AML Obligations of Broker-Dealers

Jonathan N. Eisenberg is a partner in the Government Enforcement practice at K&L Gates LLP. This post is based on a K&L Gates publication by Mr. Eisenberg, Stephen G. Topetzes, Vincente L. Martinez and Joseph A. Valenti.

Since 2002, as part of their anti-money laundering (“AML”) responsibilities, broker/dealers have had a gatekeeper-like obligation to monitor customers for “suspicious” activities and to report those activities to the Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”). In the words of the Financial Industry Regulatory Authority (“FINRA”), “Just as firms have a primary responsibility to supervise their associated persons and ensure that they are not involved in fraudulent schemes, firms must also be vigilant regarding their customers.” [1]

Despite considerable resources that broker/dealers have devoted to meeting their AML responsibilities, many firms are falling short of FINRA’s expectations. Over the last decade, FINRA brought hundreds of enforcement actions against broker/dealers and AML compliance officers (“AMLCOs”) for AML violations. [2] In 2015 alone, AML was referenced in 33 FINRA Acceptance, Waiver and Consents (“AWC”), 18 Orders Accepting Offers of Settlement, and nine FINRA complaints initiating enforcement actions. In 2016, FINRA imposed its largest AML-related fine ever against two affiliated firms even though the firms had very substantial AML programs.

We review below 12 key ways broker/dealers and AMLCOs can reduce the likelihood of being named in FINRA AML-related enforcement actions. We base this analysis on a review of i) every litigated FINRA AML-related enforcement action, ii) every settlement of a FINRA AML-related enforcement action since January 2015, as well as many of the larger settlements before that time, iii) FINRA’s AML-related rules, and iv) guidance that FINRA has provided in the form of notices to members and yearly regulatory and examinations priorities letters. Many of the areas covered may seem basic, but deficiencies in these areas account for the vast majority of FINRA AML-related enforcement actions. The 12 areas are:

  1. tailoring the firm’s AML procedures to the risks posed by the firm’s business and customer mix rather than relying on out-of-the-box policies and procedures, such as FINRA’s small-firm AML template;
  2. providing resources adequate to address the risks;
  3. implementing a strong customer identification program;
  4. filing suspicious activity reports (“SARs”) when firms have “reason to suspect” unlawful or other “suspicious” activity even if a firm does not know that the activities are unlawful;
  5. rigorously reviewing red flags rather than relying on self-serving or superficial responses, and fully documenting the reviews conducted;
  6. avoiding or carefully addressing the risks posed by penny stock transactions, including both fraud risk and registration risk;
  7. avoiding or carefully addressing “market access” (especially market access provided to high-frequency traders), including a robust, automated surveillance program for manipulative trading;
  8. avoiding or carefully addressing correspondent accounts of foreign financial institutions, including enhanced due diligence;
  9. avoiding or carefully addressing doing business with customers with questionable backgrounds;
  10. analyzing and following up on regulatory inquiries into potentially suspicious activities;
  11. undertaking meaningful and independent annual reviews of AML programs; and
  12. checking the completeness and accuracy of the data sources on which AML surveillance is based.

After we provide a very brief overview of AML obligations in the Background section below, we turn to deficiencies that led to FINRA enforcement actions in the 12 areas. The discussion of the enforcement actions is designed to give the reader a practical feel for the types of AML-related shortcomings that have led to enforcement actions in the past. Deficiencies in these areas are also most likely to lead to enforcement actions in the future.


Background

In April 2002, in response to Congress’s enactment of the 2001 USA Patriot Act, the NASD adopted Rule 3011 (now FINRA Rule 3310). The rule requires broker/dealers to develop and implement written anti-money laundering programs. [3] At a minimum, the programs must:

  • be approved in writing by a member of senior management;
  • establish and implement policies and procedures that can be reasonably expected to detect and cause the reporting of “suspicious transactions” relevant to a possible violation of law or regulation;
  • establish and implement policies, procedures, and internal controls reasonably designed to achieve compliance with the Bank Secrecy Act and its implementing regulations;
  • provide independent testing of the AML program;
  • designate and identify to FINRA an individual or individuals responsible for implementing and monitoring the AML program; and
  • provide ongoing training for appropriate personnel.

Rule 3310 is similar to Department of Treasury Rule 31 CFR 1023.210, “Anti-Money Laundering Program Requirements for Brokers or Dealers in Securities,” except that the latter adds:

  • appropriate risk-based procedures for conducting ongoing customer due diligence, to include, but not be limited to:
    • understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and
    • conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.

