In February 2025, the Securities and Exchange Commission settled proceedings against Centaurus Financial for Regulation Best Interest Care Obligation violations. Its representatives recommended L Bonds without a reasonable basis to believe the investments were in retail customers’ best interests.

Six months later, the SEC brought a similar settled action against Emerson Equity. Both firms had written Reg BI policies. Both had compliance attestations. Neither had a broker-dealer risk assessment template that could flag the concentration risk before the ticket.

The gap between “we have a policy” and “we can prove the policy caught something” is what a broker-dealer risk assessment template closes.

This 2026 edition walks through seven risk categories, a scoring matrix you can use on Monday, how to map output to FINRA Rule 3120 and Reg BI, and where mature programs routinely fail at exam. See our complete guide to the risk assessment process for the underlying method.

The audience is specific: chief compliance officers, heads of supervision, and risk managers at US broker-dealers who want a working template — not a textbook definition.

For a broader enterprise risk management view that sits above this template, we map broker-dealer obligations to a firm-wide risk taxonomy you can present to the audit committee.

Why Every Broker-Dealer Risk Assessment Template Needs a 2026 Refresh

Three regulatory shifts over the past 18 months have made the 2019-era broker-dealer risk assessment template obsolete.

The first is the 2024 amendments to Regulation S-P, which require covered institutions — broker-dealers, funding portals, transfer agents, and registered investment advisers — to notify affected individuals as soon as practicable, and no later than 30 days, after becoming aware that unauthorized access to or use of sensitive customer information has occurred or is reasonably likely to have occurred.

Larger firms had to comply by December 3, 2025; smaller firms have until June 3, 2026.

If your current risk assessment policy predates these amendments, it is not just dated; it has no row for the 30-day notification clock that examiners now anchor cyber-risk scoring to.

Rebuilding the template around the amended Reg S-P clock is this quarter’s highest-leverage compliance project for any US broker-dealer, and the work is smaller than most CCOs fear at first reading.

The second shift is the FINRA 2026 Annual Regulatory Oversight Report, released December 2025. It added generative AI, third-party vendor cyber incidents, and extended-hours trading as examiner focus areas on top of AML and Reg BI priorities.

The third shift is enforcement cadence. The SEC’s FY2024 Division of Enforcement results, read alongside the 2025 settled actions, show more Reg BI actions in 2024 and 2025 than in all prior years combined.

Broker-Dealer Risk Assessment Template: A Practitioner's 2026 Framework

Figure 1: Reg BI enforcement against broker-dealers has climbed from one action in 2021 to 22 in 2025.

The pattern matters for template design. In the enforcement cases that settled with the largest civil money penalties — between $1.25 million and $16.5 million in 2024 alone — the common thread was not a missing policy.

It was a firm that could not produce risk-scored, supervision-linked evidence when asked. That is a broker-dealer risk assessment template problem, and it sits inside the FINRA Risk Control Assessment survey discipline examiners expect.

The Seven Risk Categories Your Broker-Dealer Risk Assessment Template Must Cover

FINRA’s default risk assessment methodology, formalised through the Risk Control Assessment survey, recognises 13 sub-categories. In practice, most broker-dealers manage them cleanly under seven top-level buckets.

Use these seven as the spine of your template; every sub-risk, control, and piece of evidence then lives under exactly one of them. That single choice — one parent per risk — determines whether the template is usable in year three.

The taxonomy discipline we recommend inside our risk register template and guide applies directly here. Firms that skip the taxonomy step end up with overlapping rows, double-counted controls, and an audit committee that cannot tell whether a residual score went down because risk fell or because a category was relabelled. Neither answer survives examiner scrutiny.

