By Ed Wegener, Frank Childress, Bill Reilly, Mark Norman and Mary Catherine Wilck-PondSubscribe to our original industry insights
Unmask the Risks: Protect Your Firm Against Financial Crimes
Many leaders at broker-dealers have a strong belief that there is no money laundering or manipulative trading occurring within their firm. Unfortunately, belief alone isn’t enough to satisfy the requirements and expectations of regulators. As part of our podcast series talking about FINRA’s 2023 Examination and Risk Monitoring Program report, today our experts dive into the Financial Crimes portion of the report around AML and manipulative trading.
Transcript by TEMI
Libby Hall: Hi, and welcome to the Oyster Stew Podcast. I’m Libby Hall, Director of Communications for Oyster Consulting. As part of our podcast series about FINRA’s 2023 exam priorities, today, our experts dive into the financial crimes portion of the report, in particular, AML and manipulative trading. With me today are some of Oyster’s Governance, Risk and Compliance experts. Mary Catherine Wilck-Pond, Frank Childress, Mark Norman, Bill Riley, and Ed Wegner. You can find more information on our experts and on our services by visiting our website at oysterllc.com. Ed will be leading our discussion today. So, let’s get started. Ed,
Ed Wegener: Well, hello everyone. I am Ed Wegner, and I am head of Governance Risk and Compliance at Oyster Consulting. Today we wanted to follow up on our earlier discussion regarding FINRA’s 2023, examine risk monitoring report to do a deeper dive into the financial crimes portion of the report. And I’m very fortunate to have with me Mary Catherine Wilck-Pond, Frank Childress, Mark Norman, and Bill Riley joining me today to provide their perspective on these priority areas. So thank you all for joining me today. FINRA recently created their national cause in financial crimes and detection program and member supervision. And so I think that highlighting a section about financial crime seems to align with the work of this group. So the report highlighted cybersecurity, AML, and manipulative trading under this section. We’re going to talk about cybersecurity in more detail in later podcasts.
But today we wanted to focus on AML and manipulative training. And these are two areas that are very much connected and both areas that FINRA has been focused on for some time. So why don’t we start off by talking about AML. One of the things that FINRA has highlighted is the need to ensure that a firm’s AML programs are tailored to a firm’s business and kept up to date. So, Mary Catherine, why don’t you start with what you feel FINRA is really focusing on with respect to tailoring AML programs and keeping them up to date, and others feel free to add your perspectives as well.
Mary Catherine Wilck-Pond: Okay, thanks, Ed. In their 2023 report, FINRA emphasizes the need for firms to tailor their AML programs to address the AML risks associated with the firm’s customers, their geographic locations, and the products and services offered by the firm. Firms need to ensure that existing and new business and product lines and customers are incorporated into the firm’s program document by regular reviews and updates as needed. This is especially important if a firm is considering expanding by the acquisition of another firm, or even by onboarding new advisors with existing customers, or if the firm is considering offering new products or services. It’s also important for the AML compliance officer to keep up to date on publications from the SEC, FINRA and other regulatory bodies to ensure necessary changes are made to the AML program based on regulatory guidance and rule changes.
Finally, firms should create written AML risk assessments as an accompaniment to their AML program document. The risk assessment should be also reviewed regularly and updated as necessary to account for changes to customers, locations, products and services, or in the event the firm has findings based on internal, annual, independent or regulatory testing or reviews. And two key points to me with this past offender’s report are one)while FINRA has made available their AML program template document on their website, they consider it to be a guide, not a document that firms should use in lieu of their own program document. FINRA actually notes in the document itself that it is a helpful starting point. And then secondly, FINRA notes that an effective practice is for firms to conduct formal written AML assessments. That’s it.
Ed Wegener: Thanks Mary Catherine. Really appreciate that. You know, the one piece that that they seem to emphasize there, and you had mentioned it, is the expectation that firms are doing a risk assessment. FINRA is looking for the AML programs to be risk-based. And an important part of that is identifying what risks are associated with the firm’s business from an AML perspective. So doing those risk assessments is important. One of those risk areas for firms is identity theft, and I know that’s something that they had mentioned in the report. So, Mark, what did FINRA believe firms should be focusing on with regard to identity theft?
