AML Compliance Program
Quick Answer
The FINRA AML-program requirement obligates every member firm to develop and implement a written Anti-Money Laundering (AML) program approved in writing by senior management. The program must satisfy five pillars: policies and procedures to detect and report suspicious activity, independent testing (annual for customer-facing firms, biennial for proprietary-only firms), a designated AML Compliance Officer (AMLCO), ongoing training, and risk-based Customer Due Diligence (CDD) including beneficial-ownership identification.
The AML-program requirement is the structural backbone of broker-dealer AML compliance. It carries the Bank Secrecy Act (BSA) and the USA PATRIOT Act of 2001 into FINRA's rulebook and is enforced both by FINRA and, through the SEC's BSA-compliance recordkeeping rule, by the SEC.
Statutory Foundation: BSA, PATRIOT Act, and FinCEN
The AML-program requirement sits inside a layered statutory and regulatory structure:
- Bank Secrecy Act (BSA): the underlying statute that requires financial institutions (FIs) to maintain records and file reports useful in detecting and preventing money laundering. The BSA is implemented through Treasury / Financial Crimes Enforcement Network (FinCEN) regulations
- USA PATRIOT Act (2001): amended the BSA to require broker-dealers (and other FIs) to maintain AML programs and a Customer Identification Program (CIP)
- FinCEN: a bureau of the U.S. Treasury that administers the BSA, collects SAR and CTR filings, and issues law-enforcement information-sharing requests and voluntary FI-to-FI information-sharing authority
The statutory order: the BSA is the law, FinCEN writes the regulations, and the FINRA AML-program requirement carries those obligations into the broker-dealer rulebook.
Exam Tip: Gotchas
- The BSA is the statute; FinCEN is the bureau; the AML-program requirement is the FINRA implementation. The exam will sometimes describe a missed SAR filing and ask which authority enforces the violation. The answer is layered: FinCEN (BSA), FINRA (the AML-program requirement), and the SEC (through its BSA-compliance recordkeeping rule).
The Five Pillars of the AML-program requirement
Each member must establish and implement a written AML program approved in writing by senior management that satisfies, at minimum, five elements:
| # | Pillar | What It Requires |
|---|---|---|
| 1 | Policies, procedures, and internal controls | Reasonably designed to achieve compliance with the BSA and to detect and report suspicious transactions |
| 2 | Independent testing | Annual review by member personnel or a qualified outside party (every 2 years if the firm does not execute customer transactions, hold customer accounts, or act as introducing broker) |
| 3 | Designated AML Compliance Officer (AMLCO) | Designate a person or persons responsible for implementing and monitoring the AML program; identify the AMLCO to FINRA |
| 4 | Ongoing training | Provide AML training to appropriate personnel |
| 5 | Customer Due Diligence (CDD) | Risk-based procedures for ongoing CDD, including understanding the nature and purpose of customer relationships, identifying beneficial owners of legal-entity customers, and conducting ongoing monitoring |
Think of it this way: The five pillars are the regulator's checklist for whether a firm has a real AML program. Pillar 1 writes the rules; pillar 2 audits whether the firm follows them; pillar 3 names an accountable human; pillar 4 trains the staff; pillar 5 keeps the customer profile current. Take any one out and the program fails.
Exam Tip: Gotchas
- The five pillars are the most-tested fact in the AML-program requirement. Originally there were four; pillar 5 (CDD with beneficial-ownership identification) was added by FinCEN's 2018 CDD Rule. The exam will sometimes ask which is NOT a required pillar; any of the five IS required.
- Beneficial-ownership identification is an AML-program requirement, not a CIP requirement. The CIP collects four data elements about the named customer; pillar 5 requires going behind a legal-entity customer to identify the natural-person owners.
Independent Testing Frequency
Pillar 2 has a frequency rule that the exam tests directly:
| Firm Type | Testing Frequency |
|---|---|
| Firms that execute customer transactions, hold customer accounts, or act as introducing broker | Annually (calendar-year basis) |
| Firms that do none of those (e.g., proprietary-only, strictly inter-dealer) | Every 2 years (biennial) |
The tester must:
- Have a working knowledge of the BSA and its implementing regulations
- Be independent of the AML compliance function (cannot test their own work; cannot report to the AMLCO)
Exam Tip: Gotchas
- A firm that does only proprietary trading gets biennial independent testing, not annual. Watch for this carve-out in the question stem. If the firm has no customer accounts and does not execute for customers or introduce, it is on the 2-year cycle.
- The tester cannot report to the AMLCO. Even when an outside audit firm is engaged, the person performing the test must be structurally independent of the AML function and of the work being tested. A junior compliance person who reports to the AMLCO reviewing that officer's program does not satisfy pillar 2.
AMLCO Designation
Pillar 3 requires a designated AML Compliance Officer (AMLCO). The firm must:
- Identify the AMLCO to FINRA through the FINRA Contact System (FCS), providing name, title, mailing address, email, and telephone number
- Update AMLCO contact information within 30 days of any change
- Verify AMLCO information annually (within 17 business days after each calendar year-end)
The AMLCO does not need to be a full-time AML role; small firms often combine the AMLCO function with another compliance role, provided the AMLCO has the authority and resources to run the program.
Exam Tip: Gotchas
- AMLCO contact info must be updated within 30 days of a change and verified annually within 17 business days of year-end. Both timeframes are tested; do not confuse them.
- The AMLCO can hold another compliance title. Small firms commonly have a Chief Compliance Officer (CCO) who is also the AMLCO. The exam may ask whether this is permissible. It is, as long as the AMLCO has authority and resources.
Senior-Management Approval
The program as a whole (not any single pillar) must be approved in writing by senior management. This is a structural accountability requirement: the AMLCO writes and runs the program; senior management owns it. A program drafted and signed only by the AMLCO is not approved.
Senior-management approval plays the same role as the FINRA chief executive officer (CEO) certification of compliance and supervisory processes: regulators want a named senior person on the hook for the program, not just a compliance staffer.
Training (Pillar 4)
The AML program must include ongoing training for appropriate personnel. There is no FINRA-mandated frequency, but the training must be:
- Risk-based: registered representatives who open new accounts need different training than back-office settlement clerks
- Updated: when typologies change (for example, new structuring patterns, new sanctions countries), training content must reflect the change
- Documented: attendance and content records are part of the firm's books-and-records obligation
Exam Tip: Gotchas
- AML training has no fixed FINRA frequency, but it must be ongoing and documented. A firm that runs a single training session at hire and never repeats it does not satisfy pillar 4.
Customer Due Diligence (Pillar 5)
The 2018 CDD Rule (added to the AML-program requirement as pillar 5) requires:
- Understanding the nature and purpose of customer relationships to develop a customer risk profile
- Identifying and verifying beneficial owners of legal-entity customers (any individual owning 25% or more of equity, plus one control person)
- Ongoing monitoring to identify and report suspicious transactions and to maintain and update customer information on a risk basis
The 25-percent ownership threshold defines beneficial owners; the one control person must always be identified, regardless of ownership percentage.
Exam Tip: Gotchas
- The beneficial-ownership threshold is 25 percent for ownership and one control person regardless of ownership. A legal-entity customer with five 20-percent owners has zero ownership-based beneficial owners (none meets 25%), but the firm still must identify one control person.
- Pillar 5 is part of the AML-program requirement, not the CIP. The CIP collects four data elements about the named legal-entity customer; pillar 5 looks behind the entity to the natural-person owners.