Earlier this week, the US Securities and Exchange Commission’s (SEC’s) Division of Examinations published a Risk Alert outlining its examination observations about key AML requirements.
The Alert emphasized the independent testing of firms’ AML programs and training of their personnel, and the importance of identifying and verifying customers and their beneficial owner details.
AML program deficiency
The SEC said some registrants did not appear to devote sufficient resources, including staffing, to AML compliance in relation to the volume and risks of their business. The agency said it recognized that this issue can be exacerbated in the current environment of increasing sanctions imposed by the US Treasury’s Office of Foreign Assets Control (OFAC), particularly where the same firm personnel perform both AML and sanctions compliance functions.
The SEC also noted that the effectiveness of a firm’s policies, procedures, and internal controls was reduced when firms did not implement those measures consistently.
The SEC said that its examiners observed some broker-dealers that did not conduct testing in a timely manner or could not demonstrate (for example, by a report or other documentation) that they conducted such testing.
Bank Secrecy Act
And when independent testing appeared ineffective, it was for reasons such as those tests not covering aspects of the firm’s business or AML program or the personnel conducting the testing not being independent or not having the appropriate level of knowledge of the requirements of the Bank Secrecy Act (BSA) and its implementing rules.
The independent testing rule is encapsulated in FINRA Rule 3310.
In addition, some registrants’ training materials were not updated based on changes in the law or tailored to the risks, typologies, products and services, and business activities of the firm.
In some cases, firms’ files indicated that verification was complete, but some required information was missing, incomplete, or invalid.
Also, some firms could not demonstrate that all appropriate personnel attended the firms’ ongoing training or possess a process for following up with personnel who did not attend required training.
Customer Identification Program
The Customer Identification Program (CIP) Rule requires a broker-dealer to establish, document, and maintain a written CIP appropriate for its size and business. Customer identification and verification is a core element of the business’s customer due diligence (CDD) obligations under the Bank Secrecy Act.
SEC examiners found instances in which broker-dealers failed to collect customers’ dates of birth, identification numbers, or addresses, or permitted accounts to be opened by individuals providing only a PO box address.
In some cases, firms’ files indicated that verification was complete, but some required information was missing, incomplete, or invalid. And some businesses failed to perform any CIP procedures about investors in a private placement.
Vendors proved to be a challenge here, as some businesses failed to document aspects of their CIP that pertained to their firm’s review of alerts generated by third-party vendors, thereby not documenting how they were monitoring for any missing, inconsistent, or inaccurate information.
CDD and beneficial ownership
The CDD Rule requires a broker-dealer’s AML program to contain written procedures that are reasonably designed to identify and verify the identity of beneficial owners of legal entity customers, as that term is defined in the rule. (Generally, it means identifying up to four individuals directly or indirectly owning 25% or more of the equity interests of the legal entity and also a single individual with significant responsibility to control, manage, or direct the legal entity.)
The procedures should enable a broker-dealer to identify the beneficial owners of each of its legal entity customers at the time a new account is opened.
The SEC said deficiencies it found included the opening of new accounts for legal entity customers without identifying all of the legal entity’s beneficial owners, including where no beneficial ownership information was obtained or control person identified.
Some others just did the identification poorly, including by accepting expired government-issued identification.
The SEC encouraged registrants to consult its AML Source Tool for Broker-Dealers as guidance on how to comply with key AML laws, rules, orders, and guidance applicable to broker-dealers.