
FINRA Anti-Money Laundering Independent Testing

Mitchell Atkins, former FINRA South Region Director and regulatory consultant

It is that time of year again. After the calendar winds down, broker-dealers across the country are scheduling, or in some instances scrambling to schedule, their annual independent test of the firm’s anti-money laundering program. It is a ritual that has been part of broker-dealer life for two decades.

But the AML world that surrounds that test today bears almost no resemblance to the one I wrote about back in 2014. The Customer Due Diligence (“CDD”) Rule was just a Treasury proposal back then. The Anti-Money Laundering Act of 2020 didn’t exist. FinCEN had no national priorities. Investment advisers had no AML obligations on the horizon. And FinCEN had never imposed an $80 million penalty on a broker-dealer.

All of that has changed. If you are still running the same independent test you ran in 2014, or if you are using a vendor template that has not been meaningfully refreshed, you have a problem. Examiners have moved on. So has the rule. So have the bad actors.

Below is a refreshed and expanded look at what FINRA Rule 3310 independent testing requires today, what the most recent enforcement actions tell us about how programs fail in practice, and what the proposed FinCEN AML/CFT Program Rule issued in April 2026 means for the year ahead.

What Rule 3310 Requires — The Core Has Held, But the Edges Have Moved

FINRA Rule 3310 still requires every member firm to develop and implement a written AML compliance program that is approved in writing by senior management and is reasonably designed to comply with the Bank Secrecy Act and its implementing regulations. The familiar pillars are:

  • Establishing and implementing policies, procedures, and internal controls reasonably designed to detect and cause the reporting of suspicious transactions (Rule 3310(a))
  • Establishing and implementing policies, procedures, and internal controls reasonably designed to achieve compliance with the BSA, including the Customer Identification Program and beneficial ownership rules (Rule 3310(b))
  • Independent testing for compliance (Rule 3310(c))
  • Designating an AML compliance person and providing FINRA with that person’s contact information (Rule 3310(d))
  • Ongoing training for appropriate personnel (Rule 3310(e))

What has been added is paragraph (f) of Rule 3310. When FINRA conformed Rule 3310 to FinCEN’s 2016 CDD Rule, it added an explicit obligation to maintain risk-based procedures for ongoing customer due diligence. That includes understanding the nature and purpose of customer relationships in order to develop a customer risk profile, and conducting ongoing monitoring to identify and report suspicious transactions and to maintain and update customer information on a risk basis. Beneficial ownership identification of legal entity customers (at the 25% ownership threshold and for the individual exercising control) is no longer “proposed.” It has been live since May 2018, and it is squarely within the scope of any competent independent test.

Frequency has also become more nuanced. Independent testing is required annually on a calendar-year basis for member firms that execute transactions for customers, hold customer accounts, or act as introducing brokers. For firms that engage solely in proprietary trading or do business only with other broker-dealers, the test is required every other year. That said, the supplementary material to Rule 3310 has long made clear that more frequent testing should be performed if circumstances warrant. And “circumstances warrant” is something examiners will judge with the benefit of hindsight.

The Independence Requirement: External Is Not Synonymous With Independent

The most common confusion about independent testing is what “independent” actually means.

The test must be conducted by a person with a working knowledge of the BSA and its implementing regulations. If conducted internally, the tester must not perform any of the functions being tested, must not serve as the AML Compliance Officer, and must not report to either the AMLCO or to anyone performing the functions being tested. If conducted externally, the consultant must be free of conflicts that compromise independence.

That second point gets firms in trouble. Hiring a consultant from outside the firm does not automatically make that consultant independent. If the same consultant wrote your AML procedures, drafted your customer risk-rating methodology, or trained your AML staff during the test period, that person may compromise independence for purposes of Rule 3310(c) where they are testing their own work. FINRA has cited firms for exactly that conflict, and it is one of the easier deficiencies to avoid simply by separating the function of writing procedures from the function of testing them.

A related point that often gets overlooked: the FINRA designated AML contact must be kept current. Rule 3310.02 requires firms to review and update the contact information for the AML compliance person, and Rule 4517 requires updates within 30 days of any change and a review within 17 business days after the close of each calendar year. Examiners check this. It is a small thing, and it is almost always the first thing they look at.

