Anti-Money Laundering, Fraud and Sanctions

Regulatory Obligations and Related Considerations

Regulatory Obligations

FINRA Rule 3310 (Anti-Money Laundering Compliance Program) requires that each member firm develop and implement a written AML program that is approved in writing by senior management and is reasonably designed to achieve and monitor the firm’s compliance with the Bank Secrecy Act (BSA) and its implementing regulations.¹ FINRA Rule 3310(a) requires that member firms establish and implement AML policies and procedures that can be reasonably expected to detect and cause the reporting of suspicious transactions;² FINRA Rule 3310(c) requires that the AML program provide for independent testing for compliance each calendar year (or every two years in some specialized cases); FINRA Rule 3310(e) requires that the program provide ongoing training for appropriate personnel; and FINRA Rule 3310(f) requires that member firms’ AML programs include appropriate risk-based procedures for conducting ongoing customer due diligence.

Other requirements contained in the BSA’s implementing regulations include maintaining a Customer Identification Program (CIP); verifying the identity of legal entity customers; establishing due diligence programs to assess the money laundering risk presented by correspondent accounts maintained for foreign financial institutions; and responding to information requests from FinCEN within specified timeframes.³

Related Considerations

Scope of AML Program

• Does your firm’s AML program reasonably address the AML risks associated with its business model, including new and existing business lines, products and services offered, customers and the geographic area in which your firm operates?
• Has your firm experienced substantial growth or changes to its business? If so, has your firm’s AML program evolved alongside the business?
• Does your firm’s AML program reasonably address the AML risks associated with effecting transactions in low-priced securities, including transactions effected through omnibus accounts (particularly accounts maintained for foreign financial institutions)?

Suspicious Activity Reporting

• Do your firm’s AML procedures recognize that suspicious activity reporting obligations may apply to any transactions conducted by, at or through your firm?
• Does your firm have reasonably designed AML procedures to detect and respond to indicators of illicit activities (generally referred to as “red flags”) that are relevant to its business model, such as those detailed in:
  • Regulatory Notice 19-18 (FINRA Provides Guidance to Firms Regarding Suspicious Activity Monitoring and Reporting Obligations); and
  • Regulatory Notice 21-03 (FINRA Urges Firms to Review Their Policies and Procedures Relating to Red Flags of Potential Securities Fraud Involving Low-Priced Securities).
• Does your firm have AML policies and procedures that can be reasonably expected to respond to red flags of sanctions evasion?
• Does your firm have reasonably designed AML procedures that account for FinCEN guidance addressing when SARs should be filed in addition to Office of Foreign Assets Control (OFAC) blocking reports?⁴
• Does your firm have AML procedures reasonably designed to:
  • detect and cause the reporting of cyber events and cyber-enabled crime as detailed in the FinCEN Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime and Frequently Asked Questions (FAQs) regarding the Reporting of Cyber-Events, Cyber-Enabled Crime, and Cyber-Related Information through Suspicious Activity Reports (SARs); and
  • inform reviews of potentially impacted customer accounts?
• If your firm has determined that it is reasonable, based on your firm’s business, to use a manual review for suspicious transactions, are those reviews appropriately comprehensive, are they reasonably designed to detect suspicious patterns of transactions, and do they cover a sufficient timeframe to reasonably detect suspicious transactions?
• If your firm uses automated surveillance systems for suspicious activity detection and reporting, does it:
  • appropriately monitor trading activity and money movements conducted or attempted by, at or through your firm;
  • review the integrity of its data feeds; and
  • assess scenario parameters as needed?
• If your firm introduces customers and activity to a clearing firm, do your AML procedures reasonably address how your firm will communicate and share information with your clearing firm with respect to the filing of SARs?
• Does your firm maintain appropriate risk-based procedures for conducting ongoing Customer Due Diligence (CDD) to:
  • understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and
  • to conduct ongoing monitoring to identify and report suspicious transactions, and, on a risk basis, to maintain and update customer information?

