31 CFR Part 1023 — Rules for Brokers or Dealers in Securities

Part 1023 of 31 CFR is the FinCEN rulebook applicable to brokers or dealers in securities (as defined in Section 3(a)(4) and (a)(5) of the Exchange Act). It implements the Bank Secrecy Act with respect to this industry sector and is the operative source for the broker-dealer AML program requirement, the Customer Identification Program (CIP) rule, the Suspicious Activity Report (SAR-SF) rule, the Currency Transaction Report (CTR) rule, and ancillary recordkeeping requirements.

Subpart A — General Definitions (cross-references to 31 CFR 1010).

"Broker or dealer in securities" is defined by cross-reference to the Exchange Act. "Account" is defined for CIP purposes at § 1023.100(a). Other defined terms (e.g., "customer," "U.S. person," "non-U.S. person") track the definitions in 31 CFR Part 1010.

---

§ 1023.210 — Anti-money laundering program.

(a) Compliance program requirement.

Each broker or dealer in securities shall develop and implement a written anti-money laundering program that is reasonably designed to prevent the broker-dealer from being used to facilitate money laundering and the financing of terrorist activities. The program must be approved in writing by a member of senior management and made available to the Department of the Treasury and the SEC upon request.

(b) Minimum requirements.

The program shall, at a minimum:

1. Establish and implement written policies, procedures, and internal controls reasonably designed to achieve compliance with the Bank Secrecy Act and the implementing regulations; 2. Provide for independent testing for compliance to be conducted by the broker-dealer's personnel or by a qualified outside party; 3. Designate an individual or individuals responsible for implementing and monitoring the operations and internal controls of the program (the "AML Compliance Officer"); 4. Provide ongoing training for appropriate personnel; 5. Include appropriate risk-based procedures for conducting ongoing customer due diligence, to include, but not be limited to: (i) Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and (ii) Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.

(c) Relationship to other requirements.

Compliance with the AML program requirement is separate from, and in addition to, compliance with the CIP rule (§ 1023.220), the SAR-SF rule (§ 1023.320), and other applicable regulations. FINRA Rule 3310 incorporates the requirements of paragraph (b) for FINRA-member broker-dealers; FINRA-enforcement cases frequently cite both the FinCEN rule and Rule 3310.

---

§ 1023.220 — Customer Identification Program (CIP).

(a) Minimum requirements.

A broker-dealer must implement a written Customer Identification Program appropriate for its size and business that, at a minimum, includes the procedures described below. The CIP must be a part of the broker-dealer's AML program required under § 1023.210.

(1) Identity verification procedures.

The CIP must include risk-based procedures for verifying the identity of any person seeking to open an account, to the extent reasonable and practicable. The CIP must contain procedures that describe when the broker-dealer will use documents, non-documentary methods, or a combination of both methods to verify identity.

(2) Required customer information.

Before opening an account, the broker-dealer must obtain from the customer the following identifying information (subject to exceptions for accounts that are opened via a non-U.S. person customer):

- Name; - Date of birth (for an individual); - Address, which must be: (A) for an individual, a residential or business street address; (B) for an individual who does not have a residential or business street address, an Army Post Office or Fleet Post Office box number, or the residential or business street address of next of kin or of another contact individual; or (C) for a person other than an individual (such as a corporation, partnership, or trust), a principal place of business, local office, or other physical location; and - Identification number, which must be: (A) for a U.S. person, a taxpayer identification number (e.g., Social Security Number, individual taxpayer identification number, or employer identification number); or (B) for a non-U.S. person, one or more of the following: a taxpayer identification number; passport number and country of issuance; alien identification card number; or number and country of issuance of any other government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard.

(3) Verification.

The CIP must contain procedures for verifying the identity of the customer, using the information obtained in accordance with paragraph (a)(2), within a reasonable time after the account is opened. The procedures must describe when the broker-dealer will use documents, non-documentary methods, or a combination of both.

- Documents. For an individual, an unexpired government-issued identification evidencing nationality or residence and bearing a photograph or similar safeguard (e.g., a driver's license or passport). For a person other than an individual, documents showing the existence of the entity (e.g., certified articles of incorporation, a government-issued business license, a partnership agreement, or a trust instrument). - Non-documentary methods. Contacting the customer, independently verifying the customer's identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source; checking references with other financial institutions; and obtaining a financial statement. Non-documentary methods must address situations where an individual is unable to present an unexpired government- issued identification document that bears a photograph or similar safeguard; the broker-dealer is not familiar with the documents presented; the account is opened without obtaining documents; the customer opens the account without appearing in person at the broker-dealer; and where the broker-dealer is otherwise presented with circumstances that increase the risk that the broker-dealer will be unable to verify the true identity of a customer through documents.

(4) Lack of verification.

The CIP must include procedures for responding to circumstances in which the broker-dealer cannot form a reasonable belief that it knows the true identity of a customer. These procedures should describe: when the broker-dealer should not open an account; the terms under which a customer may use an account while the broker-dealer attempts to verify the customer's identity; when the broker-dealer should close an account, after attempts to verify the customer's identity have failed; and when the broker-dealer should file a SAR-SF in accordance with applicable law and regulation.

(5) Recordkeeping.

The broker-dealer must maintain a record of all information obtained under the CIP. At a minimum, the record must include:

- All identifying information about the customer obtained under paragraph (a)(2); - A description of any document relied on pursuant to paragraph (a)(3)(i), noting the type of document, any identification number contained in the document, the place of issuance, and, if any, the date of issuance and expiration date; - A description of the methods and results of any measures undertaken to verify the identity of the customer pursuant to paragraph (a)(3)(ii); and - A description of the resolution of any substantive discrepancy discovered when verifying the identifying information obtained.