12 Critical Obligations

1. Tailoring AML Programs to the Most Significant Risks

AML policies and procedures are required to be risk-based. In a number of cases, FINRA has sanctioned firms in part because they used out-of-the-box AML policies and procedures rather than policies and procedures tailored to the risks posed by their businesses. Similarly, the SEC National Associate Director for the Broker-Dealer Examination Program stated, “In our examiners’ experience, the ‘reasonably designed’ standard is not met where firms rely on boilerplate language or templates or ‘off-the-shelf’ programs that are not tailored to their customers, products, services, geographic locations, or methods of customer interface.” [4]

For example, in a decision by FINRA’s National Adjudicatory Council, FINRA stated that a market maker’s policies and procedures with respect to suspicious activities enumerated 25 examples of AML issues identified in Special NASD Notice to Members 02-21 and the template provided by FINRA to small firms to assist these firms in establishing AML programs, and that the procedures should, instead, have focused on the risks that might arise in connection with its market-making activities, such as market manipulation, noncompetitive trading, or fictitious trading. While the firm also had a “Capital Markets Manual” that covered trading abuses, FINRA stated that these were not addressed in the context of AML concerns. FINRA deemed the AML procedures “not reasonably designed” because they included red flags that were largely irrelevant to its business and omitted red flags that were central to its business. Other cases have also found AML procedures deficient when firms used FINRA’s small-firm AML template or other out-of-the-box procedures without tailoring those procedures to the risks of their businesses.

In a more recent case, involving the largest fines FINRA has ever imposed for AML-related violations, the AWC stated that two affiliated firms failed to establish AML programs tailored to each firm’s business and instead relied on a patchwork of written procedures and systems across different departments to detect suspicious activities. FINRA stated that the firms lacked adequate written procedures to monitor certain high-risk activities, including:

  • transfers of funds to unrelated accounts without any apparent business purpose;
  • journaling securities and cash between unrelated accounts for no apparent business purpose, particularly internal transfers of cash from customer accounts to employee or employee-related accounts; and
  • movements of funds, by wire transfer or otherwise, from multiple accounts to the same third party.

They also lacked adequate procedures to monitor for high-risk incoming wire activity, such as third-party wires and wires received from known money laundering or high-risk jurisdictions.

As we discuss below, firms whose customers engage in penny stock transactions, firms that provide “market access” to customers, firms that do business with correspondent accounts of foreign financial institutions, and firms whose customers have a history of regulatory problems are at particular risk if they fail to tailor their AML procedures to the risks posed by these businesses and customers.

2. Providing Resources Adequate to Address the Risks

AML programs must not only be reasonably designed, they must be adequately resourced as well. The larger the business and the greater the risk posed by the business, the larger the commitment of resources FINRA expects. Similarly, the head of the SEC’s broker-dealer examination program has emphasized, “Examiners assess the capacity of designated compliance officers, including their background and experience and whether they have the resources to perform their jobs adequately.” [5]

For example, in a FINRA hearing panel decision accepting an offer of settlement, FINRA stated that a firm that had a large market access business “assigned an inadequate number of employees to establish, implement and enforce regulatory risk management controls and supervisory systems for its market access business,” and that the employees “lacked a fundamental understanding of multiple forms of manipulative trading.” It stated that the supervisor charged with developing and overseeing post-trade manipulation reviews was inadequately trained and “grossly understaffed” to handle the required compliance tasks delegated to her supervision.

In an AWC, FINRA found that a firm that cleared hundreds of thousands of trades a day for over 200 correspondent firms failed to allocate sufficient resources to the Firm’s AML compliance program and that the failure resulted in, at times, inadequate and untimely reviews. FINRA stated, “Given the limited resources allocated to conduct these reviews, at times these exception reports were not consistently reviewed or, in some instances, reviewed at all.” In another AWC, FINRA found that two affiliated firms that grew from 2400 registered reps to 5300 registered reps over an eight-year period failed to dedicate sufficient AML resources to match the firms’ growth. It found that the six-employee AML Department was inadequate in light of “the extensive responsibilities assigned to the few individuals, including the labor-intensive manual reviews….”

FINRA has also found AML procedures inadequate when firms relied on manual rather than automated reviews of high-volume trading to identify suspicious transactions.

