FINRA Rule 3310 - Anti-Money Laundering Compliance Program

FINRA Rule 3310 requires every FINRA member broker-dealer to maintain a written anti-money laundering (AML) program, implement it in day-to-day operations, and obtain written approval from senior management. To operationalize it fast, you need a risk-based written program mapped to your business model, assigned ownership (AMLCO), monitoring and SAR workflows, annual independent testing, and role-based training 1.

Key takeaways:

  • Your written AML program must be “reasonably designed” for your actual products, customers, geographies, and channels, not a generic template 1.
  • Senior management must approve the AML program in writing, and you must be able to produce that evidence on demand 1.
  • FINRA enforcement shows large penalties for weak monitoring, SAR failures, and inadequate controls for online account opening and fraud risks 2.

The operational question behind the FINRA Rule 3310 anti-money laundering compliance program requirement is simple: can your broker-dealer show, with documents and system evidence, that it can identify suspicious activity, investigate it consistently, and escalate to SAR decisions under its Bank Secrecy Act (BSA) obligations 1?

FINRA does not grade you on whether your policy binder is thick. Examiners look for alignment between (1) your business model and risk profile and (2) the controls you built to manage those risks, including suspicious activity reporting, customer onboarding controls, and independent testing 3. The “reasonably designed” standard is where firms get into trouble: if your firm offers fully online account opening, clears or introduces for foreign customers, supports wires, or touches crypto-related activity, your AML program has to show specific, implemented controls for those realities 3.

This page is written for a Compliance Officer, CCO, or GRC lead who needs to stand up or remediate Rule 3310 quickly. It focuses on what to build, how to prove it works, and what FINRA commonly challenges in exams and enforcement.

Plain-English interpretation (what Rule 3310 expects)

FINRA Rule 3310 requires a FINRA member to:

  1. Have a written AML program and implement it.
  2. Design it so it is reasonably expected to achieve and monitor compliance with the BSA and Treasury regulations.
  3. Obtain written senior management approval for the program 1.

Rule 3310 also sets minimum required elements for the program, including policies to detect and cause reporting of suspicious transactions, internal controls to achieve BSA compliance, annual independent testing, an identified AML Compliance Officer (AMLCO), and ongoing training 1.

Who it applies to (scope and operational context)

Applies to: all FINRA member broker-dealers 1.

Operational contexts that change how you implement controls:

  • Fully online account opening: exam focus on new account fraud using stolen or synthetic identities 3.
  • Higher-risk transaction flows (e.g., foreign wires, high-risk jurisdictions, complex movement of funds): your monitoring and investigations must match the risk 4.
  • Crypto-asset related activity (if you offer, facilitate, or supervise associated persons’ involvement): FINRA flags AML compliance challenges tied to crypto risks 3.

Regulatory text

“Each member shall develop and implement a written anti-money laundering program reasonably designed to achieve and monitor the member's compliance with the requirements of the Bank Secrecy Act (31 U.S.C. 5311, et seq.), and the implementing regulations promulgated thereunder by the Department of the Treasury. Each member's anti-money laundering program must be approved, in writing, by a member of senior management.” 1

Operator translation (what you must be able to demonstrate):

  • A current, written AML program exists, and staff follow it in real workflows 1.
  • The program is tailored: the controls and scenarios reflect what your firm actually does (products, customers, channels, geographies) 3.
  • A senior manager reviewed and approved the AML program in writing, and you can produce that approval record during an exam 1.

What you actually need to do (step-by-step)

1) Build or refresh the written AML program (policy + procedures)

Create a single “AML Program” document (or controlled set of documents) that clearly covers the Rule 3310 minimum elements 1:

  • Policies and procedures reasonably expected to detect and cause reporting of SAR-triggering activity 1.
  • AML internal controls (roles, approvals, monitoring governance, recordkeeping) to support BSA compliance 1.
  • Annual independent testing requirement and how you schedule and scope it 1.
  • AMLCO designation and responsibilities 1.
  • Ongoing training scope and cadence by role 1.

Implementation note: Write procedures so an analyst can follow them without tribal knowledge. Include queue ownership, SLAs you set internally, escalation points, and decision documentation expectations. Those are the “show me” items in exams.

2) Tailor controls to your business model and exam priorities

Map your AML program to your actual risk drivers and explicitly address areas FINRA calls out:

  • Online account opening and new account fraud: document identity verification steps, exception handling, and fraud red flags that trigger AML review 3.
  • Suspicious Activity Reporting workflow: define what gets alerted, who investigates, what evidence is collected, who decides SAR vs. no SAR, and how you document rationale 1.
  • Crypto-related risks (if applicable): add scenarios, due diligence triggers, and supervision expectations for crypto-asset related activity and communications 3.