The broker-dealer must retain the information obtained under paragraph (a)(2) for five years after the account is closed; and the information described in the second and third bullets above for five years after the record is made.

(6) Comparison with government lists.

At the time an account is opened, the broker-dealer must have procedures for determining whether the customer appears on any list of known or suspected terrorists or terrorist organizations issued by any federal government agency and designated by Treasury. The comparison must be made within a reasonable period of time after the account is opened.

(7) Customer notice.

The broker-dealer must provide customers with adequate notice that the broker-dealer is requesting information to verify their identity.

(8) Reliance on another financial institution.

The CIP may include procedures specifying when the broker-dealer will rely on the performance by another financial institution (including an affiliate) of any procedures of the CIP, with respect to any customer of the broker-dealer that is opening, or has opened, an account or has established a similar business relationship with the other financial institution. Reliance is permissible if (i) such reliance is reasonable under the circumstances; (ii) the other financial institution is subject to a rule implementing 31 U.S.C. 5318(h) and is regulated by a federal functional regulator; and (iii) the other financial institution enters into a contract requiring it to certify annually to the broker-dealer that it has implemented its AML program and that it will perform (or its agent will perform) specified requirements of the broker-dealer's CIP.

---

§ 1023.230 — Customer due diligence rule (beneficial ownership).

For each legal entity customer that opens a new account after May 11, 2018, the broker-dealer must establish and maintain written procedures that are reasonably designed to identify and verify the beneficial owners of the legal entity customer. "Beneficial owner" means:

1. Each individual, if any, who directly or indirectly, owns 25% or more of the equity interests of the legal entity customer (the "ownership prong"); and 2. A single individual with significant responsibility to control, manage, or direct the legal entity customer (the "control prong").

The broker-dealer must identify and verify the beneficial owners using risk-based procedures substantially similar to those used for CIP purposes for individual customers. The beneficial-ownership rule may be substantially modified upon the implementation of the beneficial ownership information reporting framework under the Corporate Transparency Act at 31 CFR 1010.380; firms should monitor FinCEN rulemaking in this area.

---

§ 1023.320 — Reports by brokers or dealers of suspicious transactions.

(a) General.

A broker-dealer shall file with FinCEN, to the extent and in the manner required by this section, a report of any suspicious transaction relevant to a possible violation of law or regulation. A broker-dealer may also file with FinCEN a report of any suspicious transaction that it believes is relevant to the possible violation of any law or regulation but whose reporting is not required by this section.

(b) Filing obligations.

A broker-dealer is required to file a SAR-SF if it knows, suspects, or has reason to suspect that a transaction conducted or attempted by, at, or through the broker-dealer involves funds derived from illegal activity or is intended or conducted in order to hide or disguise funds or assets derived from illegal activity; is designed, whether through structuring or other means, to evade any requirements of the Bank Secrecy Act; has no business or apparent lawful purpose or is not the sort in which the particular customer would normally be expected to engage, and the broker-dealer knows of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction; or involves use of the broker-dealer to facilitate criminal activity. A transaction requires reporting if it involves or aggregates funds or other assets of at least $5,000.

(c) Filing deadlines.

A broker-dealer must file the SAR-SF no later than 30 calendar days after the date of initial detection of facts that may constitute a basis for filing. If no suspect is identified on the date of such initial detection, a broker-dealer may delay filing for an additional 30 calendar days to identify a suspect, but in no case may reporting be delayed more than 60 calendar days after the date of initial detection.

(d) Confidentiality.

A SAR-SF, and any information that would reveal the existence of a SAR-SF, shall be confidential. No broker-dealer, and no director, officer, employee, or agent of such broker-dealer, shall disclose a SAR-SF or any information that would reveal the existence of a SAR-SF. Permitted disclosures include disclosure to FinCEN, the SEC, FINRA, the NFA, and other appropriate law enforcement or supervisory authorities.

(e) Retention of records.

A broker-dealer shall maintain a copy of any SAR-SF filed, and the original or business-record equivalent of any supporting documentation, for a period of five years from the date of filing. Supporting documentation must be made available to FinCEN and to other appropriate law enforcement and regulatory agencies upon request.

---

§ 1023.410 — Currency transaction report (CTR-SF).

A broker-dealer that is involved in a transaction in currency of more than $10,000 must file a CTR-SF with FinCEN within 15 days after the date of the transaction. Multiple currency transactions during one business day are treated as a single transaction if the broker-dealer has knowledge that they are by or on behalf of the same person and result in either cash-in or cash-out totaling more than $10,000.

---

Compliance notes for Kestrel Securities

- **AML program.** Kestrel maintains a written AML program, approved by the Board, refreshed annually. Independent testing is performed annually by an outside firm; results are reported to the Board's Audit Committee. - **AMLCO.** The designated AML Compliance Officer is a principal with FINRA registration and sits within the Compliance function. - **CIP.** Kestrel uses a vendor-hosted identity-verification service that performs document verification and non-documentary checks against OFAC, PEP, and third-party databases. "Account closed without verification" cases are logged and reviewed by Compliance monthly. - **Beneficial ownership.** For legal-entity customers (approximately 120 accounts, mostly corporate cash-management and trust accounts), a certification form is executed at account opening and refreshed every three years or upon a material change. - **SAR-SF.** A Transaction Monitoring System generates alerts that are reviewed by an analyst and escalated as warranted. SAR filings are approved by the AML Compliance Officer. In 2025 Kestrel filed 14 SAR-SFs, a small increase over 2024. - **CTR.** Kestrel does not accept physical cash and therefore has no CTR filings in the relevant period; the policy nonetheless preserves capacity to file if needed.