3. Implementing a Strong Customer Identification Program

Broker/dealers are required to have risk-based Customer Identification Programs (“CIPs”) that enable a firm to form “a reasonable belief that it knows the true identity of each customer.” [6] The CIP must contain procedures for verifying the identity of each customer within a reasonable time after the customer’s account is opened, and must describe when a broker/dealer will use documents, non-documentary methods, or a combination of both methods for verification. The CIP must also include procedures for responding to circumstances in which the broker/dealer cannot form a reasonable belief that it knows the true identity of a customer—including when the broker/dealer should not open an account, when it may conduct transactions while it attempts to verify the customer’s identity, when the broker/dealer should close an account, and when the broker/dealer should file a SAR.

In the only litigated AML-related case we found largely rejecting the staff’s allegations, a FINRA hearing panel accepted that the following CIP was adequate with one exception discussed below:

  • the AML Manual set forth the customer identification program;
  • the program required the firm to collect a variety of identifying information for each customer when opening new accounts;
  • the New Account Department examined the new account documents to look for obvious fraud and forgery, and to look for signs of suspicious activity in new account items;
  • the firm checked the Specially Designated Nationals and Blocked Persons List maintained by Treasury’s Office of Foreign Assets Control;
  • if a customer’s name was found on the list, the AML Manual required the AML compliance officer to follow whatever government directives were applicable;
  • the firm also consulted the Financial Action Task Force’s list of non-cooperative countries and territories to verify that the customer was not doing business with any of them;
  • the firm used the Equifax service to verify basic customer information—for example, Equifax checked a customer’s social security number to see if the number had been issued to someone who was deceased, or if it was issued before the customer’s date of birth;
  • the firm also checked with the Compliance Data Center (“CDC”), an Equifax affiliate that monitors newspapers and other public information sources and maintains a database of people with negative information (including whether they had been fined by FINRA);
  • the firm forwarded the CDC reports to its introducing firms;
  • for foreign customers, the firm required the introducing firm to obtain a copy of a government-issued picture identification document.

While the hearing panel found most of the firm’s procedures adequate, it found that the CIP was deficient with respect to obtaining customer identification information for delivery versus payment (“DVP”) accounts, i.e., accounts in which delivery of securities occurs simultaneously with payment at a custodian institution. The panel stated that although the firm believed there was a very low risk to the firm of money laundering through DVP accounts, the absence of customer identification procedures for such accounts violated AML requirements because “[t]here is no exclusion from the customer identification requirements for DVP accounts.”

In other recent settlements, FINRA stated that CIPs were deficient because:

  • in multiple instances, the firm failed to obtain photo identification from new customers or otherwise verify their identities in connection with the opening of an account;
  • a clearing firm for 86 correspondent firms relied on introducing firms to populate customer identification information, but some introducing firms failed to provide the information and the clearing firm nevertheless executed transactions for those accounts;
  • the firm failed to uncover a customer’s prior regulatory history because it failed to use the customer’s full name in its search, and, as a result, failed to include the accounts of the customer and the customer’s children on its heightened customer account monitoring list;
  • the firm failed to obtain and verify business or other documents for correspondent accounts, such as certified articles of incorporation, a government-issued business license, a partnership agreement, or a trust instrument, which led to customers being permitted to participate in suspicious activities without appropriate documents in the files;
  • the firm relied on foreign finders to collect and submit customers’ documentary verification data and was unable to verify the information provided;
  • the firm failed to collect and verify identifying information for most of its institutional accounts;
  • the firm failed to retain evidence of its use of documentary methods to verify identifying information for most of the individual and joint accounts and failed to provide notice to its customers that it was collecting identifying information;
  • when clients closed accounts, the firm’s system recycled previously assigned account identifiers, in which case the CIP system treated the new accounts as if they had already gone through the CIP system and did not verify the identities of the new customers with recycled identifiers;
  • when the firm obtained inconsistent identifying information, the firm failed to employ reasonable procedures to address those inconsistencies to form a reasonable belief that it knew the true identity of the customer; and
  • the clearing firm did not have a formal agreement with its affiliated introducing firm detailing the scope and parameters of the CIP procedures.

