Executive Vice President, Regulatory Operations
New York, NY
Good morning. It’s great to have this opportunity to be with you today to talk about anti-money laundering (AML), an area of significant regulatory focus both for the industry and regulators alike.
AML isn’t just a regulatory issue; it is a national security concern. AML is essential to ensuring the continued functioning of our financial system; and every firm, no matter the size, needs to get it right for the safety of our nation. Lapses in AML compliance can reverberate well beyond firms and their customers, with potentially devastating effects.
Criminals, terrorists, and drugs, weapons and human traffickers—that’s who benefit when we aren’t doing our best to combat money-laundering activity. As such, we all need to put our competitive instincts aside and work together—firms and regulators alike—so we can learn, adapt, and become better at detecting and preventing money laundering.
Working together and learning from each other will strengthen the security of our financial system and make our country safer and our financial system more secure.
For our part, FINRA has identified money laundering as one of the nine risks that inform our examination and surveillance programs. On January 18, we published a video on FINRA.org defining the nine risks and what staff looks for when assessing a firm’s risk. Our surveillance team is actively assessing each firm’s ability to mitigate money-laundering risk through quantitative and qualitative measures. We consider these assessments when determining the strategy for a firm’s examination, and if a review of a firm’s AML efforts is warranted, we have developed specific examination content to guide the examiners in their reviews.
In addition, in 2013, FINRA established the AML Investigative Unit to conduct examinations where highly complex or novel money-laundering and AML compliance program concerns exist. In addition to conducting examinations, these AML regulatory specialists provide technical assistance to other examiners and constantly pursue an expansion of knowledge and professional development in the AML arena. Our goal is to develop a greater understanding of firms’ business activities and risks before beginning an examination. We have found that this approach leads to better-informed examiners and higher-quality exams.
We also have a dedicated team that monitors rule filings, including FinCEN rules, to ensure examination policies and content are current.
FINRA receives both public and non-public intelligence from FinCEN, meeting with staff to discuss trends and issues, as appropriate. We also meet with the SEC on a quarterly basis and with the SIFMA AML Committee several times a year to discuss trends, as well as issues and areas of concern to the industry. The more educated both firms and regulators are about what each is seeing—FINRA in its exams, and you at your firms—the better off we will all be.
Still, the number of AML-related enforcement cases underscores the fact that we have more work to do. Last year, more than 350 examinations had an AML focus, with nearly a third resulting in an examination finding or informal action.
AML will remain a critical area of focus for both the industry and regulators, and as such, an area where we need to remain vigilant. Leveraging the information firms already collect to bolster AML compliance efforts and sharing our best practices are examples of how, through greater transparency, we can become smarter together.
Compliance is on the threshold of a seismic shift driven by “big data” and analytics and bolstered by robust technology solutions. These cutting-edge solutions are already helping regulators and compliance departments strengthen their compliance functions by improving risk-identification processes to foster an environment where emerging issues can be addressed quickly. The ability to intake large amounts of data and use that data to generate meaningful analytics has enabled firms to surveil like never before. In the AML space, providers are looking at how big data can be leveraged to uncover risks and track the flow of illicit funds across borders.
But even as the industry relies more on big data analytics for customer identification and suspicious activity identification, it’s important that firms continue to fuse their AML compliance programs with other compliance functions and not create siloes that can inhibit risk assessment and identification. For example, cybersecurity and senior investor protection are two examples of interrelated areas that should concern AML compliance staff.
More specifically, in the cybersecurity area, firms are required to report patterns of intrusion on their suspicious activity reports (SARs). So it’s essential that your cybersecurity staff remain in close contact with your AML staff. And in the senior space, firms should be monitoring for elder abuse and reporting instances of it on their SARs. As FINRA noted in our 2017 Regulatory and Examination Priorities Letter, we have observed an increase in the use of aggressive sales tactics by unregistered persons in pump-and-dump schemes targeting elderly investors. We continue to see such activity with microcap securities. There are a number of controls firms can implement to enhance protection for elderly clients from such financial exploitation. For example, firms can question a customer about inquiries to buy or sell penny stocks held outside the firm and can ask a customer about instructions to transfer funds to persons who may be tied in some way to the issuer. The key point is that firms must report instances of suspicious activity that involve elderly or vulnerable investors.