The Bigger Picture: What Has Actually Changed

The independent test does not exist in a vacuum. It is a check on whether the program meets the regulatory framework. That framework has expanded considerably:

The FinCEN CDD Rule. Finalized in 2016 and effective May 11, 2018, the CDD Rule made the “fifth pillar” of AML compliance, ongoing customer due diligence and beneficial ownership identification, a formal regulatory requirement rather than a best practice. Any independent test today must look at how the firm collects, verifies, and refreshes beneficial ownership information for legal entity customers, and how it builds and updates customer risk profiles. FinCEN’s February 2026 order relieved covered institutions from re-identifying or re-verifying beneficial owners each time an existing legal entity customer opens another account. Firms must still identify and verify beneficial owners at the first account opening, when facts call prior information into question, and as required by risk-based ongoing CDD procedures.

The Anti-Money Laundering Act of 2020 (AMLA). Tucked into the National Defense Authorization Act, AMLA was the most consequential rewrite of U.S. AML law in a generation. It expanded whistleblower protections, broadened FinCEN’s authority, mandated the issuance of national AML/CFT priorities, and set the stage for AML coverage of investment advisers and antiquities dealers. AMLA is the reason regulators are now talking openly about “effectiveness” instead of just “compliance.”

The National AML/CFT Priorities. In June 2021, FinCEN issued the first government-wide priorities for anti-money laundering and countering the financing of terrorism. Today’s priorities cover corruption, cybercrime (including virtual currency), terrorist financing, fraud, transnational criminal organizations, drug trafficking, human trafficking and smuggling, and proliferation financing. Firms are expected to consider these priorities in their risk assessments. A 2026 independent test that does not look at how the firm has incorporated the national priorities into its risk assessment is incomplete.

The Investment Adviser AML Rule and Its Delay. FinCEN finalized the Investment Adviser AML Rule on August 28, 2024, with an original effective date of January 1, 2026. In 2025, Treasury announced its intent to delay the effective date, and FinCEN ultimately moved it to January 1, 2028, while reopening the rulemaking. For broker-dealers that are dually registered or affiliated with investment advisers, this is a moving target. But the eventual application of BSA obligations to RIAs is a “when,” not an “if,” and dual registrants should not let the delay lull them into complacency.

The April 2026 FinCEN AML/CFT Program Rule Proposal. On April 7, 2026, FinCEN issued a Notice of Proposed Rulemaking that would substantially revise the AML/CFT program requirements applicable to banks, broker-dealers, money services businesses, mutual funds, and other covered institutions. The proposal explicitly shifts the supervisory focus from technical process-and-documentation compliance to program effectiveness, formalizes a risk assessment requirement, and instructs institutions to incorporate the national AML/CFT priorities into their risk assessments and resource-allocation decisions. FinCEN has proposed a 12-month implementation period after a final rule. FINRA’s 2026 Report already reflects similar themes.

Effectiveness Over Form: What Examiners Are Looking For Now

The shift toward effectiveness is showing up in FINRA’s exam findings. The Anti-Money Laundering, Fraud, and Sanctions topic in the 2026 FINRA Annual Regulatory Oversight Report continues to flag firms whose AML programs are static while their businesses are dynamic. The themes are consistent year over year, and they should drive how you scope an independent test:

  • AML programs that did not grow with the firm’s business, particularly where the firm added high-risk products, customer types, geographies, or distribution channels without commensurate updates to its surveillance, customer due diligence, and SAR investigation processes
  • Customer risk profiles that exist on paper but are not actually used to drive monitoring or escalation
  • Suspicious activity surveillance that runs but is not meaningfully reviewed, or where the underlying data feeds are incomplete (suspense accounts, omnibus structures, foreign affiliate flows)
  • 314(a) information requests that are not addressed within the required two-week window
  • Independent tests that are too narrow in scope, that are completed late, or that are completed by personnel whose independence is compromised

A theme cuts across all of these: existence of a policy is not evidence of compliance. The independent test must look at whether the program worked during the test period, not just whether it was written.

What Recent Enforcement Tells Us — and Why You Should Be Reading It

I tell every client I work with the same thing: read the FINRA disciplinary actions monthly, and read the FinCEN and SEC AML orders as they come out. They are the cheapest education available. A handful of recent matters illustrate where programs are breaking down.

