Compliance Systems
Supervisory System Overview
FINRA Rule 3110 requires every member firm to establish, maintain, and enforce a system for supervising the activities of each associated person that is reasonably designed to achieve compliance with applicable securities laws and regulations, as well as FINRA rules. This supervisory obligation is at the heart of the General Securities Principal's role. The supervisory system is not a single document or procedure; it is a comprehensive framework that includes organizational structure, written supervisory procedures, surveillance technology, review processes, and accountability mechanisms.
The supervisory system must be tailored to the firm's specific business model, product offerings, customer base, and organizational complexity. A large full-service broker-dealer with thousands of registered representatives and multiple product lines requires a far more elaborate supervisory infrastructure than a small introducing firm with a handful of representatives selling a limited range of products. However, regardless of size, every firm must address certain core supervisory obligations defined by FINRA rules.
Key Components of the Supervisory System
A well-designed supervisory system includes the following components:
- Organizational chart: A clear hierarchy showing who supervises whom, with named individuals assigned to specific supervisory responsibilities
- Written Supervisory Procedures (WSPs): Detailed written procedures covering each area of the firm's business
- Supervisory control system: Additional testing and verification procedures to ensure that the supervisory system is effective (required by FINRA Rule 3120)
- Branch office inspection program: A schedule for inspecting branch offices and OSJs
- Exception and surveillance reports: Automated and manual monitoring tools that flag unusual or potentially problematic activity
- Compliance training: Ongoing training for registered persons and supervisory personnel
- Escalation procedures: Clear protocols for escalating identified issues to senior management, compliance, and legal
Definition
Reasonably Designed: The legal standard applied to supervisory systems. The system does not need to guarantee that no violations will ever occur. Rather, it must be reasonably designed to prevent and detect violations given the firm's business model and risk profile. A system that is on paper only, never tested, or consistently ignored would fail this standard.
Written Supervisory Procedures (WSPs)
Written Supervisory Procedures are the backbone of the firm's compliance infrastructure. WSPs must describe in detail how the firm will supervise each area of its business, who is responsible for performing supervisory reviews, what specific steps the supervisor must take, how often reviews are conducted, and how exceptions or violations are to be escalated and resolved. WSPs must be written clearly enough that any qualified principal could use them to perform the required supervisory functions.
Required Content of WSPs
WSPs must address every aspect of the firm's business, including but not limited to:
- Account opening and documentation: Procedures for verifying customer identity, obtaining required documentation, and ensuring accounts are properly designated
- Order handling and execution: Review of order entry, execution quality, best execution obligations, and trade reporting
- Suitability and Reg BI: Processes for reviewing recommendations for compliance with suitability standards and Regulation Best Interest
- Correspondence and communications: Review and retention of all customer communications, including email, social media, and instant messaging
- Margin accounts: Supervision of margin activity, margin calls, and concentration risks
- Options accounts: Special supervisory procedures for options accounts, including approval requirements and suitability review
- Anti-money laundering: Procedures for detecting and reporting suspicious activity
- Customer complaints: Intake, investigation, response, and reporting procedures
- Outside business activities and PSTs: Review and approval processes
- Books and records: Maintenance, retention, and production of required records
Updating WSPs
WSPs are living documents that must be updated promptly when there are changes in the firm's business, new regulatory requirements, or identified supervisory gaps. FINRA expects firms to review and update their WSPs at least annually, and more frequently when material changes occur. Common triggers for WSP updates include new product offerings, new regulatory rules or guidance, findings from internal or external examinations, changes in the firm's organizational structure or business model, and technology changes that affect supervisory capabilities.
Exam Tip
WSPs must name specific individuals (or titles) responsible for each supervisory function. Vague statements like "management will review" are insufficient. Each WSP section must identify WHO is responsible, WHAT they review, HOW they review it, and HOW OFTEN. FINRA frequently cites firms for having WSPs that are generic or that do not reflect the firm's actual practices.
Supervisory Control System (Rule 3120)
FINRA Rule 3120 requires member firms to designate and specifically identify to FINRA one or more principals who will establish, maintain, and enforce a system of supervisory control policies and procedures. This is distinct from the supervisory system required by Rule 3110. While Rule 3110 establishes the basic supervisory framework, Rule 3120 adds an additional layer that tests and verifies whether the supervisory system is actually working effectively.
Annual Report (Rule 3120)
The chief executive officer (or equivalent) must annually certify that the firm has processes in place to establish, maintain, review, test, and modify written compliance policies and WSPs. This annual certification (sometimes called the "CEO certification") requires a thorough evaluation of the firm's supervisory and compliance systems, including testing of key controls, review of examination findings, and assessment of the overall effectiveness of the supervisory infrastructure.
Branch Office Inspections
Under FINRA Rule 3110(c), member firms must inspect each branch office and OSJ on a regular schedule. The inspection program must include:
- OSJ inspections: At least annually
- Branch office inspections: On a regular periodic schedule, which FINRA generally expects to be at least every three years, with more frequent inspections for higher-risk locations
- Non-branch location inspections: On a schedule determined by the firm's risk-based assessment
Inspections must be conducted by persons who are independent of the office being inspected. A person who supervises the day-to-day operations of a branch should not also be the person who inspects that branch for compliance. The inspection must include a review of safeguarding of customer funds and securities, maintenance of books and records, supervision of customer account activity, compliance with communications rules, and adherence to WSPs.
| Office Type | Inspection Frequency | Inspector Requirements | Key Areas Reviewed |
|---|---|---|---|
| OSJ | At least annually | Independent of the OSJ | All supervisory functions, records, customer protection |
| Branch Office | At least every 3 years (risk-based) | Independent of the branch | Customer accounts, communications, records |
| Non-Branch Location | Risk-based schedule | Per firm procedures | Based on activities conducted |
Exception Reports and Surveillance
Exception reports are automated alerts generated by the firm's surveillance systems when activity falls outside predefined parameters. These reports are a critical component of the supervisory system because they enable principals to identify and investigate potentially problematic activity across a large volume of transactions and accounts. Without effective exception reporting, principals would be unable to monitor the breadth of activity at a modern broker-dealer.
Types of Exception Reports
Common exception reports used by broker-dealers include:
- Concentration reports: Flag accounts with positions concentrated in a single security or sector, which may indicate excessive risk or unsuitability
- Active account reports: Identify accounts with unusually high trading volume, which may indicate churning or excessive activity
- Trade blotter reviews: Daily review of all trades executed, looking for patterns of potential misconduct
- Large transaction reports: Flag transactions above certain dollar thresholds for AML and suitability review
- Cross-transaction reports: Identify transactions between customer accounts that may indicate manipulation or conflicts of interest
- Margin exception reports: Flag accounts approaching or exceeding margin limits, concentrated margin positions, or accounts in margin call status
- Revenue-to-equity ratios: Compare commissions generated to account equity, flagging potentially excessive trading
- Complaint tracking reports: Aggregate and track customer complaints by representative, branch, and product type
Principal Review Obligations
Generating exception reports is not sufficient; principals must actually review and act on the information they contain. For each exception report, the principal must review the flagged activity, determine whether it requires further investigation, investigate as necessary, document the review and any conclusions reached, and take appropriate action if a violation or concern is identified. The documentation of this review process is critical. Regulators expect to see evidence that exception reports were reviewed in a timely manner and that the principal took appropriate follow-up action.
Warning
A firm that generates exception reports but fails to review them is in a worse position than a firm with no reports at all. The existence of unreviewed reports demonstrates that the firm was aware of potential issues but chose not to act. FINRA has imposed significant fines on firms for creating surveillance systems and then ignoring the results. Principals have been personally sanctioned for failure to review exception reports assigned to them.
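The exception-report types listed above, the principal's review obligation, and the warning about unreviewed reports can be illustrated with a small surveillance model. The following Python is an added example, not code from the page or from any firm's surveillance platform: the thresholds, record layouts, account and trade data, and review dispositions are all constructed for illustration. It generates four of the report types (concentration, active account, large transaction, revenue-to-equity) over sample accounts and trades, records each principal review with mandatory notes, lists alerts that have no documented review, and flags identical review notes reused across alerts, which the page names as a rubber-stamping red flag.

```python
"""Toy exception-report generator with a principal review log (added example).
Thresholds, record layouts and sample data are constructed for illustration
and do not represent any firm's actual WSPs or surveillance system."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set

# Constructed thresholds; a real firm sets these in its WSPs per its business
# and risk profile.
THRESHOLDS = {
    "concentration": 0.50,         # largest position as a share of account holdings
    "active_account": 20,          # trades in the review period
    "large_transaction": 100_000,  # gross dollar value of a single trade
    "revenue_to_equity": 0.10,     # period commissions divided by account equity
}

# Dispositions a principal may record; anything else is rejected.
DISPOSITIONS = {"no action", "contacted rep", "restricted account", "escalated"}


@dataclass
class Account:
    account_id: str
    rep_id: str
    equity: float
    positions: Dict[str, float]   # symbol -> current market value


@dataclass
class Trade:
    account_id: str
    trade_date: date
    symbol: str
    amount: float                 # gross dollar value of the trade
    commission: float


@dataclass
class Alert:
    rule: str
    account_id: str
    rep_id: str
    detail: str
    ref: str = ""                 # distinguishes several trade-level alerts in one account

    @property
    def alert_id(self) -> str:
        return f"{self.rule}:{self.account_id}" + (f":{self.ref}" if self.ref else "")


def run_exception_reports(accounts: List[Account], trades: List[Trade],
                          thresholds: Dict[str, float] = THRESHOLDS) -> List[Alert]:
    """Apply each surveillance rule and return alerts sorted by (rule, account)."""
    trade_count: Dict[str, int] = defaultdict(int)
    commissions: Dict[str, float] = defaultdict(float)
    for t in trades:
        trade_count[t.account_id] += 1
        commissions[t.account_id] += t.commission

    alerts: List[Alert] = []
    for acct in accounts:
        total = sum(acct.positions.values())
        if total > 0:   # concentration report
            symbol, value = max(acct.positions.items(), key=lambda kv: kv[1])
            share = value / total
            if share >= thresholds["concentration"]:
                alerts.append(Alert("concentration", acct.account_id, acct.rep_id,
                                    f"{symbol} is {share:.0%} of holdings"))
        n = trade_count[acct.account_id]   # active account report
        if n > thresholds["active_account"]:
            alerts.append(Alert("active_account", acct.account_id, acct.rep_id,
                                f"{n} trades in period"))
        if acct.equity > 0:   # revenue-to-equity report
            ratio = commissions[acct.account_id] / acct.equity
            if ratio >= thresholds["revenue_to_equity"]:
                alerts.append(Alert("revenue_to_equity", acct.account_id, acct.rep_id,
                                    f"commissions are {ratio:.1%} of equity"))
    rep_of = {a.account_id: a.rep_id for a in accounts}
    for t in trades:   # large transaction report (one alert per trade)
        if t.amount >= thresholds["large_transaction"]:
            alerts.append(Alert("large_transaction", t.account_id, rep_of.get(t.account_id, "?"),
                                f"{t.symbol} trade of ${t.amount:,.0f} on {t.trade_date}",
                                ref=f"{t.trade_date.isoformat()}:{t.symbol}"))
    return sorted(alerts, key=lambda a: (a.rule, a.account_id, a.ref))


def record_review(log: Dict[str, dict], alert: Alert, principal: str,
                  disposition: str, notes: str, reviewed_on: date) -> None:
    """Document a principal's review. An undocumented review is indistinguishable
    from no review, so empty notes and unknown dispositions are rejected."""
    if disposition not in DISPOSITIONS:
        raise ValueError(f"unknown disposition: {disposition!r}")
    if not notes.strip():
        raise ValueError("review notes are required")
    log[alert.alert_id] = {"principal": principal, "disposition": disposition,
                           "notes": notes.strip(), "reviewed_on": reviewed_on}


def unreviewed_alerts(alerts: List[Alert], log: Dict[str, dict]) -> List[Alert]:
    """Alerts with no documented review: the gap regulators look for first."""
    return [a for a in alerts if a.alert_id not in log]


def repeated_review_notes(log: Dict[str, dict]) -> Set[str]:
    """Review notes reused verbatim across alerts, a rubber-stamping indicator."""
    counts = Counter(entry["notes"] for entry in log.values())
    return {note for note, n in counts.items() if n > 1}


# Constructed sample data: three accounts, two representatives.
SAMPLE_ACCOUNTS = [
    Account("A100", "R1", 200_000.0, {"XYZ": 150_000.0, "ABC": 50_000.0}),
    Account("A200", "R1", 50_000.0, {"DEF": 20_000.0, "GHI": 20_000.0, "JKL": 10_000.0}),
    Account("A300", "R2", 1_000_000.0, {"MNO": 450_000.0, "PQR": 400_000.0, "STU": 150_000.0}),
]
SAMPLE_TRADES = (
    [Trade("A100", date(2024, 3, 1), "XYZ", 30_000.0, 150.0),
     Trade("A100", date(2024, 3, 8), "ABC", 30_000.0, 150.0)]
    + [Trade("A200", date(2024, 3, 1 + i % 28), "DEF", 2_000.0, 300.0) for i in range(25)]
    + [Trade("A300", date(2024, 3, 5), "PQR", 250_000.0, 500.0)]
)

if __name__ == "__main__":
    alerts = run_exception_reports(SAMPLE_ACCOUNTS, SAMPLE_TRADES)
    for a in alerts:
        print(a.alert_id, "-", a.detail)
    log: Dict[str, dict] = {}
    record_review(log, alerts[0], "P-Smith", "contacted rep",
                  "25 trades in March; rep states trades were client-directed", date(2024, 4, 2))
    print("unreviewed:", [a.alert_id for a in unreviewed_alerts(alerts, log)])
```

Running the module with the sample data produces four alerts (active account and revenue-to-equity for A200, concentration for A100, one large trade for A300) and then lists the three that have no review on file. The two checks at the end are the ones a supervisory control test under Rule 3120 would exercise: every alert has a documented disposition, and the dispositions show individual analysis rather than copied text.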
The Role of the Chief Compliance Officer
While not specifically mandated by FINRA rules for all broker-dealers, most firms designate a Chief Compliance Officer (CCO) who is responsible for overseeing the firm's compliance program. The CCO serves as the primary liaison between the firm and its regulators, coordinates the development and implementation of compliance policies, monitors regulatory developments, and advises senior management on compliance risks and obligations.
The CCO's responsibilities typically include overseeing the development and maintenance of WSPs, coordinating the firm's response to regulatory examinations and inquiries, managing the firm's compliance testing and surveillance programs, advising on new business initiatives and product launches from a compliance perspective, overseeing the AML compliance program (or coordinating with the AML Compliance Officer), managing the firm's regulatory filings and reporting obligations, and training firm personnel on compliance matters.
Compliance Independence
Regulators expect that the compliance function has sufficient independence, authority, and resources to be effective. The CCO should have direct access to the firm's senior management and board of directors. The compliance department should not be subordinate to the revenue-generating business units it oversees, as this creates a conflict of interest. FINRA has emphasized the importance of compliance independence in numerous enforcement actions and regulatory guidance.
Key Takeaway
The supervisory system is not just the WSPs. It is the entire framework including organizational structure, procedures, surveillance technology, exception reporting, branch inspections, compliance testing, and personnel accountability. A principal who merely signs off on reviews without genuine engagement is not fulfilling their supervisory obligation.
Deep Dive: Red Flags in Supervisory Systems
FINRA examination staff look for specific red flags when evaluating a firm's supervisory system:
- Paper-only procedures: WSPs that exist in writing but are not followed in practice
- Rubber-stamping: Supervisory reviews that are completed without genuine analysis (e.g., identical review notes for every account)
- Understaffing: Supervisory principals responsible for more activity than they can reasonably review
- Conflicts of interest: Supervisors who have financial incentives tied to the revenue generated by the persons they supervise
- Technology gaps: Surveillance systems that do not capture all relevant activity or that produce so many false positives that real issues are missed
- Lack of escalation: No clear process for escalating identified issues to senior management or legal counsel
- Stale procedures: WSPs that have not been updated to reflect current business activities, products, or regulatory requirements
Check Your Understanding
Test your knowledge of compliance systems.
1. How often must OSJ locations be inspected?
2. FINRA Rule 3120 requires an annual certification from which person?
3. Which of the following would be the most significant supervisory deficiency identified by FINRA?
4. Written supervisory procedures must include all of the following EXCEPT:
5. Who should conduct branch office inspections under FINRA rules?