
Supervision That Works: Practical Lessons from a Former FINRA Enforcement Attorney

If you work as a financial or compliance professional for a broker-dealer, you already know the headline rule: firms must supervise their associated persons and the businesses in which they engage. That mandate is at the core of FINRA Rule 3110, which requires a member to establish and maintain a supervisory system reasonably designed to achieve compliance with applicable securities laws and FINRA rules. “Reasonably designed” is the operative phrase; the rule does not demand perfection, but it does require a system that actually functions in practice.
This article distills observations and lessons I’ve gathered throughout my legal career and as a former FINRA Enforcement attorney. The through-line is simple: what you supervise is dictated by rule, but how you supervise determines whether your program holds up in exams and enforcement.
Principle 1: Written Procedures Must Tell People What To Do - Not Just Restate the Rules
Every firm needs Written Supervisory Procedures (WSPs). But WSPs that merely regurgitate FINRA and SEC text will fail when tested. Effective procedures identify each area of supervision, assign who is responsible, describe how the task is performed (including tools, frequencies, and sampling), and specify what to document. FINRA’s own materials emphasize that WSPs are a living document that should guide supervisory personnel through each review, not a binder on a shelf. They must be updated promptly as the business, risks, and operating experience change.
Under Rule 3110(b), WSPs must cover the types of business you conduct and the activities of your associated persons, and they must be communicated to the people who need them. If you rely on electronic distribution, ensure versions are controlled, amendments are promptly communicated, and prior versions are retained per record-retention rules.
Principle 2: Training and Communication Make Procedures Usable
Well-written WSPs only work if people understand and can follow them. In practice, that means structured onboarding, role-specific training, and periodic refreshers tied to business changes and regulatory developments. FINRA frequently frames supervisory obligations alongside training expectations; firms should build training into their supervisory design and use risk-based questions to evaluate how well staff understand their compliance obligations and procedural steps. Tie training to attestation and quiz results, then fix the gaps those results reveal.
Remember also the Continuing Education (CE) requirements that registered persons must keep current. Align your internal training calendar with the CE cycles so your people receive the right guidance at the right times.
Principle 3: Surveillance and Testing Are the Feedback Loops
A policy without appropriate controls and tools is an aspiration. Build surveillance that tests whether your procedures are being followed. Rule 3110(d) requires a process to review securities transactions, identify potential insider trading or manipulative activity, and promptly investigate red flags. Couple this with Rule 3120’s supervisory control requirement, which mandates at least annual testing and verification of your procedures and the creation of additional or amended procedures where testing shows they’re needed. Risk-based methodologies and sampling are expressly contemplated, so use them, but document them as well.
What does all this mean in plain English? Define exception reports that matter for your business, assign reviewers with deadlines, create escalation thresholds, and measure the system’s effectiveness through 3120 testing. Then show your work. Document the review, the analysis, and the resolution.
Principle 4: Inspect What You Expect - And Do It On a Cadence That Matches Your Risk
Rule 3110(c) requires at least annual reviews of the businesses you engage in and sets inspection cycles for OSJs, supervisory branch offices, non-supervisory branch offices, and non-branch locations. The rule also lays out what inspection reports must include, such as testing and verification of safeguarding customer funds and securities, maintaining books and records, supervision of supervisory personnel, transmittals of funds and securities, and changes in customer account information such as address changes. Your cadence should reflect the nature and complexity of the activities and the presence of red flags.
Principle 5: Appoint the Right People - and Manage Conflicts
A system is only as strong as its supervisors. Rule 3110 requires firms to designate appropriately registered principals with authority to carry out supervisory responsibilities, assign each registered representative to an appropriate supervisor, and keep records of supervisory designations. The rule also addresses conflicts, such as prohibiting self-supervision and requiring procedures reasonably designed to prevent conflicts, like a supervisor’s compensation, from compromising the supervisory system. Where size or business model makes strict separation impossible, you must document the factors and how you otherwise comply.
