FINRA Entitlement Program: Entitlement Reference Guide
This user guide is designed to assist Super Account Administrators (SAAs) and Account Administrators (AAs) in navigating through the Account Management System of the FINRA Entitlement Program.
- Section 2: Account Administrator (AA) Roles & Responsibilities
- Section 3: How To Access the Account Management Functionality
- Section 4: Setting Up Your Newly Created SAA Account
- Section 5: How To Search For and View an Account
- Section 6: How To Create an Account
- Section 7: How To Import an Account
- Section 8: How To Edit an Account
- Section 9: How To Disable, Enable or Delete an Account
- Section 10: How To Request an Account Details Report
- Section 11: How To Review Accounts
- Section 12: How To Reset a Password
- Section 13: How To Change the User Account Status
- Section 14: FINRA Security Questions Feature
- Section 15: How To Log Out
- Section 16: Dormant Accounts
- Section 17: How To Manage Roles
- Section 18: User Accounts Certification
Section 1: Super Account Administrator (SAA) Information
The FINRA Entitlement Program requires that each organization designate a Super Account Administrator (SAA). The SAA is entitled as an administrator to all applications participating in the FINRA Entitlement Program that are available to the organization. SAAs are responsible for managing the accounts at their organization by ensuring access is required and appropriate for each user and for the timely deletion of accounts when access is no longer needed to the FINRA Entitlement Platform.
1.1: Considerations for Designating an SAA:
- Each firm/regulator must designate one SAA.
- For firms with affiliates, the same SAA or a different SAA may be designated; however, each affiliate (with its Organization ID#) must provide a signed SAA Entitlement Form.
- SAA must be formally delegated the authority by the organization/agency and as authorized in the New Organization SAA Form (or by using the Replace SAA online workflow) to perform the SAA responsibilities on its behalf. In order for FINRA to create an SAA account for a new organization, the designation must be executed on the current version of FINRA’s New Organization SAA Form (or by using the Replace SAA online workflow), as instructed, and be executed by an authorized signatory, as defined by FINRA.
- An SAA may serve in this role for multiple organizations (affiliated or non-affiliated).
NOTE: a separate username and password is required for each organization.
The individual does not need to have an existing FINRA Entitlement Account.
1.2: SAA Designation
The New Organization SAA Form is used to designate an SAA when your organization is new and needs access to the FINRA Entitlement Platform. The Update/Replace SAA online workflow is used when your firm/regulator needs to replace the SAA or update the name and/or email of your current SAA. See Section 1.4: Replacing or Updating an Existing SAA.
Authorized Signatory Instructions and Requirements
The New Organization SAA Form is used to designate an SAA when your organization is new and requires access to the FINRA Entitlement Platform. This form has specific instructions and signature requirements noted in the form which must be met for processing. This form can be submitted electronically via DocuSign or a downloadable PDF submitted via email or mail. Only person(s) authorized to execute these agreements on behalf of the organization must sign the form. The SAA and the authorized signatory may be the same person only if there is no one at the Organization authorized to act as the authorized signatory (e.g., a sole proprietor). If this is the case, you must provide an explanation if you are authorized to execute this agreement on behalf of the organization.
- Broker-Dealer (BD) and CAB Firms: An authorized signatory is the Chief Compliance Officer (CCO) or authorized officer (or other authorized person) listed on Schedule A of the Organization’s initial Form BD. Generally, the signatory and the designated SAA cannot be the same person. There are limited circumstances when this condition is permitted, and an explanation must be provided for evaluation by the FINRA Entitlement Group.
- Investment Adviser Firms: An authorized signatory is either the Chief Compliance Officer (CCO) or Additional Regulatory Contact (ARC) who will be listed on the organization’s initial Form ADV. Generally, the signatory and the designated SAA cannot be the same person. There are limited circumstances when this condition is permitted, and an explanation must be provided for evaluation by the FINRA Entitlement Group.
- Regulators: An authorized signatory is the Securities Commissioner, Chief Regulatory Officer or other authorized signatory. Generally, the signatory and the designated SAA cannot be the same person. There are limited circumstances when this condition is permitted, and an explanation must be provided for evaluation by the FINRA Entitlement Group.
1.3: SAA Roles and Responsibilities
- As an SAA, you are responsible for managing the accounts at your organization that require entitlement to the FINRA Entitlement Platform.
- Self-entitle their own “User” privileges.
- Self-edit their own account for phone numbers, title & dept.
- Create and update privileges (entitlement) for AAs and individual users.
- Create and manage Roles for your organization (See Section 17)
- Assign and unassign Roles for your AAs and users (See Section 17)
- Search for only those entitlements to which they are assigned Administrator privilege.
- Perform password administration, such as unlocking accounts and resetting passwords.
- Disable an account if you suspect an information security issue.
- Delete an account immediately when the individual is no longer with the organization or no longer requires access to the FINRA Entitlement Platform per their job responsibilities.
- Ability to see deleted accounts.
- Ability to see FTP (M2M) accounts and certify.
- Ability to monitor your accounts on a periodic basis by using the Account Details Report.
- Certify all accounts at the organization for authorized access on an annual basis.
1.4: Replacing or Updating an Existing SAA
An online workflow will enable your organization to replace its SAA or allow an SAA to update their name and/or email address. The workflow guides you step by step through the request process. While many requests will process automatically once approved by an Authorized Signatory, there are circumstances that require a request to route to the FINRA Entitlement Group for review, research, and validation prior to fulfillment.
Benefits of Online Replace/Update Requests
- An organization will be able to replace its SAA and an SAA will be able to update their name and/or email address online. No need to contact the FINRA Support Center to request a Replace/Update SAA Form.
- An organization will have the option to either convert the current SAA account to a User account or delete the account when requesting an SAA replacement.
- An Authorized Signatory will need to approve each request. Authorized Signatories will auto-populate for Broker Dealer including Capital Acquisition Broker (CAB) firms and Investment Adviser firms.
- Most requests will process automatically once an Authorized Signatory approves the request. Certain conditions will require a request to route to the FINRA Entitlement Group for manual review and fulfillment.
- Organizations will be able to see the status of their SAA replacement request as it moves through the workflow. SAAs will be able to see the status of their name and/or email change requests.
- Emails will be sent to the organization’s Requester and Authorized Signatory with updates on each request.
1.4.1 Replace SAA
To replace an SAA, use the Replace SAA workflow in the Account Management System to designate the replacement SAA. Any individual at your organization with an active FINRA Gateway account is able to submit a replacement request via the Admin landing page, but only the Requester and Authorized Signatory may view the request through Requests & Filings (see Section 1.4.3). Keep in mind that an Authorized Signatory must approve the request before it will be processed.
Step 1: Select Replace SAA from the Admin landing page.
Step 2: Current SAA
From the Current SAA screen, there are 2 options available for you to decide on what is to be done with the current SAA’s account:
- Convert to User Account
- Delete Account
If the organization wants to keep the current SAA’s account as a User, select the first option, ‘Convert to User Account’. Once the request is processed, the SAA’s account will have the SAA administrator role removed and only those privileges that had user marked will remain. If the current SAA no longer needs access or has terminated from the organization, select the second option, ‘Delete Account’. Once you choose an option, select one of the following actions:
- Cancel
- Workflow is terminated.
- Save & Edit
- Workflow is saved and available to Edit and Submit from the Requests button on the banner shown below. The requester will be taken back to the first step, however the previously entered information is retained.
- Workflow is saved and available to Edit and Submit from the Requests button on the banner shown below. The requester will be taken back to the first step, however the previously entered information is retained.
- NEXT
- Workflow moves onto the next step-Select New SAA
Step 3: Select New SAA
Select a new SAA from the list of your users at your organization that have an account.
If the individual you want to designate as the new SAA is not listed under the “Select New SAA” section, a newly created SAA is required. Click on Request New SAA Account on the upper-right-side of screen and go to Step 4.
Once you have completed your selection of the new SAA from the list of your organization’s accounts, select Next to continue with the workflow
- NEXT
- Workflow moves onto the next step-Select Authorized Signatory
Step 4: If a new-SAA is required, enter the information to create the new SAA Account.
Once the new SAA Account information has been entered, select Next to continue with the workflow.
- NEXT
- Workflow moves onto the next step-Select Authorized Signatory
Step 5: Select Authorized Signatory
Select an Authorized Signatory from a list that displays. An Authorized Signatory will need to approve the request before it will be fulfilled. The Authorized Signatories are based on your organization type (e.g., BD, IA) and originate from filing or contact information your firm submitted to FINRA.
FINRA-Defined Authorized Signatories
- For Broker-Dealers, the authorized signatory is the Chief Compliance Officer (CCO), authorized officer or other authorized person listed on Schedule A of the firm’s current Form BD or listed in the FINRA Contact System (FCS).
- For Investment Advisers, the authorized signatory is the Chief Compliance Officer (CCO), Additional Regulatory Contact (ARC) or other authorized person listed on Schedule A of the firm’s current Form ADV.
