FINRA 3310: What It Requires and Who It Applies To

What is FINRA Rule 3310?

FINRA Rule 3310 is the anti-money laundering compliance program requirement for all FINRA-member broker-dealers in the United States. The Financial Industry Regulatory Authority adopted the rule in 2002 to implement Section 352 of the USA PATRIOT Act, which extended Bank Secrecy Act AML obligations to the securities industry for the first time.

Before the PATRIOT Act, most BSA requirements applied to banks and deposit-taking institutions. Congress explicitly extended those obligations to broker-dealers in 2001, recognizing that securities accounts are equally viable conduits for laundering criminal proceeds. FINRA codified the obligation into Rule 3310, replacing the older NASD Rule 3011.

The rule's operative standard is that a broker-dealer must have a written program "reasonably designed to achieve and monitor" the firm's compliance with the BSA and its implementing regulations. That phrase does real work. A program built for a firm processing $200 billion in annual transactions looks nothing like one at a two-person introducing broker. Risk-based calibration is expected, not a generic template.

FINRA examines member firms for Rule 3310 compliance through regular cycle exams and targeted investigations. As a self-regulatory organization operating under SEC oversight, FINRA runs its own disciplinary process before any referral to the SEC or FinCEN.

The rule has been updated periodically. The most significant revision followed FinCEN's Customer Due Diligence Final Rule in 2018, which added explicit beneficial ownership verification requirements for legal entity customers. FINRA issued guidance making clear that broker-dealers must incorporate those CDD obligations into their Rule 3310 programs.

Who does FINRA Rule 3310 apply to?

Rule 3310 applies to every FINRA member firm, which as of 2024 means approximately 3,400 registered broker-dealers. There's no size exemption. A two-person operation in Kansas and a bulge-bracket bank subsidiary in New York are both covered.

Covered entity types include:

• Full-service broker-dealers that execute trades, hold customer accounts, and provide investment advice (wirehouses, regional firms, independent broker-dealers)
• Introducing brokers that route orders to clearing firms but carry no customer accounts directly
• Clearing firms that settle and custody trades on behalf of introducing brokers and other correspondents
• Dual-registrants operating as both broker-dealers and registered investment advisers
• Prime brokers serving hedge funds, family offices, and institutional clients through margin lending and securities lending
• Alternative trading system (ATS) operators that are FINRA members
• Municipal securities broker-dealers registered with FINRA, noting that MSRB has parallel AML rulemaking authority in that sector

Risk-based program design is explicitly permitted. FINRA's guidance acknowledges that a firm selling only direct participation programs faces materially different risks than a firm handling tens of thousands of retail accounts with cross-border transfers. The program's depth should match the risk profile, but the four core structural elements are not negotiable regardless of firm size.

What Rule 3310 doesn't cover: registered investment advisers that aren't also broker-dealers. FinCEN proposed a separate AML rule for RIAs in 2024; that rulemaking is ongoing. Futures commission merchants fall under CFTC jurisdiction.

The rule is firm-wide. A broker-dealer operating across 20 states runs one AML compliance program covering all offices, business lines, and employee populations.

What does FINRA Rule 3310 require?

The rule specifies four mandatory elements drawn directly from the USA PATRIOT Act Section 352 framework:

1. Written AML policies and procedures, approved in writing by a senior manager, that are reasonably designed to achieve and monitor BSA compliance. The program must match the firm's actual business model. A generic template copied from an industry association doesn't satisfy the "reasonably designed" standard if it doesn't reflect the firm's specific products, client types, and transaction patterns.

2. Independent testing, conducted at a minimum annually. The tester must be qualified and independent from the AML function being tested. Qualified internal audit staff and outside AML consulting firms both qualify. Testing must cover transaction monitoring, SAR filing processes, customer identification, and customer due diligence (CDD) procedures. Findings must be documented, with management responses tracked through to closure.

3. A designated AML compliance officer responsible for day-to-day program management. The officer must be a registered person under FINRA rules and have the authority and resources to run the program. Naming a junior analyst as AML officer while compliance decisions flow to general counsel creates significant exam risk. FINRA examiners ask specifically about escalation authority.

4. Ongoing employee training appropriate to each employee's role. Traders and customer-facing staff need different training than operations and back-office personnel. Training must be documented with completion dates by employee and updated when material rule changes occur.

Beyond the four pillars, FINRA's interpretive guidance requires integration with FinCEN's SAR filing obligations for broker-dealers: firms must file SARs on transactions of $5,000 or more involving suspected money laundering, structuring, or terrorist financing. The customer identification program under Section 326 CIP and beneficial ownership collection under the FinCEN CDD Final Rule must be integrated into the written program as well.

Record retention follows BSA minimums: five years for AML records, SAR-related documents, and training logs. FINRA examiners routinely request five-year lookbacks.

What evidence do regulators expect?

FINRA examiners typically send a document request 30 to 60 days before an exam. Here's what they actually want:

Written program documentation

• The AML compliance program itself, dated and signed by a senior manager with authority
• Version history showing the program was reviewed and updated within the past 12 months
• Board or senior management approval on record

Independent testing

• The most recent testing report, including scope, methodology, findings, and management responses
• Evidence that deficiencies identified in prior tests were remediated, with closure dates

Transaction monitoring

• Description of the monitoring system in use, whether rules-based, behavioral, or a combination
• Alert disposition logs showing how alerts were researched and resolved during the review period
• Documentation that monitoring thresholds were calibrated for the firm's client risk profile and product mix

SAR records

• SAR filing log with dates, BSA filing IDs, and subject information where applicable
• Written documentation of no-file decisions with rationale
• Evidence that SAR information was protected from unauthorized disclosure

CIP and CDD

• Customer identification procedures meeting Section 326 CIP requirements
• KYC records for a sample of accounts opened during the review period
• Beneficial ownership certifications for legal entity customers per the FinCEN CDD Final Rule

Training records

• Completion logs by employee name, date, and course title
• Training curriculum documentation

Examiners don't read policies in isolation. They sample actual transactions and accounts to verify the program runs the way the manual describes. If written procedures say one thing and the evidence file shows another, the gap is the finding.