Customer Onboarding

• Does your firm have reasonable AML procedures to collect identifying information and verify the identity of its customers under the CIP Rule, and the beneficial owners of all who are considered its legal entity customers under the CDD Rule?⁵
• Does your firm use information gathered as part of CIP and CDD to help ensure compliance with other requirements, such as OFAC regulations?
• Does your firm have AML policies and procedures that can be reasonably expected to detect identity theft or synthetic identity fraud in connection with account openings, and has your firm considered the example red flags included in Regulation S-ID?

AML Independent Testing

• Is your firm’s AML independent test performed by someone with a working knowledge of the BSA and its implementing regulations?
• Does your firm ensure that it is performing its independent AML test with the required frequency (once each calendar year for most firms)?⁶
• Does your firm’s AML independent test confirm that your firm has established and implemented reasonably designed procedures for customer identification and verification, customer due diligence and suspicious activity reporting?

Findings and Effective Practices

Findings

• Misconstruing Obligation to Conduct CIP and CDD: Failing to recognize that certain formal relationships established with the firm to effect securities transactions are customer relationships (and, consequently, not conducting CIP or CDD as required).
• Inadequate Verification of Customer Identities: Failing to collect identifying information at the time of account opening and reasonably verify the identity of customers and beneficial owners of legal entity customers with documentary and/or non-documentary methods within a reasonable timeframe.
• Inadequate Responses to Red Flags:
  • Auto-approving customer accounts despite red flags, or otherwise failing to perform a reasonable review of potential red flags associated with verifying customer identities (e.g., applicant provided a social security number that was not valid or was associated with the name of a different person, including a deceased individual).
  • Failing to have established policies and procedures that can be reasonably expected to detect identity theft or synthetic identity fraud in connection with account opening (e.g., personal identifying information does not match a consumer report or was used on another account the firm knew was fraudulent).
• Inadequate Due Diligence: Failing to conduct initial and ongoing risk-based CDD to understand the nature and purpose of customer relationships to develop a customer risk profile, or conduct due diligence on correspondent accounts of foreign financial institutions in compliance with FINRA Rule 3310(b).
• Inadequate Ongoing Monitoring and Reporting of Suspicious Transactions:
  • Failing to establish and implement written AML procedures that can reasonably be expected to detect and cause the reporting of suspicious activity.
  • Failing to reasonably review for and respond to red flags associated with:
    • orders and securities trading;
    • the movement or settlement of cash or securities (e.g., wire and Automated Clearing House (ACH) transfers, debit card and ATM transactions, securities trading (including order entry), journal transfers);
    • the member’s business operations, including activity related to high-risk products and services (e.g., cash management products and services; trading of low-priced, thinly traded securities);
    • suspicious activity introduced to the member by other FINRA member broker-dealers; and
    • orders for crypto asset trades.
  • Failing to notify the AML department of events that may require the reporting of a SAR, including cybersecurity events, account compromise or takeovers, or fraudulent wire or ACH transfers.
  • Failing to reasonably investigate inquiries from law enforcement, clearing firms, regulators or other federal and state agencies that concern red flags of suspicious activity.
• Inadequate Handling of FinCEN Information Requests: Failing to review and respond to information requests from FinCEN issued pursuant to Section 314(a) of the Patriot Act,⁷ or not doing so within the required two-week timeframe.
• Inadequate Testing: Failing to conduct adequate independent testing of their AML program by:
  • not providing for annual testing of the program on a calendar year basis (or every two years in specialized circumstances);
  • not testing critical aspects of the AML program for reasonableness (e.g., suspicious activity detection and reporting), including where firms have taken on new products, services or client bases that may have materially shifted the firm’s AML risk profile or situations where new threats to the industry are applicable to the firm;
  • conducting testing that is not reasonably designed, such as testing that fails to consider whether AML reports and systems are accurately and reasonably capturing suspicious transactions and are reasonably tailored to the AML risks of the member’s business; and
  • not confirming that persons with the requisite independence and qualifications perform the testing.

