On July 31, 2023, the U.S. Securities and Exchange Commission (SEC) Division of Examinations issued a Risk Alert highlighting observations made by Division staff during recent examinations of broker-dealers concerning anti-money laundering (AML) compliance. The Alert provides insights into areas of focus for future exams and is intended to assist firms in developing or enhancing their compliance practices.

This post examines important takeaways from the Risk Alert that broker-dealer management and compliance professionals should consider when building and enhancing compliance programs, designing internal controls, and conducting reviews of AML business risks. Patomak expects SEC scrutiny of AML compliance to always be an exam priority, especially as the Office of Foreign Assets Control (OFAC) continues issuing new sanctions against individuals and entities.

Key Risk Alert Observations

Re-emphasizing an alert issued in March 2021, the SEC 2023 Risk Alert reminds firms of their AML responsibilities, especially regarding sufficient implementation and ongoing staff training for AML policies and procedures. Importantly, this year’s risk alert highlights the adequacy of firms’ independent testing of these policies and procedures. The Risk Alert also discusses three new focuses for broker-dealers: implementing Customer Due Diligence (CDD) requirements, having sufficient Customer Identification Programs (CIP), and conducting sufficient CDD for beneficial owners of legal entity (LE) customers.

The Financial Crimes Enforcement Network (FinCEN) amended its AML Program Rule for broker-dealers in 2016 with the CDD Rule, primarily requiring firms to (i) identify and verify customers, (ii) identify and verify beneficial owners, (iii) understand the nature and purpose of customer relationships to create customer risk profiles, and (iv) conduct ongoing monitoring for reporting suspicious transactions and update customer information on a risk basis. SEC staff observed, however, that firms’ policies and procedures, specifically training materials for employees, were often not updated to reflect the CDD Rule. The SEC also emphasizes in its AML overview the latter of the two core requirements of the CDD Rule, along with associated recordkeeping requirements. The SEC further notes that information gathered as part of CDD compliance should also be used to meet OFAC requirements.

The alert reminds registrants that the CIP Rule requires broker-dealers to (i) obtain the minimum specified customer identifying information from each customer before account opening, (ii) verify the customer’s identity within a reasonable time frame before or after account opening, (iii) describe “follow-on” terms for customers whose identities cannot be verified, and (iv) keep records of information obtained in the process. SEC staff observed multiple deficiencies in firms’ CIP programs, such as allowing a P.O. box address to suffice as verified customer identity and failing to use “exception reports” to alert staff in cases of unverified identities. The alert draws specific attention to insufficient CIP procedures for investors in a private placement and firms making inadequate use of suspicious informational discrepancies obtained through third-party verification vendors.

The SEC carefully describes firms’ CDD Rule obligations to identify and verify all beneficial owners of their LE customers. Particular emphasis is placed on “risk-based procedures,” through which firms develop an understanding of their customer relationships and build a “risk profile” to assess suspicious transactions. Related deficiencies observed by SEC staff included opening accounts for LE customers without obtaining sufficient information on beneficial owners, failing to adequately verify information obtained, and failing to acquire information about underlying parties through omnibus accounts. The observations again note the failure to resolve informational discrepancies obtained through a third-party vendor.

Patomak Insight

While the AML rules and SEC observations are not new, the Risk Alert, as well as the Division of Examinations’ and FINRA’s annual priorities noting AML, remind firms that AML will continue to be a focus of examinations. The benefits of a strong AML program extend beyond money laundering and can aid firms in minimizing bad actors on their platforms. To strengthen AML programs and manage associated regulatory and compliance risks, firms should proactively revisit and update AML governance practices, including policies, procedures, controls, and systems. Firm management should revisit resource allocation toward training, testing, governance, CIP, CDD, and beneficial ownership. Finally, firms’ risk management roles should ensure that compliance and internal audit functions appropriately scope these evolving and critical areas to validate their operational effectiveness.

Put Patomak’s Expertise to Work

Patomak is well-prepared to help firms meet their AML and OFAC obligations. Patomak has aided firms in developing and enhancing AML compliance programs, including designing controls, conducting risk assessments, and supporting customer due diligence and beneficial ownership exercises. If you would like to learn more about how Patomak can partner with you, please reach out to Laura Magyar, Managing Director, at lmagyar@patomak.com or John Vivian, Senior Director, at jvivian@patomak.com.