- For Funding Portals: An authorized signatory is the Chief Compliance Officer (CCO), Chief Executive Officer (CEO), Chief Financial Officer (CFO), Chief Legal Officer (CLO), Chief Operations Officer (COO) or a Director or any other individuals with similar status or functions listed on Schedule A of the firm’s current SEC Form FP.
- For Regulators: An authorized signatory is the Securities Commissioner, Chief Regulatory Officer or other authorized signatory.
Select an Authorized Signatory from the list below who will approve the request. If you are listed as an Authorized Signatory and other Authorized Signatories are available, you cannot select yourself. If available, select an Authorized Signatory with an email address for fastest processing times.
Select only one Authorized Signatory. If the Authorized Signatory selected does not have an email address on file, a prompt will display for you to enter the individual’s email address.
Note: Funding Portals, regulators and firms without Authorized Signatories on file will be presented with the ‘Add Authorized Signatory’ screen below to enter an Authorized Signatory. Fields marked with an asterisk are mandatory.
Once the Authorized Signatory has been selected/added, select Next to continue with the workflow.
- NEXT
- Workflow moves onto the next step-Review and Send
Note: Be sure to keep your organization’s Authorized Signatories up to date through the FINRA Contact System, Form BD Schedule A, or Form ADV.
Step 6: Review and Send
Review the requested information to make sure it is complete and accurate.
Once you complete the review, select Send Request to continue with the workflow.
- SEND REQUEST
- Confirmation message will display ‘Request to Replace SAA has been Submitted’. Email is sent to the selected Authorized Signatory with a one-time passcode to access the request and decide to approve, deny, or return the request to the Requester.
Step 7: The request is now Pending Review by the Authorized Signatory. A Requester has the option to Recall Request or Exit Request.
Once the request is submitted, select one of the following actions:
- Recall Request
- If yes, the status is changed to ‘draft’ and the Requester is returned to the first step, however the previously entered information will remain.
All ‘draft’ requests older than 30 days will be deleted.
- If yes, the status is changed to ‘draft’ and the Requester is returned to the first step, however the previously entered information will remain.
- Exit Request
- Request has been successfully submitted and no further action is required. For more information on viewing the request statuses, see Section 1.4.3 Requests & Filings.
Step 8: With the Selection of Exit Request, the Authorized Signatory will receive an email with a one-time passcode which the Authorized Signatory will use to log into the application to review the Replace SAA request. A one-time password allows an Authorized Signatory to access the request without needing a FINRA Gateway (FINRA Entitlement) account. Screen will display the status of ‘Pending review by Authorized Signatory’.
In certain cases, the Authorized Signatory will be required to complete two mandatory comment fields to provide justification in the event:
- Requester’s email address is the same as Authorized Signatories email address OR
- When replacement SAA has the same information (email) as the Authorized Signatory and
is not the only Authorized Signatory in the organization.
Once reviewed, the Authorized Signatory selects one of the following actions for the request:
- Deny Request
- Acknowledge FINRA Entitlement Agreement
- Authorized Signatory must provide a reason why the request is being denied. The Requester will be able see the denial reason.
- Requester receives an email ‘SAA Request Denied by Authorized Signatory’. View the request for comments and contact the Authorized Signatory for more information. No further action will be taken on this request.
- Send Back Request
- Acknowledge FINRA Entitlement Agreement
- Authorized Signatory must provide a reason why the request is being sent back. The Requester will see the reason for the returned request.
- Requester will receive an email ‘SAA Replacement Request Returned by Authorized Signatory’. View the request for comments and contact the Authorized Signatory for more information. Requester should be able to address the issue and resubmit the request.
- Approve Request
- Acknowledge FINRA Entitlement Agreement
- Requester receives an email ‘SAA Replacement Request is Approved by Authorized Signatory’. View the approved request.
- Acknowledge FINRA Entitlement Agreement
Request Workflow
While many requests will process automatically once approved by an Authorized Signatory, there are events within the request workflow that will trigger a review by the FINRA Entitlement Group for security or procedural reasons. Following an Authorized Signatory’s approval the FINRA Entitlement Group will receive the request, review and validate the information, and either approve, deny, or return the request to the Requester. The workflow sends a corresponding email to the Requester and Authorized Signatory and provides the FINRA decision status. FINRA statuses are also viewable in Requests & Filings (see Section 1.4.3).
1.4.2 Update SAA Name and/or Email
Only the organization’s Super Account Administrator (SAA) is able to submit a request to update their name and/or email address. An Authorized Signatory is required to approve a request before it will be fulfilled.
Step 1: As the SAA, select Request to Update Name or Email from the Admin landing page.
Step 2: SAA’s Information
From the Change Name or Email Request screen, enter your updated name and/or email address information.
Once the update has been entered, select one of the following actions:
- Cancel
- Workflow has been terminated
- Save & Edit
- Workflow is saved and available to edit and submit from the Requests button on the banner shown below. An SAA is taken back to the first step, however the previously entered information is retained.
- Workflow is saved and available to edit and submit from the Requests button on the banner shown below. An SAA is taken back to the first step, however the previously entered information is retained.
- NEXT
- Workflow moves onto the next step-Select Authorized Signatory
Step 3: Select Authorized Signatory
Select an Authorized Signatory from a list that displays. An Authorized Signatory will need to approve the request before it will be fulfilled. The Authorized Signatories are based on your organization type (e.g., BD, IA) and originate from filing or contact information your firm submitted to FINRA.
FINRA-Defined Authorized Signatories
- For Broker-Dealers, the authorized signatory is the Chief Compliance Officer (CCO), authorized officer or other authorized person listed on Schedule A of the firm’s current Form BD or listed in the FINRA Contact System (FCS).
- For Investment Advisers, the authorized signatory is the Chief Compliance Officer (CCO), Additional Regulatory Contact (ARC) or other authorized person listed on Schedule A of the firm’s current Form ADV.
- For Funding Portals: An authorized signatory is the Chief Compliance Officer (CCO), Chief Executive Officer (CEO), Chief Financial Officer (CFO), Chief Legal Officer (CLO), Chief Operations Officer (COO) or a Director or any other individuals with similar status or functions listed on Schedule A of the firm’s current SEC Form FP.
- For Regulators: An authorized signatory is the Securities Commissioner, Chief Regulatory Officer or other authorized signatory.
Select an Authorized Signatory from the list below who will approve the request. If you are listed as an Authorized Signatory and other Authorized Signatories are available, you cannot select yourself. If available, select an Authorized Signatory with an email address for fastest processing times.
Select only one Authorized Signatory. If the Authorized Signatory selected does not have an email address on file, a prompt will display for you to enter the individual’s email address
Note: Funding Portals, regulators and firms without Authorized Signatories on file will be presented with the ‘Add Authorized Signatory’ screen below to enter an Authorized Signatory. Fields marked with an asterisk are mandatory.
Once you select/add the Authorized Signatory, select Next to continue with the workflow.
- NEXT
- Workflow moves onto the next step-Review and Send
Note: Be sure to keep your organization’s Authorized Signatories up to date through the FINRA Contact System, Form BD Schedule A, or Form ADV.
Step 4: Review & Send
Review your updated name and/or email address to make sure it is complete and accurate.
Once you complete the review, select Send Request to continue with the workflow.
- SEND REQUEST
- Confirmation message will display ‘Request to Update SAA has been submitted’. Email is sent to the selected Authorized Signatory with a one-time passcode to access the request and decide to approve, deny, or return the request to the SAA.
Step 5: Once submitted, the request is now Pending Review by Authorized Signatory. The SAA will have the option to Recall Request or Exit Request.
Once the request is submitted, select one of the following actions:
- Recall Request
- If yes, the status is changed to ‘draft’ and the SAA is returned to the first step, however the previously entered information will remain.
All ‘draft’ requests older than 30 days will be deleted.
- If yes, the status is changed to ‘draft’ and the SAA is returned to the first step, however the previously entered information will remain.
- Exit Request
- Request has been successfully submitted and no further action is required.
- For more information on viewing the request statuses, see Section 1.4.3 Requests & Filings.
Step 6: With the Selection of Exit Request, the Authorized Signatory will receive an email with a one-time passcode which the Authorized Signatory will use to log into the application to review the Update SAA request. A one-time password allows an Authorized Signatory to access the request without needing a FINRA Gateway (FINRA Entitlement) account. Screen will display the status of ‘Pending review by Authorized Signatory’.
In certain cases, the Authorized Signatory will be required to complete two mandatory comment fields to provide justification in the event:
- Requester’s email address is the same as the Authorized Signatories email address.
Once reviewed, the Authorized Signatory selects one of the following actions for the request:
- Deny Request
- Acknowledge FINRA Entitlement Agreement
- Authorized Signatory must provide a reason why the request is being denied. The Requester will be able to see the denial reason.
Requester receives an email ‘SAA Request Denied by Authorized Signatory’. View the request for comments and contact the Authorized Signatory for more information. No further action will be taken on this request.
