Series 99: Broker-Dealer Operations

Try 10 focused Series 99 questions on Broker-Dealer Operations, with explanations, then continue with the full Securities Prep practice test.

Series 99 Broker-Dealer Operations questions help you isolate one part of the FINRA outline before returning to a mixed practice test. The questions below are original Securities Prep practice items aligned to this topic and are not copied from any exam sponsor.

Topic snapshot

Item                    Detail
Exam                    FINRA Series 99
Official topic          Function 1 — Knowledge Associated with the Securities Industry and Broker-Dealer Operations
Blueprint weighting     70%
Questions on this page  10

Sample questions

Question 1

A customer emails their registered representative asking to stop paper statements and confirmations and begin e-delivery to a new email address. The representative forwards the email to Operations and asks that the preference be changed today.

Which action best aligns with durable standards for establishing and maintaining customer delivery preferences (paper vs. e-delivery) while safeguarding NPI?

  • A. Email statements as PDFs to the new address without controls
  • B. Switch to e-delivery now and document consent later
  • C. Verify identity, obtain affirmative e-delivery consent, and retain evidence
  • D. Process the change based on the forwarded email request

Best answer: C

Explanation: E-delivery changes should be made only after authenticating the requester, capturing affirmative consent, and keeping a record of the authorization and the updated delivery instruction.

Changing statement/confirmation delivery is a customer instruction that must be authenticated and documented. Moving from paper to e-delivery should be based on the customer’s affirmative consent and recorded in the firm’s systems so the preference is reliably applied going forward. This also helps prevent misdirection of sensitive account information during account takeover attempts.

Paper vs. e-delivery preferences are not just a “service” change; they control where sensitive account information is delivered. Operations should follow WSPs to (1) authenticate the requester using approved methods, (2) capture affirmative consent to e-delivery (and the specific delivery destination), and (3) retain an auditable record of the authorization and the effective change in the system of record.

Common durable controls include using a secure client portal (or recorded line with required authentication), limiting changes based solely on unverified emails, and generating a confirmation/notification of the change per firm procedures. The key is record integrity plus protection of customer information so delivery preferences are established and maintained consistently and defensibly.

  • Relying on a forwarded email bypasses authentication and increases account-takeover and misdirection risk.
  • Making the change first and documenting later weakens record integrity and supervisory controls.
  • Sending statements as uncontrolled PDFs to a new email address risks exposing NPI and does not evidence affirmative consent.

Question 2

During an internal audit, Operations is asked to show evidence that a daily exception report control is being performed as described in the firm’s procedures.

Exhibit: WSP excerpt and control evidence (snapshot)

WSP: Trade Correction Exception Report (Daily)
- Ops generates report by 9:30 a.m.
- Supervisor reviews and initials the log.
- Evidence retained in Supervision folder for 3 years.

Control Log (week of Jan 6)
Date      Report saved?  Reviewed by (initials)
Jan 6     Yes            --
Jan 7     Yes            --
Jan 8     Yes            --

Based on the exhibit, which interpretation is best supported?

  • A. The firm lacks required books-and-records evidence that the supervisory control was performed as the WSP describes
  • B. Saving the report alone satisfies the WSP because the review can be presumed from generation
  • C. Because the reports were saved, the firm may delete the log and rely on system timestamps instead
  • D. The issue can be cured by adding supervisor initials later, since the reports were retained

Best answer: A

Explanation: The WSP requires a supervisor review documented in a retained log, but the log shows no reviewer initials despite reports being saved.

WSPs define the supervisory process and the required evidence a firm must keep to demonstrate the control occurred. Here, the WSP explicitly requires a supervisor to review and initial the log, and to retain that evidence. The log shows the reports were saved but provides no documented supervisory review, creating a books-and-records gap tied to the supervisory control.

Books and records are how a firm proves (to itself and to regulators) that its supervisory controls were actually executed, and WSPs specify what supervision must occur and what documentation must be retained. In the exhibit, the WSP requires three elements: generate the report, have a supervisor review and initial the log, and retain evidence in a designated folder. The control log is the firm’s record of performance of that supervisory step; because the “Reviewed by” field is blank for all listed dates, the firm cannot demonstrate that the required supervisory review occurred, even though the reports were saved. The key takeaway is that a control is not just the task—it is also the contemporaneous, retained record that evidences it per the WSP.

