Anti-money laundering (AML) compliance is non-negotiable for a broker-dealer operating in the US financial system.
If you’re building or scaling a fintech brokerage, even one with no customer cash or only digital onboarding, regulators still expect a complete and functional AML program from day one.
The stakes are high: enforcement actions, license risk, and reputational damage are all on the table if you miss the mark.
This article breaks down what AML for broker-dealers means in practice. We’ll cover the legal and regulatory framework, what regulators like FINRA, the SEC, and FinCEN expect, and the most common AML pitfalls, especially for fintechs with fast-moving models.
What AML Means for Broker-Dealers Today
Anti-money laundering obligations aren’t limited to banks. Since the early 2000s, broker-dealers have been subject to AML requirements under the Bank Secrecy Act (BSA) and related rules enforced by the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), and the Financial Crimes Enforcement Network (FinCEN).
These rules apply regardless of firm size, customer type, or business model.
Regulators don’t want a generic AML policy. They want one that reflects how your firm actually works. If you’re opening accounts, moving money, or processing trades, you’re expected to monitor those activities and flag anything that doesn’t make sense.
For fintechs, the challenge isn’t just checking the boxes but integrating compliance into fast-moving, often unconventional product structures. Regulators expect broker-dealers to apply AML controls that integrate with their workflows. A generic policy copied from a traditional firm won’t cut it.
Who Regulates Anti-Money Laundering for Broker-Dealers
Three main regulators oversee AML compliance for broker-dealers in the US: FINRA, the SEC, and FinCEN.
Each has a different role:
- FINRA applies its own AML rule (Rule 3310) and actively checks how firms follow it. If red flags go unchecked or SARs aren’t filed, FINRA is usually the one knocking.
- The SEC oversees compliance with the Bank Secrecy Act under Rule 17a-8 and focuses on how well broker-dealers tailor their AML programs to actual business risks.
- FinCEN is the Treasury bureau that writes the rules. It sets the AML standards broker-dealers must follow, including customer identification, SAR filing, and beneficial ownership rules.
If your AML program breaks down, you’ll hear from more than just one agency. FINRA, the SEC, and FinCEN can, and do, coordinate on investigations and penalties. That’s why it pays to understand how each regulator operates, so you can avoid blind spots, especially if your firm is introducing new technology or working in a nontraditional model.
Core AML Program Requirements for Broker-Dealers
AML requirements for broker-dealers are clear. The program needs to align with how a firm operates: who you serve, how you move money, and where risks can arise.
This section explains what regulators look for, and how each part of your AML framework is supposed to function:
Written Policies and Senior Management Approval
Every broker-dealer must have a written AML compliance program that’s formally approved by senior management. That approval is a signal to regulators that leadership is aware of and accountable for the firm’s AML risk.
Your policies should describe how your firm spots and handles money laundering risks, based on how you actually operate. If you’re onboarding retail users through an app or supporting niche trading strategies, that needs to show up in the design of your program.
Regulators often ask for documentation of who approved the program, when it was last reviewed, and how updates are handled. If those answers aren’t clear, that’s usually the first red flag in an exam.
Customer Identification Program (CIP)
Broker-dealers must have a Customer Identification Program (CIP) in place before opening any new account. This is a required part of the firm’s AML program and applies to both individual and legal entity clients.

Many fintechs use automated tools to verify identities, but that’s not enough on its own. Regulators expect firms to catch issues like fake IDs, reused customer data, or patterns that don’t add up. CIP is one of the first places they look when things start to break.
Your CIP should make sense for your business model. If you onboard users entirely through a mobile app, your verification process needs to account for remote risk factors like deepfakes, synthetic IDs, or foreign actors trying to pass as domestic users. Regulators are watching closely.
Beneficial Ownership and CDD Rule
For legal entity customers, broker-dealers must go beyond basic identity checks. Under FinCEN’s Customer Due Diligence (CDD) Rule, firms are required to collect and verify beneficial ownership information, which means identifying the individuals who own or control the business.
At a minimum, the firm must identify:
- Each individual who owns 25% or more of the entity (ownership prong)
- One person with significant control over the entity (control prong)
This information must be verified through reliable means and updated when the customer’s risk profile changes. Regulators expect firms to understand who’s behind the account, not just the name on the application.
Some fintechs overlook beneficial ownership, assuming it’s handled elsewhere or irrelevant for smaller clients. That’s a risk. When you're dealing with legal entities, your process should look beyond the business name to the people holding the keys.
