CEO Annual Certification

Quick Answer

The FINRA CEO certification requirement obliges the chief executive officer (CEO) to personally certify in writing each year that the firm has processes in place to establish, maintain, review, test, and modify written compliance policies and Written Supervisory Procedures (WSPs). The CEO must meet with the Chief Compliance Officer (CCO) within the preceding 12 months, and the supporting report must be submitted to the firm's board of directors within 45 days of the certification date.

The CEO certification requirement is the top-of-firm sign-off. The internal supervisory controls requirement hands senior management the testing results; the CEO certification requirement puts the CEO's signature on a statement that the entire supervisory and compliance machine is in place. The exam tests two things constantly: that the CEO (not the CCO) signs the certification, and that the CEO must meet with the CCO before signing.


The CEO Annual Certification

Each member must have its chief executive officer (CEO) (or equivalent officer) certify annually that the firm has in place processes to:

  • Establish written compliance policies and WSPs
  • Maintain those policies and procedures
  • Review them periodically
  • Test them (the link to the internal supervisory controls requirement)
  • Modify them in response to test results, regulatory changes, or business changes

The certification must be:

  • In writing
  • Dated
  • Reasonably designed to achieve compliance with FINRA rules, MSRB rules, and federal securities laws

The prior year's certification sets the anniversary deadline for the next certification. A firm that certified on March 15 last year owes its next certification by March 15 this year.

Exam Tip: Gotchas

  • The CEO personally signs the annual certification. They cannot delegate the certification itself to the CCO or in-house counsel. The CCO is who the CEO has the meeting with; the CEO is who certifies that the meeting occurred and that processes are in place.
  • The certification is annual on a rolling anniversary, not on a calendar-year basis. Last year's certification date sets this year's deadline.

The Required CEO-CCO Meeting

The CEO certification is not a paper-only exercise. The requirement obliges the CEO to certify that they met with the CCO within the preceding 12 months to discuss:

  • The firm's processes for establishing, maintaining, reviewing, testing, and modifying policies and procedures
  • The firm's compliance efforts during the preceding year
  • Significant compliance problems, plans for emerging business areas, and the firm's response

The certification reflects the discussions and conclusions of this meeting. A CEO who never met with the CCO cannot honestly sign the certification.

Think of it this way: The CEO certification requirement forces the CEO and CCO into the same room at least once a year. The rule's drafters understood that compliance failures often start when senior management treats the CCO as a back-office function rather than a peer. Forcing an annual sit-down with documented topics is the structural fix.

Exam Tip: Gotchas

  • The CEO must meet with the CCO; the CEO does not delegate the meeting. A meeting between the CCO and the chief operating officer does not satisfy the CEO certification requirement. The rule names the CEO specifically.
  • The 12-month window is preceding, not concurrent. The meeting must have occurred sometime in the 12 months before the certification date.

The Report to the Board of Directors

The certification process is documented in a report that the CEO, CCO, and other necessary officers review. The report must be submitted to the firm's board of directors (or equivalent governing body) within 45 days of the certification date.

The report typically includes:

  • The substance of the CEO-CCO discussions
  • The firm's compliance and supervisory program structure
  • Significant issues raised during the meeting and the firm's response

Document                             | Audience                | Timing
Supervisory control report           | Senior management       | At least annually
CEO certification                    | Maintained by the firm  | Annually on anniversary date
CEO certification supporting report  | Board of directors      | Within 45 days of certification

Exam Tip: Gotchas

  • 45 days is the board-report deadline, not the certification deadline. The certification is signed first; the board report follows within 45 days. The exam will sometimes pose a fact pattern where the firm certified on time but submitted the board report late, asking whether the firm violated the rule. It did.
  • The CEO certification report goes to the board; the supervisory control report goes to senior management. Senior management oversees daily operations; the board oversees the CEO. Each rule sends its report to the layer above the activity being reported on.

Why the Certification Matters

The personal signature of the CEO converts compliance from a back-office concern into a top-of-firm responsibility. A CEO who has signed an annual certification has personally attested that:

  • WSPs and compliance policies exist
  • A program is in place to test and modify them
  • The CCO has communicated significant compliance issues
  • The firm is taking action on those issues

Enforcement actions arising from supervisory failures often cite both the underlying supervisory-system defect and a related CEO certification problem (CEO signed despite knowing of unaddressed compliance issues, or CEO signed without holding the required CCO meeting).