FINRA 3310: What It Requires and Who It Applies To

What is FINRA Rule 3310?

FINRA Rule 3310 is the Financial Industry Regulatory Authority's primary anti-money laundering rule for broker-dealers. It requires every FINRA member firm to establish and implement a written AML compliance program designed to achieve and monitor the firm's compliance with the Bank Secrecy Act and its implementing regulations.

The rule took effect on April 24, 2002. Congress passed the USA PATRIOT Act in October 2001, and Section 352 of that law directed FinCEN to require broker-dealers to establish AML programs. Before 2002, broker-dealers had no formal statutory obligation to maintain written AML programs, despite their exposure to money laundering through securities transactions, wire transfers, and cash equivalents. The PATRIOT Act closed that gap.

FINRA issues Rule 3310, but FinCEN retains underlying regulatory authority over BSA compliance. FINRA examiners test Rule 3310 adherence during routine cycle examinations. FinCEN can act independently for BSA violations, as it did when it imposed a concurrent $11.5 million fine on Interactive Brokers in 2020 alongside FINRA's own action.

The Anti-Money Laundering Act of 2020 updated BSA priorities and directed Treasury to establish national AML/CFT priorities that firms must incorporate into their risk assessments. FINRA's recent examination priorities letters have consistently flagged transaction monitoring effectiveness and SAR filing quality as focus areas, signaling that paper-compliant programs without operational results draw real scrutiny. A written policy that sits in a drawer and hasn't been updated since the firm launched a new product line is not a compliant program.

Who does FINRA Rule 3310 apply to?

Rule 3310 applies to all FINRA member firms. That covers a wide range of registered entities:

• Full-service broker-dealers: Firms like Morgan Stanley, Merrill Lynch, and Raymond James that execute trades, provide investment advice, and hold customer assets
• Discount and online brokers: Self-directed retail trading platforms where customers direct their own trades
• Introducing brokers: Firms that accept customer orders but pass execution and custody to a clearing firm
• Clearing and custodial firms: Back-office entities that settle trades and hold assets on behalf of introducing brokers
• Dually registered firms: Broker-dealers also registered as investment advisers under the Investment Advisers Act
• Alternative trading systems (ATS): Electronic platforms that match buyers and sellers of securities
• Market makers: Firms that provide liquidity in equity or fixed-income markets

There's no size exemption. A two-person introducing broker with a single clearing relationship carries the same written-program obligation as a bulge-bracket dealer. FINRA expects program scope to match firm size, business model, and risk profile. A firm executing institutional-only government bond trades doesn't need the same onboarding controls as a retail broker accepting cash equivalent deposits from thousands of individual customers.

Jurisdictionally, Rule 3310 applies to any FINRA member regardless of where its customers are located. A US-registered broker-dealer serving foreign nationals is still subject to the rule in full. For cross-border transactions, Section 314(a) information-sharing requirements and applicable OFAC sanctions screening obligations layer on top of the base AML program.

What does FINRA Rule 3310 require?

Rule 3310 mandates four minimum program elements, commonly called the "four pillars":

1. Written internal policies, procedures, and controls: The firm must document its AML program. Policies must cover customer identification, account monitoring, suspicious activity identification, SAR filing, record retention, and escalation procedures. FINRA expects these policies to reflect the firm's actual business, not generic language lifted from an industry template.

2. Designation of a qualified AML compliance officer: One individual must be named as responsible for day-to-day program administration. That person must have sufficient knowledge of BSA/AML requirements and actual authority to implement the program. A nominal designation with an unqualified person in the role won't satisfy examiners, and FINRA has cited firms for exactly this.

3. Ongoing employee training: All relevant employees must receive AML training appropriate to their role. Front-office staff who open accounts need different training than back-office operations staff. FINRA hasn't set a specific annual hour requirement, but documented training records are expected for every covered employee.

4. Independent testing: The AML program must be tested for adequacy and effectiveness by someone independent of the AML function. For most firms, testing must occur at least annually. The tester must have no reporting line to the AML officer, either an external firm or a separate internal audit team.

Beyond the four pillars, firms must file Suspicious Activity Reports within 30 calendar days of detecting suspicious activity involving $5,000 or more. If no suspect can be identified, the deadline extends to 60 calendar days. SARs and their supporting documentation must be retained for five years.

Customer Due Diligence obligations, reinforced by the FinCEN CDD Final Rule that took effect in May 2018, require broker-dealers to verify the identity of beneficial owners of legal entity customers. This is often called the "fifth pillar." Firms must collect beneficial ownership certifications at account opening and update them when material changes occur. Record retention under Rule 3310 and the BSA is five years from the date the record was created or the account was closed.

What evidence do regulators expect?

FINRA examiners arrive with a detailed document request. Firms that maintain the following in order move through examinations faster and with fewer findings.

Written program and risk assessment:

• Current written AML program, dated and signed by senior management or the board
• Risk assessment documenting the firm's customer base, products, geographies, and corresponding risk ratings
• Annual review records showing the program was updated to reflect regulatory changes or business model shifts

Customer identification and due diligence:

• Know Your Customer (KYC) procedures documenting how customers are identified, verified, and risk-rated at onboarding
• Beneficial ownership certification forms for legal entity accounts, with update records
• Documentation showing enhanced due diligence was applied to higher-risk customers: politically exposed persons, customers in high-risk jurisdictions, complex ownership structures

Transaction monitoring:

• Documentation of monitoring system rules, alert thresholds, and the logic behind them
• Alert disposition records showing why each alert was closed or escalated to investigation
• Case files for SAR investigations including underlying evidence and the decision rationale

SAR filing records:

• All SAR filings retained for five years, with supporting documentation
• Records of transactions considered for SAR filing but not filed, with written rationale ("SAR not filed" documentation)

Training:

• Attendance records for all AML training sessions
• Training content with version history showing updates for new typologies and regulatory changes
• New hire onboarding records showing when AML training was completed

Independent testing:

• Most recent audit report with findings, firm responses, and remediation deadlines
• Evidence that prior findings were actually closed out
• Tester's independence documentation

Examiners also pull transaction data directly. They'll sample wire transfer records, cash equivalent transactions, and account opening files to test whether the firm's monitoring would have flagged anomalous patterns in practice. A firm whose alert system generated three alerts in twelve months for an active retail book is going to have a difficult conversation.

