Supervisory Control System (FINRA Rule 3120)
Quick Answer
FINRA Rule 3120 sits on top of Rule 3110 as supervision of supervision. The firm must establish a system of supervisory control policies and procedures to test and verify that Rule 3110 supervisory procedures are working. The designated principal must prepare an annual report to senior management summarizing test results, significant exceptions, and any procedural amendments. Risk-based sampling is permitted.
FINRA Rule 3110 requires the firm to build a supervisory system. FINRA Rule 3120 requires the firm to test whether that system actually works. Rule 3120 sits on top of Rule 3110 as a second line of defense: supervision of supervision.
What does FINRA Rule 3120 add to Rule 3110?
The two rules are complementary, not alternative.
- Rule 3110 requires a supervisory system and written supervisory procedures (WSPs)
- Rule 3120 requires a firm to have a system of supervisory control policies and procedures (SCPs) that test and verify whether the Rule 3110 supervisory procedures are working
Think of it this way: Rule 3110 is the firm's playbook. Rule 3120 is the quality-assurance audit of the playbook. A firm with a perfectly written WSP that nobody actually follows fails Rule 3120 even though it looks clean under Rule 3110.
What are the core FINRA Rule 3120 obligations?
Each member must designate one or more principals (identified to FINRA) who will:
- Establish, maintain, and enforce a system of SCPs that test and verify that the firm's supervisory procedures are reasonably designed to achieve compliance with securities laws, SEC regulations, and FINRA rules
- Create additional supervisory procedures, or amend existing ones, where testing identifies a need
The designated principal(s) own the Rule 3120 program end-to-end. They define the testing methodology, run the tests, and roll the results into the annual report.
What does the FINRA Rule 3120 annual report require?
The designated principal(s) must prepare a report, at least annually, detailing the firm's system of supervisory controls. This is known as the Rule 3120 Report and it must be submitted to senior management.
The Rule 3120 Report must include:
- A summary of test results
- Significant identified exceptions
- Any additional or amended supervisory procedures created in response to the test results
Exam Tip: Gotchas
- The 3120 Report is annual and must go to senior management. A firm that performs testing but never rolls the results up to senior management has not satisfied the rule. The reporting step is the part that makes the control cycle complete.
What testing methodology does FINRA Rule 3120 permit?
Rule 3120 gives firms flexibility in how they test, but the testing must be substantive.
Key testing rules:
- A firm may use risk-based methodologies and sampling to test and verify a subset of policies and procedures annually
- Testing does not need to cover every WSP every year
- Over time, the testing must be reasonably designed to cover the firm's supervisory system
- For a newly approved firm, the first testing and first 3120 Report must be completed within 12 months of becoming a FINRA member
Think of it this way: Risk-based sampling is like an auditor's test of internal controls. The auditor does not verify every transaction; the auditor picks a representative sample weighted toward higher-risk areas. Rule 3120 accepts the same logic for supervisory testing, as long as the coverage cycle makes sense across years.
Exam Tip: Gotchas
- 3120 testing can be risk-based and use sampling. A firm does not have to test every procedure every year. But the testing must be reasonably designed overall. "We tested one control out of forty this year" does not satisfy the rule.
What enhanced FINRA Rule 3120 content applies to larger firms?
Firms with $200 million or more in gross revenue reported on the prior-year FOCUS report must include specified additional content in the 3120 Report (to the extent applicable to the firm's business). The enhanced content addresses areas like customer complaints and internal investigations reported to FINRA.
For most Series 6 firms, this threshold is not relevant. The standard 3120 Report framework applies.
What are the most tested FINRA Rule 3120 supervisory control concepts?
Exam Tip: Gotchas
- Rule 3110 = supervision; Rule 3120 = supervising the supervision. Rule 3110 creates WSPs; Rule 3120 tests whether those WSPs work and reports the findings up to senior management. They are complementary, not alternative.
- The 3120 Report is annual AND goes to senior management. Both elements matter; missing either fails the rule.
- Risk-based sampling is permitted. A firm does not have to test every procedure every year, but the cumulative testing must cover the supervisory system.
- Newly approved firms: first testing and first report within 12 months of becoming a FINRA member. This is the cold-start timeline.
- Enhanced content applies to firms with $200 million or more in prior-year gross revenue. Series 6 firms typically fall below this threshold, but the rule still exists.