United States: SEC Exam Staff Issues Alert Highlighting Deficiencies In Broker-Dealers' AML Programs

On July 31, 2023, the staff of the US Securities and Exchange Commission's ("Commission") Division of Examinations ("Exam Staff") issued a risk alert ("Alert") highlighting various deficiencies in the anti-money laundering ("AML") programs of certain broker-dealers during the most recent SEC examination cycle.¹ The Alert highlights the Exam Staff's observations regarding inadequacies in broker-dealers' AML programs, including with respect to compliance with independent testing and training requirements, as well as inadequacies relating to implementation of the broker-dealers' customer identification program ("CIP") and procedures relating to the customer due diligence ("CDD") requirement.² The Alert reminds broker-dealers of the Exam Staff's previous guidance³ regarding the requirement to implement adequate policies and procedures related to identifying suspicious activity and filing suspicious activity reports ("SARs") timely.⁴

We summarize each of the Exam Staff's identified AML program deficiencies below.

Independent Testing

The Exam Staff observed that many firms failed to adequately conduct or document the independent testing of their AML programs, including failing to: conduct testing in a timely manner (e.g., on a calendar-year basis) or more frequently, if needed; or maintain documentation sufficient to demonstrate to Exam Staff that the firm conducted such testing and/or to demonstrate that the independent testing adequately tested the firm's compliance with its AML program. Further, Exam Staff pointed out that in some instances where issues were identified by independent testing, firms failed to timely address such issues or have procedures for addressing such issues.

In addition, the Exam Staff noted that a number of independent tests appeared ineffective because the tests: did not cover aspects of the firm's business or AML program; the personnel conducting the testing were not independent or did not have the appropriate level of knowledge of the requirements of the BSA; or the testing was conducted under requirements not applicable to the securities industry.

In addition to these findings by the Exam Staff, the Alert reminds broker-dealers that FINRA has provided additional guidance concerning a broker-dealer's obligations related to independent testing of the AML program.⁵ Exam Staff notes that, with respect to the independent testing requirements of the AML rules, broker-dealers often failed to conduct adequate independent testing of their AML program by: not testing critical aspects of the AML program for reasonableness; or conducting testing that is not reasonably designed, such as testing that fails to consider whether the reports and systems used in the firm's AML compliance program are accurately capturing suspicious transactions or are reasonably tailored to the AML risks of the member's business.

Exam Staff specifically notes that many firms failed to adequately conduct testing in those instances where firms have taken on new products, services or clients that had a material impact on the firm's AML risk profile.

Training

With regard to AML training, the Exam Staff observed that a number of firms failed to provide adequate training to appropriate personnel, including by:

• Failing to update training materials based on changes in the law, industry developments impacting AML risk, and/or regulatory developments (e.g., the change in law requiring the adoption of the CDD rule);
• Utilizing training materials that were not tailored to the products, services and business activities of the broker-dealer and that failed to address the risks associated with such activities (e.g., training materials focused on bank AML requirements); or
• Failing to demonstrate that all appropriate personnel attended the firms' training or by not implementing a process for ensuring that personnel who did not attend required training, ultimately completed the training.

CIP Compliance

Exam Staff observed that a number of broker-dealers failed to adequately maintain CIP procedures that were reasonably designed to enable the firm to form a reasonable belief that it knows the true identity of customers, including by failing to:

• Perform any CIP diligence as to investors in a private placement, in instances where a formal customer relationship was established to effect securities transactions;
• Verify the identity of customers, collect adequate customer identifying information (e.g., dates of birth, identification numbers or addresses), or permitted accounts to be opened by individuals providing only a P.O. box address;
• Maintain adequate documentation regarding customer identity, including instances where firms indicated that verification was complete but required information was missing, incomplete or invalid;
• Use exception reports to alert the firm when a customer's identity is not adequately verified in accordance with the CIP Rules;
• Accurately document the firm's review of alerts generated by third-party vendors to monitor for missing, inconsistent or inaccurate information; or
• Review and document the resolution of discrepancies in customer information and conducting searches through third-party vendors.

CDD Compliance

Exam Staff also observed that certain broker-dealers failed to update their AML programs, including, where applicable their new account forms, to address the mandate to collect beneficial ownership from certain persons under the CDD rule. Specifically, Exam Staff found that certain firms:

• Maintained procedures that permitted an entity to be listed as a beneficial owner without a corresponding requirement to obtain adequate information about beneficial owners of the entity;
• Permitted the opening of new accounts for legal entity customers without identifying all of the legal entity's beneficial owners;
• Did not obtain documentation necessary to verify the identity of beneficial owners of legal entity customers, including by accepting expired government issued identification, or did not document the resolution of discrepancies noted by firm personnel or a firm's third-party identity verification vendor; or
• Failed to obtain information about certain underlying parties acting through omnibus accounts.

Staffing and Compliance Resources

The Exam Staff also found a number of firms failed to devote sufficient resources, including staffing, to AML compliance given the volume of transactions and risks present in their business. Moreover, where a firm's AML compliance function also devotes resources to sanctions compliance, the Exam Staff observed that firms lacked compliance resources sufficient to properly comply with applicable AML and financial sanctions laws and regulations, especially in light of the frequency in which new and increasing sanctions are currently imposed by the Office of Foreign Assets Control.

Conclusion

AML continues to be an examination priority for the Commission⁶ and FINRA. Firms should expect increased scrutiny by regulators of their AML compliance programs and, in particular, whether any of the deficiencies identified in the Alert are present in the firm's AML program and compliance function. Firms should continue to proactively review and enhance their AML programs to ensure that their policies, procedures and internal controls are tailored to their specific business risks and appropriately implemented.

Footnotes

1. See Securities and Exchange Commission, Division of Examinations, Risk Alert: Observations from Anti-Money Laundering Compliance Examinations of Broker-Dealers (July 31, 2023), available here.

2. The Bank Secrecy Act and its implementing regulations, requires that broker-dealers develop, implement, and maintain AML compliance programs, among other requirements. 31 U.S.C. §§ 5311-5336; 31 C.F.R. Part 1023. Broker-dealers who are FINRA members are also governed by the anti-money laundering requirements in FINRA Rule 3310.

3. Securities and Exchange Commission, Division of Examinations, Risk Alert: Compliance Issues Related to Suspicious Activity Monitoring and Reporting at Broker-Dealers (March 29, 2021), available here.

4. See SRZ's previous Alert regarding the substance of this alert, available here.

5. See 2023 Report on FINRA's Examination and Risk Monitoring Program, FINRA (Jan.10, 2023), available here.

6. See Securities and Exchange Commission, Division of Examinations, 2023 Examination Priorities (Feb. 7, 2023), available here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.