| # | Risk category | What it captures | Primary regulatory anchor |
|---|---|---|---|
| 1 | Market risk | Principal trading, proprietary positions, Regulation SHO short-sale risk, counterparty exposure | SEC Rule 15c3-1 (Net Capital); Rule 15c3-5 (Market Access) |
| 2 | Credit risk | Margin lending, securities-based lending, counterparty credit, prime brokerage concentration | Regulation T; FINRA Rule 4210 |
| 3 | Liquidity risk | Funding liquidity, intraday liquidity, stress scenarios, customer fund withdrawal patterns | Rule 15c3-3 (Customer Protection); FINRA Rule 4120 |
| 4 | Operational risk | Technology outages, trade errors, extended-hours trading controls, books and records integrity | Rule 17a-4; FINRA Rules 3110, 3120 |
| 5 | Compliance and regulatory | Reg BI (Care, Disclosure, Conflict, Compliance), supervision, suitability, communications | Reg BI; FINRA Rules 2111, 3110, 3120 |
| 6 | Cyber and data | Customer data safeguarding, incident response, third-party vendor risk, AI tool governance, 30-day breach notification | Amended Regulation S-P (2024); Rule 17a-4; NIST CSF 2.0 |
| 7 | Financial crime (AML) | CIP, CDD/EDD, SAR filing, OFAC screening, transaction monitoring | BSA; 31 CFR 1023; FINRA Rule 3310; FinCEN guidance |

This seven-category structure is not academic. It maps to the evidence bundles an SEC or FINRA examiner will request.

When a Commission staff member opens a firm’s Rule 3120 annual report or runs a risk-focused exam under the SEC broker-dealer examination planning risk alert, having the same seven buckets across the template, board deck, and supervision file dramatically shortens the cycle.

We have seen exam timelines compress from 14 weeks to seven simply because the firm could present a single taxonomy across three documents.

For a parallel walkthrough of how the same seven-bucket logic works in banking, see our bank compliance risk assessment templates guide. The parallels are almost exact — only the regulatory anchors change.


Figure 2: FINRA’s 2026 examiner priorities — third-party cyber and GenAI have leapfrogged long-standing concerns.

Broker-Dealer Risk Assessment Template: The Scoring Matrix You Can Use on Monday

The fastest way to ruin a broker-dealer risk assessment template is to build it on qualitative labels alone — “high, medium, low” with no numeric anchor. Examiners increasingly expect a scoring methodology that shows your work. Boards expect a trend line.

Use the 1–5 scale below for likelihood and impact and multiply them for inherent risk (1 to 25). Score control effectiveness on the same 1–5 scale with 5 for the strongest controls, multiply that score by five, and subtract it from the inherent score; floor the result at zero, since a well-controlled low-inherent risk would otherwise come out negative. The output is a defensible residual-risk number.

If you want the underlying concept laid out for a non-specialist audience before socialising the model with business heads, see our explainer on what a risk assessment is.

It gives a plain-English walkthrough of inherent versus residual scoring that board members and first-line managers can absorb without a compliance briefing.

| Score | Likelihood | Impact (financial + regulatory + reputational) | Control effectiveness (5 = strongest) |
|---|---|---|---|
| 5 | Almost certain (>80%) | Catastrophic: >$10M loss, SEC enforcement, Wall Street Journal headline | Continuously monitored, automated, tested |
| 4 | Likely (50–80%) | Major: $1M–$10M, FINRA sanction, significant press | Tested annually, some gaps |
| 3 | Possible (20–50%) | Moderate: $100K–$1M, deficiency letter, client attrition | Documented but untested |
| 2 | Unlikely (5–20%) | Minor: <$100K, clean-up work, minimal external impact | Ad hoc / reactive |
| 1 | Rare (<5%) | Insignificant: no material loss | None / not documented |

Apply the matrix to each of the seven categories. Sample output: compliance and regulatory risk scored inherent 5 × 5 = 25 (catastrophic, almost certain), control effectiveness 3, residual = 25 − (3 × 5) = 10.

That 10-point residual goes on the board heat map and drives the year’s supervisory testing plan under FINRA Rule 3120. The power of the method is the conversation it forces when numbers do not match.

For board-ready output formatting that keeps the method visible without overwhelming non-specialists, use our risk management report sample.

