Adherence with the Anti-Money Laundering (AML) rules is a critical component of the compliance program for broker-dealers. Under FINRA Rule 3310 broker-dealers are required to develop and implement an AML program that is “reasonably expected to detect and cause the reporting of suspicious transactions.” The 2023 Report on FINRA’s Examination and Risk Monitoring Program summarizing findings from recent examinations identifies areas to be considered when assessing the effectiveness of an AML compliance program. Key areas highlighted within the report include customer identification and due diligence, suspicious activity reporting, and independent testing. Below, we will discuss specific practices firms may want to consider to help prevent non-compliance in these areas.
Customer Identification and Due Diligence
Firms have an obligation to have a formal Customer Identification Program (CIP) program to identify and verify their customers when they establish a relationship. Firms should also have an appropriate understanding of their customer relationships to ensure that potentially suspicious activity can be identified and reported when it occurs. Customer due diligence (CDD) is a fundamental aspect of this requirement. Firms should have a proper understanding of the nature of their customers and their expected behavior so that activity outside of the norm without reasonable explanation can be appropriately investigated.
According to the report, firms are struggling with correctly recognizing the nature of the customer relationship and at times not considering CIP or CDD requirements. Failing to obtain the necessary information and recognize that the rules apply can result in significant AML violations with the potential to impact a large volume of customer relationships. Particularly, the rules apply when the firm establishes a formal relationship to effect transactions in securities (including sales of securities, security lending, holding of securities, or safekeeping). Firms will want to specifically review the definition of “account” and “customer” under the AML regulations to ensure that they can avoid mistakenly excluding a relationship as an account subject to the rules.
FINRA has also identified circumstances where firms fail to collect all necessary information at the time of an account opening to satisfy CIP and beneficial ownership rules. Firms should have strict and defined standards that customer-facing personnel must follow regarding collecting and verifying the required information. Firms should also establish internal controls, such as a quality control review, exception reporting, or other activities that can help identify situations where the information has not been collected or reported.
Even if a firm has identified that CDD applies, the firm needs to also ensure that it properly conducts the CDD analysis. This applies not only when the relationship is initially established, but also on a periodic basis thereafter. Firms should establish a risk-based timeline whereby their customers are reviewed for any potential suspicious activity. The higher the risk that the customer presents, the more often the firm should perform this review. Standardizing the process may be helpful, such as creating a formal review schedule.
Suspicious Activity Monitoring and Reporting
The identification and reporting of suspicious activity is one of the most fundamental purposes of AML rules. It is critical for firms to ensure their controls for identifying and reporting such activity are appropriate. The FINRA report identified a variety of findings with inadequate monitoring and/or reporting of suspicious activity.
Firms must have appropriate policies and procedures in place that ensure the detection of suspicious activity. Such procedures should be in writing and referenceable by the staff. The procedures need to be of appropriate depth to encompass the various types of suspicious activity that can occur throughout the relationship. Rather than including just a list of areas where suspicious activity can occur, more detailed instructions that are customized for the firm’s operations provide more value. Firms should also identify red flags for possible suspicious activity and sufficiently train staff to be aware of their existence and occurrence.
Additionally, firms should ensure that any external requests relating to potential criminal activity, such as a subpoena or court order, are considered for suspicious activity investigation and reporting purposes. Simply responding to the request is not sufficient. If actual suspicious activity occurred at or through the firm and reaches the reporting threshold, the firm also has an obligation to make a suspicious activity report filing. Firms should expand such considerations beyond just formal law enforcement requests but also apply them to any requests from clearing firms, regulators, or other parties that may indicate that an investigation is warranted.
It is also important to consider that AML obligations are not a responsibility solely for the AML and compliance staff. Any individual within the firm who could interact with customers or their transaction activity is able to identify suspicious activity. In fact, at times, such individuals will be in a better position to identify such activity than the AML/compliance staff. These employees should be trained to identify any possible scenarios and understand the importance of communicating it to the AML staff. The firm’s notification process should be simple enough to comply with without creating any unnecessary reporting barriers.
Independent Testing
The FINRA report identified areas of criticism regarding an independent AML testing program. An effective independent AML audit will not only help the broker-dealer comply with technical requirements but will also present an opportunity to identify areas where mistakes are occurring or where improvements can be made before a regulatory examination. Most firms need to ensure that the independent testing occurs on an annual basis, with the period being extended up to two years for entities with special circumstances (firms that don’t execute transactions or hold customer accounts).
The report stressed the importance that the person performing the testing is appropriately independent and has the necessary qualifications. For example, having the firm’s compliance officer perform the audit testing would not be considered sufficiently independent if that individual also plays a key role in the day-to-day performance of AML duties. Furthermore, an individual with extensive experience auditing financials but limited to no experience with AML compliance could also fail to perform an effective audit.
It is critical for the scope and depth of the independent testing to be appropriate to comply with the regulatory requirements. Beyond simply checking for the existence of a policy and asking about the existence of internal controls, appropriate testing must occur. Proper testing is utilized to validate policies and controls, and determine whether there are any significant gaps where potential money laundering or other reportable activity is being missed. The testing should drill down not only to suspicious activity reports filed, but also the reports and systems that are utilized to identify any potentially reportable activity. The unique nature of the firm and its customers should factor into the testing scope and performance. Matters such as the firm’s AML risk profile, any changes in products, services, or customers, internal changes, as well as the risks and threats that specifically impact the firm should be considered.
Conclusion
Following the practices above should reduce the risk of the firm being cited for a violation or AML program deficiency in an examination. As a best practice, firms should keep a continuous watch on new FINRA reports and guidelines. Reviewing publicly announced penalties or other actions taken against firms and companies with AML obligations is another helpful source of areas of possible concern and examiner scrutiny. Firms should also periodically review their existing policies and procedures and assess staff knowledge to ensure that they avoid any potential breakdowns.
If you need any assistance developing, implementing, or assessing the effectiveness of your AML program, or if you have any questions about AML in general, reach out to our team.
