On July 31, 2023, the US Security and Exchange Commission’s Division of Examinations (“EXAMS”) issued a new risk alert based on its examination of broker-dealer practices and their compliance with anti-money laundering and countering the financing of terrorism requirements in federal securities laws, including the Bank Secrecy Act (“BSA”) and Consumer Due Diligence (“CDD”) Rule. While the last risk alert, published in 2021, focused on compliance issues involving suspicious activity monitoring and reporting in broker-dealers’ AML programs, this risk alert concentrates on broker-dealers’ ability to comply with AML requirements related to independent testing of their AML programs, the provision of ongoing training to AML personnel, and their ability to identify and verify customers and their beneficial owners. Before discussing specific observations, EXAMS noted generally that some registrants had also not devoted sufficient resources to AML compliance and had implemented AML policies and procedures already in place in an inconsistent manner. EXAMS also urged registrants to closely monitor for changes or amendments to applicable laws to ensure that their AML programs comply not only with federal securities laws but also financial sanctions laws implemented by Department of the Treasury’s Office of Foreign Assets Control.
While the Financial Industry Regulatory Authority (“FINRA”) Rule requires most firms to conduct a test of their AML program annually, EXAMS staff observed that independent testing was not conducted in a timely manner or broker-dealers were unable to produce documentation to show that testing was conducted at all. EXAMS also found that independent testing in some instances was ineffective because it was not conducted by an independent party; it failed to cover key aspects of the firm’s business; or it was conducted by an independent party with insufficient knowledge of BSA requirements. Other observations included broker-dealers who had trouble addressing issues uncovered by the independent testing or failed to have procedures in place to address these issues.
EXAMS staff also found that training materials for AML personnel were not updated to include changes in the law or were not tailored to address the specific risks and business activities of the broker-dealer. Registrants also had trouble confirming that all personnel had received required training or failed to have a process in place to follow up regarding missed training.
The Customer Identification Program (“CIP”) Rule requires broker-dealers to maintain a written CIP that, at the very least, enables them to form a reasonable belief that they know the true identity of each of their customers. However, EXAMS staff observed CIPs that failed to follow procedures for investors in a private placement; permitted the opening of accounts with just a PO box address; and failed to verify the identity of customers with missing, incomplete or invalid information. EXAMS staff also observed instances where broker-dealers failed to follow their own CIP procedures.
Since the adoption of the CDD Rule in 2016, broker-dealers have been required to establish AML programs designed to identify and verify the identity of beneficial owners of each legal entity customer at the time a new account is opened. EXAMS generally described beneficial owners as no more than four individuals who own 25 percent or more of the equity interests of a legal entity or a single individual with a significant ability to control, manage, or direct a legal entity. EXAMS staff noted that certain broker-dealers had not updated their AML programs to comply with the CDD Rule and also observed CIPs that listed entities as beneficial owners without a requirement to obtain adequate information about the beneficial owners of that entity. EXAMS staff also observed CIPs that allowed new accounts to be opened without identifying all of an entity’s beneficial owners or without obtaining documentation to verify the identities of the beneficial owners.