The structure separates the methodology appendix from the heat-map narrative so committee members read the conclusions first and the math only if they want to. That separation is the single biggest usability improvement we recommend to firms rebuilding their annual risk-reporting pack this year.


Figure 3: Sample inherent vs. residual scoring across the seven categories of a broker-dealer risk assessment template.

A practical note from running these assessments at banks and regulated investment firms: if the residual score for any category exceeds 12 (out of 25), treat that as automatic escalation to the CCO and risk committee.

If it exceeds 18, trigger a documented remediation plan with a named owner and a deadline under 90 days.

These thresholds are not in any rule — they are earned from watching which scores correlate with exam findings.

Mapping the Broker-Dealer Risk Assessment Template to FINRA Rule 3120 and Reg BI

FINRA Rule 3120 is the rule most broker-dealer risk assessment templates should be built around but rarely are.

It requires every member firm to maintain written supervisory control policies and procedures (see the FINRA Written Supervisory Procedures checklist), test them at least annually, and submit a report to senior management summarising test results and significant exceptions.

Firms with $200 million or more in gross revenue must include additional content.

Rule 3120 is the single best hook to hang your template on because it is already the exam-required artifact examiners open first. Aligning the template structure to the 3120 report structure means the report writes itself from the template.

That alignment saves an estimated 40 to 60 hours of annual preparation effort in most mid-size broker-dealer compliance functions.

Here is how the mapping works. Every residual risk score above 12 in the matrix generates a required supervisory test for the following 12 months.

The test is documented in the Rule 3120 plan, executed by designated principals under FINRA Rule 3110, and the results feed the annual report.

That closed loop (the risk assessment informs the test plan, the test plan produces evidence, the evidence feeds the next assessment) is what an examiner wants to see.

Embed the cross-reference directly: each risk row carries a “3120 test ID” column tying it to the corresponding supervisory test.

Firms with mature GRC framework platforms can automate this cross-reference; firms on spreadsheets can maintain it manually. Either approach works, but the cross-reference itself is not optional if the template is going to drive supervision, not just document it.

Regulation Best Interest mapping is where most 2024–2025 enforcement actions landed. The Care, Disclosure, Conflict of Interest, and Compliance Obligations each deserve a distinct row in your broker-dealer risk assessment template — not a single “Reg BI” line item.

Product-specific scoring is essential: complex products (variable annuities, RILAs, L Bonds, private placements) routinely carry inherent scores two to three points higher than generic Reg BI coverage.

The 2024–2025 enforcement record, in which FINRA Rule 2111 suitability findings and Reg BI findings appear together, bears this out.

Firms that score Reg BI as a single row keep missing the concentration-in-complex-products pattern that examiners consistently surface during settled-action investigations. Split the row, and the signal appears early enough in your supervision cycle to intervene before an examiner does.

AML, SAR, and CIP Inside the Broker-Dealer Risk Assessment Template

Bank Secrecy Act obligations sit inside the seventh category of the broker-dealer risk assessment template, but they deserve their own narrative because enforcement volume is so large.

The FinCEN Year in Review for FY 2024 reports US financial institutions filed 4.7 million Suspicious Activity Reports — an average of 12,870 per day.

The FinCEN SAR statistics portal shows SAR filings grew 51.8% between 2020 and 2024. Cyber-related SARs alone grew 30% in 2025, with nearly 31,000 filings reporting cyber-enabled crimes against customers.

That volume, not the rule text, is what determines how deep your template’s AML row has to go — and why AML cannot remain a single line item any longer.


Figure 4: SAR filings grew 51.8% from 2020 to 2024 and kept climbing into 2025.

At minimum, split the FINRA Rule 3310 AML program requirements into five sub-rows: CIP (Customer Identification Program), CDD/EDD (Customer Due Diligence and Enhanced Due Diligence), transaction monitoring, OFAC screening, and SAR filing program effectiveness.

Each sub-risk gets its own inherent and residual score. For a broader view of how AML risk assessment integrates with compliance risk, see our bank compliance risk assessment templates guide.

