United States: SEC Risk Alert Highlights Observations From Anti-Money Laundering Compliance Examinations Of Broker-Dealers

SEC exam staff highlights issues regarding independent testing and personnel training, customer identification, due diligence and beneficial ownership requirements, and OFAC compliance

On July 31, 2023, the Division of Examinations (the "Division") of the U.S. Securities and Exchange Commission ("SEC") published a risk alert (the "Alert") highlighting observations from examinations of broker-dealers regarding their compliance with certain key anti-money laundering ("AML") obligations.¹ Specifically, the Alert discusses the Division's observations relating to independent testing of firms' AML programs and training of their personnel, Customer Identification Programs ("CIPs"), as well as Customer Due Diligence ("CDD") and beneficial ownership requirements. Moreover, the Division observed weaknesses in firms' Office of Foreign Assets Control ("OFAC") compliance programs. The Alert emphasizes the importance of firms dedicating sufficient resources (including staffing) to the performance of AML and sanctions compliance functions, particularly in the current environment of new and increasing sanctions imposed by OFAC against individuals and entities. This Legal Update provides a brief summary of the Division's observations.

Background

As background, broker-dealers' compliance with applicable AML and financial sanctions laws and regulations has been a consistent focus of the Division for years. For example, the Division highlighted compliance issues in the suspicious activity monitoring and reporting components of broker-dealers' AML programs in a 2021 risk alert.² Additionally, the Division has included AML as an annual examination priority for at least five consecutive years, including most recently in 2023.³ Over the same period, the SEC has brought numerous enforcement actions against broker-dealers for AML-related deficiencies. Likewise, FINRA's 2023 report on its examination and risk monitoring program includes a section addressing AML and sanctions related compliance considerations, examination findings and effective practices.⁴

Firms should use the Alert to review and, as appropriate, enhance/update their AML policies, procedures and controls to ensure that issues highlighted in the Alert are appropriately addressed and that such policies, procedures and controls are fully implemented and enforced by firm personnel.

General Observations on Broker-Dealer AML Programs

The staff observed that certain firms did not appear to devote sufficient resources (including staffing) to AML compliance given the volume and risks of their business, which is an issue that can be exacerbated by the current environment of new and increasing OFAC-imposed sanctions against individuals and entities, particularly where the same firm personnel perform both AML and sanctions compliance functions. In addition, the effectiveness of policies, procedures and internal controls was reduced when firms did not implement those measures consistently. These observations reinforce the importance of each firm fully implementing and enforcing its AML program and providing it with sufficient resources.

Independent Testing and Training

Broker-dealers are required to implement and maintain a written AML program that includes, among other things, an independent test of the firm's AML program (annually for most firms) and ongoing employee AML training.

With respect to the independent testing requirement, the staff observed:

• Broker-dealers that either did not conduct testing in a timely manner or could not demonstrate (for example, by a report or other documentation) that they conducted such testing.
• Independent tests that appeared ineffective because: (i) they did not cover aspects of the firm's business or AML program; (ii) the personnel conducting the testing was not independent or did not have the appropriate level of knowledge of the requirements of the Bank Secrecy Act; or (iii) the testing was conducted under requirements not applicable to the securities industry. In other instances, the firm was unable to demonstrate (via documentation or otherwise) that the independent testing adequately tested the firm's compliance with its AML program.
• Broker-dealers that did not timely address, or have procedures for addressing, issues identified by independent testing.

With respect to ongoing employee AML training, the staff observed:

• Training materials that were not updated based on changes in the law (e.g., the adoption of the CDD rule, 31 C.F.R. § 1010.230 (the "CDD Rule") in 2016) or tailored to the risks, typologies, products and services, and business activities of the broker-dealer (e.g., training materials focused on bank AML requirements).
• Broker-dealers that could not demonstrate all appropriate personnel attended the firms' ongoing training or did not establish a process for following up with personnel who did not attend required training.

CIP Rule

The staff observed broker-dealers whose CIPs appeared not to be properly designed to enable the firm to form a reasonable belief that it knows the true identity of customers. For example, the staff observed firms that did not:

• Perform any CIP procedures as to investors in a private placement, where customer relationships established with the registrant to effect securities transactions appeared to be formal relationships for purposes of the CIP rule for broker-dealers, 31 C.F.R. § 1023.220 (the "CIP Rule").
• Collect customers' dates of birth, identification numbers, or addresses, or permitted accounts to be opened by individuals providing only a P.O. box address.
• Verify the identity of customers, including instances in which the firms' files indicated that verification was complete but required information was missing, incomplete, or invalid.
• Use exception reports to alert the firm when a customer's identity is not adequately verified in accordance with the CIP Rule, even though such use would be appropriate given the size and nature of the firm's business.
• Accurately document aspects of a firm's CIP regarding the firm's review of alerts generated by third-party vendors to monitor for missing, inconsistent, or inaccurate information.
• Follow procedures of their own CIP (such as reviewing and documenting the resolution of discrepancies in customer information and conducting searches through third-party vendors).

CDD and Beneficial Ownership Requirements

The staff observed broker-dealers that had not updated their AML programs and, as appropriate, new account forms and procedures to account for the adoption of the CDD Rule in 2016. Additionally, with respect to CDD and beneficial ownership requirements, the staff observed:

• Procedures that, in violation of the CDD Rule, permitted an entity to be listed as a beneficial owner without a corresponding requirement to obtain adequate information about beneficial owners of the entity.
• The opening of new accounts for legal entity customers without identifying all of the legal entity's beneficial owners, including where no beneficial ownership information was obtained, required information was missing, or no control person was identified.
• Firms that did not obtain documentation necessary to verify the identity of beneficial owners of legal entity customers (including by accepting expired government issued identification) or otherwise did not perform such verification, or did not document the resolution of discrepancies noted by firm personnel or a firm's third-party identity verification vendor.
• Failure to follow internal procedures that required obtaining information about certain underlying parties acting through omnibus accounts.

OFAC Compliance

The Alert highlights certain weakness in firms' OFAC compliance programs. In particular, these weaknesses included instances in which firms did not adopt or implement reasonable, risk-based internal controls for: (1) following-up on potential matches with the sanctions lists and documenting the outcome of such follow-up; (2) performing periodic or event-based screening of existing clients or customers based on, among other things, changes in ownership or to the sanctions lists; and (3) conducting OFAC searches in a timely manner (or documenting that such searches were completed). Firms should ensure they allocate sufficient staffing and other resources necessary for the performance of these compliance functions given the current environment of new and increasing OFAC-imposed sanctions against individuals and entities.

Footnotes

1. SEC Division of Examinations, Observations from Anti-Money Laundering Compliance Examinations of Broker-Dealers (Jul. 31, 2023).

2. See SEC Division of Examinations, Compliance Issues Related to Suspicious Activity Monitoring and Reporting at Broker-Dealers (Mar. 29, 2021).

3. See, e.g., the Division's examination priorities letters for 2019, 2020, 2021, 2022 and 2023.

4. See FINRA, 2023 Report on FINRA's Examination and Risk Monitoring Program (January 2023).

Visit us at mayerbrown.com

Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.

© Copyright 2023. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.