4. Filing SARs When Firms Have “Reason to Suspect” Unlawful or Other Suspicious Activity Even if Firms Do Not Know the Activities Are Unlawful

A broker/dealer’s obligation to file a SAR may arise well before the broker/dealer knows of unlawful activity. The obligation arises when a broker-dealer “knows,” “suspects,” or even has “reason to suspect” that a transaction of at least $5,000 i) involves funds derived from illegal activity or is intended or conducted in order to hide or disguise funds or assets derived from illegal activity as part of a plan to violate or evade any federal law or regulation, ii) is designed to evade any requirement of the Bank Secrecy Act, iii) has no apparent business or lawful purpose or is not the sort of activity in which the particular customer would normally be expected to engage, or iv) involves the use of the firm to facilitate criminal activity. [7]

The SEC and FINRA are highly focused on whether firms file SARs that they should have filed and whether the SARs adequately describe the facts giving rise to the suspicion of unlawful activity. Last year, the Director of the SEC’s Division of Enforcement expressed concern about both the number and quality of SARs that broker/dealers file. [8] With regard to the number, he stated that the average broker/dealer (of the roughly 4,800 broker/dealers in the United States) files about five SARs per year, and added:

This is disconcerting and hard to understand. Think about your businesses—is it possible that only five transactions a year were suspicious enough to justify a SAR filing? The nature of your industry and the sheer volume of transactions executed each year suggest to me that this number is far too low.

He stated that the SEC was reviewing the number of SARs filed by particular firms compared to the number of registered reps associated with the firms, the number of customer accounts, whether the firm retailed microcap securities, the number of regulatory, civil and criminal disclosures related to the firms, and the number of times the firm was involved in transactions that the Division has investigated in the past. Earlier this year, the SEC fined a firm $300,000 for not filing SARs when it “knew, suspected, or had reason to suspect” that its penny-stock customers were using their accounts to facilitate unlawful activity.

With regard to the content of the SARs, he stated that some firms provided narratives that were far too skeletal and revealed a “check-the-box” mentality—for example, they might say that there was a deposit and sale of shares, but provide no explanation of the basis of suspicion. He stated that such narratives suggest that the firm does not take its AML responsibilities seriously.

FINRA’s principal focus with respect to the filing of SARs has been not on whether a firm should have filed a SAR, but whether a firm gave adequate consideration to whether to file a SAR. Going forward, we expect that FINRA, like the SEC, may increasingly focus on firms that appear to have filed fewer SARs than would be expected given their size and businesses, especially firms whose customers engage in substantial penny stock transactions, or are given “market access,” or are correspondent accounts of foreign financial institutions, or have questionable regulatory backgrounds or have prompted repeated regulatory inquiries. FINRA can easily make comparisons among firms, and the firms with the fewest filings within their peer groups may attract more regulatory scrutiny.

5. Rigorously Reviewing Red Flags and Documenting the Reviews

Many AML enforcement actions involve the failure to adequately follow up on red flags. In some cases, FINRA found that the firms’ policies and procedures failed to provide sufficient guidance on properly investigating red flags. For example, in one case, FINRA acknowledged that the firm’s AML procedures contained a section that identified red flags, but stated, “[E]ven as to those red flags that were identified, the Firm’s AML procedures provided inadequate guidance regarding what steps should be taken to detect and investigate them.”

In other cases, FINRA has not focused on whether the procedures set forth adequate guidance but has concluded that the investigations into red flags were inadequate. For example, in one case FINRA faulted a firm for relying too much on an explanation provided by a registered rep when it should, instead, have conducted its own independent investigation. It stated that the firm should have used some combination of the following in responding to red flags involving trading in microcap securities:

  • a more comprehensive review of electronic communications than the email sampling typically performed for routine supervisory surveillance;
  • obtaining detailed explanations of account activity and communications from the customers in question;
  • ascertaining which accounts were transacting or coordinating with one another and towards what end;
  • evaluating the size of the deposits of securities in relation to the issuer share float and the size of sales in relation to average volume or to look for signs of red flags of violative activity; and
  • searching for evidence of touting to identify potentially misleading communications indicative of pump and dump activities.

FINRA has also faulted firms for failing to document their reviews, investigations, and determinations with respect to suspicious trading.

6. Avoiding or Carefully Addressing the Risks Posed by Penny Stock Transactions

Perhaps the largest number of FINRA AML-related enforcement actions involve inadequate procedures with respect to preventing and detecting violations involving the liquidation of large volumes of low-priced securities, including both fraud and registration violations.

