Frequently Asked Questions (FAQ) regarding Anti-Money Laundering (AML)
For further information on Anti-Money Laundering requirements, please visit the FINRA Anti-Money Laundering (AML) page.
1. What is an AML Compliance Program required to have?
The Bank Secrecy Act, among other things, requires financial institutions, including broker-dealers, to develop and implement AML compliance programs. Members are also governed by the anti-money laundering rule in FINRA Rule 3310.
FINRA Rule 3310 sets forth minimum standards for broker-dealers' AML compliance programs. It requires firms to develop and implement a written AML compliance program. The program has to be approved in writing by a member of senior management and be reasonably designed to achieve and monitor the member's ongoing compliance with the requirements of the Bank Secrecy Act and the implementing regulations promulgated thereunder. Consistent with the Bank Secrecy Act, FINRA Rule 3310 also requires firms, at a minimum, to:
- establish and implement policies and procedures that can be reasonably expected to detect and cause the reporting of suspicious transactions;
- establish and implement policies, procedures, and internal controls reasonably designed to achieve compliance with the Bank Secrecy Act and implementing regulations;
- provide for annual (on a calendar-year basis) independent testing for compliance to be conducted by member personnel or by a qualified outside party. If the firm does not execute transactions with customers or otherwise hold customer accounts or act as an introducing broker with respect to customer accounts (e.g. engages solely in proprietary trading or conducts business only with other broker-dealers), the independent testing is required every two years (on a calendar-year basis);
- designate and identify to FINRA (by name, title, mailing address, e-mail address, telephone number, and facsimile number) an individual or individuals responsible for implementing and monitoring the day-to-day operations and internal controls of the program. Such individual or individuals are associated persons of the firm with respect to functions undertaken on behalf of the firm. Each member must review and, if necessary, update the information regarding a change to its AML compliance person within 30 days following the change and verify such information within 17 business days after the end of each calendar year;
- provide ongoing training for appropriate personnel; and,
- include appropriate risk-based procedures for conducting ongoing customer due diligence, including (i) understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and (ii) conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information, including information regarding the beneficial owners of legal entity customers.
2. Are all broker-dealers subject to the Bank Secrecy Act?
Yes. The Bank Secrecy Act applies to all broker-dealers. There are no exceptions. Firms should recognize, however, that AML compliance programs can and should be tailored to fit their business and risks, considering factors such as size, location, business activities, the types of accounts they maintain, and the types of transactions in which their customers engage.
3. FINRA Rule 3310 requires that a firm's AML program be approved in writing by a member of senior management. Does a member of senior management also have to approve any subsequent material changes to the AML program?
Yes. A member of senior management should approve any subsequent material changes to the firm's AML program. Additionally, if there is a change in senior management, the AML program should be re-approved by the new management.
Designation of an AML Compliance Person
4. Does the AML compliance person have to be a registered principal?
Under FINRA rules, a member’s compliance personnel are required to be registered if they are performing a function that expressly requires registration. For instance, FINRA Rule 1220(a)(3) requires that each person designated as a Chief Compliance Officer as specified in FINRA Rule 3130 must register with FINRA as a Compliance Officer. Neither the Bank Secrecy Act nor FINRA Rule 3310 expressly require designated AML compliance persons to be registered with FINRA. To the extent that a designated AML compliance person is engaged in other activities or functions, firms should review the applicable FINRA rules to determine whether such other activities or functions require registration.
While the designated AML compliance person is not required to be a registered person solely as a result of serving that function, some firms may choose to register such individuals. Firms should also note that, regardless of the designated AML compliance officer’s registration status, such individuals are considered associated persons. (See NASD Notice to Members 02-80, fn.5; NASD Notice to Members 06-07.)
5. What information do members have to provide regarding their AML compliance person, and how should this information be provided to FINRA?
Members are required to provide to FINRA the name, title, mailing address, email address, telephone number, and facsimile number of the AML compliance person. FINRA collects the contact information for the AML compliance person through Contacts in FINRA Gateway. Members may also optionally provide the same contact information for an alternate AML compliance person.