Suspicious Activity Monitoring and SAR Filing
One of the core responsibilities of any AML broker-dealer program is the ability to detect and report suspicious activity. This includes identifying transactions that lack a clear business purpose, show signs of layering, or suggest potential fraud or manipulation.
When red flags appear, whether in trading patterns, money movement, or account behavior, firms are required to evaluate and, if appropriate, file a Suspicious Activity Report (SAR) with FinCEN. That filing must happen within 30 days of detection.

Regulators pay close attention to how firms handle SARs. If you rarely file or skip documenting why you didn’t, that can trigger scrutiny. It’s not just about volume, but whether your team knows how to spot real issues and act when something doesn’t add up.
OFAC Screening and Sanctions Controls
Broker-dealers are required to comply with US sanctions administered by the Office of Foreign Assets Control (OFAC). That means screening customers, counterparties, and transactions against OFAC’s lists, including the Specially Designated Nationals (SDN) list, and blocking or reporting any prohibited activity.
This obligation isn’t limited to onboarding. Firms should also screen name changes, wire instructions, and other activities that could expose them to sanctions risk. If your platform supports account access from outside the US, those controls matter even more.
A common fintech oversight is assuming their bank or clearing partner handles OFAC. Regulators expect broker-dealers to own their part of the process, even when vendors are involved. You don’t need to reinvent screening tech, but you do need documented procedures, reliable data sources, and a clear response plan when you get a hit.
Independent Testing and Ongoing Training
Regulators expect broker-dealers to test their AML program regularly to make sure it’s working as intended. That testing must be independent, either performed by someone outside the day-to-day compliance function or by a qualified third party.
The review should cover:
- How well the firm’s policies are applied in practice
- Whether alerts are being reviewed and documented
- How SAR decisions are made and tracked
- Any gaps in transaction monitoring or CIP
Firms that skip or rush this step often get flagged during exams. Testing shouldn’t be a rubber stamp; it should be detailed, written up, and followed by real updates to the program where needed.
In addition to testing, ongoing AML training is required for relevant staff. That includes front-line teams, trading desks, onboarding personnel, and anyone handling customer activity. Training should match the firm’s actual risk profile and evolve as the business changes. Templates don’t cut it here either.
Appointing an AML Compliance Officer
Every broker-dealer must designate at least one person responsible for overseeing the firm’s AML program. This is your AML Compliance Officer, and regulators expect them to have both authority and expertise.
FINRA and the SEC often ask detailed questions about this person during exams. Who they are, what they know, and how involved they are in the firm’s actual operations all matter.
In many early-stage fintechs, the role gets folded into other duties or outsourced entirely. That can work, but it needs structure. Whether in-house or external, the AML officer must be able to make decisions, push back when needed, and document what’s done.
| Component | Requirement |
|---|---|
| Written Policies and Senior Management Approval | Policies should reflect real business activity. Approval, version history, and update records are often reviewed in exams. |
| Customer Identification Program | CIP must cover ID collection, verification methods, refusal scenarios, and recordkeeping. |
| Beneficial Ownership and CDD Rule | Must identify individuals with 25%+ ownership and one control person. |
| Suspicious Activity Monitoring and SAR Filing | SARs must be filed within 30 days. Common triggers include unusual trades or unexplained fund movement. Filing patterns are scrutinized. |
| OFAC Screening and Sanctions Controls | Broker-dealers must screen clients and transactions, not just at onboarding. Outsourcing screening doesn’t remove accountability. |
| Independent Testing and Ongoing Training | Testing must be independent, objective, documented, and actionable. Training should match the firm’s risk and roles. |
| Appointing an AML Compliance Officer | The officer must have decision-making authority and be actively involved. Examiners often review this individual’s background and role in practice. |
What Regulators Actually Expect in Practice
Having an AML program on paper isn’t enough. Regulators want to see how that program functions in the real world, how it’s applied, maintained, and scaled as your business evolves.

It’s not just about missing steps. Examiners track patterns, like controls that haven’t evolved as your product or customer base changed. For fintech broker-dealers, it’s not enough to say you're compliant. You have to show that the program actually functions.
Common AML Challenges Broker-Dealers Face
Even with the basics in place, broker-dealers often miss key AML details. The most common issues stem from rapid growth, vague oversight, or controls that don’t match the business model.

