The U.S. Securities & Exchange Commission (SEC) has made it abundantly clear over the last several years that anti-money laundering (AML) is one of its top examination priorities.¹  While traditionally many other regulatory and enforcement agencies such as the Financial Industry Regulatory Authority (FINRA), the Office of the Comptroller of Currency (OCC), the U.S. Department of Justice, and the Federal Reserve have been the ones to enforce AML deficiencies, the SEC recently started regularly using Rule 17a-8 under the Securities and Exchange Act of 1934 as a tool to enforce AML deficiencies with broker-dealers.²

SEC-registered broker-dealers are already considered “financial institutions” per the Bank Secrecy Act (BSA), and they are also required to be members of FINRA.  Therefore, they must have an AML program as required by FINRA Rule 3310. Yet the SEC has started using Rule 17a-8 more regularly as an enforcement mechanism to ensure that a broker-dealer’s AML program isn’t simply a paper tiger and is actually operating effectively.³  This SEC enforcement trend indicates yet another shift in the regulatory landscape for broker-dealers.

A number of AML laws are relevant to broker-dealers, and recent enforcement actions related to Rule 17a-8 provide numerous key takeaways for broker-dealers to operate an effective AML program.

Specific AML Laws

Broker-dealers are required to either be registered with a state or with the SEC and FINRA, depending on a variety of legal considerations.⁴  For those broker-dealers that are registered with the SEC and FINRA , there are a few fundamental AML-related rules and regulations that are relevant and applicable. 

First, FINRA Rule 3310 requires member broker-dealers to “develop and implement a written [AML] program reasonably designed to achieve and monitor the member’s compliance with the requirements of the [BSA], and the implementing regulations promulgated there under by the Department of the Treasury.” ⁵ The AML program should be risk-based and is required to have the following four pillars:⁶   

1. Policies and procedures that are reasonably designed to detect and report suspicious activity

2. Periodic independent testing of the AML program

3. Designation of an individual responsible for the AML program

4. Ongoing training for appropriate personnel

Next, the rules promulgated by FinCEN under the BSA requires broker-dealers to implement a customer identification program (CIP), report certain cash transactions, retain wire transfer records, and monitor and report suspicious activity. More specifically, the BSA requires broker-dealers to:

• Implement a CIP that is designed to have a process in place for obtaining and verifying certain basic customer information such as name, address, date of birth, and identification number⁷

• Report all cash transactions greater than $10,000 (by filing a Currency Transaction Report)

• Create and maintain adequate wire transfer records, regardless of whether the activity is believed to be suspicious or illegal⁸ 

• Monitor for, and report activity by filing a Suspicious Activity Report (SAR) where a broker-dealer “knows, suspects, or has reason to suspect that [a] transaction (or pattern of transactions of which the transaction is a part)” is greater than $5,000 and: 1) involves or is designed to hide funds derived from illegal activity; 2) is intended to evade BSA requirements; 3) does not have an apparent business or lawful purpose and is otherwise out of the norm for the customer; or 4) involves facilitating criminal activity.⁹ 

Finally, SEC Rule 17a-8 requires broker-dealers to “comply with the recordkeeping, retention, and reporting obligations of the BSA and its implementing regulations.”¹⁰  This rule requires broker-dealers to maintain accurate books and records, including having policies and procedures that reflect the actual processes in place;¹¹  file suspicious activity reports that are complete, accurate, and timely;¹²  and retain supporting documentation as required by the BSA.¹³

Even though the SEC’s use of Rule 17a-8 as a means to enforce AML violations dates back to 2006, the actions prior to 2016 were few and far between. The older actions were also more focused on CIPs rather than the failure to file SARs. Nevertheless, all the actions follow the same trend – that is, broker-dealers must not only have adequately documented AML policies, but also they must have processes and procedures in place that are consistent with those policies. Thus, all the actions amount to the SEC enforcing deficiencies in the implementation of the broker-dealers’ AML programs, rather than the documented design of the program.¹⁴  Accordingly, broker-dealers must not only have a comprehensive documented AML program, but that program must be operating effectively in order to pass regulatory muster.

Takeaways for Broker-Dealers

Below is a high-level overview of some key takeaways for broker-dealers from these enforcement actions, and related statements and comments by regulators, which may help with developing and enhancing an operationally effective AML program. 

