
What to Expect: Anti-Money Laundering Reviews During Routine Examinations

This is another installment in our "What to Expect" webcast series, which focuses on key regulatory processes. In this guide that accompanies the webcast, we focus on what firms should expect from the Anti-Money Laundering reviews conducted as part of FINRA's routine examinations. We will review how FINRA examiners will check to make sure you have appropriate AML procedures in place, and you will learn what we expect of you and what you should expect from us during the AML part of an exam. As always, we welcome your thoughts and suggestions. We hope you find it helpful and that it takes some of the mystery out of FINRA's examination process.


The USA PATRIOT Act was enacted on October 26, 2001—shortly after the 9-11 terrorist attacks. The Act was designed to help prevent and detect money laundering and terrorist financing. When funds—even legitimate funds—are used to support terrorist activities, the act is known as terrorist financing.

Money laundering involves an attempt to hide or conceal the original proceeds of a crime. While money laundering is most often associated with drug trafficking, it can involve the proceeds of many crimes, including securities fraud, market manipulation, identity theft and racketeering.

AML Requirements

The PATRIOT ACT requires all broker-dealers to develop and implement an anti-money laundering (AML) compliance program that complies with the Bank Secrecy Act. Consistent with these requirements, NASD and NYSE adopted AML compliance program rules. These rules require FINRA member firms to build and implement a written AML program reasonably designed to achieve and monitor compliance with the Bank Secrecy Act and related regulations.

The Bank Secrecy Act and its regulations require that firms establish a customer identification program, as well as procedures for identifying and reporting suspicious activity. The program must also designate an AML compliance officer (whose contact information is provided to FINRA), provide ongoing training to employees and include independent testing. There are no exemptions or exceptions to the requirement to have an AML program.

These requirements apply to all FINRA member firms – regardless of size or business model, even if they do not hold customer funds.

Securities firms of all types and sizes have been money laundering victims, but AML risk varies from firm to firm. Generally, AML rules are designed to identify and stop attempts to use brokerage accounts to launder the proceeds of criminal activity or to finance terrorism. They help financial institutions focus on money-laundering risks and develop critical intelligence for law enforcement.

A robust and effectively implemented AML program is integral to a firm's overall supervision and compliance program. So, AML has been a required part of every routine exam since April 2002. This means that FINRA is responsible for reviewing a firm's compliance with AML rules during routine exams regardless of firm size or business model.

Creating a Risk-Based Program

During a routine examination, examiners will likely ask about your firm's AML program. They will expect to see that it is "risk-based" and designed to specifically mitigate your firm's money laundering risk. This allows firms to efficiently use their compliance and supervisory resources, and it provides flexibility to design an AML program customized to fit their business model and customer base.

To assess your firm's risk, start by reviewing, analyzing and understanding your firm's business and customers. Then, identify the types of risks your firm is most likely to encounter. Document this self-assessment to identify those key risk factors.

There are at least three risk categories to consider:

Client Risk

Your firm's client risk will depend on what type of clients you have and how they open their accounts. Determine if they are domestic or foreign, if they open accounts online or in person, and if they have a high net worth, are institutional customers, or are entities whose ownership structures make it difficult to discern the underlying owners.

Business Risk

For business risk, assess how easy it would be for a customer to use the products and services you offer to launder money or use your firm to commit a crime. For example, look to see if your business involves transactions in penny stocks, bearer shares or Regulation S securities. While these are all perfectly legitimate products, they are examples of securities that may be susceptible to fraud and market manipulation. Also, examine the source of funds for your client's accounts, the products held in them and whether those products are consistent with the client's stated investment objectives.

Geographic Risk

To identify geographic risks, review where the customer wants to do business along with the place the funds are coming from or going to. Also, take into account your location and the customer's location. These are just some examples of money-laundering risk categories for your firm to consider, and there are certainly more.

There is a lot of good information available to help you create your risk assessment. As a start, review those listed in the resource links section of this guide.

As your firm's business model changes or you begin to sell new products and add new services, you may need to adjust your AML program. Different products and services may present different AML risks. Your AML program should be dynamic and appropriately updated. The frequency of updates will depend on the size and complexity of your firm, and whether its business changes.

Bigger firms may have more types of customers and a wider variety of products that create unique monitoring challenges, but even small firms with few customers and standard products will likely need to periodically reassess and update their AML procedures.

Implementing an Effective Customer Identification Program

Many risks can be mitigated by an effective customer identification program (CIP). This includes your customer due diligence or "Know your Customer" processes. So, FINRA examiners will also closely review this area.

FINRA wants to see what your firm does beyond simply complying with SEC and FINRA Books and Records rules. FINRA expects your firm to have procedures to determine when you need to go above and beyond the basic customer identification process. Your examiner will review these procedures and check to see that your firm has followed them. For example, if you deal with customers such as off-shore trusts, your procedures may include additional due diligence to obtain information about the account's beneficial owners.

Your firm's CIP should also show how you gather information about your customers based on your firm's risk assessment. The acceptable and manageable level of risk varies for each firm. For example, firms with a long history of working with institutional customers may feel very comfortable continuing to do so. But other firms that lack experience or need additional resources to conduct proper due diligence may not. Some firms may decide they can mitigate high-risk accounts with heightened transaction monitoring.

One of the biggest challenges in implementing CIP is knowing how much due diligence is required. Risk-based program regulations generally do not specify how much information you need. No amount of information will reduce the risk to zero, so you need to decide when you have enough to be comfortable with the customer and the account.

Be sure to note that just because a customer is a registered representative's personal acquaintance, this does not satisfy CIP verification requirements. But, the risk-based approach is flexible enough to make identity verification for personal acquaintances as unobtrusive as possible. For example, if the customer is a relative or a close personal friend of the registered representative, the firm may not require more than the minimum verification required by the rules, such as checking her driver's license. However, the verification that is undertaken must still be documented.

Also, even if your firm only does business in private placements and does not handle funds or securities, it must still follow CIP for all new customer accounts. For purposes of CIP, an account is a formal relationship with a broker-dealer established to effect transactions in securities. So, this broad definition may cover more than what one traditionally thinks of as a "customer account."

Reporting Suspicious Activities

Another key part of the AML rules requires firms to identify and report any "suspicious activity" that may indicate potential money-laundering problems. FINRA examiners will expect to see that you have procedures in place to do this. They will also expect to see that those procedures are implemented.

Identifying suspicious activity can be a challenge. It generally is any unusual activity by, at or through an account that has no reasonable explanation. It can include sudden and major movements of money to and from the account, activity that does not make business or economic sense, or is inconsistent with the client's previous or expected transactions. It can also include activity that suggests market manipulation, penny stock fraud, insider trading or other securities fraud.

Your firm can make best use of its resources by using the risk assessment process mentioned earlier to identify its own particular set of risks and then focus its monitoring. Firms should determine which "red flags," or indications of possible suspicious activity, apply to their business. For instance, if a broker-dealer has significant over-the-counter business, monitoring might include reviewing physical certificates, securities journals and accounts that have the appearance of churning. The firm could also use news filters to identify parties with a negative history. In contrast, a private placement firm may find that front-line controls focused on verifying the customer work better.

Remember, finding a red flag does not automatically mean the firm should file a Suspicious Activity Report for the Securities and Futures Industry (SAR-SF). It does mean, however, that the firm should follow up and ask the necessary questions to find out if there is a reasonable and legitimate explanation.

If you are using automated systems, FINRA examiners will look to see if your thresholds are producing meaningful results, how those thresholds are derived, and what quality assurance efforts you have to ensure that your monitoring is appropriate. If you use a manual system, FINRA examiners will review to see if key staff are properly trained to identify suspicious activity. Whether you file a SAR-SF or not, remember to document whatever process you use to review and analyze transactions for suspicious activity reporting.

There are a few exemptions from performing customer identification, such as customers that are publicly traded companies on the New York Stock Exchange, NASDAQ or AMEX. It's important to remember that even for customers who are exempt from CIP, firms must still monitor those customers' activities for anything suspicious and report them when necessary. Whatever monitoring procedures you have in place to do this, be sure to review and update them on a regular basis.

Submitting Accurate and Timely SAR-SFs

FINRA examiners will also look to see if your firm has instituted a strong system for submitting accurate and timely SAR-SFs. You do not have to know nor be able to prove possible unlawful activity—you just need to determine that activity appears "suspicious" under the rule. Once this is done, a SAR-SF report must be filed within 30 days. This countdown begins once the firm determines that the activity is "suspicious"—not 30 days after the firm initially spots a red flag.

Examiners will also look to see if the firm has procedures in place for escalating, analyzing and reporting potential suspicious activity in a timely manner. It's important that your firm have an appropriate staffing model for its size and the number of accounts it handles. If your firm lacks staff or they are undertrained, your firm may have trouble filing accurate and timely suspicious activity reports.

When preparing a SAR-SF, keep in mind that your intended audience is law enforcement. So, be sure to cover the full spectrum of who, what, when, where, and most importantly, why you think the transaction is suspicious. Write in plain English, because law enforcement agents may not know securities terminology. If your firm determines not to file a SAR-SF, carefully document that decision. Look at the rationale and the steps taken to reach that conclusion. You may need to show your examiner that your determination was reasonable.
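The following is an added illustration, not part of this guide, of how the review workflow described above could be modelled in an automated monitoring system: red flags are raised against constructed sample transfers, a review case is opened, and the 30-day SAR-SF clock runs from the firm's "suspicious" determination rather than from the first red flag, while a decision not to file is recorded with its rationale. The account, transfer and case structures, the threshold multiple and the pass-through window are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

@dataclass
class Account:
    acct_id: str
    expected_monthly_flow: float  # assumed: taken from CIP/account-opening information

@dataclass
class Transfer:
    acct_id: str
    day: date
    amount: float  # positive = inbound, negative = outbound

@dataclass
class ReviewCase:
    acct_id: str
    red_flags: List[str]
    determination: str = "open"  # "open" | "suspicious" | "no_file"
    determined_on: Optional[date] = None
    rationale: str = ""  # documented whether or not a SAR-SF is filed

    def sar_deadline(self) -> Optional[date]:
        # The 30-day countdown starts at the determination, not at the first red flag.
        if self.determination != "suspicious" or self.determined_on is None:
            return None
        return self.determined_on + timedelta(days=30)

def find_red_flags(account: Account, transfers: List[Transfer],
                   multiple: float = 5.0, window_days: int = 3) -> List[str]:
    """Flag sudden major movements and rapid in-then-out of similar size (assumed rules)."""
    flags = []
    mine = sorted((t for t in transfers if t.acct_id == account.acct_id), key=lambda t: t.day)
    for t in mine:
        if abs(t.amount) >= multiple * account.expected_monthly_flow:
            flags.append(f"{t.day}: {t.amount:+.0f} exceeds {multiple:g}x expected monthly flow")
    for i, t in enumerate(mine):
        if t.amount <= 0:
            continue
        for u in mine[i + 1:]:
            if (u.day - t.day).days <= window_days and u.amount < 0 \
                    and abs(abs(u.amount) - t.amount) <= 0.1 * t.amount:
                flags.append(f"{t.day}/{u.day}: pass-through {t.amount:+.0f} then {u.amount:+.0f}")
    return flags

def open_case(account: Account, transfers: List[Transfer]) -> Optional[ReviewCase]:
    # A red flag opens a review; it does not by itself trigger a SAR-SF filing.
    flags = find_red_flags(account, transfers)
    return ReviewCase(account.acct_id, flags) if flags else None

def record_determination(case: ReviewCase, determination: str, on: date, rationale: str) -> ReviewCase:
    case.determination, case.determined_on, case.rationale = determination, on, rationale
    return case
```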

Preparing a SAR-SF

  • Be sure to answer – who, what, when, where and why.
  • Write in plain English; avoid industry jargon.
  • Document your decision-making process.

Conducting Independent Testing

It helps to have an unbiased person evaluate your firm's anti-money laundering program to find weaknesses and provide opportunities for improvement. Therefore, FINRA's AML rules require the vast majority of firms to conduct independent testing of their AML program at least once a year. A few kinds of firms—for example, those that do not execute transactions for customers or otherwise hold customer accounts—can test every two years.

A firm's independent testing is crucial because it helps determine whether the AML program functions as intended and provides a chance to identify and fix weaknesses and adjust the program. FINRA expects that you will perform a robust review of both your procedures and their implementation. As part of this, you should do some sampling to ensure you know how your procedures are actually implemented.

Independent testing may be conducted by an employee of your firm or a qualified outside party, provided certain criteria are met. Among them, the person must know the applicable requirements of the Bank Secrecy Act and its implementing regulations. The person should neither be one who performs the AML functions being tested, nor any designated AML compliance person or a person who reports to either one.

Firms that lack the personnel for this may qualify for an exception. If your firm does, make sure to document how your firm qualifies for it and establish appropriate procedures to address potential conflicts, following FINRA's Independent Testing Requirements. Those requirements can be found in Interpretive Material 3011-1. You can find a link to it in the resource links section of this guide.

FINRA examiners will bring deficiencies they find to your attention during the exam. If they do, identify and explain to them the remedies you plan to put in place. Hopefully, your independent testing already caught any deficiencies so that you were able to address them, or at least establish a plan for addressing them, before they are pointed out by FINRA examiners.

Tips for Meeting AML Compliance Obligations

  • Designate specific officers to oversee your firm's program, and provide for ongoing training at least once each year
    Your firm must designate one or more people to oversee, implement and monitor the day-to-day operations of your anti-money laundering program.
  • Provide FINRA with contact information for your AML officer or officers
    You can update your firm's contact information by following the link in the resources section of this guide. You should update this information immediately if it changes.
  • Assess the risks your firm faces – customer, business and geographic
    FINRA expects your firm to implement strong procedures in a risk-based framework, including rigorous programs for Customer Identification and Suspicious Activity Reporting.
  • Establish and test your AML compliance program
    Your firm should establish and test a program that maximizes the likelihood that customers will be appropriately identified and red flags will be detected, followed up on and, if appropriate, reported. Most firms need to independently review this program at least once a year.