Anti-Money Laundering
Regulatory Obligations and Related Considerations
Regulatory Obligations:
The Bank Secrecy Act (BSA) and implementing regulations form the foundation for member firms’ Anti-Money Laundering (AML) obligations. (The BSA has been amended several times, including by the USA PATRIOT ACT of 2001 and the Anti-Money Laundering Act of 2020.) The implementing regulations impose a number of requirements on broker-dealers, which include implementing and maintaining both AML programs and Customer Identification Programs (CIPs); filing reports of suspicious activity; verifying the identity of legal entity customers; maintaining procedures for conducting ongoing customer due diligence; establishing due diligence programs to assess the money laundering risk presented by correspondent accounts maintained for foreign financial institutions; and responding to information requests from the Financial Crimes Enforcement Network (FinCEN) within specified timeframes.
FINRA Rule 3310 (Anti-Money Laundering Compliance Program) requires that members develop and implement a written AML program reasonably designed to comply with the requirements of the BSA and its implementing regulations. FINRA Rule 3310 also requires FINRA member firms to, among other things, establish and implement policies, procedures and internal controls that can be reasonably expected to detect and cause the reporting of suspicious activity; provide for an independent test of the AML program each calendar year (or every two years in some specialized cases); and provide ongoing training for appropriate personnel.
Related Considerations:
- Does your firm’s AML program reasonably address your business model, new and existing business lines, products, customers, geographic locations and associated AML risks?
- Has your firm experienced substantial growth or changes to its business? If so, has its AML program reasonably grown and evolved alongside the business?
- Do your firm’s AML procedures recognize that the suspicious activity reporting obligation may apply to any transactions conducted by, at or through the firm, even transactions that do not originate with your firm’s customers?
- Does your firm have appropriately designed AML procedures to identify and respond to known indicators of suspicious activity involving low-priced securities, such as those detailed in FINRA Regulatory Notices 19-18 and 21-03?
- Does your firm’s independent AML testing confirm that it maintains and implements reasonably designed procedures for suspicious activity detection and reporting?
- Does your firm collect identifying information and verify the identity of all individuals and entities that would be considered customers under the CIP Rule, and beneficial owners of legal entity customers under the Customer Due Diligence (CDD) Rule?
- If your firm uses automated surveillance systems for suspicious activity monitoring, does your firm review the integrity of its data feeds and assess scenario parameters as needed?
- If your firm introduces customers and activity to a clearing firm, how does your firm coordinate with your clearing firm, including with respect to the filing of Suspicious Activity Reports (SARs)?
- Has your firm established and implemented appropriate procedures to: communicate cyber events to its AML department, Compliance department or both; fulfill regulatory obligations, such as the filing of SARs; and inform reviews of potentially impacted customer accounts?
- Has your firm reviewed FinCEN’s first government-wide priorities for AML and countering the financing of terrorism (AML/CFT) policy (“AML/CFT Priorities”), and considered how the AML/CFT Priorities will be incorporated into its risk-based AML program?
Emerging Low-Priced Securities Risk
FINRA has observed an increase in several types of activity in low-priced securities that could be indicative of fraud schemes—including an increase in such activity through foreign financial institutions (FFIs) that open omnibus accounts at U.S. broker-dealers. Recent trends indicate that FFIs may be “nesting”2 within omnibus accounts of financial institutions based in jurisdictions that are generally considered to be lower risk, such as Canada or the United Kingdom.
To assist member firms in detecting and preventing these schemes—as well as mitigating the harm they cause to investors and the market—FINRA is sharing some of the signs of potentially illicit trading activity in low-priced securities that it has recently observed, which include:
- trading that coincides with a sudden increase in share price or trading volume, in the absence of legitimate news surrounding the company;
- investors depositing large blocks of shares of low-priced securities originating from convertible debt acquired from the issuer or a third party, immediately selling the shares and then transferring the proceeds out of the account;
- transactions in securities of issuers making questionable claims regarding their products or services related to a recent, major event (e.g., the COVID-19 pandemic) or a new trend (e.g., cryptocurrency or non-fungible tokens (NFTs)) or both; and
- increased trading that overlaps with a surge in relevant promotional activity on social media, investor chat rooms and message boards.
