FINRA Supervision Technology
FINRA supervision technology is the software infrastructure broker-dealers use to implement, enforce, and document the supervisory controls required under FINRA Rules 3110 and 3120.
Definition
FINRA supervision technology encompasses the software systems and automated workflows that broker-dealers use to fulfill the supervisory obligations imposed by FINRA Rule 3110 (Supervision) and Rule 3120 (Supervisory Control System). Rule 3110 requires every member firm to establish and maintain a supervisory system — including written supervisory procedures (WSPs), designated supervisors for each business line, and evidence of ongoing supervisory activity — that is reasonably designed to achieve compliance with applicable securities laws and regulations. Rule 3120 requires firms to establish a separate layer of supervisory control: policies and procedures that test whether the supervision system itself is operating as designed, with results reported to senior management annually. Technology is the mechanism through which these obligations are operationalized at scale.
The relationship between WSPs and supervision technology is critical. WSPs are the documentation layer — the written description of what the firm supervises, how it supervises it, and who is responsible. Supervision technology is the execution layer — the software that implements those procedures, monitors activity, surfaces exceptions, routes them to the designated supervisor, records the supervisory action taken, and retains the audit trail. FINRA examiners routinely test both layers independently: they verify that the WSPs are current and specific, and they verify that the supervision system is operating in the manner the WSPs describe. A gap between the documented procedure and the actual system — a WSP that describes daily account review but a system that has no queue for that activity — is itself a supervisory violation.
Exception-Based Surveillance
At the trading volume and communication frequency of most broker-dealers, manual review of every activity is operationally impossible. Exception-based surveillance addresses this by defining parameters and surfacing only the activity that falls outside those parameters for human review. Modern surveillance systems operate across three parameter types: threshold-based rules that flag specific values (a trade exceeding a defined size or concentration limit); pattern-based rules that identify sequences associated with known violations (wash trades, layering, front-running); and behavioral anomaly detection that compares a registered person's activity against a statistical peer baseline — a representative whose trading patterns, communication volume, or order behavior deviate significantly from comparable peers generates an exception even if no single action crosses a fixed threshold. Behavioral surveillance is increasingly important as regulators move away from simple keyword-based searches toward pattern recognition that is harder for bad actors to circumvent. The supervisor reviews the flagged items, documents the review and its conclusion, and closes or escalates accordingly.
FINRA supervision rules — Rule 3110 vs Rule 3120
| Rule | Core obligation | Technology implication | Documentation output |
|---|---|---|---|
| Rule 3110 — Supervision | Establish and maintain supervisory system for all associated persons | Exception alerts, review queues, approval workflows | Audit log per review action |
| Rule 3120 — Supervisory control | Test and verify that supervision system is working as designed | Automated testing; control gap reports | Annual certification to senior management |
| Rule 3110(b) — WSPs | Written supervisory procedures for every regulated activity | Procedure-to-system mapping; version control | Current WSP document per business line |
| Rule 3110(c) — Internal inspections | Periodic inspection of offices and supervisory locations | Inspection scheduling; finding management | Inspection report and remediation tracking |
| Electronic comms review | Review of associated persons' business communications | Archiving, filtering, flagging, review queue | Reviewer identity, date, conclusion per item |
The design of exception parameters is itself a compliance function. Parameters that are too narrow miss violations; parameters that are too broad generate so many exceptions that supervisors cannot meaningfully review all of them, defeating the surveillance purpose. FINRA has noted in examination findings that firms with chronically unclosed exception queues may not have a supervision system that is "reasonably designed" regardless of what the WSP says. A persistent backlog of unreviewed alerts is not merely an operational problem — it is itself a supervisory violation, and queue aging is among the first metrics FINRA examiners examine.
Electronic Communications Surveillance
Rule 3110(b) requires firms to review electronic communications of their associated persons in a manner reasonably designed to detect and prevent violations. This obligation covers email, instant messaging, and other digital communication channels used for business purposes. Modern electronic communications surveillance technology applies keyword filtering, natural language processing, and behavioral pattern recognition to surface communications that warrant supervisor review — flagging investment recommendations, customer complaints, or language associated with potential misconduct. The firm's WSP must specify how communications are captured, how reviews are assigned, what the review workflow looks like, and how reviewer conclusions are documented.
Off-channel communications enforcement has become one of the highest-priority areas in broker-dealer regulation. Following SEC and FINRA enforcement actions from 2021 through 2024 — resulting in billions in aggregate penalties against major institutions for WhatsApp, Signal, Telegram, and personal email use by registered personnel — regulators expect firms to actively detect indicators of off-channel business communications, not merely to prohibit them in WSPs. A supervision system with a written prohibition but no surveillance capability for detecting off-channel use does not satisfy the Rule 3110 obligation in the current enforcement environment.
Rule 3120 and Supervisory Control Testing
Rule 3120 operates as an audit function on the supervision system itself. Each year, the firm must test its supervisory control policies and procedures to verify that they are operating as designed, identify gaps or deficiencies, and report results to senior management — typically the CEO and CCO — with a description of any remediation required. The C-suite's annual certification under Rule 3120 rests directly on the supervision system's ability to produce the required data: if the technology cannot generate the metrics the report requires, the executives signing the certification have no basis for their attestation. Supervision technology supports Rule 3120 by generating the metrics and logs needed to assess system performance: exception volume by category, average time to close, escalation rates, open item aging, and identified gaps between the WSP and the system's actual operation.
