Looking ahead to 2016, financial firms can expect examinations by the Securities and Exchange Commission and Financial Industry Regulatory Authority to place an even greater focus on anti-money laundering efforts, even as the Treasury Department’s enforcement arm hammers out new demands on that front.
On July 14, the SEC hosted an estimated 1,000 financial services professionals, in-person and online, for what was billed as its “Compliance Outreach Program.” Agency officials briefed banks, brokerages, and commodity traders on various compliance examination plans, and many involved AML protocols and customer due diligence.
“An AML compliance program can serve as the cornerstone of an effective overall compliance program,” Denise Saxon, assistant regional director of the SEC’s Denver office, said on one of the day’s panels. “AML will be treated as an exam priority.”
Expect continued scrutiny on Suspicious Activity Reports, a regulatory priority SEC officials have mentioned several times in the past several months. In a February speech before a gathering of AML professionals, Director of Enforcement Andrew Ceresney sounded the alarm over the seemingly lackadaisical approach broker-dealers were taking to SARs, averaging roughly five reports each year per firm. He also expressed concern with the quality of the reports that are filed.
“With some firms, narratives differ by only a few words from one SAR to another, revealing a check-the-box mentality,” he said. “With others, the narratives never exceed a total of about 14 words.”
“An AML compliance program can serve as the cornerstone of an effective overall compliance program.”
Denise Saxon, Assistant Regional Director, SEC’s Denver Office
Ceresney’s warning to take SARs seriously was repeated throughout the event. “There is a renewed focus on compliance with suspicious activity monitoring and reporting requirements,” Saxon said. “Statistics really call into question whether the industry as a whole is really fulfilling its obligations in this space. It is concerning.”
One underlying problem may be misperception of risk. “A lot of folks think they don’t have drug cartels or human traffickers, so they have no reason to file SARS, but there are a lot of things that can be reported and there are checkboxes for a lot of things that you might not otherwise think you need to report,” said Sarah Green, FINRA’s senior director of enforcement.
What exactly are those items you should report, but might not have occurred to you? Many were included with the most recent update to the SAR form nearly two years ago: insider trading, microcap fraud, wash trading, identity theft, and cyber-breaches, Green said.
“When you think about your [compliance] program, and whether you are filing the SARs that you should, start thinking about risk,” Green suggested. What are the products that have fraud or money laundering risk? What type of clients do you have? Do you have foreign clients? Are there systems in place to pick up on those risks?
If your firm has a system to monitor and flag potential problems, regardless of whether it is manual or automated, the SEC’s staff and examiners will assess whether those alerts are investigated properly with adequate staffing to do so.
What Examiners Want to See
A proper AML system, and one that generates and responds to SARs appropriately, will require an integrated approach to trade surveillance and asset movement because “the securities industry is one of the few, if only, industries where you can both generate illicit proceeds as well as launder them,” said Sterling Daines, managing director of Goldman Sachs’ global compliance division. “Many of the actions brought by FINRA and the SEC against AML programs involve illicit or suspicious trading activities, such as price manipulation and insider trading. There are a lot of different types of securities fraud that can occur. If your AML program isn’t set up to detect and report them, you are going to have an issue.”
The renewed focus on SARs likely means that compliance examiners will request even more often every alert generated over a given period of time. “You will have to have an appropriate audit trail on those decisions as to why you did or didn’t file a SAR,” Daines said.
REVISTING THE FOUR PILLARS
The following is from the Treasury Department’s Financial Crimes Enforcement Network’s proposed rule to clarify customer due diligence obligations for banks, broker-dealers, and other financial firms.
For FinCEN, the key elements of customer due diligence (CDD) include: (i) Identifying and verifying the identity of customers; (ii) identifying and verifying the identity of beneficial owners of legal entity customers (i.e., the natural persons who own or control legal entities); (iii) understanding the nature and purpose of customer relationships; and (iv) conducting ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions.