If your CCO cannot point to the specific scenario-tuning process behind the firm’s transaction monitoring thresholds, the transaction monitoring residual score should never be below 12 — that is the threshold we use to force an independent model validation.

The 2025 FinCEN FAQs on SAR reporting reduced some compliance burdens (narrative flexibility, discontinuance determination, retention clarifications), but none change the risk math.

Cyber and Reg S-P Integration in the Broker-Dealer Risk Assessment Template

The 2024 amendments to Regulation S-P are the single most consequential recent rulemaking for broker-dealer risk programs. Almost every template we reviewed in Q1 2026 still has them as an afterthought.

FINRA’s cybersecurity advisory on the Reg S-P amendments confirms the scope: broker-dealers, funding portals, transfer agents, and registered investment advisers must develop and maintain a written incident response program, and must notify affected individuals within 30 days.

Firms that already run an ISO 27001 risk assessment template can reuse most of the scaffolding, but the 30-day clock is new and binding. The template also has to score detection speed: the clock runs from the day the firm becomes aware of the incident, so an environment that takes weeks to notice an intrusion can meet the deadline on paper while customers sit exposed for months, and examiners look at the whole compromise-to-notification interval, not just the final 30 days. Detection time is now a scored KRI, not a narrative attestation.

The broker-dealer risk assessment template integration has three moving parts. First, score third-party vendor incident reporting SLAs; the majority of 2024–2025 broker-dealer breaches originated with vendors.

Our third-party risk management framework handles the scoring mechanics end-to-end. Second, SEC Rule 17a-4 requires electronic records to be preserved in a non-rewriteable, non-erasable format or, under the 2022 amendments, with a complete audit trail; incident evidence kept as a firm record has to meet the same standard, so score the retention architecture separately.

Third, the template has to cover generative AI tools, which are now in scope because they process customer data.

Our AI risk assessment framework maps the generative-AI failure modes to Reg S-P safeguarding standards and gives you a scoring scaffold you can drop into the cyber and data row of the broker-dealer risk assessment template this quarter. No other template we have seen does this integration cleanly.

A pragmatic shortcut we use with broker-dealer clients is to adopt the six Functions in the NIST Cybersecurity Framework 2.0 (Govern, Identify, Protect, Detect, Respond, Recover) as sub-rows inside the cyber and data row.

Each function gets an inherent score, a residual score, and a cross-reference to specific Reg S-P requirements. For a detailed walkthrough, see our NIST CSF 2.0 implementation guide.

Running the Broker-Dealer Risk Assessment Template in 90 Days

Implementation failure kills more broker-dealer risk assessment template projects than design failure. The template looks good in pilot, stalls in month four, and by month six the firm is back to the legacy spreadsheet.

The 90-day sequence below has delivered operational templates inside firms from 50 to 3,000 employees — including at a multi-billion-dollar pension fund where operational risk stakes run in tens of millions per incident. Executive sponsorship from the CCO is non-negotiable.

Get written commitment from supervision and the business lines before day one. Anchor the workflow to our complete guide to the risk assessment process, which gives the sequencing discipline that stops most projects from drifting into month five without a heat map. The discipline costs nothing; skipping it routinely costs three months of slippage on an otherwise well-scoped program.

| Phase | Days | Key deliverables | Evidence the phase is done |
|---|---|---|---|
| 1. Scope and ownership | 1–15 | Risk taxonomy agreed; seven categories confirmed; one named owner per category; draft scoring matrix circulated | RACI signed by CCO, head of supervision, each owner |
| 2. Inherent-risk scoring | 16–40 | Business interviews, inherent scores, product-level Reg BI scoring, sub-risk decomposition | First-pass inherent score sheet with 40+ sub-risks |
| 3. Control mapping | 41–65 | Each control mapped to a risk; control effectiveness scored; gaps documented; 3120 test plan drafted | Residual-risk heat map; 3120 annual testing calendar |
| 4. Validation and reporting | 66–85 | Independent challenge by internal audit or second-line peer; board-ready heat map; Rule 3120 report outline | Signed-off heat map; board presentation draft |
| 5. Integration and go-live | 86–90 | Template embedded in supervision workflow; remediation plans for residuals > 18; annual refresh date set | Written policy on annual refresh cadence filed in WSPs |

The non-negotiable milestone is the end of Phase 3. If a firm reaches day 65 without a heat map the CCO and head of supervision will both sign, the project is in trouble — usually because the seven-category taxonomy was not actually agreed at day 15. Go back and fix the taxonomy before adding detail.

