FINRA Annual Compliance Review Checklist — Rule 3120 & 3130 Requirements
Last updated: 2026-04-22 — ComplianceStack Editorial Team
FINRA Rules 3120 and 3130 impose specific annual compliance obligations on broker-dealers: a testing and verification program for supervisory control policies (Rule 3120), and annual certification by the Chief Compliance Officer that the firm has processes to establish, maintain, and review compliance policies and supervisory procedures (Rule 3130). These requirements are not checklists — they are structured obligations with specific documentation, testing, and certification components. FINRA's enforcement statistics consistently show supervisory failures as the leading cause of disciplinary actions. This 18-item checklist covers the complete annual compliance review cycle: supervisory system assessment, CCO certification, written supervisory procedures review, AML program testing, outside business activities, and examination readiness.
FINRA Compliance Checklist for Annual Compliance Review
Complete Rule 3120 supervisory control program testing and produce a written report
FINRA Rule 3120 requires each member firm to designate a principal to establish, maintain, and enforce a supervisory control system. Annually, the designated principal(s) must test and verify that supervisory procedures are reasonably designed to achieve compliance with applicable securities laws. The testing program must be documented in a written report submitted to senior management. The report must describe the test procedures, testing results, and any exceptions identified with remediation actions taken.
Obtain CCO annual certification under Rule 3130(b)
Rule 3130(b) requires the firm's CEO (or equivalent) to certify annually, after consultation with the CCO, that the firm has processes in place to: establish, maintain, review, test, and modify written compliance policies and written supervisory procedures. The CCO must participate in preparing the certification and must attest to its completeness. The certification must be maintained for three years and produced upon FINRA request. Draft the certification, conduct the CCO consultation meeting, document the meeting, and obtain signatures before year-end.
Conduct annual review and update of Written Supervisory Procedures (WSPs)
FINRA Rule 3110(b)(1) requires each member to establish, maintain, and enforce written supervisory procedures (WSPs) for all of the member's businesses. WSPs must be updated to reflect: new FINRA rules effective during the year, new business lines or products launched, changes in personnel or supervision structure, and any procedures that testing or examination found to be inadequate. Assign each section of the WSP to an owner. Document the review date, reviewer name, and changes made. Stale WSPs — procedures not updated to reflect current rules or practices — are among FINRA's most common examination findings.
Conduct annual AML compliance testing and program effectiveness review
FINRA Rule 3310 requires an independent testing program for AML compliance, typically conducted annually (or more frequently for high-risk businesses). The test must be conducted by qualified internal staff (not the CCO or AML compliance officer being tested) or an independent third party. The test must evaluate: customer identification program effectiveness, beneficial ownership compliance, transaction monitoring and suspicious activity report filing, Office of Foreign Assets Control (OFAC) screening, and correspondent account due diligence. Document test methodology, findings, and remediation actions.
Review and test the firm's outside business activities (OBA) approval and monitoring system
FINRA Rule 3270 requires registered persons to provide prior written notice to the member firm before engaging in outside business activities. Rule 3280 requires pre-approval for private securities transactions. The annual compliance review must assess: whether the OBA notification and approval process is functioning, whether all registered persons have submitted current OBA disclosures, whether approved OBAs are being monitored for conflicts, and whether any unapproved private securities transactions occurred. Review BrokerCheck profiles of all registered persons for activities that may not have been disclosed.
Review customer complaint handling procedures and complaint log for compliance
FINRA Rule 4530 requires member firms to report specified events to FINRA, including customer complaints alleging theft, forgery, material misrepresentation, and certain other violations. Firms must also maintain a complaint log under FINRA Rule 4513. Review the annual complaint log for: completeness, timely reporting under Rule 4530, adequacy of supervisory review, pattern analysis (recurring complaints about specific registered persons or products), and appropriate resolution. Rule 3110(b)(4) requires supervisory review of all written customer complaints.
Assess the firm's suitability and best interest compliance program
FINRA Rule 2111 (suitability) and Reg BI (for retail customers) require that recommendations be suitable and in the customer's best interest. The annual review must test: whether registered persons are documenting customer profiles and investment objectives, whether suitability determinations are being made and documented for complex products, whether supervisors are reviewing recommendations against customer profiles, and whether customer investment objectives in account records are current. Review a sample of account documentation and transaction records.
Review branch office and OSJ supervision and conduct branch audits where required
FINRA Rule 3110(c) requires regular inspections of each office of supervisory jurisdiction (OSJ) at least annually, and each non-OSJ branch at least every three years. Each inspection must be documented with specific coverage items. If inspection results identified exceptions, verify remediation actions were completed before the next inspection. Review the inspection schedule for the coming year to ensure coverage requirements will be met. For remote supervision arrangements, assess whether the supervision system remains adequate for current headcount and business mix.
Evaluate communications and correspondence review procedures
FINRA Rule 2210 (Communications with the Public) and Rule 3110(b)(4) require supervisory review of registered persons' correspondence and communications. Review whether: all retail communications are being reviewed by a registered principal prior to use, correspondence review procedures are keeping pace with communication volume and channel proliferation (including social media, text messaging, and collaboration platforms), electronic communication retention is functioning correctly, and principals are documenting their reviews with meaningful oversight.
Assess training and continuing education compliance for all registered persons
FINRA's Continuing Education Program requires registered persons to complete Regulatory Element training within 120 days of their second registration anniversary and every three years thereafter (transitioning to annual requirements). Firms must also conduct Firm Element training annually, with content based on a needs analysis. Review: whether all registered persons have completed required CE, whether the firm element training program reflects current risk areas identified in the needs analysis, and whether training completion records are maintained.
