2019 FINRA and SEC exam priorities explained

AML compliance focuses on the customer due diligence rule

Deloitte provides an overview of key AML compliance-related topics in the FINRA and SEC 2019 exam priorities letters for covered financial institutions.


Earlier this year, the US Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) published their annual examination priorities letters (the Priorities Letters or the Letters).1 Both the SEC’s and FINRA’s anti-money laundering (AML) priorities remain consistent from the prior year and focus on two main AML topics—customer due diligence (CDD) and transaction monitoring. The Letters' discussion of CDD notes the expectation that firms appropriately identify beneficial owners and associated parties, while their expectations for transaction monitoring is that programs are tailored and include systems and controls to identify and report on potentially suspicious behavior.

A new and notable focus in the Letters is on how firms adopt RegTech, not only to facilitate CDD processes but also to enhance transaction monitoring capabilities. In addition, FINRA recently issued two reports which provide additional context to the Priorities Letters—Report on FINRA Examination Findings (2018) (the Examination Findings Report)2 and Technology-Based Innovations for Regulatory Compliance (RegTech) in the Securities Industry (2018) (the FINRA RegTech Report).3

2019: SEC and FINRA highlight AML risk monitoring in their exam priorities

Enforcement action spotlight—FINRA fined a firm for failure to identify beneficial ownership information on penny stocks and establish a system reasonably designed to detect and report suspicious penny stock activity. FINRA noted that the firm had facilitated the purchase or sale of penny stocks through an omnibus account for customers without identifying the stocks' beneficial owner or the beneficial owner's relationship with the issuer.

Customer due diligence and CDD rule

Consistent with last year's AML examination priorities, both the SEC and FINRA will continue to concentrate on assessing firms' compliance with the Financial Crimes Enforcement Network's final rule on CDD requirements for financial institutions (the CDD Rule). FINRA notes that the CDD Rule "requires that firms identify the beneficial owners of legal entity customers, understand the nature and purpose of customer accounts, conduct ongoing monitoring of customer accounts to identify and report suspicious transactions and on a risk basis update customer information."

The Examinations Findings Report highlighted instances where firms faced challenges with respect to identifying the beneficial owners of legal entity customers. One such example was trading by foreign legal entities in accounts in similar low-float and low-priced securities. FINRA noted that in some instances, firms considered these accounts unrelated, but uncovered shared commonalities, raising concerns about common ownership and control of apparently unrelated accounts.

Similarly, another FINRA priority is appropriate CDD to safeguard investors against fraud and sales practice abuse. FINRA expects that firms understand their customer’s investment objectives and goals to provide a reasonable basis for the investment strategy that also aligns to the customer’s sophistication and investment time horizon. The depth of diligence that is required will vary depending on the complexity of the proposed products. Specifically, FINRA and the SEC will focus on whether a customer's investment sophistication is sufficient to warrant investment recommendations to purchase novel and/or complex products such as leveraged, inverse, and/or floating rate loan exchange-traded funds and securities products that package leveraged loans (e.g., collateralized loan obligations).

Complex products carry more risk than traditional products/investments due to multiple features that affect investment returns, thus making it unreasonable to expect the average investor to discern the investment risks in relation to potential investment loss. In order to reasonably ensure that the sale of complex products is suitable, a firm's CDD program will need to include policies, procedures, systems, and controls to document a thorough understanding of the customer’s liquidity needs, investment time horizon, and investment sophistication, as part of the nature and purpose of the customer's account.

FINRA and the SEC emphasized the need for CDD programs to capture sufficient information to protect senior investors from fraud, sales practices abuse, and exploitive practices, such as abuse of trustee status. Accordingly, in conducting CDD, firms must gain an understanding of who is authorized to act on a senior’s account (e.g., trustees, individuals with power of attorney, or other significant roles). As part of identifying the customer and the nature and purpose of the account, FINRA expects that firms identify and document situations where the registered representative is acting in a fiduciary capacity to the client or has a "beneficiary relationship with non-familial accounts."

To the extent either situation exists, FINRA expects that firms have policies, procedures, systems, and controls in place documenting how these types of accounts are supervised, in addition to any unusual and/or potentially suspicious activity occurring in the account.

number screen

Enforcement action spotlight—FINRA fined a firm for failure to appropriately market a complex product, Variable annuity (VA), and for making recommendations without a reasonable basis to believe they were suitable for its investors. Variable annuities are complex investments commonly marketed and sold to retirees. FINRA found that the firm had inadequate systems and procedures governing its VA exchange business.

Transaction monitoring and suspicious activity reviews

In addition to CDD, both the SEC and FINRA Priorities Letters, as well as recent enforcement actions, emphasize the importance of transaction monitoring. More specifically, identifying, investigating, and reporting of suspicious activity, as well as implementing the procedures, systems, and controls to detect such activity.

FINRA noted in its Examination Findings report that it continues to find problems with the adoption of comprehensive transaction monitoring programs as well as the adequacy of firms’ allocation of technology resources to support those programs. As a result, it is reasonable to expect that FINRA will likely be assessing the entirety of the transaction monitoring program, particularly if there is a reliance on manual reports to identify potentially suspicious activity, as well as the adequacy of transaction monitoring systems, particularly when it’s evident that firms have failed to file suspicious activity reports (SARs) despite the existence of clear red flags.

