FINRA Anti-Money Laundering Independent Testing
It’s that time of year again. After the calendar winds down, broker-dealers across the country are scheduling — or scrambling to schedule — their annual independent test of the firm’s anti-money laundering program. It’s a ritual that has been part of broker-dealer life for two decades.
But the AML world that surrounds that test today bears almost no resemblance to the one I wrote about back in 2014. The Customer Due Diligence (“CDD”) Rule was just a Treasury proposal back then. The Anti-Money Laundering Act of 2020 didn’t exist. FinCEN had no national priorities. Investment advisers had no AML obligations on the horizon. And FinCEN had never imposed an $80 million penalty on a broker-dealer.
All of that has changed. If you are still running the same independent test you ran in 2014 — or, more commonly, if you are using a vendor template that has not been meaningfully refreshed — you have a problem. Examiners have moved on. So has the rule. So have the bad actors.
Below is a refreshed and expanded look at what FINRA Rule 3310 independent testing requires today, what the most recent enforcement actions tell us about how programs fail in practice, and what the proposed FinCEN AML/CFT Program Rule issued in April 2026 means for the year ahead.
What Rule 3310 Requires — The Core Has Held, But the Edges Have Moved
FINRA Rule 3310 still requires every member firm to develop and implement a written AML compliance program that is approved in writing by senior management and is reasonably designed to comply with the Bank Secrecy Act and its implementing regulations. The familiar pillars are:
- Establishing and implementing policies, procedures, and internal controls reasonably designed to detect and cause the reporting of suspicious transactions — Rule 3310(a)
- Establishing and implementing policies, procedures, and internal controls reasonably designed to achieve compliance with the BSA, including the Customer Identification Program and beneficial ownership rules — Rule 3310(b)
- Independent testing for compliance — Rule 3310(c)
- Designating an AML compliance person and providing FINRA with that person’s contact information — Rule 3310(d)
- Ongoing training for appropriate personnel — Rule 3310(e)
What has been added is paragraph (f) of Rule 3310. When FINRA conformed Rule 3310 to FinCEN’s 2016 CDD Rule, it added an explicit obligation to maintain risk-based procedures for ongoing customer due diligence — including understanding the nature and purpose of customer relationships in order to develop a customer risk profile, and conducting ongoing monitoring to identify and report suspicious transactions and to maintain and update customer information on a risk basis. Beneficial ownership identification of legal entity customers — at the 25% ownership threshold and for the individual exercising control — is no longer “proposed.” It has been live since May 2018, and it is squarely within the scope of any competent independent test.
Frequency has also become more nuanced. Independent testing is required annually on a calendar-year basis for member firms that execute transactions for customers, hold customer accounts, or act as introducing brokers. For firms that engage solely in proprietary trading or do business only with other broker-dealers, the test is required every other year. That said, the supplementary material to Rule 3310 has long made clear that more frequent testing should be performed if circumstances warrant — and “circumstances warrant” is something examiners will judge with the benefit of hindsight.
The Independence Requirement: External Is Not Synonymous With Independent
The most common confusion about independent testing is what “independent” actually means.
The test must be conducted by a person with a working knowledge of the BSA and its implementing regulations. If conducted internally, the tester must not perform any of the functions being tested, must not serve as the AML Compliance Officer, and must not report to either the AMLCO or to anyone performing the functions being tested. If conducted externally, the consultant must be free of conflicts that compromise independence.
That second point gets firms in trouble. Hiring a consultant from outside the firm does not automatically make that consultant independent. If the same consultant wrote your AML procedures, drafted your customer risk-rating methodology, or trained your AML staff during the test period, that person’s independence may be compromised for purposes of Rule 3310(c) where they are testing their own work. FINRA has cited firms for exactly that conflict, and it is one of the easier deficiencies to avoid simply by separating the function of writing procedures from the function of testing them.
