Most broker-dealers are aware of their annual requirement to test and document their firm’s compliance program. But the question remains whether firms are meeting the full requirements of the rule. Below are the basics of the former NASD Rule 3012, now FINRA Rule 3120, for establishing and maintaining a system of supervisory control.
What is FINRA Rule 3120 on Supervisory Control?
FINRA Rule 3120 requires firms to designate, and identify to FINRA, one or more principals required to create, maintain, and enforce supervisory control procedures and policies. The policies and procedures must:
- Test and verify that the firm’s supervisory procedures are reasonably designed so the firm and its associated persons’ activities are compliant with applicable securities laws, regulations, and FINRA rules; and
- Create additional or amended supervisory procedures when and where necessary.
Who is responsible for completion of the rule?
A designated principal should be responsible for overseeing the testing. One person may perform this testing; however, it is generally recommended as best practice for them to collaborate with other internal and external stakeholders. For example, this could include employees, consultants, legal, accounting, and technology. Most broker-dealers must perform testing. However, capital acquisition broker-dealers are one exception to the rule.
What should be tested?
Risk-based testing is best practice, which gives firms the flexibility to design adequate reviews. Generally speaking, items to consider include the following:
- Prior regulatory deficiencies;
- New products or business lines;
- Regulatory examination priorities;
- Previous business activities that have a pattern of customer complaints; and
- Prior audit exceptions and deficiencies.
When should the system of Supervisory Control be tested?
Firms should perform testing annually. Many firms perform ongoing testing throughout the year. For a newly approved firm, the first testing and 3120 report must be completed within 12 months of becoming a FINRA member.
Why is this testing important?
First and foremost, testing is a FINRA rule requirement. However, testing is also essential in highlighting any potential business, product, and compliance concerns. Testing locates areas of the greatest litigation and regulatory risk and finally focuses on areas of the business that need mitigation.
What happens after the testing is complete?
After identifying areas and documenting exceptions, firms should document the steps required to create and update any areas of concern. This may include updates to procedures and training. Once documentation is complete, the designated person (generally the CCO) should submit a report to senior management (CEO/Board of Directors/Audit Committee) which outlines the firm’s system of supervisory controls. The report should also include a summary of testing results including any significant exceptions and any additional or amended written supervisory procedures created as a result of the testing.
After presenting the report to appropriate parties, the CEO (or equivalent officer) must complete a certification under FINRA Rule 3130. The annual certification states that the firm has the necessary processes in place to establish, maintain, review, test, and modify its supervisory policies and procedures. It also certifies that the CEO (or equivalent officer) has met with the CCO at least once during the preceding 12 months to discuss the firm’s supervisory controls. Firm officers must complete this certification at least annually, on or before the anniversary date of the prior year’s certification.
FINRA’s FAQ on Rule 3120 is a valuable resource to learn more about this topic. For more information on other supervisory responsibilities, check out our previous blog on the supervision of supervisory personnel.
Contact us today to learn how our team of expert consultants can help your firm in establishing and maintaining your supervisory control testing and certification program.