FINRA supervision — rule and technology layer
Devancore Glossary · devancore.com
How it works
1. WSP mapping to system configuration
The first step in implementing supervision technology is mapping each WSP procedure to a corresponding system capability. A WSP that requires daily review of trades over a defined size threshold must correspond to a surveillance parameter that generates a daily exception queue for trades meeting that threshold, a routing rule that assigns those exceptions to the designated supervisor, and an audit field that records when the review occurred and who performed it. Where no system capability corresponds to a WSP obligation, either the technology must be configured or the WSP must be amended to reflect the actual supervision method.
2. Activity ingestion and monitoring
Supervision technology ingests activity data from the trading system, order management system, communication archive, account management system, and other operational platforms in near real time. Each activity record is evaluated against the exception parameters defined in the system configuration. Activity that falls within parameters is logged but not surfaced for active review. Activity that meets an exception threshold is routed to the appropriate supervisor's review queue.
3. Exception queue and review workflow
Each exception generates a work item in the supervisor's queue with the relevant activity data, the parameter that triggered the exception, and any contextual information — account history, comparable peer activity, prior exceptions for the same registered person — that the supervisor needs to make an informed review decision. The supervisor reviews the item, documents the conclusion (no violation, violation escalated, explanation noted), and closes or escalates the exception. Every action in the queue is timestamped and attributed to the reviewing supervisor, creating the audit trail that demonstrates supervisory activity occurred.
4. Escalation and investigation
Exceptions where the supervisor identifies a potential violation, or where the activity warrants further investigation, are escalated to the firm's compliance or legal team. The escalation workflow records the escalating supervisor, the date of escalation, and the basis for escalation. Compliance tracks escalated items through to resolution — which may include a regulatory filing (such as a Suspicious Activity Report or a FINRA Form U4 amendment), disciplinary action against the associated person, or a determination that no violation occurred. The full escalation history is retained as part of the supervisory audit trail.
5. Branch office and remote supervision
Rule 3110(c) requires periodic inspection of branch offices and supervisory locations. The rule distinguishes between Offices of Supervisory Jurisdiction (OSJs) — which must be inspected at least annually — branch offices requiring periodic inspection, and non-branch locations inspected on a risk-based schedule. Supervision technology routes inspection assignments based on location classification, activity volume, and prior finding history, and maintains inspection scheduling, finding documentation, and remediation tracking in the same system as day-to-day exception management. For geographically distributed firms, remote oversight tools provide supervisors at the home office with real-time visibility into branch activity — the same exception queues and surveillance tools available locally are accessible across all locations — generating a documented inspection record for each site without requiring on-site presence for every review.
6. Rule 3120 control testing and annual report
At year end, the supervision system must provide the data needed to complete the Rule 3120 control testing: exception volume and closure rates by category, time-to-close averages, escalation rates, open item aging, and identified gaps between the WSP and the system's actual operation. The Rule 3120 annual report is submitted to senior management — typically the CEO and CCO — which means the C-suite's annual certification rests on the supervision system's ability to produce this record. A technology platform that cannot generate these metrics leaves the compliance team without the data the report requires, creating personal exposure for the executives who sign it. The compliance team uses this data to assess whether the supervision system is operating as designed, identify remediation priorities, and document the certification basis.
Supervision workflow — exception handling
Devancore Glossary · devancore.com
Supervision workflow — exception handling
Devancore Glossary · devancore.com
In Devancore™
Devancore — supervisory control workflow
Devancore Glossary · devancore.com
Devancore — supervisory control workflow
Devancore Glossary · devancore.com
The gap between what a WSP describes and what the supervision system actually does is the most common finding in FINRA Rule 3110 examinations. Supervision infrastructure must bridge those layers — implementing the written procedures, maintaining the audit trail, and generating the metrics the Rule 3120 annual report requires. Devancore provides the operational workflow layer that connects WSP obligations to documented, auditable supervisory actions across trading, position management, and settlement activities.
Maker-checker and approval workflows
Every material action in Devancore — trade entry, position adjustment, account parameter change, settlement instruction — supports configurable maker-checker approval requirements. The initiating user creates the action; a designated principal reviews and authorizes it before the action takes effect. Every approval step is recorded with the approver's identity, timestamp, and outcome, creating the documented approval chain that Rule 3110 requires for actions subject to principal review.
Exception queue and supervisory review
Devancore surfaces configurable exception conditions — trades exceeding defined thresholds, accounts with unusual position concentrations, settlement items exceeding age limits — as prioritized review items routed to the designated supervisor's queue. Each exception record includes the triggering activity, the relevant parameter, and the registered representative context. Supervisors review, document their conclusion, and close or escalate within the same system, maintaining a complete supervisory record without a separate documentation step. Exception queue metrics — volume by category, time-to-close, open item aging — are available for Rule 3120 annual reporting.
Hybrid rail supervision — traditional and digital settlement
For firms that settle across traditional securities rails and USDC or tokenized settlement, Devancore provides a unified exception view. On-ledger settlement events are timestamped and immutable at the moment they occur, allowing supervisors to flag discrepancies against pre-approved instructions in real time — a supervisory transparency advantage over traditional cash settlement, where bank statement data is typically lagged by hours or days. WSPs that extend to digital asset activity can be implemented within the same exception workflow as traditional supervisory controls.
Audit trail and Rule 3120 reporting
Every supervisory action through Devancore — exception reviewed, approval granted, escalation created, access attempted — is retained in a tamper-evident, timestamped audit log with full user attribution. In a FINRA examination, the audit log provides the documentation that supervision occurred as the WSP describes. At year end, the same log and exception metrics provide the data the Rule 3120 annual report requires: the C-suite's certification rests on the system's ability to produce this record, and a supervision platform that cannot generate it leaves senior management without the factual basis for their attestation.