A related point that often gets overlooked: the FINRA designated AML contact must be kept current. Rule 3310.02 requires firms to review and update the contact information for the AML compliance person, and Rule 4517 requires updates within 30 days of any change and a review within 17 business days after the close of each calendar year. Examiners check this. It is a small thing — and it is almost always the first thing they look at.
The Bigger Picture: What Has Actually Changed
The independent test does not exist in a vacuum. It is a check on whether the program meets the regulatory framework. That framework has expanded considerably:
The FinCEN CDD Rule. Finalized in 2016 and effective May 11, 2018, the CDD Rule made the “fifth pillar” of AML compliance — ongoing customer due diligence and beneficial ownership identification — a formal regulatory requirement rather than a best practice. Any independent test today must look at how the firm collects, verifies, and refreshes beneficial ownership information for legal entity customers, and how it builds and updates customer risk profiles. FinCEN’s February 2026 order relieved covered institutions from re-identifying/re-verifying beneficial owners each time an existing legal entity customer opens another account; however, firms must still identify and verify beneficial owners at the first account opening, when facts call prior information into question, and as required by risk-based ongoing CDD procedures.
The Anti-Money Laundering Act of 2020 (AMLA). Tucked into the National Defense Authorization Act, AMLA was the most consequential rewrite of U.S. AML law in a generation. It expanded whistleblower protections, broadened FinCEN’s authority, mandated the issuance of national AML/CFT priorities, and set the stage for AML coverage of investment advisers and antiquities dealers. AMLA is the reason regulators are now talking openly about “effectiveness” instead of just “compliance.”
The National AML/CFT Priorities. In June 2021, FinCEN issued the first government-wide priorities for anti-money laundering and countering the financing of terrorism. Today’s priorities cover corruption, cybercrime (including virtual currency), terrorist financing, fraud, transnational criminal organizations, drug trafficking, human trafficking and smuggling, and proliferation financing. Firms are expected to consider these priorities in their risk assessments. A 2026 independent test that does not look at how the firm has incorporated the national priorities into its risk assessment is incomplete.
The Investment Adviser AML Rule — and Its Delay. FinCEN finalized the Investment Adviser AML Rule on August 28, 2024, with an original effective date of January 1, 2026. In 2025, Treasury announced its intent to delay the effective date, and FinCEN ultimately moved it to January 1, 2028, while reopening the rulemaking. For broker-dealers that are dually registered or affiliated with investment advisers, this is a moving target — but the eventual application of BSA obligations to RIAs is a “when,” not an “if,” and dual registrants should not let the delay lull them into complacency.
The April 2026 FinCEN AML/CFT Program Rule Proposal. On April 7, 2026, FinCEN issued a Notice of Proposed Rulemaking that would substantially revise the AML/CFT program requirements applicable to banks, broker-dealers, money services businesses, mutual funds, and other covered institutions. The proposal explicitly shifts the supervisory focus from technical process-and-documentation compliance to program effectiveness, formalizes a risk assessment requirement, and instructs institutions to incorporate the national AML/CFT priorities into their risk assessments and resource-allocation decisions. FinCEN has proposed a 12-month implementation period after a final rule. FINRA’s 2026 Report already reflects similar themes.
Effectiveness Over Form: What Examiners Are Looking For Now
The shift toward effectiveness is showing up in FINRA’s exam findings. The Anti-Money Laundering, Fraud, and Sanctions topic in the 2026 FINRA Annual Regulatory Oversight Report continues to flag firms whose AML programs are static while their businesses are dynamic. The themes are consistent year over year, and they should drive how you scope an independent test:
- AML programs that did not grow with the firm’s business — particularly where the firm added high-risk products, customer types, geographies, or distribution channels without commensurate updates to its surveillance, customer due diligence, and SAR investigation processes
- Customer risk profiles that exist on paper but are not actually used to drive monitoring or escalation
- Suspicious activity surveillance that runs but is not meaningfully reviewed, or where the underlying data feeds are incomplete (suspense accounts, omnibus structures, foreign affiliate flows)
- 314(a) information requests that are not addressed within the required two-week window
- Independent tests that are too narrow in scope, that are completed late, or that are completed by personnel whose independence is compromised
A theme cuts across all of these: existence of a policy is not evidence of compliance. The independent test must look at whether the program worked during the test period, not just whether it was written.
