Anti-Money Laundering (AML) Program:
Compliance and Supervisory Procedures
UPDATED AS OF MONTH DAY, YEAR
This template is provided to assist small firms in fulfilling their responsibilities to establish an Anti-Money Laundering (AML) Program as required by the Bank Secrecy Act (BSA) and its implementing regulations and FINRA Rule 3310 (AML Compliance Program). Nothing in this template creates any new requirements for AML programs. Furthermore, following this template does not guarantee compliance with AML Program requirements or provide a safe harbor from regulatory responsibility. There is no exemption from the AML rules for small broker-dealers.
Your firm’s AML program should be “risk-based.” That means that the program’s AML policies, procedures and internal controls should be designed to address the risk of money laundering specific to your firm. Your firm can identify that risk by looking at the type of customers it serves, where its customers are located, and the types of services it offers. It is a good practice to develop a written analysis of your firm’s money laundering and terrorist financing risk and how your firm’s AML procedures manage that risk. This “risk-assessment” will help to ensure that the AML program is the right one for your firm and is a useful tool for demonstrating to your firm’s examiner that the firm used a reasonable approach for designing its AML program.
In addition, where certain AML rules may be inapplicable due to the limited nature of your firm’s business, FINRA expects your firm to have internal controls in place to identify when circumstances change in such a way as to trigger previously inapplicable AML requirements and to amend your AML policies and procedures to accurately reflect all AML requirements that are applicable to your business. For example, a firm with no customer accounts within the definition of the Customer Identification Program (CIP) rule would not be expected to have a CIP. However, the firm must have procedures in place to identify when the firm’s business activities have shifted in such a way as to require compliance with the CIP rule. In addition, notwithstanding the fact that the firm does not have accounts for CIP purposes, the firm is expected to identify and develop procedures for any additional AML requirements that do apply (e.g., suspicious activity monitoring and reporting).
The language in this template is provided only as a helpful starting point to walk you through developing your firm’s program. If any of the language does not adequately address your firm’s business situation in any respect, you will need to prepare your own language. You are responsible for ensuring that the program fits your firm’s risk level and that you implement the program.
TEXT EXAMPLES are provided to give you sample language that you can modify, as necessary, to fit your firm’s needs in creating your firm’s program.
Material in italics provides instructions and citations to the relevant rules, and other resources that you can use to develop your firm’s program.
The FINRA AML web page includes important information and links to other websites with useful information. You should also consult the websites maintained by the Financial Crimes Enforcement Network (FinCEN) and the Securities and Exchange Commission (SEC), including the SEC’s AML Source Tool and Spotlight on AML Rulemaking, for additional information and guidance. For historical guidance and background, you may wish to consult NASD Notices to Members (NTM) 02-21, 02-47, 02-50, 02-78, 02-80, 03-34, 06-07, 06-41 and 07-17. Regulatory Notices 07-42, 08-66, 09-05, 12-08 and 17-40 provide additional guidance about firms’ AML obligations. In order to submit BSA filings, including Suspicious Activity Reports (SARs), to FinCEN, firms must use FinCEN’s BSA E-Filing System.
TEXT EXAMPLE: It is the policy of the firm to prohibit and actively prevent money laundering and any activity that facilitates money laundering or the funding of terrorist or criminal activities by complying with all applicable requirements under the Bank Secrecy Act (BSA) and its implementing regulations.
Money laundering is generally defined as engaging in acts designed to conceal or disguise the true origins of criminally derived proceeds so that the proceeds appear to have derived from legitimate origins or constitute legitimate assets. Generally, money laundering occurs in three stages. Cash first enters the financial system at the "placement" stage, where the cash generated from criminal activities is converted into monetary instruments, such as money orders or traveler's checks, or deposited into accounts at financial institutions. At the "layering" stage, the funds are transferred or moved into other accounts or other financial institutions to further separate the money from its criminal origin. At the "integration" stage, the funds are reintroduced into the economy and used to purchase legitimate assets or to fund other criminal activities or legitimate businesses.
Although cash is rarely deposited into securities accounts, the securities industry is unique in that it can be used to launder funds obtained elsewhere, and to generate illicit funds within the industry itself through fraudulent activities. Examples of types of fraudulent activities include insider trading, market manipulation, Ponzi schemes, cybercrime and other investment-related fraudulent activity.
