The USA PATRIOT Act, formally the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, was enacted on October 26, 2001 as Public Law 107-56 in the immediate legislative response to the September 11, 2001 terrorist attacks. It is the sweeping federal statute that dramatically expanded the anti-money-laundering obligations of financial institutions including broker-dealers, investment advisers, mutual funds, and other securities industry participants. It did so by amending the Bank Secrecy Act of 1970 to impose comprehensive new requirements for customer identification, anti-money-laundering programme construction, suspicious activity reporting, due diligence on foreign correspondent accounts, and the blocking of transactions with designated terrorist organisations and state sponsors of terrorism.
Title III of the USA PATRIOT Act — the International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001 — is the section of most direct relevance to the securities industry, imposing the anti-money-laundering programme requirements implemented by FINRA through Rule 3310 and the customer identification programme requirements implemented through SEC rules adopted jointly with the Financial Crimes Enforcement Network of the Department of the Treasury under 31 CFR 1023.220. The USA PATRIOT Act operates as the keystone of a comprehensive AML framework that also includes the Bank Secrecy Act of 1970, the FinCEN Customer Due Diligence Rule of 2016, OFAC sanctions compliance, and FINRA Rule 3310 — a layered regulatory structure whose combined requirements govern every aspect of how broker-dealers identify their customers, monitor their transactions, detect suspicious activity, and report it to law enforcement authorities.
The USA PATRIOT Act's requirements for broker-dealers are directly and extensively tested on the SIE, Series 7, and Series 65 examinations as foundational elements of the regulatory compliance framework governing securities firms' obligations to prevent the use of the financial system for money laundering and terrorist financing.
The terrorist attacks of September 11, 2001 exposed significant weaknesses in the United States financial system's ability to detect and prevent the movement of funds used to finance terrorism — the nineteen hijackers had used United States bank accounts and financial services firms to move approximately five hundred thousand dollars in attack financing through the system over several years without triggering meaningful detection or reporting. Congress responded within weeks by passing the USA PATRIOT Act with overwhelming bipartisan support — the Senate voted ninety-eight to one and the House voted three hundred and fifty-seven to sixty-six, with President George W. Bush signing the legislation on October 26, 2001, forty-five days after the attacks.
The PATRIOT Act built upon the existing anti-money-laundering framework of the Bank Secrecy Act of 1970 — which had required financial institutions to maintain records of currency transactions and file reports useful for investigating money laundering — by substantially expanding the scope and rigour of those requirements and extending them to financial institutions including broker-dealers that had previously been subject only to limited BSA obligations. The legislative strategy was to treat terrorist financing as a species of money laundering and to apply the anti-money-laundering infrastructure already partially in place for drug trafficking and organised crime to the new threat of terrorist financing — recognising that the financial flows used to fund terrorism and those used to launder criminal proceeds share many structural similarities and can be addressed through similar detection and reporting mechanisms.
Before examining the PATRIOT Act's specific provisions it is essential to understand the Bank Secrecy Act of 1970 — formally the Currency and Foreign Transactions Reporting Act — as the foundational statute that the PATRIOT Act amended and dramatically strengthened rather than replaced.
The Bank Secrecy Act — codified at 31 U.S.C. 5311 through 5336 — was the original federal anti-money-laundering law, enacted to create a paper trail of financial transactions that law enforcement could use to investigate money laundering and other financial crimes. The BSA's foundational requirement is the Currency Transaction Report — requiring financial institutions to file a report with the Financial Crimes Enforcement Network for every cash transaction exceeding ten thousand dollars in a single business day, whether the transaction involves a single payment or multiple related payments that aggregate to more than ten thousand dollars. The CTR requirement creates a mandatory disclosure obligation for large cash transactions — ensuring that law enforcement has visibility into the movement of significant amounts of physical currency through the financial system.
