SEC Risk Alert: Broker-Dealers AML / CFT Programs

On July 31, 2023, the U.S. Securities and Exchange Commission’s (“SEC”) Division of Examinations (“Division”) published a Risk Alert sharing observations regarding anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”) compliance from its examinations of broker-dealers. This is a follow-up to a 2021 Risk Alert, which discussed compliance issues in the suspicious activity monitoring and reporting components of broker-dealers’ AML programs.

The Risk Alert notes the critical importance of AML compliance to the SEC and law enforcement’s pursuit of misconduct that may threaten the safety of investor assets and the integrity of the financial markets.  The July 31 Risk Alert presents examination observations from staff of the Division (“Staff”) about other key AML requirements, such as independent testing of firms’ AML programs, training of personnel, and identification and verification of customers and their beneficial owners.

Sufficient Resources

During its examinations, the Staff observed some registrants did not appear to devote sufficient resources, including personnel, to AML compliance given the volume and risks of the firm’s business.  This issue can be exacerbated in the current environment of new and increasing sanctions imposed by the Office of Foreign Assets Control (“OFAC”) against individuals and entities, particularly where the same firm personnel perform both AML and sanctions compliance functions.  The Staff also observed the effectiveness of policies, procedures and internal controls was reduced when firms did not consistently implement these measures.

Core Requirements

Citing relevant statutes and rules from the Financial Industry Regulatory Authority (“FINRA”), the Risk Alert notes broker-dealers are required to implement and maintain a written AML program, approved in writing by senior management, that includes, at a minimum:

  • policies, procedures, and internal controls reasonably designed to achieve compliance with the Bank Secrecy Act (“BSA”) and the BSA’s implementing regulations;
  • policies and procedures reasonably designed to detect and cause the reporting of transactions as required under the law;
  • the designation of an AML compliance officer responsible for implementing and monitoring the operations and internal controls of the program (including notification to FINRA);
  • ongoing employee AML training;
  • an independent test of the firm’s AML program, annually for most firms; and
  • appropriate risk-based procedures for conducting ongoing customer due diligence (“CDD”). The Staff notes these should include, but are not limited to, procedures to: (1) understand the nature and purpose of customer relationships to be able to develop a risk profile, and (2) conduct ongoing monitoring to identify and report suspicious transactions as well as maintain and update customer information, including beneficial ownership information for legal entity customers.

The Staff also notes that information gathered as part of the CDD process should be used for compliance with OFAC regulations. All U.S. persons, including broker-dealers as well as investment advisers and registered investment companies, must comply with regulations promulgated by OFAC, which administers and enforces sanctions against certain jurisdictions and foreign persons based on U.S. foreign policy and national security interests. With respect to beneficial ownership information for legal entity customers, the Risk Alert reminds broker-dealers that Rule 17a-8 under the Securities Exchange Act of 1934 requires compliance with the reporting, recordkeeping, and record retention requirements of the BSA—including the recordkeeping obligations set forth in the CDD Rule.

Independent Testing Requirement

Regarding the independent testing requirement, the Staff observed:

  • Some broker-dealers did not conduct testing in a timely manner or could not demonstrate (for example, by a report or other documentation) they conducted such testing.
  • Ineffective independent tests, citing instances in which (1) the tests did not cover aspects of the firm’s business or AML program, (2) the personnel conducting the testing were not independent or did not have the appropriate level of knowledge of the requirements of the BSA, or (3) the testing was conducted under requirements not applicable to the securities industry. In other instances, the Staff found firms were not able to demonstrate, via documentation or otherwise, that the independent testing adequately tested the firm’s compliance with its AML program.
  • In addition, the Staff found broker-dealers that did not timely address, or did not exhibit procedures for addressing, issues identified by independent testing.

Much like other areas of compliance, documenting your work is critically important.

Ongoing Training

The Staff found outdated training materials, which did not reflect changes in the law (e.g., the adoption of the CDD Rule) or were not tailored to the firm’s business activities (e.g., training materials focused on bank AML requirements, instead of broker-dealer requirements).  Also, many broker-dealers could not demonstrate all appropriate personnel attended the firms’ ongoing training or did not establish a process for following up with personnel who did not attend the required training.

It is important to maintain records of training sessions, including materials used and a list of attendees.  Compliance departments should follow up with employees who miss a training session and schedule a make-up session.