Terrorist financing may not involve the proceeds of criminal conduct, but rather an attempt to conceal either the origin of the funds or their intended use, which could be for criminal purposes. Legitimate sources of funds are a key difference between terrorist financiers and traditional criminal organizations. In addition to charitable donations, legitimate sources include foreign government sponsors, business ownership and personal employment. Although the motivation differs between traditional money launderers and terrorist financiers, the actual methods used to fund terrorist operations can be the same as or similar to methods used by other criminals to launder funds. Funding for terrorist attacks does not always require large sums of money and the associated transactions may not be complex.
Our AML policies, procedures and internal controls are designed to ensure compliance with all applicable BSA regulations and FINRA rules and will be reviewed and updated on a regular basis to ensure appropriate policies, procedures and internal controls are in place to account for both changes in regulations and changes in our business.
Rules: 31 C.F.R. § 1023.210; FINRA Rule 3310.
Designate your firm’s AML Compliance Person and describe his or her duties.
The firm has designated Millionmerch as its Anti-Money Laundering Program Compliance Person (AML Compliance Person), with full responsibility for the firm’s AML program. Millionmerch has a working knowledge of the BSA and its implementing regulations and is qualified by experience, knowledge and training, including [describe]. The duties of the AML Compliance Person will include monitoring the firm’s compliance with AML obligations, overseeing communication and training for employees, and [add any other duties your firm will assign to the AML Compliance Person; review NASD Rules 1021 and 1031 for any applicable registration requirements]. The AML Compliance Person will also ensure that the firm keeps and maintains all of the required AML records and will ensure that Suspicious Activity Reports (SARs) are filed with the Financial Crimes Enforcement Network (FinCEN) when appropriate. The AML Compliance Person is vested with full responsibility and authority to enforce the firm’s AML program.
The firm will provide FINRA with contact information for the AML Compliance Person through the FINRA Contact System (FCS), including: (1) name; (2) title; (3) mailing address; (4) email address; (5) telephone number; and (6) facsimile (if any). The firm will promptly notify FINRA of any change in this information through FCS and will review, and if necessary update, this information within 17 business days after the end of each calendar year. The annual review of FCS information will be conducted by Millionmerch and will be completed with all necessary updates being provided no later than 17 business days following the end of each calendar year. In addition, if there is any change to the information, Millionmerch will update the information promptly, but in any event not later than 30 days following the change.
Rules: 31 C.F.R. § 1023.210; FINRA Rule 3310; FINRA Rule 4517.
Pursuant to the BSA and its implementing regulations, financial institutions are required to make certain searches of their records upon receiving an information request from FinCEN. Describe your firm’s procedures for FinCEN requests for information on money laundering or terrorist activity.
In order for a firm to obtain information requests from FinCEN, the firm must first designate an AML Contact Person in FCS. You should be aware that if you want to change the person who receives FinCEN requests, you must change the AML contact information in FCS. When you are faced with a change in personnel who will receive this information, you should be aware that FinCEN receives a data feed of this revised information from FCS every other week and that it may take several weeks for a firm’s new AML contact person to receive information from FinCEN. Therefore, it is advisable for a firm that is aware that a person who had been receiving FinCEN requests is leaving the firm to change the information on FCS as soon as practical to ensure continuity of receiving FinCEN information.
TEXT EXAMPLE: We will respond to a Financial Crimes Enforcement Network (FinCEN) request concerning accounts and transactions (a 314(a) Request) by immediately searching our records to determine whether we maintain or have maintained any account for, or have engaged in any transaction with, each individual, entity or organization named in the 314(a) Request as outlined in the Frequently Asked Questions (FAQ) located on FinCEN’s secure website. We understand that we have 14 days (unless otherwise specified by FinCEN) from the transmission date of the request to respond to a 314(a) Request. We will designate through the FINRA Contact System (FCS) one or more persons to be the point of contact (POC) for 314(a) Requests and will promptly update the POC information following any change in such information. (See also Section 2 above regarding updating of contact information for the AML Compliance Person.) Unless otherwise stated in the 314(a) Request or specified by FinCEN, we are required to search those documents outlined in FinCEN’s FAQ. If we find a match, Millionmerch will report it to FinCEN via FinCEN’s Web-based 314(a) Secure Information Sharing System within 14 days or within the time requested by FinCEN in the request. If the search parameters differ from those mentioned above (for example, if FinCEN limits the search to a geographic location), Millionmerch will structure our search accordingly.
