Series 99: Professional Conduct

Try 10 focused Series 99 questions on Professional Conduct, with explanations, then continue with the full Securities Prep practice test.

Series 99 Professional Conduct questions help you isolate one part of the FINRA outline before returning to a mixed practice test. The questions below are original Securities Prep practice items aligned to this topic and are not copied from any exam sponsor.

Open the matching Securities Prep practice route for timed mocks, topic drills, progress tracking, explanations, and the full question bank.

Topic snapshot

Item | Detail
Exam | FINRA Series 99
Official topic | Function 2 — Professional Conduct and Ethical Considerations
Blueprint weighting | 30%
Questions on this page | 10

Sample questions

Question 1

An operations analyst confirms on September 9, 2025 that an external party had unauthorized access to certain customers’ nonpublic personal information (NPI). On September 10, 2025, the firm receives a written request from law enforcement stating: “Do not notify affected customers until September 23, 2025.”

Exhibit: WSP excerpt (Privacy incident notices)

  • Notify affected customers in writing within 10 calendar days of determination.
  • If a written law-enforcement delay is received, delay notice until the date specified; send the notice the next business day after the delay expires.
  • Email may be used only if it does not include full account numbers, SSNs, or login credentials (mask account numbers to last 4 digits).

Assume business days are Monday–Friday and there are no holidays. Which customer communication meets the WSP timing and content requirements?

  • A. Email the notice on September 24, 2025, including the customer’s full account number for identification
  • B. Email the notice on September 19, 2025, showing only the last four digits of the account number
  • C. Email the notice on September 24, 2025, showing only the last four digits of the account number
  • D. Email the notice on September 23, 2025, showing only the last four digits of the account number

Best answer: C

Explanation: The law-enforcement delay pushes notification to the next business day after September 23, and the email content must avoid full account numbers and SSNs by masking the account number to the last four digits.

A written law-enforcement delay overrides the normal 10-calendar-day notification timing. The WSP requires sending the notice on the next business day after the specified delay date and prohibits including full account numbers, SSNs, or credentials in an email notice. The communication that follows the delay timing and uses masked account information is the only compliant choice.

This scenario tests two constraints that must both be satisfied: timing after a law-enforcement delay and content limits for customer notices. Although the firm’s baseline requirement is to notify within 10 calendar days of the determination date, the WSP allows delaying notification when the firm receives a written law-enforcement request.

Apply the exhibit to the dates provided:

  • Determination date: September 9, 2025
  • Law-enforcement “do not notify until” date: September 23, 2025
  • Next business day (Mon–Fri, no holidays): September 24, 2025

For content, the notice (especially by email) must not include full account numbers, SSNs, or login credentials; masking to the last four digits is acceptable. The best response is the one that sends on the required post-delay business day and uses masked identifiers rather than sensitive data.

  • Sending within 10 calendar days of determination ignores the written law-enforcement delay requirement.
  • Including a full account number in an email violates the WSP content constraints for notices.
  • Sending on the delay date conflicts with the instruction to send the next business day after the delay expires.

Question 2

A broker-dealer’s online Privacy Center lets a customer submit an opt-out from sharing nonpublic personal information (NPI) with nonaffiliated third parties. Which operational feature best matches the requirement to record, retain, and honor that opt-out preference?

  • A. Time-stamped preference record stored with the customer profile and applied across eligible accounts and vendor feeds
  • B. A supervisor’s quarterly attestation that the firm follows its privacy policy
  • C. A one-time email confirmation to the customer that the opt-out was received
  • D. A pop-up disclosure shown at login that requires acceptance before trading

Best answer: A

Explanation: Opt-out elections must be captured as an auditable record and systematically enforced in downstream disclosures/sharing processes.

To honor an opt-out, the firm needs a durable, auditable record of the customer’s election and a control that enforces it in any process that could share NPI. The best match is a time-stamped preference stored with the customer profile and used to suppress sharing through downstream systems and vendors.

Opt-out preferences are operationally effective only when they are captured as a persistent customer instruction and then applied wherever the firm could disclose or share NPI. That typically means maintaining a time-stamped preference record (including when/how it was obtained) and integrating it into data entitlements, marketing lists, and any vendor or affiliate file feeds covered by the opt-out. The record must be retained under the firm’s books-and-records controls so the firm can evidence the customer’s election and demonstrate that sharing was suppressed when required. A disclosure pop-up, a courtesy confirmation email, or a general supervisory attestation may support the program, but they do not, by themselves, create an enforceable, system-applied opt-out control.