What Recent Enforcement Tells Us — and Why You Should Be Reading It
I tell every client I work with the same thing: read the FINRA disciplinary actions monthly, and read the FinCEN and SEC AML orders as they come out. They are the cheapest education available. A handful of recent matters illustrate where programs are breaking down.
In March 2026, FinCEN imposed an $80 million civil money penalty against Canaccord Genuity LLC — the largest AML penalty ever assessed against a broker-dealer — with parallel $20 million penalties from the SEC and FINRA. The order documented a years-long failure to maintain an effective AML program despite repeated regulator warnings going back to 2013. The firm had four employees reviewing more than 100 surveillance reports producing thousands or millions of line items annually; key reports went unreviewed for stretches as long as four years; alert filters were used to suppress volume rather than focus attention; and, critically, certain employees falsified records during a FINRA examination. The firm failed to file at least 160 SARs. There are several lessons here, but the one most relevant to independent testing is this: a competent test would have surfaced the unreviewed reports, the suppressed alert volumes, and the under-resourcing of the surveillance team long before it became an expensive enforcement matter.
In October 2025, a Miami-headquartered broker-dealer settled an AWC with FINRA for $650,000 — the firm’s second AML penalty in roughly seven years. Among other things, the firm consented to findings that it failed to monitor approximately 900 wire transfers totaling $305 million for suspicious activity, did not complete required periodic reviews that drove its automated monitoring’s risk parameters, and did not investigate when other financial institutions rejected wire transfers from customers the firm itself had designated as high risk. Recidivism is expensive. It is also avoidable, especially when the independent test gets at the actual implementation of the procedures rather than just confirming that the procedures exist.
In August 2025, FINRA fined a firm $500,000 for using the wrong SAR filing threshold — applying the $25,000 bank threshold to brokerage account activity instead of the $5,000 broker-dealer threshold — which led to 42 unfiled SARs covering account intrusions, identity theft, and internet scams. The firm only discovered the error after reading a similar enforcement action against another company. A robust independent test sample-checks SAR thresholds, timeliness of filings, quality of SAR narratives, and the firm’s process for identifying when a SAR is required. This is exactly the kind of foundational error that surfaces quickly when somebody who knows what they are looking for actually tests the work.
Another recent case involved a small firm that had purchased its AML procedures from a vendor and never tailored the generic list of red flags to its actual business — which was concentrated in penny-stock activity. A penny-stock firm whose AML procedures contain a generic list of red flags has not satisfied Rule 3310. Generic templates do not meet the rule, and a competent independent test will say so. Tailoring red flags surveillance and training is critical to an effective AML compliance program.
Common Independent Testing Pitfalls
FINRA has frequently provided insights on AML testing pitfalls. FirstMark has also observed similar issues. Some are easy to fix. Others reflect deeper problems that can take time to remediate. The most common include:
- Scope that is too narrow. Tests that look at the AML written supervisory procedures, training records, and FinCEN contact information but never sample customer accounts, never review SAR decisioning, and never validate that surveillance alerts were actually worked.
- Lack of true independence. External consultants who wrote or substantially revised the procedures during the test period; internal testers who report to the AMLCO; testers without working knowledge of the BSA.
- Failure to review the risk assessment and the national priorities. An AML test that does not look at the firm’s current risk assessment, and at how the firm has considered the national AML/CFT priorities, is going to look thin to an examiner.
- No review of beneficial ownership compliance. The CDD Rule has been live for over seven years. Sample-test beneficial ownership records for legal entity customers, and look at how the firm handles renewal, refresh, and changes in ownership.
