On July 31, 2023, the Division of Examinations (“Division”) of the U.S. Securities and Exchange Commission (“SEC”) released a risk alert presenting observations regarding broker-dealer anti-money laundering (“AML”) compliance program deficiencies (the “Risk Alert”). The Risk Alert highlighted issues relating to: (1) independent testing; (2) AML training; (3) customer identification program (“CIP”) compliance; and (4) customer due diligence (“CDD”) and beneficial ownership identification and verification. The Risk Alert also highlighted weaknesses in firms’ Office of Foreign Assets Control (“OFAC”) compliance programs.
KEY OBSERVATIONS BY DIVISION STAFF
Prior to addressing specifics, the Division made two overarching observations regarding AML and sanctions compliance programs. First, staff observed that certain firms are not devoting adequate resources, including staffing, to AML and sanctions compliance (which issue is exacerbated in the current environment of rapidly increasing OFAC sanctions). Second, staff observed that inconsistent implementation reduced the efficacy of certain firms’ policies, procedures and internal controls.
The Risk Alert then offered specific observations, summarized below:
- Independent Testing. Broker-dealer AML programs must include an independent testing element and, for most broker-dealers, testing is required on an annual basis. Division staff observed broker-dealers that (1) did not complete tests in a timely manner (or could not provide evidence of having done so); (2) had inadequate independent testing, which did not cover aspects of their business, was conducted by personnel lacking independence or AML expertise or was conducted under requirements not applicable to the securities industry; and (3) did not address, or have procedures to address, testing observations in a timely manner.
- AML Training. Broker-dealer AML programs are required to include ongoing training but Division staff noted training deficiencies. Specifically, the Risk Alert noted training materials that were not appropriately updated and/or tailored. Also, some firms could not demonstrate that personnel attended necessary trainings (or that processes were in place to follow up with those who missed required trainings).
- Customer Identification Program. The CIP rule requires broker-dealers to implement procedures to identify and verify the identity of each customer. Division staff observed broker-dealers whose CIP “appeared not to be properly designed to enable the firm to form a reasonable belief that it knows the true identity of customers.” Division staff observed a variety of more specific CIP compliance failures:
- Failure to apply CIP procedures to investors in a private placement “where customer relationships established with the [firm] to effect securities transactions appeared to be formal relationships for purposes of the CIP [r]ule.” (The requirement to apply CIP in private placement contexts has been controversial, and regulators have not provided guidance regarding when a customer relationship may be established in such contexts. It is noteworthy that the Risk Alert calls this point to attention.)
- Failure to collect required minimum customer identification information, such as street addresses (rather than P.O. boxes).
- Failure to verify customer identity, including instances where firm records indicated verification was complete but required identification information was missing, incomplete or invalid.
- Failure to use exception reports to alert the firm to failures to apply its CIP to a customer, even though such use would be appropriate given the size and nature of the firm’s business.
- Failure to document aspects of the CIP and failure to follow the firm’s own CIP procedures.
- Customer Due Diligence and Beneficial Ownership. Division staff observed broker-dealers that had not updated their AML programs and related forms and procedures to reflect the Financial Crimes Enforcement Network’s 2016 adoption of the CDD rule, which requires identifying and verifying the identity of certain natural person beneficial owners of legal entity customers and conducting and ongoing customer due diligence. Division staff also noted specific deficiencies, including:
- Procedures that permit an entity to be listed as a beneficial owner without information as to underlying individual beneficial owners.
- Opening of new accounts for legal entity customers without identifying all of their beneficial owners.
- Failure to obtain documentation to verify beneficial owner identity and failure to document resolution of discrepancies with regard to identity verification.
- Failure to follow internal procedures that required obtaining information about underlying parties in an omnibus account. (In this regard, the Risk Alert notes that the CDD rule does not require broker-dealers to collect information regarding underlying transacting parties in an omnibus account opened for another financial institution but broker-dealers “may determine that certain financial institutions present higher risks and, accordingly, collect additional information to better understand the customer relationships.”)
- OFAC Compliance. The Division observed certain weaknesses in sanctions compliance efforts. The Risk Alert cited a failure to adopt reasonable risk-based controls for (1) following up on potential sanctions matches and documenting the outcome of such follow-ups; (2) performing periodic or event-based screening of customers based on, among other things, changes in ownership or to sanctions lists; and (3) conducting timely sanctions screening and maintaining related documentation.
In light of these observations, the Risk Alert concludes by encouraging broker-dealers to review and strengthen their AML policies, procedures and internal controls and to monitor for developments with regard to the Anti-Money Laundering Act of 2020 and the Corporate Transparency Act. We have written extensively on those developments, including here.