Collectively, these elements comprise the minimum standard of CDD, which FinCEN believes is fundamental to an effective AML program.
Accordingly, this Notice of Proposed Rulemaking (NPRM) proposes to amend FinCEN’s existing rules so that each of these pillars is explicitly referenced in a corresponding requirement within FinCEN’s program rules. The first element, identifying and verifying the identity of customers, is already included in the existing regulatory requirement to have a customer identification program (CIP).
Given this fact, FinCEN is addressing the need to have explicit requirements with respect to the three remaining elements via two rule changes. First, FinCEN is addressing the need to collect beneficial owner information on the natural persons behind legal entities by proposing a new separate requirement to identify and verify the beneficial owners of legal entity customers, subject to certain exemptions. Second, FinCEN is proposing to add explicit CDD requirements with respect to understanding the nature and purpose of customer relationships and conducting ongoing monitoring as components in each covered financial institution’s core AML program requirements.
Within this context, FinCEN is also updating its regulations to include explicit reference to all four of the pre-existing core requirements of an AML program, sometimes referred to as ‘‘pillars,’’ so that all of these requirements are visible within FinCEN’s rules.
As for the investigations that could ultimately lead to a SAR, firms shouldn’t be afraid to get creative. “We all have our systems, but always look for new ways to monitor,” said Pamela Ziermann, senior vice president at Dougherty & Co., an investment bank and brokerage firm. One tactic she uses is to set Google news alerts on a person or entity when “there is something out there that you have no reason to file a SAR, but you have that sixth sense.” Another trick: Map applications that feature street-level views can help verify that an office address is where it is purported to be.
Don’t think that filing a lot of SARs will absolve you, as regulators will focus on content as much as they will on frequency. “To me, a SAR is a story, so focus on who, what, where, when,” Ziermann said. “Somebody should be able to read it and know why you filed.” She stressed continued training for staff on how to write SARs.
Upcoming FinCEN rules, intended to revise and formalize customer due diligence requirements under the Bank Secrecy Act, will also influence how firms should approach AML compliance and the examinations that assess those efforts. The proposed rule, issued last year, is expected to be complete by early 2016. It will apply to both large and small institutions, including banks, broker-dealers, mutual funds, futures commission merchants, and introducing brokers in commodities transactions.
A key amendment to FinCEN’s current AML rules is a requirement that firms know and verify the identity of the “ultimate beneficial owners” of their customers, including individuals who own (directly or indirectly) 25 percent or more of the entity or exert significant control over it. Foreign regulators, as well as the International Monetary Fund in a recent report, have chided the United States for being a global laggard on beneficial ownership assessments.
The final rule will also expand obligations to identify and verify the identity of customers; understand the nature and purpose of the customer relationship for purposes of developing a customer risk profile; and require monitoring to maintain customer information and identify suspicious transactions. Many of these obligations are intended to be clarifications of existing FinCEN rules and its customer identification programs.
“This will be a real game changer for our industry and will mean big adjustments for firms,” Green says.
While many firms have already started identifying beneficial owners, the proposed rule adds a requirement to verify that information. “Firms will need to codify their approach and the tools they use, and draft policies and procedures to cover all this,” Daines says.
The upshot for compliance officers: Training on all this will be crucial. “Particularly in larger firms, the function of on-boarding a client is typically not done by compliance,” Daines explains. Compliance may have an oversight role, but the labor is typically the responsibility of operations staff. “Figuring out how to drill through to who the owners are at the bottom of that structure, the natural person, can be very difficult to do,” he says.
The other FinCEN requirements should not be dismissed either. “Every firm is going to have to try to figure out what they want to capture to create a customer profile,” Daines says. “While it seems straightforward—and certainly in the securities industry people have been risk ranking their customers to one degree or another over a long period of time—the concept of codifying it into a customer risk profile is a very different one that we are still trying to think through.”