Anti-Money Laundering, Fraud and Sanctions

Regulatory Obligations

FINRA Rule 3310 (Anti-Money Laundering Compliance Program) requires that each firm develop and implement a written anti-money laundering (AML) program that is approved in writing by senior management and is reasonably designed to achieve and monitor the firm’s compliance with the Bank Secrecy Act (BSA) and its implementing regulations.1 FINRA Rule 3310(a) requires that firms establish and implement AML policies and procedures that can be reasonably expected to detect and cause the reporting of suspicious transactions;2 FINRA Rule 3310(c) requires that the AML program provide for independent testing for compliance each calendar year (or every two calendar years in some specialized cases); FINRA Rule 3310(e) requires that the program provide ongoing training for appropriate personnel; and FINRA Rule 3310(f) requires that firms’ AML programs include appropriate risk-based procedures for conducting ongoing customer due diligence (CDD).

Other requirements contained in the BSA’s implementing regulations include maintaining a Customer Identification Program (CIP); verifying the identity of the beneficial owners of legal entity customers; establishing due diligence programs to assess the money laundering risk presented by correspondent accounts maintained for foreign financial institutions; and responding to information requests from the Financial Crimes Enforcement Network (FinCEN) within specified timeframes.3

Investment Fraud by Bad Actors Targeting Investors Directly

FINRA has observed an increase and evolution in investment fraud committed by bad actors who engage directly with investors. This typically includes enticing victims to withdraw funds from their securities accounts and send the funds to the bad actors as part of a fraudulent scheme.

  • According to the most recent FBI Internet Crime Report, investment fraud is the costliest type of crime tracked by the FBI’s Internet Crime Complaint Center (IC3), with complaints and losses regarding related scams continuing to rapidly increase. 
  • Common types of investment fraud include:
    • Investment Club Scams: schemes in which bad actors post fraudulent social media advertisements—often using the likeness of well-known finance personalities unaffiliated with the scam—to direct victims to purported “investment clubs” on encrypted messaging applications, where victims are persuaded to purchase shares of low-volume and thinly traded securities.
    • Relationship Investment Scams: schemes in which fraudsters often hide their true identities and reach out to unsuspecting targets (often online or through text messages), gain the victim’s trust over time, and then defraud them through fake investments. These schemes are sometimes referred to by terms such as “romance scams,” “cryptocurrency investment scams” and “financial grooming scams.” 
    • Imposter Websites: schemes in which malicious actors use names and other legitimate information to establish a web presence that purports to be a broker-dealer firm, registered representative, financial regulator or law enforcement agency.
    • Tech Support and Support Center Scams: schemes in which bad actors impersonate firms’ customer support centers through online sponsored advertising, with the goal to misdirect victims and steal funds, PII or both.

Firms may consider using the following effective practices to help mitigate these threats: 

  • monitoring for abrupt changes in customer behavior, such as a customer making a withdrawal request that does not align with the customer’s typical behavior (e.g., smaller withdrawals over a long period of time, or one or more sudden large withdrawals);
  • educating firm personnel who are in direct contact with customers on how to recognize red flags, how to communicate with customers they suspect may be victims and how to escalate concerns;
  • relying on FINRA Rule 2165 (Financial Exploitation of Specified Adults) to place a temporary hold on a customer’s securities transactions or disbursements where there is a reasonable belief of customer financial exploitation;4
  • emphasizing the importance of trusted contact persons and promoting effective practices in connection with FINRA Rule 4512 (Customer Account Information);5
  • providing educational material to customers explaining how scams occur and providing resources for victimized customers (including those on FINRA’s For Investors page); and
  • developing response plans for situations where the firm identifies that a customer has been victimized, including: 
    • notifying a customer’s trusted contact person of any concerns;
    • for elder or vulnerable adults, notifying Adult Protective Services;
    • in addition to filing required suspicious activity reports (SARs), reporting the fraud to the appropriate regulatory (e.g., FTC, SEC, FINRA) and law enforcement agencies (e.g., FBI, the customer’s state’s Attorney General’s Consumer Protection Office and Crime Victim Coalition); and
    • engaging with the FBI’s IC3 Recovery Asset Team via their Internet Crime Complaint Center to attempt to recall outgoing wire transactions.

For additional guidance concerning external fraud identification, mitigation and prevention, please see:

Findings and Effective Practices

Findings 

  • Misconstruing Obligation to Conduct CIP and CDD: Not recognizing that certain formal relationships established with the firm to effect securities transactions are customer relationships (and, consequently, not conducting CIP or CDD as required). 
  • Unreasonable Procedures Concerning CIP and CDD: Not establishing and implementing reasonably clear and detailed policies and procedures concerning CIP and CDD requirements.
  • Inadequate Verification of Customer Identities: Not collecting identifying information at the time of account opening, not reasonably verifying the identity of customers and beneficial owners of legal entity customers with documentary or non-documentary methods within a reasonable timeframe, or, when suspicious activity is detected, not reevaluating the information provided during the customer onboarding and customer identification process as appropriate.
  • Inadequate Responses to Red Flags: 
    • Auto-approving customer accounts despite red flags, or otherwise not performing a reasonable review of potential red flags associated with verifying customer identities (e.g., applicant provided a Social Security number that was not valid or was associated with the name of a different person, including a deceased individual).
    • Not escalating customer accounts notwithstanding indicia that they are nominee accounts, which have been used to invest in IPOs and then engage in pump-and-dump-like schemes, as highlighted in Regulatory Notice 22-25 (Heightened Threat of Fraud).
    • Failing to establish policies and procedures that can be reasonably expected to detect identity theft or synthetic identity fraud in connection with account opening (e.g., PII does not match a consumer report or was used on another account the firm knew was fraudulent).
  • Inadequate Due Diligence: Not conducting initial and ongoing risk-based CDD to understand the nature and purpose of customer relationships to develop a customer risk profile, or not conducting the required due diligence on correspondent accounts the firm maintains for foreign financial institutions.
  • Inadequate Ongoing Monitoring of Suspicious Transactions: 
    • Not establishing and implementing written AML procedures that can reasonably be expected to detect and cause the reporting of suspicious transactions.
    • Not devoting sufficient resources to suspicious activity monitoring programs, including following a business expansion or a material increase or change in transactions.
    • Not reasonably reviewing for and responding to red flags, including for patterns of activity, associated with:
      • orders and securities trading;
      • the movement or settlement of cash or securities (e.g., wire and Automated Clearing House (ACH) transfers, debit card and ATM transactions, securities trading (including order entry), journal transfers);
      • the origin and destination locations (i.e., high-risk jurisdictions) of transfers; 
      • transfers made to or from unrelated third-parties;
      • the firm’s business operations including activity related to high-risk products and services (e.g., cash management products and services; trading of low-priced and thinly traded securities); and
      • suspicious activity introduced to the firm by other firms.
  • Inadequate Ongoing Reporting of Suspicious Transactions:
    • Not notifying the AML department of events that may require the reporting of a SAR, including cybersecurity events, account compromise or takeovers, or fraudulent wire or ACH transfers.
    • Not reasonably investigating inquiries from law enforcement, clearing firms, regulators or other federal and state agencies that concern red flags of suspicious activity. 
    • Not reviewing and responding to information requests from FinCEN issued pursuant to Section 314(a) of the Patriot Act,6 or not doing so within the required two-week timeframe.
  • Inadequate Testing: Not conducting adequate independent testing of their AML program by:
    • not providing for annual testing of the program on a calendar year basis (or every two calendar years in specialized circumstances);
    • not testing critical aspects of the AML program for reasonableness (e.g., suspicious activity detection and reporting), including where firms have taken on new products, services or client bases that may have materially shifted the firm’s AML risk profile or situations where new threats to the industry are applicable to the firm;
    • conducting testing that is not reasonably designed, such as testing that fails to consider whether AML reports and systems are accurately and reasonably capturing suspicious transactions and are reasonably tailored to the AML risks of the firm’s business; and 
    • not confirming that persons with the requisite independence and qualifications perform the testing.
  • Inadequate Training: Not providing adequate training for appropriate personnel (e.g., training fails to address how to identify red flags of suspicious transactions or actions to take in response to red flags that are detected).

Continuing Risk: ACH Fraud

FINRA has recently observed an increase in suspicious and fraudulent activity related to ACH fraud. This observation is consistent with recent findings and rulemaking activity from other organizations:

  • According to FinCEN, ACH fraud was the most reported suspicious activity in securities and futures SAR filings between 2014 and 2022.7
  • On October 1, 2024, the National Automated Clearinghouse Association (Nacha) issued new requirements that all non-consumer participants in the ACH network implement fraud detection and monitoring programs.
  • ACH fraud encompasses two fraud typologies: 
    • First-party ACH fraud: A customer initiates a fraudulent ACH reclaim without sufficient funds, which typically comes in two forms:
      • Non-sufficient funds fraud (NSF)—taking advantage of the “instant funds credit” firms offer to customers that initiate ACH pulls into a brokerage account, which makes some or all of the funds requested immediately available to the customer even though the funds have not settled in the account and there are no funds in the customer’s account; and
      • Unauthorized reclaim fraud (URF)—reporting a false claim of third-party fraud within the ACH system’s 60-day reporting window, triggering the funds sent via ACH transfer to be “recalled” from the receiving account. 
    • Third-party ACH fraud: A bad actor conducts a fraudulent ACH transaction by using stolen or synthetic information to:
      • take over a legitimate customer account at a depository financial institution (i.e., an account takeover); and
      • open a brokerage account in the name of the legitimate customer (i.e., new account fraud).
      • The bad actor then submits an ACH transfer request to: 
        • pull assets from the legitimate customer’s compromised account at a depository financial institution; and 
        • deposit them into the brokerage account fraudulently established in the legitimate customer’s name.8
  • The increase in ACH fraud may stem from bad actors’ preference to use ACH over wire transactions, since the ACH system can more easily, quickly and cheaply move funds between accounts. 

Some effective practices for firms to consider to help mitigate vulnerability to this type of fraud, especially those firms that offer fully online account opening services and rely on automated account opening or customer verification services, are to:

  • require additional identification and verification documents during account opening and initiation of ACH transfer requests, such as obtaining customer account statements from the originating depository financial institution (ODFI) prior to processing an ACH transaction;
  • implement internal procedures using Nacha’s recommended cutoff times for the same-day ACH function (which allows the financial institution to be notified more quickly of any issues with an ACH transaction, such as insufficient funds);
  • use micro-deposits, test deposits or test transactions as micro-entries to verify the connection to a customer’s bank account for funds transfer;
  • contract with third-party vendors that offer services to risk rank customers attempting to deposit funds in an account at a financial institution based on real time assessment of whether the account is open and in good standing, along with previous activity related to that account;
  • communicate known fraud scenarios, red flags, fake identities and electronic identifying information (e.g., IP addresses) to organizations such as the National Cyber-Forensics and Training Alliance (NCFTA), Early Warning Services (EWS) and InfraGard; and
  • limit the amount and number of outbound transfers from a brokerage account to help mitigate first-party ACH fraud, based on factors such as specific time periods, the age of an account or other potential red flags that could indicate the account is at risk for certain types of fraud.

For additional guidance, FINRA recommends:

Effective Practices 

  • Investigating Unusual Withdrawal Requests: Conducting thorough inquiries when customers—particularly those who may be elderly or vulnerable—request that an unusually significant amount of funds be disbursed to a personal bank account, including where the disbursements would incur losses, fees or negative tax consequences (e.g., a disbursement from a retirement account), as these could be signs of affinity fraud, relationship fraud, Ponzi schemes or other forms of misappropriation.
  • Reviewing Clearing Firm Transactions: Reviewing transactions on a firm-by-firm basis to identify patterns of potentially suspicious transactions. 
  • Reviewing Regulatory Updates: Reviewing alerts, advisories, significant cases and other updates from the SEC, FinCEN, FINRA, OFAC, and other regulators and agencies; and incorporating the information from such updates into the firm's AML systems and procedures, as appropriate. 
  • Conducting Risk Assessments: 
    • Conducting formal, written AML risk assessments that are updated in appropriate situations, such as: 
      • following the findings of its independent AML test or other internal or external audits; 
      • changes in the size or risk profile of the firm (e.g., changes to business lines, products and services, registered representatives, customers or geographic areas in which the firm operates); or
      • material macroeconomic or geopolitical events. 
    • For firms that engage in low-priced securities or small capitalization initial public offerings, ensuring that your firm’s reasonably designed AML procedures detect and respond to red flags associated with that activity, including those detailed in:
      • Regulatory Notice 21-03 (FINRA Urges Firms to Review Their Policies and Procedures Relating to Red Flags of Potential Securities Fraud Involving Low-Priced Securities); and
      • Regulatory Notice 22-25 (Heightened Threat of Fraud).
    • Reviewing alerts or exception reports to ensure they are functioning as intended and that the firm’s surveillance systems properly ingest the required data.
    • Ensuring the firm’s AML procedures are tailored to services your firm provides, including services such as direct market access or access to alternative trading systems.  
  • Additional Steps for Verifying Customers’ Identities When Establishing Online Accounts: Incorporating additional methods for verifying customer identities as part of the firm’s CIP through, for example: 
    • requiring both documentary (e.g., driver licenses, government issued IDs) and non-documentary identifying information, or multiple forms of documentary information;
    • asking follow-up questions or requesting additional documents based on information from credit bureaus, credit reporting agencies or digital identity intelligence (e.g., automobile and home purchases);
    • contracting third-party vendors to help verify the legitimacy of suspicious information in customer applications (e.g., cross-referencing information across multiple third-party vendors);
    • validating identifying information that applicants provide through likeness checks;9
    • reviewing the IP address or other available geolocation data associated with:
      • new online account applications for consistency with the customer’s home address; and
      • transfer requests (for consistency with locations from which the firm has previously received legitimate customer communications);
    • obtaining a copy of the account statement from the account slated to be transferred before sending an Automated Customer Account Transfer Service (ACATS) request;
    • for firms that initiate ACATS transfers (i.e., delivering firms), sending notifications to account owners (e.g., “push” notifications on mobile apps, emails, phone calls) or contacting any broker(s) assigned to the account or both;
    • ensuring that any tools used for automated customer verification are reasonably designed to detect red flags of identity theft and synthetic identity fraud;
    • limiting automated approval of multiple accounts for a single customer; 
    • reviewing account applications for common identifiers (e.g., email address, phone number, physical address) present in other applications and in existing accounts, especially seemingly unrelated accounts; and
    • reviewing account applications for use of temporary or fictitious email addresses (e.g., @temporaryemail.org) or phone numbers (e.g., 555-555-5555, 999-999-9999).
  • Delegation and Communication of AML Responsibilities: Delegating AML duties to business units in the best position to conduct ongoing monitoring to identify suspicious activity; and establishing written escalation procedures and recurring cross-department communication between AML, compliance and relevant business unit(s). 
  • Training: Establishing and maintaining an AML training program for appropriate personnel that is tailored to the individuals’ roles and responsibilities, addresses industry developments impacting AML risk and regulatory developments, and, where applicable, leverages trends and findings from the firm’s quality assurance controls and independent AML test. 
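
The account-application review practices listed above (common identifiers shared across applications and existing accounts, temporary email addresses, fictitious phone numbers) can be expressed as a screening pass over application data. The following is an added illustration, not FINRA guidance or any firm's code: the record layout, field names, account IDs and sample records are constructed, and the disposable-domain list holds only the example domain given on this page.

```python
import re
from collections import defaultdict

# Assumption: a firm would maintain a much larger list; this entry is the page's example.
DISPOSABLE_DOMAINS = {"temporaryemail.org"}

def norm_email(value):
    """Lowercase and drop any '+tag' so plus-addressed variants compare equal."""
    local, _, domain = value.strip().lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"

def norm_phone(value):
    """Keep digits only and drop a leading US country code."""
    digits = re.sub(r"\D", "", value)
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits

def norm_address(value):
    """Case- and punctuation-insensitive form of a street address."""
    return " ".join(re.findall(r"[a-z0-9]+", value.lower()))

NORMALIZERS = {"email": norm_email, "phone": norm_phone, "address": norm_address}

def screen(applications, existing_accounts):
    """Return {application id: [flags]} for manual review before any auto-approval."""
    index = defaultdict(set)  # (field, normalized value) -> ids of records using it
    for rec in list(existing_accounts) + list(applications):
        for field, norm in NORMALIZERS.items():
            index[(field, norm(rec[field]))].add(rec["id"])

    findings = {}
    for app in applications:
        flags = []
        if norm_email(app["email"]).rsplit("@", 1)[-1] in DISPOSABLE_DOMAINS:
            flags.append("disposable_email")
        digits = norm_phone(app["phone"])
        # 555-555-5555 and 999-999-9999 are both a single repeated digit.
        if digits and len(set(digits)) == 1:
            flags.append("placeholder_phone")
        for field, norm in NORMALIZERS.items():
            others = index[(field, norm(app[field]))] - {app["id"]}
            if others:
                flags.append(f"shared_{field}:" + ",".join(sorted(others)))
        findings[app["id"]] = flags
    return findings

# Constructed sample data (not real customers).
EXISTING = [
    {"id": "A-100", "email": "jane.doe@example.com",
     "phone": "(212) 555-0142", "address": "12 Elm St, Apt 4, Springfield"},
]
APPLICATIONS = [
    {"id": "APP-1", "email": "Jane.Doe+new@example.com",
     "phone": "212-555-0199", "address": "99 Oak Ave"},
    {"id": "APP-2", "email": "x9@temporaryemail.org",
     "phone": "555-555-5555", "address": "12 elm st apt 4 springfield"},
    {"id": "APP-3", "email": "sam@example.net",
     "phone": "646-555-0111", "address": "7 Pine Rd"},
    {"id": "APP-4", "email": "lee@example.org",
     "phone": "+1 (212) 555-0199", "address": "41 Birch Ln"},
]

if __name__ == "__main__":
    for app_id, flags in screen(APPLICATIONS, EXISTING).items():
        print(app_id, flags or "no flags")
```

Flags from a pass like this are inputs to escalation and manual review rather than grounds for automatic rejection, since household members can legitimately share an address or phone number.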

Emerging Risk: Adversarial Use of Generative Artificial Intelligence

FINRA has observed that bad actors are increasingly exploiting generative artificial intelligence (Gen AI) in ways that amplify threats to investors, firms and the securities markets: 

  • Investment Club Scams: creating text, as well as deepfake10 audio and video, to impersonate well-known finance personalities in fraudulent social media advertisements for purported investment clubs hosted on end-to-end encrypted messaging applications.
  • New Account Fraud and Account Takeovers: creating synthetic IDs, deepfake media (e.g., a photo of a Gen AI–created person holding a Gen AI–created ID) and malware to establish new fraudulent brokerage accounts, or take over customers’ brokerage accounts to conduct financial crimes (e.g., theft of funds, fraudulent ACATS transfer requests, manipulative trading, instant funds abuse).
  • Business Email Compromise: using Gen AI-enhanced social-engineering schemes to compromise firm email accounts (e.g., tailoring the text in phishing emails to appear to be written for each individual target) to trick employees into conducting fraudulent wire transfers.
  • Ransomware Attacks: conducting phishing campaigns with Gen AI-enhanced digital media (e.g., fake emails, text, and phone and video calls that appear realistic) and using Gen AI–enhanced malware to gain unauthorized access to a firm’s network, lock or exfiltrate sensitive information and extort money.
  • Imposter Scams: creating websites that impersonate firms and associated persons to lure victims into investing funds with fraudulent entities.
  • Market Manipulation: using Gen AI–created images or deepfake videos to spread false information on social media to move a company’s stock price in a direction from which the bad actors have prepositioned themselves to benefit.

Firms may consider communicating with their employees and customers about the heightened risks related to Gen AI and steps the employees and customers can take to mitigate these threats. 

For additional information, FINRA recommends these Investor Insights articles:

Additional Resources


1 Capital Acquisition Broker (CAB) Rule 331 (Anti-Money Laundering Compliance Program) applies AML compliance program requirements to Capital Acquisition Brokers.

2 31 CFR § 1023.320 requires broker-dealers to file reports of suspicious transactions (SARs) relevant to a possible violation of law or regulation—such as money laundering, fraud, or sanctions violations—to the extent and in the manner required by that regulation.

3 See 31 C.F.R. Part 1010 and 31 C.F.R. Part 1023.

4 See the Senior Investors and Trusted Contact Persons topic for additional guidance.

5 Id.

6 See FinCEN, Section 314(a) for additional guidance.

7 See FinCEN SAR Filings By Industry.

8 For additional guidance related to identifying, mitigating and preventing account takeovers and new account fraud (e.g., methods for verifying customer identities upon account opening and on an ongoing basis thereafter), see the Cybersecurity and Cyber-Enabled Fraud, and Anti-Money Laundering, Fraud and Sanctions, topics in the 2025 Report, as well as the Anti-Money Laundering, Fraud and Sanctions topic in the 2024 Report.

9 An identity verification method where applicants upload a photo or video of themselves, which is then compared with their recently submitted identity documents (See Regulatory Notice 21-18 (FINRA Shares Practices Firms Use to Protect Customers from Online Account Takeover Attempts)).

10 The term “deepfake” refers to a type of highly realistic multimedia—including text, images, sound and videos—made using machine learning, a subset of AI.