
Exchange Act Rule 17a-4 – An Old Rule in a New World

Mitchell Atkins, former FINRA executive and founder of FirstMark Regulatory Solutions

The electronic recordkeeping requirements for broker-dealers are spelled out in Exchange Act Rule 17a-4, also known as SEC Rule 17a-4 (and also SEA Rule 17a-4). For many years, the shorthand for the rule was simple: broker-dealer records had to be preserved in WORM format — write once, read many. In the old days, that meant paper, microfilm, microfiche, optical disk, CD-ROM, or some other storage medium that could not be rewritten or erased.

That was the world I was writing about when I first addressed this topic in 2014. Back then, the basic point was straightforward: broker-dealers could not simply save emails in Outlook, back up files at the end of the day, or keep documents in a cloud folder and assume they had satisfied SEA Rule 17a-4(f). Records had to be preserved, indexed, accessible, and protected from alteration or deletion.

The rule is still old. But the world around it has changed again.

Today, broker-dealers live in Microsoft 365, Google Workspace, Salesforce, Teams, Zoom, text messaging platforms, archive vendors, compliance dashboards, cloud servers, and third-party fintech systems. Registered representatives work from home, supervisors review correspondence remotely, firms use outsourced technology providers, and the SEC and FINRA continue to bring major enforcement cases involving off-channel communications and recordkeeping failures.

At the same time, the rule itself has been modernized. The SEC’s 2022 amendments to Rule 17a-4(f) kept WORM as an available approach, but added an audit-trail alternative. The same rulemaking also amended Rule 17a-4(i), which matters when required broker-dealer records are prepared or maintained by outside recordkeeping services, including certain cloud arrangements. That means the modern question is no longer simply, “Is this WORM?” The better question is: “Can the firm preserve, locate, recreate when necessary, produce, and defend the record if an examiner asks for it?”

Back to Basics: What Rule 17a-4 Is Trying to Accomplish

SEA Rule 17a-4 is the broker-dealer record retention rule. In simple terms, it tells broker-dealers what records must be preserved, how long they must be preserved, and what must happen when regulators ask for them.

One of the most important provisions remains Rule 17a-4(b)(4), which requires a broker-dealer to preserve originals of all communications received and copies of all communications sent by the broker-dealer, including inter-office memoranda and communications, relating to its business as such. For broker-dealers, that can include business-related emails, written correspondence, chat messages, instant messages, text messages, social media messages, collaboration-platform messages, and other written electronic communications that relate to the firm’s broker-dealer business.

That is where firms still get into trouble. The communication method changes. The regulatory concept does not.

When I was at NASD in the early days, I spent plenty of time looking at boxes of paper, microfiche, and imaged records. If you ask many people today what microfiche is, you may get a blank look. But the core regulatory expectation has not changed all that much. Whether the record is a paper blotter, a microfiche image, an email, a Teams message, or a customer account approval sitting inside a cloud application, the firm must be able to preserve it for the required retention period and produce it promptly when asked.

That is the point of the rule. It is not about technology for technology’s sake. It is about regulator access, examiner review, enforcement integrity, and the firm’s ability to prove what happened.

The Old WORM Rule and the New Audit-Trail Alternative

For many years, Rule 17a-4(f) required broker-dealers that used electronic storage media to preserve electronic records exclusively in a non-rewriteable, non-erasable format. That is the WORM standard.

WORM is still permitted. A firm may still use an electronic recordkeeping system that preserves records in a non-rewriteable, non-erasable format. For many small firms, that remains the easiest and cleanest answer because the vendor has built its business around broker-dealer archive requirements.

But WORM is no longer the only way to comply.


The SEC’s 2022 amendments added an audit-trail alternative. Under that alternative, an electronic recordkeeping system must preserve records in a way that maintains a complete time-stamped audit trail. That audit trail must capture modifications and deletions, the date and time of actions that create, modify, or delete the record, the identity of the person making the change if applicable, and the information needed to maintain authenticity and reliability and permit re-creation of the original record if it is modified or deleted.

That is a major modernization. It reflects the way many modern systems actually work. A properly designed system may not be “WORM” in the old optical-disk sense, but if it can preserve the record, maintain a complete audit trail, and recreate the original if something changes, it may satisfy the modern rule.

The practical point: WORM is still valid, but it is no longer the only option. A broker-dealer may use either a non-rewriteable, non-erasable system or an audit-trail-compliant electronic recordkeeping system. What it cannot use is a normal business system with ordinary delete, edit, overwrite, and retention settings and pretend that is enough.

What an Electronic Recordkeeping System Must Do Today

The modern version of Rule 17a-4(f) is more technology-neutral than the older rule, but it is not loose. An electronic recordkeeping system must do several things that ordinary storage systems often do not do.

First, it must preserve records for the applicable retention period. The system must either preserve the records in a non-rewriteable, non-erasable format or maintain the kind of audit trail described above.

Second, the system must be able to verify automatically the completeness and accuracy of the processes for storing and retaining records electronically. That means the firm should understand whether the system actually captures the records it is supposed to capture and whether there are exceptions, failed captures, skipped sources, disabled users, or configuration gaps.

Third, if the firm is relying on the WORM option, the rule still requires an audit system providing accountability regarding the inputting of required records and any changes made to original and duplicate records, and the audit results must be preserved for the same period as the audited records.

Fourth, the system must be able to download and transfer records, the information needed to locate those records, and the audit trail if applicable, in both a human-readable format and a reasonably usable electronic format. This is where some firms make a costly mistake. A system that lets a user view a record on screen is not necessarily a compliant recordkeeping system. Regulators may ask for records in a format that can be reviewed, searched, exported, analyzed, and tied back to the source system.

Fifth, the system must include a backup electronic recordkeeping system or other redundancy capabilities designed to ensure access to required records. A broker-dealer cannot have a single point of failure where records disappear because a vendor terminates service, an administrator deletes an account, a license lapses, or a cloud configuration changes.

Sixth, the firm must be ready at all times to provide requested records. The rule is not satisfied by telling an examiner that the vendor is looking into it, the IT consultant is unavailable, or the person who knows the archive left the firm. If the firm is required to preserve the record, the firm must be able to produce it.
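To make the audit-trail alternative described above and the preservation, verification and export capabilities just listed concrete, here is an added Python sketch of mine, not code from the rule, from FINRA or from any vendor product. It keeps every create, modify and delete as a time-stamped, attributed entry, re-creates the original record after it has been changed or deleted, checks its own trail automatically, and exports records with the trail in a usable form; the hash chain, record ids, user names and message text are my own assumptions, and the chain is one way to build the check, not something the rule prescribes.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class AuditEvent:
    """One immutable entry in the time-stamped audit trail."""
    seq: int                 # position in the append-only trail
    timestamp: str           # date and time of the action (UTC, ISO 8601)
    action: str              # "create", "modify" or "delete"
    record_id: str
    actor: str               # identity of the person making the change
    content: Optional[str]   # full record content after the action; None on delete
    prev_hash: str           # hash of the preceding entry, chaining the trail
    event_hash: str          # hash over this entry's own fields

    @staticmethod
    def compute_hash(seq, timestamp, action, record_id, actor, content, prev_hash):
        payload = json.dumps([seq, timestamp, action, record_id, actor, content, prev_hash])
        return hashlib.sha256(payload.encode()).hexdigest()

class AuditTrailStore:
    """Record store that never overwrites: every change becomes a new trail entry."""
    GENESIS = "0" * 64

    def __init__(self):
        self._trail = []  # append-only; no method removes or rewrites entries

    def _append(self, action, record_id, actor, content):
        seq = len(self._trail)
        prev_hash = self._trail[-1].event_hash if self._trail else self.GENESIS
        ts = datetime.now(timezone.utc).isoformat()
        digest = AuditEvent.compute_hash(seq, ts, action, record_id, actor, content, prev_hash)
        event = AuditEvent(seq, ts, action, record_id, actor, content, prev_hash, digest)
        self._trail.append(event)
        return event

    def create(self, record_id, actor, content):
        if self.current(record_id) is not None:
            raise ValueError(f"{record_id} already exists")
        return self._append("create", record_id, actor, content)

    def modify(self, record_id, actor, content):
        if self.current(record_id) is None:
            raise ValueError(f"{record_id} is not an active record")
        return self._append("modify", record_id, actor, content)

    def delete(self, record_id, actor):
        if self.current(record_id) is None:
            raise ValueError(f"{record_id} is not an active record")
        return self._append("delete", record_id, actor, None)

    def history(self, record_id):
        """Every action on the record, in order, with who did it and when."""
        return [e for e in self._trail if e.record_id == record_id]

    def current(self, record_id):
        hist = self.history(record_id)
        return hist[-1].content if hist else None

    def original(self, record_id):
        """Re-create the record as originally entered, even after modification or deletion."""
        hist = self.history(record_id)
        return hist[0].content if hist else None

    def verify(self):
        """Automated completeness check: recompute the hash chain entry by entry."""
        prev = self.GENESIS
        for i, e in enumerate(self._trail):
            expected = AuditEvent.compute_hash(e.seq, e.timestamp, e.action, e.record_id,
                                               e.actor, e.content, e.prev_hash)
            if e.seq != i or e.prev_hash != prev or e.event_hash != expected:
                return False
            prev = e.event_hash
        return True

    def export(self):
        """Records plus audit trail in a human-readable, machine-usable form (JSON lines)."""
        return "\n".join(json.dumps(asdict(e)) for e in self._trail)

# Constructed sample record: a business-related message from a representative.
ORIGINAL = "Subject: Rollover question\nCustomer asked whether to roll over the 401(k)."

def demo():
    """Create, annotate and delete one record; the trail retains all three actions."""
    store = AuditTrailStore()
    store.create("msg-1001", "rep.jones", ORIGINAL)
    store.modify("msg-1001", "supervisor.lee", ORIGINAL + "\n[Supervisory review: approved]")
    store.delete("msg-1001", "admin.kim")
    return store

def tamper_demo():
    """Simulate someone editing stored history directly, bypassing the API: verify() fails."""
    store = demo()
    store._trail[1] = replace(store._trail[1], content="edited after the fact")
    return store.verify()
```

Contrast this with an ordinary mailbox or cloud folder, where the same three actions leave only an empty slot and no way to say who deleted what, when, or what it originally said.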

Why “Secure Cloud Storage” Is Not the Same Thing as 17a-4 Compliance

This is one of the most common misunderstandings I still see.

There is a difference between secure storage and compliant preservation. A system can be encrypted, password-protected, backed up, redundant, and professionally managed — and still fail Rule 17a-4.


For example, a normal cloud folder is not enough if users can delete files, overwrite files, rename files without accountability, purge files after a short retention period, or terminate the account in a way that removes access to the records. The same is true for ordinary email storage. Microsoft 365, Google Workspace, Dropbox, ShareFile, OneDrive, Box, Salesforce, Slack, Teams, Zoom, or any other platform may be part of a compliant architecture, but only if it is configured, retained, supervised, archived, tested, and where applicable, supported by the right undertaking analysis.

That is the key distinction. The product name does not make the system compliant. The configuration, retention controls, capture scope, audit trail, supervision, production capability, and vendor arrangement determine compliance.

I have seen firms assume that because something is in the cloud, it is safer than a local server and therefore compliant. That is not the rule. The question is not whether the cloud provider has strong cybersecurity. The question is whether the broker-dealer’s required records are preserved for the required period and can be produced promptly, completely, and in the required format.

The Old Problems Have Not Gone Away

Many of the non-compliant systems I saw years ago still have modern equivalents.

  • Email saved in local PST files or ordinary mailboxes that users can delete or alter.
  • End-of-day backups that miss messages deleted during the day.
  • Cloud folders used as document archives without immutability controls or an audit-trail-compliant architecture.
  • Text messages, chats, and collaboration-platform messages that are used for business but not captured.
  • Customer communications conducted through personal devices or personal messaging apps.
  • Vendors that host or maintain required records, but where the firm has not addressed the required undertakings or true independent access.
  • Systems that preserve records but cannot export them in a reasonably usable format.
  • Archives that capture email but not attachments, calendar entries, approvals, metadata, or supervisory comments.
  • Retention policies that can be changed by local administrators without compliance review.

These are not technical foot faults. They go directly to the regulator’s ability to reconstruct what happened. If an examiner asks for communications about a customer complaint, a private placement, a rollover recommendation, a suspicious wire, a branch inspection, or a supervisory approval, the firm cannot answer by saying, “We think it was in Teams, but we did not archive that channel.”

Off-Channel Communications: The New Version of an Old Problem

The recordkeeping problem that has received the most attention in recent years is off-channel communications. This is not a new concept, but the scale is different.

Years ago, the concern was that a registered representative might use a personal email account to avoid firm review. Today, the same problem shows up through personal text messages, WhatsApp, Signal, social media direct messages, unapproved collaboration tools, personal devices, and customer communications conducted outside the firm’s monitored systems.

The rule is still the rule. If the communication relates to the broker-dealer’s business as such, the firm must preserve it if it is the type of communication covered by the recordkeeping rules. A firm’s policies should make clear what systems may be used, what systems may not be used, how exceptions are handled, and what happens when personnel use an unapproved channel.

Training alone is not enough. Firms should also test. That means looking for signs of off-channel activity: email signatures listing mobile numbers used for business, customer references to text exchanges, representatives sending “call or text me” language, calendars showing client meetings arranged outside approved systems, or complaint files referring to communications not found in the archive.

The problem is not solved by telling representatives, “Do not text clients.” If the firm knows or should know that business communications are occurring through unapproved channels, the supervisory issue becomes much larger.
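As an added illustration of the testing described above (my own code, not the article's or any firm's supervisory tool), a small Python scan that looks for those indicators across a constructed set of archived messages; the patterns, ids and message text are assumptions, and a hit is a lead for supervisory review, not a finding.

```python
import re

# Indicators the article lists as signs of off-channel activity. The patterns are my own
# assumptions and deliberately broad: a hit is a lead for review, not proof of a violation.
SIGNALS = {
    "mobile_in_signature": re.compile(
        r"\b(?:cell|mobile)\b[^\d\n]{0,12}(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}",
        re.I),
    "text_invitation": re.compile(r"\b(?:call or text|text me|shoot me a text)\b", re.I),
    "text_reference": re.compile(r"\b(?:as (?:I|we) texted|per (?:my|your) text|texted you)\b", re.I),
    "messaging_app_mention": re.compile(r"\b(?:whatsapp|on signal)\b", re.I),
}

def scan_message(body):
    """Return the names of every indicator found in one archived message body."""
    return [name for name, pattern in SIGNALS.items() if pattern.search(body)]

def scan_archive(messages):
    """Map message id -> indicators, for each message that triggers at least one."""
    findings = {}
    for msg_id, body in messages:
        hits = scan_message(body)
        if hits:
            findings[msg_id] = hits
    return findings

# Constructed sample of archived messages (ids, names and text are made up).
SAMPLE_ARCHIVE = [
    ("m1", "Hi Mr. Smith, happy to discuss the rollover. Call or text me anytime.\n\n"
           "Best,\nJ. Jones\nCell: (555) 010-2345"),
    ("m2", "Attached is the Form CRS we discussed. Let me know if you have questions."),
    ("m3", "As I texted you last night, the wire went out this morning."),
    ("m4", "Thanks for the meeting. My mobile is 555-010-9876 if anything comes up."),
    ("m5", "Let's move this to WhatsApp, easier for me."),
]

def scan_demo():
    """Run the scan over the constructed archive and return what a reviewer would see."""
    return scan_archive(SAMPLE_ARCHIVE)
```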

Rule 17a-4(i): The Outside Service Provider Problem

The 2022 amendments also matter because of modern vendor relationships. Broker-dealers now rely on outside service providers for email archiving, cloud storage, CRM systems, document management, cybersecurity, order management, accounting, compliance workflows, and other systems that may contain required books and records.

Rule 17a-4(i) is a different undertaking rule from Rule 17a-4(f). Paragraph (f) deals with the undertaking that supports access to records preserved on an electronic recordkeeping system. Paragraph (i) deals with outside service providers that prepare or maintain records the broker-dealer is required to keep.

The traditional Rule 17a-4(i) undertaking still generally applies where required records are prepared or maintained by an outside service bureau, depository, bank, or other recordkeeping service, including a recordkeeping service that owns and operates the servers or storage devices on which records are preserved or maintained.

Under that traditional undertaking, the outside entity acknowledges that the records are the property of the broker-dealer and will be surrendered promptly on request of the broker-dealer. It also undertakes to permit examination by the SEC or its designee and to furnish true, correct, complete, and current hard copies on request.

The amended rule does provide an alternative undertaking that was designed for certain electronic recordkeeping relationships that look more like modern cloud arrangements. But it is narrower than many people assume.

The alternative is available only if required records are maintained and preserved by means of an electronic recordkeeping system utilizing servers or other storage devices owned or operated by the outside entity, including an affiliate, and the broker-dealer has independent access to the records. In the rule, independent access is not just convenient login access. It means the broker-dealer can regularly access the records without any intervention by the outside entity and, through that access, can permit examination and promptly furnish hard copies to the SEC or its designee.

That is why this is not a blanket “cloud exception.” If the firm must ask the provider to transfer the records, decrypt them, restore access, or otherwise take an intervening step before the firm can reach them, the alternative undertaking is not the right fit.

In the alternative undertaking itself, the outside entity must acknowledge that the records are the property of the broker-dealer and that the broker-dealer has represented three things: first, that it is subject to SEC rules governing the maintenance and preservation of certain records; second, that it has independent access to the records maintained by the outside entity; and third, that it consents to the outside entity fulfilling the obligations set forth in the undertaking.

The outside entity must also undertake to facilitate within its ability, and not impede or prevent, SEC or SEC-designee examination, access, download, or transfer of the records, and in the broker-dealer context, a SIPA trustee’s access, download, or transfer as permitted by law.

One more practical point matters here. The SEC and FINRA have both warned about service contracts that allow a provider to withhold, delete, or discard required records because of nonpayment or some other dispute. That kind of contract language is inconsistent with Rule 17a-4. So the analysis is not only about the system. It is also about the contract.

The point for firms is simple: do not assume that a vendor relationship is “just IT.” If the vendor prepares, maintains, hosts, or preserves required broker-dealer records, the firm needs to evaluate Rule 17a-4(i), whether the traditional or alternative undertaking applies, whether the firm truly has independent access, and whether the firm can produce the records without the vendor becoming a bottleneck.

The Designated Third Party and Designated Executive Officer Undertakings

There is another undertaking issue under Rule 17a-4(f), and it is a different one. Do not confuse the paragraph (f) access undertaking with the separate paragraph (i) outside-service-provider undertaking above.

Historically, broker-dealers using electronic storage had to have a third party with access to the records provide an undertaking to produce records if the firm failed to do so. There were also limitations on who could be the third party.

The amended rule gives firms more flexibility. A broker-dealer using an electronic recordkeeping system must have the required undertaking filed with its designated examining authority, signed by either a designated third party or a designated executive officer.

A designated third party is a person not affiliated with the broker-dealer who has access to and the ability to provide records maintained and preserved on the electronic recordkeeping system. A designated executive officer is a member of senior management who has access to and the ability to provide the records directly or through designated specialists.

This is an important change, especially for firms with mature internal technology and compliance functions. But it is not a paperwork shortcut. If the firm uses a designated executive officer, that executive officer must actually have the ability to provide the records, either directly or through designated personnel. A name on a form is not enough.

The designated executive officer may appoint in writing up to two designated officers to act if the executive officer cannot fulfill the undertaking, and up to three designated specialists. But the appointment of those persons does not relieve the designated executive officer of the obligations in the undertaking.

For small firms, the old third-party model may still be cleaner. For larger firms, the designated executive officer approach may make sense. But either way, the firm should be able to answer three basic questions:

  • Who is responsible for producing records if the firm receives a regulatory request?
  • Does that person actually have access to the records and the audit trail, if applicable?
  • Has the required undertaking been filed and kept current?

The DEA Notice Requirement Is Gone, But the Responsibility Is Not

One of the practical changes in the 2022 amendments is that the SEC eliminated the old requirement that a broker-dealer notify its designated examining authority before employing an electronic recordkeeping system. The SEC also removed the old DEA representation requirement tied to electronic storage media. Those requirements made sense when electronic recordkeeping was new. They make much less sense today, when nearly every broker-dealer uses electronic systems in some form.

But firms should not misunderstand the change. The fact that the old notice requirement is gone does not mean electronic recordkeeping has become informal. It means the burden has shifted even more squarely to the firm to know what systems it uses, what records they contain, how those records are preserved, and how they will be produced.

In other words, the firm may not need to send the same kind of advance notice before using electronic recordkeeping, but it still needs to get the system right.

What Records Are We Really Talking About?

When firms think about Rule 17a-4, they often think first about email. Email is important, but it is only one piece of the recordkeeping architecture.

Depending on the firm’s business, required records may include:

  • Business-related emails and attachments.
  • Internal memoranda and inter-office communications.
  • Correspondence with customers.
  • Retail communications and approvals.
  • Text messages and instant messages relating to broker-dealer business.
  • Social media messages and direct messages used for business.
  • CRM notes and customer-contact records.
  • Order tickets, trade blotters, confirmations, and account records.
  • New account documents and account updates.
  • Customer complaints and complaint investigations.
  • Supervisory reviews, exception reports, and approvals.
  • AML surveillance alerts, investigations, alert resolution notes, and SAR support materials.
  • WSPs, compliance manuals, and procedure updates.
  • Reg BI records, rollover documentation, and Form CRS delivery records.
  • Cybersecurity and Regulation S-P incident response records required to be preserved.

The exact retention period depends on the record. Some records are three-year records. Some are six-year records. Some must be preserved for the life of the enterprise. The mistake is assuming that one blanket retention period or one archive setting solves everything.

A good recordkeeping program begins with a record inventory. What records does the firm create? Where are they created? Who owns the system? What rule requires retention? What is the retention period? Is the record captured automatically? Can it be altered? Can it be deleted? Can the firm produce it in usable form?

Rule 17a-4(f) applies when required broker-dealer records are preserved on an electronic recordkeeping system. A working copy of a record that is already properly preserved elsewhere may not itself be the firm’s required preserved record. But if the copy is annotated, approved, stamped, revised, or otherwise becomes evidence of a separate business action, it may become a new required record that must be preserved under the applicable recordkeeping rule.

Where Small Firms Still Get This Wrong

Small broker-dealers often have an advantage: fewer people, fewer systems, and less complexity. But they also tend to have fewer internal technology resources, and that creates predictable problems.

The most common issues I see are:

  • Assuming Microsoft 365 or Google Workspace is automatically compliant. These platforms can be part of a compliant environment, but ordinary mailbox retention is not the same as broker-dealer record preservation.
  • Archiving email but ignoring chats and texts. If representatives use text messaging, Teams, Zoom chat, Slack, WhatsApp, or other messaging tools for business, the firm must address preservation and supervision.
  • Treating Rule 17a-4(f) and Rule 17a-4(i) as the same undertaking issue. They are not. One addresses access to records on the firm’s electronic recordkeeping system. The other addresses outside entities that prepare or maintain required records.
  • Using a vendor without reviewing the undertaking and the firm’s independent access. A vendor’s marketing page is not the undertaking required by the rule.
  • Not testing production. The firm may believe records are preserved until FINRA asks for a date range, a custodian, attachments, metadata, or export format and the firm cannot produce it.
  • Failing to capture terminated users. When a representative leaves, mailbox and archive retention must be controlled. Deactivating or deleting the account without preserving required records is a serious mistake.
  • Letting IT control retention without compliance review. Retention settings are compliance settings, not merely IT preferences.
  • Not documenting system changes. If the firm changes email vendors, CRM systems, archive vendors, or storage architecture, someone must document what happened to historical records and how they will be produced.

What I Would Expect to See in a Recordkeeping Review

If I were reviewing a broker-dealer’s electronic recordkeeping program today, I would not stop at asking whether the firm has a WORM archive. That question is now too narrow.

I would ask for the firm’s recordkeeping map. I would want to see every system that creates or stores required records. I would ask whether the firm is relying on WORM or the audit-trail alternative for each relevant system. I would ask for the third-party or designated executive officer undertaking under Rule 17a-4(f). I would ask whether any outside service provider is covered by Rule 17a-4(i), whether the firm is claiming independent access, and whether that claimed access depends on the vendor to transfer or decrypt the records. I would ask how the firm captures text messages, chats, CRM notes, approvals, and supervisory reviews. I would ask whether the firm has tested production.

I would also ask how the firm knows its archive is complete. That is not a trick question. It is the question.

A firm should be able to demonstrate:

  • A current inventory of systems that create or preserve required records.
  • The applicable retention period for each major record type.
  • Whether the firm is using WORM or the audit-trail alternative.
  • How records are captured from each communication channel.
  • How off-channel communications are prohibited, detected, escalated, and remediated.
  • How terminated-user records are preserved.
  • How the firm can export records and audit trails in human-readable and reasonably usable electronic formats.
  • What undertaking has been filed and who is responsible for production.
  • What outside entities prepare, maintain, host, or preserve required records.
  • Whether any claimed Rule 17a-4(i) independent access really works without vendor intervention.
  • When the firm last tested a regulatory-style production request.

A Practical Compliance Checklist

For firms trying to get this right, I would start with the following checklist:

  • Build a record inventory. Identify required records, systems, owners, retention periods, and production methods.
  • Identify communication channels. Include email, chat, text, social media, CRM, collaboration tools, video-conference chats, and mobile messaging.
  • Decide whether each system relies on WORM or the audit-trail alternative. Do not assume. Document the basis.
  • Review vendor contracts and undertakings. Confirm whether Rule 17a-4(f) and 17a-4(i) undertakings are required and have been completed.
  • Assess independent access. If the firm is relying on the alternative Rule 17a-4(i) undertaking, confirm the firm does not need the vendor to transfer, decrypt, or otherwise unlock the records before the firm can access them.
  • Review vendor contract language for access and nonpayment risk. Make sure the provider cannot withhold, delete, or discard required records because of a payment dispute, termination, or some other contract event.
  • Test export capability. Pull a sample date range, a sample custodian, a sample customer name, and a sample attachment set. Confirm that the results are complete and usable.
  • Test audit trails if using the audit-trail alternative. Confirm that modifications and deletions can be identified and that original records can be recreated.
  • Review retention settings after employee departures. Make sure terminated users’ records are not lost when licenses or accounts are removed.
  • Control administrator permissions. Limit who can change retention, delete archives, alter legal holds, or modify capture settings.
  • Update WSPs. The written supervisory procedures should describe the actual systems used, the channels permitted, the channels prohibited, the archive process, and the escalation process.
  • Train personnel. Representatives and supervisors should know what systems they may use and what systems they may not use.
  • Document exceptions. If a channel fails to capture, a vendor outage occurs, or a representative uses an unapproved channel, document the issue and remediation.
  • Conduct periodic testing. Recordkeeping should be tested as part of the firm’s supervisory controls, annual compliance review, or another documented review process.

One Common Misunderstanding: Backups Are Not Archives

This point is worth saying plainly: a backup is not the same thing as a compliant archive.

A backup is designed to restore a system after a failure. An archive is designed to preserve records for retention, supervision, search, review, and regulatory production. A backup may overwrite older versions, may not be indexed for compliance review, may not preserve audit trails, and may not allow targeted production in the format regulators expect.

I still see firms that believe they are compliant because “everything is backed up.” That may be good disaster recovery. It is not necessarily Rule 17a-4 compliance.

Another Common Misunderstanding: The Vendor Does Not Own the Obligation

Broker-dealers often rely on vendors, and there is nothing wrong with that. In fact, for many small firms, using a reputable archive vendor is the most practical way to satisfy the rule.

But an agreement with an outside entity does not relieve the broker-dealer of its responsibility to prepare, maintain, preserve, and produce its books and records. Rule 17a-4(i) says that directly. The firm owns the obligation even when a vendor owns the servers.

That means the firm should not simply buy a tool and move on. It should understand what the tool captures, what it does not capture, how retention is configured, how production works, what undertakings exist, whether the firm truly has independent access where it claims to have it, and what happens if the vendor relationship ends. It should also understand whether the contract contains any provisions that could interfere with access to the records when the firm most needs them.

What Has Not Changed Since 2014

When I wrote about this topic in 2014, I made a simple point: broker-dealer records must be permanent, indexed, and accessible. The technical vocabulary has changed. The technology has changed. The rule has changed. But that basic point remains true.

Records must be preserved for the required period. They must be protected from improper alteration or deletion. They must be organized so the firm can find them. And when FINRA or the SEC asks for them, the firm must be able to produce them promptly.

The most expensive recordkeeping systems are not the ones that cost money every month. The most expensive systems are the ones that fail during an examination.

Final Thoughts

SEA Rule 17a-4 is an old rule in a new world, but it is not a dead rule. If anything, it matters more now because broker-dealer records are scattered across more systems than ever before. Email is only the beginning. The modern recordkeeping program has to account for cloud platforms, messaging tools, CRM systems, supervisory workflows, mobile devices, third-party vendors, and off-channel communications.

The SEC’s modernization of Rule 17a-4(f) was helpful because it acknowledged that WORM is no longer the only technological answer. But the modernization did not lower the bar. It changed the way firms can meet the bar. And the separate amendments to Rule 17a-4(i) did not create a general cloud carve-out. They created a narrower alternative undertaking for certain qualifying electronic recordkeeping arrangements where the broker-dealer has true independent access.

For broker-dealers, the practical question is not whether the record sits on paper, microfiche, optical disk, a WORM archive, an audit-trail-compliant cloud system, or a third-party platform. The practical question is whether the firm can prove that the record was preserved, locate it, produce it, explain the controls around it, and show that any required undertakings and vendor arrangements actually work.

That is what FINRA and the SEC care about. And that is what firms should be testing before an examiner asks.

Mitchell Atkins, CRCP, is a former FINRA executive and the founder of FirstMark Regulatory Solutions. FirstMark assists broker-dealers with written supervisory procedures, supervisory controls testing, AML independent testing, electronic recordkeeping reviews, branch office issues, FINRA membership applications, and broader broker-dealer compliance matters. If you have questions about SEA Rule 17a-4, electronic communications retention, WORM or audit-trail recordkeeping systems, or vendor undertaking requirements, contact FirstMark at 561-948-6511 or through the FirstMark contact form.

FINRA Anti-Money Laundering Independent Testing

Mitchell Atkins, former FINRA South Region Director and regulatory consultant

It is that time of year again. After the calendar winds down, broker-dealers across the country are scheduling, or in some instances scrambling to schedule, their annual independent test of the firm’s anti-money laundering program. It is a ritual that has been part of broker-dealer life for two decades.

But the AML world that surrounds that test today bears almost no resemblance to the one I wrote about back in 2014. The Customer Due Diligence (“CDD”) Rule was just a Treasury proposal back then. The Anti-Money Laundering Act of 2020 didn’t exist. FinCEN had no national priorities. Investment advisers had no AML obligations on the horizon. And FinCEN had never imposed an $80 million penalty on a broker-dealer.

All of that has changed. If you are still running the same independent test you ran in 2014, or if you are using a vendor template that has not been meaningfully refreshed, you have a problem. Examiners have moved on. So has the rule. So have the bad actors.

Below is a refreshed and expanded look at what FINRA Rule 3310 independent testing requires today, what the most recent enforcement actions tell us about how programs fail in practice, and what the proposed FinCEN AML/CFT Program Rule issued in April 2026 means for the year ahead.

What Rule 3310 Requires — The Core Has Held, But the Edges Have Moved

FINRA Rule 3310 still requires every member firm to develop and implement a written AML compliance program that is approved in writing by senior management and is reasonably designed to comply with the Bank Secrecy Act and its implementing regulations. The familiar pillars are:

  • Establishing and implementing policies, procedures, and internal controls reasonably designed to detect and cause the reporting of suspicious transactions (Rule 3310(a))
  • Establishing and implementing policies, procedures, and internal controls reasonably designed to achieve compliance with the BSA, including the Customer Identification Program and beneficial ownership rules (Rule 3310(b))
  • Independent testing for compliance (Rule 3310(c))
  • Designating an AML compliance person and providing FINRA with that person’s contact information (Rule 3310(d))
  • Ongoing training for appropriate personnel (Rule 3310(e))

What has been added is paragraph (f) of Rule 3310. When FINRA conformed Rule 3310 to FinCEN’s 2016 CDD Rule, it added an explicit obligation to maintain risk-based procedures for ongoing customer due diligence. That includes understanding the nature and purpose of customer relationships in order to develop a customer risk profile, and conducting ongoing monitoring to identify and report suspicious transactions and to maintain and update customer information on a risk basis. Beneficial ownership identification of legal entity customers (at the 25% ownership threshold and for the individual exercising control) is no longer “proposed.” It has been live since May 2018, and it is squarely within the scope of any competent independent test.

Frequency has also become more nuanced. Independent testing is required annually on a calendar-year basis for member firms that execute transactions for customers, hold customer accounts, or act as introducing brokers. For firms that engage solely in proprietary trading or do business only with other broker-dealers, the test is required every other year. That said, the supplementary material to Rule 3310 has long made clear that more frequent testing should be performed if circumstances warrant. And “circumstances warrant” is something examiners will judge with the benefit of hindsight.

The Independence Requirement: External Is Not Synonymous With Independent

The most common confusion about independent testing is what “independent” actually means.

The test must be conducted by a person with a working knowledge of the BSA and its implementing regulations. If conducted internally, the tester must not perform any of the functions being tested, must not serve as the AML Compliance Officer, and must not report to either the AMLCO or to anyone performing the functions being tested. If conducted externally, the consultant must be free of conflicts that compromise independence.

That second point gets firms in trouble. Hiring a consultant from outside the firm does not automatically make that consultant independent. If the same consultant wrote your AML procedures, drafted your customer risk-rating methodology, or trained your AML staff during the test period, that consultant’s independence for purposes of Rule 3310(c) may be compromised, because they would be testing their own work. FINRA has cited firms for exactly that conflict, and it is one of the easier deficiencies to avoid: simply separate the function of writing procedures from the function of testing them.

A related point that often gets overlooked: the FINRA designated AML contact must be kept current. Rule 3310.02 requires firms to review and update the contact information for the AML compliance person, and Rule 4517 requires updates within 30 days of any change and a review within 17 business days after the close of each calendar year. Examiners check this. It is a small thing, and it is almost always the first thing they look at.

The Bigger Picture: What Has Actually Changed

The independent test does not exist in a vacuum. It is a check on whether the program meets the regulatory framework. That framework has expanded considerably:

The FinCEN CDD Rule. Finalized in 2016 and effective May 11, 2018, the CDD Rule made the “fifth pillar” of AML compliance, ongoing customer due diligence and beneficial ownership identification, a formal regulatory requirement rather than a best practice. Any independent test today must look at how the firm collects, verifies, and refreshes beneficial ownership information for legal entity customers, and how it builds and updates customer risk profiles. FinCEN’s February 2026 order relieved covered institutions from re-identifying or re-verifying beneficial owners each time an existing legal entity customer opens another account. Firms must still identify and verify beneficial owners at the first account opening, when facts call prior information into question, and as required by risk-based ongoing CDD procedures.

The Anti-Money Laundering Act of 2020 (AMLA). Tucked into the National Defense Authorization Act, AMLA was the most consequential rewrite of U.S. AML law in a generation. It expanded whistleblower protections, broadened FinCEN’s authority, mandated the issuance of national AML/CFT priorities, and set the stage for AML coverage of investment advisers and antiquities dealers. AMLA is the reason regulators are now talking openly about “effectiveness” instead of just “compliance.”

The National AML/CFT Priorities. In June 2021, FinCEN issued the first government-wide priorities for anti-money laundering and countering the financing of terrorism. Today’s priorities cover corruption, cybercrime (including virtual currency), terrorist financing, fraud, transnational criminal organizations, drug trafficking, human trafficking and smuggling, and proliferation financing. Firms are expected to consider these priorities in their risk assessments. A 2026 independent test that does not look at how the firm has incorporated the national priorities into its risk assessment is incomplete.

The Investment Adviser AML Rule and Its Delay. FinCEN finalized the Investment Adviser AML Rule on August 28, 2024, with an original effective date of January 1, 2026. In 2025, Treasury announced its intent to delay the effective date, and FinCEN ultimately moved it to January 1, 2028, while reopening the rulemaking. For broker-dealers that are dually registered or affiliated with investment advisers, this is a moving target. But the eventual application of BSA obligations to RIAs is a “when,” not an “if,” and dual registrants should not let the delay lull them into complacency.

The April 2026 FinCEN AML/CFT Program Rule Proposal. On April 7, 2026, FinCEN issued a Notice of Proposed Rulemaking that would substantially revise the AML/CFT program requirements applicable to banks, broker-dealers, money services businesses, mutual funds, and other covered institutions. The proposal explicitly shifts the supervisory focus from technical process-and-documentation compliance to program effectiveness, formalizes a risk assessment requirement, and instructs institutions to incorporate the national AML/CFT priorities into their risk assessments and resource-allocation decisions. FinCEN has proposed a 12-month implementation period after a final rule. FINRA’s 2026 Report already reflects similar themes.

Effectiveness Over Form: What Examiners Are Looking For Now

The shift toward effectiveness is showing up in FINRA’s exam findings. The Anti-Money Laundering, Fraud, and Sanctions topic in the 2026 FINRA Annual Regulatory Oversight Report continues to flag firms whose AML programs are static while their businesses are dynamic. The themes are consistent year over year, and they should drive how you scope an independent test:

  • AML programs that did not grow with the firm’s business, particularly where the firm added high-risk products, customer types, geographies, or distribution channels without commensurate updates to its surveillance, customer due diligence, and SAR investigation processes
  • Customer risk profiles that exist on paper but are not actually used to drive monitoring or escalation
  • Suspicious activity surveillance that runs but is not meaningfully reviewed, or where the underlying data feeds are incomplete (suspense accounts, omnibus structures, foreign affiliate flows)
  • 314(a) information requests that are not addressed within the required two-week window
  • Independent tests that are too narrow in scope, that are completed late, or that are completed by personnel whose independence is compromised

One theme cuts across all of these: the existence of a policy is not evidence of compliance. The independent test must look at whether the program worked during the test period, not just whether it was written.

What Recent Enforcement Tells Us — and Why You Should Be Reading It

I tell every client I work with the same thing: read the FINRA disciplinary actions monthly, and read the FinCEN and SEC AML orders as they come out. They are the cheapest education available. A handful of recent matters illustrate where programs are breaking down.

In March 2026, FinCEN imposed an $80 million civil money penalty against Canaccord Genuity LLC, the largest AML penalty ever assessed against a broker-dealer, with parallel $20 million penalties from the SEC and FINRA. The order documented a years-long failure to maintain an effective AML program despite repeated regulator warnings going back to 2013. The firm had four employees reviewing more than 100 surveillance reports producing thousands or millions of line items annually. Key reports went unreviewed for stretches as long as four years. Alert filters were used to suppress volume rather than focus attention. And, critically, certain employees falsified records during a FINRA examination. The firm failed to file at least 160 SARs. There are several lessons here, but the one most relevant to independent testing is this: a competent test would have surfaced the unreviewed reports, the suppressed alert volumes, and the under-resourcing of the surveillance team long before it became an expensive enforcement matter.

In October 2025, a Miami-headquartered broker-dealer settled an AWC with FINRA for $650,000, the firm’s second AML penalty in roughly seven years. Among other things, the firm consented to findings that it failed to monitor approximately 900 wire transfers totaling $305 million for suspicious activity, did not complete the required periodic reviews that drove its automated monitoring’s risk parameters, and did not investigate when other financial institutions rejected wire transfers from customers the firm itself had designated as high risk. Recidivism is expensive. It is also avoidable, especially when the independent test gets at the actual implementation of the procedures rather than just confirming that the procedures exist.

In August 2025, FINRA fined a firm $500,000 for using the wrong SAR filing threshold, applying the $25,000 bank threshold to brokerage account activity instead of the $5,000 broker-dealer threshold. That mistake led to 42 unfiled SARs covering account intrusions, identity theft, and internet scams. The firm only discovered the error after reading a similar enforcement action against another company. A robust independent test sample-checks SAR thresholds, timeliness of filings, quality of SAR narratives, and the firm’s process for identifying when a SAR is required. This is exactly the kind of foundational error that surfaces quickly when somebody who knows what they are looking for actually tests the work.

I have seen the same patterns both in my consulting work and when I reviewed examinations at FINRA. Quite often, I opened a small firm’s AML procedures manual and found a generic list of red flags that did not match the firm’s actual business in any recognizable way. I once saw “cash-intensive businesses” listed near the top of a red flags inventory when the firm cleared institutional trades exclusively and had never accepted a cash deposit in its history. Another firm had a penny-stock business but kept procedures that read as if the firm sold mutual funds to retail customers. Generic templates do not satisfy Rule 3310, and a competent independent test will say so. Tailoring red flags, surveillance, and training to what the firm actually does is the foundation of an effective AML program.

Common Independent Testing Pitfalls

FINRA has frequently provided insights on AML testing pitfalls. FirstMark has also observed similar issues. Some are easy to fix. Others reflect deeper problems that can take time to remediate. The most common include:

  • Scope that is too narrow. Tests that look at the AML written supervisory procedures, training records, and FinCEN contact information but never sample customer accounts, never review SAR decisioning, and never validate that surveillance alerts were actually worked.
  • Lack of true independence. External consultants who wrote or substantially revised the procedures during the test period; internal testers who report to the AMLCO; testers without working knowledge of the BSA.
  • Failure to review the risk assessment and the national priorities. An AML test that does not look at the firm’s current risk assessment, and at how the firm has considered the national AML/CFT priorities, is going to look thin to an examiner.
  • No review of beneficial ownership compliance. The CDD Rule has been live for over seven years. Sample-test beneficial ownership records for legal entity customers, and look at how the firm handles renewal, refresh, and changes in ownership.
  • Surveillance system gaps. Validate that the data feeding the AML surveillance system is complete. Suspense accounts, foreign affiliate accounts, omnibus and wrap structures, and journal entries are common sources of blind spots.
  • Wire and ACH activity not tested. Wire and ACH activity is where suspicious activity actually occurs. If the test does not pull a sample of wires, including outbound wires to high-risk jurisdictions and inbound wires from third parties, it is not a serious test.
  • No look at 314(a) and OFAC processes. These are bread-and-butter exam items. The test should confirm timely 314(a) responses and validate the OFAC screening process and exception handling.
  • Stale documentation, current findings. A test report that recycles last year’s findings without confirming whether they were actually remediated is worse than no test at all.

A Practical Approach for AML Independent Testing

If you are scoping your next AML independent test now, or hiring a consultant to do it, there are a few things I would build into the engagement.

Start with the firm’s most current risk assessment. If the firm doesn’t have a current risk assessment, that is itself a finding. The risk assessment should consider the firm’s products, customers, geographies, and distribution channels, and it should explicitly address the national AML/CFT priorities. Everything else in the test flows from this. I have walked into more than one engagement where the risk assessment carried a date stamp three or four years old. In the meantime the firm had added new product lines, opened branches in new states, or built relationships with foreign affiliates, and none of those changes were reflected anywhere in the assessment. The procedures described one firm. The business had become a different firm.

Build the sample around risk. High-risk customers, foreign customers, low-priced and microcap securities activity, cash management products, large or unusual wires, and any business line that has grown materially during the test period should be over-sampled relative to lower-risk activity. The proposed FinCEN program rule explicitly endorses this kind of risk-based resource allocation, and examiners are looking at it now.

Test implementation, not just policy. Pull surveillance alerts and trace them through investigation, escalation, and disposition. Pull SARs and read them. Pull customer files and verify CIP and beneficial ownership documentation. Pull rejected wires and confirm that the firm investigated them. Read what the AML team actually did, not what the procedures say it should have done.

Document everything, and write a real report. The test report should describe scope, methodology, sample sizes, findings, severity, and recommended remediation. It should be specific enough that, a year from now, the firm can point to exactly what was tested and what was concluded. Vague reports can be an enforcement liability.

Don’t sit on the findings. Build a remediation plan with owners and target dates, and follow up. The Miami case I mentioned above is a good reminder that examiners view recidivism harshly, and that “we identified the issue but didn’t fix it” is in many ways worse than “we missed the issue entirely.”

Looking Forward: The FinCEN Reform and AML Program Effectiveness

The April 2026 FinCEN proposal is the most important AML development of the year for broker-dealers, and it deserves serious attention even before it is finalized. A few practical implications worth thinking about now:

The proposed rule formalizes a risk assessment requirement. Many broker-dealers already have one. Many do not, or have a document that has not been meaningfully updated in years. Either way, the risk assessment is about to become the foundation on which the entire program, including the independent test, rests.

The proposed rule pushes institutions to incorporate the national AML/CFT priorities into the risk assessment in a meaningful, non-superficial way. FinCEN has explicitly cautioned that boilerplate treatment will not satisfy supervisory expectations. Firms should be prepared to explain why each priority is, or is not, material to their business.

The proposed rule preserves and arguably elevates the role of independent testing. Testing is expected to focus on whether the program is effective and to identify issues for remediation, with objective criteria designed to assess whether the firm has effectively established and maintained an AML program and allocated resources consistent with its risk profile. That standard is higher than “did the firm follow its written procedures.”

The proposed rule is not yet final. Comments are due June 9, 2026, and FinCEN has proposed a 12-month implementation window after a final rule is issued. But the direction of travel is clear, and a thoughtful 2026 independent test should already be looking at the firm’s program through the effectiveness lens.

Closing Thought

I oversaw the creation of FINRA’s National AML Investigative Unit in 2012, and I have watched the AML space evolve through every major change in the years since. The cases that hurt firms the most have a common thread: nobody, internally or through the independent test, was meaningfully checking whether the program actually worked. Procedures existed. Boxes were ticked. Reports were generated. But there was often a failure to take an honest look at the implementation, and the gaps grew until the regulators found them.

The annual independent test is the single most efficient mechanism a broker-dealer has to find its own problems before someone else does. It is worth doing well.

Mitchell Atkins, CRCP, is a former FINRA executive and the founder and Principal of FirstMark Regulatory Solutions. FirstMark provides AML independent testing for broker-dealers, FINRA Rule 3120 supervisory controls testing, Rule 3130 certification support, FINRA new member and continuing membership applications, and broader regulatory consulting services to broker-dealers across the country.

FINRA 5 Percent Policy – What Firms Actually Need to Know

Mitchell Atkins, former FINRA executive and regulatory consultant

A practitioner’s guide to FINRA Rule 2121 — covering the rule text, the governing case law, how the 5% and 10% thresholds actually work, what FINRA is finding in current exams, and what your firm needs to do to stay compliant.

The Core Obligation

FINRA Rule 2121 — titled “Fair Prices and Commissions” — governs how broker-dealers price transactions with their customers. The rule’s language is deceptively simple: when a firm buys or sells a security for its own account, acting as principal, it must do so at a price that is fair, taking into account all relevant circumstances, including market conditions, expense, and the firm’s entitlement to a profit. When a firm acts as agent, it must not charge more than a fair commission or service charge. Importantly, the obligation runs in both directions. The rule applies equally to markups — when a firm sells to a customer above the prevailing market price — and to markdowns, when a firm buys from a customer below the prevailing market price. Both must meet the same standard of fairness.

“It shall be deemed a violation of Rule 2010 and Rule 2121 for a member to enter into any transaction with a customer in any security at any price not reasonably related to the current market price of the security or to charge a commission which is not reasonable.”

FINRA Rule 2121, Supplementary Material .01

Every markup and markdown analysis is anchored to the prevailing market price (PMP) — the price that reflects current market conditions at the time of the transaction. The markup or markdown is the difference between what the customer pays or receives and that PMP. Getting the PMP right is not a technicality; it is the foundation of the entire analysis, and it is where FINRA examiners focus first.

The 5 Percent Policy: What It Is and What It Isn’t

Alongside the rule text, FINRA maintains what is known as the “5 Percent Policy” — an interpretive guideline adopted by the NASD Board in 1943, based on studies showing that the large majority of customer transactions were executed at markups of 5% or less. The Policy has been reviewed and reaffirmed by the FINRA Board of Governors multiple times since then.

Understanding what the 5% figure actually means in practice requires reading it carefully:

What the rule actually says about 5 Percent

The 5 Percent Policy is explicitly a guide, not a rule. Critically, the rule states that a markup pattern of 5% or even less may be considered unfair or unreasonable — and that the percentage of markup is only one of several factors that determine fairness. There is no “safe harbor” at 5%. There never has been.

In today’s markets — far more liquid and transparent than 1943 — FINRA applies considerably more pressure well below the 5% threshold, particularly for listed equities where inter-dealer spreads are tight and execution costs are minimal. A 5% markup on a listed equity transaction will attract significant examiner attention.

The 10% Threshold: Per Se Fraud

While FINRA guidance frames the 5% figure as a guideline, the SEC has established a considerably harder legal line at 10%. This is not a soft regulatory expectation — it is stated explicitly by the SEC in Release No. 34-24368 (April 21, 1987), transmitted to the industry via NASD Notice to Members 87-31:

“The Commission consistently has held that, at the least, undisclosed mark-ups of more than 10% above the prevailing market price are fraudulent in the sale of equity securities.”

SEC Release No. 34-24368 (April 21, 1987) — citing In re Alstead, Dempsey & Co.; In re Peter J. Kisch (Release No. 19005, 1982); In re Powell & Associates (Release No. 18577, 1982); James E. Ryan; In re Sherman Cleason (1944); Duker & Duker.

This line of administrative decisions — running from Duker & Duker in 1939 through multiple SEC releases — establishes that an undisclosed markup exceeding 10% on an equity security is fraudulent under Section 10(b) of the Exchange Act and Rule 10b-5, as well as Section 17(a) of the Securities Act of 1933.

The standard is stricter for debt securities

For debt securities — corporate bonds, municipals, and government securities — the standard is stricter. The SEC has consistently held that markups on debt are expected to be lower than on equities. A markup that might be defensible on an equity may be clearly excessive on a bond of equivalent dollar value.

Disclosure does not cure an excessive markup under FINRA rules

Disclosing the amount of a markup to the customer before the transaction is a relevant factor under Rule 2121 — but it does not render an otherwise excessive or unfair markup permissible. The rule is explicit: disclosure itself does not justify a commission or markup that is unfair in light of all other circumstances. The disclosure defense is available only in the narrower federal fraud analysis — it may defeat the “undisclosed” element of a 10b-5 claim — but it carries no weight under the SRO fair pricing rules, where excessive markups are prohibited whether or not disclosed.

The Seven Factors: How Fairness Is Determined

Rule 2121’s Supplementary Material .01(b) sets out seven factors that firms and regulators must weigh in assessing whether a markup, markdown, or commission is fair. No single factor is determinative — the analysis is always holistic. All seven must be considered.

Pie chart illustrating FINRA Rule 2121 markup factors

  1. Type of security. Higher markups are more defensible on lower-grade, less liquid, or more complex instruments. Listed common stocks face the tightest standards. Bonds carry tighter standards than equities. Units of direct participation programs and condominium securities have historically carried higher acceptable markups than common stock.
  2. Availability in the market. For inactive or thinly traded securities, the effort and cost of sourcing the security may justify a wider spread. The firm should document specifically what effort was required — dealer inquiries made, time spent, risk taken in positioning inventory.
  3. Price of the security. Lower-priced securities generally support higher percentage markups. The rule acknowledges that low-price transactions may require more handling and expense. The key is whether the economics of the specific transaction actually bear this out.
  4. Amount of money involved. Small-dollar transactions may justify a higher percentage to cover handling expenses. Larger transactions — particularly block trades — are expected to be more efficient. Sliding-scale grids tied to transaction size are common and appropriate when kept current.
  5. Disclosure. Prior disclosure of the markup amount is one factor among seven — not a trump card. The rule is explicit that disclosure does not justify a charge that is otherwise unfair. It is relevant but limited in its protective effect under SRO rules.
  6. Pattern of markups. Each transaction must individually meet the fairness standard. FINRA pays particular attention to patterns — a consistent pattern of elevated markups across a class of transactions or for a specific customer draws far more scrutiny than an isolated outlier that was promptly documented and addressed.
  7. Nature of the firm’s business. Firms providing substantive, continuing services — research, market access, advisory capabilities — may have a stronger basis for higher charges than execution-only operations. Note: inventory losses or unrealized market losses the firm sustained are the firm’s risk and may not be passed through to the customer as a justification for a higher markup.

Determining the Prevailing Market Price

Every markup and markdown analysis begins with the prevailing market price. Rule 2121 and its Supplementary Material .02, for debt securities, establish a clear hierarchy for determining PMP. Firms must follow this waterfall in order — they cannot skip levels or use a lower-tier source when a higher-tier source is available:

  1. Contemporaneous cost, the primary presumption. For a firm selling to a customer, its own contemporaneous cost of acquiring the security is presumptively the best evidence of PMP. For markdowns, contemporaneous proceeds from the firm’s own sales control. This presumption is strong: a firm must produce actual evidence to overcome it — not just assert that market conditions changed.
  2. Inter-dealer transaction prices. If no contemporaneous cost exists, or if the presumption is legitimately overcome — for example, due to a material interest rate change, a significant credit quality shift, or market-moving news after the firm’s acquisition — the next source is contemporaneous inter-dealer transactions in the same security.
  3. Institutional transaction prices. Contemporaneous dealer purchases or sales to institutional accounts with which the dealer regularly transacts in the same security.
  4. Inter-dealer bid/offer quotations. For actively traded securities only, validated contemporaneous inter-dealer quotations through a mechanism where transactions generally occur at displayed prices. Quotations for inactively traded securities are frequently subject to negotiation and may not reflect actual PMP.
  5. Similar securities and economic models. Only when none of the above yield relevant pricing information. Economic models, such as discounted cash flow or credit spread analysis, may be used, but only at the bottom of this hierarchy — not as a shortcut past the earlier steps. Isolated transactions or a limited number of non-representative transactions have little or no weight.

Firms cannot skip levels in this hierarchy

Using quotations from a limited number of market participants when inter-dealer transaction prices are available, or relying on economic models when contemporaneous transactions exist, is itself a Rule 2121 violation — regardless of whether the markup ultimately charged would have been found fair under a correct PMP analysis.

Transactions Covered — and One Key Exemption

The 5% Policy and Rule 2121’s fair pricing obligation apply broadly across transaction types. Firms should not assume the rule is limited to straightforward principal sales from inventory.

Transactions the rule covers

  • Principal sales from inventory to customers.
  • Principal purchases from customers, or markdowns.
  • Riskless and simultaneous principal transactions.
  • Agency transactions, including commissions.
  • Proceeds transactions, discussed below.
  • All security types: equities, bonds, direct participation programs, oil royalties, and others.

One key exemption

  • New issue / prospectus sales: the 5% Markup Policy does not apply where a prospectus or offering circular is required to be delivered and the securities are sold at the specific public offering price.

Note: municipal securities are subject to MSRB Rule G-30 for debt-specific pricing requirements. The general fair pricing obligation under Rule 2121 continues to apply.

Proceeds transactions require particular attention. When a customer liquidates a position and uses those proceeds to purchase another security at or about the same time, both legs are treated as a single transaction for markup purposes. Any profit the firm realized on the liquidation side must be included in calculating the total markup on the purchase. Firms that treat each leg as a separate, independent transaction — and calculate markups independently on each — are incorrectly applying the rule and likely charging the customer an aggregate amount that would not pass the fairness test if properly measured.
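As an added illustration (not part of the original article and not FINRA’s own methodology), the following Python models the five-level PMP hierarchy described above, records the basis chosen so it can be documented, and applies the proceeds-transaction rule just described by aggregating both legs. The data model, the use of the mean of contemporaneous prices at a level, the 5% figure as a firm policy threshold, and expressing the aggregate charge against the purchase-side PMP are assumptions of this example, and all prices are constructed.

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import Optional

# Constructed example of the Rule 2121 PMP waterfall and proceeds-transaction
# aggregation. The data model and the percentage base are this example's own
# assumptions, not FINRA's methodology; all sample prices are constructed.


@dataclass
class PricingEvidence:
    """Contemporaneous evidence gathered for one security (constructed values)."""
    contemporaneous_cost: Optional[float] = None   # firm's own cost (markups) or proceeds (markdowns)
    cost_overcome_basis: Optional[str] = None      # documented evidence for overcoming the presumption
    inter_dealer_trades: list[float] = field(default_factory=list)
    institutional_trades: list[float] = field(default_factory=list)
    inter_dealer_quotes: list[float] = field(default_factory=list)
    actively_traded: bool = False                  # quotes count only for actively traded securities
    model_price: Optional[float] = None            # DCF / credit-spread output, bottom of the hierarchy


def determine_pmp(ev: PricingEvidence) -> tuple[float, str]:
    """Walk the hierarchy in order and return (pmp, documented basis).

    Levels are never skipped: a lower level is consulted only when every level
    above it yields nothing. The basis string is what the PMP record should keep.
    """
    if ev.contemporaneous_cost is not None and ev.cost_overcome_basis is None:
        return ev.contemporaneous_cost, "1: contemporaneous cost (presumption)"
    # The presumption is overcome only with a documented basis; carry it into the record.
    overcome = f" [presumption overcome: {ev.cost_overcome_basis}]" if ev.cost_overcome_basis else ""
    if ev.inter_dealer_trades:
        return mean(ev.inter_dealer_trades), "2: inter-dealer transactions" + overcome
    if ev.institutional_trades:
        return mean(ev.institutional_trades), "3: institutional transactions" + overcome
    if ev.inter_dealer_quotes and ev.actively_traded:
        return mean(ev.inter_dealer_quotes), "4: validated inter-dealer quotations" + overcome
    if ev.model_price is not None:
        return ev.model_price, "5: economic model (no higher-level evidence)" + overcome
    raise ValueError("no basis for PMP: document the gap and escalate before pricing")


def markup_pct(price_to_customer: float, pmp: float) -> float:
    """Markup (positive) or markdown (negative) as a percentage of PMP."""
    return (price_to_customer - pmp) / pmp * 100.0


@dataclass
class Leg:
    """One side of a transaction, priced against its own PMP (constructed values)."""
    quantity: int
    pmp: float
    customer_price: float   # what the customer paid (purchase) or received (liquidation)


def proceeds_transaction_markup(liquidation: Leg, purchase: Leg) -> dict:
    """Treat both legs as one transaction: the firm's profit on the liquidation
    is added to the markup on the purchase. Returns per-leg and aggregate
    percentages so the incorrect leg-by-leg view can be compared with the correct one."""
    liq_profit = (liquidation.pmp - liquidation.customer_price) * liquidation.quantity
    buy_profit = (purchase.customer_price - purchase.pmp) * purchase.quantity
    base = purchase.pmp * purchase.quantity   # assumption: aggregate measured against purchase PMP
    return {
        "liquidation_markdown_pct": -markup_pct(liquidation.customer_price, liquidation.pmp),
        "purchase_markup_pct": markup_pct(purchase.customer_price, purchase.pmp),
        "aggregate_markup_pct": (liq_profit + buy_profit) / base * 100.0,
    }


def flag_exception(result: dict, threshold_pct: float = 5.0) -> bool:
    """True when the aggregate charge exceeds the firm's policy threshold, even if
    each leg on its own would not. The default is a constructed policy setting."""
    return result["aggregate_markup_pct"] > threshold_pct


if __name__ == "__main__":
    # Constructed proceeds transaction: each leg looks fine alone, the aggregate does not.
    sale = Leg(quantity=1000, pmp=10.00, customer_price=9.70)    # 3% markdown
    buy = Leg(quantity=1000, pmp=9.50, customer_price=9.88)      # 4% markup
    result = proceeds_transaction_markup(sale, buy)
    print(result, "exception" if flag_exception(result) else "within policy")
```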

What FINRA Is Finding in Current Examinations

FINRA’s current examination priorities in this area focus heavily on fixed income and principal transactions. The following deficiencies are the most frequently cited:

  • Incorrect PMP determination. Firms not following the contemporaneous cost presumption, or bypassing the required waterfall by jumping to quotations or economic models when inter-dealer transaction prices are available. This is the most frequently cited deficiency in markup-related exam findings.
  • Inadequate oversight of third-party pricing software. Firms using vendor systems to determine PMP but lacking oversight of how the software establishes prices, not verifying that the firm’s own trade data feeds are complete and accurate, or allowing manual overrides without documented supervision and rationale for each override.
  • Stale markup and markdown grids. Relying on fixed pricing grids established years earlier and never updated to reflect changed market conditions, instrument characteristics, or current transaction economics.
  • No facts-and-circumstances analysis. Relying solely on grids or fixed thresholds to assess fair pricing — without conducting the actual multi-factor analysis required by the rule — is a supervisory deficiency even if no individual transaction is found to be priced excessively.
  • Yield impact not considered for short-term debt. Charging markups on short-maturity fixed income securities that materially reduce the investor’s yield to maturity — sometimes eliminating a significant fraction of available return — without accounting for that impact in the fairness analysis.
  • No PMP documentation. Firms are required to document the basis for PMP in each transaction, particularly when departing from the contemporaneous cost presumption. Without this documentation, the firm cannot meet its evidentiary burden if a transaction is challenged in an examination or enforcement proceeding.

Building a Compliant Markup and Commission Program

A sound compliance program in this area rests on three pillars: a written policy that accurately reflects the firm’s actual business and pricing practices; supervisory systems capable of detecting and investigating deviations; and documentation sufficient to support the firm’s positions under examination. Here is what each requires:

Written Policy

  • Standard markup and markdown ranges by security type — equities, investment-grade debt, high-yield, municipals, and direct participation programs.
  • An explicit PMP determination methodology that follows the Rule 2121 waterfall in the correct order.
  • A documentation standard for transactions where contemporaneous cost is not used as PMP, including the specific basis for departing from the presumption.
  • A proceeds transaction identification and calculation procedure.
  • A grid review schedule — pricing grids must be reviewed and updated periodically to reflect current market conditions.
  • Disclosure protocols for markups above standard policy thresholds.

Supervisory Systems

  • Automated exception reports flagging transactions above defined markup and markdown thresholds by security type.
  • Periodic recalibration of exception parameters — static exception reports become ineffective as market conditions shift and stop identifying genuine outliers.
  • Oversight of any third-party PMP software, including verification that firm trading data feeds are complete, accurate, and current.
  • Supervision of all manual PMP overrides, with documented rationale required for each.
  • Account-level monitoring, including cost-to-equity ratios and turnover ratios for active accounts, with a defined protocol for investigating outliers.

Documentation

  • PMP determination record for each principal transaction, particularly where the contemporaneous cost presumption is departed from.
  • Written rationale for exception transactions identifying which of the seven factors apply and what specific work was performed to justify the charge.
  • Investigation records for all exceptions flagged by supervisory systems, including disposition and any follow-up action taken.
  • Records of periodic grid and procedure reviews, including what was reviewed, who conducted the review, and what changes were made.

The practical test

If a FINRA examiner asks two questions — “how did you determine the prevailing market price for this transaction?” and “what specific factors justify this particular charge?” — can every person who prices transactions at your firm answer both clearly and consistently, with supporting documentation? If not, the compliance program has gaps worth addressing before the next examination cycle.

Mitchell Atkins, CRCP, is a former FINRA executive and the founder and Principal of FirstMark Regulatory Solutions. FirstMark provides broker-dealer compliance consulting, supervisory controls testing, AML independent testing, FINRA membership application support, and regulatory guidance on sales practice, supervision, and fair pricing issues. If you have questions about markup policy or FINRA Rule 2121 compliance, you can contact FirstMark here.


Atkins Discusses FinCEN CDD Rule on FINRA AML Panel

Don’t miss the AML Challenges panel at the 2018 FINRA Annual Conference on May 23, 2018 in Washington DC. FirstMark’s founder, Mitch Atkins, will present as a panelist. One of the key topics to be discussed is the FinCEN CDD Rule. The rule became fully effective May 11, 2018. If you’re ready, or even if you’re not, implementation questions still abound. As recently as April 2018, FinCEN issued additional guidance in the form of FAQs. This was the second round of FAQs issued on the FinCEN CDD Rule. The first round can be found here. Many firms have experienced challenges in understanding the nuances of the beneficial ownership requirements, including the ownership and control prongs. There are numerous exceptions and interpretations to both. Perhaps more challenging has been the so-called “fifth pillar” requirement, which involves ongoing monitoring to detect potential suspicious activity. The FinCEN CDD Rule codifies, for the first time, the requirement to conduct ongoing monitoring and to update customer information if red flags are noted. Some AMLCOs have struggled with the concept of the fifth pillar, particularly with regard to the ongoing monitoring requirements. Questions have arisen as to whether the FinCEN CDD Rule requires small firms to implement an automated surveillance system. Guidance issued by Treasury on the FinCEN CDD Rule provides that this is not the case – there is no new requirement to install a trade surveillance system. Instead, the FAQs explain that the monitoring can be done on a risk basis. However, if during the course of normal risk monitoring a red flag of potentially suspicious activity is noted, the customer profile developed under the FinCEN CDD Rule’s “nature and purpose” provision should be revisited and, if necessary, updated. All of these issues will be addressed on the AML Challenges panel at the 2018 FINRA Annual Conference in Washington DC.
If you haven’t signed up and were considering doing so, you can at this link. Also, you can view the conference video

Click on the image below to view the conference brochure:


Click on the image below to view FirstMark’s presentation materials (a practical quick reference guide to the FinCEN CDD Rule).


FirstMark Regulatory Solutions, Inc. is a compliance consulting organization based in Boca Raton, Florida. Mitch Atkins is FirstMark’s founder and principal. He focuses on broker-dealer compliance matters, including anti-money laundering independent testing, FINRA new member applications, FINRA CMAs, FINRA Enforcement litigation support, and supervisory controls testing. FINRA has increased focus on AML failures in recent years.


AML Surveillance – Major FINRA AML Case

Yesterday FINRA settled yet another major case involving AML surveillance system deficiencies. This is one more in a series of cases in which FINRA has found that a broker-dealer’s electronic surveillance systems were insufficient to detect potentially suspicious transactions. In this case, FINRA fined the firm $13 million (which was duplicated by the SEC, bringing the total sanction to $26 million) for failures related to an automated system the firm used to monitor transactions for potentially suspicious activity. In 2010, the firm connected the system to a larger, enterprise-wide system that risk-scored the results in a way that limited the review of alerts from the original system. This means that, according to the settlement document, for a four-month period the firm did not investigate suspicious activity detected by the original system. It appears from the settlement language that the firm believed its system was generating too many “false positives” and during a transition period simply determined not to investigate those items. All in all, it seems that the firm failed to investigate 1,015 instances of potentially suspicious activity. The firm also designed the system parameters such that it excluded multiple occurrences of potentially suspicious money movements that involved high-risk counterparties and entities only once. Thus, because there was no linkage between related accounts, the system did not consistently identify or monitor these customers, which apparently included some in high-risk jurisdictions and some who were senior foreign political figures (PEPs). Also, quite interestingly, the settlement states that millions of accounts were excluded from the firm’s automated monitoring system.

This case is an obvious demonstration of FINRA’s increasing ability to conduct highly sophisticated AML investigations. FINRA’s last several major AML actions have sought progressively higher fine amounts for failures to adequately implement AML surveillance technology. No doubt, the investment in staffing and technology to address this issue proactively would have cost less than $26 million. But of course, hindsight is always 20/20. That said, the message is abundantly clear. It is time to invest in top-notch AML surveillance systems. And, such an investment is not simply the installation, but the ongoing periodic maintenance, which in the industry is often called tuning. It is also important that firms utilizing AML surveillance systems employ experts in FINRA AML requirements to ensure that the systems are tested and tuned in a manner similar to that which is performed by FINRA.

Finally, I have previously explained that while tuning is an important aspect of the maintenance of AML surveillance systems, it is important to take a measured approach to managing false positives generated by these systems. On one hand, false positives are a fact of life with AML surveillance systems. However, changes to rules and thresholds that are not validated or tested by experts against prior results can end up causing costly mistakes. I’m a firm believer in eliminating as many false positives as possible, because by their nature a good percentage of them are just noise and interfere with proper AML surveillance and detecting potentially suspicious activity. I’ve written about this before. However, I worry that FINRA actions such as this will have a chilling effect on those firms wishing to fine-tune these systems. I fully support modification of thresholds and rules to result in the maximum efficiency of the AML surveillance system overall. Also, it often makes sense to implement enterprise-wide surveillance. As with many things, however, this case illustrates that the devil is in the details.

Mitch Atkins, CRCP is the founder and principal of FirstMark Regulatory Solutions, a compliance consulting organization based in Boca Raton, Florida that specializes in AML compliance.



Mitch Atkins Presenting at FINRA South Region Conference

Mitch Atkins, founder and principal of FirstMark Regulatory Solutions, will present at the FINRA South Region Compliance Seminar in Fort Lauderdale, Florida on December 6, 2017. Mitch Atkins will present as a panelist on FINRA’s panel entitled Writing and Maintaining Written Supervisory Procedures. The panel will discuss FINRA’s Supervision Rule (Rule 3110) and, in particular, best practices for developing effective supervisory and compliance procedures. As a panelist, Atkins will discuss the regulatory requirements for procedures and will provide take-away resource materials to attendees that will serve as a guide for developing procedures, including procedures for FINRA’s new Rule 2165 on financial exploitation of seniors/specified adults.

One of the most commonly cited violations on FINRA examinations is the failure to develop and implement adequate written supervisory procedures (“WSPs”). Beyond simply satisfying regulatory requirements, effective WSPs are a compliance tool that broker-dealers use to delegate responsibilities for compliance with FINRA and SEC rules. Additionally, effective WSPs do more than simply state the requirements of a particular rule; rather, they serve as a blueprint of the firm’s supervisory system. A supervisory system collectively includes the processes, technology, personnel and related documentation. Before engaging in the development of WSPs, a firm should first carefully consider all aspects of its overall supervisory system. Lastly, an effective supervisory system includes clear lines of authority. There have been numerous regulatory enforcement actions which cited firms for failure to designate authority, or worse, in which a problem arose but the lines of authority were blurred such that nothing was done to correct the problem. In some of these cases, the identification of the problem was not the issue so much as who was responsible for its resolution. These issues will be covered by the panel, which includes industry and regulator participation. The FINRA South Region Conference is a cost-effective way to gain additional knowledge in this and many other areas.

To register, please visit http://www.finra.org/industry/2017-south-region-compliance-seminar 

FirstMark offers a broad range of compliance consulting services, including AML independent testing, Rule 3120 supervisory controls testing, SRO relationship management, FINRA membership applications, training, and more. Mitch Atkins founded FirstMark in 2013.

For more information and to view the seminar brochure and agenda, simply click the image below.


Update: To view the session materials, click the image below:


Epic BD AML Compliance Failure Yields Another Record Fine

On Monday, December 5, 2016, FINRA announced yet another record fine against a broker-dealer for AML compliance failure. This action follows another just seven months ago in which FINRA fined a broker-dealer complex $17 million for AML compliance failure. There are numerous messages here which you can read about in my LinkedIn article that analyzes the new case. The bottom line here is to remember that the days of a slap on the wrist for a firm with a serious AML compliance failure are over. FINRA has demonstrated that it will not hesitate to slap a broker-dealer with a significant sanction, and even to name individual AML compliance officers if violations are serious. There are parallels between this case and FINRA’s May 2016 action against a Florida BD complex. Read my summary of that case here.

The case involved several significant areas of compliance breakdowns. The firm utilized an automated surveillance system, but according to the FINRA settlement document, the data feeding into the system was inaccurate and/or missing information critical to its proper functioning. FINRA also found that the system did not utilize scenarios to detect specific types of activity that FINRA believed the firm’s systems should have covered.

Another AML compliance failure was that there were deficiencies in the manner in which the firm determined ownership and saleability of microcap securities. FINRA noted that the firm was involved in the liquidation of over 3.7 billion shares of microcap issuers during its review period and earned $10.4 million in commissions from those liquidations. Because the system for determining whether the shares could be properly liquidated was inadequate, FINRA found that the firm violated NASD Rule 3010, FINRA Rule 3110, and FINRA Rule 2010.

The AML compliance failure also involved inadequate procedures covering suspicious activity reporting, and failure to conduct adequate due diligence on foreign financial institutions that were also firm affiliates.


FINRA Tolerance for AML Compliance Failures Fading

AML compliance failures are starting to get the “zero tolerance” message from FINRA. It recently announced its largest fine ever against two firms for AML compliance failures, including the suspension of the AML compliance officer. Mitch Atkins, a former FINRA official, breaks down this action in a LinkedIn article. In reality, these sanctions are not too different in scope from those levied on Brown Brothers Harriman in 2014. The difference is that there are two firms involved in this sanction. Also, the failures in the Brown Brothers case appear to be more limited to the area of low-priced securities; while that is an element of the recent action, it seems broader in scope as to the nature of the compliance failures.

At the recent FINRA Annual Conference in Washington, D.C., FINRA’s head of Enforcement, Brad Bennett, indicated in his comments during a panel discussion that there were more enforcement cases to come in the AML compliance space. Bennett stated that FINRA noted a significant number of red flags in the recent case, but he suggested that future cases may involve actual money laundering rather than just compliance failures. I suspect these cases will be as significant or more significant given the apparent escalation of sanctions of late.

AML Compliance Failures Don’t Necessarily Mean AMLCOs will be Named

The good news is that Bennett reassured the attendees that the action against the AMLCO in this case was an exception and that FINRA is not out to get compliance officers. He insisted that FINRA carefully considers naming compliance officers and would rather not do it at all. FINRA has long stated that compliance officers who are doing their jobs and who take reasonable steps to address compliance issues will not be named in disciplinary actions. Bennett warned, however, that should senior executives ignore the calls of compliance officers for additional resources and compliance failures were the result of such decisions, FINRA would not hesitate to name them in an action.

Mitch Atkins is a consultant to broker-dealers, investment advisers and financial firms. He has over 23 years experience in the securities industry and is the founder and principal of FirstMark Regulatory Solutions based in Boca Raton, Florida.


Atkins in Forbes: Email and Social Media Compliance

Last month in New York, I was invited to speak with a group of broker-dealer compliance staff at an event about email and social media compliance. More specifically, and to be technically correct, we call this “supervision of electronic communications” and you can read all about it in FINRA Rule 3110(b)(4). There, I had the opportunity to speak with Forbes contributor, Joanna Belbey. Before the event, we had a good discussion on the FINRA 2016 examination priorities and more specifically, how they relate to email and social media compliance. You can read the interview by clicking here: Mitch Atkins Forbes. See the follow-up piece to this (Don’t ‘Set it and Forget it’) by clicking here: Mitch Atkins Forbes Part II.

Email and Social Media Compliance Decrypted

After having worked in regulation for nearly 20 years, working as a consultant to broker-dealers and investment advisers has been truly enlightening, particularly in understanding the perspective of the chief compliance officer. I have had the opportunity to help design, audit and improve systems of supervision for electronic communications. What has become evident in my recent work with consulting clients is that FINRA has been very active in its email and social media compliance reviews. Today, more than ever, the term electronic communications includes far more than email. In the past, firms could be relatively confident if they had a decent email compliance system and banned the use of social media. But today, if talented advisors are not permitted to use popular communication channels, they may work elsewhere – read: competitors.

For these reasons more employers are ensuring that they have top-notch supervisory controls in place to allow the use of communication channels advisors want. To that end, firms wanting to beef up compliance might consider the following:

  1. procedures – development of clear policies and procedures covering communications;
  2. technology – implementation of a cutting-edge email and social media compliance platform (but be careful and remember that simply buying the system isn’t enough – FINRA recently published an AWC in which a Chief Compliance Officer was suspended for failing to implement such a system – see FINRA Case 2014039194102 – Feb. 23, 2016);
  3. personnel – ensuring that persons tasked with conducting email and social media compliance reviews are adequately trained and that adequate resources are devoted to conducting reviews;
  4. controls requiring annual compliance questionnaires in which advisors certify their compliance with policy and disclose all communication channels they use;
  5. testing – some firms are hiring summer interns to search advisor names against social media sites (and who is better at social media?).

And finally, your keyword flagging database is the key (no pun intended) to the effectiveness of your supervisory system. Make sure that the database is reviewed frequently, that it is dynamic and evolves with both the business of the firm and the changing times. See my LinkedIn article about that for more details.

Mitch Atkins is Founder and Principal of FirstMark Regulatory Solutions, a broker-dealer and investment advisor compliance consulting practice in Boca Raton, Florida. Contact Mitch at 561-948-6511.



Electronic Communication “Let’s Talk Supervision”

Compliance risks exist in your electronic communication. How will you effectively manage these risks? With the volume and velocity of information flowing through electronic communications channels, supervision has become a real challenge. Mitch Atkins presented at the Actiance Executive Briefing Series in New York on April 7, 2016 on how organizations can leverage their electronic communications applications to comply with regulatory requirements. Entitled “Let’s Talk Supervision: Freedom with Responsibility,” the talk took place at the Viceroy hotel in Midtown Manhattan. Among the topics discussed were:

  • FINRA 2016 examination priorities
  • Electronic communications requirements
  • Managing volume in supervisory reviews
  • Common challenges in managing reviews
  • Supervision of non-email content

Atkins discussed recent FINRA disciplinary actions that involved electronic communications rules violations, including two from the 1st quarter of 2016 in which FINRA named individuals, including a Chief Compliance Officer. CCOs are faced with many challenges from day to day, and some of those include managing the review of electronic communications. During the presentation, Atkins stated that excessive volume, low-value keywords, lack of training for reviewers and representatives, and insufficient internal controls contribute to failures in this area. He emphasized that electronic communication channels are dynamic, as is the language that is used through these channels. As such, supervisory systems related to electronic communications must also be dynamic. Keyword flagging databases must be updated frequently and should be developed with the input of the supervisors of the departments for which electronic communications are being monitored. Additionally, broker-dealers must conduct and document training for associated persons who use electronic communications. He advised systems of supervisory controls such as annual attestations by associated persons as to the electronic communications channels they use and their understanding of the prohibition on using outside email or non-email channels for business communications. He recommended periodic testing of electronic communication channels to ensure that all are being captured in supervisory systems. He also queried the audience whether, in light of FINRA’s recent emphasis on culture of compliance, they know what culture is appearing in their electronic communications.

Electronic Communication Live Webinar

Additionally, Mitch Atkins was a featured presenter at the Actiance “From Supervision to Surveillance” webinar on April 12, 2016. This session also covered challenges in surveillance of electronic communication. View more information about the live webinar here. Another session will occur on May 5, 2016, and it is not too late to register.