On December 5, 2016, FINRA fined Credit Suisse's USA securities branch $16.5 million for alleged deficiencies in its anti-money laundering (AML) supervision and enforcement systems. FINRA, the private self-regulatory authority for broker-dealers, found Credit Suisse's suspicious activity monitoring program lacking in two important respects:

  • The firm did not adequately monitor and investigate client activity, resulting in high-risk and other suspicious client activity that was not investigated; and
  • The firm's automated surveillance system was not sufficiently calibrated or tailored for its activities, and relied, in many cases, on inaccurate data, or did not receive data that was required as part of the program.

The hefty penalty, set forth in an Acceptance, Waiver and Consent (AWC) settlement, is yet another case showing that implementing an AML surveillance system alone is not sufficient to demonstrate compliance with FINRA's rules or U.S. AML laws. FINRA expects firms to monitor transactions and assess their procedures on an ongoing basis. The AWC demonstrates the seriousness of FINRA's 2016 Priorities Letter. There, FINRA focused on suspicious activity monitoring and cautioned firms to "verify the accuracy of data sources to ensure that all types of customer accounts and customer activity, particularly higher-risk accounts and activity, are properly identified and reviewed in a manner designed to detect and report potentially suspicious activity."

Where Did the Firm's AML Program Go Wrong?

Under FINRA Rule 3310(a), member firms are required to develop and implement risk-based, written AML programs reasonably designed to achieve and monitor for compliance with the Bank Secrecy Act (31 U.S.C. §§ 5311 et seq.) and its implementing regulations promulgated by the Financial Crimes Enforcement Network (FinCEN), part of the U.S. Treasury. FinCEN's regulations require covered firms to monitor for, and report on, suspicious activity involving customer transactions and related activities. FINRA determined that Credit Suisse's compliance system was deficient, particularly with respect to the firm's monitoring program and automated surveillance system.

FINRA found that these same compliance failures led to violations of Section 5 of the Securities Act of 1933, which makes it unlawful to sell a security unless a registration statement is in effect. FINRA determined that Credit Suisse's procedures resulted in inadequate compliance with this prohibition, as they did not instruct representatives on how to determine whether securities were registered or subject to an exemption from registration. As a result, FINRA found that the firm facilitated the illegal distribution of at least 55 million unregistered shares of securities.

(1) Ineffective AML Monitoring

Although the firm's procedures contemplated a "lines of defense" strategy, the firm relied primarily on its registered representatives for identifying and reporting potential money laundering activity, and the firm's other "departments and branches did not assume responsibility for reviewing trading for AML reporting purposes." FINRA found this system ineffective because it failed to identify many actions that should have been flagged as suspicious. Specifically, FINRA found the following deficiencies in the firm's supervision system:

  • Inefficient systems, procedures, and training. In several instances, accounts were not reviewed for AML purposes. Clients of Credit Suisse that followed patterns commonly associated with microcap fraud were not examined by any firm personnel.
  • Big gap in monitoring foreign affiliate accounts. Most of the orders Credit Suisse received from foreign affiliates came to the firm electronically and were not seen by the firm's registered representatives. As such, these transactions were not reviewed.
  • Lack of interdepartmental coordination. The firm did not coordinate responsibility for reviewing trading for suspicious activity among its departments and branches. AML monitoring duties often rested with a single individual, which resulted in the firm's failure to review certain firm clients for suspicious activity altogether.
  • Failure to follow up on suspicious activity. Even if suspicious activity was seen by a firm representative, the activity report was not always escalated to the firm's AML compliance department.
  • Inadequate resources dedicated to AML surveillance. Credit Suisse did not dedicate sufficient resources to AML compliance, which inhibited the firm's ability to detect suspicious activity.
  • Inadequate documentation. Credit Suisse sometimes failed to document that it was adequately reviewing the results of its investigations.

(2) Deficiencies in the Automatic Surveillance System

FINRA identified deficiencies in Credit Suisse's automated surveillance system used to detect suspicious activity. According to FINRA, the firm failed to calibrate the system to detect suspicious scenarios, which resulted in several high-risk transactions being run through Credit Suisse without detection. FINRA's findings included the following deficiencies:

  • Improperly calibrated system. The system scenarios that analyzed data were deficient or ineffective at identifying suspicious activities. The system did not take into account factors such as counterparties, external entities involved in a transaction, or external geographies associated with a transaction.
  • Inaccurate/missing data inputs. Much of the data put into the automatic surveillance system was inaccurate. The inaccurate data led to erroneous risk scores. Additionally, much of the data was duplicative, resulting in the rejection of more accurate data, and some data was not formatted in a manner that permitted the automated system to monitor transactions effectively. Finally, key identifying data for certain customers was missing altogether.
  • Failure to review flagged activities. Even if the system triggered an alert, Credit Suisse did not always adequately review and investigate the activities.
  • Inadequate staffing. Credit Suisse retained only 3-5 individuals to review the tens of thousands of alerts the automated system generated per year.
  • Failure to remediate deficiencies. Although Credit Suisse identified a number of deficiencies, retained a consulting firm to evaluate them, and developed a plan to remediate the issues, the firm failed to devote adequate resources to issue resolution, and many of the deficiencies remained unresolved at the time of the AWC.

Key AML Lessons for Compliance

A number of lessons can be drawn from FINRA's action. Perhaps the two most important are that the firm failed to allocate sufficient resources to its AML function, and it failed to remediate issues with its program when identified. Other important takeaways for firms to consider include the following:

  • Engage in regular training of employees. Firms should periodically instruct employees on how to monitor for suspicious money-laundering activity, and how to coordinate with other branches of a company to ensure no activity is overlooked.
  • Investigate suspicious activities. When suspicious activity is identified, a firm must investigate the activity and, where appropriate, file a suspicious activity report. A firm should document that it exercised proper diligence in investigating flagged activities.
  • Coordinate with firm branches to identify suspicious activities. A firm should not leave the responsibility of flagging suspicious activities to a single individual or part of the firm. Different branches of a firm must coordinate to identify suspicious transactions.
  • Carefully calibrate an automated compliance system. An automated compliance system must implement scenarios designed to check for activity commonly associated with money-laundering, such as round-dollar deposits, withdrawals in the same or similar accounts, or transactions associated with high-risk geographies. A firm should use all available scenarios relevant to its clients' activities.
  • Test and validate the data used by the monitoring system. A surveillance system is only as good as its data. A firm must ensure that the data feeding into its systems is not duplicative or inaccurate, and that the system is capturing all relevant data. In this regard, there is an increasing push in the AML world to move beyond basic rules-based models to incorporate machine learning that can learn from and make predictions based on data.

At a minimum, this action shows that FINRA expects vigorous self-monitoring by its member organizations, and will penalize firms not only for failing to flag suspicious transactions, but also for developing subpar policies. Going forward, firms should implement measures to ensure their monitoring data is complete and accurate, and that they devote sufficient resources to their AML monitoring systems.