FINRA Rule 3310 — Anti-Money Laundering Compliance Program — requires every FINRA member firm to develop and implement a written anti-money laundering compliance programme that is approved in writing by a member of senior management and is reasonably designed to achieve and monitor the firm's compliance with the Bank Secrecy Act and its implementing regulations — establishing at the self-regulatory organisation level the foundational AML framework that federal law requires of all financial institutions, including broker-dealers, as participants in the United States financial system's defence against money laundering, terrorist financing, and other financial crimes.
Money laundering — the process through which criminals attempt to disguise the illegal origin of funds by moving them through the legitimate financial system in ways that make them appear to be the proceeds of lawful activity — poses a fundamental threat to the integrity of financial markets and the stability of the financial system. The securities industry's position as a conduit for moving capital across markets, jurisdictions, and asset classes makes it a potential vehicle for money laundering if adequate controls are not in place to detect and report suspicious transaction patterns that may indicate criminal activity.
FINRA Rule 3310 implements the Bank Secrecy Act's requirements for broker-dealers at the self-regulatory organisation level — ensuring that every FINRA member firm maintains AML compliance as a core operational function rather than an afterthought, and subjecting AML programme adequacy to FINRA examination alongside all other aspects of the firm's regulatory compliance.
The Bank Secrecy Act requires financial institutions to maintain AML programmes built on four foundational elements — commonly called the four pillars — that together constitute the minimum components of an effective AML compliance framework. FINRA Rule 3310 implements these four pillars as the baseline requirements that every member firm's AML programme must satisfy.
The first pillar is the establishment and implementation of policies and procedures reasonably designed to detect and cause the reporting of suspicious transactions and to achieve compliance with the Bank Secrecy Act and its implementing regulations. These policies and procedures must address the specific money laundering risks presented by the firm's business model — the types of customers it serves, the products and services it offers, the geographic markets in which it operates, and the transaction patterns that its business generates — ensuring that the AML controls are tailored to the firm's actual risk profile rather than being a generic compliance document with no operational connection to the firm's business.
The policies and procedures must specifically address suspicious activity reporting — establishing the processes through which potentially suspicious transactions are identified, escalated for review, investigated, and reported to the Financial Crimes Enforcement Network through the filing of Suspicious Activity Reports as required by 31 CFR 1023.320. Suspicious activity reporting is the primary mechanism through which the financial services industry contributes to law enforcement's detection and prosecution of financial crimes — the quality of the firm's suspicious activity detection and reporting is therefore one of the most important measures of the firm's AML programme effectiveness.
The second pillar is independent testing for compliance — requiring that the firm's AML programme be tested at least once per calendar year by personnel or a qualified outside party who are independent of the functions being tested. The independence requirement is strict — the independent testing may not be conducted by the designated AML compliance officer, by anyone who performs the AML functions being tested, or by anyone who reports to a person who performs those functions or who reports to the AML compliance officer. Member firms that do not execute transactions with customers or otherwise hold customer accounts may conduct independent testing every two calendar years rather than annually.
The independent testing must be conducted by a designated person with a working knowledge of applicable Bank Secrecy Act requirements and its implementing regulations — ensuring that the tester has the expertise to meaningfully evaluate the firm's AML controls rather than merely confirming the existence of written procedures without assessing their operational effectiveness. The testing must examine whether the firm's AML policies and procedures are being implemented as written, whether the suspicious activity detection mechanisms are functioning as designed, whether customer due diligence is being conducted in accordance with the programme's requirements, and whether the firm's AML controls are adequate to address the specific money laundering risks of its business.
The third pillar is the designation of an AML compliance officer — an individual or individuals responsible for implementing and monitoring the day-to-day operations and internal controls of the AML programme. The designated AML compliance officer must be identified to FINRA by name, title, mailing address, email address, telephone number, and facsimile number through the FINRA Contact System — and the firm must provide prompt notification to FINRA of any change in the designation.
The AML compliance officer serves as the operational focal point of the firm's AML programme — overseeing the daily implementation of AML policies and procedures, reviewing suspicious activity escalations and making filing decisions on Suspicious Activity Reports, coordinating responses to regulatory examinations and law enforcement requests, and ensuring that the firm's AML programme evolves in response to changing regulatory requirements and emerging money laundering risks.
The fourth pillar is ongoing training for appropriate personnel — ensuring that the employees who are responsible for implementing the firm's AML programme understand their obligations and have the knowledge needed to identify suspicious activity, escalate concerns appropriately, and fulfil their individual responsibilities under the firm's AML policies and procedures. Training must be provided on an ongoing basis — not merely at the time of initial employment — and must be updated to reflect changes in applicable regulations, new money laundering typologies, and the firm's specific AML experience and findings.