- Send Back Request
- Acknowledge FINRA Entitlement Agreement
- Authorized Signatory must provide a Reason why the request is being sent back. The Requester will see the reason for the returned request.
- Requester will receive an email ‘SAA Update Request Returned by Authorized Signatory’. View the request for comments and contact the Authorized Signatory for more information. Requester should be able to address the issue and resubmit the request.
- Approve Request
- Acknowledge FINRA Entitlement Agreement
- Requester receives an email ‘SAA Update Request is Approved by Authorized Signatory’. View the approved request.
- Acknowledge FINRA Entitlement Agreement
Request Workflow
While many requests will process automatically once approved by an Authorized Signatory, there are events within the request workflow that will trigger a review by the FINRA Entitlement Group for security or procedural reasons. Following an Authorized Signatory’s approval the FINRA Entitlement Group will receive the request, review and validate the information, and either approve, deny, or return the request to the Requester. The workflow sends a corresponding email to the Requester and Authorized Signatory and provides the FINRA decision status. FINRA statuses are also viewable in Requests & Filings (see Section 1.4.3).
1.4.3: Requests & Filings
Step 1: From the Requests & Filings screen, review the Replace SAA and/or Update SAA entries for your organization.
Click on Active and Completed tabs to see corresponding requests. See Active Statuses below.
Only the Requester or Authorized Signatory, at the organization with an active FINRA Gateway account, will be able to view all Active or Completed Replace or Update SAA Requests.
Any individual at the organization with an active FINRA Gateway account will be able to view all Active or Completed Replace SAA Requests. Only SAAs can view their Update SAA Requests.
Filter for Replace SAA and Update SAA requests:
The following filters are presented to assist you in searching for requests:
- Type
- Replace SAA
- Update SAA
- Category
- Account Management
- Status
- Draft (Active) (All ‘draft’ requests older than 30 days will be deleted)
- Cancelled
- Pending Review by Authorized Signatory (Active)
- Denied by Authorized Signatory
- Pending Review by FINRA (Active)
- Denied by FINRA
- Approved by FINRA
NOTE: Filters are dynamic and will show only when applicable. To remove all filters, click on Clear Filters at the bottom of the left-hand menu.
1.5: How To Self-Entitle User Privileges as an SAA
As a new SAA, you will need to entitle yourself to any user privileges you need to perform your job responsibilities. As the SAA, you have 3 options to self-entitle.
Option 1 (New Feature)
To quickly access your own account to self-entitle, click on your User Profile in the upper right-hand corner, select My Account and click on My Entitlements which will open the Edit Entitlements screen and allow you to update your entitlements. See Step 1 below.
Option 2
From your SAA account in Account Management, click on Actions and select Edit Entitlements which will open the Edit Entitlements screen and allow you to update your entitlements. See Step 1 below.
Option 3
From your SAA account in Account Management, click on the User ID hyperlink.
To add/remove entitlements, select Edit Entitlements (under the Entitlement and Access Management tab), which will open the Edits Entitlement screen and allow you to update your entitlements. See Step 1 below.
Step 1: Selecting User allows you access to a specific functionality of the applicable application needed to perform your job responsibilities.
As you are adding or removing entitlements, the shopping cart on the right-hand side of the screen is updated to provide an overview of the selected entitlements. Click Save to save your self-entitled privileges.
1.6: How To Entitle AAs With New Account Management System
As the SAA, you will need to grant AAs the user privilege for the entitlement labelled "Manage Access to New Account Management Application” in the Account Management application.
Section 2: Account Administrator (AA) Roles & Responsibilities
An AA is responsible for the following:
- Create accounts for individual users.
- Assign and unassign Roles for your users. If your SAA grants your account with this ability. (See Section 17)
- Provide and update privileges (entitlement) for individual users.
- Search for only those entitlements to which they are assigned administrator privileges.
- Perform password administration, such as unlocking accounts, and resetting passwords for individual users.
- Verify accounts periodically for authorized access.
- Disable an account if you suspect an information security issue.
- Delete an account immediately when the individual is no longer with the organization or no longer requires access to the FINRA Entitlement Platform per their job responsibilities.
An Account Administrator CANNOT:
- Change or reset another Account Administrator’s password.
- Change or set up their own account privileges (entitlement) or another Account Administrator’s account.
- Change their own account, another Account Administrator’s account or their Super Account Administrator’s account.
- See deleted accounts.
- Create Roles.
NOTE: An AA who needs assistance and is with an organization that has an SAA should contact their SAA. An AA who needs assistance and is with an organization that does not have an SAA should contact the FINRA Support Center. See the Need Help? Section for contact information.
Section 3: How To Access Account Management Functionality
The Account Management functionality can be accessed several ways:
- BD, IA and BD/IA firms can access Account Management via FINRA Gateway
- SAAs and AAs can also access the Account Management link located within certain applications (i.e., Web CRD, IARD).
- Funding portals can access Account Management via the Funding Portal Gateway
- Regulators & non-security orgs can access via the Account Management link.
3.1: Supported Browsers
For more information on Supported Browsers, see Upgrade Your Web Browser.
3.2: Organizations and Regulators
Step 1: Access FINRA Gateway and on the landing page select the Admin icon from the left side menu bar to access the new Account Management functionality.
Section 4: Setting Up Your Newly Created SAA Account
Step 1: Once your new SAA Account has been activated, you will receive 2 separate emails with your User ID and a link to activate your password.
Step 2: After clicking on the Activate Password link, the Reset Password screen will appear. Enter your new User ID, New Password and then Confirm New Password. You can hold the cursor down on Show to see the actual characters entered in each of these fields. Click Save.
You will receive a ‘Password was changed successfully’ message.
Click Back to Log in button to return to the main login screen.
Step 3: Select Firm/Org tab, and enter your user ID and new password in the User ID and Password fields. Read the Privacy Policy and Entitlement Program Terms of Use and click Accept and Continue.
Step 4: You will now be prompted to set up your Security Information questions. Type your responses in the appropriate Answers fields and click Continue.
Upon completion of password reset and security information, you will be prompted to complete the Multi-Factor Authentication (MFA) process. For more information on the MFA, see Multi-Factor Authentication.
Once you have completed the MFA process, you will be presented with the FINRA Gateway or the Funding Portal Gateway home screen appears. Your account is now active and you can navigate through the application as needed. You can begin creating user accounts for users at your organization who require entitlement to FINRA.
NOTES:
- Each set of questions has a drop-down list that can be used to select your question. Once you have selected the question, provide the appropriate answer.
- If you are using your personal computer and you trust the device/computer, you can click the Remember this computer checkbox. If you leave the checkbox unmarked, you will be presented with a security question with each login.
ADDITIONAL NOTES:
- Once you have saved your security information, you will periodically be presented with a security question when you login. Or, if you have not selected the Remember this computer checkbox, you will be presented with a security question with each login.
- Five incorrect entries of your password will lock your account. You will need to contact your SAA or wait an hour for your account to auto-unlock.
- View FINRA Entitlement Program Frequently Asked Questions.
4.1: How to Create/Update/Access Fast Account Switching Logins
This feature allows FIRM users to save any active accounts on the same browser and provide functionality to switch from the current logged in account to a previously logged in account enhancing the user login experience. This feature allows a user to add a maximum of 20 accounts.
Step 1: To begin building your Fast Account Switching list, access one of your accounts by selecting the Firm/Org tab and entering your User ID and password in the User ID and Password fields. Read the Privacy Policy and Entitlement Program Terms of Use and click Accept and Continue.
Step 2: As an SAA or AA, you will be presented with the MFA screen if it has been more than 24 hours since the last login before proceeding.
As a non Admin, you will be presented with the Security Question screen. Click the Remember Device check box to quickly access your accounts on this browser. Click Submit. If you leave the check box unmarked, you will be presented with a security question with each login.
Note: For security purposes, you should never check this box on public computers (e.g., library, etc.).
Step 3: You will then be presented with the Remember This Account screen. Click on Remember this account on browser check box to allow this account to be displayed as an available account in the list. If you leave the check box unmarked, the account will not be added. Click Sign In.
Note: For security purposes, you should never check this box on public computers (e.g., library, etc.).
Step 4: The screen will display the account you added to the browser. This screen will be displayed whether you have saved one account or additional accounts.
Select the account you want to use and click Sign In to access the account. See Step 6 to add accounts, or Steps 7 or 8 to remove accounts from your list.
Step 5: Once you have logged into your account and you decide to add another account to your list, click on your User Profile in the upper right-hand corner and select Manage Log Ins.
Step 6: To add additional accounts, click on Sign-In to Another Account.
Repeat Steps 1, 2 and 3 to add additional accounts in your listing.
The account you are currently logged in with will be labeled as ‘Active’ and will appear at the top of the list. You can only log into one account at a given time.
Step 7: To remove an account, click on the X next to the account you wish to remove. You will be presented with the Forget Account screen to confirm. Select Continue to remove this account from your browser. This account will no longer be available to select. If you wish to add the account back, see Step 1.