- Surveillance system gaps. Validate that the data feeding the AML surveillance system is complete. Suspense accounts, foreign affiliate accounts, omnibus and wrap structures, and journal entries are common sources of blind spots.
- Wire and ACH activity not tested. Wire and ACH activity is where suspicious activity actually occurs. If the test does not pull a sample of wires — including outbound wires to high-risk jurisdictions, and inbound wires from third parties — it is not a serious test.
- No look at 314(a) and OFAC processes. These are bread-and-butter exam items. The test should confirm timely 314(a) responses and validate the OFAC screening process and exception handling.
- Stale documentation, current findings. A test report that recycles last year’s findings without confirming whether they were actually remediated is worse than no test at all.
A Practical Approach for This Year’s Test
If you are scoping your 2026–2027 independent test now — or hiring a consultant to do it — there are a few things I would build into the engagement:
Start with the firm’s most current risk assessment. If the firm doesn’t have a current risk assessment, that is itself a finding. The risk assessment should consider the firm’s products, customers, geographies, and distribution channels, and should explicitly address the national AML/CFT priorities. Everything else in the test flows from this.
Build the sample around risk. High-risk customers, foreign customers, low-priced and microcap securities activity, cash management products, large or unusual wires, and any business line that has grown materially during the test period should be over-sampled relative to lower-risk activity. The proposed FinCEN program rule explicitly endorses this kind of risk-based resource allocation, and examiners are looking at it now.
Test implementation, not just policy. Pull surveillance alerts and trace them through investigation, escalation, and disposition. Pull SARs and read them. Pull customer files and verify CIP and beneficial ownership documentation. Pull rejected wires and confirm that the firm investigated them. Read what the AML team actually did, not what the procedures say it should have done.
Document everything — and write a real report. The test report should describe scope, methodology, sample sizes, findings, severity, and recommended remediation. It should be specific enough that, a year from now, the firm can point to exactly what was tested and what was concluded. Vague reports can be an enforcement liability.
Don’t sit on the findings. Build a remediation plan with owners and target dates, and follow up. The Miami case I mentioned above is a good reminder that examiners view recidivism harshly, and that “we identified the issue but didn’t fix it” is in many ways worse than “we missed the issue entirely.”
Looking Forward: The FinCEN Reform and the Year Ahead
The April 2026 FinCEN proposal is the most important AML development of the year for broker-dealers, and it deserves serious attention even before it is finalized. A few practical implications worth thinking about now:
The proposed rule formalizes a risk assessment requirement. Many broker-dealers already have one. Many do not, or have a document that has not been meaningfully updated in years. Either way, the risk assessment is about to become the foundation on which the entire program — and the independent test — rests.
The proposed rule pushes institutions to incorporate the national AML/CFT priorities into the risk assessment in a meaningful, non-superficial way. FinCEN has explicitly cautioned that boilerplate treatment will not satisfy supervisory expectations. Firms should be prepared to explain why each priority is, or is not, material to their business.
The proposed rule preserves and arguably elevates the role of independent testing. Testing is expected to focus on whether the program is effective and to identify issues for remediation, with objective criteria designed to assess whether the firm has effectively established and maintained an AML program and allocated resources consistent with its risk profile. That standard is higher than “did the firm follow its written procedures.”
The proposed rule is not yet final — comments are due June 9, 2026, and FinCEN has proposed a 12-month implementation window after a final rule is issued. But the direction of travel is clear, and a thoughtful 2026 independent test should already be looking at the firm’s program through the effectiveness lens.
Closing Thought
I oversaw the creation of FINRA’s National AML Investigative Unit in 2012, and I have watched the AML space evolve through every major change in the years since. The cases that hurt firms the most have a common thread: nobody — internally or through the independent test — was meaningfully checking whether the program actually worked. Procedures existed. Boxes were ticked. Reports were generated. But there was often a failure to take an honest look at the implementation, and the gaps grew until the regulators found them.
The annual independent test is the single most efficient mechanism a broker-dealer has to find its own problems before someone else does. It is worth doing well.