In March 2026, FinCEN imposed an $80 million civil money penalty against Canaccord Genuity LLC, the largest AML penalty ever assessed against a broker-dealer, with parallel $20 million penalties from the SEC and FINRA. The order documented a years-long failure to maintain an effective AML program despite repeated regulator warnings going back to 2013. The firm had four employees reviewing more than 100 surveillance reports producing thousands or millions of line items annually. Key reports went unreviewed for stretches as long as four years. Alert filters were used to suppress volume rather than focus attention. And, critically, certain employees falsified records during a FINRA examination. The firm failed to file at least 160 SARs. There are several lessons here, but the one most relevant to independent testing is this: a competent test would have surfaced the unreviewed reports, the suppressed alert volumes, and the under-resourcing of the surveillance team long before it became an expensive enforcement matter.

In October 2025, a Miami-headquartered broker-dealer settled an AWC with FINRA for $650,000, the firm’s second AML penalty in roughly seven years. Among other findings, the firm consented to findings that it failed to monitor approximately 900 wire transfers totaling $305 million for suspicious activity, did not complete required periodic reviews that drove its automated monitoring’s risk parameters, and did not investigate when other financial institutions rejected wire transfers from customers the firm itself had designated as high risk. Recidivism is expensive. It is also avoidable, especially when the independent test gets at the actual implementation of the procedures rather than just confirming that the procedures exist.

In August 2025, FINRA fined a firm $500,000 for using the wrong SAR filing threshold, applying the $25,000 bank threshold to brokerage account activity instead of the $5,000 broker-dealer threshold. That mistake led to 42 unfiled SARs covering account intrusions, identity theft, and internet scams. The firm only discovered the error after reading a similar enforcement action against another company. A robust independent test sample-checks SAR thresholds, timeliness of filings, quality of SAR narratives, and the firm’s process for identifying when a SAR is required. This is exactly the kind of foundational error that surfaces quickly when somebody who knows what they are looking for actually tests the work.

I have seen the same patterns in both my consulting work and when I reviewed examinations at FINRA. Quite often, I opened a small firm’s AML procedures manual and found a generic list of red flags that did not match the firm’s actual business in any recognizable way. I once saw “cash-intensive businesses” listed near the top of a red flags inventory when the firm cleared institutional trades exclusively and had never accepted a cash deposit in its history. Another firm had a penny-stock business but kept procedures that read as if the firm sold mutual funds to retail customers. Generic templates do not satisfy Rule 3310, and a competent independent test will say so. Tailoring red flags surveillance and training to what the firm actually does is the foundation of an effective AML program.

Common Independent Testing Pitfalls

FINRA has frequently provided insights on AML testing pitfalls. FirstMark has also observed similar issues. Some are easy to fix. Others reflect deeper problems that can take time to remediate. The most common include:

  • Scope that is too narrow. Tests that look at the AML written supervisory procedures, training records, and FinCEN contact information but never sample customer accounts, never review SAR decisioning, and never validate that surveillance alerts were actually worked.
  • Lack of true independence. External consultants who wrote or substantially revised the procedures during the test period; internal testers who report to the AMLCO; testers without working knowledge of the BSA.
  • Failure to review the risk assessment and the national priorities. An AML test that does not look at the firm’s current risk assessment, and at how the firm has considered the national AML/CFT priorities, is going to look thin to an examiner.
  • No review of beneficial ownership compliance. The CDD Rule has been live for over seven years. Sample-test beneficial ownership records for legal entity customers, and look at how the firm handles renewal, refresh, and changes in ownership.
  • Surveillance system gaps. Validate that the data feeding the AML surveillance system is complete. Suspense accounts, foreign affiliate accounts, omnibus and wrap structures, and journal entries are common sources of blind spots.
  • Wire and ACH activity not tested. Wire and ACH activity is where suspicious activity actually occurs. If the test does not pull a sample of wires, including outbound wires to high-risk jurisdictions and inbound wires from third parties, it is not a serious test.
  • No look at 314(a) and OFAC processes. These are bread-and-butter exam items. The test should confirm timely 314(a) responses and validate the OFAC screening process and exception handling.
  • Stale documentation, current findings. A test report that recycles last year’s findings without confirming whether they were actually remediated is worse than no test at all.

