Supervisory Control System
FINRA Rule 3120(a) requires your broker-dealer to name one or more principals who will build, run, and enforce a Supervisory Control System (SCS): written supervisory control policies and procedures that independently test and verify your supervisory procedures. To operationalize it, assign accountable principals, define test plans and sampling, execute testing, document results, remediate gaps, and retain evidence. (FINRA Rule 3120)
Key takeaways:
- Name specific principals with clear accountability for supervisory controls, not just supervision. (FINRA Rule 3120)
- Build written supervisory control policies that test and verify your WSPs, including methodology, sampling, and documentation. (FINRA Rule 3120)
- Treat SCS as a recurring control loop: test, document, fix, retest, and evidence it for exams. (FINRA Rule 3120)
A Supervisory Control System is where many firms get tripped up because it sounds like “supervision,” but FINRA expects something more specific: an independent control layer that tests whether your supervisory procedures actually work in practice. FINRA Rule 3120(a) is explicit that you must designate and specifically identify one or more principals who establish, maintain, and enforce supervisory control policies and procedures that test and verify supervisory procedures. (FINRA Rule 3120)
For a CCO or GRC lead, the operational translation is straightforward: you need named owners, a written control program, a repeatable test plan with defined sampling and methodologies, a way to record results, and a remediation workflow that proves you corrected what testing found. Your deliverable is not a slide deck. It is a working program that can withstand exam scrutiny: a clear line from WSP obligation → supervisory control test → evidence → issue management → retest.
This page focuses on communications supervision as a common high-risk area, but the operating model applies to any supervisory procedure you maintain. (FINRA Rule 3120)
Regulatory text
Requirement (excerpt): “Each member shall designate and specifically identify one or more principals who shall establish, maintain, and enforce a system of supervisory control policies and procedures that test and verify supervisory procedures.” (FINRA Rule 3120)
Operator meaning:
- Designate and specifically identify principals: You need named principals (by role and identity in your records) responsible for the SCS, not an informal committee. (FINRA Rule 3120)
- Establish, maintain, and enforce: Write the supervisory control policies, keep them current, and make sure they are actually followed. “Maintain” means updates when business, products, channels, or risk change. (FINRA Rule 3120)
- Test and verify supervisory procedures: Your SCS must independently test your WSP-driven supervision. For communications, that means your supervisory controls should verify the WSPs are reasonably designed to achieve compliance, using defined methodologies, sampling approaches, and documented results. (FINRA Rule 3120)
Plain-English interpretation (what FINRA wants to see)
FINRA is asking for quality control over supervision. Supervision (WSPs and day-to-day review) can fail quietly: reviewers may not review, reviews may be rubber-stamped, tools may not capture channels, or escalation may not happen. Your SCS is how you prove you periodically check those failure modes.
For communications supervision, a defensible interpretation is:
- Your WSPs describe how communications are captured, reviewed, escalated, and retained.
- Your supervisory control policies describe how you test that those steps happen and verify they are effective. (FINRA Rule 3120)
- Your testing produces records that a principal can explain, defend, and map back to the WSP requirements. (FINRA Rule 3120)
Who it applies to
In-scope entities
- FINRA member broker-dealers (“each member”). (FINRA Rule 3120)
In-scope operational contexts (communications focus)
Your SCS should cover supervisory procedures for:
- Approved communication channels (email, recorded lines, messaging platforms you permit)
- Registered representatives and associated persons subject to supervision
- Supervisory reviewers (OSJs, branch managers, principals) whose work must be tested and verified (FINRA Rule 3120)
If you outsource any part of communications capture, review, or archiving to a third party (surveillance tools, archiving providers, consultants), your SCS should still test and verify the supervisory procedure outcome. Outsourcing does not outsource accountability. (FINRA Rule 3120)
What you actually need to do (step-by-step)
Step 1: Appoint accountable SCS principals (and document it)
- Name one or more principals responsible for the SCS program and scope.
- Define their authority: access to data, ability to direct remediation, ability to escalate.
Artifact: SCS principal designation record (org chart, board/management memo, or HR role designation) that “specifically identifies” the principals. (FINRA Rule 3120)
Step 2: Define scope and inventory the supervisory procedures you will test
- Build a list of supervisory procedures/WSP sections in scope for communications supervision (capture, review, escalation, retention, training/attestation, exceptions).
