FINRA Rule 3120 (Supervisory Control System) requires every FINRA member firm to establish a system of supervisory control policies and procedures that tests and verifies whether the firm's written supervisory procedures required by FINRA Rule 3110 are actually working as designed. It serves as the quality assurance layer of the FINRA supervision framework: it transforms paper compliance into operational effectiveness and ensures that supervisory systems are regularly assessed, identified deficiencies are remediated, and senior management receives documented evidence of the supervisory system's adequacy through an annual report.
The critical distinction between Rule 3110 and Rule 3120 — tested directly on both the Series 7 and Series 65 examinations — is the distinction between establishing a supervisory system and testing whether that system works. FINRA Rule 3110 requires firms to establish, maintain, and enforce written supervisory procedures.
FINRA Rule 3120 requires firms to test and verify that those procedures are actually functioning as intended — that the supervision described in the WSP is occurring in practice and is achieving the compliance outcomes it was designed to achieve. A firm that has excellent written procedures but has never verified whether those procedures are being followed and are effective has satisfied Rule 3110 but has not satisfied Rule 3120.
Rule 3120 requires designated principals to establish, maintain, and enforce supervisory control policies and procedures — SCPs — that serve two specific functions that together constitute the testing and verification obligation.
The first function is to test and verify that the firm's supervisory procedures are reasonably designed with respect to the activities of the firm and its associated persons to achieve compliance with applicable securities laws, regulations, and FINRA rules. This testing function requires designated principals to systematically examine whether the supervisory activities described in the WSP are actually being performed — whether correspondence reviews are occurring as scheduled, whether transaction surveillance is detecting the patterns it is designed to detect, whether annual compliance meetings are being held, whether customer complaints are being handled in accordance with the firm's procedures, and whether all other supervisory functions described in the WSP are functioning as described.
The testing may be conducted using risk-based methodologies and sampling — FINRA does not require that every supervisory activity be tested in full each year. A risk-based approach focuses testing resources on the highest-risk areas of the firm's business — the activities, products, customer segments, and geographic locations that present the greatest potential for compliance failures — while using sampling to efficiently assess whether standard supervisory processes are functioning properly across lower-risk areas.
The second function is to create additional or amend existing supervisory procedures where the need for change is identified by the testing and verification process. Testing that identifies a gap — a supervisory procedure that is not functioning as designed, a compliance risk that is not adequately addressed by existing procedures, or a regulatory change that requires updates to the WSP — must result in corrective action. The SCP must specify the process through which testing findings are translated into WSP amendments or new procedures — ensuring that the testing function drives continuous improvement of the supervisory system rather than merely documenting existing deficiencies without remediation.
Rule 3120 requires each member firm to designate and identify to FINRA one or more principals responsible for establishing, maintaining, and enforcing the firm's supervisory control policies and procedures.
The designated principal or principals must have the authority and the organisational position necessary to effectively execute the testing and verification function — including the ability to access all relevant supervisory records and compliance data, to direct the testing activities of compliance staff, and to escalate findings to senior management for remediation when necessary.
The designation of Rule 3120 principals must be documented and reported to FINRA through the appropriate registration channels — FINRA must know who is responsible for the firm's supervisory control testing function so that it can assess whether the designated individuals have appropriate qualifications and authority for the role. Member firms with complex or diversified businesses may designate multiple principals with responsibility for different business lines or functional areas — as long as the overall SCP covers the firm's complete range of activities without gaps.
The designated principal or principals must submit to the firm's senior management, no less than annually, a report detailing the firm's system of supervisory controls, the summary of the test results and significant identified exceptions, and any additional or amended supervisory procedures created in response to the test results.
This annual report — universally called the Rule 3120 Report — is the primary mechanism through which the board of directors and senior management of a member firm receive documented evidence of the supervisory system's operational effectiveness. The Rule 3120 Report gives senior management the information they need to assess whether the firm's compliance infrastructure is functioning adequately, to identify areas requiring remediation or enhanced resources, and to fulfil their own governance responsibilities with respect to the firm's regulatory compliance.
The Rule 3120 Report must address each of the required components — the description of the supervisory control system, the testing methodology employed, the specific areas tested, the findings and significant exceptions identified, and the corrective actions taken or planned in response to identified deficiencies. A report that merely confirms that testing was conducted without providing meaningful detail about the testing scope, findings, and remediation is not a compliant Rule 3120 Report.
Rule 3120 imposes additional reporting requirements on member firms that have reported two hundred million dollars or more in gross revenue on their FOCUS report in the prior calendar year — recognising that larger firms with more complex operations and greater investor impact warrant enhanced supervisory control reporting.
For firms meeting this revenue threshold the annual Rule 3120 Report to senior management must include additional specified content — including a tabulation of reports pertaining to customer complaints and internal investigations made to FINRA during the period, and a discussion of the firm's compliance efforts including the procedures and educational programmes it has implemented in specified regulatory areas.
The enhanced reporting requirements for larger firms reflect the regulatory recognition that supervisory control failures at large, complex firms have greater potential for widespread investor harm than similar failures at smaller firms, which makes the quality of supervisory control oversight at large firms a matter of particular regulatory concern. The additional reporting content gives senior management at larger firms a more comprehensive picture of the firm's regulatory footprint, including the volume and nature of its regulatory interactions, enabling more informed governance oversight of the firm's compliance function.