• Broker-dealers should perform a comprehensive AML risk assessment that is designed to assess the risk related to its services, products, customers, locations, transactions, etc. The risk assessment should be documented, and the results of the risk assessment should be used to tailor the AML program.¹⁵ 

• Broker-dealers should create an AML program, including policies and procedures, which are tailored to the unique and specific characteristics and risks of the entity and address all four pillars of an effective program.¹⁶ 

• Broker-dealers’ policies and procedures should accurately reflect what the firm actually does in practice.¹⁷

• Broker-dealers should establish a written CIP and incorporate the program as part of their overall AML program. The CIP should clearly delineate the policies and procedures used by the broker-dealer for identifying and verifying customer identities using documentary or non-documentary methods, or both. The CIP must accurately describe, and be consistent with, the actual processes in place.¹⁸

• Broker-dealers should perform a customer risk assessment at the time of account opening to gain an understanding of the customer’s expected type of activity, volume, risk profile, etc.¹⁹

• Broker-dealers should not only gain an understanding of their direct customers (by following their CIP and know your customer (KYC) policies) but also, where applicable, understand who the beneficial owners are of subaccounts and/or those individuals/entities for whom transactions may be executed.²⁰

• Broker-dealers should treat beneficial owners of corporate accounts who interface directly with the broker-dealer as direct customers for purposes of the CIP rule.²¹

• Broker-dealers’ CIP should include collecting, verifying, and maintaining identification not only for direct customers, but also for individuals who are transacting through customer accounts.²²

• Broker-dealers who directly engage, or have customers that engage, in transactions related to microcap stocks should gain an understanding of their unique and specific risks, and incorporate specific AML policies, procedures, and monitoring for these transactions and their customers.²³ 

• Broker-dealers must monitor for potentially suspicious or illegal activity; illegal activity includes the offers and sales of restricted securities.²⁴ 

• If so-called red flags (i.e., potentially suspicious activity) are identified, broker-dealers should perform an investigation into the activity and/or customer, determine whether a SAR should be filed, and the results of the investigation and decision whether or not to file a SAR should be thoroughly documented.²⁵  This especially includes circumstances where the broker-dealer makes a decision to cease the business relationship.²⁶

• When a broker-dealer determines that a SAR should be filed, the SAR should be complete and contain the “who, what, when, where, and why” of the activity,²⁷  including “a clear, complete, and concise description of the activity, including what was unusual, irregular or suspicious about the transaction(s)” so that the information can be used effectively by law enforcement, regulatory, and intelligence agencies.²⁸

• Broker-dealers must include information on the SAR that is accurate, and cannot omit information known to the firm that may deem the SAR to be misleading.²⁹

• Broker-dealers should use qualified, trained staff who have experience researching transactions, performing investigations, and completing SARs to draft SARs.³⁰ 

• Broker-dealers should implement a management-level SAR review and quality control process.³¹

• Broker-dealers must file SARs “no later than 30 calendar days after the date of the initial detection by the reporting broker-dealer of facts that may constitute a basis for filing.”³²

• Broker-dealers should cooperate fully with examinations and, if applicable, resulting inquiries and investigation.³³ 

• Broker-dealers should take remedial action as soon as practical where deficiencies and issues are identified.³⁴

• Broker-dealers should, where appropriate, retain an independent third-party firm to perform an internal investigation, conduct independent testing, perform a gap analysis, and/or assist with strengthening the AML program.³⁵

• Corporate officers and owners may be held individually and personally liable for civil, and potentially criminal, liability for willful violations of the BSA and/or aiding and abetting violations of the BSA.³⁶

Given the continued emphasis on combatting money laundering and terrorist financing, it is highly likely that that this SEC enforcement trend is likely to continue, and broker-dealers should take note and be prepared. Accordingly, broker-dealers should review these key takeaways and, where gaps are identified, implement changes to the AML program that address these areas. Doing so will help minimize the risk of a routine SEC examination identifying deficiencies in the AML program or even resulting in an investigation or enforcement action.