Mark Norman: Yeah. With regard to identity theft, it’s really <laugh> not a matter of if, it’s when. I mean, everybody that I know at least has had their credit card hacked, your information is out there on the dark web. Somebody, a determined criminal, can find out anything and everything they want to know about Mark Norman. They could probably find my social security number, address, et cetera, and try and open an account in my name. And you do something with that. The identity theft red flags rule, says that every firm has to have policies and procedures designed to prevent that. And there’s actually guidelines out there. There’s templates out there, small firm templates. Just like everything else FINRA does, they give you a guide.
And just like MC said, tailor that guide to your firm and how your firm works. A firm that opens accounts online through an app is going to be substantially different than a traditional retail firm with a brick-and-mortar store where everybody opens an account in person and actually shows your id, and you meet that person. It’s your neighbor, it’s your friend, that you’ve known for a long time. So, your plan needs to be tailored to how your firm’s going to operate. The SEC knows that there are four main areas, that firms would want to cover, including identifying red flags, detecting the red flags, having appropriate responses to the red flags that you identify, and then, of course, updating your ID theft program as your firm evolves, as your business evolves, and as criminals find new ways to try and steal our identity, incorporate those new things into your program. I would say another key element is to, to train your people. Your people in your back office and your AML staff probably have a really good understanding of all this. It’s the people that are out in the branches, that are out in the field, that need to be aware of all these creative and inventive ways that people are trying to steal people’s identities.
Ed Wegener: Now that makes a lot of sense, Mark. And clearly, to the extent that you identify any red flags related to identity theft, it’s one of those items that you need to be considering as suspicious activity, which is another area that FINRA identified in their priorities report in terms of expectations around suspicious activity, monitoring and reporting. Bill, as firms look at their AML programs and think about suspicious activity monitoring and determinations of when to report, what should they be reviewing when assessing this aspect of the program?
Bill Reilly: Thank you, Ed. One of the things as I was preparing for this podcast, look back on, is that every firm and individuals within the firm that have certain responsibilities, and in this case we’re dealing with AML. It is absolutely imperative that they’re aware of what the obligations are. And when those obligations are not met, there are some sort of repercussions to be paid. And in this situation, it could be anything from sanctions against the firm to reputational types of problems and so forth. So, one of the ways to really prevent that as you’ve indicated, is through suspicious activity reports. There’s a whole process that goes along with establishing these, the review of suspicious activity, everything from designing a program that can identify red flags.
We’ve talked a lot about red flags and we’ll talk a lot more about red flags, but I think one of the things when you’re designing your program, the question is, are you using a manual system, a blotter system, something like that, or are you using some form of extensive technology to assist you with the process. I think what you’re going to find is that most firms in this age are using some form of technology to assist them with information that can occur over a long period of time. And, that’s a situation when you’re dealing with red flags. You may be looking over a period of 30 days, 90 days, six months or a year to determine how often a red flag in an account may have occurred. And I think the thing that’s important about red flags is that’s exactly what it is. It’s a red flag.
What it means is that some parameter that’s been established by the firm has been broken. And that’s why I’m saying it’s imperative that people that are establishing AML programs, people that are establishing the parameters of that program, know what the requirements are, that they have a good idea through experience. training, and also looking at information such as this report that was recently issued by FINRA. But I think the situation is basically when you’re establishing a suspicious activity monitoring program, you’re talking about are you aware of what your obligations are. What we’re talking about is putting programs in place that can identify red flags. But I think the thing that’s just as important, or maybe even more important, is what do you do with those red flags. One of the things that regulators are looking for, do you have a program?
Do you have a program to identify unusual activity? And when you have that program and information is provided to you on that red flag, do you have a program out there that is adequate? And what I’m talking about is to reasonably establish whether or not a potential red flag may actually move from just being a red flag to an investigative stage, and then also on to consideration for filing a suspicious activity report. So again, these are all very important, determining the red flag, more importantly, determining whether or not there’s any sort of activity there that reaches a certain standard. And I think a couple things that, FINRA has found in some of their common finding that they list in this release is that firms failed to establish and implement written AML procedures that can be reasonably expected, the cause of reporting of suspicious activities.
And as I said before, the second issue, failing to reasonably review for and respond to red flags associated with asset movements within a firm. We’re talking cash or securities, we’re talking into accounts within the firm count, uh, activity where wires and checks and so forth are issued to third parties outside of, uh, outside of the firm. Do they have proper procedures in place? Mary Catherine talked out the beginning, uh, you know, about, you know, some of the establishment. And, you know, one of the first steps, of course, is opening a new account. dDdoes the firm have activity? Do they have processes by which people or companies that may be high risk, are identified at the account opening time, which will allow for some ongoing monitoring. And also, I think firms need to identify, those products that may be more conducive to potential money laundering.