Customer Identification Program (CIP) Rule

The Risk Alert also shared observations regarding adherence to CIP requirements.  The Staff notes the CIP Rule requires a broker-dealer to establish, document, and maintain a written CIP appropriate for its size and business that includes, at a minimum, procedures for certain requirements including the following:

  • Obtaining the minimum specified customer identifying information from each customer prior to account opening;
  • Verifying the identity of each customer, to the extent reasonable and practicable, within a reasonable time before or after account opening—and, in circumstances in which the firm cannot verify a customer’s identity, implementing follow-on procedures describing:
    • When the firm should not open an account for the customer;
    • Terms under which a customer may conduct transactions while the firm attempts to verify the customer’s identity;
    • When the firm should close an account after attempts to verify a customer’s identity fail; and
    • When the firm should file a Suspicious Activity Report; and
  • Making and maintaining a record of information obtained under the firm’s procedures.

Citing to relevant rules and FINRA notices, the Staff notes CIP procedures must enable a broker-dealer to form a reasonable belief that it knows the true identity of each customer.  This should be based on the broker-dealer’s assessment of the relevant risks, including risks involved in the types of accounts and methods of opening accounts, types of identifying information available, and a broker-dealer’s size, location, and customer base.  The rule permits the use of documentary or non-documentary methods, or a combination of both, to verify a customer’s identity.

The Staff observed broker-dealers whose CIPs were not properly designed in order to allow a firm to form a reasonable belief that it knows the true identity of customers.  Some examples from the Risk Alert include the following:

  • Broker-dealers who did not perform any CIP procedures as to investors in a private placement, where customer relationships established with the registrant to effect securities transactions appeared to be formal relationships for purposes of the CIP Rule;
  • Firms that did not collect customers’ dates of birth, identification numbers, or addresses, or permitted accounts to be opened by individuals providing only a P.O. box address;
  • Failure to verify the identity of customers, including instances in which the firm’s files indicated that verification was complete but required information was missing, incomplete, or invalid;
  • A failure to use exception reports to alert the firm when a customer’s identity is not adequately verified in accordance with the CIP Rule, even though such use would be appropriate given the size and nature of the firm’s business.

Customer Due Diligence and Beneficial Ownership Requirements

Finally, the Risk Alert described deficiencies around CDD and beneficial ownership requirements. The CDD Rule requires a broker-dealer’s AML program to contain written procedures reasonably designed to identify and verify the identity of beneficial owners of legal entity customers. To the extent reasonable and practicable, broker-dealers must use risk-based procedures to verify the identities of each beneficial owner. These procedures must, at a minimum, contain the elements required for verifying the identity of customers who are individuals under the CIP Rule.

The CDD Rule also has a recordkeeping component.  This requires a broker-dealer to establish procedures for creating and maintaining a record of all information obtained under its CDD procedures, including descriptions of documents relied on for identity verification and nondocumentary methods used, and the resolution of substantive discrepancies in the verification.

FinCEN’s AML Program Rule explicitly requires risk-based procedures for conducting ongoing customer due diligence, to include understanding the nature and purpose of customer relationships for the purpose of developing a “customer risk profile.”  This refers to “information gathered about a customer to develop the baseline against which customer activity is assessed for suspicious transaction reporting.”

The Staff observed broker-dealers that had not updated their AML programs and, as appropriate, new account forms and procedures to account for the adoption of the CDD Rule. Additionally, the Staff found:

  • Procedures that, in violation of the CDD Rule, permitted an entity to be listed as a beneficial owner without a corresponding requirement to obtain adequate information about beneficial owners of the entity;
  • The opening of new accounts for legal entity customers without identifying all of the legal entity’s beneficial owners, including where no beneficial ownership information was obtained, required information was missing, or no control person was identified;
  • Some firms did not obtain documentation necessary to verify the identity of beneficial owners of legal entity customers, including by accepting expired government issued identification, or otherwise did not perform such verification, or did not document the resolution of discrepancies noted by firm personnel or a firm’s third-party identity verification vendor;
  • Failure to follow internal procedures, including procedures requiring the firm obtain information about certain underlying parties acting through omnibus accounts.

This Risk Alert provides excellent insights into the Staff’s expectations of broker-dealers around AML and CFT requirements. It also cites to other relevant authority, including OFAC, FINRA and FinCEN. Broker-dealers should use this Risk Alert to evaluate their AML programs and consider addressing any areas of concern noted in the alert.