On another note, I know firms may be developing systems to comply with the new Customer Due Diligence, or CDD, rule that becomes effective in May 2018, requiring firms to collect and verify beneficial ownership information. I want to encourage you to leverage the information you might already collect and use for other purposes, such as complying with FINRA’s Know Your Customer and Suitability rules. Just as information that firms capture within their trade compliance systems for supervisory purposes may also be used for suspicious activity monitoring, customer-related information you already have may prove useful in creating a method to comply with this new rule.
Even as technology provides additional ways to enhance AML-related supervisory activities, data accuracy and integrity are crucial components to implementing a successful AML compliance program. We continue to see common violations related to suspicious activity reporting that are caused by bad data. For example, we see gaps in data fed into automated surveillance systems and exception reports, including firms’ failure to include a certain type of account or customer in a particular alert type. Automated data can be helpful in implementing an AML program, but data accuracy and integrity are crucial to the effectiveness of any automated system.
We also see that parameters of alerts or exceptions are not sufficiently risk based. For instance, the parameters on an exception report may be set at a level that captures so many false positives it is impossible to separate the meaningful data from the useless filler, essentially rendering the exception report useless.
In some cases, firms detect suspicious activity but fail to adequately investigate the activity. For example, analysts may rely on outdated or inaccurate information to close out alerts, fail to ascertain the business purpose of a wire transfer exhibiting “red flags,” or conduct an abbreviated review of potentially suspicious activity in an effort to get through a backlog of alerts. It is important that firms do not short cut their reviews.
Last year, FINRA censured and fined a firm $16.5 million for having significant deficiencies in its AML program, principally related to its inability to adequately surveil potentially suspicious trading and money movements. During a five-year period, the firm failed to adequately investigate suspicious trading involving microcap stocks and unregistered securities to determine whether SARs needed to be filed.
The firm also relied on a deficient automated surveillance system to monitor client activity using “scenarios” that the firm chose to implement. Unfortunately, the firm failed to effectively implement those scenarios, and failed to adequately review and investigate alerts generated by specified activity.
The firm also failed to conduct adequate due diligence on correspondent accounts of certain affiliates that were foreign financial institutions, and failed to conduct enhanced due diligence of correspondent accounts of certain foreign bank affiliates.
So we encourage firms to make sure they review and test on a regular basis the information they feed into automated systems. This includes assessing whether changes to your business models and risks would also require corresponding changes to the parameters and scenarios in your automated systems.
Another commonly cited area is a firm’s independent testing efforts. Put simply, we continue to see tests that are inadequate, such as tests reflecting a review of procedures, but not implementation of those procedures. A good independent test should include testing of your suspicious activity monitoring program. An independent test is a good time to be checking your systems to ensure they are working as you believe they should be.
In another case last year, FINRA censured and fined a firm nearly $6 million for failing to implement an AML program specially tailored to its business. The firm’s business was based in Puerto Rico and served clientele primarily in jurisdictions of heightened AML concern. The firm failed to implement an adequate surveillance program and relied principally on a manual system of review. Given the firm’s volume of business, which involved processing more than $50 billion worth of securities during the review period, this manual review was insufficient.
The firm also delegated certain functions to a banking affiliate but failed to ensure a common understanding of the tasks to be delegated. And finally, to further complicate matters, because the firm didn’t have an adequate independent test, some of these tasks were not performed for some time.
To a lesser degree, we see violations of other BSA implementing regulations such as CIP, or customer identification program, as well as Section 314(a) of the Patriot Act, which requires firms to regularly conduct searches of their customers and others with whom they have conducted transactions.