So they need to look at accounts, they need to look at activity, and they need to look at products. And that’s something that has all been outlined in the report. So, we’ve talked about what the red flags are. We talked about monitoring, we talked about reviewing, and making an investigation to determine if in fact there are violations or a strong possibility of violations, where these matters need to be referred for further investigation by law enforcement members out there. And I think one of the other things that I have seen is the fact that what happens is, in addition to the red flag monitoring, there’s also a bit of a human intervention here, or human involvement here. And there are situations where this is a finding that FINRA has made that reps, operations people, people that might work at a front desk, at a brokerage firm may become aware of some suspicious activity, and they fail to report it. So again, policy, technology follow-up, appropriate review disposition. But again, don’t forget about the human involvement. Technology can only do so much, but again, very important for people outside of the technology area to be cognizant and report activity. I can’t appropriately be referred and followed up.
Ed Wegener: Thanks, Bill. Well, you mentioned some really important pieces. You know, one piece being the coordination between the technology that you’re using and the people that are using those technologies. So one of the things that FINRA did mention with respect to the technology is making sure that you’re assessing the effectiveness of the tools that you’re using, including assessing data feeds to make sure that the data that’s going in there, and the way that data is presented is being done effectively. And then the people piece, which a big part of that comes down to training people on the types of things that they should be looking for. And FINRA issued a couple of helpful pieces of guidance, with respect to that. They highlighted that regulatory notice 1918 provides a number of different red flags and things that you should be reviewing for if they’re applicable to your firm.
The same thing with regulatory notice 2103. And so making sure that your systems are reflecting those things, that the data is accurate, and then also that you’re training people to be on the lookout for those things, is all part of that combination that you were talking about in terms of the technology and the people. Another thing that’s important, is making sure that everybody’s clear on what they need to do, and that there’s coordination between the introducing firm and the clearing firm with respect to the review and assessment of these red flags. So all important things that that firm should be taking a look at and making sure that they’re focused on. Monitoring begins at the time the accounts are open, and that includes the customer identification program and customer due diligence. And, Mary Catherine, can you talk about what FINRA is considering when they’re assessing a Affirm CIP and CDD programs?
Mary Catherine Wilck-Pond: Yeah. Ed. We’ve talked today about the importance of firms identifying their AML risk, establishing risk-based AML programs, and the effective practice for firms to have formal documented risk assessments. FINRA notes in the 2023 report, that firms are still not establishing risk-based customer identification programs and conducting customer due diligence that’s risk-based. FINRA noted that there’s still gaps with validating the identities of control persons and beneficial owners of entity accounts within reasonable timeframes. FINRA also noted inadequacies in initial and ongoing risk-based customer due diligence that firms are not conducting their CDD to understand the nature and purpose of the customer relationship in order to develop a customer risk profile.
Mary Catherine Wilck-Pond: FINRA specifically called out effective CIP practices for those firms that open online accounts, and several specific items noted are requiring both documentary and non-documentary validation of customer identities or including multiple forms of documentary information contracting with third party vendors to help verify potential suspicious information. We talked about that in account applications, reviewing the customer’s IP address, obtaining a copy of the customer’s account statement prior to initiating an account transfer, and reviewing account applications for common identifiers such as email addresses, telephone numbers, physical addresses located in other applications, and any existing accounts, especially if the accounts appear unrelated. So my takeaway on the customer identification program and customer due diligence section offenders report is clear, these programs need to be risk-based, and firms have a clear obligation to understand the purpose and nature of each customer relationship.
Ed Wegener: Thanks, MC. That’s all very important. And, you talk about setting the policies and procedures and having all these set-in place, but then it really comes down to the implementation of those policies and procedures, and then testing to make sure that the policies and procedures have been implemented appropriately. And so there’s the training and the testing components, which are critical and generally addresses both of these pieces in their report. And Bill, if you could just provide some of the considerations and things that they talked about with respect to testing and training. And others, feel free to jump in as well.