Review and test the fingerprinting and background check program
FINRA Rule 3110(e) requires member firms to ascertain the good character, reputation, qualifications, and experience of each applicant before associating with the firm. All associated persons must be fingerprinted under SEC Rule 17f-2. Annually review: whether all required background checks are completed before registration, whether fingerprinting is current for all associated persons, whether U4 disclosures are current and complete, and whether the firm's process for reviewing negative background information is documented and consistently applied.
Review the firm's Trade Surveillance and market integrity monitoring program
FINRA's market integrity rules require surveillance for manipulative trading practices including front-running, churning, marking the close, and spoofing. Review whether the firm's trade surveillance system generates alerts for these patterns, whether alert review is being conducted by qualified supervisors, whether exceptions are escalated appropriately, and whether the surveillance coverage has been updated for new products or trading venues added during the year. Document trade surveillance test results as part of the Rule 3120 report.
Assess books and records compliance under SEA Rules 17a-3 and 17a-4
SEC Rules 17a-3 and 17a-4 require broker-dealers to create and preserve specific records for defined periods. The annual review must assess: whether all required records are being created and retained, whether electronic records are stored in the required WORM (write once, read many) format, whether the retention schedule is current for all record types, and whether the firm can produce required records within the timeframes specified in examination requests. Test record retrieval capabilities annually.
Review Net Capital and customer protection rule compliance
SEC Rule 15c3-1 (Net Capital Rule) and Rule 15c3-3 (Customer Protection Rule) impose ongoing financial compliance requirements. The annual review should assess: whether the firm's net capital calculations are current and accurate, whether reserve formula computations are being performed on schedule, whether customer funds and securities are properly segregated, and whether the firm's financial condition is being monitored against early warning levels. Verify that FOCUS Report filings are current and accurate.
Review Business Continuity Plan (BCP) and conduct annual testing
FINRA Rule 4370 requires member firms to maintain an emergency preparedness plan that addresses business continuity in the event of significant business disruptions. The plan must be reviewed and updated annually. The annual review must assess whether: the plan reflects current systems, personnel, and business operations; emergency contacts are current; backup facilities and systems are tested; and critical business functions (order entry, customer communications, clearing) can be maintained or recovered. Conduct a tabletop or live test exercise and document results.
Update and test the cybersecurity program and verify vendor management controls
FINRA's cybersecurity guidance (Report on Cybersecurity Practices) and SEC Reg S-P (Privacy Rule) require firms to maintain a cybersecurity program proportionate to their size and complexity. The annual review should assess: access controls and privileged access management, patch management currency, security incident response plan, vendor/third-party risk management (particularly for cloud services and outsourced functions), data classification and sensitive data handling, and employee phishing/social engineering training completion.
Conduct the annual FINRA examination readiness assessment
FINRA examines every member firm on a risk-based cycle. Conduct an annual self-assessment using FINRA's examination priorities letter (published each January) to identify areas of heightened scrutiny. Review the prior year's FINRA examination findings letter for any outstanding items or commitments made to examiners. Conduct mock reviews of the highest-risk examination areas: supervision, AML, communications, and suitability. Ensure your exam response team knows their roles and that exam preparation materials are organised and current.
Document the annual compliance review in a formal report to senior management
FINRA Rule 3120(b) requires that results of the annual testing and verification program be reported in writing to senior management. The report must cover: testing methodology, scope, findings, exceptions noted, and remediation actions taken or planned. Senior management must review and sign the report. This document is routinely requested in FINRA examinations and demonstrates that the firm's compliance program is functioning. Retain for at least three years under Rule 3130(c) recordkeeping requirements.
Common Mistakes That Trigger Enforcement
Frequently Asked Questions
What is the difference between FINRA Rules 3120 and 3130?
Rule 3120 requires a substantive annual testing and verification program for supervisory control policies and procedures, with a written report to senior management summarising findings and any exceptions. It focuses on whether the firm's supervisory system is actually working. Rule 3130 requires the CEO to certify annually, after consultation with the CCO, that the firm has processes in place to establish, maintain, review, test, and modify compliance policies and supervisory procedures. Rule 3130 is a governance and accountability mechanism — it creates personal accountability for senior management for the compliance program. Both requirements apply to all FINRA member firms and must be satisfied annually.
Who can conduct the independent AML testing required by Rule 3310?
FINRA Rule 3310(c) requires that AML testing be conducted by qualified persons who are not responsible for implementing the AML program. This means the person conducting the test cannot be the AML compliance officer or the person primarily responsible for the AML policies being tested. Internal compliance staff who were not involved in implementing the tested procedures can conduct the testing; alternatively, external consultants, internal audit departments, or parent company compliance teams may conduct it. The tester must have sufficient knowledge of BSA/AML requirements to evaluate program effectiveness. Document the tester's qualifications in the test report.
What FINRA examination areas receive the most scrutiny in broker-dealer exams?
FINRA's Annual Examination and Risk Monitoring Program priorities, consistently highlighted over recent years, include: (1) Reg BI and Suitability — whether recommendations are in customers' best interests and properly documented; (2) Supervision — adequacy of WSPs and actual supervisory practices, particularly for remote registered persons; (3) Communications — social media, email, and text messaging supervision and retention; (4) AML — SAR filing timeliness, beneficial ownership verification, and transaction monitoring; (5) Outside Business Activities — OBA disclosure completeness and private securities transaction monitoring; (6) Cybersecurity — access controls, vendor management, and incident response planning. These six areas should receive disproportionate attention in the annual compliance review.