Firms can find additional resources concerning potential warning signs of fraudulent activity:
- FINRA’s Investor Alerts and Investor Insights webpages
- Regulatory Notice 21-03 (FINRA Urges Firms to Review Their Policies and Procedures Relating to Red Flags of Potential Securities Fraud Involving Low-Priced Securities)
- Regulatory Notice 19-18 (FINRA Provides Guidance to Firms Regarding Suspicious Activity Monitoring and Reporting Obligations)
- SEC’s Staff Bulletin: Risks Associated with Omnibus Accounts Transacting in Low-Priced Securities
- SEC’s Risk Alert on Compliance Issues Related to Suspicious Activity Monitoring and Reporting at Broker-Dealers
Exam Findings and Effective Practices
Exam Findings:
- Inadequate Ongoing Monitoring and Reporting of Suspicious Transactions – Failing to establish and implement an AML program reasonably expected to detect and report suspicious activity in compliance with FINRA Rule 3310(a) by, for example:
- not using AML reports or systems that accurately and reasonably capture potentially suspicious activity, and are free of data integrity issues;
- not conducting and accurately documenting AML surveillance reviews;
- not implementing appropriate risk-based procedures to understand the nature and purpose of customer relationships in order to develop a customer risk profile;
- not implementing procedures that are reasonably designed to investigate inquiries from clearing firms that concern “red flags” of potentially suspicious activity;
- not tailoring AML programs to risks presented by products, customers, business lines and transactions (e.g., cash management products, low-priced securities trading) and wire and ACH transfers; and
- not notifying AML departments of events that involve suspicious transactions (e.g., cybersecurity events, account compromises or takeovers, new account fraud, fraudulent wires and ACH transfers).
- Inadequate AML Independent Tests – Failing to comply with FINRA Rule 3310(c) by conducting AML tests that fail to review key aspects of the AML program, are not performed within the required timeframe, are not completed by persons with the requisite independence or are not completed at all.
- Insufficient Compliance With Certain Requirements of the BSA – Failing to establish a risk-based CIP to verify the identity of each customer in compliance with FINRA Rule 3310(b), failing to verify the identity of the beneficial owners of legal entity customers in compliance with FINRA Rule 3310(f) or failing to conduct due diligence on correspondent accounts of foreign financial institutions in compliance with FINRA Rule 3310(b).
Update on Initial Public Offerings (IPOs) of China-Based Issuers
FINRA has observed that some firms are underwriting IPOs and subsequent trading of issuers based in the People’s Republic of China (China-based issuers), raising concerns that the investors in the IPOs may be serving as nominees for an undisclosed control person or persons. These IPOs are typically smaller in size (i.e., less than $100 million) and listed on the lower qualification tiers of U.S. stock exchanges.
FINRA has observed red flags of potentially manipulative trading associated with how these investors open new accounts and trade these securities after the IPO is completed, including:
- numerous unrelated accounts being opened at the same time, including with similar banking information, physical addresses, email address domains and current employer (which is often associated with the IPO issuer);
- documents investors provide in order to open an account or verify source of funds that may have been altered or could be fictitious;
- wire transfers received into these accounts that exceed the financial wherewithal of the investor as indicated on their new account documents, exceed the value of the shares purchased in the IPO and are either sent from similar banks, or bank accounts that share certain identifying information (e.g., employer of account holder, email domain);
- investor accounts being accessed by a different Internet Protocol (IP) or Media Access Control (MAC) address3 than is known for the customer, granting log in and trading capabilities to a third party or both;
- multiple orders with substantial similar terms being placed at or around the same time by seemingly unrelated investors in the same security that is indicative of “spoofing” or “layering”; and
- investors engaging in trading activity that does not make economic sense.
Given the potential risks, firms underwriting these IPOs and whose customers trade in these securities after the IPO should carefully evaluate whether they have controls in place necessary to identify and report market manipulation, other abusive trading practices and potential AML concerns. Firms can find additional information regarding the risks associated with China-based issuers in recent statements from the SEC:
Effective Practices:
- Risk Assessments – Conducting an initial, formal written risk assessment and updating it based on the results of AML tests, audits and changes in size or risk profile of the firm (e.g., business lines, products and services, registered representatives and customers).