Step 8: To remove all accounts, click on Forget All Saved Accounts. You will be presented with the Forget All Accounts screen to confirm. Select Continue to remove all accounts from your browser. The accounts will no longer be available to select. You will be redirected to the Gateway Log In screen. If you wish to add an account back, see Step 1.
Step 9: Throughout your browser session, click on your User Profile in the upper right-hand corner and select Manage Log Ins to switch between accounts. The account you are currently logged in with will be labeled as ‘Active’ and will appear at the top of the list. You can only log into one account at a given time. All accounts that are added will remain until they are forgotten or removed by the account owner (e.g., disabled, deleted log ins will deny access).
Click on the account you would like to switch to and click Sign In.
Click Confirm to switch to the account selected.
Step 10: After a period of inactivity or when you Sign Out, your account(s) will be logged out. Log back in to continue to use the accounts remembered on the same browser.
If you decide to use a different browser and/or device, you will have to go through the entire setup process again. See Step 1.
Section 5: How To Search For and View an Account
As an administrator, you are responsible for managing your organization's accounts. You must first search for the accounts you need to edit or delete.
The Accounts page defaults to displaying all the active accounts in your organization. You can filter the list to include Active, Deleted, Disabled or Draft accounts or exclude active accounts by updating the checkboxes in the Status section.
Step 1: Use the Search Box to find an account. Type in the account owner’s user ID, name or email address. If you need an exact match, place quotes around the search text (e.g., “john smith”)
Step 2: As an SAA, you can identify deleted accounts by selecting the Deleted Status filter for a list of deleted accounts. A trash can displays next to each deleted account.
NOTE: Filters are dynamic and will show up only when applicable. To remove all filters, click on Clear Filters at the bottom of the left-hand menu.
NOTE: The option to see deleted accounts is only available to the SAA.
Step 3: Filter accounts by Org Class. SAAs have the ability to filter accounts by Org Class (e.g., FTP) by selecting one or more checkboxes in the Org Class Filter section.
NOTE: The option to see FTP accounts is only available to the SAA.
Step 4: Identify SAA, AA or non-admin accounts. Select the User Type of the account you want to see.
NOTE: The SAA/AA will be able to search for only those entitlements to which they are assigned administrator privilege(s).
Step 5: Search by entitlements assigned to account. Click + Entitlement and search by entitlement name.
Step 6: Identify Machine to Machine (M2M) accounts. Select Yes in the M2M filter to see accounts that are non-human and are used for machine-to-machine interaction such as FTP accounts.
NOTE: The machine to machine (M2M) filter appears only to the SAA.
Step 7: Identify accounts with identifiers. Select TRACE MPID, EQUITY MPID or MSRB identifiers to see accounts that have a given identifier assigned to them.
NOTE: Only those identifiers that are assigned to the SAA/AA will be displayed.
Section 6: How To Create an Account
As an SAA or AA, you are responsible for managing the accounts of users at your organization.
Step 1: On the FINRA Account Management System landing page, select the Create New Account button in the right-hand corner.
Step 2: A new screen will open and display the Create Account form followed by a section to create/generate user credentials. First complete the Create Account section by entering the name, email address, phone number and other attributes related to the account owner.
Step 3: Next, create a new user ID for the account in the User Credentials section.
Step 4: When the User ID is generated, the Create Draft button will be enabled. When the administrator clicks the Create Draft button, the account will be created as a Draft account until it is activated.
Draft accounts can be created up to 30 days in advance and be available for 30 days for you to assign the required entitlements. The user who created the Draft account will receive periodic reminder emails to assign access and activate the account. After 30 days the Draft account will be deleted.
The account is currently in DRAFT status. At any time, filter on Draft Status to view all your Draft accounts. To activate the account, assign the required access and click ‘Activate Account’. The system requires at least one entitlement for the ‘Activate Account’ button to be enabled. Once activated, the account owner will receive 2 separate emails with their User ID and a link to activate their password.
With the account activation, the account Status will change to Active and the administrator can then modify/edit the account to update user information and/or add additional entitlements to the account.
NOTES:
- All fields marked with an asterisk (*) are required to create a new user account. To systematically generate a User ID, enter the user’s first and last names into the appropriate fields and click the Generate User ID hyperlink. .
- A newly activated account automatically defaults to an initial account status of Active, meaning the user can access the appropriate application as soon as they are provided with the user ID and password.
Step 5: To add entitlements to the newly created account, the administrator will select the Entitlement and Access Management tab at the top of the screen.
Step 6: To assign/unassign MPID (TRACE & EQUITY) & MSRB identifiers and the related entitlements that are assigned to an account, use the Org Identifiers and Related Entitlements section in the Entitlement and Access Management tab.
Step 7: Select Edit to assign/unassign MPIDs or an MSRB to an account
Step 8: The screen opens displaying the identifiers assigned to the accounts. You can check the boxes to add new identifiers and their related entitlements or uncheck to unassign the existing identifiers.
- If you are adding an identifier for the first time to the account, you need to select the related entitlements that appear below in the screen.
- If you are removing the identifiers related to an entitlement, you need to unselect the entitlements before hitting Save.
- When you select Save, you are assigning/unassigning the identifiers and the related entitlements.
NOTE: An AA can assign/unassign only those identifiers and related entitlements that they have administrative capabilities for. In some instances, the AA may not be able to see all the identifiers & related entitlements because the SAA has not assigned those to the AA.
Step 9: To assign/unassign entitlements that are assigned to an account through the Entitlements section in the Entitlement and Access Management tab, click on Edit Entitlements.
The application entitlements displayed in this section are those that are assigned to the account.
Step 10: To see the detailed entitlements that are assigned to an account, select Expand All on the right-hand corner of the Entitlements section. If you need to see entitlements assigned to an application entitlement, select the + symbol.
Step 11: To add/remove entitlements, you need to select Edit Entitlements, which will open a screen and allow you to update the entitlements. You can grant user entitlement for any privilege for which you are entitled as an Administrator. Selecting User allows the user access to a specific functionality of the applicable application needed to perform their job responsibilities.
As you are adding or removing entitlements, the shopping cart on the right-hand side of the screen is updated to provide an overview of the selected entitlements.
The application-level entitlements (e.g., Account Management) are referred as the parent entitlements, and the entitlements related to the features or functionality within an application (e.g., Change Password) are referred to as children entitlements.
Step 12: If you remove all children entitlements without deselecting the parent entitlement, you will receive a pop-up to confirm that you want to leave the parent entitlement for the account.
NOTE: If you are an administrator for other applications, the other applications and corresponding privileges will appear on this page. Each application has its own section within this screen.
Result: The new user account is now completed and ready.
Section 7: How To Import an Account
The ability to clone accounts has been enhanced and relabeled as the Import Entitlements feature. The purpose of this new feature is to import entitlements to a newly created account or to add entitlements to an existing account. You can import entitlements from multiple accounts as many times as required with this new feature.
The Import Entitlements feature saves time when you have several users at your organization who use the same applications and privileges. You can access an existing user’s account and import that user’s entitlements for each individual who requires the same applications and privileges. You can also add or modify any applications or privileges to the new user’s account during the import process.
Step 1: On the New Account Management landing page, search and select the account you want to import entitlements to. Refer to Section 5 on how to search an account.
Step 2: To import entitlements to the account, the administrator will select the Entitlement and Access Management tab at the top of the screen. Select Import Entitlements located in the Entitlements section of the page.
A screen will open with the ability to search for an account by name, user id or email to import entitlements from. This account must exist within the same organization.
Step 3: The entitlements and identifiers (MPIDs, MSRB) for the selected account will appear, and you can select additional entitlements or deselect the ones that are not required for the account by checking/unchecking the checkboxes.
Step 4: Select Import Entitlements at the bottom of the screen, and a pop-up will appear with the summary of entitlements selected for the account. Select Yes, and the entitlements will be added to the account.
NOTE: “Firm” and “Other” Organization classes do not have the ability to import entitlements to a File Transfer Protocol/Internet File Transfer (FTP/IFT) account. Only the FINRA Entitlement Group can create FTP/IFT accounts.
Section 8: How To Edit an Account
Step 1: Select the account you would like to view/edit from the search results by clicking on the User ID hyperlink.
Step 2: As an SAA/AA, you can update the following information for an account in your organization in the Summary section:
- Name
- Email Address
- Phone number
- Cell Phone
- Department
NOTE:
- An SAA cannot edit their own account (except for the phone numbers, title and department).
- An AA cannot edit their own account or another AA’s account. They need to contact the SAA.
Step 3: To modify entitlements, you need to select Edit Entitlements, which will open a screen and allow you to update the entitlements. You can grant user entitlement for any privilege for which you are entitled as an administrator. Selecting User allows the user access to a specific functionality of the applicable application needed to perform their job responsibilities.
