Written Supervisory Procedures
The compliance policies a broker-dealer must establish, maintain, and enforce under FINRA Rule 3110 to supervise all business lines and associated persons.
Definition
Written supervisory procedures (WSPs) are the primary compliance instrument of a registered broker-dealer — the documents that translate the regulatory obligations of FINRA membership into specific, enforceable operational procedures for every business line the firm conducts. Under FINRA Rule 3110(b), each member must establish, maintain, and enforce written procedures to supervise the types of business in which it engages and the activities of its associated persons that are reasonably designed to achieve compliance with applicable securities laws, SEC regulations, and FINRA rules. The phrase "reasonably designed" carries the operative regulatory standard: it is not sufficient for WSPs to exist — they must be plausibly capable of preventing and detecting violations, must cover all activities the firm actually conducts, must be firm-specific rather than based on generic industry templates, and must be enforced through a supervisory system that routes transactions, records, and communications through documented principal review with an audit trail examiners can inspect. WSPs are also subject to SEC Rule 17a-4 recordkeeping requirements: the procedures themselves, their version history, and evidence of amendment and distribution must be retained in WORM-compliant format — deletion of the supervisory procedures document is a books and records violation independent of any other compliance failure.
The WSP Regulatory Framework: Rules 3110, 3120, and 3130
Three FINRA rules form the WSP compliance loop. FINRA Rule 3110 establishes the supervisory system and specifies the required content of written procedures. FINRA Rule 3120 establishes the meta-level control: a supervisory control system that tests and verifies whether the WSPs themselves are working, with a designated principal reporting test results and identified exceptions to senior management at least annually. FINRA Rule 3130 establishes executive accountability: the firm's CEO must certify annually that the firm has processes in place to establish, maintain, review, test, and modify the compliance program based on review meetings with designated compliance officers. Together, the three rules create a closed compliance loop: write procedures (3110), test them (3120), certify they work (3130), amend as needed — then repeat. A firm that maintains WSPs under Rule 3110 but does not conduct Rule 3120 testing, or that completes Rule 3130 certification without evidence of a functioning Rule 3120 process, has satisfied the form of the requirement while failing its substance.
Written supervisory procedures — FINRA Rule 3110 content requirements map
| Rule 3110 Section | Subject Area | Minimum Requirement | Examination Test |
|---|---|---|---|
| 3110(b)(2) | Transaction review | Principal review of all transactions relating to the IB or securities business, evidenced in writing | Is there a signed principal review record for each transaction? |
| 3110(b)(4) | Correspondence review | Incoming/outgoing written and electronic correspondence; risk-based review appropriate to business size and structure | Is each review evidenced in writing with reviewer, date, and actions identified? |
| 3110(b)(5) | Customer complaints | Procedures to capture, acknowledge, and respond to all written (including electronic) customer complaints | Are complaint records complete and response actions documented? |
| 3110(b)(6) | Supervisory personnel | Title, registration, location of each supervisor; no self-supervision; no compensation link to supervised person | Is each supervisor registered for the business they supervise? Any conflicts? |
| 3110(b)(7) | WSP maintenance | Maintained at each OSJ; promptly amended for rule/law changes; communicated to all relevant persons; WORM-retained | Does the WSP reflect current rules? When was it last amended and distributed? |
| 3110(c) | Internal inspections | OSJs annually; non-OSJ branches every 3 years; written inspection report retained 3 years minimum | Was each inspection conducted on schedule? Is the written report on file? |
WSP Content: Minimum Requirements Under Rule 3110(b)
Rule 3110(b) specifies five content areas that every broker-dealer's written procedures must address. Investment banking and securities transaction review under Rule 3110(b)(2) requires that all transactions relating to the firm's investment banking or securities business be reviewed by a registered principal, with that review evidenced in writing. Correspondence review under Rule 3110(b)(4) requires procedures for reviewing incoming and outgoing written and electronic correspondence — reviews must be appropriate for the firm's business, size, structure, and customers, must be evidenced in writing, and must clearly identify the reviewer, the communication reviewed, the date of review, and any actions taken; FINRA has stated explicitly in supplementary guidance that merely opening a communication is not sufficient review. Customer complaint procedures under Rule 3110(b)(5) must provide for capturing, acknowledging, and responding to all written complaints. Supervisory personnel documentation under Rule 3110(b)(6) must list the titles, registration status, and locations of each supervisory person; must prohibit any supervisor from supervising their own activities; and must prohibit any supervisory arrangement where the supervisor's compensation or continued employment is determined by the person they supervise — with specific documentation required if a firm's size makes full compliance impossible. WSP maintenance under Rule 3110(b)(7) requires each firm to promptly amend its procedures whenever applicable laws, regulations, or FINRA rules change, and to communicate the amendments to all associated persons to whom they are relevant.
