AML Compliance
Bank Secrecy Act and USA PATRIOT Act
Anti-money laundering (AML) compliance is one of the most critical supervisory responsibilities of a General Securities Principal. The foundation of AML compliance rests on two major pieces of federal legislation: the Bank Secrecy Act (BSA) enacted in 1970, and the USA PATRIOT Act enacted in 2001. Together, these laws establish a comprehensive framework requiring financial institutions, including broker-dealers, to implement programs designed to detect and prevent money laundering and terrorist financing.
The Bank Secrecy Act requires financial institutions to maintain records and file reports that have been determined to have a high degree of usefulness in criminal, tax, and regulatory investigations. Key BSA requirements include currency transaction reporting, suspicious activity reporting, and record retention. The BSA essentially transformed financial institutions into gatekeepers of the financial system, requiring them to serve as the first line of defense against money laundering.
The USA PATRIOT Act, passed in response to the September 11, 2001 terrorist attacks, significantly expanded AML requirements. Title III of the PATRIOT Act, the International Money Laundering Abatement and Financial Anti-Terrorism Act of 2001, added several critical requirements for broker-dealers, including mandatory Customer Identification Programs (CIP), enhanced due diligence for certain accounts (notably private banking and foreign correspondent accounts), a prohibition on correspondent accounts for foreign shell banks, and "special measures" that Treasury may impose on jurisdictions, institutions, or transactions of primary money laundering concern.
Definition
Money Laundering: The process of making illegally-gained proceeds (dirty money) appear legal (clean). Money laundering typically involves three stages: placement (introducing illicit funds into the financial system), layering (creating complex layers of transactions to obscure the source), and integration (making the laundered funds appear legitimate).
FinCEN's Role
The Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury, administers the Bank Secrecy Act and issues its implementing regulations. FinCEN collects and analyzes the reports it receives to combat money laundering, terrorist financing, and other financial crimes. All Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs) are filed with FinCEN. Broker-dealers must comply with FinCEN's regulations, which are codified at 31 CFR Chapter X; the provisions specific to broker-dealers are in 31 CFR Part 1023.
FINRA Rule 3310: AML Compliance Program
FINRA Rule 3310 requires every member firm to develop and implement a written anti-money laundering program approved in writing by senior management. The AML program must be reasonably designed to achieve and monitor the member's compliance with the Bank Secrecy Act and the implementing regulations promulgated by FinCEN. This is not optional—every broker-dealer registered with FINRA must have an AML program, regardless of size.
The Four Pillars of an AML Program
At a minimum, an AML program must include four essential components, often referred to as the "four pillars." (Since the 2018 FinCEN Customer Due Diligence rule, FINRA Rule 3310 also lists a fifth element: risk-based procedures for ongoing customer due diligence, including identifying and verifying the beneficial owners of legal entity customers. The exam tradition still speaks of four pillars.)
- 1. Internal Policies, Procedures, and Controls: Written procedures based on the firm's specific risk profile and business model. These procedures must address customer identification and verification, monitoring and reporting of suspicious activity, currency transaction reporting, record retention, training, and independent testing of the program.
- 2. Designated AML Compliance Officer: An individual specifically designated and identified to FINRA as responsible for implementing and monitoring the AML program. The AML Compliance Officer must have sufficient authority, resources, and independence to effectively perform this role.
- 3. Ongoing Training: Training for appropriate personnel, including all relevant employees, on AML policies and procedures, tailored to the employee's role and responsibilities. Rule 3310 requires the training to be "ongoing" and does not fix a frequency; annual training is the common practice and what examiners generally expect to see documented.
- 4. Independent Testing: Periodic independent testing of the AML program, conducted by qualified persons who are not involved in its day-to-day operation (the AML Compliance Officer and staff who report to that officer are not independent). The testing should evaluate the adequacy of policies and procedures, the effectiveness of the program, and compliance with BSA requirements. Rule 3310(c) requires testing annually on a calendar-year basis; a member that does not execute transactions for customers, does not hold customer accounts, and does not act as an introducing broker may instead test every two years.
Exam Tip
Remember the four pillars: (1) Policies, Procedures, and Controls; (2) Designated AML Officer; (3) Ongoing Training; (4) Independent Testing. Independent testing is annual for firms that execute customer transactions, hold customer accounts, or act as introducing brokers; only firms that do none of those may test every two years. The AML Compliance Officer must be specifically identified to FINRA and must have sufficient authority and resources.
Risk-Based Approach
An effective AML program must be tailored to the firm's specific risk profile. FinCEN and FINRA expect firms to conduct a comprehensive risk assessment considering factors such as the types of products and services offered, customer demographics and geographic locations, distribution channels and business partners, and transaction volumes and patterns. Higher-risk areas require more robust controls and enhanced monitoring.
Customer Identification Program (CIP)
Section 326 of the USA PATRIOT Act requires every broker-dealer to implement a Customer Identification Program (CIP) as part of its BSA compliance program. The CIP must include risk-based procedures for verifying the identity of each customer who opens an account. The purpose is to enable the firm to form a reasonable belief that it knows the true identity of each customer.
Required Customer Information
At a minimum, the CIP must require the firm to obtain the following information from each customer before or at the time of account opening:
- For individuals: Name, date of birth, residential or business street address (not a P.O. box), and an identification number. For a U.S. person this is a taxpayer identification number (normally the Social Security number); for a non-U.S. person it is one or more of a taxpayer identification number, a passport number and country of issuance, an alien identification card number, or the number and country of issuance of another government-issued document that evidences nationality or residence and bears a photograph or similar safeguard
- For entities: Name, the street address of a principal place of business, local office, or other physical location (not a P.O. box), and a taxpayer identification number (EIN for a U.S. entity)
The firm must verify the customer's identity within a reasonable time before or after account opening, using documents, non-documentary methods, or a combination of both. For individuals, acceptable verification documents include unexpired government-issued identification displaying a photograph (driver's license, passport). For entities, acceptable documents include articles of incorporation, government-issued business licenses, or IRS letters confirming EIN.
Warning
A firm cannot open an account if it cannot form a reasonable belief about the customer's true identity. If the firm cannot verify identity using documents, it must use non-documentary methods such as contacting the customer, independently verifying information, or checking references. Simply accepting self-reported information without verification is insufficient.
Customer Notice
The CIP must include procedures for providing customers with adequate notice that the firm is requesting information to verify their identities. This notice must be provided to customers before account opening. Many firms include CIP notice language in their account opening documents or post it conspicuously at account opening locations.
Recordkeeping Requirements
The firm must maintain a record of all identifying information obtained; a description of any document relied on for verification (type, identification number, place of issuance, and issuance and expiration dates); the non-documentary methods used and their results; and the resolution of any substantive discrepancy. Identifying information must be retained for five years after the account is closed. The verification records (document descriptions, methods, results, and discrepancy resolutions) must be retained for five years after the record is made.
Suspicious Activity Reports (SARs)
A Suspicious Activity Report (SAR) is the report a broker-dealer must file with FinCEN when it detects a transaction that may involve money laundering, fraud, or another violation of law. SAR filing is the most important AML obligation in practice, because it is the primary mechanism by which financial institutions alert law enforcement to potential criminal activity. Broker-dealers file the unified FinCEN SAR (FinCEN Form 111) electronically through the BSA E-Filing System; it replaced the industry-specific SAR-SF (FinCEN Form 101, Suspicious Activity Report by the Securities and Futures Industries) in 2013.
SAR Filing Thresholds and Timing
Under 31 CFR 1023.320, a broker-dealer must file a SAR for any transaction (or pattern of transactions) conducted or attempted by, at, or through the firm that involves or aggregates at least $5,000 in funds or other assets, when the firm knows, suspects, or has reason to suspect that the transaction falls into any of these categories:
- Illegal proceeds: It involves funds derived from illegal activity, or is intended to hide or disguise such funds
- Evasion: It is designed, whether through structuring or otherwise, to evade BSA requirements
- No apparent purpose: It has no business or apparent lawful purpose, or is not the sort of transaction the particular customer would normally be expected to engage in, and the firm knows of no reasonable explanation after examining the available facts
- Facilitation: It involves use of the broker-dealer to facilitate criminal activity
Unlike the bank SAR rule, which has a $5,000 tier when a suspect is identified and a $25,000 tier regardless of suspect, the broker-dealer rule has a single $5,000 threshold. A firm may file voluntarily below $5,000, and in practice firms do so for suspected insider trading or market manipulation of any size. A SAR must be filed within 30 calendar days after the initial detection of facts that may constitute a basis for filing. If no suspect was identified on the date of detection, the firm may delay filing up to 30 additional days to identify one, but in no case more than 60 calendar days after initial detection. Situations requiring immediate attention, such as an ongoing money laundering scheme, must also be reported to law enforcement by telephone in addition to the SAR.
Definition
Structuring (Smurfing): The practice of conducting multiple transactions just below the $10,000 reporting threshold to avoid triggering a Currency Transaction Report. For example, depositing $9,500 in cash on multiple days instead of $20,000 all at once. Structuring is itself a federal crime under 31 U.S.C. Section 5324.
Confidentiality of SARs
SAR confidentiality is strictly protected by statute and regulation. A firm and its employees may not disclose to any person involved in the transaction, or to any other unauthorized person, that a SAR has been filed or that the transaction has been reported, and may not disclose the SAR itself or any information that would reveal its existence. The prohibition follows the employee after leaving the firm. Violations carry civil and criminal penalties. A firm may provide a SAR and its supporting documentation to FinCEN, to federal, state, or local law enforcement, and to the SEC and FINRA as its supervisory authorities, and may share the SAR with a parent or affiliate that is itself subject to a SAR rule, but never with the subject of the SAR.
Safe Harbor Protection
Broker-dealers and their employees are provided safe harbor protection from civil liability for filing SARs. A firm or employee that files a SAR in good faith is protected from lawsuits by the subject of the report, even if the suspicions turn out to be unfounded. This protection is intended to encourage robust reporting without fear of litigation.
Currency Transaction Reports (CTRs)
A Currency Transaction Report (CTR, FinCEN Form 112) must be filed for each deposit, withdrawal, exchange of currency, or other payment or transfer by, through, or to the broker-dealer that involves more than $10,000 in currency. Unlike SARs, which are based on suspicion, CTRs are mechanical reports required for any currency transaction over the threshold, regardless of suspicion. CTRs are filed electronically through FinCEN's BSA E-Filing System.
What Constitutes a Currency Transaction
A currency transaction includes deposits, withdrawals, exchanges of currency, or other payments or transfers of currency. Currency includes U.S. and foreign coins and paper money. Importantly, CTRs are required only for transactions involving physical currency, not wire transfers, checks, or other non-cash instruments.
Multiple currency transactions must be aggregated if they are conducted by or on behalf of the same person during the same business day and total more than $10,000. For example, if a customer makes three separate cash deposits of $4,000, $3,500, and $3,000 in a single day, these must be aggregated to $10,500, triggering the CTR requirement.
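As an added illustration of how a monitoring system would apply the two rules described here and under the Structuring definition above (same-day aggregation that triggers a CTR, and a run of sub-threshold cash transactions that should be escalated for SAR review), the following Python is example code written for this page; it is not a FinCEN, FINRA, or vendor artifact. The ledger is constructed, and the "just below" band of 75 percent of the threshold, the 7-day window, and the two-transaction minimum are hypothetical tuning parameters that a real program would set from its own risk assessment.

```python
"""Added example: CTR aggregation and structuring detection over a constructed cash ledger."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

CTR_THRESHOLD = 10_000               # a CTR is required when same-day currency exceeds this amount
JUST_BELOW = 0.75 * CTR_THRESHOLD    # hypothetical tuning: $7,500-$10,000 is treated as "just below"


@dataclass(frozen=True)
class CashTxn:
    customer: str   # person by or on behalf of whom the currency was handled
    day: date       # business day of the transaction
    amount: int     # whole dollars of physical currency; checks and wires never count toward a CTR


def ctr_obligations(txns):
    """Aggregate currency transactions by customer and business day.
    Returns {(customer, 'YYYY-MM-DD'): total} for each day whose total is MORE than $10,000
    (exactly $10,000 does not trigger a CTR)."""
    totals = defaultdict(int)
    for t in txns:
        totals[(t.customer, t.day.isoformat())] += t.amount
    return {key: total for key, total in totals.items() if total > CTR_THRESHOLD}


def structuring_alerts(txns, window_days=7, min_count=2):
    """Flag customers whose 'just below threshold' cash transactions add up to more than the
    CTR threshold inside a rolling window, even when no single day required a CTR.
    Returns {customer: (first_day, last_day, count, total)} for the first window that trips."""
    by_customer = defaultdict(list)
    for t in txns:
        if JUST_BELOW <= t.amount <= CTR_THRESHOLD:
            by_customer[t.customer].append(t)

    alerts = {}
    for cust, items in by_customer.items():
        items.sort(key=lambda t: t.day)
        for i, first in enumerate(items):
            window_end = first.day + timedelta(days=window_days - 1)
            chunk = [t for t in items[i:] if t.day <= window_end]
            total = sum(t.amount for t in chunk)
            if len(chunk) >= min_count and total > CTR_THRESHOLD:
                alerts[cust] = (first.day.isoformat(), chunk[-1].day.isoformat(), len(chunk), total)
                break   # one alert per customer is enough to open a review
    return alerts


# Constructed sample ledger (not real data).
SAMPLE = [
    CashTxn("C1", date(2026, 3, 2), 4_000),   # the page's $4,000 + $3,500 + $3,000 = $10,500 case
    CashTxn("C1", date(2026, 3, 2), 3_500),
    CashTxn("C1", date(2026, 3, 2), 3_000),
    CashTxn("C2", date(2026, 3, 2), 9_800),   # three $9,800 deposits in one day: CTR and structuring
    CashTxn("C2", date(2026, 3, 2), 9_800),
    CashTxn("C2", date(2026, 3, 2), 9_800),
    CashTxn("C3", date(2026, 3, 2), 9_500),   # $9,500 on consecutive days: no CTR, but structuring
    CashTxn("C3", date(2026, 3, 3), 9_500),
    CashTxn("C4", date(2026, 3, 2), 10_000),  # exactly $10,000 does not exceed the threshold
    CashTxn("C5", date(2026, 3, 2), 9_000),   # two sub-threshold deposits 18 days apart: outside window
    CashTxn("C5", date(2026, 3, 20), 9_000),
]

if __name__ == "__main__":
    for (cust, day), total in sorted(ctr_obligations(SAMPLE).items()):
        print(f"CTR required: {cust} on {day} aggregated ${total:,}")
    for cust, (d0, d1, n, total) in sorted(structuring_alerts(SAMPLE).items()):
        print(f"Structuring review: {cust} made {n} sub-threshold cash txns {d0}..{d1} totaling ${total:,}")
```

The two functions deliberately disagree on customer C3: no CTR is due because neither day exceeds $10,000, yet the pattern is exactly what 31 U.S.C. 5324 describes, so it belongs in the SAR review queue. A structuring alert is a lead for investigation, not a determination; the reviewer still has to document the facts and the filing decision.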
Filing Deadline
CTRs must be filed within 15 calendar days following the day on which the reportable transaction occurred. The report must include complete information about the customer, including name, address, Social Security number or EIN, date of birth, and occupation or type of business.
Definition
Layering: The second stage of money laundering, involving complex layers of financial transactions designed to separate illicit proceeds from their source and obscure the audit trail. Examples include wire transfers through multiple accounts, purchasing and selling securities, or converting funds into different currencies or financial instruments.
CTR vs. SAR: Key Distinctions
| Feature | SAR (FinCEN Form 111) | CTR (FinCEN Form 112) |
|---|---|---|
| Trigger | Suspicious activity (subjective judgment) | Currency transactions over $10,000 (objective) |
| Threshold | $5,000 aggregate (voluntary filing permitted below) | More than $10,000 in currency per person per business day, aggregated |
| Filing Deadline | 30 calendar days from initial detection (up to 60 if no suspect identified) | 15 calendar days after the transaction |
| Confidentiality | Strict: cannot disclose to the subject or any person involved | Not confidential; the customer may be told a CTR is filed |
| Transaction Type | Any suspicious transaction (cash, securities, wires) | Physical currency only |
OFAC and Sanctions Compliance
The Office of Foreign Assets Control (OFAC), a division of the U.S. Department of the Treasury, administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals. Broker-dealers must screen customers and transactions against OFAC's list of Specially Designated Nationals (SDNs) and blocked persons. Conducting business with sanctioned individuals, entities, or countries can result in severe civil and criminal penalties.
OFAC Screening Requirements
Firms must implement procedures to ensure they do not facilitate transactions involving SDNs or blocked persons. This requires screening new customers at account opening, ongoing screening of existing customers against updated OFAC lists, screening transactions in real-time or near real-time, and maintaining records of screening activities. OFAC publishes its SDN list online, and it is updated regularly—often weekly. Firms must ensure they are working with current lists.
Blocked Transactions
If screening produces a true match with an OFAC-listed person, the firm must not complete the transaction. Depending on the sanctions program, the property is either blocked (frozen, and held until OFAC issues a license authorizing its release) or the transaction is rejected (refused and returned). Both blocked property and rejected transactions must be reported to OFAC within 10 business days, and blocked property must also be reported annually. Because screening is fuzzy, a partial or near match is not a finding; it must be investigated against the list's other identifiers (date of birth, address, identification numbers, aliases) and the resolution documented before the decision to clear, block, or reject.
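The following Python is an added example, written for this page, of the name-screening step described above: it normalizes names, scores them against a watchlist with aliases, and separates clear hits from partial matches that require investigation. The watchlist entries are constructed and are not real OFAC listings, the stopword list and the 0.9/0.6 decision thresholds are hypothetical, and a production system would use OFAC's published data files (or a vendor feed) and a far richer matching model; the point is the three-way outcome, not the scoring.

```python
"""Added example: normalized name screening with hit / review / clear outcomes."""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed, hypothetical records in the shape of list entries (name plus known aliases).
# These are NOT real OFAC listings.
WATCHLIST = [
    {"id": "TEST-001", "name": "Ivan Petrovich Example", "aka": ["I. P. Example", "Example, Ivan"]},
    {"id": "TEST-002", "name": "Acme Trading Company Ltd", "aka": ["ACME TRADING CO"]},
]

# Hypothetical corporate-suffix stopwords; a real deployment tunes this list carefully.
STOPWORDS = {"ltd", "llc", "inc", "co", "company", "corp", "corporation", "limited", "the", "of"}


def normalize(name):
    """Fold accents, case, punctuation and corporate suffixes into a token list, so that
    'ACME Trading Co.' and 'Acme Trading Company Ltd' compare equal on meaningful tokens."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", ascii_name.lower())
    return [t for t in tokens if t not in STOPWORDS]


def score(candidate, listed):
    """Similarity in [0, 1]: token-set Jaccard (order-insensitive, catches 'Example, Ivan')
    blended with a character-level ratio (catches truncations such as 'Petrov' vs 'Petrovich')."""
    a, b = normalize(candidate), normalize(listed)
    if not a or not b:
        return 0.0
    jaccard = len(set(a) & set(b)) / len(set(a) | set(b))
    ratio = SequenceMatcher(None, " ".join(a), " ".join(b)).ratio()
    return max(jaccard, ratio)


def screen(name, watchlist=WATCHLIST, hit=0.9, review=0.6):
    """Return ('HIT' | 'REVIEW' | 'CLEAR', best_entry_id_or_None, best_score).
    HIT must be blocked or rejected and reported; REVIEW must be investigated and
    documented before the transaction proceeds; CLEAR is logged as screened."""
    best_id, best = None, 0.0
    for entry in watchlist:
        for variant in [entry["name"], *entry["aka"]]:
            s = score(name, variant)
            if s > best:
                best_id, best = entry["id"], s
    if best >= hit:
        return ("HIT", best_id, round(best, 2))
    if best >= review:
        return ("REVIEW", best_id, round(best, 2))
    return ("CLEAR", None, round(best, 2))


if __name__ == "__main__":
    for customer in ["ACME Trading Co.", "Iv\u00e1n Example", "Ivan Petrov", "Jane Doe"]:
        decision, entry_id, s = screen(customer)
        print(f"{customer!r:22} -> {decision:6} {entry_id or '-':9} score={s}")
```

Two details matter for a supervisor reviewing such a control: the accent-folding and alias handling are what turn "Iván Example" and "Example, Ivan" into the same hit, and the REVIEW band is where false positives are resolved, so every REVIEW outcome needs a documented disposition, not a silent auto-clear.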
Warning
OFAC violations carry severe penalties. Civil penalties can reach hundreds of thousands or even millions of dollars per violation. Willful violations can result in criminal penalties including imprisonment. A principal's failure to implement adequate OFAC screening procedures exposes both the firm and the principal to significant regulatory and legal risk.
Sanctioned Countries and Comprehensive Embargoes
In addition to the SDN list, OFAC maintains comprehensive sanctions programs that prohibit most transactions involving particular countries or regions, subject to limited general licenses (for example, for humanitarian trade). Programs of this kind have covered Cuba, Iran, North Korea, Syria, and the Crimea, Donetsk, and Luhansk regions of Ukraine, but the set changes with U.S. foreign policy (the Syria program was revoked by executive order in 2025), so a firm's jurisdiction controls must be maintained from OFAC's current sanctions program listings rather than from a static reference list.
Definition
Integration: The third and final stage of money laundering, in which the laundered funds are reintroduced into the legitimate economy in a way that makes them appear to be the proceeds of lawful activity. Examples include purchasing real estate, luxury goods, or businesses, or creating shell companies with legitimate-appearing revenue streams.
Red Flags and Suspicious Activity Detection
Detecting suspicious activity requires vigilance and an understanding of common red flags that may indicate money laundering, fraud, or other illicit activity. As a principal, you are responsible for ensuring the firm has adequate systems to identify these red flags and that personnel are trained to recognize them.
Common Red Flags
Red flags that may warrant further investigation or SAR filing include:
- Structuring behavior: Multiple transactions just below $10,000 to avoid CTR filing
- Unusual account activity: Sudden large deposits followed by immediate withdrawals, especially to foreign accounts
- Third-party transactions: Customers receiving wires from or sending wires to parties with no apparent connection to the customer
- Reluctance to provide information: Customer unwilling to provide required identification or information, or providing obviously false information
- Illogical transactions: Trading patterns that make no economic sense, such as buying and selling the same security at a loss
- Use of multiple accounts: Moving funds through multiple accounts with no apparent business purpose
- High-risk jurisdictions: Transactions involving countries known for money laundering or terrorist financing
- Secretive behavior: Customer insisting on secrecy or making unusual requests regarding confidentiality
- Shell companies: Business accounts with no clear business purpose or economic rationale
- Penny stock manipulation: Concentrated trading in low-priced securities with no legitimate purpose
Definition
Placement: The first stage of money laundering, involving the introduction of illicit funds into the financial system. This is often the most vulnerable point for detection because large amounts of cash or unusual deposits may trigger scrutiny. Methods include depositing cash in small amounts (smurfing) or commingling illegal funds with legitimate business revenue.
Enhanced Due Diligence
For higher-risk customers, firms must conduct enhanced due diligence (EDD). EDD involves obtaining additional information beyond standard CIP requirements, understanding the source of funds and wealth, conducting ongoing monitoring of account activity, and obtaining senior management approval for the relationship. Higher-risk categories include politically exposed persons (PEPs), customers from high-risk jurisdictions, and businesses with complex ownership structures or no clear business purpose.
AML Recordkeeping Requirements
The Bank Secrecy Act imposes extensive recordkeeping obligations on broker-dealers. As a principal, you must ensure the firm maintains all required AML records and makes them available to regulators upon request. Failure to maintain adequate records is itself a violation, even if no underlying suspicious activity occurred.
Required Records and Retention Periods
Key AML recordkeeping requirements include:
- Customer Identification Program records: All identifying information obtained, descriptions of documents relied on, verification methods and results, and resolution of any discrepancies. Retention: identifying information for 5 years after account closure; verification records for 5 years after the record is made.
- SARs and supporting documentation: Copies of all filed SARs and supporting work papers documenting the investigation. Retention: 5 years from filing date.
- CTRs and supporting documentation: Copies of all filed CTRs and records supporting the information reported. Retention: 5 years from filing date.
- Funds transfer records: Records of all wire transfers of $3,000 or more (both originating and receiving). Retention: 5 years.
- Monetary instrument purchases: Records of purchases of monetary instruments (cashier's checks, bank checks, money orders, traveler's checks) made with currency in amounts from $3,000 through $10,000, inclusive. Retention: 5 years.
- AML program and policies: Written AML program, risk assessments, policies, procedures, and training materials. Retention: 5 years after superseded.
- Independent testing reports: All independent audit and testing reports of the AML program. Retention: 5 years.
Exam Tip
The standard AML retention period is 5 years for most records. Remember: CIP identifying information is retained for 5 years after the account is closed (the verification records for 5 years after they are made), while SARs and CTRs and their supporting documentation are retained for 5 years from the filing date. Funds transfer records of $3,000 or more and currency purchases of monetary instruments from $3,000 through $10,000 must also be retained for 5 years.
Availability to Regulators
AML records must be made available to FINRA, the SEC, FinCEN, and other federal regulators upon request. Firms must be able to produce records promptly—typically within a few business days. Failure to produce required records can result in enforcement action and penalties, even if the underlying activity was compliant.
Principal Supervisory Responsibilities
As a General Securities Principal, you have direct supervisory responsibility for ensuring the firm's AML program is effective and properly implemented. This extends beyond simply having a written AML program—you must actively supervise and verify that the program is functioning as intended.
Key Principal Obligations
Your AML supervisory responsibilities include:
- Approving the AML program: Senior management, including principals with supervisory authority, must approve the firm's written AML program and any material updates
- Ensuring adequate resources: The AML Compliance Officer must have sufficient authority, resources, and access to information to perform their duties effectively
- Reviewing testing results: Principals must review the results of independent testing and ensure that identified deficiencies are remediated
- Monitoring escalations: When suspicious activity is identified, principals must be involved in the decision-making process regarding SAR filing
- Training oversight: Ensuring that all appropriate personnel receive required AML training and that training is documented
- Responding to examinations: Cooperating with regulatory examinations and ensuring that the firm takes corrective action in response to any findings
Penalties for AML Violations
AML violations can result in severe penalties for both the firm and individual principals. Potential consequences include:
- Civil monetary penalties: FinCEN and FINRA can impose substantial fines for AML program failures, failure to file SARs or CTRs, and other violations. Penalties can reach millions of dollars
- Criminal penalties: Willful violations of the Bank Secrecy Act are prosecuted under 31 U.S.C. 5322, with imprisonment for up to five years and fines up to $250,000 for individuals; where the violation is part of a pattern of illegal activity involving more than $100,000 in a 12-month period, or is committed while violating another U.S. law, the maximum rises to ten years and $500,000
- Regulatory sanctions: FINRA can impose suspensions, bars, censures, and limitations on activities
- Reputational damage: Public disclosure of AML failures can severely damage a firm's reputation and business relationships
Key Takeaway
AML compliance is not a box-checking exercise. It requires ongoing vigilance, adequate resources, continuous training, and active principal oversight. Firms and principals can be held liable not only for failing to detect and report suspicious activity, but also for having inadequate AML programs. Your job as a principal is to ensure the program is reasonably designed and effectively implemented.
Deep Dive Real-World AML Case Studies
FINRA and FinCEN have brought numerous enforcement actions against broker-dealers for AML failures. Common themes in these cases include:
- Failure to file SARs: Firms that identified red flags but failed to investigate or file SARs. In one case, a firm was fined $10 million for failing to file SARs on suspicious penny stock transactions despite multiple red flags.
- Inadequate CIP: Firms that opened accounts without properly verifying customer identities, particularly for foreign customers or entities with complex ownership structures.
- No independent testing: Firms that went years without conducting independent testing of their AML programs, or where testing was conducted by individuals who lacked independence.
- Ignoring red flags: Firms that generated AML alerts but failed to investigate or document the results of their investigations.
- Understaffed compliance: Firms where the AML Compliance Officer was responsible for monitoring thousands of accounts without adequate staff or technology support.
- OFAC screening failures: Firms that failed to screen customers against OFAC lists or that failed to update their screening systems with current lists.
These cases underscore the importance of a robust, well-resourced, and actively supervised AML program. Regulatory expectations are high, and the consequences of failure are severe.
Check Your Understanding
Test your knowledge of AML compliance. Select the best answer for each question.
1. What are the four required pillars of an AML compliance program under FINRA Rule 3310?
2. A broker-dealer identifies suspicious trading activity totaling $8,000 that appears designed to evade BSA requirements. What is the firm's obligation?
3. Within how many calendar days must a SAR be filed after the initial detection of suspicious activity?
4. A customer makes three separate cash deposits of $9,800 each in a single business day. What reporting obligation does this trigger?
5. How often must independent testing of a firm's AML program be conducted at a minimum?