Key Takeaways

• On July 31, 2023, following extensive examination of broker-dealers regarding their anti-money laundering (AML) compliance, the Securities and Exchange Commission’s (SEC) Division of Examinations (Division) released a risk alert recommending that broker-dealers tighten their AML compliance programs.
• In the alert, the Division presented examination observations about key elements of effective AML programs, noting deficiencies in independent testing, training, and complying with the Customer Identification Program (CIP) and Customer Due Diligence (CDD) Rules and U.S. sanctions programs.
• Importantly, the risk alert makes clear that broker-dealers’ AML programs must be more than just paper, meaning in practice, they are properly supported and tested and periodically revised.
• Given recent consent orders imposing multi-million dollar fines, broker-dealers should ensure that their AML programs are compliant with the Bank Secrecy Act (BSA) because the SEC is likely to be less lenient in AML-related enforcement actions brought after the publication of this most recent alert.

For years, the SEC has focused on broker-dealers complying with all applicable AML and financial sanctions laws and regulations, including the BSA and its implementing regulations. For example, in 2021, the Division issued a risk alert that focused on compliance issues related to suspicious activity monitoring and reporting. Since 2022, the SEC has brought several enforcement actions against broker-dealers related to deficiencies in their AML programs, each resulting in millions of dollars in fines. These risk alerts and enforcement actions reinforce the need for broker-dealers to review and update their AML compliance programs accordingly.

General Observations

The Division first discussed general observations about the broker-dealers’ AML compliance programs, noting that some broker-dealers did not appear to devote sufficient resources to their AML programs, given the volume and risks of their operations, which may have increased with recent additional sanctions imposed by the Office of Foreign Assets Control (OFAC). The Division was particularly concerned about under-resourced compliance programs where the same firm personnel perform both AML and sanctions compliance functions. The Division also noted that the effectiveness of policies, procedures and internal controls was reduced when firms did not implement those measures consistently.

Specific Observations

Independent Testing and Training

The BSA requires broker-dealers to independently test their AML programs to assess the firm’s compliance with BSA regulatory requirements, relative to their risk profiles, and the overall adequacy of their programs. According to the Federal Financial Institutions Examination Council’s BSA/AML Manual, this independent testing should be conducted by the firm’s internal audit department, outside auditors, consultants or other qualified independent parties. Firms that do not employ outside auditors or consultants or do not have internal audit departments may comply with this requirement by using qualified staff who are not involved in the function being tested. The BSA also requires broker-dealers to train their personnel involved with BSA compliance on aspects of the BSA that are relevant to the firm and its risk profile.

The Division highlighted deficiencies in broker-dealers’ implementation of the independent testing requirement. In the most egregious instances, broker-dealers could not demonstrate that they had conducted independent testing at all, or they had failed to conduct testing in a timely manner. When firms did conduct independent testing, the Division observed that the personnel conducting the testing were not independent or did not have the appropriate level of knowledge of the requirements of the BSA; the testing was ineffective because it did not cover aspects of the firm’s business or AML program; and/or firms did not timely address or have procedures to address issues identified during independent testing.

With respect to training, the Division observed that broker-dealers’ training materials did not reflect updates in the law, specifically the adoption of the CDD Rule, and were not tailored to the risks, products and business activities of the broker-dealer. Broker-dealers also could not demonstrate that the appropriate personnel attended the ongoing trainings or that they established a process for following up with personnel who did not attend.

Customer Identification Program

The BSA’s CIP Rule requires broker-dealers to establish, document and maintain a written CIP tailored to the size and nature of their business. Broker-dealers must, at a minimum, obtain customer information at account opening, verify customer identities, implement follow-up procedures when the customer’s identity cannot be verified – including potentially filing a Suspicious Activity Report – and maintain the information collected.

The Division observed that broker-dealers’ CIPs were not properly designed to enable the firms to form a reasonable belief that they know the true identity of their customers. For example, broker-dealers generally did not perform any CIP procedures for private placement investors; collect basic information such as dates of birth, ID numbers or addresses; verify customers’ identities where information was missing, incomplete or invalid; or generate alerts when a customer’s identity was not adequately verified. The Division also observed that the firms did not accurately document aspects of their CIPs regarding the firm’s review of third-party alerts on missing, incomplete or inaccurate information, or follow their own CIPs, including reviewing and documenting resolution of discrepancies.

Customer Due Diligence

Adopted in 2016, the CDD Rule requires AML programs to contain written risk-based procedures that are reasonably designed to identify and verify the identity of the beneficial owners of legal entity customers.[1] The Division observed that broker-dealers had not updated their AML programs and new account forms and procedures to account for the adoption of the CDD Rule. In addition, the Division observed that broker-dealers, in violation of the CDD Rule, maintained procedures that permitted entities to be listed as beneficial owners without a corresponding requirement to obtain information about the beneficial owners of the entity. The Division flagged the opening of new accounts for legal entity customers where no or inadequate beneficial ownership was obtained; inadequate verification of the identity of beneficial owners that were identified; and failure to follow internal procedures that required information about certain underlying parties acting through omnibus accounts.

OFAC Compliance

Finally, the Division reminded broker-dealers that they must comply with OFAC regulations, which require all U.S. persons to refrain from transacting with sanctioned persons and maintain risk-based sanctions compliance programs as appropriate. During the examinations, the Division observed certain weaknesses in OFAC compliance programs, including instances where broker-dealers did not adopt or implement reasonable, risk-based internal controls for (1) following up on potential sanctions list matches and documenting the outcome of such follow-up; (2) performing periodic or event-based screening of existing clients or customers based on, among other things, changes in ownership or to the sanctions lists; and (3) conducting OFAC searches in a timely manner (or documenting that such searches were completed).

[1] Generally, up to four individuals directly or indirectly owning 25 percent or more of the equity interests of the legal entity and also a single individual with significant responsibility to control, manage or direct the legal entity.

[View source.]