Annual Compliance Review

FINRA Rule 3110(c) requires your broker-dealer to perform an annual compliance review of every business line you conduct, designed to detect and prevent violations of securities laws and regulations. To operationalize it, run a risk-based review of supervision and controls (including communications supervision), document findings and remediation, and update WSPs, training, and surveillance based on what changed and what failed. (FINRA Rule 3110)

Key takeaways:

  • Scope the review to the actual businesses you run, not just the org chart, product list, or prior-year checklist. (FINRA Rule 3110)
  • Test supervisory controls that prevent/detect violations, then document decisions, findings, remediation owners, and dates. (FINRA Rule 3110)
  • Use the review output to update WSPs, supervisory review quality, training, and controls for new products, regulatory developments, and operational changes. (FINRA Rule 3110)

An annual compliance review is a required supervisory control under FINRA Rule 3110(c), and it is routinely tested in examinations because it proves whether supervision is working in practice, not just on paper. The rule’s standard is practical: the review must be “reasonably designed” to help detect and prevent violations, and it must cover the businesses your firm actually engages in. (FINRA Rule 3110)

For a CCO or GRC lead, the fastest path to a defensible annual compliance review is to treat it like a structured control assessment: define the business inventory, map key risks to supervisory controls, test whether those controls operated effectively, and then document a clear remediation plan with evidence that issues were closed. Your output should also drive updates to WSPs, surveillance, and training based on observed deficiencies and material changes to products, channels, people, or systems. (FINRA Rule 3110)

This page gives requirement-level implementation guidance you can run with: who must comply, what to do step-by-step, what evidence to retain, common exam questions, frequent failure modes, and a practical execution plan you can put on a calendar.

Regulatory text

Requirement (excerpt): “Each member shall conduct a review, at least annually, of the businesses in which it engages that is reasonably designed to assist in detecting and preventing violations of applicable securities laws and regulations.” (FINRA Rule 3110)

Operator interpretation: You must run a documented annual review that (1) covers each business the broker-dealer actually conducts, and (2) evaluates whether your supervisory system is reasonably designed and working to prevent and detect violations. “Reasonably designed” is a design-and-operating effectiveness standard: a policy existing in a binder is not enough if supervisory reviews are incomplete, surveillance is not tuned, or exceptions are not escalated. (FINRA Rule 3110)

Minimum content to expect in a strong program: Your review should evaluate the effectiveness of communications supervision, including WSP adequacy, the quality of supervisory reviews, deficiency patterns, training needs, and required updates based on regulatory developments and operational changes. (FINRA Rule 3110)

Plain-English interpretation (what FINRA expects to see)

A defensible annual compliance review answers four questions, in writing:

  1. What businesses do we conduct? Not what you intended to do; what you actually did.
  2. What are the key compliance risks per business? Focus on risks tied to securities law and FINRA requirements.
  3. What supervisory controls address those risks, and did they work? This includes WSPs, principal reviews, surveillance, exception handling, and follow-up.
  4. What changed, what broke, and what are we doing about it? Findings, root causes, remediation owners, and evidence of completion. (FINRA Rule 3110)

If your firm has multiple branches, remote supervision models, or heavy use of third parties (archiving, surveillance, marketing, fintech platforms), the annual review should explicitly address how those operating models are supervised and tested.

Who it applies to

In-scope entities

  • FINRA member broker-dealers (“members”) must conduct the annual review. (FINRA Rule 3110)

In-scope activities (operational context)

The scope is “the businesses in which [the member] engages.” Practically, include:

  • Sales and trading activities relevant to your model (retail brokerage, institutional, advisory where applicable to the BD, etc.)
  • Communications with the public and internal communications relevant to supervision
  • Supervision of registered persons and branch/OSJ oversight
  • Complaint handling and escalation paths
  • Surveillance, exception reports, and supervisory follow-up
  • Use of third parties that perform compliance-relevant functions (archiving, surveillance tooling, onboarding/KYC platforms, advertising review workflows), because those functions affect your ability to detect/prevent violations.

Accountability

Your CCO typically drives execution, but business heads and supervisors must supply evidence and complete remediation. Compliance owns the methodology and final report; first-line owners own control operation.

What you actually need to do (step-by-step)

Step 1: Build the “businesses we engage in” inventory

Create a business inventory that is stable enough to compare year-over-year but specific enough to test controls. Use:

  • Product/channel lists from business leadership
  • Supervisory org structure (OSJs, branches, remote models)
  • Customer communication channels (email, social, texting, websites, seminars)
  • Key systems that generate books/records and supervision evidence (CRM, order systems, archiving, surveillance). (FINRA Rule 3110)

Output: A dated inventory list that defines the review scope and shows inclusion decisions (and exclusions with rationale).

