On April 5, 2016, Brad Bennett, FINRA's EVP, Enforcement, delivered a thoughtful, serious speech to the audience at the Securities Industry and Financial Markets Association (SIFMA) Anti-Money Laundering and Financial Crimes Conference. His speech focused on three topics of importance in this area.
The first was firm culture. Many of the problems FINRA sees "have their roots in firm culture and in the culture inherent in the business they choose to accept." While we are all aware of regulators' focus on a regulated entity's "culture of compliance," this was the first time I have seen a regulator be so direct in addressing the culture of the "business they [the regulated entities] choose to accept." This speaks directly to the major focus of the Financial Crimes Enforcement Network's (FinCEN's) most recent release (discussed in a different article) that requires financial market companies—including broker-dealers—to (1) know the beneficial owners of the businesses they accept as customers; (2) understand the nature and purpose of the customer (and develop a corresponding risk profile ); and (3) conduct ongoing monitoring of the customer's activities. (The FinCEN release is available at 81 Fed. Reg. 29398 (May 11, 2016).)
The second topic was assessing risk. Mr. Bennett approached this issue systemically and with a special focus on microcap securities. He focused not just on the importance of the practices and procedures a firm uses to monitor the activity in customers' accounts, but also on the systems used to test, calibrate, and tailor these techniques. FINRA is making it clear that a firm's cultural approach to its customers must be matched by monitoring systems capable of identifying improper activity by these customers. This is "risk-based" monitoring required in real time.
The third topic focused on recent cases. In comparing two matters, one in which a compliance officer was charged and another where the AML officer was not, Mr. Bennett examined an important point—when does FINRA charge individuals? The answer was that FINRA looks at potential liability for "individuals in every case." The distinction between the two cases may be reduced to a single proposition: In the case where the AML officer was not charged, the officer did his or her job. The officer questioned the unlawful activity and the inadequate supervisory system that led to FINRA sanctioning the company, but not the compliance officer.
By mid-May, FINRA again demonstrated that it puts its "talk" into action. FINRA fined a major brokerage $17 million for "systemic anti-money laundering compliance failures." The company's now-former AML compliance officer was also fined $25,000 and suspended for three months.
This case is a direct application of Mr. Bennett's April 5 speech to a concrete set of facts. The brokerage, already sanctioned in 2012 for inadequate AML procedures, failed to update its compliance systems to match the company's growth. One result was that certain "red flags" went completely undetected or were inadequately investigated. Another consequence was that the firm failed to conduct required due diligence and periodic risk reviews of foreign financial institutions. Finally, FINRA concluded that the firm failed to establish an adequate, required, customer identification program.
In this case, the AML officer apparently did not carry out the officer's obligation to ensure that the firm's AML program was adequate, or that required reviews were conducted. In addition, the compliance officer did not question the inadequate compliance systems and activities, or raise these issues with the appropriate corporate officers.
There is a direct correlation between FINRA's annual regulatory priorities letters, as highlighted by Mr. Bennett's April 5 speech at the SIFMA Conference, and the following:
- There are a growing number of cases finding personal responsibility for AML compliance failures; and
- There is increased responsibility of FINRA-regulated entities to involve all aspects of their businesses in knowing their customers, monitoring ongoing business activity, and, in short, developing or improving their "culture of compliance."