FINRA Rule 3310.02 requires members to review and, if necessary, update the contact information for its AML compliance person in the manner prescribed by FINRA Rule 4517. FINRA Rule 4517 requires firms, via Contacts in Firm Gateway, to update designated contact information promptly, but in any event no later than 30 days following any change in the contact information. In addition, firms must review and, if necessary, update their required contact information within 17 business days after the end of each calendar year.
Customer Identification Program Requirements
6. Have the customer identification requirements for opening a DVP account been established?
Customer identification requirements in 31 CFR 1023.220 apply to all customers opening a new account as those terms are defined in the Bank Secrecy Act and implementing regulations, including DVP accounts. Firms may use documentary, non-documentary or a combination of both methods to verify the identity of DVP accounts. The documents that may be used can vary widely including, but not limited to, certified articles of incorporation, government-issued business licenses, partnership agreements, or trust formation records. Some firms use outside vendors to conduct non-documentary verification on DVP accounts. Depending on the nature of the account and the risks associated with it, firms may conduct additional due diligence on these types of accounts and obtain information on the beneficial owners. See FinCEN’s Guidance on Obtaining and Retaining Beneficial Ownership Information and SIFMA’s suggested due diligence practices for hedge funds for additional information.
7. What are the CIP rule's recordkeeping requirements?
A CIP must include procedures for making and maintaining a record of all information obtained to verify a customer's identity. At a minimum, the record must include all the identifying information gathered by the firm about a customer.
With regard to verification, a firm's records must contain a description of any document that was relied on to verify the customer's identity, noting the type of document, any identification number contained in the document, the place of issuance, and, if any, the date of issuance and expiration date.
With respect to non-documentary verification, the rule requires that records contain a description of the methods and the results of any measures undertaken to verify the identity of a customer.
Finally, the rule requires, with respect to any method of verification chosen, a description of the resolution of each substantive discrepancy discovered when verifying the identifying information obtained. (See NASD Notice to Members 03-34.)
8. How long must a firm retain customer identification records?
A broker-dealer must retain records of all of the identification information obtained from the customer for five years after the account is closed. In addition, records made about information that verifies a customer's identity only have to be retained for five years after the record is made. In all other respects, the records must be maintained pursuant to the provisions of SEC Rule 17a-4. (See NASD Notice to Members 03-34.)
9. How is "account" defined in the CIP rule?
The final rule defines an "account" as a formal relationship with a broker-dealer established to effect transactions in securities, including, but not limited to, the purchase or sale of securities, securities loaned and borrowed activity, and the holding of securities or other assets for safekeeping or as collateral.
Importantly, the final rule contains two exclusions from the definition of "account." The definition excludes: (a) an account that the broker-dealer acquires through any acquisition, merger, purchase of assets, or assumption of liabilities; and (b) an account opened for the purpose of participating in an employee benefit plan established under the Employee Retirement Income Security Act of 1974 ("ERISA").
The Adopting Release explains that in acquisitions, mergers, purchases of assets, or assumptions of liabilities, customers do not initiate these transfers and, therefore, the accounts do not fall within the scope of Section 326 of the USA PATRIOT Act. In addition, transfers of accounts that result from an introducing broker-dealer changing its clearing firm would fall within this exclusion.
As initially proposed, the definition of "account" contained several examples of types of accounts that would be covered including cash accounts, margin accounts, prime brokerage accounts, and accounts established to engage in securities repurchase transactions. The Adopting Release notes that these types of accounts remain "accounts" for purposes of the final rule, but the final rule does not specifically include them as examples to clarify that the list is not exhaustive.
10. Who is a "customer" for purposes of the CIP rule?
The CIP rule defines "customer" as: (a) a person that opens a new account; and (b) an individual who opens a new account for an individual who lacks legal capacity or for an entity that is not a legal person.
Under this definition, "customer" does not refer to persons who fill out account opening paperwork or who provide information necessary to set up an account, if such persons are not the accountholder as well. FinCEN has also determined that a fully-disclosed introduced account is not a customer of the clearing firm for CIP purposes so long as the firms enter into a clearing agreement under which the functions of opening and approving customer accounts and directly receiving and accepting orders from the introduced customer will be allocated exclusively to the introducing firm and the function of extending credit, safeguarding funds and securities and issuing confirmations and statements will be allocated to the clearing firm. The introducing broker is a customer of the clearing firm, although a registered US broker-dealer is exempt from CIP. However, the clearing firm should perform due diligence to determine the risk of its introducing brokers. In addition, clearing firms still have responsibility to identify, monitor and report suspicious activity of its introducing brokers and introduced accounts
See FinCEN guidance FIN-2008-G002 (March 4, 2008).
