Written Supervisory Procedures and Controls

Quick Answer

Every member firm must establish, maintain, and enforce a supervisory system built on seven pillars, documented in written supervisory procedures (WSPs) and scaled to firm size and risk. A layered program tests the system through internal supervisory controls, tops it with an annual chief executive officer (CEO) certification, and adds a business continuity plan (BCP), current member contact filings, and customer access to the FINRA Manual.

The whole unit on one sheet: the supervisory system, office inspections, the three-layer certification stack, the BCP, and the filing and manual duties the exam loves.


Core Supervisory System

  • Seven pillars (structural floor): written procedures (WSPs), designate registered principals per business line, classify each office, on-site principal at each Office of Supervisory Jurisdiction (OSJ) and branch, assign every registered person to a supervisor, reasonable efforts to qualify supervisors, and an annual compliance meeting.
  • WSPs must be established, maintained, AND enforced. They describe the system, name supervisors, and list steps; content covers general supervision, correspondence, internal communications, complaints, transaction review, and supervision of supervisors.
  • Reasonable-review (scaling) standard: no one-size-fits-all. Scale to size, structure, scope of business, office count, product complexity, volume, personnel per location, disciplinary history, and red flags.

Office Types and Inspection Cadence

Office typeInspection frequency
OSJAnnually
Branch that supervises non-branch locationsAnnually
Branch that does not supervise other locationsAt least every 3 years
Non-branch locationAt least every 3 years
Residential Supervisory Location (RSL)Every 3 years (like a non-branch)
  • Inspection report must be in writing and cover books and records, account supervision, customer-info validation, fund/securities transmittals, and address / investment-objective changes.
  • No self-inspection: the on-site inspector cannot report to, or hold responsibility at, the location inspected.

The One-Liners That Win Points

  • Internal supervisory controls report goes to senior management; CEO certification report goes to the board of directors. Different documents, different audiences.
  • The CEO personally signs the certification; it cannot be delegated to the Chief Compliance Officer (CCO). The CEO meets with the CCO within the preceding 12 months, then certifies.
  • First Emergency Contact Person (ECP) must be senior management AND a registered principal; the second must be senior management (with business knowledge) if not a principal.
  • ECPs and the Executive Representative are filed through the FINRA Contact System (FCS), not Form U4. Individual registrations (U4/U5) run through the Central Registration Depository (CRD).
  • The FINRA Manual duty is satisfied by electronic access (a link to finra.org); no printing or mailing required.

Numbers to Lock In

ItemValue
OSJ / supervising-branch inspectionAnnual
Non-supervising branch, non-branch, RSL inspectionAt least every 3 years
CEO certificationAnnually, on rolling anniversary date
CEO-CCO meeting windowWithin preceding 12 months
Board report after certificationWithin 45 days
Enhanced controls-report threshold$200 million or more gross revenue (prior-year FOCUS)
New broker-dealer first SRO inspectionWithin 6 months (financial responsibility)
New broker-dealer second SRO inspectionWithin 12 months (all other provisions)
BCP required elements10
Emergency Contact Persons2
Compliance / supervisory record retention3 years (first 2 easily accessible)

Top Gotchas

  • Perfect WSPs on paper still fail if never tested. A firm can satisfy the supervisory system rule and still violate the internal-controls testing duty, and satisfy both and still violate the CEO certification requirement. Each layer stands alone.
  • 45 days is the board-report deadline, not the certification deadline. Certify first, then file the supporting report to the board within 45 days.
  • 6 months covers financial responsibility, 12 months covers everything else for a newly registered broker-dealer; the clock starts at registration, not the first trade.
  • A BCP that omits customers' prompt access to their funds and securities is presumptively non-compliant. That element is enumerated, not optional, and the BCP must be in writing.
  • Any branch that supervises another location is bumped to annual inspection, regardless of business volume; an office can be an OSJ with zero customer foot traffic.
  • A red flag during a remote inspection forces an on-site visit; the Remote Inspections Pilot does not waive the underlying supervisory duty.
  • Letting contact info go stale is itself a violation of the member-filing requirement, even with no other misconduct.
  • The $200 million threshold is gross revenue (from the prior-year FOCUS report), not net revenue or net income.

One-Breath Recap

Every firm establishes, maintains, and enforces a supervisory system on seven pillars, documented in WSPs and scaled to size and risk under the reasonable-review standard. Offices are classified as OSJ, branch, or non-branch, with OSJs and supervising branches inspected annually and everything else at least every three years, always by an independent inspector filing a written report. Three layers stack: the supervisory system, internal supervisory controls (tested, reported to senior management, enhanced above $200 million gross revenue), and the CEO's annual certification (preceding-12-month CCO meeting, board report within 45 days). Round it out with a written BCP covering 10 elements plus customer fund access, two ECPs, current CRD and FCS filings, and electronic access to the FINRA Manual.


Need more than the recap? This is a condensed summary. If it is not enough, read the full Written Supervisory Procedures and Controls unit for the complete lesson.