Specifically, we cited firms for failing to conduct CIP in some cases where the firm didn’t realize that it had customers under the meaning of the CIP rule. Even if your firm is involved in non-traditional brokerage business such as private placements, you may have customers subject to the CIP rule.
In 2016, FINRA fined a firm and its affiliated introducing firm $17 million for their failure to maintain an adequate customer identification program, among other things.
The firm experienced exponential growth between 2006 and 2014 both in the number of registered representatives it employed and the number of transactions it executed and cleared. Despite this growth, the firm failed to dedicate resources with reasonable AML compliance systems and procedures experience. As a result, the firm failed to maintain an adequate CIP program, and failed to conduct required and enhanced due diligence and periodic risk reviews for foreign financial institutions. FINRA also cited the firm for its failure to have a suspicious activity monitoring program tailored to its business, which included high-risk activity such as microcap transactions.
We still see—although not as much as we used to—suspicious activity programs that are not tailored to the risks of the firm. In other words, if a firm takes on a new business line or opens a new branch office in a high-risk jurisdiction or begins selling a new product, the firm must make sure its suspicious activity monitoring program reflects those new risks of the business.
This includes microcap securities. The main point is: If you’re doing a high-risk business, no matter what percentage of your overall business it entails, make sure your AML covers it. For example, in 2015, FINRA fined a firm $6 million and ordered disgorgement of $1.3 million in commissions for selling more than 73 billion shares of microcap securities without conducting adequate due diligence. Our investigation found that the firm expanded its microcap business and gradually worked to expand its microcap business by developing seven high-risk customers.
However, the firm failed to supplement and update its procedures to account for the additional risks this new business line posed to the firm, and the firm missed several red flags, including repeated deliveries of large volumes of recently issued, thinly traded securities, followed by the immediate liquidation of the securities and the wiring out of the proceeds.
So if your firm chooses to enter new business lines, you must have processes in place to identify suspicious trading activity and properly train the principals and staff on what their responsibilities are.
Before I close, I want to underscore FINRA’s commitment to provide more guidance to firms and encourage the industry to provide specific feedback about the areas more guidance is needed. This year, we are contemplating various ways where we can provide more transparency around findings from our regulatory programs so that firms can learn from what we are seeing in practice.
And we are also identifying additional compliance tools and resources that we can provide to smaller firms. In the AML space, we are revising the Small Firm AML template to reflect the regulatory changes that have occurred since we last updated the template. In addition to the template, we are developing additional guidance on independent tests as well as updated red flags of suspicious activity.
Our goal is to be more transparent and to engage with the industry in order to draw on your expertise and knowledge and use these to enrich our regulatory programs. Again, I encourage you to let us know where we can provide more guidance and where we can work closer when it comes to AML.
Returning to one of the points I made at the beginning of my remarks: Working together and learning from each other will strengthen the security of our financial system. The approach to the issue of senior investors is a great example of how this kind of collaboration can enhance the regulatory environment. For example, in 2015, FINRA and the SEC published a report to help broker-dealers assess their policies and procedures related to senior investors. The report included observations and practices that focused on how firms conduct business with senior investors. We followed up that report with a senior investors conference, co-sponsored with SIFMA, last October to share best practices.
And our Senior Helpline is another tool that has had benefits for the industry and regulators. Specifically, the helpline has helped firms become better informed about their clients, and put them in a better position to address issues that have come to FINRA’s attention. It has also highlighted issues firms confront when serving older investors—particularly those with diminished capacity. And in response, FINRA has proposed rules that would give added protection to senior investors.
The point is, sharing practices between and among regulators and firms and working together to enhance AML practices is the right approach for the industry.
We are committed to helping firms build strong compliance programs, particularly because we recognize that a strong AML program is a significant crime-fighting tool.
Thanks for listening.