A Practical Approach for AML Independent Testing

If you are scoping your next AML independent test now, or hiring a consultant to do it, there are a few things I would build into the engagement.

Start with the firm’s most current risk assessment. If the firm doesn’t have a current risk assessment, that is itself a finding. The risk assessment should consider the firm’s products, customers, geographies, and distribution channels, and it should explicitly address the national AML/CFT priorities. Everything else in the test flows from this. I have walked into more than one engagement where the risk assessment carried a date stamp three or four years old. In the meantime the firm had added new product lines, opened branches in new states, or built relationships with foreign affiliates, and none of those changes were reflected anywhere in the assessment. The procedures described one firm. The business had become a different firm.

Build the sample around risk. High-risk customers, foreign customers, low-priced and microcap securities activity, cash management products, large or unusual wires, and any business line that has grown materially during the test period should be over-sampled relative to lower-risk activity. The proposed FinCEN program rule explicitly endorses this kind of risk-based resource allocation, and examiners are looking at it now.

Test implementation, not just policy. Pull surveillance alerts and trace them through investigation, escalation, and disposition. Pull SARs and read them. Pull customer files and verify CIP and beneficial ownership documentation. Pull rejected wires and confirm that the firm investigated them. Read what the AML team actually did, not what the procedures say it should have done.

Document everything, and write a real report. The test report should describe scope, methodology, sample sizes, findings, severity, and recommended remediation. It should be specific enough that, a year from now, the firm can point to exactly what was tested and what was concluded. Vague reports can be an enforcement liability.

Don’t sit on the findings. Build a remediation plan with owners and target dates, and follow up. The Miami case I mentioned above is a good reminder that examiners view recidivism harshly, and that “we identified the issue but didn’t fix it” is in many ways worse than “we missed the issue entirely.”

Looking Forward: The FinCEN Reform and AML Program Effectiveness

The April 2026 FinCEN proposal is the most important AML development of the year for broker-dealers, and it deserves serious attention even before it is finalized. A few practical implications worth thinking about now:

The proposed rule formalizes a risk assessment requirement. Many broker-dealers already have one. Many do not, or have a document that has not been meaningfully updated in years. Either way, the risk assessment is about to become the foundation on which the entire program, including the independent test, rests.

The proposed rule pushes institutions to incorporate the national AML/CFT priorities into the risk assessment in a meaningful, non-superficial way. FinCEN has explicitly cautioned that boilerplate treatment will not satisfy supervisory expectations. Firms should be prepared to explain why each priority is, or is not, material to their business.

The proposed rule preserves and arguably elevates the role of independent testing. Testing is expected to focus on whether the program is effective and to identify issues for remediation, with objective criteria designed to assess whether the firm has effectively established and maintained an AML program and allocated resources consistent with its risk profile. That standard is higher than “did the firm follow its written procedures.”

The proposed rule is not yet final. Comments are due June 9, 2026, and FinCEN has proposed a 12-month implementation window after a final rule is issued. But the direction of travel is clear, and a thoughtful 2026 independent test should already be looking at the firm’s program through the effectiveness lens.

Closing Thought

I oversaw the creation of FINRA’s National AML Investigative Unit in 2012, and I have watched the AML space evolve through every major change in the years since. The cases that hurt firms the most have a common thread: nobody, internally or through the independent test, was meaningfully checking whether the program actually worked. Procedures existed. Boxes were ticked. Reports were generated. But there was often a failure to take an honest look at the implementation, and the gaps grew until the regulators found them.

The annual independent test is the single most efficient mechanism a broker-dealer has to find its own problems before someone else does. It is worth doing well.

Mitchell Atkins, CRCP, is a former FINRA executive and the founder and Principal of FirstMark Regulatory Solutions. FirstMark provides AML independent testing for broker-dealers, FINRA Rule 3120 supervisory controls testing, Rule 3130 certification support, FINRA new member and continuing membership applications, and broader regulatory consulting services to broker-dealers across the country.


