SEC Division of Examination issues Risk Alert on AML for Broker-dealers



Before discussing those specific observations, the Division would like to highlight two other, more general staff observations about registrants’ AML programs.


Some registrants did not appear to devote sufficient resources, including staffing, to AML compliance given the volume and risks of their business.

This issue can be exacerbated in the current environment of new and increasing sanctions imposed by the Office of Foreign Assets Control (OFAC) against individuals and entities, particularly where the same firm personnel perform both AML and sanctions compliance functions.

Second, the staff observed

  • policies and procedures that can be reasonably expected to detect and cause the reporting
    of transactions under 31 U.S.C. § 5318(g) and the implementing regulations thereunder;
  • the designation of an AML compliance officer responsible for implementing and
    monitoring the operations and internal controls of the program (including notification to
  • ongoing employee AML training
  • an independent test of the firm’s AML program, annually for most firms appropriate risk-based procedures for conducting ongoing CDD.
  • understand the nature and purpose of customer relationships to be able to develop a risk profile, and
  • conduct ongoing monitoring to identify and report suspicious transactions as well as maintain and update customer information, including beneficial ownership information for legal entity customers.

Information gathered as part of CDD should also be used for compliance with OFAC regulations. With respect to beneficial ownership information for legal entity customers, brokerdealers are reminded that Rule 17a8 under the Securities Exchange Act of 1934 requires compliance with the reporting, recordkeeping, and record retention requirements of the BSA—including the recordkeeping obligations set forth in the CDD Rule.

Regarding the independent testing requirement, the staff observed:

  • Broker-dealers that did not conduct testing in a timely manner or could not demonstrate (for example, by a report or other documentation) that they
    conducted such testing.
  • Independent tests that appeared ineffective because: they did not cover aspects of the firm’s business or AML program; the personnel conducting the testing was not independent or did not have the appropriate level of knowledge of the requirements of the BSA; or the testing was conducted under requirements not applicable to the securities industry.
  • In other instances, the firm was unable to demonstrate, via documentation or otherwise, that the independent testing adequately tested the firm’s compliance with its AML program.
  • Broker-dealers that did not timely address, or have procedures for addressing, issues identified by independent testing.
  • Training materials that were not updated based on changes in the law (e.g., the adoption of the CDD Rule) or tailored to the risks, typologies, products and services, and business activities of the broker-dealer (e.g., training materials focused on bank AML requirements).
  • Broker-dealers that could not demonstrate that all appropriate personnel attended the firms’ ongoing training or did not establish a process for following up with personnel who did not attend required training.
  • Obtaining the minimum specified customer identifying information from each customer
    prior to account opening;
  • Verifying the identity of each customer, to the extent reasonable and practicable, within a
    reasonable time before or after account opening—and,
  • in circumstances in which the firm cannot verify a customer’s identity, implementing follow-on procedures describing: when 
    the firm should not open an account for the customer;
  • the terms under which a customer may conduct transactions while the firm attempts to verify the customer’s identity; when
  • the firm should close an account after attempts to verify a customer’s identity fail; and when the firm should file a Suspicious Activity Report; and

The procedures of the CIP must enable the broker-dealer to form a reasonable belief that it knows the true identity of each customer and be based on the broker-dealer’s assessment of the relevant risks, including risks involved in the types of accounts and methods of opening accounts, types of identifying information available, and a broker-dealer’s size, location, and customer base. The rule permits the use of documentary or non-documentary methods, or a combination of both, to verify a customer’s identity. The staff observed broker-dealers whose CIPs appeared not to be properly designed to enable the firm to form a reasonable belief that it knows the true identity of customers. For example, the staff observed registrants that did not:

Perform any CIP procedures as to investors in a private placement, where customer relationships established with the registrant to effect securities transactions appeared to be formal relationships for purposes of the CIP Rule.

Collect customers’ dates of birth, identification numbers, or addresses, or permitted accounts to be opened by individuals providing only a P.O. box address.

Verify the identity of customers, including instances in which the firms’ files indicated that verification was complete but required information was missing, incomplete, or invalid.

Use exception reports to alert the firm when a customer’s identity is not adequatelyerified in accordance with the CIP Rule, even though such use would be appropriate given the size and nature of the firm’s business.

La Meer Inc.’s GRACE AML system is a single unified system for AML life cycle management with Policies and Procedures management, risk assessments, AML compliance monitoring, attestation, training. For each client GRACE helps collect client information conduct pep, sanctions list verification for various client types, conduct KYC,CDD and record finding and supporting documents, provides account opening functions, and bring in information for sanctions information, beneficiary ownership and adverse media on an initial and periodic basis.

It provides interfaces for money movement and trading transactions to be bought into the system with automated red flagging based transaction monitoring based on configurable business rules, reports and graphical analysis

With easy issues recording and management, keeping track of notes and automated risk scoring for each customer, GRACE provides an easy workflow for management of client AML and provides an online dashboard of clients and their AML risk profiles for easy management of Anti-money laundering obligations