  • A login pop-up is a disclosure mechanism, not a persistent preference record that drives downstream suppression.
  • A confirmation email is customer communication and does not ensure sharing is blocked across systems/vendors.
  • A quarterly supervisory attestation is a governance control, not an individual customer election record or enforcement mechanism.

Question 3

A customer calls the operations desk stating they did not authorize an online liquidation and an outgoing wire that is currently in “pending release” status. The customer also asks to immediately update their email address and provide new bank wiring instructions. You see the wire request was entered less than an hour ago from a new device and there is also a same-day request to change the customer’s phone number.

Which action best aligns with durable escalation and customer-protection standards?

  • A. Place a disbursement hold per WSPs and immediately escalate to supervision and compliance/AML for investigation
  • B. Close the account to prevent further activity and mail proceeds to the customer’s address of record
  • C. Release the pending wire after verbally confirming the new bank instructions
  • D. Tell the registered representative to resolve it with the customer and call back if it becomes a written complaint

Best answer: A

Explanation: A hold plus prompt escalation preserves customer assets and routes a fraud/red-flag event to the appropriate supervisory and compliance functions.

This is a fraud/red-flag scenario involving potential account takeover and an unauthorized disbursement. The best operational response is to follow WSPs to protect assets (e.g., hold/restrict disbursements), preserve relevant records, and promptly route the issue to supervisory review and the compliance/AML function for investigation and any required reporting.

Operations should treat conflicting customer instructions plus unusual access/activity (new device, same-day changes to contact information, and a pending wire) as a red flag requiring immediate protective action and escalation. The durable standard is: stop potential loss first within firm procedures, then route to the right control owners.

A sound sequence is:

  • Apply the firm’s WSP-directed restriction/hold on disbursements or high-risk changes.
  • Preserve records needed for review (call notes, authentication results, device/IP logs, tickets).
  • Escalate promptly to the customer’s supervisor/branch management and the appropriate control group (compliance/AML/fraud; legal as needed).

Processing new wiring instructions or delegating resolution to the rep risks further unauthorized movement and weakens record integrity and supervision.

  • Releasing funds based on a verbal confirmation (especially alongside same-day contact changes) fails the safeguard-and-escalate standard.
  • Handing it back to the rep delays escalation and bypasses supervisory and compliance review of a red flag.
  • Closing and mailing proceeds can still move assets during a suspected takeover and is not a substitute for investigation and escalation.

Question 4

An operations supervisor receives two access requests:

  • Request 1 (Customer data): A service associate asks for access to an unmasked export file that includes customer names, addresses, and full SSNs to resolve IRS tax-form corrections.
  • Request 2 (Deal information): A clearing operations analyst asks for access to an Investment Banking shared drive folder labeled “Project Maple” to help prepare settlement instructions for an upcoming underwriting.

Which control approach best matches the key differentiator between restricting access to customer NPI versus restricting access to potential MNPI?

  • A. Restrict unmasked SSN access using the restricted list; grant deal folder access by job title
  • B. Restrict both requests using ACATS validation before granting any access
  • C. Grant unmasked SSN access by role-based entitlement; restrict deal folder via information barriers/wall-crossing controls
  • D. Grant both requests if the employees attest they will not share the information

Best answer: C

Explanation: Customer NPI access is governed by need-to-know/least-privilege entitlements, while potential MNPI requires information barrier and controlled wall-crossing restrictions.

Customer nonpublic personal information (NPI) should be accessible only on a need-to-know basis using least-privilege entitlements, masking, and auditable access. Potential MNPI tied to an underwriting requires information barrier controls, such as deal-room access restrictions and formal wall-crossing procedures. The decisive difference is privacy-based access control for NPI versus information-barrier-based restrictions for MNPI.

Operations controls restrict sensitive information in two distinct ways depending on what is being protected. For customer NPI (e.g., full SSNs), the operational control is a privacy/Reg S-P style approach: role-based access, least privilege, masking/unmasking only when required for the task, and audit trails to evidence appropriate access. For potential MNPI (e.g., an Investment Banking deal folder for an underwriting), the core control is an information barrier: separate systems/drive permissions for “deal rooms,” limited access to the deal team, and formal wall-crossing/approval when someone outside the barrier needs access.

The key takeaway is to match the restriction mechanism to the risk: privacy entitlements for customer data, and information barriers for MNPI.