- Map each procedure to: owner, population, systems, data source, and expected evidence.
Artifact: WSP-to-SCS control mapping table.
Step 3: Write Supervisory Control Policies and Procedures (SCPs)
Your SCPs should be a practical testing playbook, not a policy statement. Include:
- Testing objectives (what “good” looks like)
- Testing methodology (walkthroughs, sample testing, re-performance, system configuration checks)
- Sampling approach (how you pick accounts, reps, channels, timeframes)
- Exception classification (what counts as a finding vs observation)
- Documentation standards (what evidence is required)
- Remediation and escalation workflow
Artifact: Supervisory Control Policies and Procedures document for communications supervision. (FINRA Rule 3120)
Step 4: Build a communications supervision test plan you can run repeatedly
Create test modules aligned to failure modes. Example modules:
- Capture completeness test: Verify approved channels are captured into archive/surveillance and are searchable.
- Review execution test: Verify required supervisory reviews occurred per WSP (timing, reviewer eligibility, sign-off integrity).
- Escalation test: Verify flagged items were escalated, investigated, and closed with rationale.
- Blocked-channel control test: Verify controls prevent or detect prohibited channel use consistent with your WSP requirements.
- Recordkeeping integrity test: Verify retention settings and access controls support required supervisory review and retrieval.
Artifact: Test plan with procedures, responsible tester, evidence list, and pass/fail criteria. (FINRA Rule 3120)
Step 5: Execute testing with independence in mind
FINRA Rule 3120(a) is about supervisory controls that test and verify supervisory procedures. Practically, avoid having the same person who performs the day-to-day supervision “grade their own homework” without a second-line check.
Implementation options:
- Assign testing to a different principal or a compliance testing function
- Use peer review across branches/regions
- Use internal audit-style validation for higher-risk areas
Artifact: Completed test workpapers (checklists, screenshots, exports, reviewer notes) linked to each test step. (FINRA Rule 3120)
Step 6: Record results and manage issues to closure
- Log findings with: description, WSP reference, population impacted, root cause, corrective action, owner, due date, and validation approach.
- Track remediation evidence and require retesting for material failures.
Artifacts: Issues log, remediation plans, closure memos, and retest evidence. (FINRA Rule 3120)
Step 7: Update WSPs, training, and tooling based on what testing finds
Supervisory controls should produce improvements. Common outputs:
- WSP edits to remove ambiguity and set clearer review expectations
- Tuning surveillance lexicons or workflows (if applicable)
- Reviewer training refreshers and documented acknowledgments
Artifacts: WSP change log, training records, system change tickets, and validation results. (FINRA Rule 3120)
Step 8: Prepare an exam-ready “SCS package”
Build a single folder (or GRC record) that tells the story:
- Who owns SCS
- What you tested
- How you tested it
- What you found
- What you fixed
- What you retested
This reduces exam disruption and prevents last-minute evidence scrambles.
Required evidence and artifacts to retain (exam-ready checklist)
| Evidence category | What to retain | Why it matters |
|---|---|---|
| Principal designation | Named SCS principals, role descriptions, authority | Proves “designate and specifically identify” requirement (FINRA Rule 3120) |
| SCP document | Written supervisory control policies and procedures | Shows “establish, maintain, enforce” (FINRA Rule 3120) |
| Test plan | Methodology, sampling approach, timing, pass/fail | Demonstrates “test and verify” is structured (FINRA Rule 3120) |
| Workpapers | Data pulls, samples, screenshots, checklists, reviewer notes | Shows tests were actually performed |
| Results & issues | Findings log, severity, root cause, CAPAs | Shows controls drive remediation |
| Retesting proof | Validation steps and evidence | Proves fixes worked |
| Governance | Meeting minutes, approvals, reporting to management | Shows oversight and enforcement |
Common exam/audit questions and hangups
Expect examiners to press on these areas:
- “Who is the designated principal for SCS, and where is that documented?” (FINRA Rule 3120)
- “Show me your supervisory control procedures, not your WSPs.” Firms often hand over WSPs and call it SCS. (FINRA Rule 3120)
- “Walk me through one test end-to-end.” They will ask for sampling logic, evidence, exceptions, and closure proof. (FINRA Rule 3120)
- “How do you know the communications review is happening as written?” You need verification, not assurances. (FINRA Rule 3120)
- “What changed since last cycle, and how did you update controls?” “Maintain” implies updates, not a static binder. (FINRA Rule 3120)
Frequent implementation mistakes (and how to avoid them)
- Mistake: Treating SCS as an annual attestation.