Effective Practices

• Regulatory Updates: Reviewing alerts, advisories, significant cases and other updates from the SEC, FinCEN, FINRA, OFAC, and other regulators and agencies.
• Risk Assessments: Conducting formal, written AML risk assessments that are updated in appropriate situations, such as the findings of its independent AML test or other internal or external audits; changes in size or risk profile of the firm (e.g., changes to business lines, products and services, registered representatives, customers or geographic areas in which the firm operates); or material macroeconomic or geopolitical events.
• Verifying Customers’ Identities When Establishing Online Accounts: Incorporating additional methods for verifying customer identities as part of the firm’s CIP through, for example, methods such as: 
  • requiring both documentary (e.g., driver licenses) and non-documentary identifying information, or multiple forms of documentary information;
  • asking follow-up questions or requesting additional documents based on information from credit bureaus, credit reporting agencies or digital identity intelligence (e.g., automobile and home purchases);
  • contracting third-party vendors to help verify the legitimacy of suspicious information in customer applications (e.g., cross-referencing information across multiple vendors);
  • validating identifying information that applicants provide through likeness checks;⁸
  • reviewing the IP address or other available geolocation data associated with:
    • new online account applications for consistency with the customer’s home address; and
    • transfer requests (for consistency with locations from which the firm has previously received legitimate customer communications);
  • obtaining a copy of the account statement from the account slated to be transferred before sending an Automated Customer Account Transfer Service (ACATS) request;
  • delivering firms sending notifications to account owners (e.g., “push” notifications on mobile apps, emails, phone calls), contacting any broker(s) assigned to the account or both when an ACATS transfer is initiated;
  • ensuring that any tools used for automated customer verification are reasonably designed to detect red flags of identity theft and synthetic identity fraud;
  • limiting automated approval of multiple accounts for a single customer;
  • reviewing account applications for common identifiers (e.g., email address, phone number, physical address) present in other applications and in existing accounts, especially seemingly unrelated accounts; and
  • reviewing account applications for use of temporary or fictitious email addresses (e.g., @temporaryemail.org) or phone number (e.g., 555-555-5555, 999-999-9999).

• Delegation and Communication of AML Responsibilities: Delegating AML duties to business units in the best position to conduct ongoing monitoring to identify suspicious activity; and establishing written escalation procedures and recurring cross-department communication between AML, compliance and relevant business unit(s).
• Training: Establishing and maintaining an AML training program for appropriate personnel that is tailored to the individuals’ roles and responsibilities, addresses industry developments impacting AML risk and regulatory developments, and, where applicable, leverages trends and findings from the firm’s quality assurance controls and independent AML test.

