Supervisory Control System
Quick Answer
The supervisory-control rule sits on top of the supervision rule as supervision of supervision. The firm must establish a system of supervisory control policies and procedures to test and verify that the firm's supervisory procedures are working. The designated principal must prepare an annual report to senior management summarizing test results, significant exceptions, and any procedural amendments. Risk-based sampling is permitted.
The supervision rule requires the firm to build a supervisory system. The supervisory-control rule requires the firm to test whether that system actually works. The supervisory-control rule sits on top of the supervision rule as a second line of defense: supervision of supervision.
What does the supervisory-control rule add to the supervision rule?
The two rules are complementary, not alternative.
- The supervision rule requires a supervisory system and written supervisory procedures (WSPs)
- The supervisory-control rule requires a firm to have a system of supervisory control policies and procedures (SCPs) that test and verify whether the supervisory procedures are working
Think of it this way: The supervision rule is the firm's playbook. The supervisory-control rule is the quality-assurance audit of the playbook. A firm with a perfectly written WSP that nobody actually follows fails the supervisory-control rule even though it looks clean under the supervision rule.
What are the core supervisory-control rule obligations?
Each member must designate one or more principals (identified to FINRA) who will:
- Establish, maintain, and enforce a system of SCPs that test and verify that the firm's supervisory procedures are reasonably designed to achieve compliance with securities laws, SEC regulations, and FINRA rules
- Create additional supervisory procedures, or amend existing ones, where testing identifies a need
The designated principal(s) own the supervisory-control program end-to-end. They define the testing methodology, run the tests, and roll the results into the annual report.
What does the supervisory-control rule's annual report require?
The designated principal(s) must prepare a report, at least annually, detailing the firm's system of supervisory controls. This is the annual supervisory-controls report and it must be submitted to senior management.
The annual supervisory-controls report must include:
- A summary of test results
- Significant identified exceptions
- Any additional or amended supervisory procedures created in response to the test results
Exam Tip: Gotchas
- The annual supervisory-controls report is annual and must go to senior management. A firm that performs testing but never rolls the results up to senior management has not satisfied the rule. The reporting step is the part that makes the control cycle complete.
What testing methodology does the supervisory-control rule permit?
The supervisory-control rule gives firms flexibility in how they test, but the testing must be substantive.
Key testing rules:
- A firm may use risk-based methodologies and sampling to test and verify a subset of policies and procedures annually
- Testing does not need to cover every WSP every year
- Over time, the testing must be reasonably designed to cover the firm's supervisory system
- For a newly approved firm, the first testing and first annual supervisory-controls report must be completed within 12 months of becoming a FINRA member
Think of it this way: Risk-based sampling is like an auditor's test of internal controls. The auditor does not verify every transaction; the auditor picks a representative sample weighted toward higher-risk areas. The supervisory-control rule accepts the same logic for supervisory testing, as long as the coverage cycle makes sense across years.
Exam Tip: Gotchas
- Supervisory-control testing can be risk-based and use sampling. A firm does not have to test every procedure every year. But the testing must be reasonably designed overall. "We tested one control out of forty this year" does not satisfy the rule.
What enhanced supervisory-control content applies to larger firms?
Firms with $200 million or more in gross revenue reported on the prior-year FOCUS report must include specified additional content in the annual supervisory-controls report (to the extent applicable to the firm's business). The enhanced content addresses areas like customer complaints and internal investigations reported to FINRA.
For most Series 6 firms, this threshold is not relevant. The standard supervisory-control framework applies.
What are the most tested supervisory-control concepts?
Exam Tip: Gotchas
- Supervision rule = supervision; supervisory-control rule = supervising the supervision. The supervision rule creates WSPs; the supervisory-control rule tests whether those WSPs work and reports the findings up to senior management. They are complementary, not alternative.
- The annual supervisory-controls report is annual AND goes to senior management. Both elements matter; missing either fails the rule.
- Risk-based sampling is permitted. A firm does not have to test every procedure every year, but the cumulative testing must cover the supervisory system.
- Newly approved firms: first testing and first report within 12 months of becoming a FINRA member. This is the cold-start timeline.
- Enhanced content applies to firms with $200 million or more in prior-year gross revenue. Series 6 firms typically fall below this threshold, but the rule still exists.