Supervisory Hierarchy: OSJ Designation and Principal Registration
FINRA Rule 3110(a)(2) requires the designation of an appropriately registered principal for each type of business in which the firm engages — a firm conducting both equity trading and investment banking must designate separately qualified principals for each, as the appropriate registration category (Series 24, Series 4, Series 79, Series 9/10) differs by business type. Rule 3110(a)(3) requires every branch office and Office of Supervisory Jurisdiction to be registered and designated as such. An OSJ is any office where order execution or market making occurs, public offerings are structured, customer funds or securities are held in custody, new accounts receive final acceptance, customer orders are endorsed, retail communications receive final approval, or where responsibility for supervising activities at other branch offices is held (Rule 3110(f)(1)). The supervisory significance of the OSJ designation is its inspection frequency: every OSJ must be inspected at least once annually on a calendar-year basis, with a written inspection report retained for a minimum of three years. Inspection areas required under Rule 3110(c)(2)(A) include safeguarding of customer funds and securities, books and records, fund and securities transmittals, and changes to customer account information including address and investment objective updates. FINRA Rule 3110.19 established a voluntary Remote Inspection Program allowing qualifying firms to conduct certain required inspections through remote means for eligible locations — the written report obligation and retention requirements are unchanged under that program.
The Rule 3120 Supervisory Control System
Rule 3120 operationalizes WSP quality control. The firm must designate one or more principals specifically to establish, maintain, and enforce a supervisory control system — a separate layer above the WSPs themselves — that tests whether the written procedures are working as intended and creates or amends them where gaps are identified. At minimum annually, those Rule 3120 principals must submit a written report to senior management summarizing the testing performed, significant identified exceptions, and any new or amended procedures created in response. For broker-dealers reporting $200 million or more in gross revenues on their FOCUS reports, the annual Rule 3120 report must additionally include a tabulation of all customer complaints and internal investigations filed with FINRA during the preceding year, and a substantive discussion of compliance efforts across six enumerated areas: trading and market activities; investment banking activities; antifraud and sales practices; finance and operations; supervision; and anti-money laundering. Rule 3120 converts the WSP from a static document into a continuously maintained system — without it, outdated or incomplete procedures have no internal mechanism for self-correction.
Rule 3130: The CEO Accountability Loop
FINRA Rule 3130 requires the CEO (or equivalent senior officer designated by the board) to meet with the firm's designated compliance officials at least annually to discuss the process for establishing, maintaining, reviewing, testing, and modifying written compliance policies and written supervisory procedures. Based on those meetings and the output of the Rule 3120 testing cycle, the CEO must certify in writing that those processes are in place. The Rule 3130 certification is not an attestation that the firm is in full compliance with all applicable rules — it is an attestation that the firm has an active, functioning process for managing compliance. A CEO who certifies under Rule 3130 without evidence that Rule 3120 testing has been conducted, or who certifies a program with known material gaps, faces FINRA disciplinary exposure independent of the underlying compliance deficiencies. The three-rule framework (3110–3120–3130) is designed to ensure that compliance gaps surface before FINRA discovers them during examination, not after.