Common failure modes

FINRA has been consistent about what it finds. These patterns appear repeatedly in enforcement actions:

• Transaction monitoring misaligned with the firm's actual risk profile. Using a generic rule set without calibrating thresholds for the firm's products and client base produces massive alert backlogs or blind spots. FINRA Regulatory Notice 14-52 documented this as one of the most common deficiencies found during AML examinations of broker-dealers. (FINRA Regulatory Notice 14-52, 2014)

• Gap between the written program and actual practice. The manual says accounts above a threshold receive enhanced due diligence. Examiners sample those accounts and find EDD was completed for fewer than half. The gap is the violation, not the threshold itself.

• Missing or unverified beneficial ownership data. Since the FinCEN CDD Rule took effect in 2018, broker-dealers must collect and verify UBO data for legal entity customers. Collecting a certification form but never verifying it against available data sources produces a citation.

• AML officer without real authority. FINRA has cited firms where the designated officer held the title but material compliance decisions were routinely overruled by senior management or general counsel.

• Training records that don't reflect actual completion. An LMS showing 40% completion rates for mandatory AML training is not a compliance defense.

• SAR failures on penny stock and microcap activity. FINRA fined Raymond James Financial Services $17 million in 2016 for AML program failures that included inadequate SAR filing procedures for high-risk accounts and microcap trading activity. (FINRA AWC No. 2012031024901)

• Merrill Lynch paid $8 million in 2015 for failing to detect and report potential manipulation of microcap securities. The AML program was faulted specifically for not monitoring transaction patterns across related accounts. (FINRA Enforcement Action, 2015)

Penalties for non-compliance

FINRA's enforcement toolkit includes censure, fines, suspension from all activities, and permanent bar from the securities industry. For AML violations, fines in contested cases have ranged from six figures to tens of millions.

Real cases:

• Raymond James Financial Services (2016): $17 million in fines and required remediation for AML program failures, including inadequate SAR filing procedures and deficient monitoring of high-risk accounts. (FINRA AWC No. 2012031024901)

• Merrill Lynch, Pierce, Fenner & Smith (2015): $8 million fine for maintaining an AML program that failed to monitor microcap securities transactions across related accounts. (FINRA Regulatory Action, 2015)

• Oppenheimer & Co. (2014): $1.4 million fine for failing to have adequate AML procedures for penny stock transactions processed for foreign financial institution customers. (FINRA AWC No. 2010024048101)

FINRA actions can trigger parallel proceedings. The SEC can bring its own enforcement under the Exchange Act. FinCEN can assess civil money penalties independently under the BSA. In extreme cases, DOJ may pursue criminal charges.

Individuals face real consequences. FINRA can bar a person from the securities industry permanently, not just fine the firm. An AML officer who ignored clear red flags faces personal liability and a potential lifetime industry bar. That personal exposure has moved AML compliance from a back-office function to a board-level priority at most mid-size broker-dealers.

Related regulations and frameworks

Rule 3310 doesn't stand alone. It sits at the intersection of several overlapping obligations:

The BSA foundation: Rule 3310 implements the Bank Secrecy Act obligations that the PATRIOT Act extended to broker-dealers. The BSA sets the minimum floor; Rule 3310 is the sector-specific codification. Broker-dealers file currency transaction reports and SARs through FinCEN's BSA E-Filing system.

AMLA 2020: The Anti-Money Laundering Act of 2020 directed FinCEN to update BSA examination priorities and introduced new whistleblower provisions. FinCEN published its National AML/CFT Priorities in June 2021; those priorities flow into FINRA's examination focus areas, most recently flagging corruption, cybercrime, and virtual asset-related money laundering as areas of heightened examiner attention.

Information sharing: Section 314(a) requires broker-dealers to search their records and respond to FinCEN requests within 14 days. Section 314(b) allows voluntary information sharing between financial institutions without incurring privacy liability. Both are operational components of a complete Rule 3310 program and should be addressed explicitly in the written procedures.

CDD and beneficial ownership: The FinCEN CDD Final Rule is effectively incorporated into Rule 3310 through FINRA guidance. Broker-dealers must collect and verify beneficial ownership data for legal entity accounts and maintain procedures for ongoing monitoring of account relationships over time.

At the international level, FATF Recommendation 26 calls on member countries to implement AML supervisory frameworks for financial institutions, including securities firms. Rule 3310 is the US implementation of that framework for broker-dealers. For EU-based entities with US broker-dealer subsidiaries, compliance teams navigate Rule 3310 alongside applicable EU AML directives simultaneously.

How FluxForce supports FINRA 3310 compliance

FluxForce's AI agents automate the transaction monitoring, alert triage, and SAR workflow documentation that FINRA examiners expect to see. Nova Sentinel flags unusual trading patterns and escalates with a full evidence package, cutting the time from alert to filing decision. Aiden Flux handles ongoing CDD refreshes and beneficial ownership verification against live data sources. Every decision includes a complete audit trail ready for examiner review. Request a demo to see how broker-dealers use FluxForce to pass FINRA AML exams without the last-minute scramble.