Anti-Money Laundering (AML) Compliance Program
Following the terrorist attacks of September 11, 2001, Congress passed the USA PATRIOT Act, in part, to strengthen the anti-money laundering (AML) and counter-terrorist financing provisions of the Bank Secrecy Act (BSA) and extend them to broker-dealers. Among other provisions, the BSA requires firms to monitor for, detect and report suspicious activity to the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN).
FINRA Rule 3310 requires that members develop and implement a written AML program reasonably designed to comply with the requirements of the BSA, and the implementing regulations promulgated thereunder by the Department of the Treasury.7
FINRA observed that firms with effective AML programs actively tailor their risk-based AML program to the firm’s business model and associated AML risks as opposed to simply implementing a more “generic” program. They also conducted independent testing that included sampling customer accounts in order to test whether the firm was collecting and verifying customer identification information on all individuals and entities that would be considered customers under the BSA, as well as trading and money movement activity to test whether the firm was performing adequate monitoring for and investigations of potentially suspicious activity. In addition, they designed training programs that were specific to the roles and responsibilities of the participating employees and captured current and evolving aspects of the AML landscape.
Selected Examination Findings
FINRA observed instances where firms failed to establish and implement an AML program reasonably designed to detect, and cause the reporting of, suspicious activity.
- Maintaining Adequate Policies and Procedures for Suspicious Activity – Some firms failed to establish and implement risk-based policies and procedures to detect and report suspicious transactions. FINRA identified these deficiencies where, for example, a firm’s business growth far outpaced the growth of its AML programs, a portion of a firm’s business involved a high-risk product (such as microcap securities or dual currency bonds), or a firm’s business evolved over time and AML policies and procedures were not updated and adequately tailored to the firm’s current risks, including with respect to how potentially suspicious activity would be monitored and documented.
- Responsibility for AML Monitoring – While firms are permitted to delegate aspects of their suspicious activity monitoring program to non-AML staff (e.g., to business line staff responsible for trade surveillance), in some cases where this was done, FINRA observed that problems sometimes arose with the appropriate and adequate escalation of potentially suspicious activity. Those problems typically occurred when the AML and surveillance staff did not share a common understanding of the types of activities that merited escalation or when staff did not escalate such activities appropriately. In some cases, the problems occurred because firms did not: (1) clearly define the activities that were being delegated; (2) articulate those delegations and related surveillance responsibilities in their written supervisory procedures; or (3) adequately train non-AML staff on AML surveillance policies and procedures.
- Exclusions From Data Feeds Used for AML Monitoring – FINRA also observed instances where firms’ monitoring systems were deficient due to gaps in the data feeding those systems that were created, for example, by the use of “suspense accounts” to process foreign currency money movement and conversion. The use of suspense and other operational accounts sometimes obscured the source of funds to firms’ surveillance systems, resulting in weaker monitoring of high-risk transactions. FINRA also observed instances where firms made decisions to exclude certain types of customer accounts from monitoring programs, but failed to document or, if circumstances changed, revisit the risk-based rationale for the decision, again resulting in unidentified suspicious activity.
- Resources for AML Monitoring – FINRA also identified deficiencies due to policies and procedures not being implemented as a result of firms not providing adequate resources to AML departments to carry out the responsibilities of the AML program. This result was more common when a firm experienced significant growth but did not grow the firm’s AML program commensurately. The lack of resources can lead to deficient monitoring or inadequate investigations of potentially suspicious activity.
- Independent Testing of AML Monitoring – FINRA also observed that some firms did not ensure the independent testing required under FINRA Rule 3310(c) included a review of how the firm’s AML program was implemented. Other weaknesses included firms not ensuring the independence of the test, or not completing tests on an annual calendar year basis where the firm’s business warranted that regular testing.
7 FINRA provides a free template for small firms to assist them in fulfilling their responsibilities to establish the AML compliance program required by the BSA, its implementing regulations, and FINRA Rule 3310. The template provides text examples, instructions, relevant rules and links to other resources that are useful in developing an AML plan for small firms.