FINRA AML & KYC Compliance Checklist

The written AML program must be tailored to the firm's specific business model, products, customer types, and geographic markets. Generic programs copied from other firms are cited as deficiencies. The program must be reviewed and updated annually and formally approved by senior management.

The AML Officer must have direct access to senior management and the board, sufficient authority to investigate and escalate issues, and adequate resources (staff and systems) to fulfill the role. The AML Officer cannot be the firm's sole compliance officer for a large, complex firm.

For individuals: name, date of birth, address, and SSN/TIN are required. For entities: name, address, and TIN are required. Verify identity using documentary or non-documentary methods. Record the information collected and verification method. Provide CIP notice to customers.

FinCEN's CDD Final Rule (effective 2018) requires broker-dealers to identify and verify the beneficial owners of legal entity customers — any individual owning 25%+ and one person with significant control. Collect beneficial ownership information at account opening and update when the firm becomes aware of changes.

High-risk categories requiring EDD include: Politically Exposed Persons (PEPs), non-resident aliens, high-risk jurisdictions (FATF blacklist and greylist countries), cash-intensive businesses, correspondent banks, and customers with complex or opaque ownership structures. EDD must include additional source of funds verification.

Monitor for: large cash transactions (0,000+ reporting threshold), structuring activity (multiple transactions designed to avoid reporting), unusual wire transfer patterns, round-dollar transactions, and activity inconsistent with customer profile. Automated transaction monitoring systems are the industry standard for any firm with meaningful transaction volumes.

Any currency transaction or series of related transactions exceeding 0,000 must be reported to FinCEN within 15 days using FinCEN Form 112. Structuring transactions to avoid CTR filing is a federal crime (31 U.S.C. § 5324). Ensure tellers and operations staff recognize structuring patterns.

SARs are required when a transaction involves ,000+ and the firm knows, suspects, or has reason to suspect: proceeds of illegal activity, designed to evade reporting, no lawful purpose, or use of the firm to facilitate criminal activity. SAR filings are confidential — never tip off the subject of a SAR.

Transactions with Specially Designated Nationals (SDNs) and sanctioned countries are prohibited. Screen at account opening, on a daily basis against updated OFAC lists, and upon triggering events (new beneficial owner, change of name). OFAC violations carry strict liability — intent is not required.

The BSA requires broker-dealers to conduct independent testing of the AML program. Testing must be conducted by a qualified independent party — this can be internal audit (if independent from the AML function) or an outside firm. The test must evaluate all components of the AML program and produce a written report to senior management.

Annual AML training is required for all employees involved in customer-facing activities, account opening, transaction processing, and supervision. Training must cover: identification of suspicious activity, SAR filing procedures, CIP requirements, OFAC screening, and consequences for AML failures. Document completion.

Employees must have a clear escalation path when they identify suspicious activity. Red flags should be documented, reviewed by the AML Officer, and either resolved with documentation or escalated to a SAR. Ensure employees understand that failing to report red flags is itself a compliance failure.

The USA PATRIOT Act requires enhanced due diligence for correspondent accounts held for foreign financial institutions. This includes: identifying the owners of the foreign bank, evaluating its AML controls, and prohibiting accounts for foreign shell banks (banks with no physical presence).

PEPs — current or former senior foreign political officials and their close associates and family — present heightened corruption risk. Screen all new customers and beneficial owners against PEP databases at account opening and annually. If a PEP is identified, EDD applies: obtain senior management approval, verify source of funds, and conduct enhanced ongoing monitoring.

Wire transfers are among the highest-risk AML vectors. Monitor for: wires to/from high-risk jurisdictions, wires that reverse previous wires, multiple wires from multiple customers to the same beneficiary, and wires inconsistent with the customer's stated business. SWIFT gpi and LEI verification improve counterparty identification.

FINRA's 2024 examination priorities specifically target digital asset AML controls. Virtual asset transactions present unique AML challenges: pseudonymous addresses, cross-border peer-to-peer transfers, and mixing services. Firms facilitating digital asset transactions must apply blockchain analytics tools (Chainalysis, Elliptic) and apply source of funds requirements.

All AML program records must be maintained for five years: CIP records, CDD files, SAR filings, CTR reports, OFAC screening records, and training documentation. Retain SAR supporting documentation separately and securely — SAR tipping is a federal crime. Electronic records must meet 17a-4 WORM storage requirements.

Trigger events for AML program review: new FINRA or FinCEN guidance, new products or customer types, new geographic markets, significant growth in transaction volumes, or a SAR or CTR that reveals a program gap. Do not wait for the annual review cycle if a material change occurs.

When law enforcement serves a subpoena, civil investigative demand, or Section 314(a) information request, the firm must respond within 14 days (314(a)) or the deadline specified in legal process. Designate a point of contact for law enforcement. Ensure that records are accessible and can be produced in the format required.

New products — particularly those involving digital assets, international transfers, or anonymous funding mechanisms — should undergo an AML risk assessment before launch. The AML Officer should review and approve new product launches from an AML perspective. Post-launch monitoring requirements should be specified before product goes live.