FINRA Supervisory Controls Testing in the Age of Reg BI: Six Questions That Still Matter
In December 2015, I sat in a hotel ballroom in New Orleans listening to Rick Ketchum, then FINRA’s Chairman and CEO, give a talk on ethics, culture, and conflicts at the South Region Compliance Seminar. The line that stuck with me — and that I wrote about a few days later — was his observation that a strong compliance culture “reduces the risk of good people making bad decisions” and that such a culture “doesn’t happen accidentally.” He posed six questions for broker-dealer leaders to consider.
A decade later, those questions have aged better than almost anything else I have heard at a FINRA conference. The regulatory furniture has been rearranged considerably since 2015 — most significantly by Regulation Best Interest, which took effect on June 30, 2020 — but the underlying questions about culture, controls, and conflicts have not changed. If anything, Reg BI made them sharper. The supervisory controls testing required by FINRA Rules 3120 and 3130 now sits at the intersection of the old “tone at the top” framework and a new federal standard of conduct that explicitly requires firms to identify, disclose, mitigate, and in some cases eliminate conflicts of interest.
This piece revisits Ketchum’s six questions, layers in the Reg BI obligations that have transformed how those questions get answered in practice, and offers a current-day framework for designing a 3120 test that actually finds problems before examiners do.
The Six Questions, Briefly Restated
Ketchum’s six questions, paraphrased from my 2015 notes:
- Are control functions really valued? There is a meaningful difference between having control procedures and embracing them.
- Is there tolerance for policy and control breaches? What actually happens when training requirements are ignored or procedures are bypassed?
- Does the firm proactively identify risks? The risks identified three years ago are not the risks present today.
- How often do you communicate that each action must be in the best interest of the customer?
- How does culture apply throughout various parts of the organization? Geographic dispersion creates sub-cultures that have to be examined separately.
- What are our conflicts? When mistakes happen, they tend to come from where the incentives sit.
Read those again with 2026 eyes. Question four — “each action must be in the best interest of the customer” — is, almost word for word, the Care Obligation of Reg BI. Question six — “what are our conflicts” — is the Conflicts Obligation. Question one is the Compliance Obligation. Ketchum was describing in 2015 the scaffolding that the SEC would formalize into rule text in 2019.
Rules 3120 and 3130: The Mechanism That Tests All of It
Before getting to Reg BI, it is worth restating what Rules 3120 and 3130 actually require, because some firms still get the basic mechanics wrong.
Rule 3120 requires every member to designate one or more principals to establish, maintain, and enforce a system of supervisory control policies and procedures (SCPs) that test and verify, at least annually, that the firm’s written supervisory procedures (WSPs) are reasonably designed to achieve compliance with applicable securities laws, regulations, and FINRA rules. Where the testing identifies deficiencies, the firm must create or amend supervisory procedures to address them. The designated principal then submits a Rule 3120 report to senior management summarizing the controls in place, the testing methodology, the results — including any significant exceptions — and any procedural changes made in response.
For firms reporting $200 million or more in gross revenue on the prior calendar year’s FOCUS report, the Rule 3120 report must also include a tabulation of customer complaints and internal investigations reported to FINRA during the prior year and a discussion of compliance efforts in specified areas, including anti-money laundering, trading and market activities, sales practices, financial and operational controls, and supervisory systems.
Rule 3130 requires each member to designate a chief compliance officer on Schedule A of Form BD and requires the CEO (or equivalent officer) to annually certify that the firm has in place processes to establish, maintain, review, test, and modify written compliance and supervisory policies and procedures reasonably designed to achieve compliance with applicable rules. The certification must be supported by a 3130 report describing those processes. The 3130 report must be submitted to the firm’s board of directors and audit committee — or equivalent — at the earlier of their next scheduled meetings or within 45 days of the certification.
Two procedural points cause more deficiencies than they should:
The 3120 report and the 3130 report are not the same document and serve different purposes. The 3120 report is a backward-looking summary of what the firm tested and what it found. The 3130 report describes the processes — interactions between business managers and the CCO, the cadence of policy reviews, the mechanism for incorporating new regulatory requirements — that produce and maintain the supervisory framework. They can be combined into a single document, but the substantive content of each must be present and identifiable. A consolidated report that covers only 3120 content and slaps a CEO signature on the front does not satisfy 3130.
The CEO certification must be supported by the report. It cannot precede it. Rule 3130 requires that the CEO have one or more meetings with the CCO during the preceding twelve months to discuss the matters underlying the certification. Examiners ask about those meetings. They ask when they happened, what was discussed, and who was present. A pro forma certification that was signed without that interaction is not what the rule requires, and the failure to actually have those conversations is something FINRA examiners have cited.