A broker-dealer risk assessment template with a messy top level cannot be saved by detail in the middle layers.

If you need to stress-test the taxonomy before committing, the checkpoints in our risk register template and guide surface the usual issues in under an hour.

Run the checklist with one business head and one supervision principal in the room; if they disagree on any category, resolve the disagreement before moving on.

Broker-Dealer Risk Assessment Template FAQs: Expert Answers to Critical Questions

These are the questions US broker-dealer CCOs ask most often in practitioner forums, FINRA member firm events, and compliance conferences when the conversation turns to template design and exam readiness.

What is a broker-dealer risk assessment template?

A broker-dealer risk assessment template is a structured document that catalogues the risks facing a registered broker-dealer, scores each for likelihood and impact, records the controls in place, and produces a residual-risk rating that drives supervisory testing under FINRA Rule 3120.

The best 2026 templates cover seven top-level categories and tie every row to a specific regulatory anchor.

How often should a broker-dealer risk assessment template be refreshed?

Refresh fully at least annually to satisfy Rule 3120’s supervisory control testing requirement.

Update individual rows on event-driven triggers — a new product launch, an acquisition, a rulemaking like the 2024 Reg S-P amendments, an examination finding, or a material incident. Firms running fewer than annual refreshes routinely receive deficiency letters on their supervisory control systems.

Who should own the broker-dealer risk assessment template?

The Chief Compliance Officer owns the broker-dealer risk assessment template at most US firms, with delegated category owners in supervision, technology, finance, and the first line.

Each of the seven risk categories needs a named individual owner — not a team — because accountability dilutes fast.

The board or risk committee signs off on the annual output, typically using a format modelled on our risk management report sample.

What regulatory anchors should a broker-dealer risk assessment template map to?

At minimum, the broker-dealer risk assessment template needs to map to SEC Rule 15c3-1 (Net Capital), Rule 15c3-3 (Customer Protection), the Market Access Rule (15c3-5), Regulation Best Interest, amended Regulation S-P, the Bank Secrecy Act, FINRA Rules 3110, 3120, 3310 (AML), 4210 (Margin), and the NIST Cybersecurity Framework 2.0. Templates mapping to fewer anchors leave material gaps for examiners.

How does Regulation Best Interest change the broker-dealer risk assessment template?

Reg BI adds four obligations — Care, Disclosure, Conflict of Interest, and Compliance — each deserving its own risk row. Product-specific scoring is essential: complex products like variable annuities, RILAs, L Bonds, and private placements carry materially higher inherent risk than plain-vanilla recommendations.

The SEC FY2024 Division of Enforcement results confirm that this is where the Commission has focused its settled actions.

How does the 2024 Reg S-P amendment affect the broker-dealer risk assessment template?

The amended Reg S-P adds a 30-day customer notification requirement for unauthorised access to sensitive customer information. Larger-entity compliance deadline: December 3, 2025. Smaller-entity: June 3, 2026.

The template must score detection speed, third-party vendor notification SLAs, and the written incident response program required by the rule. FINRA’s cybersecurity advisory walks through the implementation mechanics step by step.

What’s the biggest mistake firms make with a broker-dealer risk assessment template?

Treating it as a compliance artefact rather than a supervisory tool. A template producing a heat map nobody uses is worse than no template — it creates a paper trail of unused risk intelligence, which is a finding waiting to happen.

Build it into the supervisory workflow. Our how to develop a risk assessment policy guide covers the governance scaffolding that makes the assessment-to-test-to-evidence loop real.