Atkins Discusses FinCEN CDD Rule on FINRA AML Panel

Don’t miss the AML Challenges panel at the 2018 FINRA Annual Conference on May 23, 2018 in Washington DC. FirstMark’s founder, Mitch Atkins, will present as a panelist. One of the key topics to be discussed is the FinCEN CDD Rule. The rule became fully effective May 11, 2018. If you’re ready, or even if you’re not, implementation questions still abound. As recently as April 2018, FinCEN issued additional guidance in the form of FAQs. This was the second round of FAQs issued on the FinCEN CDD Rule. The first round can be found here.

Many firms have experienced challenges in understanding the nuances involved with the beneficial ownership requirements, including the ownership and control prong. There are numerous exceptions and interpretations to both. Also, perhaps more challenging have been the so-called “fifth pillar” requirements that involve ongoing monitoring to detect potential suspicious activity. The FinCEN CDD Rule codifies, for the first time, the requirement to conduct ongoing monitoring and to update customer information if there are red flags noted. Some AMLCOs have struggled with the concept of the fifth pillar, particularly with regard to the ongoing monitoring requirements.

Questions have arisen as to whether the FinCEN CDD Rule requires that small firms implement an automated surveillance system. Guidance issued by Treasury on the FinCEN CDD Rule provides that this is not true – there is no new requirement to install a trade surveillance system. Instead, the FAQs explain that the monitoring can be done on a risk basis. However, during the course of the normal risk monitoring, if a red flag of potentially suspicious activity is noted, the customer profile that was developed based on the FinCEN CDD Rule “nature and purpose” provision should be revisited and, if necessary, updated. All of these issues will be addressed on the AML Challenges panel at the 2018 FINRA Annual Conference in Washington DC.
If you haven’t signed up and were considering doing so, you can at this link. Also, you can view the conference video


FirstMark Regulatory Solutions, Inc. is a compliance consulting organization based in Boca Raton, Florida. Mitch Atkins is FirstMark’s founder and principal. He focuses on broker-dealer compliance matters, including anti-money laundering independent testing, FINRA new member applications, FINRA CMAs, FINRA Enforcement litigation support, and supervisory controls testing. FINRA has increased focus on AML failures in recent years.


AML Surveillance – Major FINRA AML Case

Yesterday FINRA settled yet another major case involving AML surveillance system deficiencies. This is one more in a series of cases in which FINRA has found that a broker-dealer’s electronic surveillance systems were insufficient to detect potentially suspicious transactions. In this case, FINRA fined the firm $13 million (which was duplicated by the SEC, bringing the total sanction to $26 million) for failures related to an automated system the firm used for monitoring transactions for potentially suspicious activity. In 2010, the firm connected the system to a larger, enterprise-wide system that risk-scored the results in such a way that limited the reviews of alerts from the original system. This means that, according to the settlement document, for a four-month period, the firm did not investigate suspicious activity detected by the original system. It appears from the settlement language that the firm believed its system was generating too many “false positives” and during a transition period simply determined not to investigate those items. All in all, it seems that the firm failed to investigate 1,015 instances of potentially suspicious activity. The firm designed the system parameters such that it also excluded multiple occurrences of potentially suspicious money movements that involved high-risk counterparties and entities only once. Thus, because there was no linkage between related accounts, it did not consistently identify or monitor these customers, which apparently included some in high-risk jurisdictions and who were senior foreign political figures (PEPs). Also, quite interestingly, the settlement states that millions of accounts were excluded from the firm’s automated monitoring system.

This case is an obvious demonstration of FINRA’s increasing ability to conduct highly sophisticated AML investigations. FINRA’s last several major AML actions have sought progressively higher fine amounts for failures to adequately implement AML surveillance technology. No doubt, the investment in staffing and technology to address this issue proactively would have cost less than $26 million. But of course, hindsight is always 20/20. That said, the message is abundantly clear. It is time to invest in top-notch AML surveillance systems. And, such an investment is not simply the installation, but the ongoing periodic maintenance, which in the industry is often called tuning. It is also important that firms utilizing AML surveillance systems employ experts in FINRA AML requirements to ensure that the systems are tested and tuned in a manner similar to that which is performed by FINRA.

