Quick Answer
Every member firm must establish, maintain, and enforce a supervisory system built on seven pillars, documented in written supervisory procedures (WSPs) and scaled to firm size and risk. A layered program tests the system through internal supervisory controls, tops it with an annual chief executive officer (CEO) certification, and adds a business continuity plan (BCP), current member contact filings, and customer access to the FINRA Manual.
The whole unit on one sheet: the supervisory system, office inspections, the three-layer certification stack, the BCP, and the filing and manual duties the exam loves.
Core Supervisory System
- Seven pillars (structural floor): written procedures (WSPs), designate registered principals per business line, classify each office, on-site principal at each Office of Supervisory Jurisdiction (OSJ) and branch, assign every registered person to a supervisor, reasonable efforts to qualify supervisors, and an annual compliance meeting.
- WSPs must be established, maintained, AND enforced. They describe the system, name supervisors, and list steps; content covers general supervision, correspondence, internal communications, complaints, transaction review, and supervision of supervisors.
- Reasonable-review (scaling) standard: no one-size-fits-all. Scale to size, structure, scope of business, office count, product complexity, volume, personnel per location, disciplinary history, and red flags.
Office Types and Inspection Cadence
| Office type | Inspection frequency |
|---|---|
| OSJ | Annually |
| Branch that supervises non-branch locations | Annually |
| Branch that does not supervise other locations | At least every 3 years |
| Non-branch location | At least every 3 years |
| Residential Supervisory Location (RSL) | Every 3 years (like a non-branch) |
- Inspection report must be in writing and cover books and records, account supervision, customer-info validation, fund/securities transmittals, and address / investment-objective changes.
- No self-inspection: the on-site inspector cannot report to, or hold responsibility at, the location inspected.
The One-Liners That Win Points
- Internal supervisory controls report goes to senior management; CEO certification report goes to the board of directors. Different documents, different audiences.
- The CEO personally signs the certification; it cannot be delegated to the Chief Compliance Officer (CCO). The CEO meets with the CCO within the preceding 12 months, then certifies.
- First Emergency Contact Person (ECP) must be senior management AND a registered principal; the second must be senior management (with business knowledge) if not a principal.
- ECPs and the Executive Representative are filed through the FINRA Contact System (FCS), not Form U4. Individual registrations (U4/U5) run through the Central Registration Depository (CRD).
- The FINRA Manual duty is satisfied by electronic access (a link to finra.org); no printing or mailing required.
Numbers to Lock In
| Item | Value |
|---|---|
| OSJ / supervising-branch inspection | Annual |
| Non-supervising branch, non-branch, RSL inspection | At least every 3 years |
| CEO certification | Annually, on rolling anniversary date |
| CEO-CCO meeting window | Within preceding 12 months |
| Board report after certification | Within 45 days |
| Enhanced controls-report threshold | $200 million or more gross revenue (prior-year FOCUS) |
| New broker-dealer first SRO inspection | Within 6 months (financial responsibility) |
| New broker-dealer second SRO inspection | Within 12 months (all other provisions) |
| BCP required elements | 10 |
| Emergency Contact Persons | 2 |
| Compliance / supervisory record retention | 3 years (first 2 easily accessible) |
Top Gotchas
- Perfect WSPs on paper still fail if never tested. A firm can satisfy the supervisory system rule and still violate the internal-controls testing duty, and satisfy both and still violate the CEO certification requirement. Each layer stands alone.
- 45 days is the board-report deadline, not the certification deadline. Certify first, then file the supporting report to the board within 45 days.
- 6 months covers financial responsibility, 12 months covers everything else for a newly registered broker-dealer; the clock starts at registration, not the first trade.
- A BCP that omits customers' prompt access to their funds and securities is presumptively non-compliant. That element is enumerated, not optional, and the BCP must be in writing.
- Any branch that supervises another location is bumped to annual inspection, regardless of business volume; an office can be an OSJ with zero customer foot traffic.
- A red flag during a remote inspection forces an on-site visit; the Remote Inspections Pilot does not waive the underlying supervisory duty.
- Letting contact info go stale is itself a violation of the member-filing requirement, even with no other misconduct.
- The $200 million threshold is gross revenue (from the prior-year FOCUS report), not net revenue or net income.
One-Breath Recap
Every firm establishes, maintains, and enforces a supervisory system on seven pillars, documented in WSPs and scaled to size and risk under the reasonable-review standard. Offices are classified as OSJ, branch, or non-branch, with OSJs and supervising branches inspected annually and everything else at least every three years, always by an independent inspector filing a written report. Three layers stack: the supervisory system, internal supervisory controls (tested, reported to senior management, enhanced above $200 million gross revenue), and the CEO's annual certification (preceding-12-month CCO meeting, board report within 45 days). Round it out with a written BCP covering 10 elements plus customer fund access, two ECPs, current CRD and FCS filings, and electronic access to the FINRA Manual.
Need more than the recap? This is a condensed summary. If it is not enough, read the full Written Supervisory Procedures and Controls unit for the complete lesson.