The SEC EXAMS Staff recently issued a Risk Alert highlighting specific concerns regarding the anti-money laundering practices of U.S. broker-dealers. In particular, EXAMS Staff is focusing on controls around AML compliance programs, including independent testing requirements and training of personnel, as well as required identification and verification of brokerage customers and beneficial owners. The Risk Alert follows prior EXAMS guidance regarding other key AML component obligations, including suspicious activity monitoring and reporting programs. In addition, this guidance comes in what the EXAMS Staff continues to view as an ongoing high-risk environment, as the combination of existing AML obligations and increasing sanctions activity by the Office of Foreign Assets Control ("OFAC") have the potential to strain understaffed broker-dealer compliance departments. In light of the Risk Alert's focus on the testing and verification of AML compliance programs themselves, and not just the execution of specific obligations, industry participants should ensure that required periodic reviews of their AML programs take into account the key deficiencies highlighted in the Risk Alert.

Broker-Dealer AML Obligations

AML Compliance Obligations: Generally

Broker-dealers are among the core "financial institutions" that are subject to the Bank Secrecy Act (the "BSA") and implementing regulations administered by the U.S. Department of the Treasury's Financial Crimes Enforcement Network ("FinCEN"). A broker-dealer's foundational obligation under the BSA and FinCEN is to implement and maintain a written AML program (an "AML Program") that provides for policies, procedures, and internal controls reasonably designed to achieve compliance with the BSA. In addition, a broker-dealer's AML Program is required to include policies and procedures for the detection and reporting of suspicious transactions and for conducting customer identification and due diligence, and to designate an AML compliance officer that implements and oversees the AML Program. The AML Program must also include provisions for ongoing employee training and regular independent testing of the AML Program (annually in most cases).

Key Risks: AML Testing & Education Requirements

A key focus of the SEC's Division of Examinations ("EXAMS") Staff Risk Alert is weaknesses in how broker-dealers fulfill the periodic testing requirement of their AML Programs. Specifically, EXAMS Staff notes that broker-dealers did not (i) test their AML Programs in a timely manner, i.e., within required timeframes; (ii) document their testing to adequately demonstrate fulfillment of their obligation; (iii) adequately cover all required areas or aspects of a firm's business and/or the specific requirements of the BSA in the context of the securities industry; or (iv) demonstrate that the firm was complying with its AML Program. Finally, the Risk Alert notes that, where issues were identified during independent testing, broker-dealers did not have effective procedures for remediating these issues, including doing so in a timely manner.

Related to independent testing, the Risk Alert also highlights deficiencies in connection with employee training under AML Programs. Specifically, EXAMS Staff notes that training materials had not been updated to account for changes in applicable legal requirements and/or that they had not been sufficiently tailored to the business model of the specific broker-dealer. EXAMS Staff further notes that broker-dealers could not demonstrate that employees who were subject to training requirements had attended training, or that there was any follow-up to ensure employees completed training.

Key Risks: Customer Identification & Customer Due Diligence Requirements

In addition to testing and education components, the Risk Alert underscores weaknesses observed with respect to identification of customers and beneficial owners of customers. Two key areas under AML Program requirements include Customer Identification Programs ("CIP") — which require obtaining and verifying minimum specific customer identifying information so the broker-dealer can form a reasonable belief that it knows the true identity of each customer — and Customer Due Diligence ("CDD") — which requires a broker-dealer to have procedures reasonably designed to identify the beneficial owners of legal entity customers.

Regarding CIP practices, the Risk Alert highlights the following weaknesses in broker-dealer practices:

  • Not performing CIP procedures in private placements where the broker-dealer appears to have had the requisite customer relationship to incur CIP obligations;
  • Collecting insufficient identifying information (e.g., dates of birth, identification numbers, and addresses);
  • Not verifying customer identities; and
  • Not using exception reporting where appropriate and/or not accurately documenting or following procedures to resolve discrepancies or missing, inconsistent, or inaccurate information.

Regarding CDD practices, the Risk Alert especially focuses on the failure of broker-dealers to update their AML Programs since the adoption of CDD requirements in 2016, including the implementation of proper procedures and new account forms to conduct CDD. More specifically, the Risk Alert focuses on the failure of broker-dealers to obtain (i) identification information regarding beneficial owners; (ii) information regarding all beneficial owners before allowing an account to be opened; and (iii) verification of, or resolution of discrepancies in the process of verifying, the identity of beneficial owners of legal entity customers.

Key Risks: OFAC Obligations

Although technically not a subcomponent of AML Program requirements, the Risk Alert highlights OFAC sanctions obligations as thematically relevant to AML obligations and as an area of increased risk for broker-dealers. Noting that broker-dealer personnel who oversee AML Program compliance also typically oversee OFAC sanctions compliance, EXAMS Staff notes in particular their concern that broker-dealers do not always adequately train AML Program personnel, and that new and increasing OFAC sanctions measures put added pressure on any understaffed AML Program resources. Similar to its observations with CIP and CDD AML obligations, EXAMS Staff notes several weaknesses in broker-dealer OFAC compliance practices, including failure to: (i) document and conduct timely checks against OFAC sanctions lists; (ii) conduct and document follow-up searches on potential matches with sanctions lists; and (iii) undertake "periodic or event-based screening" for current clients or customers when there are changes in ownership or to sanctions lists.

Conclusion

The themes of the EXAMS Staff Risk Alert will be familiar to many industry practitioners — the SEC and other regulators remain watchful for fundamental issues of compliance, like testing, education, and documentation of compliance. Broker-dealer and AML compliance personnel must be diligent in ensuring that their required written procedures are regularly tested and enforced, and that fulfillment of regulatory obligations is adequately documented in order to demonstrate compliance with applicable requirements.

We are also grateful to Bhavishya Barbhaya, Haanbee Choi, Michal Folczyk, Matthew Gallot-Baker, and Daniel Kim for their contributions to this regulatory update.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.