Try 10 focused Series 26 questions on Compliance and Business Processes, with explanations, then continue with the full Securities Prep practice test.
Series 26 Compliance and Business Processes questions help you isolate one part of the FINRA outline before returning to a mixed practice test. The questions below are original Securities Prep practice items aligned to this topic and are not copied from any exam sponsor.
| Item | Detail |
|---|---|
| Exam | FINRA Series 26 |
| Official topic | Function 3 — Oversees Compliance and Business Processes of the Broker-Dealer and its Offices |
| Blueprint weighting | 41% |
| Questions on this page | 10 |
Your firm’s annual supervisory control testing (covering mutual funds and variable annuities) found that 12 of 40 variable annuity replacements in two branches had evidence of principal review, but the approval timestamp and documentation were missing from the electronic workflow. The independent AML test also noted that the CIP exception log was not being reviewed and signed off as required by the firm’s WSPs. The audit committee requires a written remediation plan within 30 days, and a FINRA exam is scheduled in 60 days.
What is the BEST supervisory action to address the findings and track them to closure?
Best answer: C
Explanation: Audit findings should be logged, assigned, remediated with interim controls, and independently validated/retested with evidence before being closed and reported up.
Annual testing and independent reviews are meant to produce documented remediation that is tracked through completion, not informal fixes. The best response is to place each finding into a centralized issue-tracking process with clear accountability, deadlines, and interim risk reduction. Closure should occur only after the firm documents implementation and validates effectiveness (often via retesting) and reports status to appropriate governance.
For Series 26 purposes, the key concept is that annual testing/independent reviews (e.g., supervisory control testing and independent AML testing) create “findings” that must be managed like formal exceptions: documented, risk-ranked, assigned, remediated, and verified before being closed. Here, the risks are (1) supervision evidence gaps for variable annuity replacements and (2) failure to perform a required CIP exception-log review control.
A sound tracking-to-closure approach typically includes:
Updating documents or collecting attestations can be components of remediation, but they are not a substitute for documented validation and formal closure criteria.
Which statement is most accurate regarding SIPC coverage and FDIC deposit insurance?
Best answer: A
Explanation: SIPC is a broker-dealer liquidation backstop for customer property, while FDIC insurance covers bank deposits and neither insures investment performance.
SIPC coverage is designed to help customers recover missing securities and certain cash when a broker-dealer fails financially and customer property is unavailable. It is not a guarantee against market fluctuation or unsuitable recommendations. FDIC insurance is separate and generally applies to deposits at FDIC-insured banks, not securities positions at broker-dealers.
SIPC is a protection program tied to a broker-dealer’s failure (for example, insolvency or liquidation) and focuses on returning customer property—securities and certain cash that should be in the customer’s brokerage account. SIPC does not insure investment results, so it does not cover losses from market movement, poor performance, or a recommendation that turns out badly.
FDIC deposit insurance is a banking protection that applies to covered deposit products (such as checking or savings) at FDIC-insured banks. A key supervisory distinction is that securities products held at a broker-dealer are not converted into “insured deposits” simply because they appear on an account statement; the applicable protection depends on where the asset is held and what type of product it is.
The best statement correctly separates broker-dealer failure protection from bank deposit insurance.
A registered representative forwards an email from an existing customer requesting that her mutual fund account registration be changed from “Jane Smith (individual)” to “Jane Smith, Trustee of the Smith Family Trust.” No trade is requested. As the Series 26 principal, which action best aligns with durable supervisory standards for approving and documenting account name/designation changes?
Best answer: A
Explanation: A material registration change should be supported by signed customer authorization and entity/trust evidence, reviewed/approved by a supervisor, and preserved to protect record integrity.
Changing an account’s registration (including adding a trustee capacity) is a material account-maintenance event that must be controlled like a records change, not treated as a routine service request. Strong controls include written customer authorization, documentation supporting the new registration, supervisory review/approval, and clear record retention to protect the customer and the firm’s books and records.
Account name or designation changes can alter ownership, authority, and who can transact, so firms typically require documentation that both (1) authorizes the change and (2) supports the legal capacity reflected in the new registration. For a trust registration, that means obtaining a properly executed firm form (or new account documentation as required by WSPs) and acceptable trust evidence (e.g., certification/extract or other trust documentation the firm accepts), then having an appropriately authorized supervisor/principal approve the change and ensuring the documentation is retained in the account records. Email or verbal confirmations may help corroborate intent, but they generally do not replace the firm’s required signed documentation and supervisory authorization for a material registration change. The key takeaway is to prioritize record integrity and customer protection through documented authority and principal approval.
