US Turns Up AML Compliance Heat on RIAs, Broker-Dealers and Others

On May 11, 2018, broker-dealers and other financial institutions currently covered by the US Anti-Money Laundering (AML) regime will need to become compliant with FinCEN’s new customer due diligence (CDD) requirements. These requirements significantly expand the scope of CDD, and although Financial Industry Regulatory Authority (FINRA) has yet to promulgate an update to its own rules in this area, it has indicated that it expects broker-dealers to have the CDD program in place by the deadline.

Registered investment advisors (RIAs) are facing the prospect of increased scrutiny of their AML programs during Securities and Exchange Commission (SEC) exams in the coming year. While RIAs currently sit outside the official US AML regime, FinCEN is continuing to review its proposal for explicit RIA rules drafted in 2015.

Broker-dealers must enhance CDD

FINRA expects firms to update their AML programs to comply with new CDD requirements that have been published by FinCEN by the May 11th deadline.

The new CDD rules make several significant changes. CDD programs will now need to have:

1. Customer identification and verification
2. Beneficial ownership identification and verification
3. An understanding of the nature and purpose of customer relationships
4. Ongoing monitoring for reporting suspicious transactions and, in a risk-based way, maintaining and updating customer information.

The first component should already be a part of a broker-dealer’s existing AML program, so firms will need to focus on the other three components. The second item requires firms to identify the beneficial owners of an account upon opening – usually those with a 25% or larger equity stake – except when certain exclusions apply.

The third and fourth items were considered by FinCEN to be implicit in the existing AML rules, but in this new version they have been called out to form an explicit “fifth pillar” of the traditional AML framework (the other four pillars are discussed below.)

Most broker-dealers will need to review – if they have not done so already – their existing policies and processes in all four areas to ensure they are compliant with the new regulatory framework. For many firms, the depth of information gathering about beneficial owners, as well as the need for ongoing risk-based monitoring of customer relationships, could prove challenging.

Ongoing focus on broker-dealer AML continues

FINRA is increasing its focus on overall AML program compliance, too. The regulator published a report on areas where its examiners found weaknesses in firms’ AML programs in December 2017. These included:

• Maintaining adequate policies and procedures for suspicious activity reporting

• Defining responsibility for AML monitoring
• Excluding customers from data feeds used for AML monitoring
• Providing adequate resources for AML monitoring
• Undertaking independent testing of AML monitoring

If they have not already done so, broker-dealers and other covered firms should review these areas with a view towards closing any gaps that may exist within their own firms as soon as possible.

Exams, new rules await RIAs

Historically, RIAs have not been subject to the same AML regulations as other financial institutions.  However, RIAs are part of a multi-trillion dollar sector that is not immune to fraud, money laundering, and other financial crimes.  Bad actors can potentially see this sector as a low-risk entry into the US financial system.

In 2015, FinCEN proposed a rule that would require RIAs to implement AML policies and procedures, as well as file suspicious activity reports (SARs) with FinCEN, as demanded by the US Bank Secrecy Act (BSA) of 1970.  The rule has not been finalized, and as it stands, RIAs do not have any specific AML requirements.

However, FinCEN stated publicly at the end of last year that it is continuing to work on the rule, and that its intention is to eventually publish rulemaking in this area.  More recently, in February of 2018, the SEC’s Office of Compliance Inspections and Examinations (OCIE) published its annual exam priorities, which stated that it would be allocating resources to assess the AML programs of SEC-regulated entities.  The OCIE will be focusing on program implementation, CDD, SARs and independent program testing.

RIAs will be expected to have an AML program in place, ensure that their key service providers have adequate AML policies and CDD/Know Your Customer (KYC) procedures, and report any unusual activity.

Establishing an AML program does not need to be an arduous task.  The policies and procedures should be based on the firm’s risks and types of products offered. Overall the program should contain the following elements:

• Appointing an AML compliance officer
• Providing annual employee training
• Engaging in an annual independent program audit
• Outlining risk-based procedures and controls

These elements are referred to as the four pillars of an AML program. The fifth pillar of AML – the enhanced CDD discussed above – is being added to these as of May 11, 2018.  Firms should confirm they are compliant with this new fifth pillar.

Most RIAs should already have an AML program in place. Many firms with international operations will have had to establish AML programs. Several RIAs have had to establish programs to be able to operate within their financial ecosystem – for example, to be compliant with AML requirements for third-party service providers.

RIAs should also consider consulting with the custodians, broker-dealers, and administrators they work with to ensure that they too have robust AML and CDD/KYC policies and procedures in place – the onus is on the RIA to ensure that all of its service providers are compliant.

RIAs need to ensure that awareness of red flags is a part of the firm’s corporate culture.  They must educate relevant personnel on monitoring and detecting suspicious activity.  Examples of red flags include:

• Reluctance from investors or customers to provide identifying information or appropriate representation
• Wire transfers or transactions from or to unbeknownst third parties or non-FATF countries or regions
• Reluctance from acting agent or investor to disclose beneficiary information or information regarding business activities
• Unusual transaction activities from the RIA’s own personnel

All suspicious activity should be brought to the attention of the AML compliance person or Chief Compliance Officer. Cordium recommends that the program be tested on an annual basis by either an outside consulting firm or employees not directly involved in administering the program.

Money laundering gives rise to a number of other illicit activities.  FinCEN, FINRA, the SEC, and other regulators are increasing their efforts to strengthen AML practices at all US firms.  Broker-dealers and advisers play a critical role in safeguarding the US financial system from money laundering, terrorist activities, and other financial crimes.  It is in the best interest of broker-dealers and RIAs to ensure that they have satisfactory AML policies and procedures to protect the firm, its clients and its investors from potential fraudulent acts, and potential damage from reputational risk.