Step 2: Map each business to the supervisory controls that prevent/detect violations

For each business line, document:

  • Key compliance risks
  • Control owner (role, not just a name)
  • Control description and where it is documented in WSPs
  • Evidence produced by the control (reports, sign-offs, tickets, approvals)
  • Escalation/exception handling path. (FINRA Rule 3110)

Practical tip: Keep the control map auditable. If an examiner asks, “Show me how you supervise retail email advertising,” you should be able to point to the WSP section, the review queue, reviewer qualifications, and exception logs.

Step 3: Test design and operating effectiveness (risk-based)

Design tests around the rule’s intent: detect and prevent violations. Common test types:

  • WSP adequacy check: Are procedures current, specific, and aligned to how the business actually operates?
  • Supervisory review quality sampling: Are reviews timely, documented, and substantive, or “rubber-stamped”?
  • Surveillance and exception handling: Do alerts tie to real risks, and are exceptions investigated and closed?
  • Communications supervision: Are communications captured, reviewed per procedure, and escalated when needed?
  • Training needs analysis: Do patterns of findings point to training gaps? (FINRA Rule 3110)

Document test steps, selection criteria, what you reviewed, what you found, and how you concluded effectiveness.

Step 4: Identify issues, classify them, and assign remediation

Your annual review should produce a findings register with:

  • Issue statement (what happened)
  • Condition vs. requirement (what procedure/control failed)
  • Root cause (process gap, unclear WSPs, staffing, system limitation)
  • Owner and target completion
  • Required validation evidence (what proves it’s fixed). (FINRA Rule 3110)

Avoid vague actions like “enhance monitoring.” Instead: “Update WSP section X; implement pre-use approval workflow in system Y; train supervisors; retest a sample of approvals.”

Step 5: Update WSPs, training, and supervisory tooling based on results and change

The rule’s practical expectation is that your review changes your program when needed:

  • Revise WSPs where procedures are outdated or not aligned to the operating model
  • Update supervisory review checklists and surveillance parameters
  • Add or revise training based on deficiency trends
  • Incorporate regulatory developments and operational changes (new products, channels, systems, branch model changes). (FINRA Rule 3110)

Step 6: Produce the annual compliance review report package

Create a report package that an examiner can follow without narration:

  • Scope and methodology
  • Businesses reviewed
  • Tests performed and summary results
  • Findings and remediation plan
  • WSP/training updates completed or planned
  • Management acknowledgments (who reviewed/approved the report). (FINRA Rule 3110)

Step 7: Track remediation to closure and retain evidence

The annual review is weak if it ends at “identify issues.” Keep a remediation tracker, collect closure evidence, and schedule retesting for higher-risk gaps.

Where Daydream fits: Daydream can help you run the annual review as a controlled workflow: scoped inventories, control mapping, evidence requests to business owners, centralized artifact storage, and remediation tracking tied back to the annual review findings.

Required evidence and artifacts to retain

Keep artifacts that prove both performance and reasonableness of the program:

  • Annual review plan: scope, businesses list, methodology, testers, schedule (FINRA Rule 3110)
  • Control map to WSP sections and owners (FINRA Rule 3110)
  • Testing workpapers: samples, walkthrough notes, screenshots/exported reports, sign-offs (FINRA Rule 3110)
  • Communications supervision evidence: review queues, approvals, exceptions, escalations (FINRA Rule 3110)
  • Findings log with root cause and remediation actions (FINRA Rule 3110)
  • Updated WSP redlines and final versions tied to findings/changes (FINRA Rule 3110)
  • Training needs assessment and completion evidence (FINRA Rule 3110)
  • Remediation closure evidence and any retest results (FINRA Rule 3110)
  • Final annual review report and management acknowledgment (FINRA Rule 3110)

Common exam/audit questions and hangups

Expect questions that test scope, rigor, and follow-through:

  • “Show me your annual compliance review and how it covers each business you engage in.” (FINRA Rule 3110)
  • “How did you determine the scope and risk areas?” (FINRA Rule 3110)
  • “Where did you test communications supervision, and what did you find?” (FINRA Rule 3110)
  • “Show examples of supervisory reviews and how you assess review quality.” (FINRA Rule 3110)
  • “What changed since last year (products, channels, systems), and how did you update WSPs?” (FINRA Rule 3110)
  • “Which findings were remediated, and what evidence shows closure?” (FINRA Rule 3110)

Hangups often occur when the firm cannot show workpapers, cannot tie tests to businesses, or cannot show remediation closure.