The structuring prohibition under 31 U.S.C. 5324 is the criminal counterpart to the CTR requirement — prohibiting any person from deliberately breaking up transactions into amounts below ten thousand dollars for the specific purpose of evading the CTR filing obligation. Structuring is a federal crime regardless of whether the underlying funds are from legal or illegal sources — the act of intentionally designing transactions to avoid the reporting threshold is itself criminal, even if the cash being moved was legitimately earned. A customer who makes nine deposits of nine thousand nine hundred dollars rather than one deposit of eighty-nine thousand one hundred dollars to avoid triggering CTR filing has committed structuring under 31 U.S.C. 5324 — and broker-dealers are required to detect and report these patterns through their suspicious activity reporting obligations. The structuring prohibition is directly tested on the SIE and Series 7 examinations as a specific form of reportable suspicious activity.
The BSA also requires financial institutions to file Suspicious Activity Reports when they detect transactions that may involve illegal activity — a reporting obligation that the PATRIOT Act substantially strengthened and extended to broker-dealers as discussed below. Together the CTR filing obligation, the structuring prohibition, and the SAR reporting requirement form the three foundational transaction monitoring pillars of the BSA framework that underlies the entire AML compliance structure.
Title III of the USA PATRIOT Act — the International Money Laundering Abatement and Anti-Terrorist Financing Act — amended the Bank Secrecy Act to impose comprehensive new AML obligations on the securities industry. The most significant Title III provisions for broker-dealers are Section 352, which requires a written AML programme, and Section 326, which requires a customer identification programme.
Section 352 requires every financial institution — including every broker-dealer registered under the Securities Exchange Act of 1934 — to establish and implement a written AML programme that includes at minimum four components. These four components form what is sometimes called the Four Pillars of AML compliance, and they are among the most directly examined facts in the SIE and Series 7 AML curriculum.
The first pillar is the establishment and implementation of policies, procedures, and internal controls reasonably designed to achieve compliance with the Bank Secrecy Act and its implementing regulations — including detecting and reporting suspicious activity, monitoring transactions for patterns indicating money laundering or terrorist financing, maintaining required records, and filing required reports. The written policies and procedures must be tailored to the firm's specific business model, customer base, geographic footprint, and risk profile rather than being generic boilerplate.
The second pillar is the designation of a compliance officer — an individual or individuals responsible for the day-to-day implementation and monitoring of the AML programme. The AML Compliance Officer must be identified to FINRA through the FINRA Contact System by name, title, mailing address, email address, telephone number, and facsimile number. The AML Compliance Officer need not be a registered principal but must have sufficient knowledge, authority, and resources to effectively implement and monitor the programme.
The third pillar is an ongoing employee training programme covering the firm's AML policies and procedures, how to recognise red flags of suspicious activity specific to the firm's business, and the legal requirements applicable to the firm's AML compliance obligations. Training must be provided to all relevant personnel — not only compliance staff — including registered representatives, operations personnel, and supervisors who may encounter potential AML issues in their day-to-day activities.
The fourth pillar is an independent testing function — requiring that the AML programme be tested at least annually on a calendar-year basis by firm personnel or a qualified outside party who are independent of the compliance function being tested. The AML Compliance Officer and the personnel directly responsible for implementing the programme cannot perform the independent testing — the testing must be conducted by someone who can objectively evaluate the programme's design and effectiveness. FINRA specifies in its Regulatory Notice 17-40 guidance that firms that do not execute transactions with customers or hold customer accounts require independent testing only every two years rather than annually.
Section 326 of the PATRIOT Act — implemented through 31 CFR 1023.220 — requires broker-dealers to establish written customer identification programmes as a component of their AML programmes. The CIP requirements are discussed in detail in the following section.
The customer identification programme mandated by Section 326 and implemented through 31 CFR 1023.220 requires broker-dealers to collect, verify, and maintain records of specified identifying information for every customer who opens a new account. The four minimum categories of identifying information — sometimes called the NDAI requirement — are the most directly and consistently examination-tested PATRIOT Act facts in the SIE and Series 7 curricula.
The first minimum element is the customer's full legal name — the complete legal name as it appears on government-issued identification documents, not a nickname or abbreviated version. For legal entity customers this is the full legal name of the entity as registered with the applicable state authority.
The second minimum element is the customer's date of birth — applicable to individual natural person customers. Date of birth is not required for legal entity customers but is required for all individual account holders including joint account holders. The date of birth requirement helps verify the customer's identity by matching it against identification documents and database records.
