By Ed Wegener, Sarah Sutton and Bill ReillySubscribe to our original industry insights
AML Regulatory Expectations in 2022
The recent press attention and the increased use of sanctions as policy are additional drivers to this focus on AML. In today’s podcast, our experts share their thoughts on FINRA’s 2022 expectations around AML, as well as challenges and best practices they have seen with our clients.
Transcript provided by Temi
Libby Hall: Hi, and welcome to the Oyster Stew podcast. I’m Libby Hall, Director of Communications at Oyster Consulting. FINRA has again named AML or anti-money laundering as a priority in its 2022 examination and risk monitoring program report. The recent press attention and the increased use of sanctions as policy are additional drivers to this focus on AML. In today’s podcast, our experts share their thoughts on FINRA’s 2022 expectations around AML, as well as challenges and best practices they have seen with our clients. With me today, are Ed Wegner, manager of Oyster’s Governance, Risk and Compliance team and consultants, Sarah Sutton and Bill Reilly. Let’s get started. Sarah?
Sarah Sutton: Thank you, Libby. I’d like to introduce you to two Oyster Consulting employees. First, we have Ed Wegener, who is a Managing Director and is head of Governance, Risk and Compliance. And we also have Bill Reilly, who is an Associate Director, and he has been with the firm for a little over 10 years. So what we’d like to do today is talk about the ongoing concerns with AML, for our existing clients and focus on what the regulators are looking at and go over some things that will hopefully be helpful to you. One of the things that we’ve heard a lot about in the past few months has been the sanctions on individuals and businesses connected to Russia, the ongoing conflict in that area of the world. It’s caused us to take a look at several different things from a cyber security standpoint, from an AML standpoint, from an investment standpoint, as well, with the connection to Russia and the companies and/or the individuals and businesses that are associated with that area of the world. So one of the things that we want to talk about today is that FINRA has recently issued its report on its exam and risk monitoring program for 2022. One of the key areas the regulators are looking at are things that we want to discuss today. Ed, my first question to you, the topic that we want to cover is that FINRA has just issued its report on its exam and risk monitoring program for 2022. In this program, it identified AML as a continued area of focus. What are some of the key things they identified?
Ed Wegener: Thanks, Sarah. AML continues to be a focus area for regulators, and there’s a number of drivers behind this, including recent press attention from things such as the Panama papers, the paradise papers, and the increased use of sanctions for policy purposes, an example of which are the recent sanctions related to Russia’s invasion of Ukraine. So FINRA outlined a couple of key expectations that they’ll be looking for on their examinations in 2022. The first of which is that they want to make sure that AML programs not only assess the key components like CIP customer due diligence, suspicious activities, et cetera, but that they also keep up with changes at the firm – changes to the firm’s business, changes to the external environment and changes to the firm’s AML risk profile. They want to make sure that firms are conducting robust reviews for suspicious activities. And this includes transactions conducted by, at or through the firm.
Even if those transactions don’t originate with the firm’s customers, they want to make sure that your firm has appropriately designed procedures to identify and to respond to known indicators for suspicious activity involving low price securities and they reference regulatory notices 1918 and 2103. So take a look at those and make sure that your programs assess the issues that are identified in those regulatory notices. They want to make sure that robust, independent AML tests are done of the firm’s policies, procedures, systems, and controls, and they want to make sure that firms have a robust system for collecting identifying information as part of their CIP programs, which includes collecting information and verifying the identity of individuals and entities under the CIP rule. And that includes collecting required information related to beneficial owners of legal entities under the CDD rule. This is a relatively new rule, and they’re going to want to make sure that firms are collecting the beneficial owner information for beneficial owners that own 25% or more of a legal entity and one identified control person. And then finally, the thing I’d highlight is they want to make sure that you’re reviewing your automated surveillance systems that are designed to look for suspicious activity, and they want to make sure that you are testing those systems to make sure that they’re working as intended.
So as a follow up, what would you recommend to a client or a firm that has in the past had an individual that was doing the review of the firm’s AML requirements. And if they’ve been the ones doing this testing, what would be your recommendation for them going forward?
Ed Wegener: If a firm had somebody who is not independent?
Sarah Sutton: Right. If they’ve basically been using their AML officer to do their AML testing.
Ed Wegener: Sure. Well, if there’s a situation where you find that your tests were being conducted by somebody who wasn’t independent, I think the first thing I would do is to make sure that all the tests going forward are conducted by somebody that’s independent. Given the fact that the previous testing was done by somebody who wasn’t independent, I might want to consider taking a look back at those tests and make sure that some sort of testing is done in those periods, just to make sure that something wasn’t missed as a result of the fact that the tests were done by somebody who wasn’t independent.
Sarah Sutton: Thank you, Ed. Bill, during your time at Oyster, you conducted an AML independent test for many of our clients. What are some effective practices and challenges that you commonly see?
