AML Testing: Unlock the Power of Outsourcing

The financial and reputational cost of an inadequate AML program can be high, and regulators have not been shy about sharing disclosures, fines and suspensions related to poorly run AML programs.

FINRA’s 2023 priorities note the following common findings:

• Failure to conduct initial and ongoing risk-based customer due diligence in order to understand the nature and purpose of customer relationships in order to develop a customer risk profile
• Failure to establish and implement written AML procedures that can reasonably be expected to detect, and allow for, the reporting of suspicious activity
• Failure to notify the AML department of events that may require SAR reporting, including cybersecurity events, account compromise/takeover and fraudulent wire or ACH activity
• Failure to timely review and respond to FinCEN information requests
• Failure to conduct adequate independent testing, including testing critical aspects of the program where firms have taken on new products, services or customers

Regularly reviewing and updating your firm’s written AML policies, procedures and controls is vital to reducing the exposure your firm has to these potential penalties. Testing your Customer Identification Program as well as your trade and activity surveillance systems should occur in conjunction with any AML program changes to ensure processes are occurring as defined in policies and procedures.

What’s Required?

The Bank Secrecy Act (“BSA”) requires financial institutions, including all broker-dealers, to develop and implement AML compliance programs, which are also governed by FINRA’s Rule 3310.  Rule 3310 spells out the minimum requirements of an AML program and notes that the program (and subsequent changes) must be approved in writing by a member of senior management.  AML programs should be reviewed annually to ensure they are up to date with any changes to rules and requirements.

One of the minimum requirements of an AML program is that it be independently tested annually.  A firm may test its own program (with qualified personnel independent of the staff that oversees and enforces the program) or outsource the testing to a qualified third party.  An exception to annual testing is for firms who do not hold customer accounts or execute customer transactions or act as an introducing broker for customers.  In these cases, independent testing is required every two years.

The most common areas tested during an annual review include:

• Results from prior testing and remediation efforts, where applicable
• Customer Identification Program (“CIP”)
• Beneficial Ownership of Legal Entity Accounts
• Office of Foreign Assets Control (“OFAC”)
• Enhanced Due Diligence (“EDD”)
• BSA Compliance
• Financial Crimes Enforcement Network (“FinCEN”) Information Requests and Sharing
• Suspicious Activity Monitoring and Reporting (“SARs”)
• AML Training
  
  

Consider Outsourcing Your AML Testing

As firms plan for their annual testing, the benefits of outsourcing should be considered. Does your firm have a qualified internal, independent employee with the necessary AML expertise and capacity to devote to an AML review?

While your firm may have the requisite expertise to conduct AML testing, not all firms have the capacity or independence to call upon internal resources who are already engaged in performing day-to-day responsibilities. Outsourcing your AML testing can provide a fresh perspective on AML rules and processes that your firm may not have considered.  An outside perspective can also help identify inefficiencies and potential cost savings.

From self-clearing firms to firms that specialize in private placements, Oyster consultants have experience with clients of all sizes and complexities.  Oyster brings to each of its testing engagements not only the required independence, but the experience and expertise of its consultants.