11. What are the CIP requirements if the customer is a trust or omnibus account?
A broker-dealer is generally not required to look through a trust or similar account to its beneficiaries, and is required only to verify the identity of the named accountholder.
Similarly, with respect to an omnibus account established by an intermediary, a broker-dealer is generally not required to look through the intermediary to the underlying beneficial owners, if the intermediary is identified as the accountholder.
However, a broker-dealer’s AML program must be risk based. If an account, even an omnibus or a trust account, is determined to be higher risk, the firm may require additional information, including identification of the beneficial owners of the account to mitigate that risk. Certain types of private banking accounts for non U.S. persons also require a firm to obtain information on the account's beneficial owners.
(See Guidance from the Staffs of the Department of the Treasury and the U.S. Securities and Exchange Commission, October 1, 2003 and 31 CFR 1010.620 and FinCEN's Joint Guidance on Obtaining and Retaining Beneficial Ownership Information.)
12. Is it appropriate to rely on the fact that a potential customer is a personal acquaintance of a registered representative to meet identity verification obligations?
No. The Adopting Release states that it would be inappropriate to provide special treatment to personal acquaintances. In addition, the Adopting Release notes that the rule is sufficiently flexible to make identity verification for personal acquaintances as unobtrusive as possible.
13. Is there a requirement to verify the identity of those with trading authority over an account?
The CIP rule does not include persons with trading authority over accounts in the definition of "customer." Accordingly, the broker-dealer does not have to verify those individuals' identities. However, the rule recognizes that situations may arise where a broker-dealer will have to take extra steps to verify the identity of those with trading authority. In these instances, a CIP is required to address situations where the broker-dealer will take additional steps to verify the identity of a customer that is not an individual by seeking information about individuals with authority or control over the account in order to verify the customer's identity. (See 31 CFR 1023.220 (a)(2)(ii)(C).) Additionally, the broker-dealer must consider FINRA Rule 4512(a)(1)(E) in that if the customer is a corporation, partnership or other legal entity, the names of any persons authorized to transact business on behalf of the entity must be obtained.
14. Can a firm rely on the performance by another financial institution for some or all of the elements of a firm's CIP?
The CIP rule acknowledges that there may be circumstances in which a firm may be able to rely on the performance by another financial institution of some or all of the elements of a firm's CIP. Therefore, the rule provides that a CIP may include procedures specifying when the broker-dealer will rely on the performance by another financial institution (including an affiliate) of any procedures of the broker-dealer's CIP, with respect to any customer of the broker-dealer that is opening an account or has established an account or similar business relationship with the other financial institution to provide or engage in services, dealings, or other financial transactions.
In order for a broker-dealer to rely on another financial institution, the following requirements must be met:
- Reliance must be reasonable under the circumstances.
- The other financial institution must be subject to a rule implementing the anti-money laundering compliance program requirements of the Bank Secrecy Act and be regulated by a Federal functional regulator.
- The other financial institution must enter into a contract requiring it to certify annually to the broker-dealer that it has implemented its anti-money laundering program, and that it will perform (or its agent will perform) specified requirements of the broker-dealer's CIP.
The Adopting Release notes that the contract and certification will provide a standard means for a firm to demonstrate the extent to which it is relying on another financial institution to perform its CIP, and that the other institution has agreed to perform those functions. If it is not clear from these documents, a broker-dealer must be able to otherwise demonstrate when it is relying on another financial institution to perform its CIP with respect to a particular customer. A broker-dealer will not be held responsible for the failure of the other financial institution to fulfill adequately the broker-dealer's CIP responsibilities, provided that the broker-dealer has complied with the requirements above. If they do not, then the broker-dealer remains solely responsible for applying its own CIP to each customer in accordance with the rule. (See NASD Notice to Members 03-34 and the Adopting Release for the broker-dealer CIP rule.)