Bill Reilly: Well, thank you, Ed. One of the things, that I’ve always looked at in any type of testing program is and what happens is a lot of firms will use some sort of examination module to guide them through the process. And there are a lot of times when we’re doing various exams for clients, we will use those exam modules or manuals to guide us through the program. I think the one thing that is just absolutely of utmost importance is that the exam program, the exam module, whatever document you’re using has to be meaningful. It has to make a determination as to compliance or non-compliance with rules, regulations, best practices, and things like that. So I always look at it as, you’ve got to have a meaningful document to work from.
So that’s step number one. If your exam module, your exam document is not meaningful then the results that you’re going to get, you’re actually going to go out there and you’re going to meet the requirement. Hey, I had an annual review. Okay, which is the requirement. But I think more than that is the fact that you want to make sure that you’re reviewing, suspicious activity, red flags, CIP, the barest programs out there. It’s got to be meaningful and it’s got to be followed. And I think in a lot of areas, and a couple things that the report actually talked about, is the fact that not testing critical aspects of the program for reasonableness. And what we’re talking about is suspicious activity detection, movements of assets, whether it be cash or, or securities.
These things that are all vital to the program, and, I can’t say it enough, is the fact that when suspicious activity, when red flags are identified, it is absolutely imperative to have the person with the right knowledge and expertise follow up on it, document it. If it’s to be closed without filing a SAR document, why it did not meet the standard. On the other hand, if it’s going to result at a SAR being filed, document the important facts as to why the standard to file a SAR has in fact been met. And I think the other issue is that what you need to do is determine that the person, whether in many situations, all of us on the call today, a lot of us on the call from a consulting viewpoint have conducted AML reviews.
The key word is independent. You want to make sure that you’re getting someone that is coming in looking at the rules, looking at the written supervisory procedures, the rules of regulation, the modules, walking through the process, documenting compliance and non-compliance, but do it from an independent viewpoint. I think that is extremely important as far as training. There’s a couple things out here that we need to mention. It is imperative as with any program within a brokerage firm or investment advisory firm, or a hybrid. When new policies and procedures are determined, when new products are put in place, it is imperative that training take place for the people who it’s intended for, and that the training is applicable to their job duties. Offices are reopening now that we’re moving a little bit past the pandemic. People walk in; the level of training that might need to go to a receptionist would be different than it would be to a registered rep or a person in your compliance department.
So the training must be applicable to their job role. And one of the other requirements, is it should be held annually. Mary Catherine talked a little bit about the CIP and the hiring process. I think it’s also imperative, people should receive training when they go to a firm, depending upon how long they’ve been in the industry, in their experience within certain timeframes. If you’ve had the training, and maybe it’s done in person versus online you’re not going to wait a whole year for a person to sit for the AML, the money laundering training and so forth. So effective training, identifying people’s roles and providing them that effective training. I think also as new products, new services, new technology, is introduced to the firm, it’s imperative that the training keep up with those functions and products.
Ed Wegener: Yeah. Thanks, Bill. I think when you talk about testing a program, whether it’s testing the overall supervisory system that you have, or testing discreet aspects of it, like AML, the important thing is to make sure that you’re assessing the adequacy and the effectiveness of the policies and procedures, then testing their implementation. And then, like you had mentioned, when you find issues, making sure that those issues are addressed and you have some way of tracking to make sure that any identified issues get corrected, and that is part of the training. You know, making sure that those are tailored, just like your AML program is meant to be tailored to your firm. The training needs to be tailored to the individual roles within your program. So all very critical pieces. And another aspect that’s related to AML that FINRA identified in its financial crimes section of its report, has to do with manipulative trading. And it’s an area that’s very close to AML in that FINRA has viewed manipulative training through the AML lens and identifying any indications of manipulative trading as potentially suspicious activity that needs to be reported. And Frank, as part of the discussion that FINRA had in their report regarding manipulative trading, can you talk about what they highlighted and things that firms should be considering?
Frank Childress: Yeah, thank you, Ed. I certainly can. It’s interesting that a lot of our discussion today has been about AML and historically FINRA has highlighted within the AML sector as microcap securities and manipulation within the microcap space. Interestingly, they didn’t specifically call that space out this year, but I certainly wouldn’t use that as any indication of relief and their diligence towards that. That’s been a high item for them over the last couple years, and I suspect they will continue to focus strongly in that space this year. They identified manipulative trading in big, bold red letters. They said new for 2023 within their examination and risk monitoring priorities. They cited a half a dozen or so rules that this could fall under. Everything from standards of commercial honor and principles of trade to front running of block transactions, to requirements around publication of quotes for trading desks and others.