A practical method: maintain a “Business-to-Control Matrix” that lists products and workflows (e.g., cash funding, wires, journals, ACATs, low-priced securities, options, overseas customers, online onboarding) and ties each to monitoring scenarios, investigation playbooks, and escalation rules. FINRA’s focus on “scope of AML program” makes this mapping a high-value artifact 3.

3) Implement transaction monitoring calibrated to your firm

Rule 3310 does not mandate a specific technology, but it expects monitoring that can reasonably detect suspicious activity relevant to your firm 1. Enforcement shows what happens when monitoring fails to match the business 4.

Minimum operational requirements you should implement:

  • Alert sources: transactional feeds (funding, disbursements, trading activity, profile changes), onboarding signals, and fraud/cyber events that could indicate account takeover 5.
  • Scenario tuning: document what scenarios exist, why they exist, and who approves changes.
  • Case management: every alert should become a case with evidence capture, notes, disposition, and escalation path.

If you don’t have a mature tooling stack, you can start with rules-based monitoring and sampling, but you still need documented rationale, consistent triage, and management oversight.

4) Establish escalation procedures and SAR decisioning documentation

Your AML program must “detect and cause the reporting” of suspicious transactions that require SAR reporting 1. Operationalize that with:

  • Investigation playbooks by alert type (what to check, what data sources to pull, what questions to ask).
  • Escalation triggers (e.g., repeat alerts, high-risk customer, suspicious pattern).
  • SAR committee or decision authority: clear approvers, meeting cadence you set internally, and documented outcomes.
  • Decision log: SAR filed vs. no SAR, the rationale, and supporting evidence.

This is where teams fail quietly: they investigate but do not preserve decision evidence. Treat the decision log as a primary exam artifact.

5) Designate an AML Compliance Officer (AMLCO) and evidence authority

Rule 3310 requires you to designate and identify an individual or individuals responsible for day-to-day AML operations and internal controls 1. Make it real:

  • Document AMLCO role description, authority to demand information, and escalation route to senior management.
  • Ensure staffing aligns with volumes, especially for online onboarding and alert backlogs, which can create SAR timeliness risk 3.

6) Deliver ongoing AML training with completion evidence

Training must be ongoing and provided to appropriate personnel 1. Build role-based tracks:

  • Front office, onboarding operations, AML analysts, supervisors, customer support (especially for fraud/account takeover), and engineering teams that build onboarding flows 3.
  • Include short knowledge checks and track completion.

7) Run annual independent testing and track remediation to closure

Independent testing is required annually on a calendar-year basis 1. Do not treat it as a checklist.

  • Define scope based on risk: onboarding/CIP, monitoring coverage, SAR workflow, training, governance, and data quality.
  • Require a written report with findings, severity, and recommendations.
  • Assign owners, due dates you set internally, and maintain a remediation tracker with evidence of closure.

Required evidence and artifacts to retain (exam-ready checklist)

FINRA exams commonly request the following 6:

  • Written AML program document(s) and written senior management approval record 1.
  • AMLCO designation and identification details 1.
  • Annual independent testing reports and remediation tracking 1.
  • Training materials, training completion logs, and knowledge check results 1.
  • Risk assessment or business model mapping showing how the AML program addresses firm-specific risks 3.
  • Monitoring documentation: scenario inventory, tuning/change approvals, data lineage notes.
  • Case management artifacts: alert queues, investigation notes, evidence attachments, escalation records.
  • SAR decision log and supporting documentation 1.
  • Documentation of program enhancements/remediation after issues are identified 5.

If you use Daydream to manage compliance evidence, set up a single Rule 3310 evidence workspace with standardized filenames and an “exam packet” export. The goal is fast, consistent production of the same core artifacts across exam cycles.

Public enforcement cases

FINRA’s public settlements show recurring failure modes: weak tailoring to the business model, inadequate monitoring, and breakdowns around investigating and reporting suspicious activity.

| Case | What it signals for operators | Outcome |
|---|---|---|
| In the Matter of Robinhood Financial LLC and Robinhood Securities, LLC (FINRA AWC 2020066723701, 2025-03-07) | FINRA expects controls that match a high-volume, online model, including addressing fraud/account takeover signals as AML-relevant inputs and maintaining effective suspicious activity processes 5. | $26,000,000 FINRA penalty 5 and $3.75 million restitution referenced in FINRA’s press release 7. |
| In the Matter of Interactive Brokers LLC (FINRA AWC 2018058166401, 2020-08-10) | Monitoring must be calibrated to the firm’s risk, including cross-border and higher-risk flows, with effective investigation and escalation 4. | $15,000,000 FINRA penalty 4. |

Risk implication: These cases show Rule 3310 failures can escalate into eight-figure outcomes, plus reputational damage, remediation cost, and potential multi-regulator exposure 8.