  • The ACATS process is about account transfers, not a control framework for employee access to NPI or MNPI.
  • Restricted/watch lists address MNPI-driven trading/communications risk, not routine access to customer SSNs for tax corrections.
  • Employee attestation alone is not a sufficient operational control without entitlement, monitoring, and supervisory procedures.

Question 5

An operations associate is reviewing the following account maintenance ticket.

Exhibit: Account maintenance ticket (snapshot)

Acct: 8KQ-1142 (Individual)
Age of account: 6 years
Request(s):
  1) Change mailing address effective immediately
  2) Add new bank instructions
  3) Wire $48,500 today
Request channel: Email
From email: j.smith247@outlook.com (not on file)
Call-back number provided: (917) 555-0188 (not on file)
Last statement status: Returned mail (UAA) 10 days ago
Standing instructions: None on file

Based on the exhibit, which interpretation is best supported under a firm’s Regulation S-ID identity theft prevention program?

  • A. The combination of UAA mail and email-initiated change plus new wire instructions is a red flag requiring escalation and verification before processing
  • B. Because the account is seasoned, the requests can be processed as long as the wire is sent only to a bank account in the customer’s name
  • C. The only required action is to screen the beneficiary against OFAC before releasing the wire
  • D. This should be treated as a CIP deficiency and the account must be restricted until identity is re-verified using documentary methods

Best answer: A

Explanation: UAA mail followed by remote change requests and first-time wire instructions is an identity-theft red flag that should trigger heightened verification and escalation per the program.

Regulation S-ID programs require firms to identify and respond to “red flags” that suggest possible identity theft. The exhibit shows returned mail (UAA) followed shortly by email-initiated changes and a first-time wire request using contact information not on file. Operations should pause processing and follow program steps to verify the customer and escalate as required.

Regulation S-ID focuses on detecting and responding to patterns that indicate possible identity theft, especially when account maintenance activity is inconsistent with the customer’s established profile. Here, multiple red flags appear together: returned mail (UAA), a request submitted via an unrecognized email address, a new call-back number not on file, adding new bank instructions, and an urgent first-time wire.

Operations typically supports the firm’s identity theft prevention program by:

  • Placing a temporary hold or stopping disbursement processing when red flags appear
  • Using out-of-band verification to known contact points (not the new email/phone)
  • Escalating to the designated team (e.g., supervisor/fraud/AML/Compliance) per WSPs
  • Documenting the red flags observed and the resolution steps taken

The key is responding to the red flags before releasing funds, rather than assuming the request is legitimate based on account age or doing only routine sanctions screening.

  • Processing based on the account being “seasoned” ignores the exhibit’s UAA and unverified channel/contact changes tied to a same-day wire.
  • Treating this as a CIP problem confuses account-opening identity verification with ongoing red-flag detection and response.
  • OFAC screening may be part of wire controls, but it does not address the identity-theft indicators shown in the ticket.

Question 6

At 2:50 p.m. ET (wire cutoff is 3:00 p.m. ET), a registered rep forwards an email for an institutional LLC account requesting a $250,000 same-day wire. The email includes a scanned LOA to add a new third-party bank instruction and directs the wire to that new bank; the account has two authorized signers on file, and the wire request is not coming from an authenticated client channel. A back-office associate with entitlements to both update standing instructions and release wires is asked to “push it through before cutoff,” and the phone number in the email signature does not match the number on the account profile.

What is the single best action to satisfy supervisory controls and reduce operational risk?

  • A. Have the same associate update the bank and release the wire under dual control
  • B. Hold the wire; Account Services verifies change via number on file; Cashiering releases
  • C. Process the wire based on the rep’s email and scanned LOA to meet cutoff
  • D. Call the phone number in the email signature to confirm and then release the wire

Best answer: B

Explanation: Segregating maintenance from disbursements and using out-of-band verification prevents a single person from both changing instructions and moving funds based on an unauthenticated request.

The key control is segregation of duties between account maintenance and cash movement, with independent verification of a high-risk change. Because the request is unauthenticated and includes a new third-party bank instruction, the firm should verify using contact information from its records and require independent review before any disbursement.