As you are adding or removing entitlements, the shopping cart on the right-hand side of the screen is updated to provide an overview of the selected entitlements.
Section 9: How to Disable, Enable or Delete an Account
Step 1: Select the account you want to disable or delete. The following actions can be performed by an SAA/AA and are listed on the header:
- Disable – this option is appropriate if you would like to temporarily suspend access to the account.
- Enable – this option only appears if an account has been disabled by an administrator. (See the note below for accounts disabled by FINRA Admin.)
- Delete – this option is appropriate if the individual is no longer with the organization, does not need access to the Entitlement Platform or if there is a security issue.
NOTE:
- A SAA/AA cannot delete/disable their own account. An AA cannot delete/disable another AA’s account.
- Accounts disabled by FINRA Admin cannot be enabled by the SAA/AA. You are required to call the FINRA Support Center to enable your account.
IMPORTANT TIPS WHEN DELETING USER ACCOUNTS
- It is important not to delete a user in error because the user will lose access to all participating FINRA Entitlement applications.
- If you delete a user in error, create a new account for the user and entitle them to any applications and privileges they need.
If a user is entitled to more than one application (e.g., Web CRD, IARD, and FINRA Report Center) and they no longer need access to one of those applications, DO NOT delete the user’s account. The quickest way to remove all privileges for a specific application is to deselect the parent privilege. The system will then ask if you want to remove all child entitlements associated with the parent. Select Yes and the privileges for that application will be removed.
Section 10: How To Request an Account Details Report
The Account Details Report can be accessed in two (2) different ways:
- Admin page
- Reports page
Step 1: Selecting the Account Details Report link from either of the two options will open the Account Details Report. This report provides the capability to monitor your users and permissions on a periodic basis.
Note: The Account Details Report is available to both SAAs and AAs. The report is based on the SAA’s or AA’s entitlement and search criteria.
Once the report template is open, you can use the template tools to customize/download the report content. These tools are located in the top right corner: Columns, Filter, Group, Save and Export.
To view the entitlements per account from the report template, click the ⌄ symbol in the Entitlement Column next to the number of entitlements. The list of entitlements with their access level will appear. Click the ⌃ symbol to hide the entitlements.
Step 2: To customize the report, click the Columns icon in the top-right corner. A pop-up window will open with the list of All Columns and Selected Columns. To select a column, check the checkbox from the Column list and click the Apply button. To deselect a column, uncheck the checkbox from the Selected Column list and click the Apply button.
Step 3: To filter the report, click the Filter icon in the top-right corner. The filter feature allows you to filter the report based on certain data criteria. For example, If you would like to view the SAA account data on the report, you can filter by SAA Equals to Y and click the Apply Filter button. Once you have completed setting all your filters, click the Done button.
Step 4: To save the report, click the Save icon in the top-right corner. A pop-up window will appear. Type the title you would like to use in the Table Name field, and then click the Save button.
The report will be saved on the My Reports tab on the Reports Landing page.
Once you have saved the changes, the name of the template will change to the name you provided. The Account Details template will remain unchanged. The template you created will be available under My Reports on the Reports Landing page. Every time you open the template, it will contain the most up-to-date data available.
Step 5: To export the report, select the Export icon in the top-right corner. Currently, the report can be downloaded and exported in the CSV format.
Select what you would like to export and click the Export button.
When you select Export in the pop-up window, a message will appear that the file is being prepared for download.
Step 6: Select the View Downloads link in the message or click on the zip file in the Exports Ready for Download section.
Step 7: Choose how you would like to open the zip file.
Step 8: Open the exported Excel report file.
The report displays in a CSV file format.
Section 11: How To Review Accounts
As an SAA, you have several responsibilities:
- You are the sole authorizer and manager of access for all the accounts at your organization on the FINRA Entitlement Platform.
- You serve as the primary contact on all entitlement-related issues.
- You need to review accounts on a periodic basis to validate if access is still needed based on the individual’s job responsibilities.
- You are also required to certify all accounts annually for the FINRA Entitlement User Accounts Certification Process.
These are some best practices to keep in mind when reviewing accounts:
- Validate that each user has a continuing need to access FINRA application(s) on the organization’s behalf.
- Verify that each user is entitled only to the applications and privileges needed to perform current job responsibilities.
- Ensure that only users who require access to sensitive data (e.g., Criminal History Record Information, Social Security or tax identification numbers, dates of birth) are entitled to access this type of data.
- Review last login date for each user to determine frequency of use. If several months have gone by, question the user as to the need for continued access. See Section 11.2 for where to find the last login date.
11.1 Review Last Login Date on Search Card
Step 1: Use the Search Box to find an account. Type in the account owner’s user ID, name or email address. If you need an exact match, place quotes around the search text (e.g., “john smith”)
Step 2: From the individual search card, you will see the last login date on the right side of the entry. Review the last login date to validate that the individual’s account has been used recently or if months have gone by without the user logging on. If the last login date is months ago, ask the user about their access to determine if the account is still needed or should be removed. Note that FINRA considers accounts that are inactive for a designated period of time as dormant and deletes these accounts. See Section 16 on Dormant Accounts.
11.2 Review Last Login Dates on Account Details Report
Step 1: As the SAA, request the Account Details Report (see Section 10). In the report, you will see the last login date as one of your selected columns. Review the last login date to validate that the individual’s account has been used recently or if months have gone by without the user logging on. If the last login date is months ago, ask the user about their access to determine if the account is still needed or should be removed.
11.3 Review Account Status
Step 1: On the Main Search Page, review your user’s account statuses located on the left side of the Search Cards. Review to see if any of the accounts are Disabled, Password Lockout or Security Question Lockout and confirm with the user if the account is still needed or should be removed. If no longer needed, delete the account, if needed, update the account to the Active status.
Section 12: How To Reset a Password
If a user has problems logging in to their account, it may be because:
- They have forgotten the password or the password has expired.
- They have unsuccessfully entered their password more than five times in the past hour and have been locked out.
- They have unsuccessfully entered their security questions more than five times and have been locked out.
- They have been disabled intentionally, either by an Account Administrator or by the FINRA Entitlement Group.
As an SAA/AA, you can reset an account’s password and/or security questions through the Account Settings Credentials section.
Step 1: Select Reset Password in the Account Settings Credentials section.
Step 2: A Password Reset Dialog box is presented to the user, and upon confirmation, a password reset link will be sent to the email address associated with the account.
Password Information
See the Password Requirements page for a list of password parameters and features.
Password Security Information:
- All initial passwords require the user to create a new password with initial login.
- If their password has elapsed, a user will have to re-initiate the password reset process in order to receive a new link to change their password.
- A user can change their password at any time by clicking on the red dot in the upper right-hand corner, selecting My Account and clicking the Change Password link.
Result: The My Account: Personal Profile screen appears.
- Users who forget their password can click on the Forgot User ID or Password? link on the login screen to request a new password. The user will be prompted to enter their user ID, the email address associated with the account, and then answer a security question.
- Five incorrect password attempts within one hour will result in a locked account. The account will auto-unlock after one hour. Accounts can be unlocked sooner than one hour if users contact their SAA or AA. If it is an SAA account, they need to contact the FINRA Support Center.
- Users who have five incorrect security response attempts need to contact their SAA or AA for a reset; or if it is an SAA account, they need to contact the FINRA Support Center.
Section 13: How To Change the User Account Status
View and evaluate the user’s Account Status
Step 1: For a disabled account, click on the Action hyperlink and select Enable Account.
Status Legends/Symbols
Active | Active Account – able to access the FINRA Entitlement Platform Application privileges assigned. |
Disabled by Non-FINRA Account Administrator | Account that has been disabled by the SAA or AA at the organization. |
Disabled by FINRA Administrator | Account that has been disabled by a FINRA Entitlement Administrator. |
Password Lockout | Five incorrect password attempts within one hour will result in a locked account. The account will auto-unlock after one hour. Accounts can be unlocked sooner than one hour if users contact their SAA or AA. If it is an SAA account, they need to contact the FINRA Support Center. |
Security Questions Lockout | Five incorrect security response attempts need to contact their SAA or AA for a reset; or if it is an SAA account, they need to contact the FINRA Support Center. |
Delete | Access to this account has been removed permanently from the FINRA Entitlement Platform. |
Section 14: FINRA Security Questions Feature
The first time a user logs in to a FINRA Entitlement application/system (e.g., Web CRD, IARD), the user will be required to select three security questions and provide responses to each question. On subsequent logins, a user may be asked to provide the responses to the security questions they selected in order to further verify the user’s identity. This security feature is similar to those used by financial websites as an additional safeguard against unauthorized access.
Once users have saved their security information, they will be periodically presented with a security question. Or if they have not clicked the Remember this computer checkbox, they will be presented with a security question each time they login.
As the AA or SAA, you may need to assist your users if the following occurs:
- Five incorrect responses to security questions will lock their accounts. They will need to contact an SAA or AA.
- Five incorrect entries of their password will lock their account. They will need to contact an SAA or AA.
