Independent Testing – Anti-Money Laundering

As we wrote earlier this year, FINRA included a heavy emphasis on Anti-Money Laundering, Fraud, and Sanctions as examination priorities for 2023.  At B/D Compliance Associates, we have been asked to assist a number of registrants in responding to AML examinations.  Based on our experience, it is clear that FINRA is highly focused on each firm’s AML Program, AML Procedures – and perhaps most importantly – independent annual testing of the firm’s AML Program.



Each firm is required to conduct independent testing every calendar year to confirm that it has established and implemented reasonably designed procedures for customer identification and verification, customer due diligence, and suspicious activity reporting.  A comprehensive Customer Identification Program (or CIP) and a reasonable Customer Due Diligence (or CDD) procedure are required and critical elements of understanding and confirming the identity of your customers as well as the nature and purpose of each customer’s account.


Each calendar year, independent testing must be conducted by a designated person with a working knowledge of applicable requirements under the Bank Secrecy Act and its implementing regulations. However, many firms make the mistake of designating the testing internally, oftentimes to the firm’s designated AML Compliance Officer.  In most cases, that’s a no-no under the Rules.  The independent test may not be conducted by a person who performs the functions being tested, the designated anti-money laundering compliance officer, or any person who reports to one of those persons.  For these reasons, depending on the size of the firm, the best decision is to outsource the testing to an independent and experienced compliance consulting firm.



Your AML program should fit your unique business model and the associated AML risks. That is also true of your annual independent risk-based testing protocol. The testing should be heavily focused on those functions within your firm that are the most likely to be able to detect, defend against, and report suspicious activity.  Among other things, these areas might include sales, client onboarding, identity verification, beneficial owners, private placements, M&A, recordkeeping, surveillance, cashiering, money movement, foreign accounts, and cybersecurity.  The central idea is to customize your annual independent testing to your business and the inherent risks that are distinctive to your firm.  Far too often, consultants are hired to conduct annual independent testing and they skip this critical step in understanding the business of the firm and designing testing that is appropriate and focused on the recurring exam findings cited by FINRA.


In their 2021 report, FINRA detailed the following Exam Findings and Effective Practices:


  • Inadequate AML Transaction Monitoring – Not tailoring transaction monitoring to address firms’ business risk(s).
  • Limited Scope for Suspicious Activity Reports (SARs) – Not requiring staff to notify AML departments or file SARs for a range of events involving suspicious transactions, such as financial crime-related events, including but not limited to cybersecurity events, account compromises, account takeovers, new account fraud, and fraudulent wires.
  • Inadequate AML Framework for Cash Management Accounts – Failing to incorporate, or account for, in their AML programs, the AML risks relating to Cash Management Accounts, including the following:
    • monitoring, investigating, and reporting suspicious money movements;
    • a list of red flags in their WSPs indicative of potentially suspicious transactions; or
    • expanding or enhancing their AML compliance program resources to address Cash Management Accounts.
  • Unclear Delegation of AML Responsibilities – Non-AML staff failing to escalate suspicious activity monitoring alerts to AML departments because firms did not: (1) clearly define the activities that were being delegated; (2) articulate those delegations and related surveillance responsibilities in their WSPs; or (3) train non-AML staff on AML surveillance policies and procedures.
  • Data Integrity Gaps – Excluding certain types of data and customer accounts from monitoring programs as a result of problems with ingesting certain data, inaccuracies, and missing information in data feeds.
  • Failure to Document Investigations – Not documenting initial reviews and investigations into potentially suspicious activities identified by SARs.
  • Concerns About High-Risk Trading by Foreign Legal Entity Accounts – Inadequate identification of or follow-up on increased trading by foreign legal entity accounts which raised concerns about potential ownership or control by beneficial owners.
  • Insufficient Independent Testing – Not reviewing how the firm’s AML program was implemented; not ensuring the independence of the testing; and not completing tests on an annual calendar year basis.
  • Improper Reliance on Clearing Firms – Introducing firms relying primarily or entirely on their clearing firms for transaction monitoring and suspicious activity reporting, even though they are required to monitor for suspicious activity attempted or conducted through their firms.

If you have endured a FINRA AML examination in recent years, chances are you have experienced this level of scrutiny and testing.  If you haven’t been visited by FINRA, now would be a good time to consider a thorough review of your AML program, past independent testing results, your current training programs, and your current AML written policies and procedures to make sure you’re up to date and protected against potential sanctions and fines.