Study guide
Roughly a third of the Series 99 tests professional conduct: spotting money laundering, handling complaints, protecting customer information, and understanding how a firm supervises itself. This chapter covers the anti-money-laundering duties that fall on operations staff, complaint and event reporting rules, the privacy regulations, and the supervisory architecture from written procedures to business continuity planning.
AML in Operations: Red Flags, SARs, and Escalation
The Bank Secrecy Act, expanded by the USA PATRIOT Act, requires every broker-dealer to maintain an anti-money-laundering program with several required elements: written policies and internal controls, a designated AML compliance officer, ongoing employee training, independent testing of the program, and customer due diligence procedures, including identifying the beneficial owners of legal entity customers. Section 326 supplies the Customer Identification Program at account opening, but AML duty does not end there; operations employees sit where the money actually moves, so they are the front line for detection. Classic operational red flags include deposits structured just under the currency reporting threshold, incoming wires promptly wired out with no business purpose, funds arriving from or leaving to unrelated third parties, journals between accounts with no apparent relationship, customers indifferent to cost or risk, and deposits of large blocks of low-priced stock followed by immediate liquidation and withdrawal. A broker-dealer must file a Suspicious Activity Report, a SAR, with FinCEN for transactions of 5,000 dollars or more that it knows, suspects, or has reason to suspect involve illegal funds, evasion of the BSA, or no lawful purpose, generally within 30 days of detection, extended to 60 days when no suspect is identified. SAR filings are strictly confidential; disclosing to the customer that a SAR was or may be filed is itself a violation. The operations employee's job is escalation, not investigation. When Omar in cashiering notices a customer making 9,500 dollar deposits three days running, he documents what he saw and reports it to the AML officer; he does not question the customer or delay quietly on his own.
Customer Complaints and Regulatory Reporting: Rules 4513 and 4530
A customer complaint, for FINRA purposes, is a written grievance, and written includes email and other electronic messages, from a customer or someone acting on the customer's behalf, alleging mishandling of the account or misconduct connected with the firm's business. FINRA Rule 4513 requires firms to keep records of written customer complaints at each office of supervisory jurisdiction, either the complaints themselves or a clear record of where they are kept, and to preserve those records for at least four years. FINRA Rule 4530 adds two reporting streams. First, the firm must report specified events to FINRA within 30 calendar days of learning of them, including findings that the firm or an associated person violated securities laws, certain regulatory actions, criminal matters, and settlements above rule-defined dollar thresholds. Second, the firm must file quarterly statistical and summary information about written customer complaints, due by the fifteenth day of the month following the end of each calendar quarter. None of this works unless complaints actually reach the compliance department, which is why the exam emphasizes the duty of every employee, very much including operations staff, to forward complaints rather than resolve them informally. If a customer emails the cage complaining that a transfer was mishandled and hints the representative misled her, the operations clerk who fixes the transfer and deletes the email has created a reporting violation. The correct sequence is to route the complaint to supervision or compliance immediately, let the firm log it, investigate it, and respond through proper channels, and keep any records intact.
Privacy: Regulation S-P, Regulation S-ID, and NOBO versus OBO
Regulation S-P is the SEC's privacy rule for broker-dealers. It requires a clear notice of the firm's privacy practices at account opening and, in most cases, annually thereafter, although the annual notice may be omitted when the firm shares information only under the rule's exceptions and its practices have not changed, and it generally requires giving customers the ability to opt out before nonpublic personal information is shared with nonaffiliated third parties, subject to exceptions for service providers and legally required disclosures. Its safeguards provisions require written policies reasonably designed to protect the security and confidentiality of customer records, and its disposal provisions require that consumer report information be destroyed properly, shredded or securely wiped, not tossed in a dumpster. Amendments adopted in 2024 go further, requiring firms to maintain incident response programs and, in general, to notify affected individuals of breaches of sensitive customer information within about 30 days, with compliance dates that phased in by firm size and are now fully in effect as of June 2026. Regulation S-ID, the identity theft red flags rule, requires firms offering covered accounts to maintain a written program to detect, respond to, and mitigate identity theft red flags, such as a suspicious address change followed by a request to wire funds. A separate privacy distinction involves shareholder communications for street name positions. Beneficial owners are classified as NOBOs, non-objecting beneficial owners, or OBOs, objecting beneficial owners. A firm may give an issuer a list of its NOBOs so the issuer can communicate with them directly, but OBO identities are withheld, and the issuer must reach OBOs through the firm or its proxy distribution agent. Operations staff process these elections and must code them correctly.