What Reg BI Added — And Why It Changes the Testing Conversation
Regulation Best Interest, adopted by the SEC on June 5, 2019 and effective June 30, 2020, established a new standard of conduct for broker-dealers and their associated persons when making recommendations of any securities transaction or investment strategy, including account recommendations, to a retail customer. Reg BI is built on a General Obligation — act in the retail customer’s best interest at the time the recommendation is made, without placing the firm’s or the representative’s interests ahead of the customer’s — that is satisfied only by complying with four component obligations:
The Disclosure Obligation. The firm must provide, in writing and prior to or at the time of the recommendation, full and fair disclosure of all material facts relating to the scope and terms of the relationship, including capacity, fees and costs, and the type and scope of services. Form CRS sits inside this obligation for retail-relationship purposes but is separately required.
The Care Obligation. The associated person must exercise reasonable diligence, care, and skill to (1) understand the potential risks, rewards, and costs of the recommendation, (2) have a reasonable basis to believe the recommendation could be in the best interest of at least some retail customers, and (3) have a reasonable basis to believe the recommendation is in the best interest of this particular retail customer based on that customer’s investment profile and the recommendation’s potential risks, rewards, and costs.
The Conflict of Interest Obligation. The firm must establish, maintain, and enforce written policies and procedures reasonably designed to identify and at a minimum disclose, or eliminate, all conflicts of interest associated with recommendations. Specific subcategories require firms to mitigate — not merely disclose — conflicts that create incentives for associated persons to place their interests ahead of the retail customer’s interests, and to eliminate sales contests, sales quotas, bonuses, and non-cash compensation based on the sale of specific securities or specific types of securities within a limited period.
The Compliance Obligation. The firm must establish, maintain, and enforce written policies and procedures reasonably designed to achieve compliance with Reg BI as a whole.
Each of these obligations creates testable controls. And each of them lives directly inside what a firm’s annual Rule 3120 test must reach.
The 2026 FINRA Annual Regulatory Oversight Report: What Examiners Are Finding
The 2026 Regulatory Oversight Report is unusually direct about where firms are still falling short on Reg BI, and the findings map cleanly onto failures of supervisory controls testing.
On account-type recommendations, FINRA found firms failing to maintain or enforce written policies and procedures by omitting clear guidance on the factors to evaluate — account costs, services provided, whether services would be duplicative — when recommending a specific account type, and by not specifying the supervisory steps required to determine whether an account-type recommendation was actually in the customer’s best interest. In practice, this means rollover recommendations from employer plans to IRAs, transitions between brokerage and advisory accounts, and recommendations to open margin or option accounts. These are exactly the kinds of recommendations where the conflict — higher fees, ongoing compensation, expanded product universe — is most pronounced and the supervisory documentation is most often thin.
On private placement offerings, FINRA continues to flag pre-IPO fund offerings as a significant risk area, including potentially fraudulent conduct involving material misrepresentations and omissions about sales compensation. This is reinforced by recent enforcement: in January 2026, FINRA filed a complaint alleging that a member firm and its CCO failed to establish a supervisory system reasonably designed to achieve compliance with the Care Obligation as it relates to private placement offerings, including failures to conduct reasonable due diligence, to maintain records of the diligence performed, and to respond to red flags concerning pre-IPO share ownership.
On annuities, FINRA identified Care Obligation violations involving recommended surrenders and withdrawals — failing to consider the costs of terminating variable annuity living benefits and riders when recommending replacements or exchanges, and recommending partial withdrawals or full surrenders from registered index-linked annuities mid-segment without considering interim value risk.
A February 2026 FINRA enforcement action makes the supervisory-testing connection explicit. FINRA fined a broker-dealer $60,000 and issued a censure for willful violations of Reg BI’s Conflict of Interest Obligation and Compliance Obligation, Form CRS delivery failures, and a multi-year failure to complete annual supervisory control system testing under Rule 3120. The supervisory testing failure was not a sidebar to the Reg BI charges. It was the mechanism by which the Reg BI deficiencies persisted undetected.
That is the through-line of FINRA enforcement under Reg BI: when the substantive violation is found, the supervisory test is almost always part of the charging document. Bill St. Louis, FINRA’s head of Enforcement, noted publicly in late 2025 that FINRA’s Reg BI case count had already surpassed the prior full year’s total. The pace has not slowed.
Clearly, a generic, off-the-shelf testing program produces generic, off-the-shelf findings. Examiners can spot a templated test from a long way off. A test that is tailored to the firm’s actual business mix, its actual product set, its actual customer base, and its actual conflict inventory is what FINRA expects — and is also what produces information that is useful to senior management.