So there’s a number of different rules that manipulative trading can be applied to, or rules that can be applied to manipulative trading. There’s a lot to look at here. Firm surveillance systems for patterns of suspicious activity are critically important to give managers some comfort that their systems are being properly monitored. This can be, there are a lot of third-party systems that do this type of monitoring for trading desks as well as certainly some people do have some homegrown systems. Then usually, typically the order management systems have some sort of capabilities built in within the order management system to identify this type of activity. So though it’s important that you’re using reports that are meaningful to your business practice, as Mary Catherine mentioned earlier in the call as you design your policies and procedures around monitoring for this type of activity, just like AML, it’s important to customize your policies and procedures to your specific client base.
So it’s going to look a little different for maybe a wealth management retail-based firm than it might for capital markets or a firm that just simply executes for other broker dealers. So design those policies and procedures that are tailor made for your particular business model. Then as we discussed earlier, it’s important that these policies and procedures are not only appropriately documented, but that you follow up on it and that you are reviewing these regularly with a cadence that’s described within the policies and procedures, and there’s follow up procedures, there’s escalation procedures and everything that’s incorporated within that. So, it’s interesting that they specifically call out manipulative trading this year as FINRA has a sort of a shiny new tool, that’s going to help them in the monitoring of this.
I think it’s extremely likely that they will aggressively implement their new CAT information that they’re now collecting to really aggressively pursue certain types of activity. And where monitoring has typically taken place, sort of in a one-dimensional looking at specific trades, CAT has the ability now and firms need to have the ability now to look across multiple customers, and in many cases, different timeframes as well over many days or different situations. It’s also important that the firms understand their client base and they recognize when there might be trades that might be considered by FINRA to be in concert, or if there’s activity that parallels itself within a firm, it’s important to be able to identify that and recognize and call that out. Also, within the written supervisory procedures, it’s important that they document not only the steps that they’re doing for reviewing, but the WSPs should identify what the position or individual person is that’s responsible for monitoring that type of manipulative conduct.
They mentioned a number of different sorts of trading schemes that they’re concerned about. They have their names like Momentum Ignition, layering spoofing, but generally speaking, all of these are just certain forms of deceitful trading where they might be trying to indicate one activity when they’re really trying to do something else, or maybe they’re just trying to make the market look bigger than it is, and they’re not intending to trade at all. So any type of activity that is not designed to reflect what their customer order flow is could be considered manipulative. So something for your systems to monitor. The only thing I’d add is, to consider if you are a trading desk manager or a senior manager, maybe even a compliance officer within a firm and you’re in an office or off the trading floor or in today’s world, where portions of your trading desk may be remote. How do you get comfortable with their trading activity? Do you have the tools in place to ensure that you are properly monitoring for any potential manipulative trading practices and consequently preventing any manipulative trading practices from taking place?
Ed Wegener: Thanks, Frank. I really appreciate that. One of the things that I really liked about the format of the report for both AML, manipulative trading, for all the areas that they had, was the organization of the report. It really kind of helps you be able to identify, pretty quickly what are the things that FINRA’s going to be looking at in terms of the considerations. What have they been seeing in their exams and the common findings, and then what are some effective practices that they’ve seen firms employ? And also having links to resources and guidance that you can quickly get to get more information about these. I think it really helps make the report a useful tool for firms to be able to assess their programs against. And so, as you’re doing your AML testing, as you’re doing your 31-20 reviews using this report to help you assess your programs, is a terrific tool and keeps you in front of the things that FINRA’s going to be looking at during their exam program for the given year.
So, this information has been extremely helpful. I want to thank all of you for joining today. Your perspectives, your perspectives are fantastic. And we’re going to be doing deep dives in the other areas in the report and future podcasts. So we really look forward to everyone joining us and listening into those future podcasts. Thank you very much and we’ll see you soon.
Libby Hall: Thanks everyone for listening. If you’d like to learn more about our experts and how oyster can help your firm, visit our email@example.com. And if you like what you heard today, follow us on whatever platform you listen to and give us a review. Reviews, make it easier for people to find us. Have a great day.
Subscribe to our original industry insights
"*" indicates required fields