On July 31, 2023, the United States Securities and Exchange Commission (“SEC”) published an alert outlining deficiencies the Department of Examinations has observed in broker-dealers’ (“BD”) compliance with anti-money laundering (“AML”) and countering terrorism financing (“CTF”) requirements. While the alert addresses overarching compliance requirements for BDs, it focuses on deficiencies the Department of Examinations has observed with regard to independent testing of BDs’ AML programs, personnel training and identification and verification of customers and their beneficial owners.
The alert makes two over-arching observations. First, BDs “did not appear to devote sufficient resources, including staffing, to AML compliance given the volume and risks of their business.” Second, the “effectiveness of policies, procedures, and internal controls was reduced when firms did not implement those measures consistently.” Emphasizing the key elements of an adequate AML program BDs must implement, the Alert then shifts its focus to independent testing and training and customer identification and customer due diligence.
As to the independent testing requirement, Enforcement staff observed numerous inadequacies among BDs. For instance, some BDs failed to conduct any program testing at all or failed to do so on a consistent and timely basis. When such testing did occur, Enforcement has found it could often be inadequate because it did not sufficiently account for the BD’s specific business. In other instances, testing was not conducted independent personnel or individuals with adequate experience or training. Furthermore, in some cases, when testing did identify issues with the compliance program, the BDs failed to take steps to address or remedy those issues.
Next, Enforcement staff observed that BDs often failed to update training materials or tailor them to any particular risks their specific business line presents. Nor could BDs consistently demonstrate that all appropriate personnel received ongoing training.
As to customer identification issues, the Alert reminds BDs that they must maintain a customer identification program (“CIP”) “appropriate for its size and business” that includes: obtaining customer identifying information from each customer prior to account opening; verifying the identity of each customer; and maintaining records of information obtained under the CIP policies. Overall, “[t]he procedures of the CIP must enable to broker-dealer to form a reasonable belief that it knows the true identity of each customer and be based on the broker-dealer’s assessment of the relevant risks, including risks involved in the types of accounts and methods of opening accounts, types of identifying information available, and a broker-dealer’s size, location, and customer base.” Enforcement staff observed numerous failures to meet these obligations.
Overall, “staff observed broker-dealers whose CIPs appears not to be properly designed to enable the firm to form a reasonable belief that it knows the true identity of customers.” In some cases, BD’s failed to perform any CIP procedures in connection with private placements. In others, BDs failed to collect relevant customer identifying information, including dates of birth and addresses. In others still, BDs failed to verify customer identification even when the firm’s files indicated verification occurred. Finally, BDs often failed to follow their own CIP procedures, including reviewing and documenting the resolution of discrepancies in customer information.
Onboarding deficiencies were not limited to individual customers. Noting that the 2016 CDD Rule requires BDs’ AML policies to be “reasonably designed to identify and verify the identity of beneficial owners of legal entity customers,” “[t]he staff observed broker-dealers that had not updated their AML programs and, as appropriate, new account forms and procedures to account for the adoption of the CDD Rules. Specifically, Enforcement staff observed procedures allowing an entity to be listed as a beneficial owner of an entity customer; the opening of new accounts for entity customers without identifying its beneficial owners; and failures to obtain appropriate documentation.
Finally, and consistent with U.S. regulators’ current laser focus on potential sanctions violations, the alert states that Examination staff “observed certain weaknesses in OFAC compliance programs, including instances in which entities did not adopt or implement reasonable, risk-based internal controls for (1) following-up on potential matches with the sanctions lists and documenting the outcome of such follow-up; (2) performing periodic or event-based screening of existing clients or customers based on, among other things, changes in ownership or to the sanctions lists; and (3) conducting OFAC searches in a timely manner (or documenting that such searches were completed).”
The 2021 Alert and Subsequent Enforcement Cases
Thematically, the alert echoes the SEC’s previously expressed concerns that broker-dealers generally failed to develop and implement AML programs specifically tailored to their specific business and customers. On March 29, 2021, the SEC published an alert (the “2021 Alert”) observing significant deficiencies in BDs’ suspicious activity monitoring and reporting. Like the Alert, the 2021 alert identified numerous deficiencies arising from BDs’ failures to appropriately tailor their AML programs. The 2021 alert was soon followed by enforcement actions against BDs for suspicious activity monitoring and reporting failures, including (1) a May 12, 2021 action against a BD for allegedly failing to file Suspicious Activity Reports (“SARs”) (primarily on “account takeovers” by cyber criminals), which resulted in a $1,500,000 penalty and a cease and desist order; (2) a May 20, 2022 action against a large BD for an alleged failure to file at least 34 SARs, which was settled for $7,000,000; and (3) a March 2, 2023 action against a BD for an alleged failure to file SARs that resulted in a cease and desist order, a censure and a $100,000 penalty.
Of course, AML compliance has been a top SEC enforcement priority for years. In setting forth its 2023 enforcement priorities, the SEC stated:
The Division will continue to prioritize examinations of broker-dealers and certain registered investment companies for compliance with their AML obligations in order to assess, among other things, whether firms have established appropriate customer identification programs and whether they are satisfying their SAR filing obligations, conducting ongoing due diligence on customers, complying with beneficial ownership requirements, and conducting robust and timely independent tests of their AML programs.
With the Alert, the SEC has put BDs on notice that testing, training and customer onboarding will remain among its key focuses.