AML Transaction Monitoring
Monitoring systems and procedures used by broker-dealers to detect suspicious activity under the Bank Secrecy Act and FINRA Rule 3310, with SAR filing to FinCEN as the required reporting output.
Definition
AML transaction monitoring encompasses the monitoring systems and procedures used to detect, investigate, and report suspicious activity indicative of money laundering, terrorist financing, or other financial crimes. The primary legal authority is the Bank Secrecy Act (BSA); FinCEN is the primary regulator; FINRA Rule 3310 translates those obligations into examination requirements specific to broker-dealers. Broker-dealers are the financial intermediaries best positioned to observe suspicious securities activity — coordinated transactions, structured deposits, on-chain asset movements designed to obscure origin, and patterns that only become visible across the full lifecycle of an account. Industry practitioners increasingly refer to the combined technology, workflow, and regulatory program as an AML compliance platform — encompassing transaction monitoring, case management, SAR workflow, and blockchain analytics for digital asset rails.
BSA Authority and FINRA Rule 3310
The Bank Secrecy Act (31 U.S.C. § 5311 et seq.) is the foundational law establishing AML obligations for financial institutions in the United States. FinCEN, operating under the authority of the Treasury Department, issues implementing regulations — including 31 CFR Part 1023, which sets specific obligations for broker-dealers: SAR filing, CTR reporting, recordkeeping, and program requirements. FINRA Rule 3310 does not create independent AML obligations; it requires broker-dealers to establish written AML programs reasonably designed to achieve compliance with the BSA and FinCEN's implementing regulations, and makes those program obligations examinable by FINRA. The program must be approved by senior management, administered by a designated AML compliance officer, and tested annually by independent personnel. Rule 3310 imposes a "reasonably designed" standard — adequacy is assessed relative to the firm's specific business model, customer base, product mix, and risk profile, not against a universal threshold.
SAR Filing Requirements
Under 31 CFR 1023.320, a broker-dealer must file a SAR with FinCEN when it knows, suspects, or has reason to suspect that a transaction of $5,000 or more involves funds from illegal activity, is designed to evade BSA reporting requirements, lacks a lawful purpose, or facilitates criminal conduct. The 30-day filing window begins at the date of initial detection of facts suggesting suspicious activity — not when an internal investigation concludes or when the compliance officer formally reviews the alert. FINRA enforcement actions have repeatedly cited this distinction as a primary cause of untimely filings. If no suspect is identified at the time of initial detection, the period may be extended to 60 days. Continuing activity SARs are required when suspicious activity persists after an initial filing — FinCEN guidance calls for re-filing on a 90-day cycle for as long as the activity continues. The existence of a SAR may not be disclosed to the subject of the report.
AML Monitoring Architecture
Effective AML monitoring operates across multiple analytical layers. Transaction-level screening evaluates individual transactions against rule-based parameters: cash activity meeting CTR thresholds, wire transfers to or from high-risk jurisdictions, OFAC sanctions list matches, and discrete events matching known typologies. Pattern-level monitoring analyzes transaction sequences over time — identifying structuring sequences where multiple below-threshold transactions form a suspicious aggregate, velocity spikes, or round-trip patterns. Customer-level behavioral analysis tracks account activity against a rolling baseline for the customer's established profile; deviations — sudden volume increases, new counterparty types, activity inconsistent with stated business purpose — generate anomaly scores fed into the alert queue. More sophisticated programs add a fourth layer: network analysis, which examines relationships across the firm's entire customer population to identify account rings, coordinated structuring distributed across nominally unrelated accounts, and common counterparty clusters that are invisible at the individual account level. The layered architecture addresses the fundamental limitation of threshold-only monitoring, which sophisticated actors deliberately circumvent by operating below known reporting thresholds.
AML compliance framework — obligations, technology, and documentation output
| AML Obligation | Regulatory Authority | Monitoring Technology | Documentation Output |
|---|---|---|---|
| AML Compliance Program | BSA / FINRA Rule 3310 | Transaction monitoring system, alert workflow | Written AML program; annual independent test |
| Suspicious Activity Report (SAR) | FinCEN · 31 CFR 1023.320 | Pattern and behavioral detection | SAR filed within 30 days of initial detection (60-day extension if no suspect) |
| Currency Transaction Report (CTR) | FinCEN · 31 CFR 1023.310 | Cash transaction monitoring | FinCEN CTR for cash transactions ≥ $10,000 |
| Travel Rule (Funds Transfer Rule) | FinCEN · 31 CFR 1010.410 | Messaging interoperability — TRUST, Veriscope | Originator / beneficiary data for transfers ≥ $3,000 (FATF: $1,000) |
| Customer Due Diligence (CDD) | FinCEN CDD Rule (2018) | KYC and PEP screening | Beneficial ownership records; CIP documentation |
| On-Chain AML | FATF Recommendation 15 / FinCEN guidance | Blockchain analytics; wallet clustering | Risk scoring report; SAR if warranted |
Structuring and Peeling Chains
Structuring — the deliberate fragmentation of cash transactions to avoid the $10,000 CTR filing threshold — is a federal crime under 31 U.S.C. § 5324 regardless of whether the underlying funds are lawful. In securities accounts it typically manifests as multiple below-threshold wire or cash transactions timed to avoid aggregation triggers. The digital asset equivalent is a peeling chain: on-chain fragmentation where a large cryptocurrency amount is progressively peeled through a sequence of intermediate addresses — each hop sending a small portion to a destination while passing the remainder to a new address — to obscure origin and ownership. The detection methods differ by chain architecture. Peeling chains on UTXO-based chains such as Bitcoin are identified through co-spending analysis, which clusters addresses controlled by the same entity based on inputs appearing in common transactions. On account-based chains such as Ethereum, clustering relies on transaction pattern analysis, contract interaction history, and gas payer behavior rather than UTXO co-spending. AML monitoring systems serving firms with digital asset capabilities must address both the fiat and on-chain dimensions, as the evasion objective is identical regardless of the asset type.
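The hop pattern described above (a small output peeled off, the remainder passed to a new address) can be followed mechanically. The sketch below is an added example, not Devancore or vendor code; it traces the peel pattern itself rather than performing co-spending clustering. The transaction layout, the 20% peel ratio, the three-hop minimum and the assumption that each intermediate address is spent once are all illustrative.

```python
MAX_PEEL_RATIO = 0.2   # assumed: peeled output is at most 20% of the hop's value
MIN_HOPS = 3           # assumed: shortest run reported as a chain

def peel_hop(tx, max_ratio=MAX_PEEL_RATIO):
    """Return (peeled_addr, peeled_amount, remainder_addr) if tx has the
    one-input, small-output-plus-remainder shape of a peel hop, else None."""
    if len(tx["inputs"]) != 1 or len(tx["outputs"]) != 2:
        return None
    (small_addr, small), (big_addr, big) = sorted(tx["outputs"], key=lambda o: o[1])
    if small > max_ratio * (small + big):
        return None                       # e.g. an ordinary payment with change
    return small_addr, small, big_addr

def find_peel_chains(txs, min_hops=MIN_HOPS, max_ratio=MAX_PEEL_RATIO):
    """Follow the remainder output from hop to hop and return every chain
    of at least min_hops consecutive peel hops."""
    hops = {txid: h for txid, tx in txs.items() if (h := peel_hop(tx, max_ratio))}
    # Address -> the peel-hop transaction that spends from it (spent-once assumption).
    spender = {txs[txid]["inputs"][0]: txid for txid in hops}
    remainders = {h[2] for h in hops.values()}
    chains = []
    for start in hops:
        if txs[start]["inputs"][0] in remainders:
            continue                      # mid-chain hop; reached from its chain start
        chain, seen, cur = [], set(), start
        while cur in hops and cur not in seen:
            seen.add(cur)
            peeled_to, amount, remainder_to = hops[cur]
            chain.append({"txid": cur, "peeled_to": peeled_to,
                          "amount": amount, "remainder_to": remainder_to})
            cur = spender.get(remainder_to)
        if len(chain) >= min_hops:
            chains.append(chain)
    return chains

# Constructed sample: txid -> spending addresses and (address, amount) outputs,
# amounts in arbitrary integer units.
SAMPLE_TXS = {
    "tx1": {"inputs": ["addr_src"], "outputs": [("dest_1", 50), ("hop_1", 950)]},
    "tx2": {"inputs": ["hop_1"], "outputs": [("dest_2", 40), ("hop_2", 910)]},
    "tx3": {"inputs": ["hop_2"], "outputs": [("dest_3", 60), ("hop_3", 850)]},
    "tx4": {"inputs": ["hop_3"], "outputs": [("dest_4", 50), ("hop_4", 800)]},
    # Two inputs: a consolidation, so the chain ends here.
    "tx5": {"inputs": ["hop_4", "other"], "outputs": [("exch", 900)]},
    # Ordinary payment with change: outputs are too balanced to be a peel.
    "tx9": {"inputs": ["payer"], "outputs": [("shop", 100), ("payer_change", 110)]},
}

if __name__ == "__main__":
    for chain in find_peel_chains(SAMPLE_TXS):
        print(" -> ".join(h["txid"] for h in chain),
              "| peeled total:", sum(h["amount"] for h in chain))
```

The peeled destinations in a reported chain are the addresses an analyst would carry into the case record alongside the transaction hashes.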
Travel Rule and Messaging Interoperability
FinCEN's Funds Transfer Recordkeeping Rule (31 CFR 1010.410) — the U.S. Travel Rule — requires financial institutions to transmit originator and beneficiary identifying information when processing transfers of $3,000 or more. The Financial Action Task Force (FATF) Recommendation 16 — the global equivalent — sets a lower threshold of $1,000 for cross-border transfers; many firms dealing with international virtual asset service providers apply the lower FATF threshold to avoid compliance gaps when transacting with counterparties in other jurisdictions. FinCEN guidance confirmed that these obligations apply to stablecoin and convertible virtual currency transfers processed by regulated broker-dealers. Because blockchain infrastructure does not natively carry identity data, compliance requires messaging interoperability solutions — such as TRUST (Travel Rule Universal Solution Technology) or Veriscope — that allow regulated institutions to exchange originator and beneficiary data alongside the on-chain transfer. Firms without connectivity to these networks cannot fulfill Travel Rule obligations for institutional stablecoin transactions and face the practical consequence that other Travel Rule-compliant counterparties may refuse to transact with them.
Correspondent Account Monitoring
Broker-dealers that maintain accounts for foreign financial institutions — including omnibus accounts through which foreign intermediaries hold positions on behalf of undisclosed underlying clients — face heightened AML monitoring obligations. Omnibus account structures limit the firm's ability to apply transaction monitoring at the individual beneficial owner level, since the account appears as a single entity in the firm's records. FinCEN has identified correspondent and omnibus account structures as a mechanism through which proceeds of foreign corruption and organized crime enter U.S. markets. Firms maintaining these accounts must apply enhanced due diligence: ongoing monitoring of overall account activity patterns, review of the intermediary's AML program where available, and heightened scrutiny of transactions inconsistent with the correspondent's stated business profile. FINRA has cited inadequate correspondent account monitoring as a recurring examination finding in broker-dealers with significant international business.
Pre-Trade AML Gating
Traditional AML monitoring is reactive: suspicious activity is identified after the transaction has settled, in surveillance logs reviewed hours or days later. For broker-dealers with custodial control over transaction submission — including those authorizing USDC and stablecoin transfers on behalf of institutional clients — on-chain transactions offer a proactive alternative. Pre-trade AML gating screens a counterparty wallet address against OFAC's SDN list and blockchain analytics risk scores before the transaction is authorized or broadcast to the network. This pre-authorization screening is only available where the firm controls when transactions are submitted; it does not apply to non-custodial transfers where the client broadcasts transactions independently. Where it is available, it converts AML from a reactive detection function to a proactive compliance gate — preventing prohibited transactions from occurring rather than identifying them after on-chain finality, when remediation is substantially more complex.
AML compliance program — BSA and FINRA Rule 3310 framework
Devancore Glossary · devancore.com
How it works
1. Customer Identification and Due Diligence
Before monitoring begins, the broker-dealer fulfills Customer Identification Program (CIP) obligations under 31 CFR 1023.220: collecting name, date of birth, address, and identification number for each customer. For legal entity customers, the FinCEN CDD Rule (effective 2018) requires identifying and verifying beneficial owners — individuals with 25% or more ownership interest, plus at least one control person. Politically exposed persons (PEPs) are screened at onboarding and rescreened as databases are updated. The CDD record establishes the customer risk profile and stated business purpose against which all subsequent transaction activity is benchmarked. For customers conducting digital asset transactions, wallet addresses associated with the customer are linked to the identity record at this stage where possible.
2. Transaction Ingestion and Normalization
The monitoring system ingests transaction data from connected sources: order management systems, wire transfer systems, banking integrations, and blockchain analytics feeds for on-chain activity. Data is normalized into a common format — counterparty, amount, instrument type, jurisdiction, channel, timestamp — enabling rule-based and behavioral monitoring to apply consistently regardless of transaction rail. For digital asset transactions, the system also captures wallet addresses, on-chain transaction hashes, blockchain analytics risk scores, and Travel Rule identity data received from the sending institution.
3. Rule-Based Parameter Screening
Normalized transactions are evaluated against configured rule sets: cash activity thresholds (≥ $10,000 for CTR); transfer thresholds (≥ $3,000 for Travel Rule); high-risk jurisdiction flags; OFAC SDN list matches; PEP exposure; and structuring indicators — multiple below-threshold transactions within a defined time window. Each rule is calibrated to the firm's risk profile. Parameters set too broadly generate excessive false positives; parameters set too narrowly let genuinely suspicious activity escape detection. Calibration decisions and any subsequent changes to parameters must be documented in tuning logs — the record of why thresholds were set or adjusted. These logs are a standard FINRA examination request: examiners use them to assess whether the firm is actively maintaining its program or running static rules set at deployment.
4. Behavioral Baseline and Network Analysis
Behavioral monitoring compares current activity against a rolling baseline for each customer account — typically derived from 90 to 180 days of history, segmented by customer type and stated business purpose. Deviations generate anomaly scores: sudden volume increases, new counterparty types, activity inconsistent with stated purpose, or significant product mix changes. Network analysis adds a fourth dimension: mapping transactional relationships across the firm's customer population to identify account rings, coordinated structuring distributed across nominally unrelated accounts, and common counterparty clusters. Where blockchain analytics are integrated, on-chain transaction graphs extend this network analysis to wallet clusters associated with the firm's digital asset customers.
5. Alert Generation and Case Opening
When a transaction triggers a rule-based flag or crosses a behavioral anomaly threshold, the monitoring system generates an alert and queues it for analyst review. The 30-day SAR filing clock begins at this point — at the date of initial detection, not when the analyst opens the alert or when the compliance officer receives an escalation. Alerts meeting escalation criteria — by dollar amount, rule type, or pattern severity — are converted to formal cases and assigned to an AML analyst. The distinction between alert management and case management matters both operationally and in examinations: an alert is a system-generated event; a case is an investigated record with a documented disposition. FINRA examiners review both queues as separate compliance artifacts.
6. Case Investigation and SAR Decision
For each open case, the assigned analyst reviews KYC documentation, historical transaction records, account activity, and — for digital asset transactions — blockchain analytics output. The analyst documents reasoning, supporting evidence, and disposition: cleared with a documented explanation, placed under enhanced surveillance, or escalated to the AML compliance officer for SAR determination. All investigative steps must be retained as a complete evidentiary record. The compliance officer makes the final SAR filing decision; the "knows, suspects, or has reason to suspect" standard does not require proof of criminal activity, and good-faith filings are protected under the safe harbor at 31 U.S.C. § 5318(g)(2).
7. SAR Preparation and Filing
When a SAR is warranted, the filing is prepared and submitted to FinCEN via the BSA E-Filing System within 30 calendar days of the initial detection date — or 60 days if no suspect was identified at that time. The SAR narrative must describe the suspicious activity with sufficient specificity for law enforcement assessment. For digital asset transactions, the narrative should include on-chain transaction hashes, wallet addresses, blockchain analytics findings, and any Travel Rule identity data obtained. Filed SARs are retained for five years under 31 CFR 1023.320(d). Continuing activity SARs are scheduled on a 90-day cycle for persistent suspicious patterns.
8. Travel Rule Compliance
For wire transfers and stablecoin transfers of $3,000 or more (or $1,000 where the firm applies the FATF threshold for international counterparties), the firm transmits originator and beneficiary identifying information to the receiving institution. For digital asset transfers, this requires connectivity to a Travel Rule messaging network — TRUST or Veriscope — through which regulated institutions exchange identity data alongside the on-chain transfer. Transfers to non-compliant or unidentified counterparties require manual information exchange or refusal pending counterparty identification.
9. Program Review and Recalibration
Annual independent testing under Rule 3310 evaluates whether monitoring parameters remain appropriate for the firm's current business activities — critical when new products, such as digital asset settlement, have been added since the last review. Testing results and corrective actions are documented and retained. AML compliance officers also conduct periodic parameter-tuning reviews outside the annual test cycle, documenting false positive rates, alert volumes, SAR conversion rates, and threshold change rationale. These tuning logs — the record of why parameters were set or modified and when — are as important to examiners as the alert history itself: they demonstrate that the program is actively governed, not deployed and forgotten.
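The structuring indicator from step 3 (multiple below-threshold transactions within a defined time window) can be expressed as a rolling-window aggregation over the normalized records from step 2. This is an added example, not Devancore's rule engine; the field names, the three-day window and the three-transaction minimum are assumed tuning parameters of the kind a tuning log would record.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

CTR_THRESHOLD = 10_000        # CTR threshold stated on the page (USD)
WINDOW = timedelta(days=3)    # assumed tuning parameter, firm-specific
MIN_COUNT = 3                 # assumed: fewest transactions treated as a sequence

def detect_structuring(txns, threshold=CTR_THRESHOLD, window=WINDOW,
                       min_count=MIN_COUNT):
    """Alert when an account's sub-threshold cash transactions sum to the
    CTR threshold or more inside a rolling time window."""
    by_account = defaultdict(list)
    for t in txns:
        # Only cash below the threshold is a structuring candidate; a single
        # transaction at or above it goes down the ordinary CTR path instead.
        if t["channel"] == "cash" and t["amount"] < threshold:
            by_account[t["account"]].append(t)

    alerts = []
    for account, items in sorted(by_account.items()):
        items.sort(key=lambda t: t["ts"])
        win, total = deque(), 0
        for t in items:
            win.append(t)
            total += t["amount"]
            # Drop transactions that have aged out of the rolling window.
            while t["ts"] - win[0]["ts"] > window:
                total -= win.popleft()["amount"]
            if len(win) >= min_count and total >= threshold:
                alerts.append({"account": account, "count": len(win),
                               "total": total, "first_ts": win[0]["ts"],
                               "last_ts": t["ts"]})
                win.clear()   # start fresh so one sequence yields one alert
                total = 0
    return alerts

def make_tx(account, channel, amount, ts):
    """Build one normalized record (hypothetical field names)."""
    return {"account": account, "channel": channel, "amount": amount,
            "ts": datetime.fromisoformat(ts)}

# Constructed sample data, not real account activity.
SAMPLE_TXNS = [
    make_tx("A-100", "cash", 4_000, "2024-03-04T10:00"),
    make_tx("A-100", "cash", 3_500, "2024-03-05T09:30"),
    make_tx("A-100", "wire", 9_000, "2024-03-05T12:00"),   # not cash: ignored
    make_tx("A-100", "cash", 3_000, "2024-03-06T15:00"),   # trips the rule
    make_tx("B-200", "cash", 9_500, "2024-03-04T11:00"),   # single deposit
    make_tx("C-300", "cash", 4_000, "2024-03-01T09:00"),   # spread too thin
    make_tx("C-300", "cash", 4_000, "2024-03-06T09:00"),
    make_tx("C-300", "cash", 4_000, "2024-03-11T09:00"),
    make_tx("D-400", "cash", 12_000, "2024-03-05T14:00"),  # CTR path, not this rule
]

if __name__ == "__main__":
    for alert in detect_structuring(SAMPLE_TXNS):
        print(alert)
```

Narrowing the window to one day produces no alert on the same data, which is the calibration trade-off between false positives and missed activity described in step 3.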
AML alert workflow — detection through SAR filing decision
In Devancore™
AML monitoring — hybrid rail architecture
Broker-dealers operating across both traditional securities rails and digital asset settlement face a structural AML challenge: the monitoring obligation is uniform across all transaction types, but legacy AML systems were designed for wire transfers and securities trades — not on-chain USDC settlements, wallet address counterparties, and blockchain transaction graphs. Satisfying BSA and FINRA Rule 3310 obligations in a hybrid operating environment requires a monitoring architecture that normalizes both rail types into a single compliance view without creating separate, disconnected monitoring silos.
Unified Hybrid Monitoring
Devancore's AML monitoring layer ingests transactions across both traditional rails — wire transfers, securities trades, DTC settlements — and digital asset rails — USDC on-chain settlements, stablecoin transfers — into a unified surveillance engine. Rule-based parameters and behavioral baselines apply consistently regardless of rail type: a velocity threshold governs a sequence of wire transfers and a sequence of on-chain transfers under the same rule. Structuring and peeling chain detection run across both channels simultaneously, eliminating the compliance gap that arises when a firm's AML monitoring covers the securities leg of a trade but not the corresponding stablecoin settlement.
Pre-Trade Wallet Gating
For USDC settlements and on-chain transfers where Devancore controls transaction authorization, counterparty wallet addresses are screened against OFAC's SDN list and firm-configured risk policies before the transaction is submitted to the network. Addresses flagged against active sanctions designations or high-risk blockchain analytics profiles are blocked from settlement and routed to the AML compliance officer queue. This pre-authorization gate is available specifically because Devancore operates as a custodial submission layer — it does not apply where clients broadcast transactions independently.
Integrated Blockchain Analytics
Devancore integrates with leading blockchain analytics providers — including Chainalysis and TRM Labs — to supply wallet-level risk scores at the time of transaction authorization. Risk scores reflect transaction history, exchange attribution, darknet market exposure, mixing service linkage, and sanctions proximity. Scores above configured thresholds generate automatic holds on settlement authorization pending compliance officer review. The same analytics output is attached to any case and SAR prepared for the flagged transaction, providing the on-chain evidence record required for FINRA or FinCEN examination.
Automated SAR Preparation and Audit Trail
When a case is escalated to SAR status, Devancore pre-populates the FinCEN SAR filing with available transaction data: trade details, counterparty identifiers, on-chain transaction hashes, wallet addresses, blockchain analytics findings, and Travel Rule identity data where obtained. The SAR workflow tracks 30-day and 60-day filing deadlines from the initial detection date — not from the case assignment date — surfacing countdown timers to the AML compliance officer. Tuning log entries, exception records, case investigations, filing actions, and continuing activity SAR schedules are retained as a complete audit trail under Rule 17a-3 books-and-records obligations.