- View FINRA Entitlement Program Frequently Asked Questions for more information.
14.1: How to Reset Security Questions
Step 1. Select Change Security Questions in the My Profiles section.
Result: The Individual Information screen appears.
NOTE: An SAA/AA cannot reset the password/security questions for their own account. An AA cannot reset the password/security questions for another AA’s account.
14.2: How To Change Your Security Questions and Answers
Step 1: A user can change their security questions at any time by clicking on the red dot in the upper right hand corner, selecting My Account and clicking the Change Security Question link.
Result: The My Account: Personal Profile screen appears.
Step 2: Select Change Security Questions.
Result: The My Account: Security Questions screen appears.
Step 3: Change your security questions and answers as desired, then click Change Security Questions.
Section 15: How To Log Out
Step 1: A user can log out at any time by clicking on the red dot in the upper right-hand corner and selecting Sign Out.
The Logout Successful screen will display. To log back in, select the Click to Login Again button. Follow the prompts to log back in.
ADDITIONAL NOTES:
- When you log out, your browser could contain a memory of the account information viewed during your session. For added security, we recommend that you close your browser window.
- If you are inactive for 27 minutes, you will get a Session Timeout prompt. If you don’t select Stay, you will be logged off. If you select Stay, the clock will be reset.
Example of the 27-minute timeout prompt.
Section 16: Dormant Accounts
Accounts are considered dormant if they are not used for a defined period of time. For security reasons, FINRA deletes dormant accounts.
Although an SAA account should never go dormant based on an SAA’s responsibilities, if an SAA’s account is deleted due to dormancy, there is significant impact to the organization. All FINRA Entitlement Program user accounts for the organization will lose system access until another SAA account is recreated. To reestablish an SAA, the firm will need to contact FINRA.
As the SAA or AA, consider the following best practices to avoid dormant accounts:
- Perform periodic reviews to ensure individuals are using their accounts based on their job responsibilities (e.g., check last login date available for each account in Account Management) and question a user if several months have elapsed without use.
- Delete account(s) when the individual no longer requires access per their job responsibilities or is not using their account.
- Remember to log in periodically to prevent your account from going dormant.
Section 17: How To Manage Roles
Benefits of Roles:
- Roles allow an organization to more effectively manage entitlements by grouping entitlements by job functions, positions, or other areas of responsibilities that meet the needs of an organization.
- Roles provide an efficient way to assign access for users, as the admin no longer needs to select each entitlement for an account.
- Roles may offer more secure access as users performing the same job functions or responsibilities share the same level of access.
- Roles are customizable to maximize flexibility.
- Role Templates are available for certain types of organizations to use when creating their own Roles.
- Roles offer an easier way to review users’ access. In addition, Roles will display for annual account certification, which provides a more effective and efficient way to validate accounts.
Considerations When Using Roles:
- Roles are optional. Consider the number of users in your organization and the job functions and responsibilities they perform to determine how to best use Role functionality for your organization.
- Only SAAs are able to create Roles for their organizations.
- Roles can be classified as Admin Roles or User Roles, based on the privilege level selected for the entitlements.
- Roles in an organization cannot share the same name. When creating a Role, choose a name that best describes the Role.
- When creating Roles, add a description for each Role with enough detail to assist with account reviews and Role assignments.
- Consider creating a Role for access to sensitive data (e.g., Criminal History Record Information, Social Security numbers) and assign this Role to only those users that require this level of access.
- Role functionality does not support MPIDs and related entitlements so you cannot add to a Role. Use Account Management to assign MPID entitlement.
- Only Active Roles may be assigned to accounts. Incomplete (Roles that have no entitlements assigned and are active) and Deleted Roles (Roles that are not active) cannot be assigned.
- More than one Role may be assigned to an account.
- SAAs may grant their AAs with the ability to assign Roles to users. However, the AA must have Admin privileges to ALL entitlements the Role includes in order for the AA to be able to assign that Role to a user.
- SAAs may control which Roles an AA can assign based on whether the AA has Admin privileges to all entitlements of Roles.
- AAs with Role assignment functionality will be able to view all Roles in the organization even if the AA cannot assign all Roles.
- Before assigning a Role(s), verify that the users require access to all the applications and privileges in the Role to perform current job responsibilities. If not all access is required, consider modifying the Role or creating a new Role to assign to the users.
- A Role may be modified; however, modification will update all accounts that are assigned to that Role.
- If an SAA assigns an Admin Role to a user account, that user account will be converted to an Account Administrator (AA). If the SAA removes the Admin Role from an account, that account will revert to a user account.
- Delete a Role if obsolete.
- Role functionality works the same for both Firms and Regulators.
As a Super Account Administrator (SAA), you are able to:
- Create and manage Roles for your organization
- Assign and unassign Roles for your Account Administrators (AAs) and users
As an Account Administrator (AA), you are able to:
- Assign and unassign Roles for your users, if your SAA grants your account with the functionality for role assignment
17.1 How To Create Roles
Step 1: As the SAA, select Create Roles from the Admin landing page.
Step 2: Stage 1- Role Information
From the Create Role screen, enter the Role Information (i.e., Name and Description), and click Next.
- Role Name - This field is 50 characters and must be unique for each role. Choose a name that best describes the Role.
- Role description – This field is 250 characters. When creating Roles, add a description for each Role with enough detail to assist with account reviews and Role assignments.
The Next button will take you to the next step called Entitlements/Role Templates.
Step 3: Stage 2-Entitlements/Role Templates
From this screen, there may be two options available to create a Role for your organization:
- Option A -Import Entitlements from a Role Template To Create a New Role. FINRA creates Role Templates, which can be customized. This option is only available to specific types of organizations.
- Option B -Select Individual Entitlements to Create a New Role specific to your organization’s needs. This option is available to all organizations with Role functionality.
Option A - Select Import Entitlements from a Role Template to Create a New Role
This option is only available to specific types of organizations.
Step 1: Select a Role Template Created by FINRA
There are several Role Templates created by FINRA to help you create a Role. The Role Templates are focused on functional responsibilities of an organization.
Firm Role Templates Created by FINRA
Operations |
Registration |
Organization |
Regulator Role Templates Created by FINRA
Registration |
Query without SSN |
Query with SSN |
When selecting a Role Template to create a new Role, you can either use the Role Template with the entitlements that are listed in the template, or you can choose to customize the Role Template to best meet the needs of your organization.
Step 2: As shown in the example below, the Operations Role Template created by FINRA has been selected by a firm. You may either mark the All User box to indicate that you want all user privileges for this Role Template to be included, or you may customize the Role Template by marking only the specific user privileges based on the needs of your organization as shown below.
Note: As you are adding entitlements to the Role, the shopping cart on the right side of the screen will update to show you the entitlements that have been selected for the new Role. Click the Next button to take you to the next step called Review & Create Role.
Step 3: From the Review & Create Role step, you may continue to add entitlements to the new Role by clicking on Import More Entitlements From Role Templates or, to further customize the Role, select Add More Entitlements. At this time, you may edit the Role Name and Description. Also, write a Description that best explains the functional responsibilities of the Role to assist with account reviews and user assignments.
- Role Name - This field is 50 characters and must be unique for each role. Choose a name that best describes the Role.
- Role description – This field is 250 characters. When creating Roles, add a description for each Role with enough detail to assist with account reviews and Role assignments.
Once you complete your review of the Role and are satisfied with the entitlements, name and description, click Create Role. If the Role name matches an existing Role name, the system will produce an error and you will need to change the Role name. Once the Role is successfully created, it will be available to assign to accounts.
Type: User Role
Name: Compliance Role
Status: Active (Role available to assign)
Note: If you need to change the Role name, it must be done in the Review and Create Role step. Once the Role is created, the Role name cannot be changed.
Cancel Role Creation
If you decide not to create a Role, you can cancel the Role creation process by selecting Cancel, though you must cancel before you select “Create Role”.
Option B – Select Individual Entitlements to Create a New Role
Step 1: Stage 1- Role Information
From the Create Role screen, enter the Role Information (i.e., Name and Description), and click Next.
- Role Name - This field is 50 characters and must be unique for each role. Choose a name that best describes the Role.
- Role description – This field is 250 characters. When creating Roles, add a description for each Role with enough detail to assist with account reviews and Role assignments.
The Next button will take you to the next step called Select Individual Entitlements to Create Role.
Step 2: Stage 2-Entitlements/Role Templates
Select Individual Entitlements to Create Role for when the SAA wants to build a new Role and customize by marking specific entitlements that the Role requires.
When building a new Role for a user, the SAA will scroll through the entitlements and mark the specific user privileges that will be needed to fulfill the job responsibilities and functions of the Role. See the example shown below.
Click Next. The Next button will take you to the next step called Review & Create Role.