The third minimum element is the customer's address — for individual customers this is the residential street address, not a post office box. For legal entity customers this is the principal place of business address. The address requirement creates a geographic record of the customer's location that law enforcement can use in any subsequent investigation.
The fourth minimum element is the customer's identification number — for United States persons this is the Social Security number or individual taxpayer identification number. For non-United States persons it is a passport number and country of issuance, alien identification card number, or other government-issued document number evidencing nationality or residence and bearing a photograph of the individual. This identification number is the most critical element for identity verification purposes — it connects the account to a specific individual in government databases and tax records.
Once this information is collected the broker-dealer must verify the customer's identity through documentary or non-documentary means within a reasonable time before or after account opening. Documentary verification involves examining government-issued identification documents such as unexpired passports, driver's licences, and national identity cards that include the customer's name, date of birth, address, and photograph. Non-documentary verification involves confirming identity through database checks — credit bureau inquiries, public record searches, commercial identity verification services, and other data sources — without relying on physical documents.
The CIP must also include procedures for checking each customer's name against government lists of known or suspected terrorists and terrorist organisations — including the OFAC Specially Designated Nationals and Blocked Persons list, the consolidated list maintained by the Office of Foreign Assets Control of all parties with whom United States persons are prohibited from transacting.
Building upon the PATRIOT Act's CIP requirements, the Financial Crimes Enforcement Network issued the Customer Due Diligence Final Rule on May 11, 2016 — effective July 11, 2016 with mandatory compliance by May 11, 2018 — adding a fifth pillar to the AML framework specifically for legal entity customers. The CDD Rule is codified at 31 CFR 1010.230 and was implemented for FINRA member firms through FINRA Regulatory Notice 17-40.
The fifth pillar — beneficial ownership identification — requires covered financial institutions including broker-dealers to identify and verify the identity of the beneficial owners of legal entity customers at the time any new account is opened. A legal entity customer is defined as a corporation, limited liability company, general partnership, or similar entity created by the filing of a public document with a secretary of state or similar office, or a similar entity formed under the laws of a foreign jurisdiction.
Beneficial ownership is determined under two separate and independent prongs that together define who must be identified and verified.
The ownership prong requires identification of each natural person who owns twenty-five percent or more of the equity interests of the legal entity customer — directly or indirectly through any contract, arrangement, understanding, relationship, or otherwise. Because a legal entity can have at most four natural persons each owning exactly twenty-five percent before the total reaches one hundred percent, the ownership prong can result in between zero and four individuals being identified — zero when no single person owns twenty-five percent or more, and up to four when ownership is concentrated among a small number of individuals. FinCEN noted in its guidance that covered financial institutions may establish a lower percentage threshold — identifying owners of less than twenty-five percent — when their risk assessment warrants more conservative identification practices. If a trust owns twenty-five percent or more of the equity interests of a legal entity customer, the trustee of that trust is identified as the beneficial owner for ownership prong purposes under 31 CFR 1010.230(d)(3).
The control prong requires identification of a single natural person with significant responsibility to control, manage, or direct the legal entity customer — the individual with significant management control regardless of their ownership percentage. This is typically the chief executive officer, president, managing member, general partner, or treasurer — the individual who has the authority to make consequential decisions for the entity. Every legal entity customer always has at least one individual identified under the control prong — making the minimum total number of beneficial owners identified one and the maximum five — one control person plus up to four ownership prong individuals.
The broker-dealer may comply with the beneficial ownership requirement either by obtaining a completed certification form that FinCEN appended to the Final Rule — in which the individual opening the account on behalf of the legal entity certifies the accuracy of the beneficial owner information — or by obtaining the required information through other means that satisfy the substantive requirements of the rule. The certification form approach is operationally simpler and is widely used in the industry.
The Bank Secrecy Act as amended by the USA PATRIOT Act requires broker-dealers to file Suspicious Activity Reports with the Financial Crimes Enforcement Network when a transaction involves at least five thousand dollars and the firm knows, suspects, or has reason to suspect that the transaction involves funds from illegal activity, is designed to evade BSA reporting requirements — including structuring — lacks a lawful purpose or is not the type of transaction the customer would normally be expected to conduct, or involves the use of the firm to facilitate criminal activity.