Bill Reilly: I guess the best way to start this is just indicate that there’s a wide array of issues that we look at while when we conduct AML reviews. And as Ed said, importantly, part of it is to make sure that the person conducting it is independent, but I’ve actually taken a look at some of the more recent examinations that we’ve done and come up with a handful. I think the first one and one of the more important issues is a fact that firms may not have controls in place to be able to monitor examination, priority letters and regulatory notices and other issues that are issued by regulators. It’s very important to stay on top of those issues, to make sure that you remain current in the AML world. And I think the second part of that is when you avail yourselves of staying on top of these issues, you then need to look at the issues and priorities and so forth to determine which of those are applicable to your firm.
No one firm is the same – different policies, different procedures. So once you make the determination as to what those priorities and notices are applicable, what you need to do as quickly as possible iis adopt those policies and procedures, into your policies and procedures and manual. Make sure that your investment advisor representatives are aware and actually begin implementation of that as part of the whole AML program. I think the other thing that’s also important is that firms need to have meaningful policies and procedures. And one thing that I think some firms may lack are definitions. Let me give an example of that. A lot of firms indicate they don’t have high risk client accounts, but one thing that they don’t do is they don’t provide a definition of what a high risk client is. And in my discussions with firms, I’ll sit down with them and have the discussion. If you don’t have a definition, then how are your first line of defense, and what I’m talking about here is your registered representatives and investment advisor representatives, how are they able to determine when an account is opened, whether it’s high risk? So one of the things that we tell them, you’ve got to have certain definitions in place in order to make sure that all people in compliance, supervision and sales have good understanding in this situation, what a high definition, what a high risk client is. I think another thing that’s also important is that what happens is firms change business models all the time. Okay. So it’s important that when you change your business model, that you make applicable changes. As I mentioned before, one of the things that’s critical is the involvement of technology. As you make technological enhancements, to be able to address, monitor and review this new activity.
Let’s talk for a second about SARS. The rules require that a SAR be filed within 30 days of the detection of activity that will lead to the filing of a SAR. I think there’s a lot of confusion on this part of the regulation and the firms will say, my 30 days starts the day that exception is printed out or provided. Other firms will say that it’s the day that I file the SAR. So I think it’s very important for firms to make determinations and have policy in place that will allow them to ensure that they meet the 30 day filing requirement. I think another big area that we also find is – has the firm identified all red flags. If you don’t identify a red flag, then it’s very difficult, if not impossible, to track it for exceptions, to investigate it properly, and make some sort of resolution.
One of the things that I also tell clients is key in any of these processes that I’ve talked about and these are three words that I generally repeat almost verbatim document, document, document. As Ed mentioned before, regulators have a high priority for AML. And in any situation and any type of review or investigation, you need to document why you filed the SAR. That’s imperative. You would be able to do that, but also more importantly, document why the firm elected not to file the SAR. It’s very important to document and also maintain those records, because one day the regulators will make a visit to your firm and want that documentation to be produced.
Thank you, Bill. So, key takeaway – document, document, document. Well, Bill, thank you for going through that. One thing that FINRA pointed out in its exam and risk monitoring report is the effective practice of conducting AML risk assessments. Bill, can you describe what that might look like for a client?
Bill Reilly: Thank you, Sarah. Yeah, I think it’s very important for firms to realize from a regulatory standpoint and especially now with resources and so forth, and also dealing with the pandemic for the last couple years, resources are very tight. So regulators have adopted their risk-based approach to their examination program. And like you said, at the same time, there’s an expectation that firms will also create a risk based approach to the overall activity at their firm and one other particular area of prime importance, the anti-money laundering program. So I think it’s also important to indicate that whether you’re dealing in AML or any other facet with a client from a consultant viewpoint, the process is collaborative. It’s a situation where you are dealing with the firm, working with a number of people and coming up with a product that reflects the true attributes of their program.
And you can sit down at, at the end of their review with the various parties at the firm, discuss it, have the firm understand what your issues are and so forth. There are typically a number of issues as we talked before, when you’re setting up programs and so forth, there’s a wide array and I did touch on a couple areas the same for the risk assessment. A couple areas that I would like to talk about include different types of customers, depending upon some of these attributes of clients will determine, what the appropriate risk to the firm is. So some of the things we look at when we’re looking at customer types, are we talking US residents? Are we talking entities? Ed talked for a few minutes about the entity. We’re talking businesses, trust foundations with known and unknown beneficial owners. And also just as important who are the individuals that are able to act on behalf of those entities? Another area that we look at, and is very important to include in a risk assessment, foreign nationals. As I talked about before, when a firm changes its policy to allow foreign national, foreign accounts, the risk assessment program also needs to be adjusted. And one other item that adds significantly to the risk of a firm is dealing with foreign financial institutions.