WSP Currency and Digital Assets
WSP currency — the obligation under Rule 3110(b)(7) to promptly amend procedures when applicable rules change — has become an active compliance challenge as the regulatory framework for digital asset activities continues to develop. A broker-dealer that adds digital asset operations without extending its WSPs to cover those activities has a currency gap from the first trade in that business line: the transaction review, correspondence review, and principal designation procedures that govern traditional equity and fixed income activities were not designed for on-chain settlement confirmation, wallet-level position records, or the supervisory controls specific to digital securities activities. Examiners expect that the WSP amendment timeline tracks the firm's business activity timeline — a business line that launched six months ago should have had WSP coverage from launch, not from the date of the next annual review. For broker-dealers evaluating digital asset operations, the WSP extension question is an operational readiness prerequisite, not a post-launch compliance task. The same logic applies to any new business line or product type.
WSP Examination: What FINRA Looks For
FINRA examination of WSPs focuses on three dimensions: completeness, currency, and enforcement. Completeness asks whether the procedures cover every business activity the firm actually conducts — a firm that opens retail accounts but whose WSPs contain no new account review procedures has a completeness gap regardless of what the account opening team actually does. Currency asks whether the procedures reflect applicable rules as currently in force — procedures referencing the T+2 settlement cycle, pre-Regulation Best Interest suitability standards, or outdated digital asset guidance are not current. Enforcement asks whether the procedures are being followed, which is the dimension most difficult to satisfy with documents alone: FINRA examiners look for principal review signatures on transaction records, correspondence review logs identifying the reviewer and each communication reviewed, written inspection reports on file for each required period, Rule 3120 test results submitted to senior management, and Rule 3130 certification documentation. Exchange Act Section 15(b)(4)(E) authorizes the SEC to sanction broker-dealers and associated persons who fail reasonably to supervise, making WSP deficiencies a direct pathway to registration suspension, civil money penalty, or bar for the responsible supervisory principal.
FINRA supervisory compliance — three-rule hierarchy
Devancore Glossary · devancore.com
How it works
1. Map business activities to regulatory obligations and recordkeeping requirements
Every WSP begins with a business activity inventory: a comprehensive list of every type of securities activity the firm conducts — equities trading, fixed income, investment banking, retail accounts, prime brokerage, digital assets — mapped to the specific securities laws, SEC rules, and FINRA rules that apply to each. The mapping also establishes the records creation obligations under SEC Rule 17a-3, which specifies which transaction records a broker-dealer must create, and the retention requirements under Rule 17a-4. Every business activity that falls within the WSP scope is simultaneously subject to these books and records requirements — the WSP audit trail and the 17a-3/17a-4 records are the same records. Firms that skip or shortcut the business activity mapping step produce WSPs with coverage gaps and records that fail to satisfy both the supervisory procedures requirement and the books and records requirement.
2. Draft procedures with minimum content and specific principal designations
For each business line identified in step 1, the firm drafts written procedures covering the transaction review workflow, the correspondence and communication review process, the customer complaint intake and response path, and the exception escalation chain. Each procedure must designate a specific registered principal — by title and registration category — as the supervisory authority. The designation must be specific enough that any FINRA examiner can identify who is responsible for any transaction or communication that occurs in that business line. Generic designations ("the compliance department" or "senior management") are consistently cited as inadequate in FINRA examination findings. Procedures must reflect the firm's actual business, not a template — a WSP that does not describe how the firm's specific supervisory system works fails on both completeness and firm-specificity grounds.