1. See “Examination Priorities for 2017,” U.S. Securities & Exchange Commission, Office of Compliance Inspections and Examinations, 2017; “Examination Priorities for 2016,” U.S. Securities & Exchange Commission, Office of Compliance Inspections and Examinations, 2016; “Examination Priorities for 2015,” U.S. Securities & Exchange Commission, Office of Compliance Inspections and Examinations, 2015.
2. See, e.g., In the Matter of Windsor Street Capital, L.P. (f/k/a Meyers Associates, L.P.) and John David Telfer, SEC, July 28, 2017 (hereinafter Windsor Street Capital); In the Matter of Lia Yaffar-Pena, SEC, October 19, 2016 (hereinafter Yaffar-Pena); SEC v. Alpine Securities Corporation, U.S. District Court, Southern District of New York, June 5, 2017 (hereinafter Alpine Securities).
3. SEC enforcement actions appear to be focused on three areas in particular: (1) the Customer Identification Program/Know Your Customer process in place is consistent with documented policies and procedures; (2) activities and transactions are being monitored; and (3) potentially suspicious activity is being detected and reported to FinCEN through the submission of a Suspicious Activity Report.
4. This article addresses broker-dealers registered with the SEC and FINRA, and not those who are only registered with a state.
5. Alpine Securities, p. 7, citing FINRA Rule 3310, Anti-Money Laundering Compliance Program (hereinafter FINRA Rule 3310).
6. FINRA Rule 3310.
7. 31 C.F.R. 1022.220.
8. Kevin W. Goodman, “Anti-Money Laundering: An Often-Overlooked Cornerstone of Effective Compliance,” Securities Industry and Financial Markets Association, Speech on June 18, 2015 (hereinafter AML Cornerstone of Effective Compliance).
9. See 31 C.F.R. § 1023.320.
10. See Alpine Securities, p. 2, citing SEC Rule 17a-8 of the Securities and Exchange Act of 1934.
11. See In the Matter of Crowell, Weedon & Co., SEC, May 22, 2016 (hereinafter Crowell).
12. Within 30 days after the date the suspicious activity is detected.
13. Broker-dealers must maintain a copy of any filed SAR and supporting documentation for a period of 5 years from the SAR filing date. See 31 C.F.R. § 1023.320(d).
14. Since in all these enforcement actions the SEC specifically highlights only the existence of broker-dealers’ AML related policies and procedures yet does not opine on their adequacy, whether the program design actually was adequate can only be presumed.
15. See AML Cornerstone of Effective Compliance; In the Matter of Albert Fried & Company, LLC, SEC, June 1, 2016 (hereinafter Albert Fried).
16. The four pillars of an AML program include: 1) written policies and procedures; 2) designation of an individual responsible for the AML program; 3) education and training of relevant personnel; and 4) periodic independent testing of the program. See “FINRA Model AML Policies for Small to Midsized Broker Dealers,” FINRA, January 1, 2010, for a FINRA template of AML related policies for small to midsized broker-dealers.
17. Alpine Securities.
18. See Crowell.
19. Albert Fried.
20. See In the Matter of Oppenheimer & Co., Inc., SEC, January 27, 2015 (hereinafter Oppenheimer); see also AML Cornerstone of Effective Compliance.
21. Yaffar-Pena.
22. Yaffar-Pena.
23. See Oppenheimer; Albert Fried; AML Cornerstone of Effective Compliance. For guidance on risks related to microcap stocks, see Holly Peck, “Between a Rock and a Regulator: Building an Effective AML Program in the Microcap Sphere,” Association of Certified Anti-Money Laundering Specialists (not dated); Eric Hess, “AML and Microcap Stocks: New Challenges, New Solutions,” January 7, 2017; “Broker-Dealer Controls Regarding Customer Sales of Microcap Securities,” SEC Office of Compliance Inspections and Examinations, October 9, 2014; “Unregistered Resales of Restricted Securities,” FINRA Regulatory Notice 09-05, January 2009.
24. Oppenheimer; Windsor Street Capital.
25. Albert Fried; Alpine Securities.
26. Albert Fried; Windsor Street Capital.
27. Alpine Securities; see also “Guidance on Preparing a Complete & Sufficient Suspicious Activity Report Narrative,” FINCEN, p. 3; AML Cornerstone of Effective Compliance.
28. Alpine Securities; see also “FinCEN Suspicious Activity Report Electronic Filing Requirements,” FINCEN, p. 110.
29. Alpine Securities.
30. Alpine Securities.
31. Alpine Securities.
32. Alpine Securities; see also 31 C.F.R. § 1023.320(b)(3).
33. Albert Fried.
34. Albert Fried; Alpine Securities.
35. Albert Fried
36. Yaffar-Pena; see also Sally Quillian Yates, “Individual Accountability for Corporate Wrongdoing,” U.S. Department of Justice, Office of the Deputy Attorney General, September 9, 2015.