If Millionmerch searches our records and does not find a matching account or transaction, then Millionmerch will not reply to the 314(a) Request. We will maintain documentation that we have performed the required search by [add the details on how your firm will document its searches here. For example, printing a search self-verification document from FinCEN’s 314(a) Secure Information Sharing System confirming that your firm has searched the 314(a) subject information against your records OR maintaining a log showing the date of the request, the number of accounts searched, the name of the individual conducting the search and a notation of whether or not a match was found].
We will not disclose the fact that FinCEN has requested or obtained information from us, except to the extent necessary to comply with the information request. Millionmerch will review, maintain and implement procedures to protect the security and confidentiality of requests from FinCEN similar to those procedures established to satisfy the requirements of Section 501 of the Gramm-Leach-Bliley Act with regard to the protection of customers’ nonpublic information.
We will direct any questions we have about the 314(a) Request to the requesting federal law enforcement agency as designated in the request.
Unless otherwise stated in the 314(a) Request, we will not be required to treat the information request as continuing in nature, and we will not be required to treat the periodic 314(a) Requests as a government provided list of suspected terrorists for purposes of the customer identification and verification requirements.
Rule: 31 C.F.R. § 1010.520.
Resources: FinCEN’s 314(a) web page; NTM 02-80. FinCEN also provides financial institutions with General Instructions and Frequently Asked Questions relating to 314(a) requests through the 314(a) Secure Information Sharing System or by contacting FinCEN’s Regulatory Helpline at (800) 949-2732 or via email at email@example.com.
National Security Letters (NSLs) are written investigative demands that may be issued by the local Federal Bureau of Investigation (FBI) and other federal government authorities conducting counterintelligence and counterterrorism investigations to obtain, among other things, financial records of broker-dealers. NSLs are highly confidential. No broker-dealer, officer, employee or agent of the broker-dealer can disclose to any person that a government authority or the FBI has sought or obtained access to records. Firms that receive NSLs must have policies and procedures in place for processing and maintaining the confidentiality of NSLs. If you file a Suspicious Activity Report (SAR) after receiving an NSL, the SAR should not contain any reference to the receipt or existence of the NSL.
TEXT EXAMPLE: We understand that the receipt of a National Security Letter (NSL) is highly confidential. We understand that none of our officers, employees or agents may directly or indirectly disclose to any person that the FBI or other federal government authority has sought or obtained access to any of our records. To maintain the confidentiality of any NSL we receive, we will process and maintain the NSL by [describe procedure]. If we file a SAR after receiving an NSL, the SAR will not contain any reference to the receipt or existence of the NSL. The SAR will only contain detailed information about the facts and circumstances of the detected suspicious activity.
Grand juries may issue subpoenas as part of their investigative proceedings. The receipt of a grand jury subpoena does not in itself require the filing of a Suspicious Activity Report (SAR). However, broker-dealers should conduct a risk assessment of the customer who is the subject of the grand jury subpoena, as well as review the customer’s account activity. If suspicious activity is uncovered during this review, broker-dealers should consider elevating the risk profile of the customer and file a SAR in accordance with the SAR filing requirements. Grand jury proceedings are confidential, and a broker-dealer that receives a subpoena is prohibited from directly or indirectly notifying the person who is the subject of the investigation about the existence of the grand jury subpoena, its contents or the information used to reply to it. If you file a SAR after receiving a grand jury subpoena, the SAR should not contain any reference to the receipt or existence of it. The SAR should provide detailed information about the facts and circumstances of the detected suspicious activity.
TEXT EXAMPLE: We understand that the receipt of a grand jury subpoena concerning a customer does not in itself require that we file a Suspicious Activity Report (SAR). When we receive a grand jury subpoena, we will conduct a risk assessment of the customer subject to the subpoena as well as review the customer’s account activity. If we uncover suspicious activity during our risk assessment and review, we will elevate that customer’s risk assessment and file a SAR in accordance with the SAR filing requirements. We understand that none of our officers, employees or agents may directly or indirectly disclose to the person who is the subject of the subpoena its existence, its contents or the information we used to respond to it. To maintain the confidentiality of any grand jury subpoena we receive, we will process and maintain the subpoena by [describe procedure]. If we file a SAR after receiving a grand jury subpoena, the SAR will not contain any reference to the receipt or existence of the subpoena. The SAR will only contain detailed information about the facts and circumstances of the detected suspicious activity.
BSA regulations permit financial institutions to share information with other financial institutions under the protection of a safe harbor if certain procedures are followed. If your firm shares or plans to share information with other financial institutions, describe your firm's procedures for such sharing.