Can a single broker-dealer risk assessment template cover a dual-registered firm?

Yes, and most efficient designs do. Use a unified taxonomy with entity-specific scoring — the cyber risk row is the same; the Reg BI row (BD-only) and the IA Rule 206(4)-7 compliance row (RIA-only) sit alongside each other.

Dual-registered firms maintaining two separate templates almost always discover control duplication, policy contradictions, and evidence gaps at exam time that a unified design would have prevented.

Where Broker-Dealer Risk Assessment Template Programs Stall — And How to Unstick Them

Every mature broker-dealer risk assessment template has survived at least one of the failure modes below.

The difference between firms that recover and firms that quietly abandon the program is pattern recognition — knowing which failure you are watching and what fix actually works.

For structural fixes, see our complete guide to the risk assessment process and the SEC broker-dealer examination planning risk alert.

| Pitfall | Root cause | Remedy |
|---|---|---|
| Heat map produced, nothing changes | Template disconnected from the supervisory calendar | Tie every residual score >12 to a Rule 3120 test and >18 to a named remediation plan |
| Taxonomy drift across deliverables | No single source of truth for the risk taxonomy | Publish the seven-category taxonomy in the WSP and reference it from board decks, 3120 reports, and the template |
| AML treated as one row | Template built before 2020 SAR volumes scaled up | Split AML into CIP, CDD/EDD, transaction monitoring, OFAC, and SAR filing; score each separately |
| Cyber scored without Reg S-P context | Template updated before the 2024 amendments | Add the six NIST CSF 2.0 Functions as sub-rows and embed the 30-day detection/notification test |
| Reg BI as a single line item | Template built before the first wave of 2024 enforcement | Split into the four Reg BI obligations and add product-level rows for complex products |
| Scores never change year-to-year | Inherent scoring treated as static | Refresh inherent scores whenever a new product, rule, or examination finding materially changes exposure |
| Board decks look different from the template | Category owners re-cut data for the board | Enforce one-to-one mapping: the board deck renders directly from the template |

Three trends will redefine the broker-dealer risk assessment template between 2026 and 2028. Firms embedding them now will avoid a painful 2028 rebuild. The first is generative AI governance.

The FINRA 2026 Annual Regulatory Oversight Report flagged both the threat side (bad actors exploiting GenAI against investors) and the adoption side (firms using GenAI for research, supervision, and customer service).

The template has to carry a named AI-governance row by the end of 2026 — scoring model inventory, bias and drift controls, human-in-the-loop thresholds, and Reg S-P implications of feeding customer data into third-party models.

Our AI risk assessment framework is the scaffold we recommend for this row; it integrates cleanly with an enterprise risk management view above it.

The second trend is extended-hours trading supervision. FINRA’s extended-hours trading notice added this as a new focus area because overnight trading volumes have grown materially and because thinner liquidity combined with lower supervision coverage and retail access creates a concentrated risk surface.

A template written in 2023 did not score extended-hours trading separately; a 2026 template should — with inherent scores elevated above the regular-session baseline.

The third trend is the shift from annual to continuous risk assessment. The regulatory cadence — 30-day breach notifications, event-driven Reg BI re-evaluations, FinCEN alert-driven SAR escalations — has moved faster than the annual template refresh can support.

Leading firms have moved to continuous assessment where inherent scores update monthly from controlled data feeds (exam findings, incident tickets, regulatory alerts) and residual scores update quarterly.

That shift is a taxonomy discipline, not a technology project. If the seven-category top level is stable, the rest follows. If it is not, no amount of automation saves the broker-dealer risk assessment template.

For firms that want adjacent templates to cross-reference, the risk assessment templates library is a good starting point for benchmarking across other regulated domains.

Need help translating this broker-dealer risk assessment template into a working program for your firm?

Explore our risk advisory and template implementation services or get in touch for a scoped engagement. We size the work to your firm’s complexity, regulatory profile, and existing supervision architecture — not to a generic framework template built for a different type of broker-dealer.
