Supervisory Control System
Written supervisory procedures (WSPs) tell supervisors what to do. But how does a firm know whether those procedures are actually working? That's where FINRA Rules 3120 and 3130 come in, creating a layer of oversight that tests the supervisory system itself.
FINRA Rule 3120: Testing and Verification
FINRA Rule 3120 requires firms to maintain supervisory control procedures (SCPs) that test and verify whether the firm's WSPs are reasonably designed.
The key distinction:
| Rule | Purpose | Focus |
|---|---|---|
| Rule 3110 (WSPs) | Tell supervisors what to do | Day-to-day supervision |
| Rule 3120 (SCPs) | Test whether the WSPs are working | Oversight of the supervisory system |
Rule 3120 is essentially "supervision of the supervisors." It provides an independent check on the supervisory system itself.
How Testing Works
- Designated principals must test and verify that the firm's supervisory procedures achieve compliance with applicable securities laws and FINRA rules
- Firms may use risk-based methodologies and sampling to test a subset of policies and procedures each year
- Testing must address the firm's specific business activities and the risks associated with each
Annual Report to Senior Management
No less than annually, the designated principal(s) must submit to the firm's senior management a report that includes:
- A description of the firm's system of supervisory controls
- A summary of test results and significant identified exceptions
- Any additional or amended supervisory procedures created in response to test results
This report ensures that senior management is aware of supervisory deficiencies and corrective actions taken to address them.
Exam Tip: Gotchas
Firms with $200 million or more in gross revenue must include additional specified content in their Rule 3120 annual report. The exam may reference this threshold.
FINRA Rule 3130: Annual CEO Certification
Rule 3130 adds one more layer of accountability by requiring personal certification from the top.
Chief Compliance Officer Requirement
- Each broker-dealer (BD) must designate a Chief Compliance Officer (CCO)
- The CCO serves as the firm's primary point of contact for compliance matters
CEO Certification Process
The firm's CEO (or equivalent officer) must certify annually that the firm has in place processes to:
- Establish written compliance policies and written supervisory procedures
- Maintain those policies and procedures
- Review and test those policies and procedures
- Modify those policies and procedures as business, regulations, or circumstances change
Additional Requirements
- The certification must be based on a process that includes consultation with the CCO
- The CEO must have conducted one or more meetings with the CCO in the preceding 12 months to discuss these processes
- The certification is due no later than the anniversary date of the previous certification
Exam Tip: Gotchas
The CEO certification is about processes, not outcomes. The CEO certifies that processes exist to establish, maintain, review, test, and modify compliance procedures. The CEO does not certify that no violations have occurred or that the firm is in perfect compliance.
How the Three Rules Work Together
The supervisory framework follows a logical chain:
Rule 3110 (Supervision) → Rule 3120 (Testing) → Rule 3130 (Certification)
- Rule 3110 creates the supervisory system and WSPs
- Rule 3120 tests whether the WSPs are working and reports to senior management
- Rule 3130 requires the CEO to certify that the entire framework exists and is maintained
With the supervisory framework in place, the final question is: what happens when supervision fails?