  • Presuming review from report generation ignores that the WSP requires documented supervisory sign-off.
  • Adding initials later is not supported by the exhibit and undermines the control’s evidentiary value.
  • Replacing the log with system timestamps conflicts with the WSP’s specified evidence (a supervisor-initialed log).

Question 3

An operations associate is comparing two inbound transfer requests:

  • Request 1: A customer wants to transfer a Roth IRA from another broker-dealer that is an ACATS participant (like registration, no account changes).
  • Request 2: A customer wants to move assets from an employer-sponsored 401(k) held at a plan recordkeeper to a new IRA at the firm.

Which workflow pairing is most appropriate?

  • A. Use ACATS for the Roth IRA; use a direct rollover (non-ACATS) process for the 401(k)
  • B. Use ACATS for both requests because both are retirement accounts
  • C. Use a non-ACATS process for the Roth IRA; use ACATS for the 401(k)
  • D. Use a non-ACATS process for both requests because retirement accounts require special handling

Best answer: A

Explanation: IRAs at ACATS-participating broker-dealers are typically transferable via ACATS, while 401(k) plan rollovers from recordkeepers require non-ACATS rollover handling.

ACATS is the standard automated transfer process between ACATS-participating broker-dealers for eligible account types, including like-registered IRA-to-IRA transfers. A 401(k) is an employer plan at a plan administrator/recordkeeper, not a brokerage account at a delivering ACATS firm, so it is handled as a direct rollover using non-ACATS documentation and delivery of cash/securities.

The decisive differentiator is who holds the delivering account and whether the account is an ACATS-eligible brokerage account. A Roth IRA maintained at a broker-dealer that participates in ACATS is generally eligible for an ACATS transfer when the registration is like-for-like and no ownership changes are requested. By contrast, an employer-sponsored 401(k) is a retirement plan administered by a plan recordkeeper (not a delivering broker-dealer brokerage account), so the movement into an IRA is processed as a direct rollover outside of ACATS.

Operationally, this usually means:

  • IRA-to-IRA at another BD: submit an ACATS transfer (full or partial) and track through ACATS statuses.
  • 401(k)-to-IRA: obtain plan rollover paperwork/acceptance and receive assets via check/wire or other allowed delivery method.

The key takeaway is that “retirement account” alone does not determine ACATS eligibility; the delivering platform and account type do.

  • The option claiming both requests can use ACATS overlooks that a 401(k) recordkeeper rollover is not an ACATS brokerage-to-brokerage transfer.
  • The option reversing the workflows misidentifies the ACATS-eligible delivering account (the Roth IRA at a BD).
  • The option claiming both must be non-ACATS overgeneralizes “special handling” and ignores that many IRA transfers are routinely processed through ACATS.

Question 4

An operations associate receives an internal ticket from a trader: “Please reissue today’s customer confirmation for the ABC Corp bond trade as agency (not principal) and remove the markup disclosure. Customer called and is upset.” The original confirmation shows: 50 bonds, price 101.250, capacity = principal, settlement date, and a disclosed markup with a total net amount.

What is the primary operational risk/red flag that should drive the next control step?

  • A. Increased settlement fail risk due to mismatched SSIs
  • B. Customer privacy breach from discussing the complaint internally
  • C. Potential record falsification/inaccurate confirmation details
  • D. CIP deficiency because bonds require new identity verification

Best answer: C

Explanation: Changing capacity and removing disclosed remuneration would make the confirmation inconsistent with the executed trade and could evidence an improper attempt to alter required transaction details.

Trade confirmations are books-and-records evidence of what was executed, including security, quantity, price, capacity (principal/agent), remuneration (commission/markup/markdown), and net amount. A request to reissue a confirmation to change capacity and remove markup disclosure is a red flag for altering transaction facts rather than processing a legitimate correction. The appropriate control is to investigate and reconcile to the trade record before any reissue.

