On March 6, 2026, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) announced a consent order with an $80 million civil money penalty against Canaccord Genuity LLC (“Canaccord” or the “Firm”), an SEC-registered broker-dealer, for violations of the Bank Secrecy Act (“BSA”) during the period March 2018 to June 2024.[1] FinCEN noted that this enforcement action marks “the largest penalty ever imposed against a broker-dealer for violating the BSA,” and FinCEN Director Andrea Gacki stated that this action is as “a wake-up call to broker-dealers that willfully fail to comply with their obligations to safeguard the financial system from illicit actors.”[2] The Securities and Exchange Commission (“SEC”) and Financial Industry Regulatory Authority (“FINRA”) separately announced resolutions with the company for $20 million each, with FinCEN crediting Canaccord’s payment of those penalties.[3]
These coordinated enforcement actions underscore regulators’ continued focus on broker-dealers’ anti‑money laundering (“AML”) programs. FinCEN’s findings emphasize that AML programs must be risk‑based, adequately resourced, and supported by effective data and governance. In this memorandum, we discuss the enforcement actions and provide key takeaways for broker-dealers.
Background
The Consent Order focused on the Firm’s role as an “active market maker[] in OTC low-volume and low-priced securities,” particularly between 2018 and 2022. FinCEN noted that regulators have “repeatedly highlighted heightened risks and ‘red flags’ associated with these types of securities,” including because they “often lack public information, have no minimum listing standards, lack liquidity, and have high volatility.”
FinCEN’s Findings
Overview: FinCEN’s findings covered “several different issues, but at its core, Canaccord failed to devote adequate resources to ensure compliance with the BSA.” FinCEN noted that the Firm failed to “sufficiently invest in the hiring, training, and oversight of AML personnel,” and reports “often went unreviewed for months or years at a time by AML personnel.” FinCEN noted that the resources dedicated to the Firm’s AML program were “inadequate to manage the risks the Firm’s business model entailed,” and for many years “the team responsible for reviewing Canaccord’s full suite of reports consisted of just four employees, all of whom had additional responsibilities.” Further, the Firm had no formal AML compliance training prior to November 2021. Regular exams by FINRA identified “deficiencies in Canaccord’s AML program, including Canaccord’s failure to implement an adequate program for detecting and reporting suspicious activity,” but Canaccord allegedly failed to remediate the issues. Canaccord also allegedly did not conduct adequate independent testing, with audit reports reflecting an “inadequate understanding of the risks presented” by Canaccord’s business lines and failing to identify “apparent gaps” in its controls.
The major AML issues identified by FinCEN include:
- Deficiencies in the Firm’s Trade Surveillance Reports: To monitor for potentially suspicious activity, the Firm relied on “trade surveillance reports” that FinCEN found suffered from “fundamental design flaws and longstanding data issues.” Certain reports were generated using a “manual filter” designed to “manage the scope of the review,” including the use of “arbitrary numbers” without “consideration for the actual risk profile of transactions captured by the report.” As a result, thresholds were “not reasonable” under a risk‑based framework, and some reports were “simply ‘too long’ to review.” These design and data weaknesses were compounded by severe resourcing and governance failures. Oversight of the program was delegated to a Head of Trading Compliance who “lacked prior AML experience” and received minimal training, while “just four Canaccord employees”—each with other non-trade surveillance responsibilities—were responsible for “reviewing more than 100 unique reports,” many of which were run on a daily basis. FinCEN found that these deficiencies “caused critical reports to go unreviewed—and suspicious activity undetected—for extended periods of time,” with some alerts going unreviewed for years.[4]
- Customer Due Diligence (“CDD”) Failures: FinCEN found systemic “failures in conducting CDD at onboarding and on an ongoing basis,” citing multiple “relationships that posed heightened AML risk but were not identified or monitored as such.” At onboarding, Canaccord applied “the same, basic diligence for all customers without consideration of the risk the customer posed.” As a result, “higher‑risk applicants were subject to the same level of CDD as lower‑risk customer applicants,” and the Firm “lacked processes to reasonably address red flags” at account opening, including for foreign financial institutions posing elevated AML risks. Ongoing CDD was similarly deficient: for a significant period, Canaccord had not “implemented a process to consistently update customers’ due diligence files after the customer’s initial onboarding,” and when a process was introduced in November 2023, it was not retroactively applied to existing customers. FinCEN identified numerous high‑risk customers that were not subject to appropriate CDD.