The Six Questions, Revisited Through a Reg BI Lens
With that backdrop, here is how I would put Ketchum’s six questions to a broker-dealer CEO today.
1. Are control functions really valued?
In 2015, this was a culture question. In 2026, it is also a Compliance Obligation question. Reg BI requires firms to establish, maintain, and enforce written policies and procedures reasonably designed to achieve compliance with the regulation. “Reasonably designed” is the operative phrase, and it is a higher bar than “exists in a manual.” Examiners are increasingly asking whether the compliance and supervision functions are adequately staffed and resourced relative to the firm’s business activities, whether the CCO has direct access to the CEO and the board, and whether compliance findings actually result in business changes. A firm where the CCO raises an issue and is consistently overruled is, almost by definition, a firm where control functions are not really valued — and the 3120 test should be capturing that pattern, not papering over it.
2. Is there tolerance for policy and control breaches?
This question has acquired a sharp edge under Reg BI. The Conflict of Interest Obligation requires firms to mitigate conflicts that create incentives for associated persons to place their interests ahead of the retail customer’s interests. One of the SEC’s enumerated mitigation methods is adjusting compensation for associated persons who fail to adequately manage conflicts of interest. Stated plainly: if your firm has identified conflict-management requirements but does nothing when a representative ignores them, you have not mitigated the conflict — you have disclosed it and walked away. Recent CCO and supervisory enforcement makes this point repeatedly. Where firms approve transactions despite information indicating that the recommendations were inconsistent with customer risk tolerances or liquidity needs, FINRA has charged both the firm and the supervisor.
3. Does the firm proactively identify risks?
The supervisory control system is supposed to be the mechanism by which firms identify risks before they become enforcement findings. The 2026 FINRA ROR adds several risks that did not meaningfully exist in 2015: generative AI tools used in client-facing communications, including by third-party vendors; off-channel communications and the recordkeeping obligations that apply to them regardless of the device used; cybersecurity incidents and Regulation S-P breach response requirements; extended-hours trading; and the perennially fast-evolving private placement landscape. A 3120 test that is structurally identical to the firm’s 2018 test is, by definition, not capturing risks that emerged in 2020, 2022, or 2025. The risk assessment that drives the testing scope should be reviewed and refreshed every year.
4. How often do you communicate that each action must be in the best interest of the customer?
This is the General Obligation, restated as a cultural question. Reg BI explicitly states that the standard cannot be satisfied by disclosure alone. And it is what FINRA points to when a firm argues that its Form CRS and product-level disclosures should be sufficient. The communication of “best interest” has to reach the front line and has to be consistent across compensation arrangements, training, supervision, and discipline. If the firm’s incentive structure tells representatives one thing while the compliance manual tells them another, the representatives will follow the incentives every time.
5. How does culture apply throughout various parts of the organization?
The geographic-dispersion point Ketchum made in 2015 has gotten more, not less, important. The 2026 FINRA ROR specifically calls out branch and home-office supervision, including how firms supervise the activities of registered representatives operating from non-branch locations and remotely. Supervision of independent contractor representatives — who may be physically distant from any home-office supervisor — has been a recurring deficiency cited in FINRA examination findings. The 3120 test should sample across geographic and organizational lines. A test that pulls all of its samples from headquarters and the largest two branches is not testing supervision; it is testing one slice of supervision.
6. What are our conflicts?
This is now, formally, a regulatory inventory requirement. The Conflict of Interest Obligation is operationalized through the firm’s conflict inventory — the documented identification of every material conflict associated with recommendations, paired with the firm’s response: disclosure, mitigation, or elimination. Firms that conducted a conflict inventory in 2020 in preparation for the Reg BI compliance date and have not refreshed it since are working from a stale document. New product launches, new compensation arrangements, new third-party relationships, new technology vendors, and new business lines all generate new conflicts. The inventory is supposed to be a living artifact. The 3120 test should sample the inventory, test whether the documented mitigation steps are actually being performed, and test whether new conflicts that have arisen during the year have been added.
What FINRA Expects From a Supervisory Controls Test
FINRA’s guidance, including the supervisory controls FAQs, describes the test in functional rather than prescriptive terms, and that flexibility can be misread as permissiveness. FINRA examiners know what they expect to see, and the gap between a test that satisfies them and a test that does not is rarely subtle.
The test is risk-based, not exhaustive. FINRA does not require — and a thoughtful test does not attempt — that every supervisory procedure be tested every year. What FINRA expects is a documented, current risk assessment that drives the selection of areas tested, refreshed annually, with the rationale for what is in scope captured in the workpapers. A test that examines the same five areas every year regardless of how the business has changed is a test that has stopped functioning.