The SAR filing obligation, implemented for broker-dealers through 31 CFR 1023.320, requires that SARs be filed within thirty days of initial detection of facts that may constitute the basis for filing. The deadline is extendable to sixty days if the suspicious nature of the transaction has been identified but additional time is needed to identify a subject. Once a SAR is filed its existence is absolutely confidential: broker-dealers are prohibited from disclosing to the subject of the SAR that a report has been filed or that the firm has reported any information related to them. This tipping-off prohibition, sometimes called the SAR confidentiality requirement, prevents warning potentially suspicious customers that they are under regulatory scrutiny and is directly tested on the Series 7 examination as a specific prohibited disclosure.
The tipping-off prohibition is so comprehensive that a broker-dealer that receives a subpoena or other legal process seeking disclosure of a filed SAR must notify FinCEN before disclosing the SAR — even to the party who issued the subpoena — to allow FinCEN to seek a protective order if appropriate. The prohibition applies to all employees who learn of the SAR filing and extends to the information in the SAR as well as the existence of the report itself.
The SAR obligation is supported by a safe harbour provision under 31 U.S.C. 5318(g)(3) — a financial institution that files a SAR in good faith is immune from civil liability for the disclosure, even if the reported transaction ultimately proves not to involve illegal activity and even if the reporting causes harm to the reported party. This safe harbour is essential to encouraging proactive SAR filing — without immunity from civil liability, firms might be reluctant to file SARs for fear of defamation or privacy tort claims from innocent customers whose transactions were incorrectly flagged.
FINRA's AML guidance identifies specific patterns of activity that should cause broker-dealers to investigate for potential suspicious activity and consider whether a SAR filing is warranted. Understanding these red flags is part of the employee training obligation of the Four Pillars framework and is directly relevant to how broker-dealers implement their transaction monitoring programmes.
In the securities industry context significant red flags include customers who are reluctant to provide identifying information required by the CIP; customers who provide information that appears false, incomplete, or inconsistent with other available information; large cash deposits or withdrawals inconsistent with the customer's investment profile or stated source of wealth; frequent wire transfers to or from foreign jurisdictions, particularly those identified as high-risk by FinCEN or OFAC; patterns of round-dollar transactions that appear designed to avoid reporting thresholds (the structuring pattern); transactions in penny stocks or thinly traded securities that could facilitate pump-and-dump or market manipulation schemes; and rapid movement of funds through an account without any apparent investment purpose, sometimes called layering in the money laundering context.
The structuring pattern — a specific and important red flag — involves customers making multiple transactions in amounts just below the ten thousand dollar CTR threshold. A customer making repeated deposits of nine thousand five hundred dollars, nine thousand eight hundred dollars, or nine thousand nine hundred dollars is exhibiting a pattern consistent with deliberate structuring under 31 U.S.C. 5324. Broker-dealers must monitor for structuring patterns and file SARs when they detect such activity, regardless of whether any individual transaction would independently appear suspicious.
Section 311 of the USA PATRIOT Act — codified at 31 U.S.C. 5318A — grants the Secretary of the Treasury authority to impose special measures against foreign jurisdictions, foreign financial institutions, classes of international transactions, or types of accounts that the Secretary finds to be of primary money laundering concern. Section 311 special measures represent an escalating series of targeted restrictions ranging from enhanced recordkeeping and reporting requirements to the most severe measure of prohibiting United States financial institutions from maintaining correspondent accounts with designated foreign financial institutions.
When the Treasury Department designates a foreign bank as a primary money laundering concern under Section 311 and imposes the prohibition on correspondent accounts, every United States broker-dealer must close any existing correspondent accounts with the designated institution and refuse to open new ones. The practical effect is to cut off the designated institution from access to the United States financial system — a powerful enforcement tool that can be imposed without the lengthy process required for OFAC sanctions designations. FINRA notifies member firms of Section 311 designations through joint releases with other SROs and the SEC — and broker-dealers must have procedures to respond promptly to new designations.
The USA PATRIOT Act works in tandem with the sanctions programmes administered by the Office of Foreign Assets Control of the Department of the Treasury — which maintains the Specially Designated Nationals and Blocked Persons list and various country-based sanctions programmes governing who United States persons and financial institutions may transact with. Broker-dealers must screen every customer and every transaction against the OFAC SDN List and applicable country sanctions programmes.