Rule 3120 does not prescribe a specific testing methodology — it allows firms to use risk-based methodologies and sampling to determine the scope and frequency of testing, recognising that different firms with different business models and risk profiles require different approaches to effective supervisory control testing.
A risk-based testing approach allocates testing resources to the highest-risk areas of the firm's business — dedicating more intensive and more frequent testing to activities, products, registered persons, and locations that present elevated compliance risk based on factors including complexity, customer vulnerability, compensation structure, prior regulatory history, and market conditions. Lower-risk areas may be tested less frequently or through sampling rather than comprehensive review.
Member firms may use their existing internal audit, self-assessment, compliance review, or branch inspection processes to satisfy the Rule 3120 testing requirement — provided that those processes are sufficiently rigorous and comprehensive to constitute genuine testing and verification of supervisory procedure effectiveness rather than mere procedural confirmation. FINRA has acknowledged that existing internal control processes can satisfy Rule 3120's requirements when they are appropriately designed and documented to demonstrate testing of supervisory procedure adequacy.
The Rule 3120 Report and the Rule 3130 Report — both of which are annual documents required by companion rules in FINRA's supervisory framework — serve distinct but complementary purposes that are important to understand and distinguish.
The Rule 3120 Report is a report from the designated principal or principals to senior management that documents the testing and verification of the firm's supervisory procedures — summarising what was tested, what the testing found, what exceptions were identified, and what changes were made or will be made to address those exceptions. It is a detailed operational document that evidences the functioning of the supervisory control system.
The Rule 3130 Report — described in the FINRA Rule 3130 entry of this dictionary — is prepared by the firm's chief compliance officer and submitted to the board of directors and audit committee, evidencing the processes in place to establish, maintain, review, test, and modify the firm's written compliance policies and supervisory procedures. The Rule 3130 Report supports the CEO's annual certification required by Rule 3130 — confirming that the processes exist and are functioning — while the Rule 3120 Report documents the actual testing results that demonstrate those processes are working effectively.
Together the two reports and the CEO certification create a governance framework that connects the operational testing of supervisory procedures through the Rule 3120 process with the senior leadership accountability established through the Rule 3130 certification — ensuring that both operational and governance dimensions of supervisory system adequacy are formally documented and reported each year.
FINRA's examination of member firms under its examination programme directly assesses the adequacy and effectiveness of each firm's Rule 3120 supervisory control system — making the quality of the Rule 3120 testing process a primary focus of FINRA's regulatory oversight activity.
When FINRA examines a member firm it will typically request the firm's most recent Rule 3120 Report as part of the initial document request — using the report as a roadmap of the firm's own assessment of its supervisory system's strengths and weaknesses. FINRA examiners will then conduct their own testing of the firm's supervisory procedures to assess whether the firm's Rule 3120 testing was sufficiently rigorous and whether the significant exceptions identified by the firm's testing were appropriately remediated.
A firm that has conducted thorough Rule 3120 testing, identified compliance gaps, and implemented effective remediation before the FINRA examination demonstrates a functioning supervisory control culture that FINRA regulators view positively — even if the testing identified significant exceptions, because identifying and addressing problems proactively is evidence of an effective supervisory system. A firm that has conducted perfunctory Rule 3120 testing that failed to identify compliance gaps subsequently found by FINRA examiners has demonstrated the opposite — a supervisory control system that is not functioning as designed and that failed to identify problems before they caused harm.
FINRA Rule 3120 is tested on the Series 7 and Series 65 examinations in the context of the supervisory framework — specifically the distinction between the written supervisory procedures of Rule 3110 and the testing and verification function of Rule 3120.
The key points to retain are these.
FINRA Rule 3120 (Supervisory Control System) requires every member firm to establish supervisory control policies and procedures that test and verify whether the firm's written supervisory procedures required by FINRA Rule 3110 are actually functioning as designed and achieving compliance with applicable securities laws, regulations, and FINRA rules. The critical distinction from Rule 3110 is that Rule 3110 requires establishing the supervisory system, whereas Rule 3120 requires testing whether that system is working.
The two functions of the supervisory control policies and procedures are to test and verify that WSPs are reasonably designed to achieve compliance — and to create or amend supervisory procedures where testing identifies gaps or deficiencies. Risk-based methodologies and sampling may be used to scope the testing — focusing resources on highest-risk areas while efficiently assessing standard supervisory processes across lower-risk activities. Designated principals must submit an annual Rule 3120 Report to senior management detailing the supervisory control system, test results, significant exceptions, and corrective actions taken. Firms reporting two hundred million dollars or more in gross revenue face enhanced reporting requirements including tabulation of customer complaints and FINRA reports and discussion of compliance programmes.
The Rule 3120 Report is distinct from the Rule 3130 Report — the Rule 3120 Report documents testing results and remediation while the Rule 3130 Report evidences the processes that support the CEO's annual certification under Rule 3130. Together Rules 3110, 3120, and 3130 form the complete supervisory governance framework — establish through Rule 3110, test through Rule 3120, certify through Rule 3130.