Notwithstanding the requirement that the other financial institution must be subject to a rule implementing the anti-money laundering compliance program requirements of the Bank Secrecy Act, the SEC staff has provided no-action relief to firms that treat a registered investment adviser as if it were so subject for purposes of paragraph (a)(6) of the CIP rule or paragraph (j) of the portion of the customer due diligence rule that addresses beneficial ownership requirements for legal entity customers, 31 CFR 1010.230 ("Beneficial Ownership Requirements"). The no-action relief is conditioned on meeting the other provisions of the CIP rule and the Beneficial Ownership Requirements, respectively, as well as the other conditions described in the no-action relief.
The current No-Action letter extends the relief until December 9, 2022. It can be accessed at https://www.sec.gov/divisions/marketreg/mr-noaction/2020/sifma-120920-17a8.pdf.
15. What is a "reasonable time" to verify customers' identities before or after the customer's account is opened?
The term "reasonable time" is not defined by the rule. The Adopting Release emphasizes that broker-dealers must reasonably exercise the flexibility to undertake verification before or after an account is opened. The amount of time may depend on various factors, which are part of a firm's risk assessment.
16. Are there situations where firms may need to implement additional verification steps?
The CIP rule includes a provision regarding additional verification for certain customers. The Adopting Release explains that, while firms may be able to verify the majority of customers adequately through documentary and non-documentary methods, there may be instances where those methods are inadequate. The risk that a firm may not know the customer's true identity may be heightened for certain types of accounts, such as an on-line account, an account opened in the name of a corporation, partnership, or trust that is created or conducts substantial business in a jurisdiction that has been designated by the U.S. as a primary money laundering concern or has been designated as non-cooperative by an international body, or a tax haven. Treasury and the SEC emphasize that a firm must take further steps to identify customers that pose a heightened risk of not being properly identified. A firm's CIP must include additional measures that may be used to obtain information about the identity of the individuals associated with the customer when standard documentary methods prove to be insufficient.
For example, the rule (31 CFR 1023.220(a)(2)(ii)(C)) requires that a CIP address situations where, based on the broker-dealer's risk assessment of a new account opened by a customer that is not an individual, the broker-dealer will obtain information about individuals with authority or control over such account. This verification method applies only when the broker-dealer cannot verify the customer's true identity using documentary and non-documentary verification methods. In addition, a broker-dealer should consider obtaining information concerning the beneficial owners of higher risk accounts. (See NASD Notice to Members 03-34, the Adopting Release for the broker-dealer CIP rule, and Joint Guidance on Obtaining and Retaining Beneficial Ownership Information.)
17. How does risk assessment fit into a firm's CIP?
The appropriate procedures for the verification aspect of a CIP are governed by a risk-based assessment. A CIP must include risk-based procedures for verifying the identity of each customer to the extent reasonable and practicable. The procedures must be based on the broker-dealer's assessment of the relevant risks, including those presented by the various types of accounts maintained by the broker-dealer, the various methods of opening accounts, the various types of identifying information available and the broker-dealer's size, location and customer base.
Treasury and the SEC recommend that firms analyze whether there is a logical consistency between the identifying information provided, such as the customer's name, street address, zip code, telephone number (if provided), date of birth, and Social Security number (e.g., zip code and city/state are consistent).
18. Is there a regulation or guidance that requires member firms to obtain information on the source of account funding? For example, for entity accounts, such as a foundation, charity, or non-profit, would regulators expect to see member firms document the source of funds as part of its CIP requirements or general account due diligence, or would this be a best practice based on the firm's risk assessment of the account/entity?
In order to implement a properly risk-based AML compliance program, a member firm may document the source of funds as part of general account due diligence based on the firm’s risk assessment of the account or the entity. Except in the case of private banking accounts, there is no specific regulation or guidance that requires member firms to obtain information on the source of account funding.
For private banking accounts established for non-U.S. persons, which are specifically defined in the Bank Secrecy Act as accounts with a $1,000,000 minimum aggregate deposit requirement and the assignment of a liaison for the account, the member firm must “ascertain the source(s) of funds deposited into a private banking account and the purpose and expected use of the account.” See 31 CFR 1010.620.