During an OSJ inspection, a principal finds 12 retail accounts coded “hold mail” for 9–18 months. The branch kept statements and trade confirmations in a file cabinet, but there are no written customer instructions, no principal approval records, and no log showing customer pickup. The firm’s WSPs require written hold-mail requests, time limits, and periodic customer contact to confirm the address.
If this control failure continues, what is the most likely outcome?
Best answer: C
Explanation: Extended hold-mail without written authorization, documentation, and follow-up is a supervision and records control failure that can harm customers and draw regulatory findings.
“Hold mail” is permitted only with appropriate customer instructions and supervisory controls that prevent concealment of activity and ensure customers receive required disclosures. Keeping statements and confirmations without written authorization, time limits, and pickup/verification records creates both customer-harm risk and a clear supervision/recordkeeping deficiency. The likely consequence is an examination finding and the need for prompt remediation and investigation of impacted accounts.
Holding customer mail is a controlled exception to normal delivery, not a substitute for required disclosures or a way to avoid address verification. When accounts are coded “hold mail” for long periods without written customer direction, principal approval, and evidence of delivery/pickup or periodic address confirmation, it creates red flags (e.g., concealing trading, preventing customers from reviewing confirmations and statements) and undermines the firm’s ability to demonstrate it met delivery and supervision obligations.
A principal would typically need to:
The expected outcome is regulatory exposure for inadequate supervisory controls and deficient documentation, plus potential customer remediation if harm occurred.
A customer emails the OSJ a written complaint alleging they were overcharged on a Class A mutual fund purchase because a breakpoint was not applied. The firm agrees and will refund the difference.
Exhibit: Transaction and breakpoint schedule (front-end sales charge applied to the amount invested)
Which record set best meets customer complaint recordkeeping expectations for closing this matter?
Best answer: A
Explanation: Firms should retain the written complaint plus documentation of investigation, resolution, and supervisory review, including the correct $625 remediation calculation.
Written customer complaints require a complaint file that shows what was received, what the firm did, and principal oversight of the resolution. Here, the overcharge is the 1.25% sales-charge difference on $50,000, which is $625. The complaint record should therefore include the complaint, supporting trade/breakpoint analysis, the remediation calculation/payment, and evidence of supervisory review/approval.
At a high level, complaint recordkeeping should allow a regulator to reconstruct the issue and the firm’s supervision: the original written complaint, the account/trade documents reviewed, the investigation and analysis performed, the firm’s response and remediation (if any), and evidence of principal review/approval.
Here the refund is the overcharge from applying 5.75% instead of 4.50%:
\[ \begin{aligned} \text{Difference} &= 5.75\% - 4.50\% = 1.25\% \\ \text{Refund} &= 0.0125 \times 50{,}000 = 625 \end{aligned} \]A complete file pairs the correct remediation amount with documentation of how the firm reached and approved that outcome.
You are the Series 26 principal reviewing the firm’s complaint log for completeness.
Exhibit: Complaint log entry (CRM)
Date received: Jan 8, 2026
Source: Email to servicing rep
Customer: Maria Lopez
Acct#: 82FJ-1147
Summary: "You moved my mutual fund from Class A to Class C to increase fees. Reverse it and refund the sales charge."
Associated person complained of: [blank]
Disposition/Resolution: [blank] (status = Open)
Which supervisory interpretation/action is best supported by the exhibit and FINRA complaint recordkeeping expectations?
Best answer: B
Explanation: An email alleging a grievance about an associated person’s activity is a written complaint and the record should capture the person complained of and the ultimate disposition.
A written customer complaint is any written statement (including email) alleging a grievance about the firm’s or an associated person’s activity. The exhibit alleges an improper share-class change to increase fees, so it must be captured as a written complaint. Complaint records should be complete enough to evidence what happened, who was involved, and how the firm resolved it.
FINRA expects firms to identify and retain records of written customer complaints—typically defined as any written (including electronic) communication from or on behalf of a customer that alleges a grievance involving the member or an associated person. The email in the exhibit alleges misconduct (“moved my mutual fund…to increase fees”), so it should be logged and handled as a written complaint.
A complaint record should capture, at a high level, the customer and account identifiers, when and how the complaint was received, the nature of the allegation, the associated person(s) involved (if any), and the firm’s disposition/resolution once completed. Here, key fields are blank (who is complained of and the disposition), so the principal should ensure the entry is completed and retained per the firm’s procedures.
Following the firm’s annual supervisory control testing and annual independent AML test, an audit report lists three control findings. The Series 26 principal must choose between two remediation processes.
Process 1: Enter each finding into a centralized issue log with a risk rating, assigned owner, target date, required evidence, and documented independent validation (retest) before closure.
Process 2: Email the report to department heads and mark items “closed” when a manager replies that the issue is resolved.
