Staying true to its Chairman’s message regarding its focus in 2016 on anti-money-laundering (“AML”) compliance, the Financial Industry Regulatory Authority (FINRA) just settled claims of inadequate AML controls with the investment arm of a major global bank for US$16.5 million. This amount is over 17% of the entire amount FINRA assessed in fines in all 1,512 disciplinary actions in 2015 and reflects a remarkable trend of increasing penalties in this space. As we wrote in April 2016 when noting the increased enforcement risks — particularly in the microcap trading arena — a similar AML case in April 2015 was settled for US$950,000, with another similar case in December 2015 settling for US$7.3 million. Our prior alert covering the 2015 cases, the Chairman’s remarks, and the applicable laws may be found here. For updates and the lessons learned from this most recent case, please keep reading.

I. FINRA AML Settlements Are Trending Upward The upward trend of the settlement amounts reflects the tendency for enforcement actions to become harsher as regulatory expectations become more clearly established. Broker-dealers and other financial companies that fail to routinely maintain, audit, and upgrade their AML programs to address evolving high-risk threats — particularly when those threats are outlined in prior enforcement actions against other companies in the same line of business — are more likely to be the subject of significant enforcement actions with larger monetary penalties.

II. FINRA Has Identified Specific Suspicious Activities It Expects AML Programs to Monitor The broker-dealer at the heart of this newest FINRA case is headquartered in New York City, employing approximately 3,000 registered persons. By all accounts, it had no prior disciplinary history and indeed had an AML program in place. The alleged failings related to an automated system that had not been properly programmed to detect the potentially suspicious transactional scenarios that the broker-dealer’s compliance department wanted to review. FINRA thus claimed:

  • The obviously suspicious scenarios were not contemplated or had thresholds set too high, which led to the failure of alerts being triggered.
  • The broker-dealer’s compliance system was not programmed to “identify deposits or withdrawals in same or similar amounts, transactions associated with high-risk geographies, round dollar transactions, significant changes in transaction activity, offsetting trades, and the movements of funds without corresponding trade activity.”[1]
  • The broker-dealer had no mechanism to detect and report suspicious trading in “penny stocks for which no registration statement was in effect”; “thinly traded or low-priced securities” that suddenly spiked in value amid similarly spiking customer demand; “shell companies”; securities of companies whose “SEC filings were not current, incomplete or non-existent”; and securities for companies where “there was limited public information available about the issuers or most of the information available about the issuers was derived from questionable press releases.”

III. Qualified and Sufficient Numbers of Analysts and Supervisors Are Expected in Broker-Dealer Compliance Departments When the broker-dealer’s automated system did flag scenarios for manual review, FINRA alleged that the subsequent review was not always adequately done — allegedly because of insufficient resources dedicated to AML compliance, as only three to five analysts were employed to cover tens of thousands of alerts. These failures occurred despite the use of an outside consulting firm to implement and audit parts of the program, which may reflect the potential shortcomings of commoditized AML service-providers or the broker-dealer’s allegedly inadequate culture of compliance in not having compliance recommendations implemented by supervisors in a timely and global manner under General Counsel oversight using qualified IT personnel.

Among the more fundamental failings of the broker-dealer was an alleged failure to have written supervisory procedures over its AML compliance function. Regulators increasingly expect AML personnel to have a clear chain of communication leading directly to qualified personnel in the C-suite or on the board.

IV. Correspondent, Nested, and Foreign Accounts Continue to Be Targeted for Enhanced Customer Due Diligence Additionally, the broker-dealer’s AML program allegedly failed to conduct adequate due diligence on correspondent or nested accounts, which — as we have noted here — has been a major focus of international AML efforts. Indeed, FINRA criticized strongly the broker-dealer’s procedures for failing to provide employees with guidance on how to determine the owner of microcap securities or the manner in which they were obtained.

These specific failings were cited by FINRA as an example of the real-life consequences of the broker-dealer’s inadequate AML controls, as “Customer X, a New York-based hedge fund, … trading followed patterns commonly associated with microcap fraud, such as securities deposited, quickly sold and proceeds wired out of the account shortly thereafter.”[2] Despite the purportedly obvious nature of this private-banking customer’s activity, the broker-dealer did not have anyone review “activity in Customer X’s account for AML purposes” and furthermore failed to “employ an automated scenario designed to detect the type of potentially suspicious activity engaged in by Customer X.” Additionally, over the course of eight months, the broker-dealer’s clearing firm contacted the broker-dealer three times about Customer X’s suspicious activity, but the broker-dealer failed to document any investigation into the activity.

In another alleged failure, the investment banking arm of the broker-dealer failed to analyze “microcap sales on behalf of customers of [its] affiliate located in a bank secrecy jurisdiction that maintained an omnibus account” with the broker-dealer. Most of the affiliate’s orders came electronically, which evaded the sales traders upon whom the broker-dealer relied to detect and escalate potential suspicious activity. Additionally, had the data been properly assessed in an automated or manual fashion, FINRA suggested that it would have been filled with “red flags,” as the affiliate (and its nested customers) often “sold a substantial number of shares of microcap securities during periods in which the issuers were the subject of promotional activities and during which the trading volume and stock price experienced dramatic spikes.”[4] These sales “represented a significant percentage of the daily trading volume in the stock of numerous issuers on repeated occasions,” sometimes “accounting for 100 percent of the trading in a particular security.”[5]

V. Conclusion FINRA continues to emphasize a top-to-bottom culture of compliance that requires policies, people, training, and independent auditing and updating, with a particular emphasis on known high-risk suspicious-activity scenarios and customer due diligence. Both automated quantitative monitoring programs and qualitative human review are likely needed to detect the gamut of reportable suspicious activity. Adequate resources to implement these policies, programs, and reviews are expected, with supervisors in need of such resources increasingly being empowered by regulators to go to the C-suite, General Counsel, or board level to effectuate meaningful AML compliance programs.