document.

  • Format: Risk-Based Review

    Sample-based testing similar to FINRA examination methodology.


What FINRA Rules 3120 and 3130 Require

FINRA Rule 3120 requires every member firm to test and verify that its supervisory procedures are reasonably designed to achieve compliance with applicable rules. The firm must submit an annual report to senior management detailing the testing and the results.

FINRA Rule 3130 requires the firm to designate a Chief Compliance Officer and requires the CEO to certify annually that the firm has processes in place to establish, maintain, review, test, and modify its written compliance and supervisory procedures. The CEO must also attest to having held at least one meeting with the CCO during the prior twelve months.

The Rule 3130 report must be submitted to the firm’s board of directors and audit committee at the earlier of their next scheduled meetings or within 45 days of the certification. New FINRA members must complete their first Rule 3120 test and Rule 3130 certification within 12 months of becoming a member.


The Difference Between Rules 3120 and 3130

Each rule has a distinct purpose, although FINRA permits the reports to be combined. Rule 3120 focuses on the testing and verification of the firm’s supervisory procedures — the substantive review of whether those procedures are reasonably designed to achieve compliance with applicable rules. Rule 3130 focuses on the firm’s processes for establishing, maintaining, reviewing, testing, and modifying its compliance and supervisory procedures, and on the CEO’s annual certification regarding those processes.

In practice, firms typically prepare a single consolidated report covering both requirements. FirstMark prepares the combined report along with a separate written certification document for the CEO’s review and signature. The combined report serves as the basis for the certification and provides recommendations for amendments to the firm’s procedures and supervisory controls as needed.


The FirstMark Approach

FirstMark engagements are tailored to the firm. The work is not template-driven. Each engagement begins with a review of the firm’s current supervisory structure, business activities, prior examination findings, and risk priorities, and the testing scope is built from there.

Using risk-based methodologies and sampling similar to those FINRA examiners use during examinations, FirstMark tests and verifies the areas of the firm’s written supervisory procedures most likely to pose the greatest risk. In making this determination, FirstMark works with the client to identify areas of significant revenue, prior regulatory findings, emerging issues, new business lines, regulatory priorities, and concentrations in customer complaints.

A supervisory controls assessment is not an audit and is not designed to be exhaustive. It is designed using a risk-based approach consistent with FINRA guidance, and the report reflects the substance of testing performed rather than a checklist of categories reviewed.


What Gets Tested

A FirstMark supervisory controls test typically covers the following elements, with depth and sample size scaled to the firm’s risk profile:


  • Written Supervisory Procedures

    Review of the firm’s WSPs against current regulatory requirements, the firm’s actual business activities, and any prior examination findings. WSPs that do not reflect the firm’s specific business or that have not been updated for relevant rule changes are flagged.

  • Risk-Based Scoping

    Identification of the supervisory areas, business lines, and regulatory priorities that warrant testing in the current year, based on the firm’s risk profile, prior findings, regulatory developments, and changes in business.

  • Supervisory Systems Testing

    Sample-based testing of the firm’s actual supervisory practices — whether reviews are being performed, whether they are being documented, and whether the documentation supports the conclusions reached.

  • Regulation Best Interest Considerations

    Where applicable, evaluation of the firm’s supervisory controls related to Regulation Best Interest and its component obligations. The depth of this review depends on the firm’s business and is informed by current regulatory expectations.

  • Conflicts of Interest Procedures

    Review of the firm’s procedures for identifying and mitigating conflicts of interest, including procedures addressing situations where associated persons may otherwise supervise themselves or report to a person they supervise.

  • Findings and Remediation

    Documentation of identified exceptions, recommended procedural amendments, and corrective action items, with severity assessments to support prioritization.

  • Combined Rule 3120 / 3130 Report

    Preparation of the consolidated report supporting both the supervisory controls assessment and the CEO certification, along with a separate written certification document for the CEO’s review and signature.


Leadership

FirstMark engagements are led by Mitchell Atkins, CRCP, founder and Principal of FirstMark Regulatory Solutions. Mitch is a former FINRA Senior Vice President and Regional Director who oversaw thousands of supervisory examinations during his twenty-year career at the regulator.

A supervisory controls report exists to demonstrate that the firm has tested its procedures rigorously and identified the issues a regulator would expect to see addressed. The work product needs to reflect that. Templated assessments and check-the-box reports tend to invite regulatory follow-up rather than resolve it. FirstMark’s supervisory controls assessments are scoped, conducted, and documented to meet the substance and presentation that FINRA examiners expect — informed by direct experience.


Expert Insights

FINRA Supervisory Controls Testing in the Age of Reg BI: Six Questions That Still Matter

A practitioner’s perspective on how Regulation Best Interest has shaped supervisory controls testing — including six questions firms should be able to answer about how Reg BI is reflected in their current supervisory framework.


Discussing an Engagement

For firms seeking a substantive supervisory controls assessment, initial discussions are handled confidentially and are generally used to determine whether the engagement is appropriate for the firm’s business model, supervisory structure, and timing. FirstMark accepts a limited number of supervisory controls engagements so that each review receives senior-level attention from scoping through final report.

Mitchell Atkins, CRCP  ·  Founder and Principal
FirstMark Regulatory Solutions
(561) 948-6511