- Correspondent Banking Due Diligence Failures: In addition to the failures with regard to CDD generally, the FinCEN enforcement action specifically notes that “Canaccord operated foreign financial institution correspondent accounts without confirming that the customer information satisfied regulatory requirements” and consistently did not require or even request “critical information,” including the “nature of the foreign financial institution’s business and the markets it serves” in order to “properly mitigate the risks associated with such accounts.” For example, Canaccord onboarded a Bahamas-based foreign bank without conducting sufficient due diligence and failed to conduct enhanced due diligence even after the Firm’s BSA Officer, law enforcement, and another financial institution raised concerns about the client.
- Failure to Report Suspicious Activity: FinCEN found that Canaccord’s control failures allowed its platform to be “used by illicit actors engaged in securities fraud,” while the Firm failed to report suspicious activity “despite readily apparent red flags.” A preliminary SAR lookback by an independent consultant retained by the Firm identified at least 160 SARs that should have been filed. FinCEN cited multiple examples involving “market manipulation” of microcap securities, including instances in which Canaccord, despite its “role as a market maker buying and selling millions of shares,” “failed to detect red flags of suspicious activity.” In one case, following an SEC trading suspension citing “unusual and unexplained market activity,” the Firm “resumed trading in the business’ stock and did not appear to review its own activity.” Despite an internal recommendation to file a SAR, Canaccord “never filed a SAR on suspicious transactions” involving the stock.
- SEC Order: Similarly, the SEC’s Order addressed the Firm’s failure to file SARs from February 2019 through March 2022 in violation of Exchange Act Rule 17a-8.[5] The SEC noted that the Firm failed to file SARs during this period concerning suspicious activity involving “pump and dump schemes,” instances where a “single or small number of traders” made up “a significant portion of trading volume in a thinly traded or low-priced security,” and “significant trading in a thinly traded or low-priced security leading up to and/or following a Commission trading suspension.” The SEC noted remedial acts undertaken by the Firm, including “an increase in AML compliance staffing, updated AML exception reports, revised processes for SAR consideration and filing, retention of third-party consultants to conduct a comprehensive review of the Firm’s AML compliance program, new supervision and review protocols, and new trade surveillance tools.”
Enforcement Factors
In assessing the $80 million civil money penalty, FinCEN applied the factors set forth in its 2020 Statement on Enforcement of the BSA. FinCEN emphasized that Canaccord’s deficiencies affected fundamental aspects of its AML program, persisted over an extended period, and resulted in significant harm to investors through fraud schemes. FinCEN credited the FINRA and SEC penalties against the $80 million penalty and suspended $5 million of the penalty based on Canaccord’s completion of the SAR lookback, resulting in a net payment of $35 million to the Department of the Treasury.
Key Takeaways and Practical Implications
In the enforcement action, FinCEN emphasized that AML programs must be risk‑based and commensurate with the risks posed by a firm’s business model, including fraud risks inherent in microcap and penny stock trading. The Canaccord resolution highlights regulators’ expectations that broker‑dealers invest adequately in transaction monitoring systems, data quality, staffing, and training, particularly where higher‑risk products or customers are involved.
The action coincides with the March 2026 release of the U.S. Department of the Treasury’s 2026 National Money Laundering Risk Assessment.[6] Among other areas, it addresses the money laundering risks posed by broker-dealers, noting that “broker-dealers have exposure from customers seeking to disguise illicit proceeds within otherwise legitimate trades or engage in fraudulent trading activity (e.g., pump-and-dump schemes involving low-priced securities).” The Consent Order observes that “customers based in high-risk jurisdictions impose other AML/CFT-related risks on broker-dealers, such as those associated with their source of wealth or the counterparties with which they may transact.”