FINRA has specifically addressed members’ obligations with respect to registration issues in a 2009 notice to members. [9] In enforcement actions, FINRA found that firms:

  • failed to classify certain penny stock trades as suspicious activities even though the customers deposited large blocks of unregistered and newly issued penny stocks in their accounts and then immediately liquidated their positions and often wired out all of the proceeds from the sales;
  • in concluding that securities were exempt from registration and freely-tradeable, relied too much on the absence of restrictive legends and representations by third parties (such as transfer agents or attorneys) or the acceptance of the stock by a clearing firm;
  • failed to inquire into how the relevant customers received their shares of unregistered penny stocks, the customers’ relationships with the issuers, or other facts that could have revealed whether the shares were, in fact, exempt from registration;
  • even though it placed the registered rep under heightened supervision, failed to exercise sufficient supervision over a new registered rep who brought in penny stock business, which was not an area in which the firm had prior experience;
  • did not adequately respond to red flags regarding penny stocks, including:
    • the relevant customers maintained multiple accounts under the names of multiple newly incorporated entities with no business purpose;
    • the relevant customers deposited into their accounts millions of shares of unregistered penny stocks involving issuers with questionable or unknowable operating histories;
    • the relevant customers immediately sold the unregistered stock and wired the proceeds from their accounts;
    • the relevant customers repeatedly received new issuances as they sold down the stock received in prior issuances;
    • certain of the relevant customers formed corporate entities with no known business purpose shortly before opening accounts;
    • certain of the relevant customers incorporated entities in states that provide for exemptions from the state’s registration requirements, allowing the entities to purchase unrestricted and unregistered stock pursuant to SEC Rule 504;
    • the relevant customers appeared to have opened accounts for the sole purpose of depositing large amounts of unregistered shares;
    • the relevant customers sold their unregistered shares as soon as the newly issued stock certificates were deposited in the accounts, and promptly wired out the funds received from the sales; and
    • the relevant customers agreed to pay the firm exceptionally large commissions (e.g., commissions of 20-26%).

7. Avoiding or Carefully Addressing the Risks Posed by Providing “Market Access” to Customers

SEC Rule 15c3-5, adopted on November 3, 2010, provides that a broker/dealer that provides customers or other persons with access to an exchange or alternative trading system through the use of the broker/dealer’s market participant identifier must establish risk management controls and supervisory procedures designed to limit the financial exposure of the broker/dealer and ensure compliance with all regulatory requirements applicable to market access. It also requires broker/dealers to review annually the effectiveness of their risk management controls and supervisory procedures relating to market access and to certify annually that the controls and procedures satisfy the requirements of the rule. A large number of FINRA AML-related cases are based on the failure to adequately surveil for suspicious activities involving direct market access. In one case that covers the waterfront of what can go wrong when a firm provides market access, FINRA found that the firm:

  • failed to provide adequate staff to ensure appropriate regulatory risk management controls and supervisory systems and procedures;
  • provided inadequate training to persons responsible for monitoring and filing SARs with respect to its market-access business;
  • relied on a compensation system in which employees charged with monitoring trading by market access customers were paid in substantial part based on trading revenue generated by such customers;
  • enabled market access customers to flood the Exchanges with potentially manipulative trades;
  • largely relied on market access customers to self-monitor and self-report their own suspicious trades without sufficient oversight by the broker/dealer;
  • failed to adequately respond to alerts from regulators and Exchanges about suspicious and potentially manipulative customer transactions;
  • failed to track the activity identified in regulatory inquiries or attempt to identify whether any accounts or types of activity were the focus of multiple inquiries;
  • did not attempt to determine whether trading that resulted in regulatory inquiries violated FINRA rules or the securities laws;
  • failed to adequately monitor, detect, and report suspicious and potentially manipulative transactions by its direct market access customers;
  • lacked an adequate process for investigating suspicious activity and filing appropriate SARs with respect to its market access business;
  • exercised insufficient oversight over three market access customers who presented heightened risk: i) an unregistered foreign-based customer; ii) a former FINRA broker-dealer that was expelled by FINRA in connection with its failure to monitor manipulative trading activity by overseas day traders; and iii) a former FINRA broker-dealer that was fined and then expelled in connection with manipulative trading activity;
  • lacked systems or written supervisory procedures designed to detect and prevent various forms of market manipulation, such as layering, spoofing, and the entry of orders with no intention of execution;
  • failed to monitor for patterns of order cancellations by high-frequency traders;
  • failed to effectively monitor for potentially violative wash trades (trades with no change in beneficial ownership);
  • failed to specify how to review the wash sale reports to determine whether transactions may have been executed with the intent to manipulate the market;
  • conducted reviews that were “superficial” and “merely administrative” and “lacked any meaningful substantive scrutiny for potential manipulation”;
  • accepted at face value its customers’ explanations for suspicious trading without conducting its own investigation of the potential problematic trades;
  • failed to conduct any cross-market reviews for wash trades that arose from orders entered on one market center but executed on another;
  • failed to place certain customers under heightened supervision;
  • conducted no reviews of apparent pre-arranged trades for its market access customers in numerous different securities across multiple market centers;
  • made no effort to ensure that each authorized trader was only issued one trader ID or to terminate inactive trader IDs;
  • failed to establish and implement effective controls relating to the deactivation and sharing of trade IDs, the assignment of multiple trader IDs to a single trader, and trading suspensions of disciplined traders;
  • failed to ensure that it had restricted trading to only those persons who had been approved and authorized by the broker/dealer;
  • with respect to a high-risk customer, failed to inquire into the customer’s trading strategy, how it selected its traders, or whether the customer performed any due diligence on them; and
  • for much of the period at issue, failed to monitor market access customers for marking-the-close.