19. How can we obtain the Customer Identification Program Notice in card form?
FINRA has produced a Customer Identification Program Notice to assist members in fulfilling the notification requirement in the CIP Rule. This Notice replaces the NASD AML Statement Stuffer that many firms have distributed to their customers. FINRA will print the Notice in bulk at the member's cost. Visit our AML web page for information on how to order the Notice.
Suspicious Activity Reporting
20. Are there any exceptions from the SAR reporting requirement?
Yes. The rule contains three exceptions from reporting violations otherwise reported to various law enforcement authorities. They are:
- a robbery or burglary that is reported by the broker-dealer to appropriate law enforcement authorities;
- lost, missing, counterfeit, or stolen securities that are reported by the broker-dealer pursuant to Rule 17f-1 under the Securities Exchange Act of 1934; and
- a violation of the federal securities laws or rules of a self-regulatory organization by the broker-dealer, its officers, directors, employees, or registered representatives, that is reported appropriately to the SEC or a self-regulatory organization ("SRO"), except for a violation of Rule 17a-8 under the Securities Exchange Act of 1934, which must be reported on a SAR.
See 31 CFR 1023.320(c).
21. Should broker-dealers reject third party wires? If not, what due diligence should be followed before accepting them?
There is no requirement that broker-dealers reject third party wires; however, FINRA Rule 3110(c)(2)(A)(iv) requires, if applicable to the location being inspected, that internal inspection reports include, without limitation, the testing and verification of policies and procedures related to, among other things, transmittals of funds (e.g. wires or checks, etc.) or securities from customers to third party accounts; from customer accounts to outside entities (e.g., banks, investment companies, etc.); from customer accounts to locations other than a customer's primary residence (e.g., post office box, “in care of” accounts, alternate address, etc.); and between customers and registered representatives, including the hand-delivery of checks. Additionally, third party wires and journals are identified as possible money laundering "red flags" in Regulatory Notice 19-18. These types of red flags may warrant additional due diligence by the broker-dealer before proceeding with the transaction. The broker-dealer's AML procedures should address these types of red flags, how red flags will be detected, and what due diligence and actions will be performed if such red flags are detected. The broker-dealer should maintain evidence of any due diligence performed. There is not any specific due diligence required, so the broker-dealer should assess the risk of the customer and the transaction and conduct appropriate due diligence to determine whether or not the transaction is suspicious and thus reportable on a SAR. Examples of due diligence could include, but not be limited to, contacting the customer, getting a signed Letter of Authorization from the customer, and/or obtaining a written statement from the customer regarding the reason for the third party wire. If the customer's explanation is not reasonable or does not make business sense, the broker-dealer may want to consider whether they are comfortable with the risk associated with the transaction and whether it should file a SAR.
22. Can an introducing or clearing firm be relieved of AML obligations to the extent that the other is monitoring for suspicious activities?
No. While a clearing firm can provide tools to help the introducing firm monitor its accounts for potential suspicious activity, all broker-dealers have an independent responsibility to comply with the suspicious activity reporting requirements. Introducing and clearing firms are both responsible for filing SARs for suspicious transactions "conducted or attempted by, at, or through" the firm. Introducing and clearing brokers involved in the same transaction may, but are not required to, file a SAR jointly as long as it includes all relevant facts about the transactions and is otherwise permissible under the law. For example, a SAR filed by the clearing firm in which the introducing broker is the subject could not be shared.
23. Are there any tools available to help my firm search the U.S. Treasury's Office of Foreign Asset Control's (OFAC) "Specially Designated Nationals and Blocked Persons" (SDN) list?
FINRA offers a method of searching the OFAC SDN list. The FINRA OFAC Search Tool is one option for members to consider using to comply with OFAC economic sanctions. The search tool also includes the Palestinian Legislative Council List. For further information regarding your obligations under the OFAC regulations, please consult the OFAC website.
Specific securities industry guidance from OFAC can be found at the following links:
- Risk Factors for OFAC Compliance in the Securities Industry
- Opening Securities and Futures Accounts from an OFAC Perspective
- OFAC Compliance in the Securities and Investment Sector, Journal of Investment Compliance, September 2012
There are many other services available offering search capabilities.