The U.S. Securities & Exchange Commission (SEC) has made it abundantly clear over the last several years that anti-money laundering (AML) is one of its top examination priorities.1 While traditionally many other regulatory and enforcement agencies such as the Financial Industry Regulatory Authority (FINRA), the Office of the Comptroller of Currency (OCC), the U.S. Department of Justice, and the Federal Reserve have been the ones to enforce AML deficiencies, the SEC recently started regularly using Rule 17a-8 under the Securities and Exchange Act of 1934 as a tool to enforce AML deficiencies with broker-dealers.2
SEC-registered broker-dealers are already considered “financial institutions” per the Bank Secrecy Act (BSA), and they are also required to be members of FINRA. Therefore, they must have an AML program as required by FINRA Rule 3310. Yet the SEC has started using Rule 17a-8 more regularly as an enforcement mechanism to ensure that a broker-dealer’s AML program isn’t simply a paper tiger and is actually operating effectively.3 This SEC enforcement trend indicates yet another shift in the regulatory landscape for broker-dealers.
A number of AML laws are relevant to broker-dealers, and recent enforcement actions related to Rule 17a-8 provide numerous key takeaways for broker-dealers to operate an effective AML program.
Broker-dealers are required to either be registered with a state or with the SEC and FINRA, depending on a variety of legal considerations.4 For those broker-dealers that are registered with the SEC and FINRA , there are a few fundamental AML-related rules and regulations that are relevant and applicable.
First, FINRA Rule 3310 requires member broker-dealers to “develop and implement a written [AML] program reasonably designed to achieve and monitor the member’s compliance with the requirements of the [BSA], and the implementing regulations promulgated there under by the Department of the Treasury.” 5 The AML program should be risk-based and is required to have the following four pillars:6
Policies and procedures that are reasonably designed to detect and report suspicious activity
Periodic independent testing of the AML program
Designation of an individual responsible for the AML program
Ongoing training for appropriate personnel
Next, the rules promulgated by FinCEN under the BSA requires broker-dealers to implement a customer identification program (CIP), report certain cash transactions, retain wire transfer records, and monitor and report suspicious activity. More specifically, the BSA requires broker-dealers to:
Implement a CIP that is designed to have a process in place for obtaining and verifying certain basic customer information such as name, address, date of birth, and identification number7
Report all cash transactions greater than $10,000 (by filing a Currency Transaction Report)
Create and maintain adequate wire transfer records, regardless of whether the activity is believed to be suspicious or illegal8
Monitor for, and report activity by filing a Suspicious Activity Report (SAR) where a broker-dealer “knows, suspects, or has reason to suspect that [a] transaction (or pattern of transactions of which the transaction is a part)” is greater than $5,000 and: 1) involves or is designed to hide funds derived from illegal activity; 2) is intended to evade BSA requirements; 3) does not have an apparent business or lawful purpose and is otherwise out of the norm for the customer; or 4) involves facilitating criminal activity.9
Finally, SEC Rule 17a-8 requires broker-dealers to “comply with the recordkeeping, retention, and reporting obligations of the BSA and its implementing regulations.”10 This rule requires broker-dealers to maintain accurate books and records, including having policies and procedures that reflect the actual processes in place;11 file suspicious activity reports that are complete, accurate, and timely;12 and retain supporting documentation as required by the BSA.13
Even though the SEC’s use of Rule 17a-8 as a means to enforce AML violations dates back to 2006, the actions prior to 2016 were few and far between. The older actions were also more focused on CIPs rather than the failure to file SARs. Nevertheless, all the actions follow the same trend – that is, broker-dealers must not only have adequately documented AML policies, but also they must have processes and procedures in place that are consistent with those policies. Thus, all the actions amount to the SEC enforcing deficiencies in the implementation of the broker-dealers’ AML programs, rather than the documented design of the program.14 Accordingly, broker-dealers must not only have a comprehensive documented AML program, but that program must be operating effectively in order to pass regulatory muster.