Information Barriers, Segregation of Duties, and the Supervisory Framework
Broker-dealers routinely possess material nonpublic information, and information barriers, historically called Chinese walls, are the policies, physical separations, and system entitlements that keep it from leaking between departments, for example from investment banking to trading or from operations staff processing a tender offer to anyone who might trade on it. Watch lists and restricted lists let compliance monitor or restrict trading in affected securities. Inside the operations department itself, the parallel control is segregation of duties: the person who sets up wire instructions should not be the person who releases the wire, the person who reconciles the bank account should not be the person moving money through it, and dual approval should protect high-risk actions. Vacations and rotation matter because frauds often surface when the perpetrator is away. The supervisory rules form a three-layer structure worth memorizing. FINRA Rule 3110 requires a supervisory system, including written supervisory procedures, WSPs, reasonably designed to achieve compliance, with designated principals, supervision of each office, and review of correspondence and transactions. Rule 3120 requires a separate system of supervisory control policies that test and verify the supervisory procedures themselves, with a report to senior management at least annually. Rule 3130 requires the chief executive officer to certify annually that the firm has processes in place to establish, maintain, review, test, and modify its compliance policies, following consultation with the chief compliance officer. Senior operations personnel, those with decision-making authority over covered operations functions, must themselves register as Operations Professionals.
Business Continuity, Vendor Due Diligence, and Communications
FINRA Rule 4370 requires every member firm to maintain a written business continuity plan, a BCP, addressing how the firm will meet its obligations to customers during a significant business disruption. The plan must be tailored to the firm's business and address, as applicable, data backup and recovery, mission-critical systems, alternate communications with customers and employees, alternate physical locations, regulatory reporting, and how customers will get prompt access to their funds and securities if the firm cannot continue. The BCP must be reviewed and updated as needed, at least annually is the common practice, and a disclosure summarizing it must be given to customers at account opening, posted on the firm's website, and mailed on request. Firms must also designate two emergency contact persons with FINRA. Outsourcing is the second theme: firms routinely hire vendors for statement printing, data processing, or back-office functions, but responsibility cannot be outsourced. The firm must perform due diligence before engaging a vendor and monitor it afterward, evaluating the vendor's ability to perform, its information security, its financial stability, and its use of subcontractors, and certain functions requiring registration or supervision cannot be delegated to a non-member at all. Finally, communications with the public under FINRA Rule 2210 fall into three categories: correspondence, sent to 25 or fewer retail investors within 30 days; retail communications, to more than 25; and institutional communications. Retail communications generally require approval by a registered principal before use, and all communications must be fair, balanced, and free of exaggerated or misleading claims, a standard that applies just as much to an operations status letter as to an advertisement.
Key terms
- Suspicious Activity Report (SAR)
- — The confidential FinCEN filing required for transactions of 5,000 dollars or more that the firm knows or suspects involve illicit funds or lack lawful purpose, generally due within 30 days of detection.
- Structuring
- — Breaking cash transactions into amounts below the 10,000 dollar reporting threshold to evade a Currency Transaction Report; a federal crime and an automatic escalation.
- PATRIOT Act Section 326
- — The statutory basis for the Customer Identification Program, requiring collection and verification of identifying information before an account is opened.
- Customer complaint (Rule 4513)
- — A written grievance, including electronic messages, alleging account mishandling or misconduct; records must be kept at the OSJ for at least four years.
- FINRA Rule 4530
- — The rule requiring firms to report specified events within 30 calendar days and to file quarterly statistical summaries of written customer complaints.
- Regulation S-P
- — The SEC privacy rule requiring privacy notices, opt-out rights before sharing nonpublic personal information with nonaffiliated third parties, safeguards, and breach response.
- Regulation S-ID
- — The identity theft red flags rule requiring a written program to detect, respond to, and mitigate identity theft indicators for covered accounts.
- NOBO / OBO
- — Non-objecting beneficial owners may be identified to the issuer for direct communication; objecting beneficial owners must be reached only through the carrying firm.
- Information barrier
- — Policies, physical separation, and system controls that prevent material nonpublic information from flowing between departments of a firm.
- Written supervisory procedures (WSPs)
- — The written procedures required by FINRA Rule 3110 documenting how the firm supervises its business, personnel, and offices to achieve compliance.
- Rule 3130 certification
- — The annual certification by the chief executive officer, after consulting the chief compliance officer, that the firm has processes to establish, review, and test its compliance policies.
- Business continuity plan (Rule 4370)
- — The required written plan describing how a firm will meet obligations to customers during a significant business disruption, summarized in a disclosure provided to customers.
Exam tips
- Keep SAR and CTR separate: a CTR is mechanical, currency over 10,000 dollars in a day; a SAR is judgment-based, suspicious activity of 5,000 dollars or more, filed confidentially within 30 days.
- Never tip the customer: revealing that a SAR has been or may be filed is itself a violation, and the operations employee's role is to escalate to the AML officer, not investigate.
- For Rule 4530, remember two clocks: 30 calendar days to report specified events, and quarterly complaint statistics due by the fifteenth day after quarter end.
- Distinguish the supervision trio: 3110 is the supervisory system and WSPs, 3120 tests the system with an annual report to senior management, and 3130 is the CEO's annual certification.
- NOBO versus OBO is a frequent one-liner: issuers may contact NOBOs directly but must reach OBOs through the broker-dealer.