3. Register branch offices and OSJs; designate principals with appropriate registration
Once the supervisory structure is mapped, all OSJs and branch offices are registered with FINRA as required by Rule 3110(a)(3). Each OSJ requires at least one principal designated with supervisory responsibility for that office. Each registered representative and associated person must be assigned to a specific supervisor under Rule 3110(a)(5). A written record of all supervisory designations — including their dates of effectiveness — must be maintained for at least three years under Rule 3110(b)(6)(B), with the first two years in an easily accessible location. The designated principal for each business type must hold the appropriate registration category for that business — a Series 24 for general securities supervision, a Series 79 for investment banking, a Series 9/10 for retail supervision — and the WSP must identify the principal's registration category alongside the supervisory designation.
4. Implement enforcement controls as operational workflows
Written procedures that are not enforced through operational controls provide no compliance protection and fail the examination test. Each procedure requiring principal review must be implemented as an enforced workflow: a maker-checker control that routes the transaction or record to the designated principal before it can be committed, with approval and rejection logged with full attribution. Correspondence review procedures must produce documented review evidence — a log entry that identifies the reviewer, the communication, the date, and any action taken, not merely an attestation that review occurred. Customer complaint intake must produce a timestamped record of receipt, assignment, and response, satisfying both Rule 3110(b)(5) and the FINRA Rule 4513 complaint record retention requirement. Exception escalation rules must route flagged activities to the correct supervisory principal automatically based on configurable criteria.
5. Conduct annual internal inspections under Rule 3110(c)
Every OSJ must be inspected at least once annually on a calendar-year basis; every non-OSJ branch office that supervises other branches must also be inspected annually; every other non-OSJ branch office must be inspected at least once every three years; and every non-branch location on a regular periodic schedule based on the nature and complexity of the securities activities there. Each inspection must produce a written inspection report, retained for a minimum of three years. The inspection must cover safeguarding of customer funds and securities, books and records maintenance, supervision of supervisory personnel, fund and securities transmittals to third-party accounts, and customer account information changes. The inspecting person must not be associated with the location being inspected and must not report to a person associated with that location — conflict independence is required under Rule 3110(c)(3)(B). Firms operating under the Rule 3110.19 Remote Inspection Program must document the remote methodology and confirm eligibility for each location before substituting remote review for an in-person inspection.
6. Run Rule 3120 supervisory control testing annually
The Rule 3120 designated principal tests the firm's written procedures against the standard of being reasonably designed to achieve compliance — not against whether violations occurred, but whether the procedures and controls in place are capable of detecting them. Testing typically includes transaction sampling, communication review log audits, exception queue analysis, complaint handling reviews, and coverage gap assessments across all business lines. The results, identified exceptions, and any resulting procedure amendments are documented in the annual Rule 3120 report submitted to senior management. For firms above the $200 million gross revenue threshold, the report must include complaint and investigation tabulations and substantive discussion across the six enumerated compliance areas. The Rule 3120 report is a primary examination document — examiners use it to assess whether senior management has meaningful visibility into the compliance program's performance and whether identified gaps have been addressed.
7. Complete Rule 3130 CEO certification and amend for regulatory changes
The annual Rule 3130 CEO certification is completed after the Rule 3120 testing cycle, based on meetings with designated compliance officers reviewing the program's adequacy and the test results. The certification is documented and retained in WORM-compliant storage as a regulatory record. Contemporaneously, WSPs must be reviewed for currency against any regulatory changes that occurred during the year — new SEC rules, FINRA rule amendments, guidance updates, or changes to the firm's own business activities. Rule 3110(b)(7) requires WSPs to be amended promptly when applicable rules change, not at the next annual review cycle. Each amendment must be communicated to all associated persons to whom it is relevant, with evidence of distribution retained. The amended WSP — with a record of when amendments were made, what regulatory change triggered them, and to whom they were distributed — closes the annual compliance cycle and forms the foundation for the next year's supervision.
