When the CCO Is Not Compliant: Failure To Have Independent Testing of Broker/Dealer AML Compliance
Broker/dealers, which function as intermediaries between buyers and sellers of securities, are registered with and regulated by both the U.S. Securities and Exchange Commission (“SEC”) and the Financial institution Regulatory Authority (“FINRA”). They may also be subject to regulatory requirements as part of having trading privileges by particular exchanges such as the NYSE and NASDAQ. Enacted in 1970, the Bank Secrecy Act (“BSA”) established a monitoring and reporting system for banks and all other financial institutions, including broker/dealers, specifically designed to prevent “money laundering.” Money laundering is the transmission of funds either obtained from illegal activities (such as selling narcotics) or intended for illegal activities (such as terrorism). Hence, broker/dealers are obligated to have both strong policies and strong procedures that are anti-money laundering (“AML”).
When the CCO Is Not Compliant
Those policies and procedures are intended to deter money laundering, and if it occurs, to detect it and report it as Suspicious Activity Reports (“SAR”) to the designated authorities, typically FinCEN (the Financial Crimes Enforcement Network, a unit of the U. S. Department of the Treasury). As part of the requisite AML program, the program of each broker/dealer and its effectiveness must be tested at least annually. This is consistent with other aspects of compliance, as the author has written about in the November 19 Risk Alert concerning registered investment advisers “Meeting Specified Standards: The SEC’s OCIE Assess Compliance.” However, unlike the case regarding registered investment advisers, with broker/dealers, the Chief Compliance Officer (“CCO”) may NOT oversee all.
A major difference between registered investment advisers and broker/dealers is that broker/dealers handle, or at least have access to, the cash and securities owned by customers. That key difference has had more than one substantial regulatory consequence. Under the SEC’s Custody Rule, any registered firm with custody of customer assets must be subject to a no-notice audit at least annually as a way of inhibiting careless and/or intentional dissipation of those assets. It is not enough for the registered firm’s compliance or audit personnel, or even the firm’s regular outside auditor, to conduct the custody audit. Custody audit results are given both to senior management and to the SEC. For those who have served in the U.S. Air Force, as did the author, these audits bring to mind Operational Readiness Inspections. Making matters even more complex, “Custody” for these purposes goes far beyond physical possession and includes the authority to direct others to sell or transfer assets (including possession of computer access codes).
Independent Testing of Broker/Dealer AML Compliance
Similarly, under FINRA’s Rule 3310, “Anti-Money Laundering Compliance Program,” the at least annual test of a broker/dealer’s AML program must be conducted by independent persons not subordinate to or otherwise likely to be influenced by the person(s) responsible at the broker/dealer for its AML compliance program. In November 2020, FINRA found that a broker/dealer had not met the AML compliance program independent test requirement in 2016, 2017, and 2019 because the testing was not conducted by independent persons; in one year the “tester” was actually supervised by the firm’s CCO. As part of a settlement with FINRA, the broker/dealer agreed to a revised independent testing program in future years and paid a $5,000 civil money penalty.
Interestingly, one national BigLaw firm advertises in its blogs about compliance: “HOW’S YOUR AML PROGRAM? An AML Audit by …Compliance [an affiliate of the BigLaw firm] provides your firm with an independent AML Audit as required under FINRA Rule 3310© – it’s a lot more cost-effective than the potential fine!”