Step 3: From the Review & Create Role step, you may continue to add user entitlements to the new Role by clicking on Import More Entitlements From Role Templates or to further customize the Role, select Add More Entitlements. At this time, you may edit the Role Name and Description. The system will prevent you from using a Role Name that already exists for your organization. Also, write a Description that best explains the functional responsibilities of the Role to assist with account reviews and user assignments. Once you complete your review of the Role and are satisfied with the entitlements, name and description, click Create Role. This Role will now be available to assign to accounts.
Type: User Role
Name: Operations Specialist
Status: Active (Role available to assign)
Creating Roles for Account Administrators (AAs)
When creating Roles for AAs, follow the same process as when creating User Roles, except mark Admin for the specific privileges required, and mark the specific user privileges that the Admin Role needs.
Role Types
User Role- A User Role is comprised of entitlements that have a User privilege level. A User Role is required by a user in your organization to access systems and/or functions related to a specific system to perform a task related to their job function.
Admin Role – An Admin Role is comprised of Admin level privileges for the entitlements assigned to the Role. An Admin Role can be assigned to Account Administrators (AA), who in turn can assign the Role to other users in their organization.
Both User & Admin Role –A User & Admin Role is comprised of both Admin & User level privileges for the entitlements assigned to the Role. An Admin Role can be assigned to Account Administrators (AA), who in turn can assign the Role to other users in their organization as well as access FINRA systems and/or functions related to a specific system, as per the user entitlements that are included in the Role.
17.2 How To Assign Roles
This section explains Role assignment.
- The SAA has the ability to assign Admin and User Roles.
- An AA that is granted Assign Roles by the SAA can assign Roles to Users. AAs will only be able to assign a Role when they have Admin access to all privileges in the Role.
There are 2 ways for a SAA to assign a Role to an Admin or user:
- Option A – Assign the Role through the Role (Create a Role/Search for a Role)
- Option B – Assign the Role from an individual user’s or AA’s Account
Option A – Assign the Role through the Create Role Functionality
Step 1: Once the SAA creates a Role, the Role may be assigned to users that require the Role. You can assign Roles using the Create Role functionality. Select the Users tab and click the Assign box to assign a Role. In the example below, the Compliance Role will be assigned to a user account that is called Non-Admin User.
When assigning Roles, if you assign a user account to an Admin Role, the user account will be converted to an Account Administrator (AA) with that Role. If that is not your intent, remove the AA Role to revert the account to a user with the entitlement the account previously had prior to the Role assignment.
Step 2: Once the Role has been assigned, search for user’s account, click on the Entitlement and Access Management tab and click on Roles to see the account with the assigned organization’s Role.
Option B- Assign the Role from a User or AA account.
Step 1: From the Admin landing page, select Search Accounts.
Step 2: Use the Search box to find the account. Select the account and click on the user ID.
Step 3: Select Entitlement and Access Management, then click Roles.
Step 4: From the Roles section, you have the option to assign Role(s) that the SAA created. Both Admin (AA) Roles and User Roles are listed as categories for the types of Roles that may be created, though the category will only show the Roles if the SAA has created any. For example, as the AA, if no AA Roles have been assigned and you are presented with the Edit Admin Roles Link, you will be able to assign an Admin Role. Choose the Role category based on the Role you want to assign.
The ability to Edit a Role will only display if the functionality is permissible to the AA.
- Edit Admin Roles link: assign/unassign Admin Role
- Edit User Roles link: assign/unassign User Role
When assigning Roles, if you assign a user account to an Admin Role, the user account will become an AA with that Role. If that is not your intent, remove the AA Role to revert the account to a user with the entitlement the account previously had prior to the Role assignment.
17.3 How To Search Roles
Step 1: As the SAA, select Search Roles from the Admin landing page.
Step 2: From the Search Role screen, you can do the following:
- Create a new Role
- Click on an existing Role to view, add, or delete entitlements
- Click on an existing Role to delete the Role
- Use the filters to search for specific Role characteristics (e.g., Active, Deleted, Role Type, Entitlements)
- View accounts that are already associated with a specific Role from the corresponding Actions link on the right side. If there are no accounts associated with the Role, Action link displays “No Action Available”
Review Role Icon Definitions
Active Role available to assign Delete Role is no longer available to assign Incomplete Role with no Entitlements
Once Search Roles has been selected from the Admin landing page, the Roles screen will appear and default to all Active Roles. If there are no Roles created for your organization, there will be ‘0’ results displayed.
Filters for Search Roles:
The Search page has the following filters to assist you in searching for a Role:
- Role Status
- Active – By default
- Deleted – All the Roles that have been deleted
Role Type
- User – identify all Roles that have only User entitlements
- Admin – identify Roles that have Admin only or User/Admin entitlements
- Incomplete – identify Roles that do not have entitlements assigned to them
Entitlements:
Search for Roles based on the entitlement(s) assigned to the Role. For example, identify the Roles that have CRD entitlement with User privilege.
Select entitlements
- A pop up opens
- Type in CRD in the search bar
- Select Next on the search results
- When you see CRD entitlement, select User privilege
- Click Save
- Role Status
All Roles with CRD User entitlement will be displayed in the Search results.
Each Search result displays the following information about the Role:
- Role Name – Unique name assigned to a Role
- Role Type – Admin, User or Incomplete
- Updated Date – Date the Role was last updated/modified
- Description – Details to assist with account reviews and Role assignments
- Actions:
- View Assigned Accounts – This action enables the SAA to view all the accounts assigned to the Role. When selected, Account Management application will open in a new tab, with the Role filters selected, so that you can see the individual accounts that have been assigned to the Role.
- Other Features in Search Roles:
- Sorting – By default the Roles are sorted based on relevance (e.g., Usefulness). However, as a user you can select how you want to sort the search results. The options for sorting are:
- Most Relevant
- Updated Date
- Role Name
- Role Type
- Org Class
- Saved Views – As a user you can select certain filters and then save that filter criteria for future use
- Search bar –The search bar allows you to search for a Role by Role Name. If you want an exact match of the Role, you need to include quotes to the search text (e.g. “Compliance Analyst”). If you do not know the name of the Role, use the following %Compl% and it will give you a list of possible matches.
- Sorting – By default the Roles are sorted based on relevance (e.g., Usefulness). However, as a user you can select how you want to sort the search results. The options for sorting are:
17.4 How To Edit Roles
Step 1: As the SAA, select Search Roles from the Admin landing page.
Step 2: Click on the Role Name to open the Role information.
Step 3: To Edit the Role, click the Import Entitlements from another Role or Edit Entitlements to add addition privileges.
Step 4: Import or mark the additional entitlements and click Save. The Role will be updated and accounts with this Role will have their entitlement updated.
As entitlements are added or removed, any accounts assigned to the Role will be impacted with the Role change.
17.5 How To Delete Roles
Step 1: As the SAA, select Search Roles from the Admin landing page.
Step 2: Click on the Role Name to open the Role information.
Step 3: To Delete the Role, click the Delete icon.
Step 4: A pop up will open and if the Role has assigned users, the following message will display.
- Click View Assigned Accounts and unassign all accounts from that Role.
- From each account displayed from clicking on the ‘View Assigned Accounts’ message, click on the User ID hyperlink.
Select Entitlement and Access Management, then click Roles to unassign the selected Role by clicking on the ‘x’ next to the selected Role.
Step 5: Once all accounts have been unassigned from the Role, select Search Role from the Admin landing page (Step 1), click on the Role name to delete, click the Delete icon and provide a reason for deleting the Role.
17.6 How To Provide the AA With the Ability To Assign Roles
Step 1: If an SAA wants their AAs to assign Roles to other users, the SAA needs to assign the AA account with the Assign Roles -User privilege. The AA must have Admin privileges to ALL entitlements within the Role in order for the AA to be able to assign the Role to other user accounts. AAs with Role assignment functionality will be able to view all Roles in the organization even if the AA cannot assign all Roles.
From the Search Account screen, use the search box to find the AA account. Type in the account owner’s user ID, name, or email address. If you need an exact match, place quotes around the search text (e.g., “john smith”). Click on the Account User ID.
Step 2: As the SAA, to add the Assign Roles privilege to the AA, select Edit Entitlements, which opens a screen and allows you to update the entitlements.
Step 3: Select User access for the Assign Roles privilege to allow the AA the ability to assign Roles to users. Inform the AA that the ability to assign Roles has been granted. If an AA indicates that a specific Role cannot be assigned, verify that the AA account has Admin privileges to all entitlements of the Role.
Section 18: User Accounts Certification
FINRA's Entitlement User Accounts Certification requires all organizations to review and validate their users’ access each year. During this period, SAAs for firms with more than one user and/or administrator account must certify that authorized users are entitled to only those privileges/roles necessary to perform their job responsibilities on the FINRA Entitlement Platform. If an individual no longer requires access, SAAs must immediately remove the entitlement(s) or delete the account.
Organizations with only an SAA account and no other users or administrators have the option to certify, though are not required, unless the firm has access to the Consolidated Audit Trail (CAT). Firms with one or more accounts with access to CAT must certify.