FINRA amended Rule 3310 to incorporate the Financial Crimes Enforcement Network's final Customer Due Diligence rule — adopted in 2016 and requiring broker-dealers to implement risk-based procedures for conducting ongoing customer due diligence that go beyond the identity verification required by the customer identification programme.
The customer due diligence requirement — sometimes called the fifth pillar of AML compliance — requires member firms to understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile and to conduct ongoing monitoring to identify and report suspicious transactions. The customer risk profile provides the baseline against which unusual or suspicious activity can be identified — a customer whose account activity is consistent with the risk profile established at account opening presents different AML implications than one whose activity diverges significantly from that established profile.
The customer due diligence requirements also include the beneficial ownership requirement — applicable to legal entity customers — requiring firms to identify and verify the identity of the natural persons who own or control legal entity customers. The beneficial ownership requirement is addressed in detail in the Regulatory Notice 17-40 entry of this dictionary — and connects the customer due diligence framework to the broader financial system transparency agenda through which regulators seek to prevent the use of shell companies and other legal entity structures to obscure the true ownership of funds being moved through the financial system.
The primary operational output of a functioning AML compliance programme is the Suspicious Activity Report — the regulatory filing through which broker-dealers alert law enforcement and financial intelligence authorities to transactions that may involve money laundering, fraud, terrorist financing, or other criminal activity.
A Suspicious Activity Report must be filed within thirty days of the initial detection of the suspicious activity — or within sixty days if no suspect has been identified at the time of initial detection. The SAR filing is made to the Financial Crimes Enforcement Network through the FinCEN e-filing system — and is subject to strict confidentiality requirements that prohibit the filing firm from informing the customer or any other unauthorised person that a SAR has been filed with respect to their activity.
The suspicious activity that triggers a SAR filing obligation encompasses a wide range of transaction patterns — including transactions involving amounts above the ten thousand dollar currency transaction reporting threshold that appear to have no legitimate business purpose, transactions that appear to be structured to avoid reporting thresholds, transactions involving known or suspected criminal activity, and transactions involving customers who appear on government sanctions lists maintained by the Office of Foreign Assets Control.
The Bank Secrecy Act's customer identification programme requirements — implemented for broker-dealers through 31 CFR 1023.220 — require member firms to verify the identity of each customer before opening an account, through a risk-based process that includes obtaining the customer's name, date of birth, address, and identification number, and verifying that information through documentary or non-documentary means.
The customer identification programme operates alongside the know-your-customer requirements of FINRA Rule 2090 — with the customer identification programme focused specifically on identity verification for AML purposes and Rule 2090 focused more broadly on understanding the essential facts about each customer for account management and suitability purposes. Together the two frameworks ensure that member firms both know who their customers are — for AML purposes — and what their customers need — for account servicing and suitability purposes.
Rule 3310's AML compliance programme framework encompasses the member firm's obligations under the sanctions programmes administered by the Office of Foreign Assets Control — the agency within the United States Department of the Treasury responsible for administering and enforcing economic and trade sanctions against targeted foreign countries, terrorists, drug traffickers, and other entities whose transactions with United States persons are restricted or prohibited.
Member firms must screen customers and transactions against the OFAC Specially Designated Nationals and Blocked Persons list — and must refuse to execute transactions involving designated persons or entities, block any assets belonging to designated persons that come into the firm's possession, and report blocked transactions to OFAC as required. Sanctions compliance failures — transacting with designated persons or entities — can result in significant civil and criminal penalties against both the firm and the individuals involved in the transactions.
FINRA Rule 3310 is tested on the Series 7 and Series 65 examinations in the context of anti-money laundering compliance, the Bank Secrecy Act, the four pillars of AML compliance, suspicious activity reporting, and customer due diligence.
The key points to retain are these.
FINRA Rule 3310 — Anti-Money Laundering Compliance Program — requires every member firm to develop and implement a written AML programme approved in writing by senior management and reasonably designed to achieve and monitor compliance with the Bank Secrecy Act. The four pillars are policies and procedures reasonably designed to detect and report suspicious transactions, independent testing at least annually by qualified personnel independent of the functions tested, designation of an AML compliance officer identified to FINRA, and ongoing training for appropriate personnel.
The customer due diligence fifth pillar requires risk-based procedures for understanding the nature and purpose of customer relationships to develop customer risk profiles and conduct ongoing monitoring — including beneficial ownership verification for legal entity customers. Suspicious Activity Reports must be filed within thirty calendar days of initial detection of suspicious activity — or sixty days if no suspect has been identified — and are strictly confidential. The customer identification programme requires identity verification of all customers before account opening using name, date of birth, address, and identification number. Government sanctions compliance — screening against the OFAC Specially Designated Nationals list — is an integral component of the AML compliance programme framework.