A customer confirmation is intended to memorialize the actual transaction terms and the firm’s role in the trade. Key confirmation fields such as security identifier, trade/settlement dates, quantity, price (or yield), capacity (principal vs. agent), disclosed remuneration (commission/markup/markdown), and the net amount collectively evidence what the customer agreed to and what the firm did. When someone asks operations to change capacity and remove a markup disclosure solely because a customer is upset, the primary red flag is that the confirmation (and potentially the firm’s records) may be improperly altered to misstate the transaction. The control response is to compare the request to the order/execution record and the firm’s trade blotter, follow formal correction/rebill procedures, and escalate per WSPs if the requested change is not supported by the underlying trade.

  • Settlement instructions are not evidenced by a retail confirmation and wouldn’t be addressed by changing capacity/markup language.
  • Internal escalation of a customer complaint is generally appropriate; the issue here is accuracy of transaction details, not disclosure of NPI.
  • CIP is an account-opening control and is not triggered by a request to restate capacity and remuneration on an existing trade confirmation.

Question 5

Which statement best describes a riskless principal transaction and how it affects capacity reporting and customer disclosure?

  • A. Offsets same-day buy/sell; report principal; disclose markup/markdown
  • B. Matches customer to customer; report agency; disclose commission
  • C. Routes order to market; report agency; disclose markup/markdown
  • D. Sells from firm inventory; report principal; disclose commission

Best answer: A

Explanation: In riskless principal, the firm fills the customer order with an offsetting trade and reports principal capacity while disclosing compensation as a markup/markdown (not a commission).

Riskless principal means the firm executes an offsetting market trade to fill the customer order and does not take meaningful market risk. Even though the firm is “flat” economically, the trade is reported in principal capacity. On the customer confirmation, the firm discloses it acted as riskless principal and shows compensation as a markup/markdown rather than a commission.

Trading capacity describes whether the broker-dealer acted as an agent for the customer or as a counterparty to the customer. In a riskless principal transaction, the firm executes an offsetting purchase or sale to fill the customer order (typically contemporaneously) and is economically neutral, but it still acts as the customer’s counterparty.

Operationally this drives two key outputs:

  • Trade reporting/capacity: the firm reports the transaction as principal (often with a riskless principal indicator where applicable).
  • Customer disclosure: the confirmation must accurately state capacity and reflect remuneration appropriately—commission for agency trades versus markup/markdown (or similar principal remuneration) for principal/riskless principal trades.

The common pitfall is treating “no market risk” as “agency,” even though the firm is on the other side of the customer trade.

  • The option describing customer-to-customer matching is agency capacity with a commission, not riskless principal.
  • The option describing selling from inventory is principal, but it involves inventory positioning and compensation is not disclosed as a commission.
  • The option describing routing to the market is consistent with agency execution, but agency trades are typically confirmed with commissions, not markups/markdowns.

Question 6

A broker-dealer is moving required books and records (including email and customer account documentation) to a third-party cloud records-retention vendor. Which statement about the firm’s vendor controls is INCORRECT?

  • A. Obtain audit rights and define an exit plan for data migration
  • B. Rely on the vendor’s assurances; ongoing monitoring is unnecessary
  • C. Perform periodic monitoring and test record retrieval after go-live
  • D. Include SLAs covering retention, retrieval time, and regulator access

Best answer: B

Explanation: The broker-dealer retains responsibility for compliant record retention and must conduct ongoing oversight of the vendor.

When a broker-dealer outsources record retention, it does not outsource regulatory responsibility. The firm should perform due diligence up front, set clear contract expectations (access, retention, auditability, and exit planning), and continuously monitor the vendor’s performance and controls. Therefore, a “set it and forget it” approach based only on vendor assurances is not acceptable.

Outsourcing record retention is a control and governance decision: the broker-dealer remains accountable for creating, preserving, and producing required records in a usable format upon request. As a result, vendor management should cover three areas tied directly to recordkeeping risk: due diligence (e.g., review the vendor’s security and operational controls, financial condition, and ability to meet retention/immutability and retrieval needs), contract expectations (e.g., clear SLAs, data ownership, access for the firm and regulators, incident notification, audit rights, and termination/portability), and ongoing monitoring (e.g., periodic control reviews and testing that records can be promptly retrieved and accurately reproduced). The key takeaway is that initial vetting is not a substitute for continuous oversight once records are being retained externally.