FINRA has also clarified that individual supervisory liability attaches when a designated supervisor fails to investigate and respond to red flags reasonably, not simply because they hold a compliance title. This is especially relevant for CCOs because designation and delegation drive liability, not job titles alone. Train supervisors on red-flag duties and give them practical playbooks for escalation and remediation.
Principle 6: Supervise Your Vendors Like They’re Part of Your Firm - Because They Are
Outsourcing never outsources responsibility. FINRA has repeatedly reminded firms to establish and maintain supervisory systems, including WSPs, for third-party vendors and sub-vendors performing covered activities. Your vendor oversight should map to your WSPs: due diligence, onboarding controls, periodic testing, and documented issue management.
Principle 7: Leadership Accountability - Test, Report, Certify
Good programs report up and get better over time. Rule 3120 requires a report to senior management at least annually that summarizes the results of supervisory testing and any significant exceptions found, along with the additional or amended procedures created in response. Rule 3130 then requires the CEO’s annual certification that the firm has processes to establish, maintain, review, test, and modify compliance policies and supervisory procedures, and recognizes that business-line supervisors remain accountable for discharging those responsibilities. Align your compliance calendar so 3120 testing meaningfully informs the 3130 certification.
What “Reasonably Designed” Looks Like in Practice
A reasonable system is tailored, proactive, and documented. Here’s how that translates:
Start by mapping your business model to supervisory risks: products, channels, customer profiles, compensation, high-risk reps, remote work, and vendor reliance. Build WSPs that are task-level and operational: who runs which report, how often, what exceptions trigger escalation, and what evidence reviewers retain. Communicate those procedures, train your staff in them, and keep the procedures current when the business or rules change. Use surveillance to validate that the procedures are being followed day-to-day, and use 3120 testing to validate that the procedures work. Inspect on a cadence that reflects risk, with special attention to wires, address changes, and other abuse vectors that FINRA explicitly calls out for testing and verification in inspections. Ensure your supervisors are empowered, conflict-managed, and trained to act on red flags. Finally, connect all of this to leadership through exception reporting, trend analysis, and your annual certification cycle. That is the ecosystem regulators expect to see.
Common Pitfalls I See (and How to Avoid Them)
One recurring failure is beautifully written policies that don’t match the firm’s actual operations. If your sales culture, technology stack, or vendor dependencies have evolved, but your WSPs haven’t, examiners will notice. Another is relying on generic “we review for red flags” language without defining which red flags, where they appear, and what the reviewer does next. A third is insufficient vendor oversight, especially for surveillance tools or outsourced functions that are central to your supervisory system. And finally, firms often under-document supervisory work. If it isn’t memorialized, regulators will presume it wasn’t done. Each of these pitfalls is preventable with living WSPs, targeted training, risk-based surveillance, and disciplined recordkeeping tied to inspection and 3120 cycles.
The Bottom Line
FINRA supervision is not a compliance slogan. Rather, it is an operational program with moving parts that must work together: clear, actionable WSPs; training and communication; surveillance and testing; inspections; empowered supervisors; vendor oversight; and leadership accountability through 3120 and 3130. Build it for how your business actually runs, document what you do, and improve it with data. That is what “reasonably designed” looks like.
How AMW Law PLLC Can Help
AMW Law PLLC advises broker-dealers, compliance officers, supervisors, and registered representatives on supervisory design, WSP drafting and remediation, Rule 3120 testing programs, 3130 certifications, vendor oversight, and responses to FINRA inquiries, 8210 requests, examinations, and Enforcement matters. If your firm needs help strengthening its supervisory system - or defending it - reach out. As a former FINRA Senior Enforcement counsel, I bring practical, regulator-tested solutions to your table. Contact AMW Law PLLC to speak with a FINRA defense attorney about supervision, compliance, and risk management tailored to your business.