Additional Resources

• FINRA
  • Anti-Money Laundering (AML) Key Topics Page
  • Anti-Money Laundering (AML) Template for Small Firms (September 8, 2020)
  • Frequently Asked Questions (FAQ) regarding Anti Money Laundering (AML)
  • Industry Risks and Threats – Resources for Member Firms
  • SEC Identity Theft Red Flags Rule (Reg S-ID)
  • Regulatory Notices:
    • Regulatory Notice 23-06 (FINRA Shares Effective Practices to Address Risks of Fraudulent Transfers of Accounts Through ACATS)
    • Regulatory Notice 22-25 (Heightened Threat of Fraud: FINRA Alerts Firms to Recent Trend in Small Capitalization (“Small Cap”) IPOs)
    • Regulatory Notice 22-21 (FINRA Alerts Firms to Recent Trend in Fraudulent Transfers of Accounts Through ACATS)
    • Regulatory Notice 22-06 (U.S. Imposes Sanctions on Russian Entities and Individuals)
    • Regulatory Notice 21-36 (FINRA Encourages Firms to Consider How to Incorporate the Government-Wide Anti-Money Laundering and Countering the Financing of Terrorism Priorities Into Their AML Programs)
    • Regulatory Notice 21-18 (FINRA Shares Practices Firms Use to Protect Customers from Online Account Takeover Attempts)
    • Regulatory Notice 21-14 (FINRA Alerts Firms to Recent Increase in ACH “Instant Funds” Abuse)
    • Regulatory Notice 21-03 (FINRA Urges Firms to Review Their Policies and Procedures Relating to Red Flags of Potential Securities Fraud Involving Low-Priced Securities)
    • Regulatory Notice 20-32 (FINRA Reminds Firms to Be Aware of Fraudulent Options Trading in Connection with Potential Account Takeovers and New Account Fraud)
    • Regulatory Notice 20-13 (FINRA Reminds Firms to Beware of Fraud During the Coronavirus (COVID-19) Pandemic)
    • Regulatory Notice 19-18 (FINRA Provides Guidance to Firms Regarding Suspicious Activity Monitoring and Reporting Obligations)
  • FINRA Unscripted Podcasts
    • A New Twist on New Account Fraud: Detecting and Preventing ACATS Fraud (May 2, 2023)
    • AML Update: The Latest Trends and Effective Practices (May 31, 2022)
    • At, By or Through: Fraud in the Broker-Dealer Industry (April 20, 2021)
    • Overlapping Risks, Part 2: Anti-Money Laundering and Elder Exploitation (November 10, 2020)
    • Overlapping Risks, Part 1: Anti-Money Laundering and Cybersecurity (October 27, 2020)
    • Beyond Hollywood, Part II: AML Priorities and Best Practices (May 14, 2019)
    • Beyond Hollywood, Part I: Money Laundering in the Security Industry (April 30, 2019)
• SEC
  • Staff Bulletin: Risks Associated with Omnibus Accounts Transacting in Low-Priced Securities (October 17, 2023)
  • Risk Alert: Observations from Anti-Money Laundering Compliance Examinations of Broker-Dealers (July 31, 2023)
  • Anti-Money Laundering (AML) Source Tool for Broker-Dealers (May 16, 2022)
  • Risk Alert: Compliance Issues Related to Suspicious Activity Monitoring and Reporting (March 29, 2021)
• Treasury and FinCEN
  • FinCEN Alert to Financial Institutions to Counter Financing to Hamas and its Terrorist Activities (October 20, 2023)
  • FinCEN Alert on Prevalent Virtual Currency Investment Scam Commonly Known as “Pig Butchering” (September 8, 2023)
  • Advisory on Elder Financial Exploitation (June 15, 2022)
  • Advisory on Kleptocracy and Foreign Public Corruption (April 14, 2022)
  • Alert: FinCEN Advises Increased Vigilance for Potential Russian Sanctions Evasion Attempts (March 7, 2022)
  • Treasury Publishes National Risk Assessments for Money Laundering, Terrorist Financing, and Proliferation Financing (March 1, 2022)
  • The Anti-Money Laundering Act of 2020 (June 30, 2021)
  • Anti-Money Laundering and Countering the Financing of Terrorism National Priorities (June 30, 2021)
  • Answers to Frequently Asked Questions Regarding Suspicious Activity Reporting and Other Anti-Money Laundering Considerations (January 19, 2021)
  • Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments (October 1, 2020)
  • Advisory on Cybercrime and Cyber-Enabled Crime Exploiting the Coronavirus Disease 2019 (COVID-19) Pandemic (July 30, 2020)
  • FinCEN 314(a) Fact Sheet (February 26, 2019)
  • Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime (October 25, 2016)
  • Frequently Asked Questions (FAQs) regarding the Reporting of Cyber-Events, Cyber-Enabled Crime, and Cyber-Related Information through Suspicious Activity Reports (SARs) (October 25, 2016)
  • The SAR Activity Review, Issue 8, Section 5 “Revised Guidance on Filing Suspicious Activity Reports Relating to the Office of Foreign Assets Control List of Specially Designated Nationals and Blocked Persons” (April 2005)
  • Interpretive Release No. 2004–02 (Unitary Filing of Suspicious Activity) (December 23, 2004)
• Financial Action Task Force
  • Risk-based Approach Guidance for the Securities Sector (October 26, 2018)