Broker-dealers organize supervision and controls by separating incompatible functions (e.g., account instruction maintenance vs. cashiering/disbursements) and requiring independent verification/approval for higher-risk events. In this scenario, a late-day request combines two fraud-sensitive actions—adding a new third-party wire instruction and sending funds—delivered through a non-authenticated channel with a contact mismatch red flag. The best control response is to stop the disbursement, route the instruction change to the team supervised for account maintenance, perform out-of-band verification using a number already on file (not information provided in the request), and only then allow cashiering—under its own supervisory chain and dual controls—to release the wire. This reduces the chance that one compromised user, rep, or ops associate can both alter standing instructions and move customer funds.

  • Processing based on a rep-forwarded email/LOA fails authentication and independent verification for a new third-party instruction.
  • Letting one associate both change instructions and release the wire defeats segregation of duties, even if “dual control” is claimed.
  • Calling the number in the email relies on potentially compromised contact data rather than an out-of-band callback to information of record.

Question 7

A cashiering associate receives a same-day wire request from a retail customer to send $85,000 to a new third-party bank account. The request also includes a change to the customer’s phone number and email address. When the associate calls the new phone number to authenticate, the caller cannot answer basic out-of-wallet questions, and the customer’s prior number on file goes straight to voicemail.

Under Regulation S-ID, what is the most appropriate escalation step?

  • A. Only update the contact information, but process the wire to the existing registration
  • B. Process the wire because a callback was completed to the phone number provided
  • C. Treat it solely as a privacy incident and delete the request from email to limit exposure
  • D. Place a hold, escalate per the firm’s Identity Theft Prevention Program, and re-verify using an independent contact method

Best answer: D

Explanation: Reg S-ID requires responding to red flags by stopping the transaction and escalating per the firm’s program while independently verifying the customer’s identity.

This scenario presents multiple identity theft red flags (new contact info, high-risk disbursement, failed authentication). Regulation S-ID requires the firm to follow its written Identity Theft Prevention Program to respond appropriately, which typically includes stopping or holding the transaction, escalating to the designated supervisor/compliance contact, and independently verifying identity using reliable information not provided in the suspicious request.

Regulation S-ID requires broker-dealers to have an Identity Theft Prevention Program that detects, prevents, and mitigates identity theft in connection with covered accounts. Here, the combination of changed contact details, a high-dollar third-party wire request, and unsuccessful authentication is a classic set of “red flags.” The operational response should follow the firm’s escalation path and the controls designed to prevent unauthorized disbursements.

Appropriate escalation and response generally include:

  • Do not process the disbursement until identity is verified
  • Escalate to the program’s designated personnel (e.g., supervisor/compliance/fraud team)
  • Re-verify using an independent method (e.g., previously validated phone, secure message, documentary verification)
  • Document actions taken and the resolution per WSPs

The key control point is stopping the transaction and escalating, rather than relying on potentially compromised contact information.

  • Completing a callback to newly provided contact information does not resolve the red flag because that channel may be compromised.
  • Updating contact data while still processing the wire does not mitigate the suspected identity theft risk tied to the disbursement.
  • Deleting the request addresses data handling, but it does not escalate or mitigate the suspected account takeover and unauthorized transfer risk.

Question 8

In a broker-dealer’s privacy incident response program (Reg S-P / Reg S-ID concepts), which action best reflects proper escalation and evidence preservation when unauthorized access to customer nonpublic personal information (NPI) is suspected?

  • A. Email details broadly so all staff can watch for similar activity
  • B. Escalate per the incident response plan and preserve logs via read-only copies
  • C. Delete suspicious emails and purge logs to prevent further exposure
  • D. Reboot affected systems to clear memory before collecting any records

Best answer: B

Explanation: Prompt internal escalation and preservation of tamper-resistant copies of access and system records help contain the incident and support investigation and reporting.

A suspected privacy breach should be escalated through the firm’s defined incident response channels and handled in a way that preserves evidence. Preserving tamper-resistant copies of relevant records (for example, authentication and access logs) supports containment, investigation, and any required notifications or filings without contaminating evidence.

Under Reg S-P safeguarding expectations (and related Reg S-ID governance for identity-theft risk), firms should follow written incident response procedures that quickly route suspected unauthorized access to the right control owners (typically information security, compliance, legal, and operations management). Evidence preservation focuses on capturing what happened without altering it.

Practical evidence to preserve commonly includes:

  • User access/authentication logs (including privileged access)
  • System/security event logs and alerts (SIEM outputs)
  • Ticketing records, timestamps, and affected account lists
  • Forensic images or read-only exports with documented chain of custody

Actions that overwrite or destroy data (reboots, log purges, ad hoc “cleanup”) can compromise investigation and regulatory response.

