KYC AML Compliance for US Broker-Dealers

Broker-dealers operate under one of the most layered KYC and AML compliance frameworks in US financial services. FinCEN sets mandatory BSA/AML programme requirements. FINRA — as the SEC-designated self-regulatory organisation — enforces its own AML and KYC rules on top of the BSA. The SEC independently examines broker-dealers for BSA compliance under SEC Rule 17a-8. And OFAC sanctions obligations apply to every US broker-dealer, separately from all of the above.

In 2025, FINRA imposed $154 million in total monetary sanctions — a 77% increase from 2024 — with AML, fraud, and sanctions failures among the most cited deficiencies. A broker-dealer that meets FinCEN’s baseline BSA requirements but fails FINRA’s examination standards, or that has gaps in its OFAC screening programme, is not fully compliant.

This page outlines the specific KYC and AML requirements of each regulatory authority that governs US broker-dealers and explains how KYCsphere’s unified platform helps firms meet all of them without managing multiple disconnected compliance systems.

The Broker-Dealer Regulatory Framework

US broker-dealers answer to four distinct regulatory authorities, each with its own set of KYC and AML requirements and its own examination or enforcement function.

  • FinCEN (Financial Crimes Enforcement Network) — Administers the Bank Secrecy Act for broker-dealers under 31 CFR Part 1023. Sets mandatory AML programme requirements, CIP rules, SAR filing obligations, and the Funds Travel Rule. The BSA is the foundational compliance obligation on which all other regulators build.
  • FINRA (Financial Industry Regulatory Authority) — The SEC-designated self-regulatory organisation for broker-dealers. FINRA Rule 3310 sets minimum standards for written AML compliance programmes. FINRA Rules 2090 and 4512 govern Know Your Customer obligations and customer account recordkeeping. FINRA conducts examinations and imposes disciplinary sanctions for deficiencies.
  • SEC (Securities and Exchange Commission) — Regulates broker-dealers under the Securities Exchange Act of 1934. SEC Rule 17a-8 requires broker-dealers to comply with all BSA reporting and recordkeeping obligations. The SEC's Division of Examinations (formerly the Office of Compliance Inspections and Examinations, OCIE, renamed in December 2020) conducts independent AML examinations alongside FINRA.
  • OFAC (Office of Foreign Assets Control) — Administers US economic sanctions programmes. Every US broker-dealer must screen customers, counterparties, and transactions against OFAC sanctions lists — separately from and in addition to all BSA/AML obligations.

Unlike banks, which are primarily examined by one prudential regulator, broker-dealers face simultaneous examination authority from both FINRA and the SEC — and must satisfy FinCEN’s BSA requirements and OFAC’s sanctions framework as independent compliance layers on top of that. KYCsphere is built to address all four authorities on one platform.

FinCEN: BSA/AML Programme Requirements for Broker-Dealers

FinCEN governs broker-dealers as financial institutions under 31 CFR Part 1023. The Bank Secrecy Act is the foundational compliance layer — every FINRA rule and SEC requirement for AML compliance is built on top of FinCEN’s BSA framework.

Regulatory requirement / How KYCsphere meets it

Written AML programme (31 CFR 1023.210): develop and implement a written AML compliance programme, approved in writing by senior management, reasonably designed to achieve and monitor BSA compliance and to prevent the firm being used for money laundering or terrorist financing.
KYCsphere: supplies the technology infrastructure for a BSA-compliant programme (configurable written policies and controls, documented workflows, risk-based monitoring and audit-ready records) within a single platform that the firm's compliance team approves and maintains.

Customer Identification Programme, CIP (31 CFR 1023.220): collect name, date of birth (for individuals), address and identification number from every customer before opening an account, and verify identity within a reasonable time before or after account opening using documentary or non-documentary methods; compare customers against government-provided lists when notified to do so; give customers adequate notice that identifying information is being requested; retain CIP records for five years after the account is closed.
KYCsphere: Digital Account Opening and KYC Onboarding collect all mandatory CIP data fields. Identity Verification authenticates documents and verifies identity in real time using liveness detection and selfie-to-document face matching, supporting both documentary and non-documentary verification.

Customer Due Diligence, CDD (31 CFR 1023.210(b)(5) and the beneficial ownership rule, 31 CFR 1010.230): understand the nature and purpose of each customer relationship in order to build a risk profile; identify and verify the beneficial owners of legal entity customers (each individual who owns 25% or more, plus one individual with significant managerial control); conduct ongoing monitoring to identify and report suspicious activity and, on a risk basis, to keep customer information current.
KYCsphere: Customer Due Diligence handles beneficial ownership identification at the 25% threshold with automated legal-entity hierarchy mapping and control-prong documentation. Ongoing monitoring workflows update customer risk profiles as circumstances change.

Suspicious Activity Reports, SARs (31 CFR 1023.320): file within 30 calendar days of initial detection (up to 60 days when no suspect has been identified) for transactions conducted or attempted by, at or through the firm that aggregate to $5,000 or more and that the firm knows, suspects or has reason to suspect involve illegal funds, BSA evasion, no apparent lawful purpose, or use of the firm to facilitate criminal activity; retain the SAR and supporting documentation for five years; never disclose a SAR or its existence to the subject.
KYCsphere: Regulatory Reporting automates SAR filing through FinCEN's BSA E-Filing System with built-in narrative guidance, data-completeness validation and documented internal approval workflows.

Section 314(a) law enforcement requests (31 CFR 1010.520): search records and respond to FinCEN requests within 14 days, reporting positive matches only; voluntary Section 314(b) information sharing with other financial institutions is also available after a notice to FinCEN.
KYCsphere: provides automated search across the full customer database with documented response tracking and a complete audit trail within the 14-day FinCEN deadline.

Funds Travel Rule and transmittal recordkeeping (31 CFR 1010.410(e) and (f)): for transmittals of funds of $3,000 or more, record and pass on originator and beneficiary information to the next financial institution in the chain; retain the records for five years.
KYCsphere: Transaction Monitoring captures and retains the required transmittal data in immutable cloud storage with five-year retention and a full audit trail.

Currency Transaction Reports, CTRs (31 CFR 1010.311 and 1010.313): file a CTR within 15 calendar days for currency received or disbursed that exceeds $10,000 in one business day by or on behalf of the same person, aggregating multiple transactions; a broker-dealer that handles little or no currency still needs a documented procedure for the case.
KYCsphere: Regulatory Reporting automates CTR generation and electronic filing through FinCEN's BSA E-Filing System with automated detection and aggregation of qualifying currency transactions.

FINRA: AML and KYC Rules for Member Broker-Dealers

FINRA is the primary day-to-day regulator for most US broker-dealers. Its rules operationalise FinCEN’s BSA requirements into specific programme standards, KYC obligations, customer recordkeeping requirements, and supervisory procedures — and FINRA’s examination authority means deficiencies are identified and sanctioned through its disciplinary process.

Regulatory requirement / How KYCsphere meets it

FINRA Rule 3310, written AML compliance programme: a written programme, approved in writing by a member of senior management, reasonably designed to achieve and monitor compliance with the BSA and FinCEN's implementing regulations. The rule's elements are (a) policies and procedures reasonably expected to detect and cause the reporting of suspicious transactions, (b) policies, procedures and internal controls to achieve BSA compliance, (c) independent testing, (d) a designated AML compliance officer identified to FINRA, (e) ongoing training and (f) risk-based ongoing customer due diligence.
KYCsphere: provides the technology backbone for the programme elements that rely on records and workflow: configurable detection and reporting workflows, audit-ready documentation for independent testing, compliance-officer oversight tools and training-record management, within one platform.

FINRA Rule 3310(f), the CDD "fifth pillar": added after FinCEN's CDD Rule, it requires risk-based procedures to understand the nature and purpose of customer relationships so the firm can develop a customer risk profile, and to conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, maintain and update customer information.
KYCsphere: Customer Risk Assessment and Customer Due Diligence support the fifth pillar with risk-based profiling at onboarding and continuous monitoring of customer activity for consistency with the established risk profile.

FINRA Rule 3310(a), suspicious activity detection and SAR filing: written policies and procedures reasonably expected to detect and cause the reporting of suspicious transactions. Red flags FINRA has published for broker-dealers include structuring, layering, unusual trading patterns, and activity in low-priced securities.
KYCsphere: Transaction Monitoring applies configurable rule-based and AI-driven detection for broker-dealer-specific patterns, including securities-fraud typologies, layering through trading accounts and unusual wire activity. Alert Management handles alert review and escalation to SAR filing.

FINRA Rule 3310(c), independent testing: test the programme each calendar year, by member personnel or a qualified outside party with working knowledge of BSA requirements; a member that does not execute transactions for customers, hold customer accounts or act as an introducing broker may test every two years instead. Testers must be independent of the AML function they review.
KYCsphere: generates examiner-ready documentation (risk assessments, CDD records, alert dispositions, SAR decisions and programme metrics) that gives internal and external testers the evidence base for the review without manual record reconstruction.

FINRA Rule 2090, Know Your Customer: use reasonable diligence, when opening and maintaining every account, to know and retain the essential facts concerning every customer and the authority of each person acting on the customer's behalf. Under Supplementary Material .01, essential facts are those needed to service the account effectively, act on any special handling instructions, understand the authority of each person acting for the customer, and comply with applicable laws, regulations and rules.
KYCsphere: KYC Onboarding captures and retains the Rule 2090 customer profile. Customer Due Diligence maintains ongoing customer profiles with update workflows triggered by material changes in customer circumstances.

FINRA Rule 4512, customer account information: for every account, record the customer's name and residence, whether the customer is of legal age, the associated person(s) responsible for the account and, for a customer that is not a natural person, the names of any persons authorised to transact business on its behalf; for retail (non-institutional) accounts, also the tax identification number, occupation and employer, and whether the customer is associated with another member; make reasonable efforts to obtain a trusted contact person. Keep the record current and retain it for the period required by SEC Rule 17a-4. SEC Rule 17a-3(a)(17) separately requires furnishing retail customers their account record within 30 days of opening and at least every 36 months thereafter, and notifying them of changes to name, address or investment objectives within 30 days.
KYCsphere: KYC Onboarding collects and maintains the Rule 4512 fields in a structured customer record with automated update workflows and full change history, producing the account documentation FINRA examiners request.

FINRA Rule 2111, suitability, and Regulation Best Interest: a member must have a reasonable basis to believe a recommended transaction or strategy is suitable based on the customer's investment profile (age, other investments, financial situation and needs, tax status, investment objectives and experience, time horizon, liquidity needs and risk tolerance). Since 30 June 2020, recommendations to retail customers are governed instead by Regulation Best Interest (Exchange Act Rule 15l-1), which rests on the same customer-profile information.
KYCsphere: maintains a current, documented customer investment profile so the data underlying suitability and best-interest determinations is complete, current and retrievable during examinations.

FINRA Rule 3110, supervision: establish and maintain a supervisory system reasonably designed to achieve compliance with applicable securities laws and FINRA rules, including written supervisory procedures (WSPs) that cover AML and KYC obligations.
KYCsphere: the configurable workflow engine supports documented supervisory procedures, with approval workflows, escalation rules and supervisor review requirements built into each compliance process, providing the supervisory evidence FINRA examiners review.
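The structuring red flag under Rule 3310(a) and the per-business-day aggregation behind the CTR threshold are both simple enough to show as detection logic. The following is an added example written for this page, not KYCsphere code: the transaction log is constructed, the $10,000 line is the regulatory one, and the $8,000 "near the line" floor and five-day window are assumed tuning parameters a firm would set from its own data.

```python
"""Rule-based detection of two cash red flags on a constructed transaction log.

Added illustration, not KYCsphere code. The $10,000 CTR line comes from 31 CFR
1010.311/1010.313 (currency aggregated per customer per business day);
STRUCTURING_FLOOR and STRUCTURING_WINDOW_DAYS are assumed tuning values.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

CTR_THRESHOLD = 10_000.00       # a CTR is due when same-day currency EXCEEDS this amount
STRUCTURING_FLOOR = 8_000.00    # assumed: amounts at or above this are "just under" the CTR line
STRUCTURING_WINDOW_DAYS = 5     # assumed: rolling window over which sub-threshold amounts are summed


@dataclass(frozen=True)
class CashTxn:
    customer_id: str
    txn_date: date      # business day on which the currency was received or paid out
    amount: float       # currency amount, always positive
    branch: str         # where it was handled; structuring is often spread across branches


# Constructed sample data (not real customers or transactions).
SAMPLE_TXNS = [
    CashTxn("C001", date(2025, 3, 3), 9_500.00, "NYC"),   # three deposits, each under $10k,
    CashTxn("C001", date(2025, 3, 4), 9_800.00, "NJ"),    # over three days and two branches:
    CashTxn("C001", date(2025, 3, 6), 9_700.00, "NYC"),   # the classic structuring pattern
    CashTxn("C002", date(2025, 3, 3), 12_000.00, "NYC"),  # one deposit over $10k: CTR, not structuring
    CashTxn("C003", date(2025, 3, 3), 4_000.00, "NYC"),   # small, spaced-out amounts: benign
    CashTxn("C003", date(2025, 3, 5), 3_000.00, "NYC"),
    CashTxn("C003", date(2025, 3, 12), 5_000.00, "NYC"),
    CashTxn("C004", date(2025, 3, 4), 6_000.00, "NYC"),   # two same-day deposits at different
    CashTxn("C004", date(2025, 3, 4), 6_000.00, "NJ"),    # branches aggregate to $12k: CTR required
]


def ctr_candidates(txns):
    """Aggregate currency per customer per business day and return the (customer, day)
    pairs whose total exceeds $10,000, i.e. those for which a CTR must be filed."""
    totals = defaultdict(float)
    for t in txns:
        totals[(t.customer_id, t.txn_date)] += t.amount
    return {key: round(total, 2) for key, total in totals.items() if total > CTR_THRESHOLD}


def structuring_alerts(txns):
    """Flag customers whose individual cash transactions each stay at or under the CTR line
    but whose transactions inside a rolling window add up to more than it, with at least
    two amounts close enough to the line to look deliberate. One alert per customer."""
    by_customer = defaultdict(list)
    for t in txns:
        if t.amount <= CTR_THRESHOLD:            # an over-threshold deposit is a CTR, not structuring
            by_customer[t.customer_id].append(t)

    alerts = []
    for customer_id, items in by_customer.items():
        items.sort(key=lambda t: t.txn_date)
        for i, first in enumerate(items):
            window_end = first.txn_date + timedelta(days=STRUCTURING_WINDOW_DAYS - 1)
            window = [t for t in items[i:] if t.txn_date <= window_end]
            total = sum(t.amount for t in window)
            near_line = [t for t in window if t.amount >= STRUCTURING_FLOOR]
            if total > CTR_THRESHOLD and len(near_line) >= 2:
                alerts.append({
                    "customer_id": customer_id,
                    "window_start": first.txn_date,
                    "window_end": window[-1].txn_date,
                    "count": len(window),
                    "total": round(total, 2),
                    "branches": sorted({t.branch for t in window}),
                })
                break                             # one alert per customer is enough to open a case
    return alerts


if __name__ == "__main__":
    for (cust, day), total in sorted(ctr_candidates(SAMPLE_TXNS).items()):
        print(f"CTR   {cust} {day} ${total:,.2f}")
    for a in structuring_alerts(SAMPLE_TXNS):
        print(f"ALERT {a['customer_id']} {a['window_start']}..{a['window_end']} "
              f"{a['count']} txns ${a['total']:,.2f} via {a['branches']}")
```

On the sample data C002 and C004 produce CTR candidates and only C001 produces a structuring alert; C004's two $6,000 deposits are caught by same-day aggregation rather than by the structuring rule. A hit here opens an investigation, not a SAR: the analyst still has to document the review inside the 30-day clock described in the FinCEN table.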

SEC: Broker-Dealer AML Compliance Under Rule 17a-8 and Exchange Act Oversight

The SEC regulates broker-dealers under the Securities Exchange Act of 1934 and independently examines firms for BSA/AML compliance. SEC Rule 17a-8 integrates FinCEN’s BSA requirements directly into the SEC’s regulatory framework, giving the SEC independent enforcement authority alongside FINRA for AML failures.

Regulatory requirement / How KYCsphere meets it

SEC Rule 17a-8, BSA compliance: every registered broker-dealer must comply with the reporting, recordkeeping and record retention requirements of the Bank Secrecy Act and its implementing regulations; the SEC uses Rule 17a-8 as the basis for its own AML enforcement actions, independent of FINRA.
KYCsphere: provides BSA reporting and recordkeeping (SAR and CTR filing, Funds Travel Rule data retention, CIP records and five-year immutable audit logs), covering the obligations Rule 17a-8 incorporates and SEC examiners review.

SEC Rules 17a-3 and 17a-4, customer records and retention: create and retain specified records, including account records, customer identification records and account statements; retention runs from three to six years depending on record type, with the first two years in an easily accessible place. Under Rule 17a-4(f) as amended in 2022, electronic records must be kept either in a non-rewriteable, non-erasable (WORM) format or in a system that keeps a complete time-stamped audit trail of every change, with the required access and undertaking provisions in place.
KYCsphere: KYC Onboarding creates structured, timestamped customer account records at onboarding. CIP, CDD and account information records are retained in immutable cloud storage on KYCsphere's Microsoft Azure infrastructure, meeting Rule 17a-4 retention periods and the non-rewriteable, non-erasable storage option.

SEC Division of Examinations readiness: the Division of Examinations (formerly the Office of Compliance Inspections and Examinations, OCIE, renamed in December 2020) reviews AML programme documentation, SAR filing timeliness and quality, suspicious activity monitoring procedures and CDD record completeness during broker-dealer examinations.
KYCsphere: produces an audit-ready compliance record for every customer, screening result, transaction alert and SAR filing decision, with immutable logs, timestamps and documented decision trails, so examiners get the programme evidence they expect without manual file preparation.

SEC enforcement focus on SAR timeliness and quality: SEC actions against broker-dealers have cited late SAR filings, incomplete SAR narratives and failure to investigate suspicious transactions within a reasonable time (including actions against Robinhood Financial in 2025 and Deutsche Bank Securities in 2024).
KYCsphere: Alert Management and Case Management provide structured investigation workflows with documented timelines from alert creation to SAR filing decision, addressing the deficiencies those actions cite.

SEC Rule 15c3-3, customer protection: broker-dealers must maintain possession or control of customers' fully paid and excess margin securities and a reserve of customer cash, which depends on complete, accurate records of customer accounts and positions; the identity and account records created under CIP and Rule 4512 support the accuracy of those records.
KYCsphere: Identity Verification and KYC Onboarding verify customer identities and establish accurate records at account opening, supporting the account integrity on which Rule 15c3-3 protections rest.

OFAC: Sanctions Compliance for Broker-Dealers

OFAC administers US economic and trade sanctions programmes. Sanctions obligations apply to every US broker-dealer as a US person — entirely separately from FinCEN’s BSA/AML framework and FINRA’s rules. OFAC enforcement actions against broker-dealers and securities firms have resulted in penalties ranging from hundreds of thousands to hundreds of millions of dollars.

Regulatory requirement / How KYCsphere meets it

SDN List and Consolidated Sanctions List screening: screen all customers, beneficial owners, authorised persons, counterparties and transaction parties against OFAC's Specially Designated Nationals and Blocked Persons List and the Consolidated Sanctions List (which collects OFAC's non-SDN lists, such as the Sectoral Sanctions Identifications List) before account opening, whenever the lists change, and on every transaction.
KYCsphere: Sanctions Screening provides continuous real-time screening against the OFAC SDN List, the Consolidated Sanctions List, the UN Consolidated List and the EU and UK sanctions lists, with fuzzy matching to catch name variations, aliases, transliterations and spelling variants that exact-match screening misses.

Country-based sanctions programmes: block or reject transactions involving comprehensively embargoed jurisdictions (Iran, North Korea, Cuba and the Crimea, Donetsk and Luhansk regions of Ukraine at the time of writing) and apply the list-based and sectoral restrictions of programmes such as Russia; securities transactions with sanctioned-country parties cannot be processed. The set of sanctioned jurisdictions changes, so the control must follow OFAC's current programme list rather than a hard-coded country table.
KYCsphere: automated country-based sanctions controls flag transactions involving OFAC-prohibited jurisdictions or counterparties, or payment routing through sanctioned financial institutions, before execution.

OFAC 50 Percent Rule: an entity owned 50% or more, directly or indirectly, in the aggregate by one or more blocked persons is itself blocked even though it does not appear on the SDN List (OFAC's revised guidance of August 2014); the test is ownership, not control, and it requires screening the full ownership chain above each legal entity customer.
KYCsphere: Customer Due Diligence traces UBO ownership chains through legal entities to identify indirect OFAC exposure under the 50 Percent Rule, the gap that direct-name screening of the account holder alone cannot close.

Blocking and rejecting transactions: block property and interests in property of blocked persons as soon as they come into the firm's possession or control; reject transactions that a programme prohibits but that involve no blockable interest; document every blocking and rejecting action.
KYCsphere: Alert Management and Case Management provide structured workflows for reviewing, escalating, blocking and documenting potential OFAC matches, with a complete internal decision audit trail for each match disposition.

OFAC reporting (31 CFR Part 501): report blocked property within 10 business days of blocking and rejected transactions within 10 business days of rejection; file the annual report of blocked property by 30 September each year.
KYCsphere: Regulatory Reporting handles documentation and reporting of blocked and rejected transactions within OFAC's 10-business-day deadline and supports annual blocked property report preparation.

OFAC Framework for Compliance Commitments (2019): management commitment, risk assessment, internal controls, testing and auditing, and training.
KYCsphere: provides the technology infrastructure for all five framework components: risk-based screening controls, documented alert workflows, audit-ready compliance records, programme metrics, and integration with the firm's existing training and testing processes.
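To make concrete what the screening row means by name variations that exact matching misses, here is an added example (not KYCsphere code) of normalisation plus fuzzy scoring against a constructed watchlist. The watchlist entries are invented; the particle list, the reordering of "SURNAME, Given" entries and the 0.80 threshold are assumed tuning choices.

```python
"""Name screening with normalisation and fuzzy matching on a constructed watchlist.

Added illustration, not KYCsphere code. Watchlist entries are invented; the
particle list and the 0.80 score threshold are assumed tuning choices.
"""
import re
import unicodedata
from difflib import SequenceMatcher

# Assumed: name particles that vary between transliterations and carry little signal.
PARTICLES = {"al", "el", "bin", "ibn", "abu", "de", "del", "van", "von", "da"}
MATCH_THRESHOLD = 0.80   # assumed; tune against the firm's own alert review outcomes

# Constructed watchlist (not real OFAC entries).
WATCHLIST = [
    {"uid": "WL-0001", "name": "MUHAMMAD AL-RASHID", "aka": ["Mohamed Rashid"]},
    {"uid": "WL-0002", "name": "ABDULRAHMAN, Khaled", "aka": []},
    {"uid": "WL-0003", "name": "Société Générale de Négoce", "aka": []},
]


def normalise(name):
    """Fold a name to comparable tokens: reorder 'SURNAME, Given' to given-first,
    strip accents, casefold, drop punctuation, and remove particles."""
    if "," in name:                                  # "ABDULRAHMAN, Khaled" -> "Khaled ABDULRAHMAN"
        last, first = name.split(",", 1)
        name = f"{first} {last}"
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    tokens = re.sub(r"[^a-z0-9]+", " ", ascii_only.casefold()).split()
    return [t for t in tokens if t not in PARTICLES] or tokens


def similarity(a, b):
    """Score two names in [0, 1]. Tries word order as given and sorted, with and
    without spaces, so 'Abdul Rahman' still matches 'Abdulrahman'."""
    ta, tb = normalise(a), normalise(b)
    candidates = [
        (" ".join(sorted(ta)), " ".join(sorted(tb))),   # order-insensitive, word boundaries kept
        ("".join(ta), "".join(tb)),                       # given order, spaces removed
        ("".join(sorted(ta)), "".join(sorted(tb))),      # order-insensitive, spaces removed
    ]
    return max(SequenceMatcher(None, x, y).ratio() for x, y in candidates)


def exact_match(query, watchlist):
    """What a naive screen does: case-insensitive equality on the raw strings."""
    q = query.casefold()
    return [e["uid"] for e in watchlist
            if q == e["name"].casefold() or q in (a.casefold() for a in e["aka"])]


def screen(query, watchlist, threshold=MATCH_THRESHOLD):
    """Return watchlist hits scoring at or above the threshold, best first,
    checking the primary name and every alias of each entry."""
    hits = []
    for entry in watchlist:
        best = max(similarity(query, n) for n in [entry["name"], *entry["aka"]])
        if best >= threshold:
            hits.append({"uid": entry["uid"], "name": entry["name"], "score": round(best, 3)})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


if __name__ == "__main__":
    for q in ["Mohammed Al Rashid", "Khaled Abdul Rahman",
              "Societe Generale de Negoce", "Maria Rashidova"]:
        print(f"{q!r:32} exact={exact_match(q, WATCHLIST)} fuzzy={screen(q, WATCHLIST)}")
```

"Mohammed Al Rashid" gets no exact hit but scores well above the threshold against WL-0001; "Khaled Abdul Rahman" matches WL-0002 exactly once spacing and name order are normalised; "Maria Rashidova" stays clear. In production the list is loaded from OFAC's published SDN and consolidated files (which carry explicit alias records and identifiers) rather than hard-coded, and the threshold is calibrated against the firm's own true- and false-positive history.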
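The 50 Percent Rule row is the one place in this table where the check is an algorithm rather than a lookup: blocked ownership has to be aggregated across several listed persons and carried through intermediate entities. The following added example (not KYCsphere code) computes that aggregate over a constructed ownership graph. Its pass-through treatment is this example's reading of OFAC's revised guidance: a listed person's direct stake counts in full, an intermediary that is itself blocked passes its entire stake downstream, and a non-blocked intermediary passes only its blocked share; a firm should confirm that reading with counsel. In the sample graph the block/no-block outcomes are the same under either reading of the non-blocked intermediary case, only the displayed percentages differ.

```python
"""Aggregate blocked ownership through an entity chain for the OFAC 50 Percent Rule.

Added illustration, not KYCsphere code. The ownership graph and the listed
persons are constructed. Pass-through treatment (assumption, see lead-in):
listed person -> full stake; blocked intermediary -> full stake;
non-blocked intermediary -> stake * its own blocked share.
"""

BLOCK_THRESHOLD = 0.50   # 50 percent or more, in the aggregate, by one or more blocked persons

# Constructed ownership graph: entity -> list of (owner, fraction of equity held).
OWNERSHIP = {
    "Alpha Holdings":  [("SDN-X", 0.50), ("Unrelated-1", 0.50)],
    "Beta Trading":    [("SDN-X", 0.10), ("Alpha Holdings", 0.40), ("Unrelated-2", 0.50)],
    "Gamma Capital":   [("SDN-X", 0.25), ("SDN-Y", 0.25), ("Unrelated-3", 0.50)],
    "Delta Markets":   [("Gamma Capital", 1.00)],
    "Epsilon Fund":    [("SDN-X", 0.25), ("Unrelated-4", 0.75)],
    "Zeta Securities": [("Epsilon Fund", 0.50), ("Unrelated-5", 0.50)],
    "Eta SA":          [("Theta BV", 0.30), ("Unrelated-6", 0.70)],   # Eta and Theta hold each other
    "Theta BV":        [("SDN-X", 0.40), ("Eta SA", 0.30), ("Unrelated-7", 0.30)],
}
BLOCKED_PERSONS = {"SDN-X", "SDN-Y"}   # listed persons (constructed identifiers)


def blocked_shares(ownership, blocked_persons, threshold=BLOCK_THRESHOLD, max_iter=100, eps=1e-9):
    """Return {entity: aggregate share held directly or indirectly by blocked persons}.

    Computed as a fixed point so cross-holdings (cycles) are handled: every entity
    starts at 0 and shares only ever increase, so the iteration converges.
    """
    shares = {entity: 0.0 for entity in ownership}
    for _ in range(max_iter):
        changed = False
        for entity, owners in ownership.items():
            total = 0.0
            for owner, fraction in owners:
                if owner in blocked_persons:
                    total += fraction                        # listed person: counts in full
                else:
                    owner_share = shares.get(owner, 0.0)     # owners outside the graph contribute nothing
                    if owner_share + eps >= threshold:
                        total += fraction                    # blocked intermediary: full stake
                    else:
                        total += fraction * owner_share      # non-blocked intermediary: pass-through
            total = min(total, 1.0)
            if abs(total - shares[entity]) > eps:
                shares[entity] = total
                changed = True
        if not changed:
            break
    return shares


def is_blocked(entity, ownership=OWNERSHIP, blocked_persons=BLOCKED_PERSONS, threshold=BLOCK_THRESHOLD):
    """True if the entity is blocked by operation of the 50 Percent Rule even though
    it does not itself appear on the list."""
    return blocked_shares(ownership, blocked_persons, threshold)[entity] + 1e-9 >= threshold


if __name__ == "__main__":
    for entity, share in blocked_shares(OWNERSHIP, BLOCKED_PERSONS).items():
        status = "BLOCKED" if is_blocked(entity) else "clear"
        print(f"{entity:16} blocked share {share:6.1%}  {status}")
```

Beta Trading is blocked although SDN-X holds only 10% of it directly, because Alpha Holdings (50% SDN-X owned) is itself blocked and its 40% stake carries through in full. Gamma Capital is blocked by aggregation of two separate listed persons at 25% each, and Delta Markets inherits that in full. Zeta Securities stays clear at 12.5%, and the Eta/Theta cross-holding converges below the line without the loop running away. None of these entities would be caught by screening the account holder's own name.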

Why Broker-Dealers Choose KYCsphere

  • One platform across all four regulatory authorities — Customer data captured at CIP onboarding flows automatically into CDD, risk profiling, transaction monitoring, OFAC screening, and SAR filing — eliminating the compliance gaps that arise when FinCEN, FINRA, SEC, and OFAC obligations are managed on separate disconnected systems.
  • FINRA and SEC examination-ready at all times — Every CDD review, alert disposition, SAR filing decision, 314(a) response, and OFAC match escalation is immutably logged with timestamps, user actions, and supporting documentation. FINRA examiners and SEC Division of Examinations staff get exactly what they need without manual file preparation before examination.
  • SAR timeliness and quality built into the workflow — KYCsphere’s structured investigation workflows with documented timelines from alert creation to SAR decision directly address the SAR timeliness and narrative completeness deficiencies that have generated SEC enforcement actions against broker-dealers.
  • AI that reduces false positives — Fuzzy-name matching for OFAC screening, AI-driven behavioural anomaly detection in transaction monitoring, and risk-based alert prioritisation reduce the alert noise that overwhelms compliance teams — so analysts focus on genuine suspicious activity rather than administrative noise.
  • No-code configuration for broker-dealer workflows — Risk rules, monitoring thresholds, screening parameters, EDD triggers, and SAR filing workflows are all configurable through an admin interface without IT tickets or developer involvement. Adjust detection rules as FINRA publishes new red flag guidance or the SEC issues new risk alerts.
  • Microsoft Azure cloud security meeting SEC and FINRA expectations — Deployed on Microsoft Azure with 99.9% uptime, SOC 2-compliant security, and WORM-compatible immutable storage meeting SEC Rule 17a-4 electronic recordkeeping requirements and FINRA’s cloud storage guidance.

Who KYCsphere Serves in the Broker-Dealer Sector

  • Full-service broker-dealers executing transactions and maintaining customer accounts who face the full scope of FinCEN, FINRA, SEC, and OFAC compliance obligations
  • Introducing broker-dealers managing customer onboarding and KYC while clearing trades through a carrying firm — requiring complete CIP, CDD, and FINRA Rule 2090 compliance at the introducing firm level
  • Online and fintech broker-dealers scaling customer acquisition rapidly and requiring automated CIP and KYC infrastructure that handles high onboarding volumes without proportional compliance headcount growth
  • Institutional broker-dealers dealing with complex legal entity customers, foreign institutional clients, and correspondent relationships requiring UBO identification, EDD, and correspondent screening
  • Dual-registered broker-dealers and RIAs maintaining compliance programmes across both broker-dealer and investment adviser regulatory frameworks within one platform

Conclusion

US broker-dealers face KYC and AML compliance obligations from four regulatory authorities simultaneously — FinCEN’s BSA rules, FINRA’s AML and KYC programme requirements, the SEC’s BSA enforcement authority under Rule 17a-8, and OFAC’s sanctions framework. Managing these obligations across multiple point solutions creates compliance gaps, examination vulnerabilities, and unnecessary technology cost — precisely the conditions that have produced FINRA’s record enforcement actions in recent years.

KYCsphere provides a single unified platform that automates the complete broker-dealer KYC and AML compliance lifecycle, from digital customer onboarding and CIP identity verification through beneficial ownership identification, FINRA Rule 2090 KYC profiling, OFAC sanctions screening, suspicious activity monitoring, alert management, SAR filing, and SEC-compliant recordkeeping, all in one connected system with the immutable audit trail that FINRA examiners, SEC Division of Examinations staff, and FinCEN expect.

KYCsphere meets every layer of US broker-dealer KYC/AML compliance — automatically.

Frequently Asked Questions

Which regulatory authorities govern AML compliance for US broker-dealers?

US broker-dealers are subject to AML and KYC compliance requirements from four regulatory authorities. FinCEN administers the Bank Secrecy Act for broker-dealers under 31 CFR Part 1023, setting mandatory programme requirements, CIP rules, and SAR filing obligations. FINRA enforces its own AML and KYC rules, primarily Rule 3310 for AML programmes and Rules 2090 and 4512 for KYC, on top of the BSA framework. The SEC independently examines and enforces BSA compliance under Rule 17a-8 through its Division of Examinations (formerly OCIE) and Division of Enforcement. OFAC sanctions obligations apply separately from all of the above. A complete broker-dealer compliance programme must address all four authorities simultaneously.

What does FINRA Rule 3310 require for broker-dealer AML programmes?

FINRA Rule 3310 requires every member to develop and implement a written AML compliance programme, approved in writing by a member of senior management and reasonably designed to achieve and monitor compliance with the BSA and FinCEN's implementing regulations. At a minimum the programme must: establish policies and procedures reasonably expected to detect and cause the reporting of suspicious transactions (3310(a)); establish policies, procedures and internal controls reasonably designed to achieve BSA compliance (3310(b)); provide for independent testing by member personnel or a qualified outside party, annually, or every two years for members that do not execute transactions for customers, hold customer accounts or act as introducing brokers (3310(c)); designate an AML compliance officer and identify that person to FINRA (3310(d)); and provide ongoing training for appropriate personnel (3310(e)). Following FinCEN's CDD Rule, FINRA added 3310(f), commonly called the fifth pillar: risk-based procedures for ongoing customer due diligence, including understanding the nature and purpose of customer relationships to develop a customer risk profile, and ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.

How do FINRA Rule 2090 and Rule 4512 relate to KYC compliance?

FINRA Rule 2090, the Know Your Customer rule, requires firms to use reasonable diligence, when opening and maintaining every account, to know and retain the essential facts concerning every customer and the authority of each person acting on the customer's behalf. Supplementary Material .01 defines essential facts as those needed to service the account effectively, act on any special handling instructions, understand the authority of each person acting for the customer, and comply with applicable laws, regulations and rules. Rule 4512, Customer Account Information, specifies the data fields a customer record must contain: name and residence, whether the customer is of legal age, the associated persons responsible for the account, the names of persons authorised to transact for a customer that is not a natural person and, for retail accounts, tax identification number, occupation and employer, and whether the customer is associated with another member, along with reasonable efforts to obtain a trusted contact person. The two rules work together: Rule 2090 defines what a firm must know, and Rule 4512 defines the minimum that must be documented and maintained. Both are examined by FINRA, and both feed directly into the CDD and suspicious activity monitoring obligations under Rule 3310 and into the investment-profile information that suitability and Regulation Best Interest determinations rely on.

What is SEC Rule 17a-8 and why does it matter for broker-dealer AML compliance?

SEC Rule 17a-8 requires broker-dealers to comply with the reporting, recordkeeping and record retention requirements of the Bank Secrecy Act and its implementing regulations. The rule brings FinCEN's BSA framework within the SEC's own rulebook, so the SEC can examine and enforce AML failures directly, alongside FINRA. Examinations by the SEC's Division of Examinations (formerly OCIE) treat BSA compliance as a standard component, and the SEC has brought its own actions against broker-dealers for late SAR filings, incomplete SAR narratives, and failure to investigate suspicious transactions within a reasonable period, as in the actions against Deutsche Bank Securities in late 2024 and Robinhood Financial in early 2025.

Is OFAC screening included in KYCsphere’s broker-dealer compliance platform?

Yes. KYCsphere includes real-time OFAC SDN List and Consolidated Sanctions List screening as a core capability — integrated into the customer onboarding workflow, ongoing customer screening, and transaction monitoring. OFAC compliance is treated as a distinct obligation from BSA/AML, with separate alert workflows, blocking and rejecting documentation, and 10-day OFAC reporting through the Regulatory Reporting module. KYCsphere also screens against UN, EU, and UK sanctions lists simultaneously. The platform’s beneficial ownership mapping addresses the OFAC 50% Rule — identifying indirect OFAC exposure through corporate ownership chains that direct-name screening of the account holder alone cannot detect.

Can KYCsphere support both introducing and full-service broker-dealers?

Yes. KYCsphere’s configurable workflow engine supports the compliance requirements of both introducing broker-dealers — who manage customer onboarding, KYC, and AML obligations while clearing through a carrying firm — and full-service broker-dealers who execute, clear, and custody customer accounts. The platform handles both retail and institutional customer onboarding within the same system, including the complex legal entity onboarding, UBO identification, and correspondent institution due diligence requirements of institutional broker-dealer operations.

How does KYCsphere address the SAR timeliness issues that have generated SEC enforcement actions?

KYCsphere’s Alert Management and Case Management tools provide structured investigation workflows with documented timelines from alert creation through investigation to SAR filing decision. Every step — alert triage, investigation assignment, evidence collection, supervisor review, and filing or no-file decision — is timestamped and logged with the responsible user and documented rationale. This structured timeline documentation directly addresses the SAR timeliness and investigation completeness deficiencies that have been cited in SEC enforcement actions against broker-dealers, giving compliance officers and examiners a clear, auditable record of how each suspicious activity alert was handled from detection to resolution.