When a broker-dealer identifies a match to an OFAC designation, it must block the transaction or account — freezing the assets and preventing any movement — and report the blocked transaction to OFAC within ten business days using OFAC's blocked assets and rejected transactions reporting form. The penalties for OFAC violations are severe — civil penalties of up to three hundred and seven thousand nine hundred and twenty-two dollars per violation or twice the amount of the transaction, whichever is greater, with wilful criminal violations subject to up to twenty years imprisonment and individual fines of up to one million dollars.
The CIP requirement to check customer names against government lists of known or suspected terrorists — one of the four minimum CIP components specified in 31 CFR 1023.220 — encompasses the OFAC SDN List screening obligation and integrates OFAC compliance into the CIP framework established by Section 326 of the PATRIOT Act. Broker-dealers typically use automated screening software that checks customer names and transaction details against the SDN List and other watchlists in real time — flagging potential matches for manual review by compliance personnel.
FINRA Rule 3310 — the Anti-Money Laundering Compliance Programme rule — implements the USA PATRIOT Act's AML programme requirements for FINRA member firms and establishes the minimum standards that every broker-dealer must meet. FINRA Rule 3310 requires that the AML programme must be approved in writing by a member of senior management — creating executive accountability for the programme and ensuring it receives appropriate resources and attention. The programme must be re-approved whenever there is a change in senior management.
FINRA reviews member firm AML compliance as part of its regular examination programme — examiners evaluate the adequacy of the firm's written policies and procedures, the effectiveness of the transaction monitoring systems, the quality of SAR filings, the frequency and content of employee training, the independence and adequacy of the annual testing, and the overall risk-based approach to AML compliance that the firm has implemented. FINRA AML examination findings are published in FINRA's Annual Regulatory Oversight Report — providing the industry with current guidance on the most common AML deficiencies observed in examinations.
The most frequently cited AML deficiencies in FINRA examinations include inadequate customer risk assessment at account opening, insufficient transaction monitoring for red flags, failure to file SARs on transactions that should have been reported, inadequate CIP verification procedures particularly for legal entity customers and beneficial ownership, and insufficient employee training on AML obligations and red flag recognition. These deficiency patterns inform the content of AML questions on the Series 7 and SIE examinations — understanding what goes wrong in practice is as important as understanding the theoretical requirements.
The PATRIOT Act's CIP requirements are closely related to but legally and conceptually distinct from the Know Your Customer obligations of FINRA Rules 2090 and 4512. Understanding the distinction between these two obligations is a common examination point.
The CIP is specifically an anti-money-laundering identity verification requirement — its purpose is to confirm who the customer actually is to prevent anonymous account opening for money laundering or terrorist financing purposes. The four minimum CIP elements — name, date of birth, address, identification number — are the minimum information required to verify identity within the AML regulatory framework. The CIP obligation is a legal requirement under the Bank Secrecy Act as amended by the PATRIOT Act and is administered by the Treasury Department through FinCEN.
The KYC obligation under FINRA Rules 2090 and 4512 is a broader suitability and relationship management requirement — focused on understanding the customer's investment profile, financial situation, risk tolerance, investment objectives, and other characteristics needed to make suitable recommendations and appropriately manage the account. KYC collects information beyond the identity minimum — employment status, income, net worth, investment experience, and investment objectives — that serves the suitability framework rather than the AML framework. The KYC obligation is a securities regulatory requirement administered by FINRA rather than an AML requirement administered by FinCEN.
Both obligations are satisfied through the account opening process — the CIP collects and verifies the four minimum identity elements while the new account documentation under FINRA Rule 4512 collects the full investment profile. A broker-dealer that collects only the CIP minimum without gathering the investment profile information required by FINRA Rule 4512 has satisfied its AML obligation but violated its KYC obligation. A broker-dealer that gathers the investment profile without verifying identity through a proper CIP process has satisfied its KYC obligation but violated its AML obligation. Full compliance requires both.
The civil and criminal penalties for AML non-compliance under the Bank Secrecy Act as amended by the USA PATRIOT Act are substantial and represent genuine enterprise-level risks for broker-dealers that fail to maintain adequate AML programmes.