  • SLAs for retention, retrieval, and regulator access are standard contract expectations for recordkeeping vendors.
  • Audit rights and an exit/migration plan address ongoing oversight and vendor/technology change risk.
  • Periodic monitoring and retrieval testing helps ensure records remain producible throughout the retention period.

Question 7

A broker-dealer clears through NSCC and uses Continuous Net Settlement (CNS). U.S. equity regular-way settlement is T+1.

Exhibit: Trade blotter (all CNS-eligible, same CUSIP)

Trade date: August 12, 2025
Symbol  Side  Quantity
XYZ     BUY   8,000
XYZ     SELL  4,500
XYZ     BUY   3,000
XYZ     SELL  2,000

What will be the firm’s single CNS settlement obligation for XYZ, and on what date will it settle?

  • A. August 13, 2025; receive 11,000 shares
  • B. August 14, 2025; receive 4,500 shares
  • C. August 13, 2025; deliver 4,500 shares
  • D. August 13, 2025; receive 4,500 shares

Best answer: D

Explanation: CNS nets all compared trades to one position per CUSIP per settlement date, and T+1 from August 12 is August 13 with a net buy of 4,500 shares.

Under CNS, NSCC nets a member’s buys and sells in the same security into one net deliver/receive obligation for the settlement date. Here, total buys of 11,000 shares minus total sells of 6,500 shares equals a net receive of 4,500 shares. With T+1 settlement, trades done August 12, 2025 settle August 13, 2025.

CNS is NSCC’s process that consolidates (nets) a member’s CNS-eligible trades in the same security into a single net position for each settlement date, instead of settling trade-by-trade. This netting reduces the number of deliveries/receipts and means settlement exceptions and fails are managed at the net level (a fail reflects the remaining net deliver/receive obligation).

For the blotter:

  • Settle date is T+1: August 12 + 1 business day = August 13, 2025.
  • Net position: total buys 11,000 minus total sells 6,500 = net buy (receive) 4,500 shares.

Key takeaway: CNS replaces multiple gross deliveries/receipts with one net deliver/receive obligation for that day’s settlement.

  • The deliver-versus-receive choice flips the sign of the netted position.
  • Using August 14 applies a T+2 convention instead of T+1.
  • Using 11,000 shares reflects gross buys rather than the CNS-netted obligation after offsetting sells.

Question 8

A broker-dealer’s operations team is supporting the quarterly best execution review after surveillance flagged several equity orders that were trade-reported late and then corrected with “as/of” reports. The Best Execution Committee asks operations to provide records that evidence whether the executions were reasonably priced versus the market at the time the orders were handled.

What is the best next step?

  • A. Rely on customer confirms and monthly statements to evidence execution quality
  • B. Pull order-event and routing/execution data with timestamps and venue, and pair it to NBBO quote data
  • C. Document the late-report exceptions and close the alert without market comparison
  • D. Submit additional “as/of” trade reports to align the tape to internal timestamps

Best answer: B

Explanation: Best execution monitoring is evidenced by linking order handling and routing/execution records to contemporaneous market data (e.g., NBBO) for execution-quality review.

To evidence best execution monitoring, operations must be able to show how orders were handled (receipt, routing, execution, and any re-routes) and compare those events to contemporaneous market conditions. The most direct operational next step is to gather time-sequenced order and execution/routing records and match them to NBBO quote data for execution-quality analysis and documentation.

Best execution review relies on reconstructing what happened to the order and whether the outcome was reasonable under the market conditions at that time. Late trade reporting and “as/of” corrections affect reporting timeliness, but they do not by themselves demonstrate execution quality. Operations supports the review by producing an audit trail of order handling (order receipt time, routing decisions, venues, execution times/prices, and any modifications) and then pairing it with market data (e.g., NBBO at relevant timestamps) so the firm can evaluate price improvement, effective spread, and venue performance and document the supervisory review. The key control is the ability to link internal order/execution records to contemporaneous quotes, not to adjust trade reports to “fit” internal timestamps.