In other market access cases, FINRA found that firms:

  • relied on an ad hoc, undocumented, manual system of surveillance for potential manipulative activities even though hundreds of trades a minute were coming across the trading desk;
  • relied on an exception report for potential wash sales but failed to specify the procedures for investigating such suspicious trading and determining whether a SAR should be filed;
  • failed to document the actual review, investigation, and determination of any particular potential suspicious trading;
  • although the firm restricted or disabled traders who engaged in potentially manipulative activity, the firm did not keep a record of all of the disciplined traders and did not assess whether the activity warranted the filing of a SAR;
  • monitored the activities on a trader-by-trader basis rather than at the customer level to gauge whether groups of traders at the customer were potentially working together;
  • failed to monitor trading activity to detect recurring types or patterns of activity by various traders within a customer’s account; and
  • confronted traders with respect to problematic trades, but, when they provided non-credible explanations, failed to investigate sufficiently to determine whether the firm should file a SAR.

8. Avoiding or Carefully Addressing the Risks Posed by Correspondent Accounts of Foreign Financial Institutions

Treasury Regulation 31 C.F.R. 1010.610 requires that broker/dealers establish a risk-based due-diligence program for “correspondent accounts” maintained by foreign financial institutions. A correspondent account is an account established for a foreign financial institution to receive deposits from, or to make payments on behalf of, the foreign financial institution, or to handle other financial transactions related to the foreign financial institution. As part of the due-diligence program, broker/dealers are required to have procedures that identify foreign correspondent accounts and conduct due diligence taking into account: i) the nature of the foreign financial institution’s business; ii) the type, purpose and anticipated activity of the account; iii) the nature and duration of the broker/dealer’s relationship with the foreign financial institution; iv) the AML and supervisory regime of the jurisdiction in which the foreign financial institution is located; and v) information known or reasonably available to the broker/dealer about the foreign financial institution’s AML record.

The rule also requires broker/dealers to conduct a periodic review of the correspondent account activity to determine i) whether the activity in the account is consistent with the information initially obtained, and ii) whether, given the volume and/or type of activity in the account, the broker/dealer can adequately identify suspicious transactions.

Many of FINRA’s AML enforcement actions involve deficiencies with respect to accounts of foreign financial institutions. For example, FINRA found that a firm failed to maintain documentation evidencing that:

  • it had determined whether each correspondent account was subject to enhanced due diligence;
  • it had assessed the money laundering risk presented by each correspondent account;
  • it had applied risk-based procedures and controls to each correspondent account reasonably designed to detect and report known or suspected money laundering activity, including a periodic review of the correspondent account activity sufficient to determine consistency with information obtained about the type, purpose, and anticipated activity of the account.

In one case, FINRA found that the firm:

  • failed to identify the money laundering risk associated with two large correspondent accounts of Venezuelan financial institutions, and failed to address this risk in its AML policies even though it accounted for a majority of its revenues;
  • did not have AML policies and procedures:
    • addressing the money laundering risks presented by foreign correspondent accounts and foreign financial institutions, particularly those located in higher-risk jurisdictions;
    • for applying risk-based procedures and controls to each correspondent account reasonably designed to detect and report known or suspected money laundering;
    • for conducting ongoing review of activity in foreign financial institution accounts;
  • did not sufficiently consider the risks of corruption, politically exposed persons, sanctioned individuals/entities, and narco-trafficking with regard to the foreign financial institution and its correspondent accounts even though Venezuela is a high-risk country for AML purposes;
  • did not obtain sufficient information to confirm the accuracy of the representations made by the foreign financial institutions; and
  • did not adequately address facts inconsistent with the representations made by the foreign financial institutions.

In another case involving a wide range of AML compliance issues, FINRA found that a firm:

  • sometimes failed to enforce an internal requirement that the firm obtain information through a Foreign Financial Institution Questionnaire designed to obtain information regarding a correspondent account holder’s business, markets served, client base, types of activity, and nature of the account; and
  • had no reliable periodic review process in place to ensure that the activities in the foreign financial institution’s accounts were consistent with representations made by the foreign financial institutions at the time of the account opening.