The test is substantive, not procedural. Confirming that a written supervisory procedure exists is not testing. Confirming that the supervisor performed the review the WSP requires, that the review was substantive, and that the documentation supports the conclusion — that is testing. Examiners distinguish quickly between a test that pulled samples and walked them through the supervisory chain and a test that read the manual and called it done. A supervisory controls test should not be confused with the separate obligation under Rule 3110 to perform an annual review of the procedures, including a gap analysis. Both are required.
The test must produce findings that go somewhere. Rule 3120 itself requires firms to create or amend supervisory procedures where testing identifies a need. A report that is suspiciously clean given the firm’s size and complexity invites questions the firm will not enjoy answering. Examiners frequently ask to see what changed in the WSPs as a result of the prior year’s test, and a coherent answer to that question is one of the better indicators of a healthy program. FINRA often states it will not penalize firms for conducting robust self-evaluation, but it expects that any findings from such evaluative processes are addressed.
A Practical Framework for 2026 FINRA Supervisory Controls Testing
FINRA has long stated that supervisory controls testing should be risk-based. And as a practical matter it makes no sense to cast the net so wide that there can be no meaningful, in-depth review. Here is how I would scope a controls test for a typical retail broker-dealer this year.
Start with a refreshed risk assessment. What changed at the firm in the last twelve months? New products, new lines of business, new representatives, new branches, new clearing or technology vendors, new types of customers, regulatory developments, and prior examination findings all feed in. The output is a ranked inventory of risk areas that drives sample selection.
Map Reg BI obligations to existing supervisory controls. For each of the four obligations, identify the WSPs that operationalize the obligation, the supervisory reviews that are supposed to verify compliance, and the records that should evidence those reviews. Where a supervisory step is supposed to occur — for example, principal review of a rollover recommendation — pull a sample and verify that the review actually happened, that it was substantive, and that it was documented.
Test conflict mitigation, not just conflict disclosure. This is where many tests fall short. Pulling Form CRS to confirm that conflicts are disclosed is the easy half of the work. The harder half is confirming that, where mitigation is required — for example, where a representative is approaching a compensation threshold that creates an incentive to recommend a particular product — the firm’s mitigation step (surveillance, compensation adjustment, supervisory review) is actually being performed.
Sample account recommendations specifically. Rollovers, account-type changes, and brokerage-to-advisory transitions are the highest-risk Reg BI population in most retail firms. Pull a sample, test whether the documented best-interest analysis includes the factors the 2026 FINRA ROR specifically calls out — costs, services, alternatives — and test whether the supervisory steps required by the WSPs were performed before the recommendation was effected. Test whether there is a supervisory review of the best-interest rationales.
Test the Form CRS delivery process. Look at the system that triggers Form CRS delivery, sample new accounts during the test period, and confirm that delivery actually occurred at the required times. This is one of the most cited Form CRS deficiencies and is straightforward to test. Test whether there is a supervisory review of the delivery process.
Test the conflict inventory itself. Sample new products, new compensation arrangements, and new vendor relationships entered into during the year. Are they reflected in the inventory? Has the firm assessed each for conflicts? If mitigation was identified as required, has it been implemented?
Document everything. The 3120 report is the artifact that proves the test happened. It should describe what was tested, how it was tested, and what was found, and the firm should prepare a summary of the corrective actions taken in response to the findings. A short, generic report may not satisfy the rule and does not protect the CEO making the 3130 certification.
Closing Thought
When Rick Ketchum gave that talk in 2015, Reg BI was years away. Form CRS did not exist. The Conflict of Interest Obligation was not a regulatory term of art. And yet his six questions cut to exactly the issues the SEC and FINRA would later codify. Good supervision has always been about caring for the customer, taking control functions seriously, knowing where your conflicts are, and being willing to act on what you find.
I spent years on the regulator side watching what distinguishes the firms that handle examinations cleanly from the firms that do not. One reliable predictor was whether the firm’s annual supervisory controls test was a real exercise — risk-driven, sample-based, with findings that actually went somewhere — or a paperwork exercise designed to produce a signature and a date.
In 2026, with Reg BI fully embedded in the supervisory framework and FINRA’s enforcement pace on Reg BI cases continuing to accelerate, the gap between those two kinds of tests is the gap between a firm that finds its problems and a firm whose problems get found for it.
Ketchum’s questions are still the right questions. The answers just have more weight behind them now.
Mitchell Atkins, CRCP, is FINRA’s former South Region Director and the founder and Principal of FirstMark Regulatory Solutions. FirstMark provides Rule 3120 supervisory controls testing, Rule 3130 certification support, AML independent testing, FINRA new membership and continuing membership applications, and broader regulatory consulting services to broker-dealers across the country.