Another area that I also think that needs to be included in a risk assessment are the channels. And what I mean by that are the channels by which accounts are opened. Are accounts opened in person? With the pandemic over the last couple of years, opening accounts sitting across from your registered rep or investment advisor rep is a little more difficult. Sometimes those meetings have been held through Zoom or Microsoft teams or other social media. So that’s also very important. Are accounts opened online okay when we don’t have any face-to-face interaction or action between individuals, either the client and or a representative of the firm. Also when we’re talking about transactions that are occurring for those accounts that have been open, are these accounts solicited or unsolicited makes a big difference when you’re looking at assigning risk to your risk assessment program.
One other area that we look at – products. One of the things that Ed talked about just a few minutes ago was low price, thinly traded securities in a situation where some of these securities may be sold within certain accounts. The client makes a determination. They don’t care whether they make money or lose money. That’s not the point of establishing the account if you’re involved in the money laundering area. So looking at these kind of products are especially important. And one other area that is a big area only becoming bigger in the next couple years are a cryptocurrency. You know, this is a relatively new area emerging area, and will drive up the risk of your compliance program, and so forth, tremendously. Let’s talk for a minute about jurisdiction, one of the issues that’s very important. And I talked about this just a few minutes ago, where we’re talking about US residents, foreign residents. Where are your clients based?
Are they based in middle America? Are they based in Europe? Are they based in South America? Are they based in a country where the financial business aspects of that country are not as safe and secure as they would be here in the United States? So very important to determine where your clients live when you’re opening accounts. And again, this would also drive up the risk assessment for your program. I think the last thing I’d like to talk about when we’re dealing with a risk assessment program is a scoring mechanism, As with any type of program there’s high risk, there’s low risk, there’s medium risk. And also you may see a situation where a risk program has a risk ranking of one to five, one being the lowest risk, five being the highest risk. So whether you look at it as being high, medium, low, whether it’s a risk of one to five, it doesn’t matter how you do that. What’s important is categorizing each risk from a low to high, from a low to high or on a one to five scale to determine the amount of attention that the firm will need to pay to that aspect of their business. And the last thing I’d like to say about risk assessments, just like any other aspect of your business, they are fluid. It is not a stagnant document and that the risk assessment should be updated when necessary.
Sarah Sutton: Can you discuss how a firm can go in and do that?
Ed Wegener: Sure, Sarah. It’s important to make sure that you’re regularly reviewing your surveillance system to make sure that these systems are highlighting the appropriate red flags, to make sure that they’re working as intended, and that the data that’s being used is accurate. I’d start by taking a look at the common red flags and typologies that regulators have identified and make sure that if they’re applicable to your firm, that you have an alert that is designed to highlight when those red flags exist. So FINRA, Fincen, FATF, they’ve all put out lists of red flags and typologies that should be considered. Clearly FINRA put out lists that are specifically geared towards broker dealers. But it’s important to understand those activities that Fincen and fatfF have identified as well to the extent that they’re applicable to your firm. So, when I conduct AML testing, one of the things that I do is I go through an exercise where I try to map each of the red flags that the regulators have identified that are applicable to the firm to a corresponding alert.
Ed Wegener: If there isn’t a corresponding alert, I assess whether there’s a gap that needs to be filled. And then for each alert, I also conduct testing to make sure that the underlying data that’s being used is accurate. You can assess whether you’re receiving too many false positives or not enough alerts. If you notice either one, it should be an indicator that the alert needs to be assessed and potentially tuned. As important as having the alerts are, it’s just as important that you’re following up appropriately. When I was at FINRA we would often see cases where alerts weren’t adequately followed up on by the analysts that were responsible for following up on the alerts. So we would see cases where we would look at what the follow up was and how it was documented. And it would look as though, the alerts were just rubber stamped with a brief explanation about why it was okay. It’s really important to make sure that the assessments, the follow up, and the documentation be adequate and regulators are looking to make sure that there’s adequate follow up on alerts when they happen. And that an assessment is done as to whether a SAR report is necessary.
Sarah Sutton: Thank you, Ed. Thank you, Bill. A lot of really good information today in regards to AML and what firms can do to assess their level of risk areas that they need to focus on and, maybe, dive into update policies and procedures. And just make sure that you’re following the regulatory guidelines that are provided through FINRA’s exam and risk monitoring program, as well as just staying up to date with specific guidelines regulators are recommending and/or discussing not just from FINRA, but from the SEC and from other government agencies as well. I’d like to thank you both for joining us today. And we look forward to talking about AML topics more in the future.
Libby Hall: Thanks everyone for listening. If you’d like to learn more about our experts and how Oyster can help your firm, visit our website at oysterllc.com. And if you like what you heard today, follow us on whatever platform you listen to and give us a review. Reviews make it easier for people to find us. Have a great day.
Subscribe to our original industry insights
"*" indicates required fields