In another case, the foreign financial institutions used master/subaccount and omnibus-account structures, which FINRA stated “present significant regulatory risks due to their potential to mask beneficial ownership and to be used as vehicles to engage in illegal activity, such as money laundering, insider trading, and market manipulation.” FINRA found that the firm failed to conduct periodic reviews of the activities of each foreign financial institution correspondent account, as required by its AML policies. In another case, the firm’s AML Procedures incorrectly stated that the firm had no correspondent relationships with foreign financial institutions, and the firm failed to inquire further.

9. Avoiding or Carefully Addressing the Risks Posed by Customers with Prior Regulatory Problems

Not surprisingly, firms are at heightened risk of enforcement actions when the customers who engage in suspicious activities have a prior history of securities fraud or similar violations. Indeed, a questionable background may itself be a red flag requiring investigation, and FINRA has criticized AML procedures that did not state:

  • when and how often the firm should undertake a background check (e.g., at account inception or from time to time thereafter or if triggered by concerns or certain types of account activity);
  • how and by what means the firm would conduct a search; or
  • what further investigation or action should be taken upon discovery of matters that constituted a questionable background as described in the red flag.

10. Analyzing and Following Up on Regulatory Inquiries into Potentially Suspicious Activities

Many of FINRA’s AML enforcement programs involve firms that received numerous inquiries from FINRA Market Regulation or other regulators about potential illegal activity by customers and did not adequately follow up on the customers whose activities generated the inquiries. It is often not enough simply to respond to FINRA’s requests for information. The failure to conduct one’s own investigation may lead to findings that the firm failed to adequately follow up on red flags and thus violated its AML responsibilities.

For example, in one case, the firm received dozens of regulatory inquiries regarding potentially manipulative trades, but FINRA found that “[t]he firm did not attempt to determine whether the trading activity that resulted in regulatory inquiries had violated FINRA rules or the securities laws.”

In another case, the firm received 36 separate inquiries from FINRA’s Market Regulation Department and the Market Surveillance section of NYSE Arca related to trading in approximately 30 separate master accounts, but “did not attempt to determine whether the trading activity that resulted in regulatory inquiries violated FINRA rules or the securities laws” and “took no steps to understand the trading activity of the subaccount traders who provided written statements in response to FINRA’s inquiries—even when the traders’ written statements to [the firm] suggested that they were engaged in market manipulation.” In addition, the firm “did not review trading outside of responding to FINRA’s inquiries, even when an account appeared on multiple FINRA inquiries, or when multiple responses provided the same explanation for the trading at issue.” Despite the number of inquiries, it did not place any of the accounts under heightened supervision and “did not track the activity identified in regulatory inquiries to determine if any accounts or types of activity were the focus of multiple reviews.”

In another case, FINRA stated that a firm received multiple inquiries from FINRA Market Regulation in connection with thousands of instances of potential manipulative trading, but “took no meaningful steps to improve its ability to detect possible manipulative activity” and “continued to rely on its manual-based real-time monitoring of order/trade activity.”

11. Implementing a Meaningful, Independent Annual Review of AML-Compliance Programs

FINRA Rule 3310(c) (formerly NASD Rule 3011(c)) requires that the AML program “provide for annual (on a calendar-year basis) independent testing” to be conducted by member personnel or by a qualified outside party. [10] FINRA has stated that the test must review and assess the adequacy of and level of compliance with the firm’s AML program. [11]

FINRA has frequently found that the testing of AML programs was inadequate, either because it was too cursory or because it was not independent. For example, in one case, FINRA found:

  • the testing was not independent because the AMLCO participated with a third party in the testing and chose the documents that would be reviewed;
  • the third party conducting the tests never reviewed new account applications or customer files, and never visited the firm’s office to conduct the AML test;
  • the test failed to determine whether AML training was provided to firm personnel and failed to examine the adequacy of any such training;
  • the test did not ascertain whether the firm had been responding to information requests issued by FinCEN; and
  • the test did not provide for a reasonable review of the firm’s customer identification program.

