Rule 3110 Supervisory Review: What It Requires and How to Automate It

FINRA Rule 3110 requires each broker-dealer to establish, maintain, and enforce a supervisory system that is "reasonably designed" to achieve compliance with applicable securities laws and regulations. For electronic communications, this means designated principals must review registered representatives' communications — regularly, systematically, and in a way they can document to examiners.

What Rule 3110 Actually Requires

Rule 3110(b)(4) specifically addresses electronic communications. It requires each firm to have written supervisory procedures that include review of electronic communications by a principal, the frequency and manner of review, the process for detecting and addressing non-compliant communications, and how the firm monitors for use of non-approved communication channels.

The rule doesn't specify exactly how frequently reviews must occur or what percentage of communications must be reviewed. It requires that the supervisory system be "reasonably designed" — a standard that FINRA interprets in context of the firm's size, business, and risk profile.

The Manual Review Problem

Many firms continue to satisfy Rule 3110 through manual review: a principal periodically reviews a sample of each representative's communications. This approach has several problems.

Sampling bias: Manual review typically covers less than 5% of total communications. If a representative is engaged in a pattern of problematic communications, manual sampling is unlikely to detect it unless the problematic messages happen to be in the sampled subset.

Documentation burden: Manual review must be documented — what was reviewed, when, and any findings. This documentation is itself subject to regulatory examination. Maintaining compliant documentation is time-consuming and error-prone.

Detection latency: Manual review is typically periodic — weekly, monthly, quarterly. A representative who begins a problematic pattern won't be detected until the next review cycle, which may be weeks or months later.

How Automated Supervisory Review Works

Technology-assisted supervisory review uses automated tools to analyze communications continuously and flag those that warrant principal attention:

Keyword and phrase detection: Communications containing words, phrases, or patterns associated with regulatory concern — references to guaranteed returns, client complaints, discussions of undisclosed conflicts, certain securities-specific terminology — are automatically flagged for review.

Behavioral pattern analysis: Sophisticated systems analyze communication patterns over time. A representative who suddenly increases communication volume with a particular client, or who communicates outside normal business hours, may be flagged even if no individual communication triggers a keyword alert.

Risk-stratified sampling: Rather than random sampling, technology-assisted review can implement risk-stratified sampling — reviewing higher proportions of communications from representatives with elevated risk profiles, and lower proportions from those with consistently clean records.

The Review Desk: Cruve's Approach to Supervisory Review

The Review Desk is Cruve's built-in supervisory review workflow. It integrates directly with The Ledger to provide principals with structured access to communications that require review.

Flagging: Communications matching configurable criteria are automatically flagged and placed in the Review Desk queue. Principals configure keyword lists, communication patterns, representative risk categories, and other criteria.

Review: Principals access the Review Desk through the Cruve interface. Each flagged communication is presented in context — the full thread, participant identities, relevant metadata — with the ability to view historical communications for context.

Decision and documentation: For each flagged communication, the principal makes a review decision: clear (no action required), flag for follow-up, escalate to compliance, or initiate a formal investigation. Each decision is recorded with a timestamp and the principal's identity, creating a documented supervisory record.

Reporting: The Review Desk generates reports documenting supervisory activity: communications reviewed, review decisions made, patterns identified, and actions taken. These reports are maintained in The Ledger alongside the communications themselves.

What "Automated" Doesn't Mean

It's important to be clear about what technology-assisted review automates and what it doesn't. Automation handles detection and routing — identifying which communications warrant principal attention and presenting them for review. The review itself is still performed by a human principal.

FINRA requires that a registered principal — a human — review electronic communications. Fully automated review without human involvement doesn't satisfy Rule 3110. When FINRA asks "who reviewed these communications and what was the outcome?", the answer needs to involve a specific principal who made a documented decision.

Building the Written Supervisory Procedures

Rule 3110 requires written supervisory procedures (WSPs) that document the firm's supervisory system. For electronic communications, the WSPs need to address: which communication channels are approved, which principals are responsible for which categories of representatives, the criteria for flagging communications for review, the review workflow and decision documentation process, the escalation process for potential violations, and how the firm detects and responds to communications on non-approved platforms.

A technology-assisted supervisory system that generates audit logs of review activity, stores review decisions in the compliance archive, and produces reports on supervisory activity is significantly better positioned to respond to examination requests than a firm relying on email records of manual review.