Which process best meets expectations for tracking audit/testing findings to closure?
Best answer: D
Explanation: A formal issue-tracking log with ownership, due dates, evidence, and independent validation supports controlled remediation to closure.
Firms are expected to treat annual testing/audit findings as formal issues that are owned, remediated, and verified before being closed. A centralized tracking mechanism with due dates and evidence supports accountability and management oversight. Requiring documented validation (retesting) before closure demonstrates the control gap was actually corrected.
Annual testing and audits (internal, external, or independent program tests) commonly generate findings that require a documented remediation process. At a high level, supervisors should be able to show a clear trail from each finding to a corrective action plan, implementation, and verification that the fix worked.
A strong “track-to-closure” process typically includes:
Relying only on business-line attestations without documented evidence and validation weakens accountability and makes it difficult to demonstrate effective remediation to regulators or senior management.
Which statement best describes the purpose of a firm’s supervisory control system (SCS) and how it differs from day-to-day supervision?
Best answer: B
Explanation: An SCS is designed to independently validate that supervisory procedures are working and to drive corrective action, rather than perform the daily review itself.
A supervisory control system is a higher-level control framework that evaluates whether a firm’s supervisory program is effective. It focuses on testing, verification, and identifying gaps for correction, rather than performing the day-to-day supervisory reviews of individual activity. This distinction is key to ensuring supervision is not only performed, but also independently assessed.
Day-to-day supervision is the ongoing, front-line oversight of associated persons’ activities (for example, reviewing transactions, communications, and suitability/Reg BI documentation) according to the firm’s WSPs. A supervisory control system (SCS) sits above that daily process and is designed to confirm the supervisory program itself is working as intended.
An effective SCS typically includes:
The key distinction is purpose: daily supervision monitors activity; the SCS evaluates and strengthens the supervision framework.
An OSJ principal reviews an operations exception ticket requesting an internal transfer due to death. The rep attached an obituary and asked Ops to re-register a customer’s mutual fund account from “John Hale TOD Maria Hale” into Maria Hale’s individual account and liquidate for ACH proceeds. No other documents are in the file.
What is the best next supervisory step in the proper sequence before Ops processes the re-registration?
Best answer: B
Explanation: A TOD transfer on death requires death proof and beneficiary claim documentation before the firm re-registers or distributes assets.
Before processing an internal transfer triggered by death, the principal must ensure required documentation is obtained and retained. For a TOD-registered account, the key control is verifying death and the beneficiary’s claim instructions before any re-registration, liquidation, or distribution occurs. An obituary alone is not sufficient evidence to retitle assets.
Internal transfers tied to life events must be supported by proper documentation before the firm changes registration or releases assets. When an account is registered “owner TOD beneficiary,” the transfer is typically non-probate, but the firm still must confirm the owner’s death and obtain a properly completed beneficiary/TOD claim package (and any required new/updated account paperwork) before re-registering, liquidating, or sending proceeds. A principal’s best next step is to stop processing until the death certificate and beneficiary claim instructions are received, reviewed for completeness, and imaged to the firm’s records. This prevents unauthorized distributions and creates an audit trail showing the basis for the registration change.
A broker-dealer’s surveillance system generates an AML alert for a mutual fund purchase pattern that appears inconsistent with the customer’s stated source of funds. After review, the AML analyst determines the activity is explained by a documented home sale and concludes no SAR is warranted. Which documentation element best matches proper closure of the AML alert?
Best answer: D
Explanation: A complete closure record documents why the alert was cleared, what support was reviewed, who approved, and what follow-up monitoring (if any) will occur.
Proper AML alert closure documentation should show a clear rationale tied to the activity, the key evidence reviewed, and appropriate supervisory/AML approval. It should also record any follow-up steps, such as enhanced monitoring parameters or review dates, when the risk assessment warrants ongoing oversight.
When an AML alert is closed as non-suspicious, the firm’s records should still demonstrate that the alert was reasonably investigated and dispositioned under the firm’s WSPs. At a high level, a complete closure file typically includes (1) a concise narrative explaining why the activity was or was not suspicious, (2) what information was reviewed (e.g., internal account history, KYC/source-of-funds details, and any corroborating documents), (3) who performed the review and who approved the disposition consistent with escalation requirements, and (4) any follow-up actions such as enhanced monitoring, risk rating changes, or a future review date. This supports defensible decisions and consistent supervision, even when the outcome is “no SAR.”
Use the Series 26 Practice Test page for the full Securities Prep route, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.
Use the Series 26 Cheat Sheet on SecuritiesMastery.com when you want a compact review before returning to the FINRA Series 26 Practice Test page.