Common exam/audit questions and hangups (what to prep for)

Expect examiners to press on:

  • “Show me” senior management approval. Who approved, when, and what version? 1
  • Reasonable design. Why are your scenarios and procedures sufficient for your business model? 3
  • Online onboarding controls. How do you detect new account fraud, and how does it flow into AML review? 3
  • SAR workflow evidence. Show investigations, escalation, and documented rationale for filings and no-filing decisions 1.
  • Independent testing quality. Who performed it, are they independent, what did they test, and did you remediate findings? 1

Frequent implementation mistakes (and how to avoid them)

| Mistake | Why it fails under Rule 3310 | Fix |
|---|---|---|
| Generic AML program copied from another firm | “Reasonably designed” is business-model specific 6. | Maintain a business-to-control matrix and document rationale for each monitoring scenario and onboarding control. |
| Senior management “approval” is verbal or missing version control | Rule requires written approval 1. | Capture approval in a signed attestation or board/committee minutes referencing the version/date. |
| Monitoring exists but is not tuned, not documented, or not reviewed | Enforcement highlights failures where monitoring did not detect suspicious patterns 4. | Create a scenario inventory, tuning/change log, QA sampling, and periodic management review meeting notes. |
| SAR decisions are made but not documented consistently | Exams test whether you can show detection, investigation, and decisioning 1. | Standardize case templates and require a no-SAR rationale memo for material cases. |
| Independent testing is treated as a formality | Annual independent testing is required and should surface gaps 1. | Expand scope based on your risk; track remediation with evidence of closure. |
| Online account opening scales faster than CIP/AML operations | FINRA flags increased new account fraud risk with online onboarding 3. | Add capacity planning, automated ID verification exception queues, and clear stop/go rules before account activation. |

Practical 30/60/90-day execution plan

Days 1–30: Stabilize governance and produce exam-ready basics

  • Inventory current AML documents, monitoring controls, and SAR workflow artifacts.
  • Draft or refresh written AML program to cover Rule 3310 elements 1.
  • Identify AMLCO, confirm responsibilities, and document escalation path 1.
  • Stand up an evidence folder structure (policy approvals, training logs, testing reports, SAR log, scenario inventory).

Days 31–60: Tailor to business model and close high-risk gaps

  • Create a business-to-control matrix aligned to FINRA’s focus on program scope and business model risks 3.
  • Review online onboarding flow for new account fraud controls and AML escalation points if applicable 3.
  • Implement or tune monitoring scenarios; document data sources, thresholds, and ownership.
  • Standardize investigation templates and SAR decision log fields.

Days 61–90: Prove operating effectiveness and lock in the annual cycle

  • Run a targeted internal QA review of closed investigations to test documentation quality and escalation consistency.
  • Schedule annual independent testing and confirm independence and scope 1.
  • Deliver role-based training and produce completion and comprehension evidence 1.
  • Obtain written senior management approval for the current AML program version and store it with version control 1.

Frequently Asked Questions

Does FINRA Rule 3310 require a written AML program even for small broker-dealers?

Yes. Rule 3310 applies to each FINRA member and requires a written AML program approved in writing by senior management 1. Your program can be scaled, but the required elements still need to exist and operate.

What counts as “written approval” by senior management?

Keep a signed approval page, email approval that clearly references the AML program version/date, or approved meeting minutes that identify the document and version 1. The key is that an examiner can tie the approval to the exact AML program in effect.

How do we show our program is “reasonably designed” for our business model?

Maintain a documented mapping between your products/workflows and your monitoring, onboarding controls, escalation procedures, and training scope 3. Examiners look for that alignment, not generic statements.

We have fully online account opening. What does FINRA focus on right now?

FINRA highlights increased new account fraud risk tied to fully online account opening and expects firms to address it through onboarding controls and AML program scope 3. Build clear exception handling and escalation to AML investigations for fraud signals.

What is the minimum expectation for independent testing under Rule 3310?

Independent testing must occur annually on a calendar-year basis and be conducted by member personnel or a qualified outside party 1. Keep the written report and a remediation tracker that shows closure evidence.

Can we outsource parts of AML operations to a third party?

You can use third parties for tooling or support, but the broker-dealer remains responsible for having and implementing an AML program that meets Rule 3310 requirements 1. Keep documented oversight, SLAs you set internally, and quality checks on third-party outputs.

Footnotes

  1. FINRA Rule 3310

  2. Robinhood AML (March 2025); Interactive Brokers AML (Aug 2020); FINRA 2024 Report

  3. FINRA 2024 Report

  4. Interactive Brokers AML (Aug 2020)

  5. Robinhood AML (March 2025)

  6. FINRA Rule 3310; FINRA 2024 Report

  7. Robinhood Press Release (2025)

  8. Robinhood AML (March 2025); Interactive Brokers AML (Aug 2020)