Finally, I have previously explained that while tuning is an important aspect of the maintenance of AML surveillance systems, it is important to take a measured approach to managing false positives generated by these systems. On one hand, false positives are a fact of life with AML surveillance systems. However, changes to rules and thresholds that are not validated or tested by experts against prior results can end up causing costly mistakes. I’m a firm believer in eliminating as many false positives as possible, because by their nature a good percentage of them are just noise and interfere with proper AML surveillance and detecting potentially suspicious activity. I’ve written about this before. However, I worry that FINRA actions such as this will have a chilling effect on those firms wishing to fine-tune these systems. I fully support modification of thresholds and rules to result in the maximum efficiency of the AML surveillance system overall. Also, it often makes sense to implement enterprise-wide surveillance. As with many things, however, this case illustrates that the devil is in the details.

Mitch Atkins, CRCP is the founder and principal of FirstMark Regulatory Solutions, a compliance consulting organization based in Boca Raton, Florida that specializes in AML compliance.

 


Epic BD AML Compliance Failure Yields Another Record Fine

On Monday, December 5, 2016, FINRA announced yet another record fine against a broker-dealer for AML compliance failure. This action follows another just seven months ago in which FINRA fined a broker-dealer complex $17 million for AML compliance failure. There are numerous messages here which you can read about in my LinkedIn article that analyzes the new case. The bottom line here is to remember that the days of a slap on the wrist for a firm with a serious AML compliance failure are over. FINRA has demonstrated that it will not hesitate to slap a broker-dealer with a significant sanction, and even to name individual AML compliance officers if violations are serious. There are parallels between this case and FINRA’s May 2016 action against a Florida BD complex. Read my summary of that case here.

The case involved several significant areas of compliance breakdowns. The firm utilized an automated surveillance system, but according to the FINRA settlement document, the data feeding into the system was inaccurate and/or missing information critical to its proper functioning. FINRA also found that the system did not utilize scenarios to detect specific types of activity that it believed the firm’s systems should have covered.

Another AML compliance failure was that there were deficiencies in the manner in which the firm determined ownership and saleability of microcap securities. FINRA noted that the firm was involved in the liquidation of over 3.7 billion shares of microcap issuers during its review period and earned $10.4 million in commissions from same. Because the system for determining whether the shares could be properly liquidated was inadequate, FINRA found that the firm violated NASD Rule 3010, FINRA Rule 3110, and FINRA Rule 2010.

The AML compliance failure also involved inadequate procedures covering suspicious activity reporting, and failure to conduct adequate due diligence on foreign financial institutions that were also firm affiliates.


FINRA Tolerance for AML Compliance Failures Fading

AML compliance failures are starting to get the “zero tolerance” message from FINRA. It recently announced its largest fine ever against two firms for AML compliance failures, including the suspension of the AML compliance officer. Mitch Atkins, a former FINRA official, breaks down this action in a LinkedIn article. In reality, these sanctions are not too different in scope from that which was levied on Brown Brothers Harriman in 2014. The difference is there are two firms involved in this sanction. Also, the failures in the Brown Brothers case appear to be more limited to the area of low-priced securities, and while that is an element of the recent action, it seems broader in scope as to the nature of the compliance failures.

At the recent FINRA Annual Conference in Washington, D.C., FINRA’s head of Enforcement, Brad Bennett, indicated in his comments during a panel discussion that there were more enforcement cases to come in the AML compliance space. Bennett stated that FINRA noted a significant number of red flags in the recent case, but he suggested that future cases may involve actual money laundering rather than just compliance failures. I suspect these cases will be as significant or more significant given the apparent escalation of sanctions of late.

AML Compliance Failures Don’t Necessarily Mean AMLCOs will be Named

The good news is that Bennett reassured the attendees that the action against the AMLCO in this case was an exception and that FINRA is not out to get compliance officers. He insisted that FINRA carefully considers naming compliance officers and would rather not do it at all. FINRA has long stated that compliance officers who are doing their jobs and who take reasonable steps to address compliance issues will not be named in disciplinary actions. Bennett warned, however, that should senior executives ignore the calls of compliance officers for additional resources and compliance failures were the result of such decisions, FINRA would not hesitate to name them in an action.

Mitch Atkins is a consultant to broker-dealers, investment advisers and financial firms. He has over 23 years of experience in the securities industry and is the founder and principal of FirstMark Regulatory Solutions based in Boca Raton, Florida.