FINRA Supervisory Controls Assessment

FINRA Rule 3120 – Assessment
FINRA Rule 3130 – CEO Certification

FINRA CEO / CCO Certification

Annual CEO Certification
Supervisory Controls Assessment

  • Frequency

    FINRA Rule 3120 testing and the certification required by FINRA Rule 3130 are each required to be completed once each calendar year. FINRA members are required to submit a report to the firm’s senior management that details the system of supervisory controls and the results of the test of those controls. The FINRA Rule 3120 report is required to be completed no less than annually. The certification required under Rule 3130 must be completed annually, but not later than the anniversary date of the previous year’s certification. The FINRA Rule 3130 report must be current as of the date of the certification. Finally, if you are a new FINRA member, you are required to conduct your first FINRA Rule 3120 test and FINRA Rule 3130 certification within 12 months of becoming a FINRA member.

  • FINRA Rule 3130 Certification

    The annual CEO certification required by FINRA Rule 3130 must be supported by a report that covers the firm’s processes for establishing, maintaining, reviewing, testing and modifying its supervisory and compliance procedures. The report generated as a result of the FINRA Rule 3120 testing may also be combined with the FINRA Rule 3130 report. This report serves as the basis for the CEO’s certification. Once the CEO has held a meeting with the CCO to discuss matters related to the certification, including the firm’s compliance efforts and plans (along with any corrective action required as a result of the report), the certification should be completed and maintained.

  • Report Requirements

    FINRA requires the Rule 3120 report to be submitted to the firm’s senior management. However, the FINRA Rule 3130 report must be submitted to the firm’s board of directors and audit committee (or equivalent) at the earlier of their next scheduled meetings or within 45 days of the annual certification.

  • Supervisory Procedures v. Supervisory Control Policies

    Written supervisory procedures (or WSPs, as they are often called) are the procedures that the firm has developed to supervise the various businesses in which it is engaged. For each area, they specify the primary requirements, who is responsible for supervising that area, what review is performed (with what records), how often the review is conducted, and how it is documented. Supervisory control procedures, however, are different in that they specify how the WSPs are tested and verified (and by whom) to ensure that they are reasonably designed with respect to all business lines of the broker-dealer. Importantly, they include procedures for how the firm monitors developments, rule filings, and changes in business to ensure that new or revised procedures are put into place as required.

  • Producing Branch Managers

    The prior version of FINRA Rule 3120 was called NASD Rule 3012. The old version of the rule contained extensive requirements related to the supervision of producing branch managers. Specifically, firms were required to identify producing managers who generated 20% or more of the revenue of the business units supervised, and then to develop heightened supervisory procedures for monitoring the activities of those managers. FINRA Rule 3110(b)(6)(C) replaces this requirement and instead requires procedures that effectively mitigate the conflicts presented by the producing branch manager rules. That provision also requires that a firm develop procedures prohibiting its associated persons from supervising themselves or reporting to, or having their compensation or continued employment determined by, a person they are supervising. In other words, FINRA expects that firms have procedures to sufficiently mitigate conflicts of interest. In 2013, FINRA published a report on conflicts that extensively outlines these requirements.


Each of these rules has a separate purpose, although FINRA permits the reports required under each to be combined into one. FINRA Rule 3130 requires that the firm designate a Chief Compliance Officer (CCO) and that the CEO certify annually that the firm has processes in place to establish, maintain, review, test and modify written compliance policies and written supervisory procedures. The CEO also attests that he or she has conducted at least one meeting with the CCO in the prior 12 months to discuss these processes. The annual requirement for FINRA Rule 3120 testing (the supervisory controls assessment) and verification relates to the review of the firm’s supervisory systems, including supervisory policies and procedures. A FINRA Rule 3120 report should detail the testing and verification of a firm’s procedures and specifically whether those procedures are reasonably designed to achieve compliance with applicable rules. In practice, firms often prepare a single report and may even call it a “FINRA Supervisory Controls Assessment” report when in reality it also includes the required CEO certification per FINRA Rule 3130. When FirstMark handles the annual supervisory controls assessment for a client, it prepares a single report along with a separate written certification for review and signature by the CEO. The combined report serves as the basis for the CEO certification. The report provides recommendations for amendments to the firm’s procedures and supervisory controls as needed.

FINRA Rule 3120 Testing of Supervisory Controls

FirstMark conducts comprehensive reviews of client supervisory systems and procedures in the manner required by FINRA Rule 3120. This is a risk-based review during which we test and verify that the firm’s supervisory procedures are reasonably designed to achieve compliance with applicable securities laws and regulations (and FINRA Rules). It also identifies exceptions and amendments that may be required as a result of the testing. FirstMark provides recommendations based on its assessment.

Using risk-based methodologies and sampling (similar to what FINRA examiners use when conducting examinations) FirstMark tests and verifies those areas of the firm’s written supervisory policies and procedures that are most likely to pose the greatest risk, often called a “risk-based approach.” In making this determination, FirstMark works with the client to identify areas of: significant revenue, prior regulatory exam findings, emerging issues, new business lines, regulatory priorities, and concentrations in customer grievances (if any). FirstMark provides input and expertise regarding the areas to be selected. Once a plan is developed, the testing commences and FirstMark prepares the comprehensive, consolidated report that satisfies FINRA Rules 3120 and 3130. Note that a supervisory controls assessment is not an audit, nor is it designed to be exhaustive. Rather, using FINRA guidance, it is designed using a risk-based approach.