Client Alert: What FINRA's Eleven-Category Risk Model Means for Your Next Examination

The Financial Industry Regulatory Authority (FINRA) recently published a transparent description of how it assesses member-firm risk and uses those results to plan and tailor examinations. This framework gives firms a roadmap for compliance: by aligning their internal risk work to FINRA's model, they are better positioned to narrow exam focus, demonstrate effective supervision, and reduce surprise findings.

FINRA begins by segmenting each firm into one of five business models, and these segments anchor the evaluation of risk "likelihood" and "impact" in the context of the firm's actual business mix, products, and revenue drivers. These are the five business models:

  1. Capital Markets and Investment Banking Services – Firms that primarily engage in activities such as structuring, advising on mergers and acquisitions, underwritings, advisory services, sales of private placement offerings or private equity funds to institutions, product origination, and wholesaling or provide capital markets and investment banking services.
  2. Carrying and/or Clearing – Firms that primarily engage in correspondent clearing, securities financing transactions, or chaperoning activities for foreign entities pursuant to SEA Rule 15a-6.
  3. Diversified – Firms that offer multiple services across a range of business lines, such as investment banking, research, sales and trading, public finance, wealth management, asset management, prime brokerage, clearing, and institutional and/or retail services.
  4. Retail – Firms that primarily provide brokerage services or effect transactions on behalf of an individual customer or an account whose ultimate beneficial owner(s) would be deemed an individual investor.
  5. Trading and Execution – Firms that primarily engage in executing trades on their own behalf or on behalf of institutional customers.

The methodology distinguishes inherent risk from residual risk.

  • Inherent risk reflects the exposure posed by the firm's activities before controls. FINRA then evaluates the effectiveness of controls—people, processes, and systems—using member firm–reported data, internally sourced data, and, when needed, a structured Qualitative Input Assessment that incorporates exam findings and observations.
  • Residual risk is the level that remains after considering controls and is expressed as a risk likelihood score for each category.

FINRA evaluates eleven broad categories:

  1. Accuracy of Regulatory Capital
  2. Credit
  3. Cybersecurity and Technology
  4. Fraud and Deception
  5. Liquidity
  6. Market
  7. Market Integrity
  8. Anti–Money Laundering
  9. Operational
  10. Protection of Customer Assets
  11. Sales

Each category is assigned a numeric value and a weight reflecting its relative contribution to potential harm. Weighted averages produce a likelihood band—low, medium-low, medium-high, or high—at both the category level and in the aggregate. FINRA reviews inputs and weightings regularly, so scores can change as business models evolve or controls improve. Examination teams use these scores to select firms for review and tailor the scope across sales practice, financial, operational, and trading risks.

Firms can translate this model into exam-readiness in three concrete ways:

First, align internal risk assessments to FINRA's eleven categories and business model segmentation, mapping products, customers, and revenue to category-specific inherent risks. This creates a common language with FINRA's risk monitoring and gives context for why certain risks should be scored lower or examined narrowly.

Second, demonstrate control effectiveness with evidence that mirrors FINRA's inputs: control inventories tied to each risk, testing results, surveillance metrics, exception handling, and remediation histories. Quality, timeliness, and responsiveness—all emphasized in FINRA's qualitative assessment—should be plainly documented.

Third, develop firm-specific risk narratives that explain how controls reduce likelihood within high-visibility domains such as sales practices, Anti-Money Laundering (AML), cybersecurity, and safeguarding customer assets. Narratives that link control changes to measurable outcomes can help focus exam scoping and reduce duplicative requests.

This risk lens will shape supervisory priorities by pushing resources toward categories where residual risk bands are higher and by elevating day-to-day behaviors that drive control effectiveness—accurate books and records, prompt escalation of red flags, disciplined surveillance reviews, and robust technology hygiene. In 2026, the firms that speak FINRA's risk language—and can prove it—will be better positioned for examinations.

If you would like more information on compliance with FINRA's current approach to risk assessment, please contact Justin Senior or a member of Shumaker's Financial Services Industry Sector.
