Skip to main content

Anti-Money Laundering

Regulatory Obligations and Related Considerations


Regulatory Obligations

The Bank Secrecy Act (BSA) requires firms to monitor for, detect and report suspicious activity conducted or attempted by, at, or through the firms to the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN). Firms should also be aware of the recently enacted Anti-Money Laundering Act of 2020, which may result in material revisions to the implementing regulations over time. 

FINRA Rule 3310 (Anti-Money Laundering Compliance Program) requires that members develop and implement a written anti-money laundering (AML) program reasonably designed to comply with the requirements of the BSA and its implementing regulations. Additionally, FinCEN’s Customer Due Diligence (CDD) rule requires that firms identify beneficial owners of legal entity customers, understand the nature and purpose of customer accounts, and conduct ongoing monitoring of customer accounts to identify and report suspicious transactions and—on a risk basis—update customer information.

Related Considerations

  • How does your firm’s AML compliance program address new business lines, products, customers and risks?
  • Does your firm tailor and adequately resource their AML program to the firm’s business model and associated AML risks?
  • Does your firm’s independent testing confirm that it maintains appropriate risk-based procedures for collecting and verifying customer identification information on all individuals and entities that would be considered customers under the Customer Identification Program rule, and beneficial owners of legal entity customers under the CDD rule?
  • Does your firm review the integrity of its data feeds for its surveillance and monitoring programs?
  • How does your firm coordinate with your clearing firm, including with respect to the filing of joint suspicious activity reports?
  • Does your firm document the results of its reviews and investigations into potentially suspicious activity identified by exception reports?

Exam Findings and Effective Practices


Exam Findings

  • Inadequate AML Transaction Monitoring – Not tailoring transaction monitoring to address firms’ business risk(s).
  • Limited Scope for Suspicious Activity Reports (SARs) – Not requiring staff to notify AML departments or file SARs for a range of events involving suspicious transactions, such as financial crime-related events, including but not limited to cybersecurity events, account compromises, account takeovers, new account fraud and fraudulent wires.
  • Inadequate AML Framework for Cash Management Accounts – Failing to incorporate, or account for, in their AML programs, the AML risks relating to Cash Management Accounts, including the following:
    • monitoring, investigating and reporting suspicious money movements;
    • a list of red flags in their WSPs indicative of potentially suspicious transactions; or
    • expanding or enhancing their AML compliance program resources to address Cash Management Accounts.
  • Unclear Delegation of AML Responsibilities – Non-AML staff (e.g., business line staff responsible for trade surveillance) failing to escalate suspicious activity monitoring alerts to AML departments because firms did not: (1) clearly define the activities that were being delegated; (2) articulate those delegations and related surveillance responsibilities in their WSPs; or (3) train non-AML staff on AML surveillance policies and procedures.
  • Data Integrity Gaps – Excluding certain types of data and customer accounts from monitoring programs as a result of problems with ingesting certain data, inaccuracies and missing information in data feeds.
  • Failure to Document Investigations – Not documenting initial reviews and investigations into potentially suspicious activities identified by SARs.
  • Concerns About High-Risk Trading by Foreign Legal Entity Accounts – Inadequate identification of or follow-up on increased trading by foreign legal entity accounts in similar low-float and low-priced securities, which raised concerns about potential ownership or control by similar beneficial owners.
  • Insufficient Independent Testing – Not reviewing how the firm’s AML program was implemented; not ensuring independence of the testing; and not completing tests on an annual calendar year basis.
  • Improper Reliance on Clearing Firms – Introducing firms relying primarily or entirely on their clearing firms for transaction monitoring and suspicious activity reporting, even though they are required to monitor for suspicious activity attempted or conducted through their firms.

Emerging AML and Other Financial Crime Risks

Microcap and Other Fraud
Some firms continue to engage in fraud, financial crimes and other problematic practices, such as those described in the SEC Staff Bulletin: Risks Associated with Omnibus Accounts Transacting in Low-Priced Securities, which addresses microcap and penny stock activity transacted in omnibus accounts maintained for foreign financial institutions and foreign affiliates of U.S. broker-dealers.

Issuers Based in Restricted Markets
Certain foreign national and foreign entity nominee accounts appear to have been opened solely to invest in the initial public offerings and subsequent aftermarket trading in one or more exchange-listed issuers based in restricted markets, such as China. FINRA has observed red flags that the owners of the accounts may be acting at the direction of others, multiple accounts being opened using the same foreign bank for the source of funds or multiple accounts with the same employer and same email domain. The trading activity may include multiple similar limit orders being placed by the accounts at the same time, which could be indicative of coordinated and manipulative trading of the issuers’ securities.

Risks Relating to Special Purpose Acquisition Companies (SPACs)

Some firms are engaging in the formation and initial public offerings (IPOs) of SPACs without having adequate WSPs that would require independently conducting due diligence of SPACs’ sponsors, and procedures that address other potential fraud risks, including but not limited to:

  • misrepresentations and omissions in offerings documents and communications with shareholders regarding SPAC acquisition targets, such as the prospects of the target company and its financial condition;
  • fees associated with SPAC transactions, including cash and non-cash compensation and compensation earned by affiliates;
  • control of funds raised in SPAC offerings; and
  • insider trading (where underwriters and SPAC sponsors may possess and trade around material non-public information regarding potential SPAC acquisition targets, including private placement offerings with rights of first refusal provided to certain investors prior to the acquisition).

Effective Practices

  • Customer Identification Program – Using, on a risk-basis, both documentary (such as drivers’ licenses or passports) and non-documentary methods (such as using third-party sources) to verify customers’ identities.
  • Monitoring for Fraud During Account Opening – Implementing additional precautions during account opening, including limiting automated approval of multiple accounts opened by a single customer; reviewing account application fields for repetition or commonalities among multiple applications; and using technology to detect indicators of automated scripted attacks in the digital account application process.
  • Bank Account Verification, Restrictions on Fund Transfers and Ongoing Monitoring – Confirming customers’ identities through verbal confirmation, following client verification protocols or using a third-party verification service, such as Early Warning System (EWS); monitoring of outbound money movement requests post-ACH set-up; restricting fund transfers in certain situations; and conducting ongoing monitoring of accounts.
  • Collaboration With Clearing Firms – Understanding the allocation of responsibilities between clearing and introducing firms for handling ACH transactions; and implementing policies and procedures to comply with those responsibilities.
  • AML Compliance Tests – Confirming annual AML independent tests evaluate the adequacy of firms’ AML compliance programs, review firms’ SAR reporting processes, and include sampling and transaction testing of firms’ monitoring programs.
  • Risk Assessments – Updating risk assessments based on the results of AML independent tests, audits, and changes in size or risk profile of the firms, including their businesses, registered representatives and customer account types; and using AML risk assessments to inform the focus of firms' independent AML tests.
  • Testing of Transaction Monitoring and Model Validation – Performing regular, ongoing testing and tuning of transaction monitoring models, scenarios and thresholds; and confirming the integrity of transaction monitoring data feeds and validating models (which are more frequently used at large firms).
  • Collaboration with AML Department – Increasing the likelihood that all potentially reportable events are referred to the AML department by establishing a line of communication (such as reporting and escalation processes, awareness and educational programs, regular meetings, policies and procedures, or exception reports) between the AML department and other departments that may observe potentially reportable events (such as registered representatives and client-facing teams, technology, cybersecurity, compliance, operations, trading desks and fraud departments).
  • Training Programs – Designing training programs for each of the roles and responsibilities of the AML department (as well as departments that regularly work with AML) and addressing all AML regulatory and industry developments.

Additional Resources