Anti-Money Laundering, Fraud and Sanctions
Regulatory Obligations and Related Considerations
FINRA Rule 3310 (Anti-Money Laundering Compliance Program) requires that each member firm develop and implement a written AML program that is approved in writing by senior management and is reasonably designed to achieve and monitor the firm’s compliance with the Bank Secrecy Act (BSA) and its implementing regulations.1 FINRA Rule 3310(a) requires that member firms establish and implement AML policies and procedures that can be reasonably expected to detect and cause the reporting of suspicious transactions;2 FINRA Rule 3310(c) requires that the AML program provide for independent testing for compliance each calendar year (or every two years in some specialized cases); FINRA Rule 3310(e) requires that the program provide ongoing training for appropriate personnel; and FINRA Rule 3310(f) requires that member firms’ AML programs include appropriate risk-based procedures for conducting ongoing customer due diligence.
Other requirements contained in the BSA’s implementing regulations include maintaining a Customer Identification Program (CIP); verifying the identity of legal entity customers; establishing due diligence programs to assess the money laundering risk presented by correspondent accounts maintained for foreign financial institutions; and responding to information requests from FinCEN within specified timeframes.3
Anti-Money Laundering Act of 2020
On January 1, 2021, Congress passed the FY2021 National Defense Authorization Act (NDAA), which included the Anti-Money Laundering Act of 2020 (AML Act) and, within the AML Act, the Corporate Transparency Act (CTA). Many provisions of the AML Act and the CTA require rulemaking or periodic reporting to Congress on implementation efforts, assessments and findings. Firms should stay apprised of progress being made to implement the AML Act, which is described on the FinCEN website.
- Does your firm’s AML program reasonably address the AML risks associated with its business model, including new and existing business lines, products and services offered, customers and the geographic area in which your firm operates?
- Has your firm experienced substantial growth or changes to its business? If so, has your firm’s AML program evolved alongside the business?
- Does your firm have reasonably designed AML procedures to collect identifying information and verify the identity of its customers under the CIP Rule, and the beneficial owners of its legal entity customers under the Customer Due Diligence (CDD) Rule?4
- Does your firm have reasonably designed AML procedures to detect red flags of identity theft or synthetic identity fraud in connection with account openings?
- Has your firm implemented Regulation S-ID (the SEC Identity Theft Red Flags Rule) and considered relevant identity theft red flags (particularly if your firm offers account openings online or through mobile apps)?
- Do your firm’s AML procedures recognize that suspicious activity reporting obligations may apply to any transactions conducted by, at or through your firm?
- Does your firm have reasonably designed AML procedures to identify and respond to red flags relevant to its business model, such as those detailed in:
- Regulatory Notices 19-18 (FINRA Provides Guidance to Firms Regarding Suspicious Activity Monitoring and Reporting Obligations) and 21-03 (FINRA Urges Firms to Review Their Policies and Procedures Relating to Red Flags of Potential Securities Fraud Involving Low-Priced Securities); and
- the FinCEN Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime and Frequently Asked Questions (FAQs) regarding the Reporting of Cyber-Events, Cyber-Enabled Crime, and Cyber-Related Information through Suspicious Activity Reports (SARs)?
- Does your firm have reasonably designed AML procedures to identify and respond to red flags of sanctions evasion?
- Does your firm comply with FinCEN’s guidance on reporting sanctions-related suspicious activity on Suspicious Activity Reports (SARs), including reporting information that it has not separately included in a blocking report filed with the U.S. Department of the Treasury’s (Treasury) Office of Foreign Assets Control (OFAC)?
- If your firm uses automated surveillance systems for suspicious activity detection and reporting, does your firm review the integrity of its data feeds and assess scenario parameters as needed?
- If your firm introduces customers and activity to a clearing firm, do your AML procedures reasonably address how your firm will coordinate with your clearing firm with respect to the filing of SARs?
- Has your firm established and implemented reasonable written procedures to:
- communicate cyber events to your firm’s AML department, compliance department or both;
- fulfill regulatory obligations, such as the filing of SARs; and
- inform reviews of potentially impacted customer accounts?
- Does your firm’s independent AML testing confirm that your firm has established and implemented reasonably designed procedures for customer identification and verification, customer due diligence and suspicious activity reporting?
- Does your firm maintain appropriate risk-based procedures for conducting ongoing CDD to:
- understand the nature and purpose of customer relationships; and
- conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, maintain and update customer information?
- Has your firm reviewed Treasury’s National Risk Assessments (NRAs) on Money Laundering, Terrorist Financing and Proliferation Financing, as well as FinCEN’s AML and countering the financing of terrorism priorities (AML/CFT Priorities), and considered incorporating this guidance into its risk-based AML program?
Findings and Effective Practices
Findings
- Misconstruing Obligation to Conduct CIP and CDD: Failing to recognize that certain formal relationships established with the firm to effect securities transactions are customer relationships (and, consequently, not conducting CIP or CDD as required).
- Inadequate Verification of Customer Identities: Failing to collect identifying information at the time of account opening and verify the identity of both customers and the beneficial owners of legal entity customers within a reasonable timeframe.
- Identity Theft: Failing to detect and respond to red flags of identity theft or synthetic identity fraud in connection with account opening.
Emerging Risk Area: Manipulative Trading in Small Cap IPOs
- FINRA, NASDAQ and NYSE have recently observed that initial public offerings (IPOs) for certain small cap, exchange-listed issuers may be the subject of market manipulation schemes, similar to so-called “ramp and dump” schemes.
- FINRA has observed significant unexplained price increases on the day of or shortly after the IPO of certain small cap issuers. These price increases appear to be associated with trading by apparent nominee accounts that invest in the small cap IPO and subsequently engage in apparent manipulative orders and trading activity.5
- Some of the victims of ramp and dump schemes appear to be victims of social media scams such as “pig butchering,” a scam previously associated with fraudulent crypto-related investment offerings.
- FINRA encourages firms to review Regulatory Notice 22-25 (Heightened Threat of Fraud: FINRA Alerts Firms to Recent Trend in Small Capitalization (Small Cap) IPOs) for potential indicators of these schemes and evaluate their compliance and risk management programs to confirm that they are monitoring for and addressing this threat.
- Additional findings and effective practices related to this topic can be found in the 2023 Report’s Manipulative Trading section.
- Inadequate Due Diligence: Failing to conduct initial and ongoing risk-based CDD to understand the nature and purpose of customer relationships to develop a customer risk profile, or conduct due diligence on correspondent accounts of foreign financial institutions in compliance with FINRA Rule 3310(b).
- Inadequate Ongoing Monitoring and Reporting of Suspicious Transactions:
- Failing to establish and implement written AML procedures that can reasonably be expected to detect and cause the reporting of suspicious activity.
- Failing to reasonably review for and respond to red flags associated with:
- the movement or settlement of cash or securities (e.g., wire and ACH transfers, debit card and ATM transactions, securities trading (including order entry), journal transfers);
- the member’s business operations, including activity related to high-risk products and services (e.g., cash management products and services; trading of low-priced, thinly traded securities); and
- suspicious activity introduced to the member by other FINRA member broker-dealers.
- Failing to notify the AML department of events that may require the reporting of a SAR, including cybersecurity events, account compromise or takeovers, or fraudulent wire or ACH transfers; and
- Failing to reasonably investigate inquiries from law enforcement, clearing firms, regulators or other federal and state agencies that concern red flags of suspicious activity.
- Inadequate Handling of FinCEN Information Requests: Failing to review and respond to information requests from FinCEN issued pursuant to Section 314(a) of the USA PATRIOT Act, or not doing so within the required two-week timeframe.
Emerging Risk Area: Sanctions Evasion
Since February 2022, OFAC has taken several significant sanctions actions related to the Russian financial services sector in response to Russia’s actions in Ukraine. In response, on February 25, 2022, FINRA issued Regulatory Notice 22-06 (U.S. Imposes Sanctions on Russian Entities and Individuals) to provide firms with information about these actions, and to encourage firms to continue to monitor the OFAC website for relevant information. Firms should familiarize themselves with these sanctioned entities and individuals, and take steps to comply with OFAC’s regulations. (Questions about the details of OFAC’s sanctions should be directed to OFAC at (800) 540-6322.)
On March 7, 2022, FinCEN issued alert FIN-2022-Alert001 (FinCEN Advises Increased Vigilance for Potential Russian Sanctions Evasion Attempts) to warn financial institutions of efforts to evade these sanctions and other U.S.-imposed restrictions implemented in connection with Russia’s actions in Ukraine. As FINRA has observed red flags of Russian sanctions evasion in its investigations involving activity in customer accounts (e.g., material changes in the type or volume of activity in such accounts after sanctions were announced), firms should consider how to appropriately monitor activity in customer accounts for Russian sanctions evasion.
- Inadequate Testing: Failing to conduct adequate independent testing of their AML program by:
- not providing for annual testing of the program on a calendar year basis (or every two years in specialized circumstances);
- not testing critical aspects of the AML program for reasonableness (e.g., suspicious activity detection and reporting), especially where firms have taken on new products, services or client bases that may have materially shifted the firm’s AML risk profile or situations where new threats to the industry are applicable to the firm;
- conducting testing that is not reasonably designed, such as testing that fails to consider whether AML reports and systems are accurately and reasonably capturing suspicious transactions and are reasonably tailored to the AML risks of the member’s business; and
- not confirming that persons with the requisite independence and qualifications perform the testing.
Effective Practices
- Regulatory Updates: Reviewing alerts, advisories, significant cases and other updates from the SEC, FinCEN, FINRA, and other regulators and agencies.
- Risk Assessments: Conducting formal, written AML risk assessments that are updated in appropriate situations, such as the findings of its independent AML test or other internal or external audits; changes in size or risk profile of the firm (e.g., changes to business lines, products and services, registered representatives, customers or geographic areas in which the firm operates); or material macroeconomic or geopolitical events.
- Verifying Customers’ Identities When Establishing Online Accounts: Incorporating additional methods for verifying customer identities as part of the firm’s CIP through, for example, methods such as:
- requiring both documentary (e.g., driver’s license) and non-documentary identifying information, or multiple forms of documentary information;
- asking follow-up questions or requesting additional documents based on information from credit bureaus, credit reporting agencies or digital identity intelligence (e.g., automobile and home purchases);
- contracting third-party vendors to help verify the legitimacy of suspicious information in customer applications;
- validating identifying information that applicants provide through likeness checks;6
- reviewing the IP address of:
- new online account applications for consistency with the customer’s home address; and
- transfer requests (for consistency with locations from which the firm has previously received legitimate customer communications);
- obtaining a copy of the account statement from the account slated to be transferred before sending an Automated Customer Account Transfer Service (ACATS) request;
- for delivering firms, sending notifications to account owners (e.g., “push” notifications on mobile apps, emails, phone calls), contacting any broker(s) assigned to the account, or both, when an ACATS transfer is initiated;
- ensuring that any tools used for automated customer verification are reasonably designed to detect red flags of identity theft and synthetic identity fraud;
- limiting automated approval of multiple accounts for a single customer;
- reviewing account applications for common identifiers (e.g., email address, phone number, physical address) present in other applications and in existing accounts, especially seemingly unrelated accounts; and
- reviewing account applications for use of temporary or fictitious email addresses (e.g., @temporaryemail.org) or phone numbers (e.g., 555-555-5555, 999-999-9999).
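The screening checks listed above (shared identifiers across applications and existing accounts, disposable email domains, placeholder phone numbers, IP location inconsistent with the stated home address, and repeat applications from one customer) can be run as a single pass over an onboarding batch. The following is an added example written for this page, not code from FINRA or from any vendor tool; the disposable-domain list, the placeholder phone set, the IP-prefix-to-state table and all applicant records are constructed for illustration, and a production system would replace the stub table with its geolocation feed and the lists with firm-maintained ones.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumption: a firm-maintained list of disposable / temporary e-mail domains.
DISPOSABLE_EMAIL_DOMAINS = {"temporaryemail.org", "mailinator.com", "guerrillamail.com"}
# Placeholder phone numbers of the kind cited above, after normalisation to 10 digits.
PLACEHOLDER_PHONES = {"5555555555", "9999999999", "0000000000", "1234567890"}
# Stub IP-prefix -> state table standing in for a geolocation feed (constructed;
# the prefixes are RFC 5737 documentation ranges, not real customer addresses).
IP_PREFIX_REGION = {"203.0.113.": "CA", "198.51.100.": "NY", "192.0.2.": "TX"}


@dataclass(frozen=True)
class Record:
    """A new online application or an existing account; both are indexed alike."""
    record_id: str
    ssn_last4: str
    email: str
    phone: str
    address: str
    home_state: str
    ip: str  # IP the application was submitted from


def normalize_phone(phone: str) -> str:
    """Digits only, last 10, so '+1 (212) 555-0101' and '212-555-0101' collide."""
    return re.sub(r"\D", "", phone)[-10:]


def normalize_email(email: str) -> str:
    """Lower-case, strip '+tag' suffixes and (for Gmail) dots in the local part:
    cheap ways to make one mailbox look like many distinct addresses."""
    local, _, domain = email.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    if domain in {"gmail.com", "googlemail.com"}:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def normalize_address(address: str) -> str:
    """Collapse case and punctuation so '10 Main St., Albany, NY' == '10 MAIN ST ALBANY NY'."""
    return re.sub(r"[^a-z0-9]", "", address.lower())


def region_for_ip(ip: str):
    for prefix, region in IP_PREFIX_REGION.items():
        if ip.startswith(prefix):
            return region
    return None  # unknown location: do not flag on missing data


def identifiers(rec: Record):
    return [
        ("email", normalize_email(rec.email)),
        ("phone", normalize_phone(rec.phone)),
        ("address", normalize_address(rec.address)),
        ("ssn", rec.ssn_last4),
    ]


def screen_applications(applications, existing_accounts):
    """Return {record_id: sorted list of red-flag strings} for each application."""
    # Index identifiers across existing accounts *and* the incoming batch, so two
    # applications that share an identifier with each other are caught as well.
    index = defaultdict(set)
    for rec in list(existing_accounts) + list(applications):
        for key in identifiers(rec):
            index[key].add(rec.record_id)

    results = {}
    for app in applications:
        flags = set()
        if normalize_email(app.email).rpartition("@")[2] in DISPOSABLE_EMAIL_DOMAINS:
            flags.add("disposable_email_domain")
        if normalize_phone(app.phone) in PLACEHOLDER_PHONES:
            flags.add("placeholder_phone")
        region = region_for_ip(app.ip)
        if region is not None and region != app.home_state:
            flags.add(f"ip_region_mismatch:{region}!={app.home_state}")
        for kind, value in identifiers(app):
            for other in sorted(index[(kind, value)] - {app.record_id}):
                flags.add(f"shared_{kind}_with:{other}")
        results[app.record_id] = sorted(flags)
    return results


# Constructed sample data for the example.
EXISTING_ACCOUNTS = [
    Record("ACCT-1001", "1234", "jane.doe@example.com", "212-555-0101",
           "10 Main St., Albany, NY", "NY", "198.51.100.7"),
]
NEW_APPLICATIONS = [
    # Unremarkable: unique identifiers, submitted from an IP in the stated home state.
    Record("APP-2001", "4321", "bob@example.net", "415-555-0199",
           "1 Market St, San Francisco, CA", "CA", "203.0.113.9"),
    # Re-uses the existing customer's e-mail (with a '+tag'), phone, address and
    # SSN digits, but is submitted from an IP geolocated to another state.
    Record("APP-2002", "1234", "Jane.Doe+broker@example.com", "+1 (212) 555-0101",
           "10 MAIN ST ALBANY NY", "NY", "192.0.2.44"),
    # Disposable mailbox and a placeholder phone number.
    Record("APP-2003", "9876", "throwaway@temporaryemail.org", "555-555-5555",
           "99 Nowhere Rd, Austin, TX", "TX", "192.0.2.45"),
]

if __name__ == "__main__":
    for app_id, flags in screen_applications(NEW_APPLICATIONS, EXISTING_ACCOUNTS).items():
        print(app_id, "REVIEW" if flags else "auto-approve candidate", flags)
```

The normalisation step matters more than the lists: an applicant reusing a stolen identity typically varies punctuation, casing or a `+tag` rather than the underlying identifier, so comparing raw strings misses exactly the overlaps the review is meant to surface. Anything flagged here should route to manual CIP review rather than automated approval.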
Emerging Risk Area: ACATS Fraud
As noted in Regulatory Notice 22-21 (FINRA Alerts Firms to Recent Trend in Fraudulent Transfers of Accounts Through ACATS), FINRA has observed an increased number of fraudulent transfers of customer accounts through ACATS, in which a bad actor will use the stolen identity of a legitimate customer to open an online brokerage account. Shortly after successfully opening this account—generally, within a few days or weeks—the bad actor will submit an ACATS request to transfer assets out of an account the legitimate customer holds at a different firm. Once the ACATS request is processed and the legitimate customers’ assets are transferred, the bad actor will subsequently (i.e., within a short period of time) attempt to move the ill-gotten assets to an external account at another financial institution by:
- transferring the account assets (i.e., cash and securities) to an account at another financial institution;
- liquidating the securities or a portion of the securities transferred into the new account, then transferring any realized proceeds (along with any cash that was transferred to the new account) to an account at another financial institution; or
- purchasing additional securities using the transferred cash and then transferring those securities to an account at another financial institution.
FINRA encourages firms, especially those that offer online account opening services, to confirm that their reviews of red flags of new account fraud are incorporated into their customer onboarding process.
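The pattern described in the notice is a short timeline: a newly opened account, an inbound ACATS transfer soon after, then value leaving the firm within days, either directly, after a liquidation, or after purchasing securities that are then transferred out. The detection below is an added example for this page, not FINRA's or any firm's surveillance logic; the event feed is constructed, and the two window lengths (30 days from opening to ACATS, 14 days from ACATS to exit) are illustrative assumptions, not regulatory thresholds.

```python
from dataclasses import dataclass
from datetime import date

OUTBOUND = {"WIRE_OUT", "ACH_OUT", "ACATS_OUT"}


@dataclass(frozen=True)
class Event:
    account: str
    day: date
    kind: str            # ACCOUNT_OPENED, ACATS_IN, BUY, SELL, WIRE_OUT, ACH_OUT, ACATS_OUT
    amount: float = 0.0  # USD; informational only


def detect_acats_fraud(events, max_open_to_acats_days=30, max_acats_to_exit_days=14):
    """Flag accounts that (1) were opened recently, (2) received an ACATS transfer within
    max_open_to_acats_days of opening, and (3) moved value out within
    max_acats_to_exit_days of that transfer, directly or via a sale or purchase.
    The window lengths are assumptions for this example, not regulatory thresholds."""
    by_account = {}
    for e in sorted(events, key=lambda e: (e.account, e.day)):
        by_account.setdefault(e.account, []).append(e)

    alerts = []
    for account, evs in by_account.items():
        opened = next((e.day for e in evs if e.kind == "ACCOUNT_OPENED"), None)
        if opened is None:
            continue  # no onboarding record in this feed; cannot age the account
        for i, acats in enumerate(evs):
            if acats.kind != "ACATS_IN" or (acats.day - opened).days > max_open_to_acats_days:
                continue
            window = [e for e in evs[i + 1:] if (e.day - acats.day).days <= max_acats_to_exit_days]
            exits = [e for e in window if e.kind in OUTBOUND]
            if not exits:
                continue
            first_exit = exits[0]
            # What happened between the ACATS credit and the first outbound movement
            # decides which of the three variants in the notice this matches.
            between = {e.kind for e in window if e.day <= first_exit.day}
            if "SELL" in between:
                pattern = "liquidate_then_transfer_out"
            elif "BUY" in between:
                pattern = "purchase_securities_then_transfer_out"
            else:
                pattern = "transfer_out"
            alerts.append({
                "account": account,
                "pattern": pattern,
                "days_open_to_acats": (acats.day - opened).days,
                "days_acats_to_exit": (first_exit.day - acats.day).days,
                "exit_kind": first_exit.kind,
                "exit_amount": first_exit.amount,
            })
    return alerts


# Constructed sample feed.
SAMPLE_EVENTS = [
    # ACCT-A: opened, ACATS in nine days later, partial liquidation, wire out.
    Event("ACCT-A", date(2023, 2, 1), "ACCOUNT_OPENED"),
    Event("ACCT-A", date(2023, 2, 10), "ACATS_IN", 150_000),
    Event("ACCT-A", date(2023, 2, 13), "SELL", 90_000),
    Event("ACCT-A", date(2023, 2, 14), "WIRE_OUT", 95_000),
    # ACCT-B: cash arrives via ACATS, buys securities, securities are ACATS'd out.
    Event("ACCT-B", date(2023, 3, 1), "ACCOUNT_OPENED"),
    Event("ACCT-B", date(2023, 3, 20), "ACATS_IN", 40_000),
    Event("ACCT-B", date(2023, 3, 22), "BUY", 39_500),
    Event("ACCT-B", date(2023, 3, 28), "ACATS_OUT", 39_500),
    # ACCT-C: long-standing account consolidating holdings; same exit shape, but the
    # account is years old, so it falls outside the open-to-ACATS window.
    Event("ACCT-C", date(2018, 5, 15), "ACCOUNT_OPENED"),
    Event("ACCT-C", date(2023, 3, 5), "ACATS_IN", 120_000),
    Event("ACCT-C", date(2023, 3, 8), "WIRE_OUT", 20_000),
    # ACCT-D: new account, ACATS in, no outbound movement: no alert.
    Event("ACCT-D", date(2023, 3, 1), "ACCOUNT_OPENED"),
    Event("ACCT-D", date(2023, 3, 5), "ACATS_IN", 25_000),
]

if __name__ == "__main__":
    for alert in detect_acats_fraud(SAMPLE_EVENTS):
        print(alert)
```

Because the account-age condition is what separates the fraud pattern from an ordinary customer consolidating holdings, the rule is best run at the receiving firm before the ACATS request is released, where an alert can trigger the statement request and account-owner notification listed under the effective practices above rather than a retrospective SAR alone.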
- Delegation and Communication of AML Responsibilities: Delegating AML duties to business units in the best position to detect and escalate red flags of certain suspicious activities; and establishing written escalation procedures and recurring cross-department communication between AML, compliance and relevant business unit(s).
- Training: Establishing and maintaining an AML training program for appropriate personnel that is tailored to the individuals’ roles and responsibilities, addresses industry developments impacting AML risk and regulatory developments, and, where applicable, leverages trends and findings from the firm’s QA controls and independent AML testing.
- Anti-Money Laundering (AML) Topic Page
- Anti-Money Laundering (AML) Template for Small Firms
- Frequently Asked Questions (FAQ) regarding Anti Money Laundering (AML)
- Regulatory Notice 22-25 (Heightened Threat of Fraud: FINRA Alerts Firms to Recent Trend in Small Capitalization (“Small Cap”) IPOs)
- Regulatory Notice 22-21 (FINRA Alerts Firms to Recent Trend in Fraudulent Transfers of Accounts Through ACATS)
- Regulatory Notice 22-06 (U.S. Imposes Sanctions on Russian Entities and Individuals)
- Regulatory Notice 21-36 (FINRA Encourages Firms to Consider How to Incorporate the Government-Wide Anti-Money Laundering and Countering the Financing of Terrorism Priorities Into Their AML Programs)
- Regulatory Notice 21-18 (FINRA Shares Practices Firms Use to Protect Customers from Online Account Takeover Attempts)
- Regulatory Notice 21-14 (FINRA Alerts Firms to Recent Increase in ACH “Instant Funds” Abuse)
- Regulatory Notice 21-03 (FINRA Urges Firms to Review Their Policies and Procedures Relating to Red Flags of Potential Securities Fraud Involving Low-Priced Securities)
- Regulatory Notice 20-32 (FINRA Reminds Firms to Be Aware of Fraudulent Options Trading in Connection with Potential Account Takeovers and New Account Fraud)
- Regulatory Notice 20-13 (FINRA Reminds Firms to Beware of Fraud During the Coronavirus (COVID-19) Pandemic)
- Regulatory Notice 19-18 (FINRA Provides Guidance to Firms Regarding Suspicious Activity Monitoring and Reporting Obligations)
FINRA Unscripted Podcasts
- AML Update: The Latest Trends and Effective Practices (May 2022)
- At, By or Through: Fraud in the Broker-Dealer Industry (April 2021)
- Overlapping Risks, Part 2: Anti-Money Laundering and Elder Exploitation (November 2020)
- Overlapping Risks, Part 1: Anti-Money Laundering and Cybersecurity (October 2020)
- Beyond Hollywood, Part II: AML Priorities and Best Practices (May 2019)
- Beyond Hollywood, Part I: Money Laundering in the Security Industry (April 2019)
- Anti-Money Laundering (AML) Source Tool for Broker-Dealers
- Risk Alert: Compliance Issues Related to Suspicious Activity Monitoring and Reporting
- Staff Bulletin: Risks Associated with Omnibus Accounts Transacting in Low-Priced Securities
Treasury and FinCEN Resources
- Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime
- Advisory on Cybercrime and Cyber-Enabled Crime Exploiting the Coronavirus Disease 2019 (COVID-19) Pandemic
- Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments
- Advisory on Elder Financial Exploitation
- Advisory on Kleptocracy and Foreign Public Corruption
- Alert: FinCEN Advises Increased Vigilance for Potential Russian Sanctions Evasion Attempts
- Answers to Frequently Asked Questions Regarding Suspicious Activity Reporting and Other Anti-Money Laundering Considerations
- The Anti-Money Laundering Act of 2020
- Frequently Asked Questions (FAQs) regarding the Reporting of Cyber-Events, Cyber-Enabled Crime, and Cyber-Related Information through Suspicious Activity Reports (SARs)
- FIN-2022-Alert001 (FinCEN Advises Increased Vigilance for Potential Russian Sanctions Evasion Attempts)
- FinCEN 314(a) Fact Sheet
- The SAR Activity Review, Issue 8, Section 5 “Revised Guidance on Filing Suspicious Activity Reports Relating to the Office of Foreign Assets Control List of Specially Designated Nationals and Blocked Persons” (April 2005)
Treasury NRAs on Money Laundering, Terrorist Financing and Proliferation Financing
- In March 2022, Treasury issued the 2022 NRAs on Money Laundering, Terrorist Financing and Proliferation Financing, which highlight the most significant illicit finance threats, vulnerabilities and risks facing the United States. The NRAs are an important resource that firms can use to understand the current illicit finance environment and inform their own risk mitigation strategies.
- The findings within the NRAs align with the AML/CFT Priorities FinCEN issued in June 2021.
- Financial Action Task Force: Risk-based Approach Guidance for the Securities Sector (October 2018)
- Financial Action Task Force: Money Laundering and Terrorist Financing in the Securities Sector (October 2009)
2 Broker-dealers are required to file SARs for financial crimes such as money laundering, fraud and sanctions violations in addition to other identified violations pursuant to 31 U.S.C. 5318(g) and 31 CFR § 1023.320.
3 See 31 C.F.R. Part 1010 and 31 C.F.R. Part 1023.
4 31 C.F.R. § 1023.220 requires broker-dealers to conduct CIP on their “customers.” A “customer” is defined by 31 C.F.R. § 1023.100(d) as “a person that opens a new account.” An “account” is, in turn, defined by 31 C.F.R. § 1023.100(a)(1) as a “formal relationship with a broker-dealer established to effect transactions in securities.”
Broker-dealers are also required to identify and verify the identity of the beneficial owners of their “legal entity customers” when “a new account is opened.” 31 C.F.R. § 1010.230. A “legal entity customer” is defined as a corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction that opens an account. 31 C.F.R. § 1010.230(e). As under the CIP rule, an “account” is defined as a “formal relationship with a broker-dealer established to effect transactions in securities.” 31 C.F.R. § 1010.230(c).
5 See the 2022 Report’s AML section for red flags of potentially manipulative trading associated with how investors open new accounts and trade securities of China-based issuers after the IPO is completed.