The Canaccord enforcement action marks the largest FinCEN enforcement action against a broker-dealer, reinforcing a trend of regulators bringing AML and sanctions-related enforcement actions against broker-dealers. In the past two calendar years, the SEC brought 12 enforcement actions against broker-dealers in connection with AML failures and FINRA brought 34 such enforcement actions.[7]
In addition to AML obligations, broker-dealers must comply with OFAC sanctions regulations. On March 17, 2026, OFAC imposed a civil penalty against TradeStation Securities, Inc., a Florida-based brokerage firm for allegedly “provid[ing] investment services to customers located in Iran, Syria, and the Crimea region of Ukraine” based on failures in the firm’s geo-blocking systems and failures to test or validate those systems. OFAC noted that the action highlights “the importance of regular testing and auditing to ensure sanctions compliance controls are effectively mitigating risk and preventing sanctions violations.”[8] Similarly, as noted in our 2025 Year in Review report, OFAC brought an enforcement action against broker-dealer Interactive Brokers LLC in July 2025 for providing brokerage and investment services to more than 200 accountholders located in comprehensively sanctioned jurisdictions, resulting in nearly 12,000 apparent violations.[9] OFAC highlighted that broker-dealers making use of real-time automated systems to manage large amounts of transactional activity “should consider appropriate investments to ensure the modernization of their sanctions compliance programs alongside the innovation and development of their customer-facing platform technologies that interact with the U.S. financial system.”
Looking ahead, the SEC’s examination priorities for FY2026 suggest that the Division of Examinations will continue to focus on broker-dealers’ AML programs, noting that AML “programs should be tailored to address the risks associated with a firm’s location, size, and activities, including the customers they serve, the types of products and services offered, and how those products and services are offered.”[10] The SEC noted that examiners will “continue to focus on AML programs and review whether broker-dealers” are taking appropriate measures, including “appropriately tailoring and updating their AML program to their business model and associated AML risks.”[11]
Given this sustained regulatory attention, broker‑dealers may wish to consider proactively reviewing their AML and sanctions compliance programs to ensure they are appropriately tailored, adequately resourced, and aligned with regulatory expectations.
* * *
[1] FinCEN, “FinCEN Assesses Historic $80 Million Penalty Against Canaccord Genuity LLC for Securities Fraud-Related Bank Secrecy Act Violations” (Mar. 6, 2026), available here (the “FinCEN Penalty”).
[2] Id.
[3] Id.; U.S. Securities and Exchange Commission, “SEC Charges Registered Broker-Dealer Canaccord Genuity LLC with Failing to File Suspicious Activity Reports,” (March 6, 2026), available here (the “SEC Penalty”).
[4] In 2021, Canaccord determined that certain reviews required under its policies “were not performed” and that “certain employees had falsified documentation of their purported reviews.” See SEC Penalty. Canaccord reported these issues to FINRA and “subsequently terminated these employees after completing an investigation of the issue.” Id.; FinCEN Penalty.
[5] Exchange Act Rule 17a-8, promulgated under Section 17(a) of the Securities Exchange Act of 1934, requires broker-dealers registered with the SEC to comply with the reporting, recordkeeping, and record retention requirements of the BSA, including SAR-filing requirements. See SEC v. Alpine Sec. Corp., 308 F. Supp. 3d 775, 798–800 (S.D.N.Y. 2018), aff’d, 982 F.3d 68 (2d Cir. 2020), cert. denied, 142 S. Ct. 461 (2021).
[6] U.S. Department of the Treasury, “2026 National Money Laundering Risk Assessment,” (March 2026), available here.
[7] Id. These reflect the assessment period of January 1, 2024 to December 31, 2025.
[8] OFAC, “TradeStation Securities, Inc. Settles with OFAC for $1,110,661 Related to Apparent Violations of Multiple Sanctions Regulation,” March 17, 2026 (available here).
[9] Paul, Weiss, “Economic Sanctions and Anti-Money Laundering Developments: 2025 Year in Review,” available here.
[10] U.S. Securities and Exchange Commission Division of Examinations, “Examination Priorities,” (November 2025), available here.
[11] The SEC also noted that examiners will review whether broker-dealers are “accounting for risks associated with omnibus accounts maintained for foreign financial institutions; [] adequately conducting independent testing; [] establishing an adequate customer identification program, including for beneficial owners of legal entity customers; and [] meeting their Suspicious Activity Report filing obligations.”
Related Insights