- Verifying Customers’ Identities When Establishing Online Accounts – In meeting their CIP obligations, validating identifying information or documents provided by applicants (e.g., Social Security number (SSN), address, driver’s license), including, for example, through “likeness checks”; asking follow-up questions or requesting additional documents based on information from credit bureaus and credit reporting agencies, or digital identity intelligence (e.g., automobile and home purchases); contracting third-party vendors to provide additional support (e.g., databases to help verify the legitimacy of suspicious information in customers’ applications); limiting automated approval of multiple accounts by a single customer; reviewing account applications for repetition or commonalities amongst multiple applications; and using technology to detect indicators of automated scripted attacks.4
- Delegation and Communication of AML Responsibilities – When AML programs rely on other business units to escalate red flags of suspicious activity, establishing clearly delineated written escalation procedures and recurring cross-department communication with AML and compliance staff.
- Training – In meeting their obligations to provide ongoing AML training for appropriate personnel under FINRA Rule 3310(e), establishing and maintaining AML training programs that are tailored for the respective roles and responsibilities of the AML department, as well as departments that regularly work with AML; that address regulatory and industry developments impacting AML risk or regulatory requirements; and that, where applicable, leverage trends and findings from quality assurance controls.
- Detection and Mitigation of Wire and ACH Fraud – In meeting their obligations to conduct ongoing monitoring to identify and report suspicious transactions under FINRA Rule 3310(f), monitoring outbound money movement requests post-ACH setup and restricting fund transfers in certain situations (e.g., identity theft is detected in an investor’s account).5
Additional Resources
- SEC
- FinCEN
- Advisory on Cybercrime and Cyber-Enabled Crime Exploiting the Coronavirus Disease 2019 (COVID-19) Pandemic
- Advisory on Cyber-Events and Cyber-Enabled Crime
- Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments
- Anti-Money Laundering and Countering the Financing of Terrorism National Priorities
- Frequently Asked Questions (FAQs) regarding the Reporting of Cyber-Events, Cyber-Enabled Crime, and Cyber-Related Information through Suspicious Activity Reports (SARs)
- FINRA
- Anti-Money Laundering (AML) Topic Page, which includes:
- Anti-Money Laundering (AML) Template for Small Firms
- Regulatory Notice 21-36 (FINRA Encourages Firms to Consider How to Incorporate the Government-wide Anti-Money Laundering and Countering the Financing of Terrorism Priorities Into Their AML Programs)
- Regulatory Notice 21-18 (FINRA Shares Practices Firms Use to Protect Customers from Online Account Takeover Attempts)
- Regulatory Notice 21-03 (FINRA Urges Firms to Review Their Policies and Procedures Relating to Red Flags of Potential Securities Fraud Involving Low-Priced Securities)
- Regulatory Notice 20-32 (FINRA Reminds Firms to Be Aware of Fraudulent Options Trading in Connection with Potential Account Takeovers and New Account Fraud)
- Regulatory Notice 20-13 (FINRA Reminds Firms to Beware of Fraud During the Coronavirus (COVID-19) Pandemic)
- Regulatory Notice 19-18 (FINRA Provides Guidance to Firms Regarding Suspicious Activity Monitoring and Reporting Obligations)
- Anti-Money Laundering (AML) Topic Page, which includes:
FinCEN National AML/CFT Priorities
- As noted in Regulatory Notice 21-36, on June 30, 2021, FinCEN issued the AML/CFT Priorities, which identify and describe the most significant AML/CFT threats currently facing the United States (e.g., cybercrime, domestic and international terrorist financing, securities and investment fraud).
- The publication of the AML/CFT Priorities does not create an immediate change in BSA requirements or supervisory expectations for member firms, and FINRA is not currently examining for the incorporation of the AML/CFT Priorities into member firms’ AML programs. Nevertheless, in preparation for any new requirements when the final regulations are effective, broker-dealers may wish to start considering how they will incorporate the AML/CFT Priorities into their risk-based AML programs.
2 “Nesting” refers to FFIs indirectly gaining access to the U.S. financial system through another FFI’s correspondent account at a U.S. financial institution. This practice can facilitate legitimate financial transactions, but member firms that maintain correspondent accounts with FFIs should have policies and procedures to identify and monitor for potentially illegitimate “nested” activity.
3 An IP address is a unique identifier assigned to an Internet-connected device, while a MAC is a unique identifier used to identify a specific hardware device at the network level.
4 See Regulatory Notice 21-18 (FINRA Shares Practices Firms Use to Protect Customers From Online Account Takeover Attempts)
5 See Regulatory Notice 20-13 (FINRA Reminds Firms to Beware of Fraud During the Coronavirus (COVID-19) Pandemic)