Yesterday, the SEC Office of Compliance Inspections and Examinations (OCIE) announced its 2018 examination priorities, released in order to “improve compliance, prevent fraud, monitor risk, and inform policy.” OCIE announced five priorities, with Anti-Money Laundering (“AML”) programs being one of them. This emphasis on AML is consistent with the SEC’s increasing willingness to bring enforcement actions relating to AML and the Bank Secrecy Act (“BSA”). As we also discuss, here and in our sister blog, CyberAdviser, another priority announced by OCIE is cybersecurity, an issue which increasingly overlaps with AML issues.
OCIE conducts the SEC’s National Exam Program (NEP) whose mission is to protect investors, ensure market integrity and support responsible capital formation through risk-focused strategies that: (1) improve compliance; (2) prevent fraud; (3) monitor risk; and (4) inform policy. The results of the NEP’s examinations are used by the SEC to inform rule-making initiatives, identify and monitor risks, improve industry practices and pursue misconduct. OCIE is responsible for conducting examination on broker-dealers, investment advisers, transfer agents, and other SEC-regulated entities.
OCIE developed these priorities based on feedback from financial professionals, market participants, and attorneys regarding compliance challenges, recent trends, and high risk areas. SEC Chairman Jay Clayton noted that this year the priorities were directed at “asset verification, market infrastructure, and duties owed to retail investors.” OCIE Director Pete Driscoll reiterated those sentiments, stating that the risk-based strategy this year prioritized “the interests of retail investors and examined the aspects of securities firms that pose risks to investors and the functioning of the capital markets.”
Scrutiny of AML Programs
Under the BSA, some securities firms regulated by the SEC, such as broker-dealers and mutual funds, are required to establish AML programs which identify their customers, perform customer due diligence, and monitor accounts for suspicious activity. These firms are required to file Suspicious Activity Reports (“SARs”) with the Financial Crimes Enforcement Network (“FinCEN”) when suspicious activity is noted. OCIE highlighted the important role SARs play for law enforcements efforts to combat terrorist financing, organized crime, and public corruption. For these reasons, OCIE stated “ensuring financial institutions meet their AML program obligations is an important and critical task for financial regulators.”
OCIE will focus resources on examining whether firms are adapting their AML programs to address these obligations, by specifically assessing: (1) whether firms are taking reasonable steps to understand the nature and purpose of customer relationships under FinCEN’s new customer due diligence rule (about which we have blogged; please see here and here), and properly address those risks, (2) whether firms are timely and accurately filing SARs, and (3) whether entities are conducting robust independent testing of their AML programs.
Indeed, the SEC has become increasingly interested in broker-dealer compliance with AML laws and regulations. In January of last year, the SEC created a research guide or a source tool to assist broker-dealers in their compliance efforts. The source tool walks through the basic statutes and regulations governing AML program compliance and lays out guidance and resources issued by self-regulatory bodies, such as FINRA addressing compliance. The SEC made good on their promise later in the year, as we have previously written about here and here, and filed suit against a broker-dealer which routinely and systematically failed to file SARs and omitted key information in the SARs that were filed such as the criminal and regulatory history of customers.
The SEC continues to aggressively pursue enforcement of the AML compliance obligations of the firms it regulates and has recovered fines in the 7 and 8 digits. Given the reiteration of its priorities, we believe 2018 will see a continued effort by the SEC to ensure AML compliance of its regulated entities.
Another priority announced by OCIE is cybersecurity, which has increasingly become an important part of OCIE’s focus. In June 2017, the SEC issued an alert in the wake of the WannaCry ransomware attack. The alert details observations from examinations conducted in connection with OCIE’s Cybersecurity 2 Initiative, during which OCIE examined 75 businesses, including investment companies, investment advisers, and broker-dealers.
In recent years, we’ve witnessed a growing convergence between cybersecurity and AML. In October 2016, for instance, FinCEN issued a cyber threat advisory and FAQs discussing the use of SARs to report cyber threat activity. Noting that “the proliferation of cyber-events and cyber-enabled crime represents a significant threat to consumers and the U.S. financial system,” FinCEN’s guidance was aimed at assisting “financial institutions in understanding their Bank Secrecy Act (BSA) obligations regarding cyber-events and cyber-enabled crime.” FinCEN’s advisory also explained “how BSA reporting helps U.S. authorities combat cyber-events and cyber-enabled crime.”