18.1: SAA Certification Roles and Responsibilities
- Manage all accounts at your organization that require access to the FINRA Entitlement Platform and assign only the entitlements required to perform job responsibilities.
- Monitor periodically all accounts to determine continued need for access.
- Review and certify each year all accounts by the due date.
- Disable an account immediately if you suspect an information security issue.
- Delete an account immediately when the individual is no longer with the organization or no longer requires access.
Best practices when reviewing accounts:
- Verify that each user is entitled only to the applications, roles and privileges needed to perform current job responsibilities.
- Ensure that only users who require access to sensitive data (e.g., Criminal History Record Information, Social Security numbers) are entitled to access this type of data.
- Monitor accounts on a periodic basis by using the Account Details Report.
- Using the Export report function, save report and share with managers and others in your organization who are most familiar with job responsibilities to assist with validating access.
- Review last login date for each user to determine frequency of use. If there is elapsed time from last use that seems unusual, question the user as to the need for continued access. See Section 11.2 for where to find the last login date.
- Certify your users on the same day you download the Accounts Certification Report to prevent having to perform a subsequent review of your users as the entitlement data may have changed since the download was requested.
18.2: Consequences for Failing to Certify
If an organization that is required to certify does not certify by the published due date, Account Management functions will be disabled for the SAA and all Account Administrators and will remain disabled until the SAA completes certification.
In addition, failure to certify will result in the suspension of all accounts in the organization. To regain access and full system functionality, the SAA will need to contact the FINRA Entitlement Group and complete certification.
FINRA will take action to ensure compliance with the process, and other regulators may follow up for failing to comply.
See Section 18.4 – Certification: Past Due for more information.
18.3: How to Complete User Accounts Certification
Step 1: As the SAA, from the Admin landing page, view the FINRA Entitlement User Accounts Certification banner, which appears with the start of the Certification Period, and click Start Certification to begin.
Step 2: Review the FINRA User Account Certification Instructions and proceed with your review of your organization’s accounts. Accounts display in the Accounts Certification Report at the bottom of the screen.
Note: The Accounts Certification Report defaults to displaying the filtered list of user accounts that have not been deleted in your organization. If you want to include Deleted accounts in your review, you will need to remove the Delete (Yes/No) Filter.
To customize/export report content, use the customizing tools located in the top right corner of the report template: Columns, Filter, Group, and Export.
- Columns – choose which fields you want to display in the report.
- Filter – narrow down your results by providing a value for any available field.
- Group – arrange the data into groups by choosing any available field as the ‘Group By’ field.
- Export – export your report to a .csv file with the final report criteria you have chosen.
Step 3: To view each account’s Roles, Entitlements Outside of a Role, and All Entitlements in the report, click the ⌄ symbol next to the number in the appropriate column to see the details. See information below for more information about each column. Click the ⌃ symbol to hide the details.
- Viewing Number of Roles Assigned to Accounts Column
- Click on the ⌄ symbol next to the number in the Number of Roles Assigned to Accounts Column, to view the names of the Role(s) assigned to the account, if any. To review the access the Role includes, click on the Role link to see the Role entitlements from the Search Roles screen.
- Viewing Individual Entitlements Assigned to Account Outside of Role Column
- Click on the ⌄ symbol next to the number in the Individual Entitlements Assigned to Account Outside of Role Column to view the list of entitlements (privileges) that have been granted to the account and which are not associated with a role. In addition, the level of access, User or Admin, shows for each entitlement.
- Viewing All Entitlements Assigned to Account Column
- Click on the ⌄ symbol next to the number in the All Entitlements Assigned to Account Column to see a complete list of all entitlements (roles and entitlements outside of roles) assigned to the account and the level of access, User or Admin, for each entitlement.
Step 4: To customize the columns displayed in the report, click the Columns icon. A pop-up window will open with the list of All Columns and Selected Columns. To select a column field, mark the checkbox from the Column list and click the Apply button. To deselect a column field, unmark the checkbox from the Selected Column list and click the Apply button. Select “Clear All” to remove the customized fields.
Step 5: To narrow your search, click the Filter icon. This feature allows you to filter the report based on certain data criteria. For example, if you would like to view the SAA account information on the report, filter by selecting “Y” for SAA Equals and click the Apply Filter button. Once you have completed setting all of your filters, click the Done button.
Step 6: To arrange the data into groups, click on the Groups Icon. Choose the field(s) for how you want the data to be organized for your review. Once you have completed setting all your Groups, click the Apply button.
Applying Multiple Groups
To further define your report, you can use the Group tool to organize individuals into several groupings. For example, if you want to know the Roles and Entitlements Outside of a Role, you can use the Group tool to select these group tags so that the information in the report displays with this information. Note that the group tag you apply first will be the initial grouping in the results. You will need to click another group tag (e.g., Entitlement Name) to see the next grouping, and so on. That is why each grouping is indented under the initial group. You can drag and drop to rearrange the grouping order. Once you are complete arranging your group tags, click the Apply button.
When you apply the groups, a box appears with a count of the number of groupings selected.
Modifying Applied Group Settings, click Add Group to edit your group settings. You can add or remove groups and drag and drop to rearrange the group order.
Step 7: To export your report to a .csv file with the final report options you have chosen, click on the Export Icon. Select the type of Exported Report you would like to export and click the Export button.
- Quick Export
- Advanced Export
Note: FINRA recommends that you certify your users on the same day you request the download to prevent having to perform a subsequent review of your users as the entitlement data may have changed since the download was requested.
Quick Export (default)
The Quick Export will display the data selected from the customization tools with only the numbers displayed for the Individual Entitlements Assigned to Account Outside of Role, All Entitlements Assigned to Account, and Number of Roles Assigned to Account per account.
Advanced Export
Only one sub-table, as shown below, can be exported when Advanced Export is selected.
- Report sub-table #1– Individual Entitlements Assigned to Account Outside of Role
- The export will display the data selected from the customization tools with a listing of all Entitlements Outside the Role(s) and if the account owner has User or Admin access.
- Report sub-table #2 – All Entitlements Assigned to Account
- The export will display the data selected from the customization tools with a listing of all entitlements within a Role(s) and Outside the Role(s) and if the account owner has User or Admin access.
- Report sub-table #3 – Number of Roles Assigned to Accounts
- The export will display the data selected from the customization tools with the number of Roles per account. If you need to review the content of the Role, click on the Role link to review the Role entitlements from the Search Roles screen.
Step 8: Once export selections have been made, a message will display to click on ‘View Downloads’ which will take you to the Reports landing page.
From the Reports landing page, there is a section for Exports Ready for Download in the right margin. Files that are being prepared for export will appear in grey text. When the file is ready to download, it will appear as a blue hyperlink.
Step 9: The file will download as a zip file. Click to unzip the file. If more than one file is ready for download, the files will be sorted by descending order with the newest file at the top of the list.
Step 10: Open Accounts Certification Report. Review content and determine if any changes are required. Save this report and share with other individuals within your organization to confirm individual’s entitlement, including access to applications, roles, entitlements (privileges), and access to sensitive data are appropriate for job responsibilities and that the last login date indicates continued access is required.
Step 11: Once you review, update if required, and verify information for all accounts, click ‘Certify Users’ to complete certification for your organization.
Step 12: Review the Terms and Conditions and click ‘I Agree’.
The system will display a ‘Successfully Completed’ banner and you will receive a confirmation email.
Email Confirmation
18.4 Certification: Past Due
If an organization does not complete the User Accounts Certification by the due date, the certification status will change to Past Due. The Past Due banner informs the SAA of the Account Management functions that are disabled and these functions are no longer available for selection until certification is completed.
‘The 2022 FINRA Entitlement User Accounts Certification Period has ended and your organization did not certify your user accounts as required. The capability to create accounts, create and assign roles, edit and import entitlements to accounts within your organization has been disabled and will remain disabled for all administrators until you, as the SAA, complete the certification process. For security purposes, administrators may continue to delete or disable accounts. In addition, failure to certify will include reassessment by the appropriate regulator and the suspension of all of your organization’s FINRA Entitlement accounts.’
Account Management Functions Disabled
SAA and AAs of organizations that failed to certify by the due date will not be able to perform the following Account Management functions:
- Create accounts
- Edit account description (name, email, title, dept, phone etc.)
- Edit Entitlements
- Edit Org identifiers
- Assign/Unassign roles
- Edit Account Access
- Import Entitlements
Role Management Functions Disabled
SAAs of organizations that failed to certify by the due date will not be able to perform the following Role Management functions:
- Create roles
- Edit role description
- Add entitlements
- Import entitlements
- Assign roles
- Unassign Roles
- Delete Roles
How to Certify Post Due Date
Step 1: As the SAA, from the Admin landing page, view the FINRA Entitlement User Accounts Certification Past Due banner and click Start Certification to begin (see 18.3 How to Complete User Accounts Certification).
Once the Certification process has been submitted, all Account Management and Role Management functions will be restored.
If you need assistance or have questions, use the Contact Us/Need Help? Section.