Civil monetary penalties under 31 U.S.C. 5321 for wilful violations of the BSA can reach the greater of the amount involved in the transaction — up to one hundred thousand dollars — or one hundred thousand dollars per violation for non-wilful violations, with substantially higher penalties for wilful violations and patterns of violations. Criminal penalties under 31 U.S.C. 5322 for wilful BSA violations include fines of up to two hundred and fifty thousand dollars and imprisonment of up to five years — and if the violation occurs in connection with another federal crime, the imprisonment term increases to ten years.
FINRA has levied significant AML-related fines against member firms for failures to implement adequate written AML programmes, failures to detect and report suspicious activity, and failures to maintain adequate CIP procedures. These FINRA enforcement actions are publicly disclosed and constitute part of the firm's permanent disciplinary record on FINRA BrokerCheck.
FinCEN civil money penalty authority — separate from FINRA's disciplinary authority — allows FinCEN to impose penalties directly against financial institutions and their compliance officers for systemic AML programme failures. Major bank AML enforcement actions have resulted in penalties in the hundreds of millions or billions of dollars — establishing the severe financial consequences of systemic AML compliance failures that extend beyond the securities industry to the entire financial sector.
The USA PATRIOT Act is tested on the SIE, Series 7, and Series 65 examinations in the context of AML programme requirements, the customer identification programme, beneficial ownership, suspicious activity reporting, the structuring prohibition, the tipping-off prohibition, OFAC compliance, and the relationship with the Bank Secrecy Act.
The key points to retain are these.
The USA PATRIOT Act — Public Law 107-56 enacted October 26, 2001 — amended the Bank Secrecy Act of 1970 to impose comprehensive AML obligations on broker-dealers following the September 11, 2001 terrorist attacks. The Bank Secrecy Act is the foundational statute — the PATRIOT Act amended and strengthened it rather than replacing it. The BSA requires currency transaction reports for cash transactions exceeding ten thousand dollars in a single business day. The structuring prohibition under 31 U.S.C. 5324 makes it a federal crime to deliberately break transactions into sub-ten-thousand-dollar amounts to avoid CTR filing — regardless of whether the underlying funds are legal.
Title III Section 352 requires every broker-dealer to maintain a written AML programme with the Four Pillars — written policies and procedures, a designated AML Compliance Officer identified to FINRA by name and contact information, ongoing employee training, and annual independent testing by personnel or a qualified outside party who are independent of the compliance function. FINRA Rule 3310 implements these requirements for FINRA member firms and requires senior management written approval of the programme.
Section 326 — implemented through 31 CFR 1023.220 — requires a written customer identification programme collecting four minimum elements from every new account customer — full legal name, date of birth, residential address, and identification number — the Social Security number for United States persons. Identity must be verified through documentary or non-documentary means and customer names must be checked against OFAC's SDN List and other government watchlists.
The FinCEN CDD Final Rule of 2016 — effective for compliance May 11, 2018 under 31 CFR 1010.230 — added the fifth pillar of beneficial ownership identification for legal entity customers. Under the ownership prong each natural person owning twenty-five percent or more of the entity's equity interests must be identified — resulting in zero to four individuals. Under the control prong one natural person with significant management control must always be identified — resulting in a minimum of one and maximum of five total beneficial owners. Compliance may be achieved through a FinCEN certification form or equivalent documentation.
SARs must be filed within thirty days of detecting suspicious transactions of five thousand dollars or more — extendable to sixty days if additional time is needed to identify a subject. The tipping-off prohibition absolutely prohibits disclosing to the subject that a SAR has been filed. The safe harbour under 31 U.S.C. 5318(g)(3) protects good-faith SAR filers from civil liability. Section 311 of the PATRIOT Act — codified at 31 U.S.C. 5318A — allows Treasury to designate foreign financial institutions as primary money laundering concerns and impose special measures up to prohibition of correspondent accounts — requiring broker-dealers to close accounts with designated institutions. The CIP is an AML identity verification requirement under the BSA and PATRIOT Act administered by FinCEN — distinct from the KYC obligation under FINRA Rules 2090 and 4512, which is a securities regulatory suitability requirement requiring collection of the full investment profile beyond the four minimum CIP identity elements.