As part of a comprehensive transaction monitoring program, firms should be tuning transaction monitoring systems to identify red flags for potentially suspicious activity and developing, documenting, and implementing procedures to investigate such activity as well as filing SARs, when applicable. Lastly, firms should expect both the SEC and FINRA to assess not only that firms have allocated adequate resources to transaction monitoring programs, but that FINRA and the SEC expect those resources to be dedicated (i.e., not simultaneously performing other AML or compliance-related functions, and sufficiently skilled to perform transaction monitoring).

Given the number and size of FINRA and SEC enforcement actions over the last several years involving trading of low-priced securities, it should be no surprise that the Priorities Letters emphasized a focus on manipulative trading such as “pump and dump” schemes. The attention of both regulators on trading in low-priced securities and manipulative trading activity generally should emphasize to firms the importance of implementing an AML program that is tailored to the specific money-laundering risks posed by their business. Firms that engage in higher-risk activities such as trading in low-priced securities must establish a reasonable supervisory system to identify, investigate, and, as applicable, report suspicious trading activity.

In situations where firms engage in higher-risk activities, it is imperative that they monitor accounts for both deviations in expected activity as well as other red flags identified by FINRA and other regulators. An example scenario is where a customer that does not trade in low-priced, thinly traded securities deposits a large number of shares and then begins to liquidate those shares. This activity should result in questions to the customer due to not only the deviation from expected and historical activity but also that the activity is consistent with red flags previously identified by FINRA.4

An ongoing area of focus that FINRA continues to find problems with is the validation of firms’ transaction monitoring systems and the data those systems use. Firms should ensure that their AML transaction monitoring systems are capturing complete and accurate data and that they routinely test and verify the accuracy of data sources, particularly with respect to higher-risk accounts and activities. It is reasonable for firms to expect that FINRA will look for policies, procedures, and controls related to changes in transaction monitoring systems such as transaction monitoring rules, including thresholds used and “white list” criteria, and that any changes to such systems are supported by data and follow a documented review and decision/approval process.

number circle

Enforcement action spotlight—FINRA fined a firm engaged in the clearing of low-priced securities transactions for not having a reasonable AML program in place to monitor and detect suspicious transactions. The firm initially had no surveillance reports related to potentially suspicious liquidations of low-priced securities. FINRA further found that they lacked systems and procedures to monitor whether certain business activities were unusual for any given customer, despite the firm’s written AML procedures specifically identifying such items as red flags requiring monitoring.

Finally, FINRA found that the firm assigned critical suspicious activity monitoring duties to a nonexistent employee title, and these duties were not performed effectively by any firm employee. As a result of its unreasonable AML supervisory system, the firm failed to detect or reasonably investigate red flags indicating potentially suspicious activity involving penny stocks.


A new priority for FINRA this year is assessing how firms will be using regulatory technology to address risk, challenges, or regulatory concerns. RegTech is "the use of new technologies to solve regulatory and compliance burdens more effectively and efficiently."5

FINRA's RegTech report highlights the use of RegTech tools in five main areas: surveillance and monitoring; customer identification and AML compliance; regulatory intelligence; reporting and risk management; and investor risk assessment.6 They note that where firms are using a variety of innovative RegTech tools to bolster the effectiveness and efficacy of their compliance programs, they need to be aware that these tools may also raise operational challenges and regulatory implications.

An area where there has been growing interest in the adoption of RegTech tools is with customer identification programs. Firms are using it as a mechanism to create a more holistic view of the customer. This can be achieved by gathering information from multiple sources, both internally and externally, and applying advanced data analytics to expand the scope of the identification process. Consequently, firms will need to ensure that they have policies, procedures, and controls in place to identify and mitigate risks that may manifest as a result, and that they have viable workarounds that can be readily deployed in the event of malfunctions.

In addition, they need to ensure that they have the appropriate staff with the requisite skill set to use these tools and consider whether it would be beneficial to provide training to all compliance, supervisory, and operational staff. Another area in which RegTech is gaining substantial traction is surveillance and monitoring, particularly next-generation transaction monitoring solutions. RegTech tools generally aim to move beyond traditional rules-based systems to detect other anomalies/behavior patterns which may be more difficult for a traditional rules-based model to detect. Specific considerations for firms looking to deploy such a solution include how they plan to create a path to regulatory acceptance.

They will need to demonstrate to the regulators not only that the solution is a more efficient and effective AML detection engine, but also that it provides sufficient risk coverage.

split gear


To prepare for potential SEC and FINRA examinations, firms should consider all areas addressed in the examination’s Priority Letters and, in particular, CDD and transaction monitoring as they conduct their annual reviews of policies, procedures, and technology.

The regulators continue to see AML as a priority and are likely to examine all components of AML programs. More specifically, the regulators will test the firms program to ensure they are reasonably designed to identify and control for those risks through CDD and transaction monitoring systems.



1 FINRA 2019 Risk Monitoring and Examination Priorities Letter,;



4 See FINRA Regulatory Notice 09-05: Unregistered Resales of Restricted Securities.

5 RegTech, Institute of International Finance,

6 Technology Based Innovations for Regulatory Compliance in the Securities Industry; FINRA September 2018.

Contact us

For more information, please contact:

Brian Peres 
Senior manager

Deloitte Risk & Financial Advisory
Deloitte Transactions and Business Analytics LLP
+1 571 882 6526

Jennifer Flannery

Deloitte Risk & Financial Advisory
Deloitte Transactions and Business Analytics LLP
+1 212 436 3786

Joshua Hanna 

Deloitte Risk & Financial Advisory
Deloitte Transactions and Business Analytics LLP
+1 404 220 1336

chat icon

Fullwidth SCC. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Did you find this useful?