Frequent implementation mistakes (and how to avoid them)

  1. Checklist-only reviews with no testing.
    Fix: Require evidence-backed test steps and document how each control performed. (FINRA Rule 3110)

  2. Scope mismatch (review doesn’t reflect the real business).
    Fix: Start with an inventory derived from actual activity, channels, and systems, then get business sign-off. (FINRA Rule 3110)

  3. WSP updates that are not tied to findings or changes.
    Fix: For every WSP change, link it to a specific finding, regulatory development, or operational change in the report. (FINRA Rule 3110)

  4. No measurement of supervisory review quality.
    Fix: Sample supervisory reviews and assess completeness, escalation, and follow-up, not just whether a sign-off exists. (FINRA Rule 3110)

  5. Remediation drift.
    Fix: Put remediation in a tracker with owners, due dates, required closure evidence, and a retest decision for material items. (FINRA Rule 3110)

Enforcement context and risk implications

FINRA Rule 3110(c) is a supervision control requirement. If the annual review is missing, superficial, or not tied to real business risk, you face examination findings that can expand into broader supervisory program concerns. The risk is compounded when communications supervision is weak, WSPs are stale, or exception handling is inconsistent, because those failures undermine detection and prevention across multiple rules. (FINRA Rule 3110)

Practical 30/60/90-day execution plan

Use this as an execution sequence; adjust to your firm’s calendar and complexity.

First 30 days: Scope and design

  • Confirm the business inventory and supervision models (branches/OSJs/remote). (FINRA Rule 3110)
  • Build or refresh the control map tied to WSPs and evidence outputs. (FINRA Rule 3110)
  • Define test plan focused on highest-risk areas and communications supervision. (FINRA Rule 3110)
  • Stand up a centralized evidence collection workspace (for example, Daydream) and assign owners. (FINRA Rule 3110)

Next 60 days: Execute testing and draft findings

  • Perform walkthroughs and sampling for key supervisory controls. (FINRA Rule 3110)
  • Validate communications capture and review workflows against WSPs. (FINRA Rule 3110)
  • Document findings with root cause and specific corrective actions. (FINRA Rule 3110)
  • Socialize preliminary findings with business owners to confirm facts and start fixes. (FINRA Rule 3110)

Next 90 days: Remediate, update WSPs, finalize report

  • Update WSPs, checklists, surveillance logic, and training based on findings and changes. (FINRA Rule 3110)
  • Collect closure evidence for completed remediation and decide which items need retesting. (FINRA Rule 3110)
  • Finalize the annual compliance review report package and obtain management acknowledgment. (FINRA Rule 3110)
  • Put next year’s review on the calendar with carry-forward items and known change events. (FINRA Rule 3110)

Frequently Asked Questions

Does “annual” mean once per calendar year or every 12 months?

FINRA Rule 3110(c) requires the review “at least annually.” (FINRA Rule 3110) Set an internal cadence that ensures you never exceed your defined annual cycle, and document the period covered in the report. (FINRA Rule 3110)

How detailed does the annual review need to be?

Detailed enough to show it is “reasonably designed” to detect and prevent violations and that it covered the businesses you engage in. (FINRA Rule 3110) A narrative plus evidence-backed testing and a remediation tracker is easier to defend than a high-level memo. (FINRA Rule 3110)

Do we have to include communications supervision in the annual review?

Your annual review should evaluate communications supervision effectiveness, including WSP adequacy, supervisory review quality, deficiency patterns, training needs, and updates driven by change. (FINRA Rule 3110)

Can Internal Audit or a consultant run the review?

FINRA Rule 3110(c) places the obligation on the member to conduct the review. (FINRA Rule 3110) You can assign execution to qualified personnel or third parties, but keep clear accountability, oversight, and final approval within the firm. (FINRA Rule 3110)

What’s the minimum evidence an examiner will expect?

A scoped plan, workpapers showing what you tested, a findings/remediation log, and proof that you updated WSPs/training/controls where needed. (FINRA Rule 3110) If evidence is scattered, centralize it in a system of record before the exam cycle. (FINRA Rule 3110)

How do we prove the review was “reasonably designed”?

Tie each business line to key risks and to specific supervisory controls, then show tests of control operation and documented remediation where gaps exist. (FINRA Rule 3110) The design story should be visible in your control map and test plan, not inferred after the fact. (FINRA Rule 3110)

FINRA Communications Supervision: Annual Compliance Review | Daydream