In other cases FINRA found the testing inadequate because:

  • the testing failed to address penny stocks despite the fact that this was a high-risk activity for the firm’s customers;
  • the tests failed to evidence any review of recently established surveillance systems;
  • the tests failed to uncover shortcomings in trade monitoring and asset movement monitoring that FINRA identified;
  • the testing failed to adequately assess the firm’s compliance with its AML procedures because the tester, though aware of red flags associated with penny stock accounts, did not note the red flags or explore whether the firm detected the red flags or whether the firm conducted adequate due diligence in response to such activity;
  • the testing was limited in scope to those areas of “primary responsibility” for detecting money laundering rather than the full AML program;
  • the testing was conducted by the firm’s chief financial officer, who was not independent;
  • the tests were conducted by a person who was not experienced or trained in AML, and the testing consisted of a general review without a specific review period, specific instructions, or provisions for follow-up to ensure that recommendations would be implemented;
  • no testing was conducted to ensure that the identities of the firm’s adviser customers were verified, and the test summaries did not evidence a review to determine whether any firm customers were excluded from the definition of customer for AML purposes;
  • although the firm stated that a sample of customer applications, deposits, and outgoing wires had been reviewed, it was unable to evidence such reviews;
  • the testing reports did not evidence the sampling or review of certain records, including i) records of any risk-based monitoring of the red flags described in the AML procedures to confirm that it was being performed; or ii) records of underlying securities transactions to confirm that any red flags were being effectively detected;
  • the testing reports were inaccurate because the reports represented that the firm engaged in certain monitoring activity but the evidence showed that the firm did not monitor the activity;
  • the testing did not address certain risks associated with the firm’s business and client base, including procedures for detecting suspicious activity related to transfer of low priced stocks via deposit/withdrawals at the custodian, through physical certificates, or journals; and
  • the testing was not conducted on a timely basis.

12. Verifying the Completeness and Accuracy of Data Sources Used for AML Surveillance

FINRA’s 2016 Regulatory and Examination Priorities Letter stated that AML would be one of the four principal areas FINRA would focus on in 2016 (the others being management of conflicts of interest, technology, and outsourcing). For the first time in its annual priorities letters, it stated that it had observed problems with firms’ automated AML surveillance systems not capturing complete and accurate data, and that firms should routinely test systems and verify the accuracy of data sources, particularly with respect to higher-risk accounts and activities. While this has not produced noteworthy AML-related enforcement actions in the past, the priorities letters often foreshadow future enforcement actions. Thus, firms are well-advised to take steps to verify the accuracy of data sources used in connection with their AML-surveillance programs.


The above areas account for the vast majority of FINRA AML-related disciplinary actions brought to date and are likely to show up in future enforcement actions as well. Given the continued focus on AML and on these areas in particular, broker/dealers should give careful attention to each of these areas in their design, implementation and review of their AML compliance programs.


[1] 2011 FINRA Regulatory and Examination Priorities Letter.

[2] The FINRA enforcement actions are in addition to the AML-related actions brought by the Department of Justice, the Securities and Exchange Commission, and FinCEN against banks and other financial institutions. Some of these have been for very substantial penalties.

[3] In connection with its adoption of NASD Rule 3011, the NASD issued an 18-page Special Notice to Members, NTM 02-21, which provides interpretive guidance. FINRA frequently cites that guidance in its AML-related enforcement actions. In August 2002, it issued NTM 02-47, providing additional guidance, and in 2003 it issued NTM 03-34 providing further guidance. FINRA has also issued a 49-page “Small Firm Template” that sets forth AML policies and procedures. At least since 2006, each of FINRA’s annual Regulatory and Examinations Priorities Letters has discussed AML areas in which FINRA is focused. Additional AML guidance can be found at, for example, SEC, “Anti-Money Laundering (AML) Source Tool for Broker-Dealers,” (June 20, 2012), and on FINRA’s AML home page. For a description of the relevant guidance in this area from the perspective of two senior FINRA enforcement attorneys, see Allen Boyer and Susan Light, “Dirty Money and Bad Luck: Money Laundering in the Brokerage Context,” 3 Virginia Law & Business Review 81 (2008).

[4] Kevin W. Goodman, “Anti-Money Laundering: An Often-Overlooked Cornerstone of Effective Compliance,” (June 18, 2015).

[5] Id.

[6] 31 C.F.R. 1023.220.

[7] 31 C.F.R. 1023.320.

[8] Andrew Ceresney, “Remarks at SIFMA’s 2015 Anti-Money Laundering & Financial Crimes Conference,” (Feb. 25, 2015).

[9] Notice to Members 0-9-05, “Unregistered Resales of Restricted Securities,” (Jan. 2009).

[10] Firms that do not execute transactions for customers or otherwise hold customer accounts and do not act as introducing brokers may test once every two years rather than on an annual basis.

[11] NASD Notice to Members 02-21.