WSP supervisory review — exception escalation flow
Devancore Glossary · devancore.com
WSP supervisory review — exception escalation flow
Devancore Glossary · devancore.com
In Devancore™
FINRA Rule 3110 — supervisory jurisdiction structure
Devancore Glossary · devancore.com
Devancore encodes written supervisory procedures as operational workflows rather than storing them as static policy documents. Every WSP requirement that demands a principal review, an escalation, or a dual-control approval is implemented as a configurable rule in the platform — a trade above a threshold, a position modification, or a settlement exception routes automatically to the designated supervisory principal for approval before it is committed, and every action is logged with full attribution. The compliance program is not maintained separately from operations; it is embedded in the operational controls that govern how the firm processes trades and manages positions.
Maker-Checker as Rule 3110(b)(2) Enforcement
The maker-checker workflow in Devancore is the operational implementation of Rule 3110(b)(2)'s requirement for registered principal review evidenced in writing. When a registered person initiates a transaction, account modification, or exception resolution, the platform routes the action to the designated supervisory principal based on the business line, transaction type, and value threshold configured in the WSP rules. The principal reviews, approves or rejects, and annotates — and the full audit record (actor, timestamp, reviewed record, decision, annotation) is written to the immutable log at the moment of action. There is no separate step to "document" the review: the act of review in the platform is the record. FINRA examiners requesting evidence of principal review receive an exportable log with the exact evidence the rule requires.
Exception Escalation and Correspondence Review
Supervisory exception routing in Devancore follows the escalation hierarchy defined in the firm's WSP configuration. Flagged trade activity, compliance alerts, and trade break exceptions are routed to the registered principal responsible for that business line — not to a generic compliance inbox. Each escalation event generates an audit record that tracks the original flag, the routing decision, the reviewer, the review outcome, and any regulatory report obligation triggered. For correspondence and communication review workflows, the same audit trail applies: each reviewed item is logged with reviewer identity and date, satisfying the Rule 3110(b)(4) evidencing requirement and FINRA guidance that opening a communication alone is not sufficient review.
Customer Complaint Capture and Rule 3110(b)(5) Evidence
Complaint intake in Devancore captures the full lifecycle of each written customer complaint: date received, originating account, complaint content, the compliance officer to whom it was assigned, the response timeline, and the resolution outcome. This record satisfies Rule 3110(b)(5)'s requirement for procedures to capture, acknowledge, and respond to all written complaints, and produces the complaint record that FINRA Rule 4513 requires to be maintained for four years. The complaint log is available to Rule 3120 testing workflows, enabling the supervisory control principal to sample complaint handling as part of the annual control system test without manual record assembly.
Annual Inspection and Rule 3120 Workflow Support
Devancore's audit log exports are structured to support annual internal inspections under Rule 3110(c) without manual data assembly. The inspection team can extract, for any date range and any location, the complete record of transactions reviewed, exceptions escalated, settlement actions taken, and account modifications approved — providing the inspection report with the factual foundation required by Rule 3110(c)(2)(A). For Rule 3120 testing, the same log structure supports sampling workflows: a compliance principal can extract a statistical sample of transactions, correspondence reviews, complaint records, or exception escalations and verify that required controls were applied. The Rule 3120 test results, documented in Devancore's compliance reporting module, form the evidence base for the annual senior management report and the Rule 3130 CEO certification.
WSP Amendment Tracking, WORM Retention, and Distribution
Devancore's compliance configuration layer records every change to supervisory workflow rules — threshold updates, principal re-designations, new business line procedures — with the date of change and the regulatory trigger. When Rule 3110(b)(7) requires prompt amendment in response to a rule change, the amendment is implemented in the operational controls and simultaneously logged as a WSP update. WSP version history is retained in WORM-compliant storage alongside the operational records it governs — the supervisory procedures and the audit trail of their enforcement are co-retained under the same SEC Rule 17a-4 framework. Distribution is tracked: each associated person to whom the amended procedure is relevant receives notification through the platform, with a read confirmation that satisfies the communication requirement. When FINRA or SEC examiners request evidence that the firm's WSPs are current and that amended procedures were distributed before the activities they govern occurred, Devancore produces the amendment log, the distribution record, and the operational audit trail confirming the revised controls were active — without manual assembly.