Common failure modes

Most FINRA AML enforcement actions cluster around a handful of recurring problems.

• Inadequate transaction monitoring: The most common finding. Alert thresholds set too high to catch anything meaningful. Systems not updated for years, missing typologies that have been well-documented in FINRA notices and FinCEN advisories. In 2020, FINRA fined Interactive Brokers $38 million partly for a transaction monitoring system that failed to generate appropriate alerts for thousands of suspicious transactions.

• SAR filing failures: Missing the 30-day deadline, submitting incomplete SARs, or failing to file at all on transactions that clearly met the threshold. Each unfiled SAR can be treated as a separate violation, so systemic failures multiply fast.

• Deficient written procedures: Policies describing a generic program rather than the firm's actual business. Examiners flag firms whose procedures reference products they don't offer, while missing controls for products they do. Boilerplate is an examiner red flag.

• Untested or inadequately tested programs: Independent testing that amounts to a self-assessment, testing conducted by someone reporting to the AML officer, or gaps of more than 12 months between tests.

• Training gaps: New hires who don't receive AML training for months after joining. Customer-facing staff who can't identify red flags specific to their product lines.

• Failure to update for business changes: A firm that adds a new product line, customer segment, or geographic market without revising its AML program. FINRA expects the program to evolve with the business, not remain frozen at the point of initial adoption.

FINRA's 2015 action against Oppenheimer & Co. resulted in a $2.8 million fine for AML failures including weak transaction monitoring for penny stocks and failure to file SARs on suspicious trading patterns.

Penalties for non-compliance

FINRA can impose a range of sanctions for Rule 3310 violations. Fine levels track severity and duration.

Minor deficiencies (outdated policies, training documentation gaps, testing delays of a few months) typically draw fines in the $50,000 to $250,000 range, combined with a requirement to retain an independent compliance consultant.

Systemic failures (no effective monitoring, pattern SAR filing failures, program not updated for years despite business growth) draw fines in the millions.

The Interactive Brokers case set the recent benchmark. FINRA fined the firm $38 million in 2020 for failures including a transaction monitoring system that couldn't generate appropriate alerts, a SAR filing process that missed thousands of reportable transactions, and an AML program that hadn't kept pace with business growth. FinCEN assessed a concurrent $11.5 million fine for the underlying BSA violations. FinCEN's announcement details the BSA findings independently.

Beyond monetary fines, FINRA can suspend registered representatives, bar individuals from the securities industry, and require firms to hire independent compliance monitors at their own expense. Monitor engagements routinely run two to three years and cost more than the base fine. That's the real financial exposure most compliance officers underestimate.

FinCEN can act concurrently under the BSA, as the Interactive Brokers case demonstrates. The SEC can take action against dual registrants. In cases where AML failures were intertwined with actual fraud, DOJ referrals for criminal prosecution are possible. Rare, but not theoretical.

State regulators add another layer. Firms operating across multiple states can face parallel state investigations triggered by a federal enforcement action.

Related regulations and frameworks

Rule 3310 sits within a web of overlapping federal and international obligations.

US federal layer: Rule 3310 implements the Bank Secrecy Act for broker-dealers. FinCEN's regulations under 31 CFR Part 1023 set the substantive BSA requirements that Rule 3310 programs must address. The Anti-Money Laundering Act of 2020 directs Treasury to establish national AML/CFT priorities that firms must incorporate into their risk assessments. Section 314(a) requires broker-dealers to respond to FinCEN information requests about suspected money launderers and terrorists within 14 days. Missing a 314(a) response deadline is a separate BSA violation on top of any Rule 3310 deficiency.

International context: FATF Recommendation 20 on suspicious transaction reporting sets the global standard that US SAR requirements implement at the national level. FATF's risk-based approach in Recommendation 1 underpins the expectation that firms tailor program controls to actual risk rather than applying uniform rules to all customers and products regardless of their risk profiles.

Adjacent US requirements: Broker-dealers run sanctions screening against OFAC lists alongside Rule 3310 monitoring. Currency Transaction Report obligations under the BSA apply when cash equivalents cross the $10,000 threshold. SEC Rule 17a-8 requires compliance with BSA record-keeping rules and operates concurrently with Rule 3310's retention requirements.

Comparison with bank AML rules: Banks implement AML programs under 12 CFR Part 21 if OCC-supervised, or equivalent rules for Fed-supervised and FDIC-supervised institutions. The four-pillar structure is identical. The key difference is product exposure: broker-dealers face securities-specific typologies including layering through rapid trading, pump-and-dump schemes, and microcap fraud that rarely appear in commercial banking AML caseloads.

How FluxForce supports FINRA Rule 3310 compliance

FluxForce's AI agents automate the transaction monitoring, alert triage, and SAR workflow that Rule 3310's four pillars depend on. Nova Sentinel flags anomalous trading patterns in real time. Aiden Flux manages Customer Due Diligence reviews and beneficial ownership verification at onboarding. Every decision comes with a full evidence trail, which maps directly to FINRA's expectation of documented case files and SAR rationale. For broker-dealers preparing for a FINRA examination or remediating exam findings, book a demo to see how the platform handles Rule 3310 obligations end to end.