FINRA Compliance: Rules, Examinations, and Requirements for Broker-Dealers

The Financial Industry Regulatory Authority regulates broker-dealers and their registered representatives—over 3,400 firms and 620,000 brokers. FINRA writes and enforces rules governing how these firms operate, conduct business with customers, and protect investor assets.

Non-compliance triggers examinations, enforcement actions, fines, and potential bars from the industry. This guide covers what FINRA actually regulates, key rules broker-dealers must follow, the examination process, and practical steps for building a compliance program that satisfies regulatory requirements.

What FINRA Regulates

FINRA operates as a self-regulatory organization (SRO) under SEC oversight. While the SEC writes securities laws and has ultimate authority, FINRA handles day-to-day regulation of broker-dealers—writing detailed rules, conducting examinations, and bringing enforcement actions.

Who Must Register

Broker-dealers must register with FINRA to conduct securities business. This includes firms that buy and sell securities for customers, make markets in securities, underwrite securities offerings, or provide investment banking services.

Individual representatives must also register. Anyone who effects securities transactions, supervises those who do, or solicits securities business needs registration through FINRA’s Central Registration Depository (CRD) system.

What’s Not Covered

FINRA doesn’t regulate investment advisers (SEC or state-registered), banks and credit unions (separate regulators), insurance companies (state insurance regulators), or commodity futures (CFTC and NFA). The distinction matters—firms operating across multiple regulatory regimes face different requirements for different business lines.

Key FINRA Rules

FINRA’s rulebook spans thousands of pages. These rules generate the most examination findings and enforcement actions.

Rule 2111: Suitability

Before recommending a security or investment strategy, firms must have a reasonable basis to believe the recommendation is suitable for the customer. Suitability has three components:

Reasonable-basis suitability requires understanding the investment itself—its risks, rewards, and characteristics. You can’t recommend what you don’t understand.

Customer-specific suitability requires matching recommendations to individual customer profiles—their investment objectives, risk tolerance, financial situation, and needs.

Quantitative suitability addresses excessive trading. Even suitable individual transactions can violate suitability rules if the overall trading frequency is unsuitable given the customer’s profile.

Regulation Best Interest (Reg BI) now governs recommendations to retail customers, and FINRA amended Rule 2111 so that it does not apply to recommendations that are subject to Reg BI. Rule 2111 still governs recommendations outside Reg BI's scope (institutional accounts, for example), and Reg BI's care obligation carries forward the same reasonable-basis, customer-specific, and quantitative analysis, so the three-part test remains the working framework either way.

Rule 2010: Standards of Commercial Honor

The catch-all ethics rule requires members to “observe high standards of commercial honor and just and equitable principles of trade.” This broad language lets FINRA pursue conduct that violates the spirit of fair dealing even when no specific rule applies.

Rule 3110: Supervision

Firms must establish and maintain supervisory systems reasonably designed to achieve compliance with securities laws and FINRA rules. This includes written supervisory procedures, designated supervisory personnel, and review systems for customer accounts and transactions.

Supervision failures drive a significant percentage of enforcement actions. When representatives violate rules, FINRA typically examines whether supervisory systems should have caught the problem.

Rule 4511: Books and Records

Broker-dealers must create and preserve extensive records: customer account information, order and transaction records, communications, financial records, and compliance documentation. Retention periods come from SEC Rules 17a-3 and 17a-4 and are generally three or six years depending on the record type, with the first two years in an easily accessible place.

Electronic storage is permitted, but SEC Rule 17a-4(f) sets conditions: records must be indexed, promptly retrievable (by the firm and by regulators), and protected from alteration, either on write-once (WORM) media or, since the 2022 amendments, in a system that keeps a complete, time-stamped audit trail of every modification or deletion. Firms using third-party storage must also hold an undertaking from the provider granting regulators access to the records, and must maintain backup and recovery procedures.
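The three electronic-storage properties above (indexing, prompt retrieval, detectable alteration) are easy to state and easy to get wrong. The following Python is an added illustration, not code from this page or from FINRA or the SEC, of one way to build an archive that exhibits them: records are indexed by account and type for retrieval, and each record is SHA-256 hashed over a canonical form and chained to the previous record's digest, so any later edit to a stored record is detected by a full verification pass. The record types, field names, and sample trades are constructed assumptions.

```python
"""Tamper-evident, indexed record store.

Added illustration, not code from the page or from FINRA/SEC: one way to
give an electronic archive the properties SEC Rule 17a-4(f) asks for
(indexing, prompt retrieval, detectable alteration). Record types,
field names and the sample trades below are constructed assumptions.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the first record in the chain


@dataclass
class Record:
    seq: int            # position in the archive; never reused
    record_type: str    # e.g. "order", "confirm", "email" (assumed labels)
    account_id: str
    body: dict
    prev_hash: str      # digest of the preceding record (hash chain link)
    digest: str         # SHA-256 over this record's canonical form


def canonical_digest(seq: int, record_type: str, account_id: str,
                     body: dict, prev_hash: str) -> str:
    """SHA-256 of a canonical JSON form; fixed key order and spacing so
    the same content always hashes the same way."""
    canon = json.dumps(
        {"seq": seq, "type": record_type, "account": account_id,
         "body": body, "prev": prev_hash},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class RecordStore:
    """Append-only archive with account/type indexes and a hash chain."""

    def __init__(self) -> None:
        self._records: list[Record] = []
        self._by_account: dict[str, list[int]] = {}
        self._by_type: dict[str, list[int]] = {}

    def append(self, record_type: str, account_id: str, body: dict) -> Record:
        seq = len(self._records)
        prev = self._records[-1].digest if self._records else GENESIS
        body = json.loads(json.dumps(body))  # defensive, JSON-safe copy
        rec = Record(seq, record_type, account_id, body, prev,
                     canonical_digest(seq, record_type, account_id, body, prev))
        self._records.append(rec)
        self._by_account.setdefault(account_id, []).append(seq)
        self._by_type.setdefault(record_type, []).append(seq)
        return rec

    def lookup(self, account_id: Optional[str] = None,
               record_type: Optional[str] = None) -> list[Record]:
        """Index-driven retrieval, the kind of query an examiner request
        ('all order records for account X') turns into."""
        seqs: Optional[set[int]] = None
        if account_id is not None:
            seqs = set(self._by_account.get(account_id, []))
        if record_type is not None:
            by_type = set(self._by_type.get(record_type, []))
            seqs = by_type if seqs is None else seqs & by_type
        if seqs is None:
            return list(self._records)
        return [self._records[s] for s in sorted(seqs)]

    def head(self) -> str:
        """Latest digest. Escrowing it outside the firm (for example with
        the designated third party) lets anyone later prove the chain was
        not quietly rewritten end to end."""
        return self._records[-1].digest if self._records else GENESIS

    def verify(self) -> tuple[bool, Optional[int]]:
        """Re-derive every digest and chain link. Returns (True, None), or
        (False, seq) for the first record that was altered or re-linked."""
        prev = GENESIS
        for rec in self._records:
            expected = canonical_digest(rec.seq, rec.record_type,
                                        rec.account_id, rec.body, rec.prev_hash)
            if rec.prev_hash != prev or rec.digest != expected:
                return False, rec.seq
            prev = rec.digest
        return True, None


def build_sample_store() -> RecordStore:
    """Constructed sample records (not real customer data)."""
    store = RecordStore()
    store.append("order", "ACC-1001", {"symbol": "XYZ", "side": "buy", "qty": 100})
    store.append("confirm", "ACC-1001", {"symbol": "XYZ", "qty": 100, "price": "12.50"})
    store.append("order", "ACC-2002", {"symbol": "ABC", "side": "sell", "qty": 50})
    store.append("email", "ACC-1001", {"subject": "Trade confirmation", "from": "rep@example.com"})
    return store


def tamper_and_verify() -> tuple[bool, Optional[int]]:
    """Silently edit an archived quantity, as an insider or a buggy batch
    job might, and show that verify() pinpoints the record."""
    store = build_sample_store()
    store.lookup(account_id="ACC-1001", record_type="order")[0].body["qty"] = 1000
    return store.verify()


if __name__ == "__main__":
    print("clean archive:", build_sample_store().verify())
    print("after silent edit:", tamper_and_verify())
```

A hash chain only proves integrity relative to a digest you trust; if the host holding the archive is compromised, an attacker can rewrite every record and recompute the chain. That is why `head()` exists: periodically publishing or escrowing the current head digest somewhere the archive operator cannot change turns after-the-fact verification into evidence.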

Rule 3310: Anti-Money Laundering

FINRA rules require broker-dealers to establish AML programs compliant with the Bank Secrecy Act. Programs must include policies and procedures reasonably designed to detect and report suspicious activity, a designated AML compliance officer, ongoing employee training, and independent testing.

Customer identification (CIP), beneficial ownership identification, and suspicious activity reporting (SARs) form the core operational requirements.

Rule 4370: Business Continuity

Firms must maintain business continuity plans that address how they’ll continue operations during significant business disruptions. Plans must cover data backup and recovery, alternate communications, critical personnel, and customer access to funds and securities.

Firms must review and update the plan at least annually. They must also disclose a summary of the plan to customers in writing at account opening, post it on the firm's website, and provide it on request.

Cybersecurity Requirements

FINRA doesn’t have a single “cybersecurity rule,” but several regulations create cybersecurity obligations.

Regulation S-P: Privacy of Consumer Financial Information

Broker-dealers must protect customer nonpublic personal information. The Safeguards Rule requires written policies and procedures with administrative, technical, and physical safeguards, and firms must provide privacy notices explaining information-sharing practices and opt-out rights. The SEC's 2024 amendments to Regulation S-P add an incident response program requirement, including notifying affected individuals within 30 days of becoming aware that their sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization; compliance dates are phased in by firm size.

Regulation S-ID: Identity Theft Red Flags

Firms maintaining covered accounts must implement identity theft prevention programs. These programs must identify relevant red flags, detect red flags in operations, respond appropriately to detected red flags, and update the program periodically.
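The "detect red flags in operations" element is where a program most often exists only on paper. As an added illustration (not code from this page, and not a regulator-prescribed rule set), the Python below scans a constructed stream of account events for two assumed patterns: a contact-detail change followed within 14 days by a disbursement to a new destination, and a burst of failed logins followed by a password reset and then a disbursement. Each detection carries the response the program would take. The event schema, the window, and both patterns are assumptions chosen for the example; a firm's program defines its own red flags from the accounts and channels it actually operates.

```python
"""Identity theft red-flag detection over account events.

Added illustration, not code from the page or a regulator-prescribed
rule set. The event schema, the 14-day window and the two red-flag
patterns are assumptions chosen for the example; a firm's program
defines its own red flags from its accounts and channels.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    ts: datetime
    account_id: str
    kind: str       # assumed kinds: contact_change, disbursement, login_failed, password_reset
    detail: str = ""


@dataclass(frozen=True)
class RedFlag:
    account_id: str
    rule: str
    evidence: tuple       # (earlier_event, triggering_disbursement)
    response: str         # what the program does when the flag fires


WINDOW = timedelta(days=14)   # assumed look-back window


def detect_red_flags(events: List[Event]) -> List[RedFlag]:
    """Group events per account in time order; every disbursement to a new
    destination is checked against what happened in the preceding WINDOW."""
    flags: List[RedFlag] = []
    by_account: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_account.setdefault(ev.account_id, []).append(ev)

    for acct, evs in by_account.items():
        for idx, disb in enumerate(evs):
            if disb.kind != "disbursement" or "new_destination" not in disb.detail:
                continue
            recent = [e for e in evs[:idx] if disb.ts - e.ts <= WINDOW]

            # Pattern 1: contact change, then money out to somewhere new.
            changes = [e for e in recent if e.kind == "contact_change"]
            if changes:
                flags.append(RedFlag(
                    acct, "contact_change_then_new_destination", (changes[-1], disb),
                    "Hold the disbursement; confirm both the contact change and the "
                    "payment with the customer through a previously verified channel."))

            # Pattern 2: failed logins, reset, then money out (takeover sequence).
            failures = [e for e in recent if e.kind == "login_failed"]
            resets = [e for e in recent
                      if e.kind == "password_reset" and failures and e.ts >= failures[-1].ts]
            if len(failures) >= 3 and resets:
                flags.append(RedFlag(
                    acct, "failed_logins_reset_then_disbursement", (resets[-1], disb),
                    "Hold the disbursement; re-verify identity out of band and review "
                    "the session and device history for the reset."))
    return flags


def summarize(flags: List[RedFlag]) -> Dict[str, List[str]]:
    """Account -> list of rule names that fired, for the review queue."""
    out: Dict[str, List[str]] = {}
    for f in flags:
        out.setdefault(f.account_id, []).append(f.rule)
    return out


def sample_events() -> List[Event]:
    """Constructed events (not real customer activity)."""
    d = datetime
    return [
        Event(d(2024, 3, 1, 10, 0), "ACC-1001", "contact_change", "email"),
        Event(d(2024, 3, 5, 14, 30), "ACC-1001", "disbursement", "wire new_destination"),
        Event(d(2024, 3, 2, 9, 0), "ACC-2002", "disbursement", "ach existing_destination"),
        Event(d(2024, 3, 10, 9, 0), "ACC-2002", "contact_change", "phone"),
        Event(d(2024, 5, 1, 9, 0), "ACC-2002", "disbursement", "wire new_destination"),
        Event(d(2024, 3, 3, 9, 0), "ACC-3003", "login_failed"),
        Event(d(2024, 3, 3, 9, 1), "ACC-3003", "login_failed"),
        Event(d(2024, 3, 3, 9, 2), "ACC-3003", "login_failed"),
        Event(d(2024, 3, 3, 9, 10), "ACC-3003", "password_reset"),
        Event(d(2024, 3, 4, 11, 0), "ACC-3003", "disbursement", "wire new_destination"),
    ]


if __name__ == "__main__":
    for flag in detect_red_flags(sample_events()):
        print(flag.account_id, flag.rule, "->", flag.response)
```

ACC-2002 shows why the window matters: the contact change and the new-destination wire are both present, but seven weeks apart, so the pattern does not fire. Tuning that window, and deciding which disbursement channels count, is the "identify relevant red flags" step; the periodic-update requirement is the reminder to revisit those choices as fraud patterns change.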

FINRA’s Cybersecurity Guidance

Beyond specific rules, FINRA has issued extensive guidance on cybersecurity expectations. Examination priorities consistently emphasize cybersecurity governance and risk management, access controls and authentication, data loss prevention, vendor management, and incident response capabilities.

Firms should treat this guidance as a de facto requirement. It is not itself a rule, but examiners use it as the yardstick for whether a firm's supervisory system under Rule 3110 is "reasonably designed" for the cyber risks the firm faces, so a gap against the guidance typically surfaces as a supervision finding.

The Examination Process

FINRA conducts risk-based examinations of member firms. Understanding the process helps firms prepare and respond effectively.

Examination Types

Cycle examinations are comprehensive reviews conducted on a regular schedule based on firm risk profile. Higher-risk firms see more frequent examinations.

Cause examinations result from specific concerns—customer complaints, suspicious trading patterns, tips, or referrals from other regulators.

Sweep examinations target specific issues across multiple firms simultaneously, often following regulatory guidance or emerging risk identification.

What Examiners Review

Examinations typically cover books and records for accuracy and completeness, supervisory systems and written procedures, customer account documentation and suitability, communications with the public, AML program implementation, customer complaint handling, financial and operational controls, and cybersecurity practices.

Examiners request documents, interview personnel, and test controls. They’re looking for both specific violations and systemic weaknesses in compliance infrastructure.

Examination Findings

After an examination, FINRA issues a report. Findings identify apparent rule violations and require a written response describing remediation, with the most serious items expected to be corrected promptly. The report may also note weaknesses that do not rise to violations but that the firm is expected to address. Some examinations close with no findings.

Serious findings can trigger referral to FINRA’s enforcement division, potentially resulting in formal disciplinary proceedings.

Enforcement and Penalties

FINRA brings enforcement actions against firms and individuals for rule violations. Understanding enforcement patterns helps firms prioritize compliance investments.

Common Enforcement Areas

Recent enforcement trends emphasize suitability and Reg BI violations, supervision failures, AML program deficiencies, books and records violations, communications violations (misleading advertising, social media), and cybersecurity failures.

Penalty Framework

FINRA’s Sanction Guidelines provide a framework for penalties. Factors include the nature and severity of the violation, harm to customers, firm size and resources, disciplinary history, and cooperation and remediation efforts.

Penalties range from censures and fines to suspensions and permanent bars. Significant cases result in restitution orders requiring firms to compensate harmed customers.

BrokerCheck

FINRA maintains BrokerCheck, a public database showing disciplinary history, customer complaints, and regulatory actions for registered firms and individuals. Disclosure events remain visible for years, creating reputational consequences beyond direct penalties.


FINRA Compliance

Broker-dealers face technology requirements embedded throughout FINRA’s rulebook—from books and records to cybersecurity to business continuity.

IT GOAT provides specialized support for firms navigating these technology-intensive compliance obligations.

Cybersecurity program development builds controls that satisfy FINRA guidance and examination expectations, covering governance, access management, data protection, and incident response.

Books and records compliance ensures electronic recordkeeping meets FINRA and SEC requirements for retention, accessibility, and integrity.

Business continuity planning develops and tests BCP capabilities that satisfy regulatory requirements and actually work during disruptions.

Building a FINRA Compliance Program

Effective compliance requires systematic attention to policies, supervision, training, and monitoring.

Supervisory Structure

Designate supervisors for each business line and location. Supervisory responsibilities must be clearly assigned—ambiguity about who supervises what creates gaps. Document supervisory assignments and ensure supervisors have appropriate training and resources.

Written Supervisory Procedures

WSPs must address each applicable FINRA rule and reflect actual business activities. Generic procedures that don’t match operations fail examination scrutiny. Review and update WSPs when business changes or new rules take effect.

Compliance Testing

Regular testing verifies that procedures work as designed. Test customer account documentation for completeness, review transaction samples for suitability documentation, verify communications comply with advertising rules, and confirm AML procedures detect reportable activity.

Document testing results and track remediation of identified issues.

Training Programs

FINRA requires continuing education for registered representatives through the Regulatory Element (FINRA-administered) and Firm Element (firm-administered) programs.

Beyond required CE, effective compliance programs include training on firm-specific procedures, emerging risks, and examination findings. Training should reach all relevant personnel, not just registered representatives.

Complaint Handling

Establish clear procedures for receiving, investigating, and responding to customer complaints. Document complaint investigations thoroughly. Monitor complaint patterns for emerging issues that might indicate systemic problems.

Certain complaints require regulatory reporting. Ensure procedures capture reportable events and meet filing deadlines.


FAQ

How is FINRA different from the SEC?

The SEC has ultimate authority over securities markets and writes the primary securities laws. FINRA operates as a self-regulatory organization under SEC oversight, writing detailed rules for broker-dealers, conducting examinations, and bringing enforcement actions. Both can take action against broker-dealers, but most routine regulation happens through FINRA.

How often does FINRA examine a firm?

Examination frequency depends on the firm's risk profile. Higher-risk firms, such as those with retail customers, complex products, or a compliance history, face more frequent examination. Some firms see annual examinations, while lower-risk firms may go several years between comprehensive reviews.

What triggers a FINRA investigation?

Investigations can result from examination findings, customer complaints, trading surveillance alerts, whistleblower tips, referrals from other regulators, or media reports. FINRA's surveillance systems also flag unusual trading patterns that may indicate violations.

How long do disclosure events stay on BrokerCheck?

Most disclosure events remain on BrokerCheck permanently or for extended periods. Customer complaints typically stay visible for the representative's career; regulatory actions and criminal matters remain indefinitely. This creates long-term consequences beyond the immediate penalties.

Can a firm comply with FINRA rules but not SEC rules?

Practically, no. SEC rules and FINRA rules overlap substantially for broker-dealers, and a comprehensive compliance program addresses both at once. Some SEC requirements (Reg BI, for example) add obligations beyond the base FINRA rules, so the program needs updating when new regulations take effect.


Ensure Your Firm Meets FINRA Requirements

FINRA regulations establish requirements for broker-dealers operating in securities markets, including:

  • Rule 2111 (Suitability): Reasonable basis for recommendations
  • Rule 3110 (Supervision): Systems designed to achieve compliance
  • Rule 4511 (Books and Records): 3-6 year retention requirements
  • Regulation S-P: Customer information privacy and security


These requirements apply to registered broker-dealers, individual representatives, and firms conducting securities business.

Enforcement actions result in fines, suspensions, and industry bars. Disciplinary records appear on BrokerCheck, creating lasting reputational consequences.

Work with IT GOAT to implement technology controls that satisfy FINRA requirements.