  • Rebooting first can overwrite volatile artifacts and change timestamps, weakening forensic integrity.
  • Broadcasting details to all staff increases internal exposure of sensitive incident information and can create additional records-management and privacy issues.
  • Deleting emails or purging logs destroys key evidence and impairs containment, investigation, and required response steps.

Question 9

A customer calls after seeing a trade on yesterday’s online activity that they did not authorize. Operations determines it was an internal keying error: an order for Customer A was mistakenly booked to Customer B’s account. The trade can be corrected through the firm’s normal trade correction process, and a corrected confirmation will be generated.

Which action should the operations professional NOT take when communicating and documenting this correction?

  • A. Document the error, investigation, approvals, and resolution in firm records
  • B. Overwrite the original booking and delete related emails once corrected
  • C. Promptly inform the customer of the error and planned correction
  • D. Notify the executing/clearing parties as needed to process the correction

Best answer: B

Explanation: Firms must preserve the original records and maintain an auditable trail of the error, communications, and correction.

Operational errors should be corrected through controlled workflows while keeping a complete audit trail. Communications with customers and any vendors/contra parties should be timely and accurate, and the firm should retain records of what happened, who approved the fix, and how the customer impact was remediated. Deleting or overwriting the original evidence of the error breaks required books-and-records controls.

When a booking error places a trade in the wrong customer account, operations should (1) promptly communicate accurate information to the affected customer(s), (2) coordinate with any internal teams and external parties needed to complete the correction, and (3) document the event end-to-end. Documentation should preserve the original entry and all related communications, show the investigation and approvals, and evidence the corrective action (e.g., corrected confirms/adjustments) so the firm maintains an auditable trail. Destroying, deleting, or overwriting the original blotter/booking and communications to “clean up” the file is improper because it obscures what occurred and undermines record retention and supervision.

  • Prompt customer communication is appropriate because customers should not learn about operational errors only through later statements or complaints.
  • Coordinating with executing/clearing parties is appropriate when their action is required to process reversals/corrections or to prevent settlement breaks.
  • Logging the error and retaining evidence (timestamps, approvals, corrected outputs) is appropriate to support supervision and books-and-records requirements.

Question 10

A clearing broker-dealer receives an email from a regular-way equity counterparty’s settlements mailbox stating a trade is in DK status and asking for the underlying customer’s full name and account number “to confirm the trade was authorized.” Your firm can resolve DKs using trade identifiers and affirmed settlement instructions, and customer-identifying data is treated as nonpublic personal information (NPI). You are the operations professional assigned the exception. What is the best next step?

  • A. Email a full trade blotter export including customer identifiers
  • B. Wait for a new confirm from the counterparty before responding
  • C. Send the customer name and account number to resolve the DK
  • D. Call back via a known number, then share only trade identifiers

Best answer: D

Explanation: Authenticate the requester and provide only the minimum information needed to resolve the settlement exception.

When a vendor or counterparty requests information, operations should apply need-to-know and least-privilege principles. First confirm the requester is legitimate (e.g., call-back using established contact information), then limit what you disclose to what is required to complete the operational task. For a DK, trade-level details and SSIs are typically sufficient without sharing customer NPI.

The control point here is confidentiality in external communications: counterparties should receive only what they need to resolve the specific issue, and access to customer-identifying information should be restricted. For a DK, the normal workflow is to authenticate the counterparty contact using firm-approved verification (such as a call-back to a known number or validated mailbox) and then provide the minimum data required (e.g., trade date, quantity, price, contra, account at DTC/clearing details, and agreed SSIs).

A practical sequence is:

  • Verify the requester is an authorized counterparty contact (call-back/validated channel).
  • Share only trade/settlement identifiers needed to correct the DK.
  • Escalate internally if the counterparty insists on customer NPI beyond what the process requires.

Key takeaway: authenticate first, then disclose the minimum necessary information.

  • Sending customer name/account number is unnecessary for resolving most DKs and violates least-privilege handling of NPI.
  • A full blotter export typically contains excessive customer data and is not a minimum-necessary response.
  • Waiting for a new confirmation delays resolution and does not address the immediate need to authenticate and communicate appropriately.

Continue with full practice

Use the Series 99 Practice Test page for the full Securities Prep route, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.

Free review resource

Use the Series 99 Cheat Sheet on SecuritiesMastery.com when you want a compact review before returning to the FINRA Series 99 Practice Test page.

Revised on Sunday, May 3, 2026