Anti-Money Laundering, Fraud and Sanctions

Regulatory Obligations and Related Considerations


Regulatory Obligations

FINRA Rule 3310 (Anti-Money Laundering Compliance Program) requires that each member firm develop and implement a written AML program that is approved in writing by senior management and is reasonably designed to achieve and monitor the firm’s compliance with the Bank Secrecy Act (BSA) and its implementing regulations.1 FINRA Rule 3310(a) requires that member firms establish and implement AML policies and procedures that can be reasonably expected to detect and cause the reporting of suspicious transactions;2 FINRA Rule 3310(c) requires that the AML program provide for independent testing for compliance each calendar year (or every two years in some specialized cases); FINRA Rule 3310(e) requires that the program provide ongoing training for appropriate personnel; and FINRA Rule 3310(f) requires that member firms’ AML programs include appropriate risk-based procedures for conducting ongoing customer due diligence.

Other requirements contained in the BSA’s implementing regulations include maintaining a Customer Identification Program (CIP); verifying the identity of legal entity customers; establishing due diligence programs to assess the money laundering risk presented by correspondent accounts maintained for foreign financial institutions; and responding to information requests from FinCEN within specified timeframes.3

Related Considerations

Scope of AML Program

  • Does your firm’s AML program reasonably address the AML risks associated with its business model, including new and existing business lines, products and services offered, customers and the geographic area in which your firm operates?
  • Has your firm experienced substantial growth or changes to its business? If so, has your firm’s AML program evolved alongside the business?
  • Does your firm’s AML program reasonably address the AML risks associated with effecting transactions in low-priced securities, including transactions effected through omnibus accounts (particularly accounts maintained for foreign financial institutions)?

Suspicious Activity Reporting

  • Do your firm’s AML procedures recognize that suspicious activity reporting obligations may apply to any transactions conducted by, at or through your firm?
  • Does your firm have reasonably designed AML procedures to detect and respond to indicators of illicit activities (generally referred to as “red flags”) that are relevant to its business model, such as those detailed in:
    • Regulatory Notice 19-18 (FINRA Provides Guidance to Firms Regarding Suspicious Activity Monitoring and Reporting Obligations); and
    • Regulatory Notice 21-03 (FINRA Urges Firms to Review Their Policies and Procedures Relating to Red Flags of Potential Securities Fraud Involving Low-Priced Securities).
  • Does your firm have AML policies and procedures that can be reasonably expected to respond to red flags of sanctions evasion?
  • Does your firm have reasonably designed AML procedures that account for FinCEN guidance addressing when SARs should be filed in addition to Office of Foreign Assets Control (OFAC) blocking reports?4
  • Does your firm have AML procedures reasonably designed to:
  • If your firm has determined that it is reasonable, based on your firm’s business, to use a manual review for suspicious transactions, are those reviews appropriately comprehensive, are they reasonably designed to detect suspicious patterns of transactions, and do they cover a sufficient timeframe to reasonably detect suspicious transactions?
  • If your firm uses automated surveillance systems for suspicious activity detection and reporting, does it:
    • appropriately monitor trading activity and money movements conducted or attempted by, at or through your firm;
    • review the integrity of its data feeds; and
    • assess scenario parameters as needed?
  • If your firm introduces customers and activity to a clearing firm, do your AML procedures reasonably address how your firm will communicate and share information with your clearing firm with respect to the filing of SARs?
  • Does your firm maintain appropriate risk-based procedures for conducting ongoing Customer Due Diligence (CDD) to:
    • understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and
    • conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information?

Customer Onboarding

  • Does your firm have reasonable AML procedures to collect identifying information and verify the identity of its customers under the CIP Rule, and of the beneficial owners of all of its legal entity customers under the CDD Rule?5
  • Does your firm use information gathered as part of CIP and CDD to help ensure compliance with other requirements, such as OFAC regulations?
  • Does your firm have AML policies and procedures that can be reasonably expected to detect identity theft or synthetic identity fraud in connection with account openings, and has your firm considered the example red flags included in Regulation S-ID?

AML Independent Testing

  • Is your firm’s AML independent test performed by someone with a working knowledge of the BSA and its implementing regulations?
  • Does your firm ensure that it is performing its independent AML test with the required frequency (once each calendar year for most firms)?6
  • Does your firm’s AML independent test confirm that your firm has established and implemented reasonably designed procedures for customer identification and verification, customer due diligence and suspicious activity reporting?

Findings and Effective Practices


Findings

  • Misconstruing Obligation to Conduct CIP and CDD: Failing to recognize that certain formal relationships established with the firm to effect securities transactions are customer relationships (and, consequently, not conducting CIP or CDD as required).
  • Inadequate Verification of Customer Identities: Failing to collect identifying information at the time of account opening and reasonably verify the identity of customers and beneficial owners of legal entity customers with documentary and/or non-documentary methods within a reasonable timeframe.
  • Inadequate Responses to Red Flags:
    • Auto-approving customer accounts despite red flags, or otherwise failing to perform a reasonable review of potential red flags associated with verifying customer identities (e.g., applicant provided a social security number that was not valid or was associated with the name of a different person, including a deceased individual).
    • Failing to have established policies and procedures that can be reasonably expected to detect identity theft or synthetic identity fraud in connection with account opening (e.g., personal identifying information does not match a consumer report or was used on another account the firm knew was fraudulent).
  • Inadequate Due Diligence: Failing to conduct initial and ongoing risk-based CDD to understand the nature and purpose of customer relationships to develop a customer risk profile, or conduct due diligence on correspondent accounts of foreign financial institutions in compliance with FINRA Rule 3310(b).
  • Inadequate Ongoing Monitoring and Reporting of Suspicious Transactions:
    • Failing to establish and implement written AML procedures that can reasonably be expected to detect and cause the reporting of suspicious activity.
    • Failing to reasonably review for and respond to red flags associated with:
      • orders and securities trading;
      • the movement or settlement of cash or securities (e.g., wire and Automated Clearing House (ACH) transfers, debit card and ATM transactions, securities trading (including order entry), journal transfers);
      • the member’s business operations, including activity related to high-risk products and services (e.g., cash management products and services; trading of low-priced, thinly traded securities);
      • suspicious activity introduced to the member by other FINRA member broker-dealers; and
      • orders for crypto asset trades.
    • Failing to notify the AML department of events that may require the reporting of a SAR, including cybersecurity events, account compromise or takeovers, or fraudulent wire or ACH transfers.
    • Failing to reasonably investigate inquiries from law enforcement, clearing firms, regulators or other federal and state agencies that concern red flags of suspicious activity.
  • Inadequate Handling of FinCEN Information Requests: Failing to review and respond to information requests from FinCEN issued pursuant to Section 314(a) of the Patriot Act,7 or not doing so within the required two-week timeframe.
  • Inadequate Testing: Failing to conduct adequate independent testing of their AML program by:
    • not providing for annual testing of the program on a calendar year basis (or every two years in specialized circumstances);
    • not testing critical aspects of the AML program for reasonableness (e.g., suspicious activity detection and reporting), including where firms have taken on new products, services or client bases that may have materially shifted the firm’s AML risk profile or situations where new threats to the industry are applicable to the firm;
    • conducting testing that is not reasonably designed, such as testing that fails to consider whether AML reports and systems are accurately and reasonably capturing suspicious transactions and are reasonably tailored to the AML risks of the member’s business; and
    • not confirming that persons with the requisite independence and qualifications perform the testing.

Effective Practices

  • Regulatory Updates: Reviewing alerts, advisories, significant cases and other updates from the SEC, FinCEN, FINRA, OFAC, and other regulators and agencies.
  • Risk Assessments: Conducting formal, written AML risk assessments that are updated when circumstances warrant, such as after the findings of the firm’s independent AML test or other internal or external audits; changes in the size or risk profile of the firm (e.g., changes to business lines, products and services, registered representatives, customers or geographic areas in which the firm operates); or material macroeconomic or geopolitical events.
  • Verifying Customers’ Identities When Establishing Online Accounts: Incorporating additional methods for verifying customer identities as part of the firm’s CIP, for example:
    • requiring both documentary (e.g., driver licenses) and non-documentary identifying information, or multiple forms of documentary information;
    • asking follow-up questions or requesting additional documents based on information from credit bureaus, credit reporting agencies or digital identity intelligence (e.g., automobile and home purchases);
    • contracting third-party vendors to help verify the legitimacy of suspicious information in customer applications (e.g., cross-referencing information across multiple vendors);
    • validating identifying information that applicants provide through likeness checks;8
    • reviewing the IP address or other available geolocation data associated with:
      • new online account applications for consistency with the customer’s home address; and
      • transfer requests (for consistency with locations from which the firm has previously received legitimate customer communications);
    • obtaining a copy of the account statement from the account slated to be transferred before sending an Automated Customer Account Transfer Service (ACATS) request;
    • for delivering firms, sending notifications to account owners (e.g., “push” notifications on mobile apps, emails, phone calls), contacting any broker(s) assigned to the account, or both when an ACATS transfer is initiated;
    • ensuring that any tools used for automated customer verification are reasonably designed to detect red flags of identity theft and synthetic identity fraud;
    • limiting automated approval of multiple accounts for a single customer;
    • reviewing account applications for common identifiers (e.g., email address, phone number, physical address) present in other applications and in existing accounts, especially seemingly unrelated accounts; and
    • reviewing account applications for use of temporary or fictitious email addresses (e.g., @temporaryemail.org) or phone numbers (e.g., 555-555-5555, 999-999-9999).
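The following is an added example, not FINRA’s code or any firm’s production control, showing how several of the onboarding checks listed above (disposable email domains, placeholder phone numbers, IP geolocation inconsistent with the home address, and identifiers shared across other applications or existing accounts) can be expressed as a screening step that withholds automated approval when any red flag is raised. The applications, the existing account, the `ip_state` field (a state geolocated from the application’s source IP) and the domain/phone lists are all constructed or assumed for illustration; the only values taken from the page are @temporaryemail.org, 555-555-5555 and 999-999-9999.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# The page cites these as examples of fictitious contact details; a real
# screening list would be larger and maintained separately (assumption).
DISPOSABLE_EMAIL_DOMAINS = {"temporaryemail.org"}
PLACEHOLDER_PHONES = {"5555555555", "9999999999"}


@dataclass(frozen=True)
class Application:
    """One new-account application (or, for the existing book, one open account)."""
    record_id: str
    name: str
    email: str
    phone: str
    address: str
    address_state: str  # state on the home address supplied by the applicant
    ip_state: str       # state geolocated from the source IP (assumed to be available)


def normalize_phone(phone: str) -> str:
    """Digits only, dropping a leading US country code so 1-212-555-0199 == (212) 555-0199."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def normalize_email(email: str) -> str:
    return email.strip().lower()


def normalize_address(address: str) -> str:
    return re.sub(r"\s+", " ", address.strip().lower())


def is_placeholder_phone(phone: str) -> bool:
    """Listed placeholders, plus any number made of a single repeated digit."""
    digits = normalize_phone(phone)
    return digits in PLACEHOLDER_PHONES or (len(digits) >= 7 and len(set(digits)) == 1)


def is_disposable_email(email: str) -> bool:
    domain = normalize_email(email).rsplit("@", 1)[-1]
    return domain in DISPOSABLE_EMAIL_DOMAINS


def screen_applications(applications, existing_accounts) -> dict[str, list[str]]:
    """Return {record_id: [red flags]} for each application; an empty list means none."""
    # Index email / phone / address across the incoming batch and the existing book
    # so that identifiers reused between seemingly unrelated records are surfaced.
    owners: dict[tuple[str, str], set[str]] = defaultdict(set)
    for rec in list(applications) + list(existing_accounts):
        owners[("email", normalize_email(rec.email))].add(rec.record_id)
        owners[("phone", normalize_phone(rec.phone))].add(rec.record_id)
        owners[("address", normalize_address(rec.address))].add(rec.record_id)

    flags: dict[str, list[str]] = {}
    for app in applications:
        reasons = []
        if is_disposable_email(app.email):
            reasons.append("temporary/disposable email domain")
        if is_placeholder_phone(app.phone):
            reasons.append("placeholder phone number")
        if app.ip_state != app.address_state:
            reasons.append(f"IP geolocation ({app.ip_state}) does not match home address ({app.address_state})")
        for kind, value in (("email", normalize_email(app.email)),
                            ("phone", normalize_phone(app.phone)),
                            ("address", normalize_address(app.address))):
            others = owners[(kind, value)] - {app.record_id}
            if others:
                reasons.append(f"{kind} shared with {sorted(others)}")
        flags[app.record_id] = reasons
    return flags


def auto_approvable(flags: dict[str, list[str]]) -> list[str]:
    """Only applications with no red flag proceed without manual review."""
    return sorted(rid for rid, reasons in flags.items() if not reasons)


# Constructed sample data: one existing account and three incoming applications.
EXISTING_ACCOUNTS = [
    Application("acct-1001", "Dana Reyes", "dana.reyes@example.com", "(212) 555-0147",
                "10 Main St, Albany NY", "NY", "NY"),
]
NEW_APPLICATIONS = [
    Application("app-1", "Pat Lee", "pat.lee@example.net", "1-212-555-0199",
                "5 Oak Ave, Buffalo NY", "NY", "NY"),
    Application("app-2", "J. Smith", "jsmith@temporaryemail.org", "555-555-5555",
                "77 Elm Rd, Dallas TX", "TX", "FL"),
    Application("app-3", "Dana Reyez", "Dana.Reyes@example.com", "2125550147",
                "10 Main St, Albany NY", "NY", "NY"),
]

if __name__ == "__main__":
    result = screen_applications(NEW_APPLICATIONS, EXISTING_ACCOUNTS)
    for rid, reasons in result.items():
        print(rid, "-> REVIEW:" if reasons else "-> auto-approve", "; ".join(reasons))
```

In the sample batch only app-1 is eligible for automated approval; app-2 trips the disposable-domain, placeholder-phone and geolocation checks, and app-3 reuses the email, phone and address of an existing account under a slightly different name, which is the pattern the “common identifiers” practice is meant to catch. A firm adopting this approach would treat the flags as inputs to a human review queue and retain the outcome for its SAR decisioning, not as an automatic decline.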

Emerging Risk: New Account Fraud

  • FINRA has observed an increase in suspicious and fraudulent activity related to new account fraud (NAF), which occurs when a bad actor uses stolen or synthetic identification9 information to fraudulently open an account.
    • NAF relies on the availability of stolen identification information, which is often extracted during data breaches and then sold on dark web marketplaces.
    • Customers’ increasing interest in fully online account-opening processes—including those for mobile application–based brokerage accounts—has decreased human interaction between prospective customers and firms, creating the potential for bad actors to fraudulently open brokerage accounts with greater ease.
  • NAF may be a precursor to other fraud schemes. Examples observed in FINRA examinations and investigations include, but are not limited to:
    • fraudulent requests to the ACATS to steal securities and other assets from an investor;
    • fraudulent ACH transfers and wire transfers, including instances in which accounts opened through NAF were used as conduits to steal money from customers at other financial institutions; and
    • deposit or movement of fraudulently obtained funds from government benefit programs (e.g., fraudulently obtained COVID-relief funds).
  • FINRA encourages firms, especially those that offer fully online account opening services and rely on automated account opening or customer verification services, to:
    • evaluate their review of red flags of NAF during the account opening process;
    • evaluate their monitoring of ongoing customer account activity for NAF and other known fraud schemes; and
    • enhance these processes, as needed, to ensure compliance with Regulation S-ID and other applicable rules.
  • For additional guidance, FINRA recommends:
    • Regulatory Notice 23-06 (FINRA Shares Effective Practices to Address Risks of Fraudulent Transfers of Accounts Through ACATS)
    • Regulatory Notice 22-21 (FINRA Alerts Firms to Recent Trend in Fraudulent Transfers of Accounts Through ACATS)
    • Regulatory Notice 21-18 (FINRA Shares Practices Firms Use to Protect Customers from Online Account Takeover Attempts)
    • Regulatory Notice 21-14 (FINRA Alerts Firms to Recent Increase in ACH “Instant Funds” Abuse)
    • Regulatory Notice 20-32 (FINRA Reminds Firms to Be Aware of Fraudulent Options Trading in Connection with Potential Account Takeovers and New Account Fraud)
  • Delegation and Communication of AML Responsibilities: Delegating AML duties to business units in the best position to conduct ongoing monitoring to identify suspicious activity; and establishing written escalation procedures and recurring cross-department communication between AML, compliance and relevant business unit(s).
  • Training: Establishing and maintaining an AML training program for appropriate personnel that is tailored to the individuals’ roles and responsibilities, addresses industry developments impacting AML risk and regulatory developments, and, where applicable, leverages trends and findings from the firm’s quality assurance controls and independent AML test.

Additional Resources



1 Capital Acquisition Broker (CAB) Rule 331 applies AML compliance program requirements to Capital Acquisitions Brokers.

2 31 CFR § 1023.320 requires broker-dealers to file reports of suspicious transactions (SARs) relevant to a possible violation of law or regulation—such as money laundering, fraud, or sanctions violations—to the extent and in the manner required by that regulation.

3 See 31 C.F.R. Part 1010 and 31 C.F.R. Part 1023.

5 31 C.F.R. § 1023.220 requires broker-dealers to conduct CIP on their “customers.” A “customer” is defined by 31 C.F.R. § 1023.100(d) as “a person that opens a new account.” An “account” is, in turn, defined by 31 C.F.R. § 1023.100(a)(1) as a “formal relationship with a broker-dealer established to effect transactions in securities.”

31 C.F.R. § 1010.230 requires broker-dealers to identify and verify the identity of the beneficial owners of its “legal entity customers” when “a new account is opened.” 31 C.F.R. § 1010.230(e) defines a “legal entity customer” as a corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction that opens an account. 31 C.F.R. § 1010.230(c) defines “account” as a “formal relationship with a broker-dealer established to effect transactions in securities, including, but not limited to, the purchase or sale of securities and securities loaned and borrowed activity, and to hold securities or other assets for safekeeping or as collateral.”

6 FINRA Rule 3310(c) provides that a member may only conduct its testing every two years (on a calendar-year basis) if the member does not: (i) execute transactions for customers; (ii) otherwise hold customer accounts; or (iii) act as an introducing broker with respect to customer accounts. FINRA Rule 3310(c) also provides two examples of the types of firms that would qualify for two-year testing: firms that engage solely in proprietary trading and firms that conduct business only with other broker-dealers. FINRA Rule 3310.01(a) also requires members to undertake more frequent testing if circumstances warrant.

7 See FinCEN, Section 314(a) for additional guidance.

8 An identity verification method where applicants upload a photo or video of themselves, which is then compared with their recently submitted identity documents (See Regulatory Notice 21-18 (FINRA Shares Practices Firms Use to Protect Customers from Online Account Takeover Attempts)).

9 A synthetic identity is a combination of real and fictitious data. For example, synthetic identities may include legitimate Social Security numbers and date of birth combined with fake names, addresses and email addresses.