  • Submitting more “as/of” reports addresses reporting corrections, not whether the execution was reasonable versus the market.
  • Confirms and statements disclose executions to customers but generally lack the routing and quote context needed for best execution monitoring.
  • Closing an exception based only on late-report documentation skips the core best-execution evidence: market comparison tied to the order audit trail.

Question 9

A customer mails a physical stock certificate and a signed LOA (with a valid medallion signature guarantee) requesting the certificate be deposited into her individual cash account. Per firm WSPs, Operations performs a Securities Information Center (SIC) inquiry on all certificate deposits over $25,000; the inquiry returns a “HIT” showing the certificate number was reported stolen. The customer calls asking that the deposit be completed today.

What is the single best next action?

  • A. Reject the request and mail the certificate back to the customer with an explanation that it was flagged
  • B. Quarantine the certificate, escalate internally, and promptly report possession/“recovered” status to SIC rather than processing the deposit
  • C. Deposit the shares because the LOA has a medallion signature guarantee, then research the SIC hit after posting
  • D. Request the transfer agent issue a replacement certificate to the customer and destroy the submitted certificate

Best answer: B

Explanation: A SIC “hit” is a lost/stolen alert, so the firm should not process or return the certificate and must report possession to SIC per its controls.

A SIC inquiry “hit” is a high-risk red flag indicating the certificate has been reported lost, missing, stolen, or counterfeit. Operations should stop the transfer, secure the certificate, escalate per WSPs, and report the firm’s possession of the security to SIC so the record is updated and the item is handled as potentially stolen.

Firms use SIC inquiries and reporting to prevent the transfer of certificates that have been reported lost, missing, stolen, or counterfeit. When an inquiry returns a “hit,” Operations should treat the certificate as suspect and avoid any action that could facilitate an improper transfer or tip the certificate back into circulation.

Appropriate handling generally includes:

  • Secure/quarantine the physical certificate and restrict access
  • Escalate to the appropriate supervisory/compliance contacts per WSPs
  • Notify SIC that the firm is in possession of a “hit” certificate (i.e., report it as recovered/located), and coordinate next steps with the issuer/transfer agent as directed

The key control is to stop processing and update SIC/records, rather than depositing, returning, or destroying the certificate.

  • Posting the deposit despite a SIC hit defeats the control that prevents transferring reported stolen certificates.
  • Mailing the certificate back can return a potentially stolen instrument into circulation and undermines custody controls.
  • Destroying the certificate and requesting a replacement is inappropriate when the certificate is flagged and may be evidence or belong to another party.

Question 10

A customer submits a physical certificate for ABC Corp common stock registered in her name and requests that the shares be re-registered into her revocable trust. Operations wants the customer to authorize the transfer without signing (endorsing) the back of the certificate itself.

Which item best matches the document used for this purpose?

  • A. Bond power
  • B. Transfer agent
  • C. Medallion signature guarantee
  • D. Stock power

Best answer: D

Explanation: A stock power is a separate assignment form that authorizes transfer of ownership of a stock certificate without endorsing the certificate.

A stock power is used to assign/transfer ownership of a certificated equity in registered form via a separate document rather than endorsing the certificate. The issuer’s transfer agent relies on properly executed transfer paperwork to cancel the old registration and re-register the shares to the new owner (here, the trust).

For a certificated security held in registered form, ownership changes are effected by the issuer’s transfer agent, which maintains the official record of registered owners and processes transfers by cancelling the old certificate/registration and issuing (or book-entry registering) the new one. To instruct that transfer, the registered owner can sign a separate “power” form instead of signing the back of the certificate.

  • Use a stock power for equity certificates (common/preferred stock).
  • Use a bond power for certificated debt securities.

A medallion signature guarantee is an authentication of the signature for transfer purposes, not the assignment document itself.

  • A bond power serves the same function as a stock power but is used for certificated bonds, not common stock.
  • A transfer agent is the party that effects and records the re-registration, not the form the owner signs to assign the security.
  • A medallion signature guarantee verifies the signer’s identity/signature; it does not, by itself, transfer ownership.

Revised on Sunday, May 3, 2026