AML Compliance Program
With the stages of money laundering in mind, let's look at exactly what broker-dealers must do to combat it. Financial Industry Regulatory Authority (FINRA) Rule 3310 spells out the Anti-Money Laundering (AML) compliance program requirements.
FINRA Rule 3310 Requirements
FINRA Rule 3310 requires every member firm to establish and implement a written AML compliance program that includes these components:
| # | Requirement | Details |
|---|---|---|
| 1 | Policies and procedures | Reasonably designed to detect and cause the reporting of suspicious activity |
| 2 | AML Compliance Officer (AMLCO) | A designated individual responsible for implementing and monitoring the program day-to-day |
| 3 | Ongoing employee training | All relevant personnel must be trained on AML procedures |
| 4 | Independent testing (audit) | Annual testing conducted by internal audit or a qualified outside party |
Additional requirements:
- The AML program must be approved by senior management
- The AMLCO must be identified to FINRA, and the firm must promptly notify FINRA of any changes
- The independent testing must occur on a calendar-year basis
- The program must include a Customer Identification Program (CIP) as required by USA PATRIOT Act Section 326
Exam Tip: Gotchas
- There are four core components of an AML program: policies/procedures, compliance officer, training, and independent testing. The exam may list these in different order or try to substitute a fake requirement. Remember all four.
- The AML compliance officer does not have to be senior management, but the program must be approved by senior management.
- Independent testing can be done internally (by audit staff) OR externally (by a qualified outside party) - both are acceptable.
Customer Identification Program (CIP)
The Customer Identification Program (CIP) is a required component of every AML program, mandated by USA PATRIOT Act Section 326. It ensures broker-dealers know who their customers are.
What CIP Requires
For every new account, the firm must verify the customer's identity using four pieces of information:
| Information | Notes |
|---|---|
| Name | Full legal name |
| Date of birth | For individual customers |
| Address | Residential or business address |
| Identification number | SSN for U.S. persons; passport or other government-issued ID for non-U.S. persons |
Additional CIP Obligations
- Record retention: Maintain records of the information used to verify identity
- Government list screening: Check customer names against government lists of known or suspected terrorists
- Customer notice: Provide adequate notice to customers that the firm is requesting information to verify their identity
- Verification can use documentary methods (driver's license, passport) or non-documentary methods (credit reports, databases)
Exam Tip: Gotchas
- CIP requires four pieces of identifying information: name, date of birth, address, and identification number. The exam may try to add extra items or leave one out. Remember all four.
- CIP applies to ALL new accounts; there is no exception for existing customers opening additional accounts.
How CIP and AML Work Together
The relationship between CIP and the broader AML program:
- CIP is the front door; it verifies who is opening the account
- AML monitoring is ongoing; it watches for suspicious activity after the account is open
- Reporting (Suspicious Activity Reports/SARs, Currency Transaction Reports/CTRs) is the response; when something suspicious is detected, the firm must report it
Think of it this way: CIP is like checking IDs at the airport entrance. Once you are through security, the cameras (ongoing monitoring) keep watching. If the cameras spot something suspicious, security files a report. CIP gets you in the door; AML monitoring keeps watching afterward.
CIP → Account Opening → Ongoing Monitoring → Suspicious Activity Detected → Filing Reports
Exam Tip: Gotchas
- Know the sequence: FINRA Rule 3310 requires an AML program → the program includes CIP (Section 326) → CIP verifies identity at account opening → ongoing monitoring detects suspicious activity → the firm files reports with the Financial Crimes Enforcement Network (FinCEN)