  Avoid: Run SCS as a recurring testing program with documented workpapers and tracked remediation. (FINRA Rule 3120)
- Mistake: No separation between the supervisor and the tester.
  Avoid: Assign independent testing responsibility or require second-line validation for key tests. (FINRA Rule 3120)
- Mistake: Vague sampling (“we sampled some emails”).
  Avoid: Write the sampling approach into the SCPs and keep the sample selection evidence (queries, selection rationale). (FINRA Rule 3120)
- Mistake: Findings without closure evidence.
  Avoid: Require closure memos and retest proof for meaningful gaps, then link them back to the original test. (FINRA Rule 3120)
- Mistake: Tool confidence without configuration verification.
  Avoid: Include configuration checks and completeness tests in your SCS, especially if a third party provides archiving/surveillance. (FINRA Rule 3120)
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this requirement, so this page does not cite enforcement outcomes.
Operationally, weak supervisory controls increase the chance that supervisory procedures exist on paper but fail in execution. That risk shows up during exams as requests for evidence of testing, sampling, and remediation trails tied to your supervisory procedures. (FINRA Rule 3120)
Practical 30/60/90-day execution plan
First 30 days: Stand up accountable ownership and a runnable design
- Formally designate SCS principals and document authority. (FINRA Rule 3120)
- Inventory communications supervision WSP obligations and map them to testable controls.
- Draft SCPs that specify testing methods, sampling approach, and documentation standards for communications. (FINRA Rule 3120)
- Set up an evidence repository and naming conventions (so workpapers are consistent).
By 60 days: Execute your first testing cycle and open remediation
- Finalize the test plan modules (capture, review execution, escalation, retention).
- Run testing and compile workpapers. (FINRA Rule 3120)
- Open an issues log and assign corrective actions with clear owners.
- Report results to the designated SCS principal(s) and relevant management.
By 90 days: Close the loop and make it repeatable
- Validate remediation for the highest-risk findings and retain closure evidence. (FINRA Rule 3120)
- Update WSP language where testing found ambiguity or gaps.
- Document “lessons learned” and adjust the SCPs to improve next cycle’s sampling and procedures. (FINRA Rule 3120)
- If you run this in Daydream, store SCPs, test workpapers, issues, and closure evidence as linked records so exam production is a controlled export instead of an ad hoc scramble.
Frequently Asked Questions
Do my Written Supervisory Procedures (WSPs) satisfy FINRA’s Supervisory Control System requirement?
No. FINRA Rule 3120(a) requires supervisory control policies and procedures that test and verify supervisory procedures, which is a separate layer from day-to-day supervisory procedures. Your WSPs explain supervision; your SCPs explain how you test that supervision works. (FINRA Rule 3120)
What does “designate and specifically identify” principals mean in practice?
You should be able to show a document that names the responsible principal(s) and describes their SCS responsibilities. If an examiner asks, you can point to a specific record, not an informal understanding. (FINRA Rule 3120)
How detailed do supervisory control testing methodologies need to be?
Detailed enough that another qualified person could rerun the test and reach the same conclusion using your procedure and evidence list. FINRA expects documented methodologies and sampling approaches, not general statements. (FINRA Rule 3120)
Can a third party run my communications testing?
A third party can perform testing support, but your firm must still establish, maintain, and enforce the supervisory control system through designated principals. Keep third-party workpapers and your internal review/approval of their work as evidence. (FINRA Rule 3120)
What evidence do examiners typically want to see first?
They usually start with the designated SCS principal(s), the supervisory control procedures document, and a completed set of testing results with supporting workpapers and remediation closure. Organize these as an exam-ready package. (FINRA Rule 3120)
How do I show that SCS testing is “independent” of supervision?
Use role separation where possible, and document it. If full separation is not feasible, document compensating steps such as second-line review of test workpapers and sign-off by a different principal. (FINRA Rule 3120)