Startups Using Generic Templates
Copying a boilerplate AML policy might check a box, but it rarely holds up in an exam. Regulators expect your AML procedures to reflect how your business actually works: your products, your customers, and your risks.
A retail-focused trading app with rapid account growth won’t face the same threats as a broker-dealer handling microcap securities or API-based order flow. If your procedures don’t address your real exposure, they’ll be flagged as inadequate, even if they’re technically complete.
This is a common early-stage mistake. Firms borrow policies from service providers, former employers, or open-source templates, then forget to adapt them. It’s not enough to have the sections in place; those sections need to say something meaningful about how you operate.
Fast Growth Outpacing Compliance
It’s common for new broker-dealers to split AML duties across departments. Client onboarding, monitoring, and vendor oversight all get assigned, but without a central owner, no one’s accountable for the full program.
That lack of visibility is often what causes issues to build quietly.
When regulators show up, they don’t just want to see that tasks are being done. They want to know who’s steering the program. If that person doesn’t exist, or no one can name them, it’s a red flag.
Overreliance on Vendors or Technology
Relying on vendors for things like KYC or monitoring is standard practice, but it doesn’t shift the responsibility. If something goes wrong, regulators still hold the broker-dealer accountable.
Automation helps scale monitoring, but it’s not hands-off. Without regular checks on system settings, alert logic, and vendor output, critical risks can go unnoticed. The software is a tool, not the solution.
Weak Surveillance and Missed SARs
Detecting suspicious activity takes more than running alerts through a system. It requires people to spot patterns, ask the right questions, and take action when something doesn’t line up.
When departments don’t share information, thresholds remain outdated, or when alerts aren’t reviewed carefully, real issues can slip through the cracks.
That’s when regulators get involved, not just because something went wrong, but because no one was watching closely enough to catch it.
Confusion Over Clearing Firm Responsibilities
Clearing firms may handle settlement, custody, and other operational tasks. However, they don’t take on your AML obligations. That’s a common point of confusion, especially in early-stage broker-dealers where infrastructure is still evolving.
Your firm is expected to manage its own AML controls. Customer onboarding, risk classification, and ongoing surveillance all remain your responsibility. A clearing relationship might provide tools or data, but it doesn’t replace having your own program or team in place.
High-Risk Scenarios in Broker-Dealer AML
Some activities draw more attention from regulators. Whether you're facilitating retail trades or embedding investing into a broader fintech stack, these areas tend to carry higher exposure.
Penny Stocks and Microcap Trading
Low-float, thinly traded stocks have long been a focus for regulators. These markets are more susceptible to pump-and-dump schemes, layering, and other forms of market manipulation. If your platform supports trading in microcap or penny stocks, your AML program needs to account for that heightened risk.
This area tends to draw attention when firms allow microcap activity but fail to watch closely. If multiple accounts are moving in tandem or trades echo known schemes, FINRA is likely to take a closer look.
Simply relying on generic alerts won’t cut it; you’ll need tailored thresholds and escalation procedures that align with how these trades actually occur. And when you see something questionable, documenting why it wasn’t escalated or reported matters just as much as filing the SAR itself.
ACH and Instant Transfer Fraud
Real-time features come with delayed risks. A customer initiates an ACH, buys or moves assets, and disappears before the funds bounce. If no one’s watching how fast things move, it’s easy to miss.
These tactics don’t always trigger alerts on their own. The key is context: how quickly the flow changes and whether that fits the customer’s profile.
The real challenge is timing. Fast movement calls for fast oversight: real-time limits, behavioral risk scores, and people who know what to look for.
Fintech Models Blending Crypto and Securities
Products that combine digital assets with traditional investing bring unique AML risks. Whether it’s tokenized equities, wallets linked to brokerage accounts, or platforms offering both crypto and securities trading, regulators expect firms to address the combined exposure, not treat them separately.
For example, a customer funding a crypto wallet, converting to USD, and then placing equity trades can fall outside traditional monitoring rules. Add cross-border access, and the picture gets more complex.
Blended products require blended oversight. If funds shift between crypto and securities, your AML approach should follow that path, covering both sides of the transaction.
—
The biggest AML risks for broker-dealers don’t always come from bad actors. They often come from misunderstandings, shortcuts, or assumptions made early on.
If your policies don’t match your model, or no one owns the full picture, those gaps will show up eventually.
A solid AML program doesn’t have to be overbuilt. But it does need to be yours, not a borrowed template, not a vendor pitch deck, and not something your clearing firm covers.