Below is a high-level overview of some key takeaways for broker-dealers from these enforcement actions, and related statements and comments by regulators, which may help with developing and enhancing an operationally effective AML program.
Broker-dealers should perform a comprehensive AML risk assessment that is designed to assess the risk related to its services, products, customers, locations, transactions, etc. The risk assessment should be documented, and the results of the risk assessment should be used to tailor the AML program.15
Broker-dealers should create an AML program, including policies and procedures, which are tailored to the unique and specific characteristics and risks of the entity and address all four pillars of an effective program.16
Broker-dealers’ policies and procedures should accurately reflect what the firm actually does in practice.17
Broker-dealers should establish a written CIP and incorporate the program as part of their overall AML program. The CIP should clearly delineate the policies and procedures used by the broker-dealer for identifying and verifying customer identities using documentary or non-documentary methods, or both. The CIP must accurately describe, and be consistent with, the actual processes in place.18
Broker-dealers should perform a customer risk assessment at the time of account opening to gain an understanding of the customer’s expected type of activity, volume, risk profile, etc.19
Broker-dealers should not only gain an understanding of their direct customers (by following their CIP and know your customer (KYC) policies) but also, where applicable, understand who the beneficial owners are of subaccounts and/or those individuals/entities for whom transactions may be executed.20
Broker-dealers should treat beneficial owners of corporate accounts who interface directly with the broker-dealer as direct customers for purposes of the CIP rule.21
Broker-dealers’ CIP should include collecting, verifying, and maintaining identification not only for direct customers, but also for individuals who are transacting through customer accounts.22
Broker-dealers who directly engage, or have customers that engage, in transactions related to microcap stocks should gain an understanding of their unique and specific risks, and incorporate specific AML policies, procedures, and monitoring for these transactions and their customers.23
Broker-dealers must monitor for potentially suspicious or illegal activity; illegal activity includes the offers and sales of restricted securities.24
If so-called red flags (i.e., potentially suspicious activity) are identified, broker-dealers should perform an investigation into the activity and/or customer, determine whether a SAR should be filed, and the results of the investigation and decision whether or not to file a SAR should be thoroughly documented.25 This especially includes circumstances where the broker-dealer makes a decision to cease the business relationship.26
When a broker-dealer determines that a SAR should be filed, the SAR should be complete and contain the “who, what, when, where, and why” of the activity,27 including “a clear, complete, and concise description of the activity, including what was unusual, irregular or suspicious about the transaction(s)” so that the information can be used effectively by law enforcement, regulatory, and intelligence agencies.28
Broker-dealers must include information on the SAR that is accurate, and cannot omit information known to the firm that may deem the SAR to be misleading.29
Broker-dealers should use qualified, trained staff who have experience researching transactions, performing investigations, and completing SARs to draft SARs.30
Broker-dealers should implement a management-level SAR review and quality control process.31
Broker-dealers must file SARs “no later than 30 calendar days after the date of the initial detection by the reporting broker-dealer of facts that may constitute a basis for filing.”32
Broker-dealers should cooperate fully with examinations and, if applicable, resulting inquiries and investigation.33
Broker-dealers should take remedial action as soon as practical where deficiencies and issues are identified.34
Broker-dealers should, where appropriate, retain an independent third-party firm to perform an internal investigation, conduct independent testing, perform a gap analysis, and/or assist with strengthening the AML program.35
Corporate officers and owners may be held individually and personally liable for civil, and potentially criminal, liability for willful violations of the BSA and/or aiding and abetting violations of the BSA.36
Given the continued emphasis on combatting money laundering and terrorist financing, it is highly likely that that this SEC enforcement trend is likely to continue, and broker-dealers should take note and be prepared. Accordingly, broker-dealers should review these key takeaways and, where gaps are identified, implement changes to the AML program that address these areas. Doing so will help minimize the risk of a routine SEC examination identifying deficiencies in the AML program or even resulting in an investigation or enforcement action.