TEXT EXAMPLE: We will share information with other financial institutions regarding individuals, entities, organizations and countries for purposes of identifying and, where appropriate, reporting activities that we suspect may involve possible terrorist activity or money laundering. Millionmerch will ensure that the firm files with FinCEN an initial notice before any sharing occurs and annual notices thereafter. We will use the notice form found at FinCEN’s website. Before we share information with another financial institution, we will take reasonable steps to verify that the other financial institution has submitted the requisite notice to FinCEN, either by obtaining confirmation from the financial institution or by consulting a list of such financial institutions that FinCEN will make available. We understand that this requirement applies even to financial institutions with which we are affiliated, and that we will obtain the requisite notices from affiliates and follow all required procedures.
We will employ strict procedures both to ensure that only relevant information is shared and to protect the security and confidentiality of this information, for example, by segregating it from the firm’s other books and records and [describe any other procedures].
We also will employ procedures to ensure that any information received from another financial institution shall not be used for any purpose other than:
Rules: 31 C.F.R. § 1010.540.
Resources: FinCEN Financial Institution Notification Form; FIN-2009-G002: Guidance on the Scope of Permissible Information Sharing Covered by Section 314(b) Safe Harbor of the USA PATRIOT Act (6/16/2009).
The obligation to identify and properly report a suspicious transaction and to timely file a SAR rests separately with each broker-dealer. However, one SAR may be filed for a suspicious activity by all broker-dealers involved in a transaction (so long as the report filed contains all relevant and required information) if the SAR is jointly filed. In addition, if a broker-dealer and another financial institution that is subject to the SAR regulations are involved in the same suspicious transaction, the financial institution may also file a SAR jointly (so long as the report filed contains all relevant and required information). For example, a broker-dealer and an insurance company may file one SAR with respect to suspicious activity involving the sale of variable insurance products. Disclosures that are made for the purposes of jointly filing a SAR are protected by the safe harbor contained in the SAR regulations. The financial institutions that jointly file a SAR shall each be separately responsible for maintaining a copy of the SAR and should maintain their own SAR supporting documentation in accordance with BSA recordkeeping requirements. See generally Section 12 (Suspicious Transaction and BSA Reporting) for information on a broker-dealer’s obligation to file a SAR to report suspicious transactions.
We will file joint SARs in the following circumstances, according to [describe procedures]. We will also share information about a particular suspicious transaction with any broker-dealer, as appropriate, involved in that particular transaction for purposes of determining whether we will jointly file a SAR.
[If an introducing firm:] We will share information about particular suspicious transactions with our clearing broker for purposes of determining whether we and our clearing broker will jointly file a SAR. In cases in which we file a joint SAR for a transaction that has been handled both by us and by the clearing broker, we may share with the clearing broker a copy of the filed SAR.
If we determine it is appropriate to jointly file a SAR, we understand that we cannot disclose that we have filed a SAR to any financial institution except the financial institution that is filing jointly. If we determine it is not appropriate to file jointly (e.g., because the SAR concerns the other broker-dealer or one of its employees), we understand that we cannot disclose that we have filed a SAR to any other financial institution or insurance company.
Rules: 31 C.F.R. § 1023.320; 31 C.F.R. § 1010.430; 31 C.F.R. § 1010.540.
Resources: FinCEN’s BSA E-Filing System.
Because we are a subsidiary, we may share SARs with [Name of parent entity (or parent entities)]. Before we share SARs with Millionmerch's, we will have in place written confidentiality agreements or written arrangements that [Name(s)] protect the confidentiality of the SARs through appropriate internal controls.
[If parent company is a non-U.S. entity:] The confidentiality agreement will state that the recipient foreign parent entity (or entities) may not disclose further any SAR, or the fact that such report has been filed. The agreement will allow for the foreign parent entity (or entities) to disclose without permission underlying information (that is, information about the customers and transaction(s) reported) that forms the basis for the SAR and that does not explicitly reveal that a SAR was filed and that is not otherwise subject to disclosure restrictions.
Resource: FinCEN’s BSA E-Filing System, FinCEN Guidance on Sharing of Suspicious Activity Reports by Securities Broker-Dealers, Futures Commission Merchants, and Introducing Brokers in Commodities (1/20/2006).
As of October 1, 2018, NASD Rules 1021 and 1031 will no longer be effective. As of October 1, 2018, see FINRA Rule 1210.