For the first time, the Securities and Exchange Commission (SEC) brought an enforcement action under the USA PATRIOT Act against a broker-dealer, Crowell, Weedon & Co., Los Angeles, CA. The reason? Failure to follow its USA PATRIOT Act-required Customer Identification Program (CIP).

Under the USA PATRIOT Act’s amendments to the anti-money laundering laws (AML), every “financial institution” — which includes broker-dealers — must have a CIP meeting certain requirements, and follow it. The CIP requirements became applicable to broker-dealers on October 1, 2003. (68 Fed. Reg. 25113 (May 9, 2003)). Crowell, Weedon consented on May 22, 2006, to a cease and desist order from “committing or causing” violations of Section 17(a) of the Securities Exchange Act of 1934 and Rule 17a-8. Section 17(a) and Rule 17a-8 require broker-dealers to comply with AML record keeping requirements, including the Customer Identification Program.

Under a CIP, a financial institution must adopt and implement “reasonable customer identification procedures” for:

  1. Verifying the identity of any person seeking to open an account (to the extent reasonable and practicable);
  2. Maintaining records of the information used to verify the person’s identity, including name, address and other identifying information; and,
  3. Determining whether the person appears on any lists of known or suspected terrorist organizations provided to the financial institution by any government.

31 U.S.C. § 5318(l); 31 C.F.R. §103.122 (2005).

Crowell, Weedon apparently adopted a satisfactory CIP in a timely manner and then disregarded it for months. What procedures had the company adopted? Identification though a government issued form of identification, public data-base search, and other specified non-documentary and documentary procedures.

What did the company do? It failed to document how it verified its customers’ identifications. In addition, it relied upon its registered representatives’ “attestations” of personal knowledge of the new customers, a method of identification not allowable under its CIP. (Whether such an identification procedure would have complied with the law in this instance, even if it had been included in the company’s written CIP, is an open question.)

Crowell, Weedon, therefore, violated both ends of the CIP requirements. While it adopted a program as required, Crowell, Weedon neither followed its own CIP program nor documented the procedures it used.

Several lessons flow from this compliance proceeding:

  • Customer Identification Procedures, as adopted and as implemented, should match the potential risk to each line of business.
  • Train staff to follow the procedures.
  • Maintain appropriate records.
  • Have the compliance officer and internal audit check compliance regularly.
  • Report compliance (and compliance failures) to senior management and the Board.
  • Document the reports.

How does this decision apply to other financial institutions, including hedge funds? First, it means that the functional regulators (such as the SEC for broker-dealers) are serious about compliance. For a number of years AML compliance took a back seat to a functional regulator’s “primary” statutes, here the securities laws. Bill Fox, the recent head of the Financial Crimes Enforcement Network (FinCEN) at Treasury, and his replacement, Bob Werner, have made working with functional regulators for increased compliance enforcement a goal. The Crowell, Weedon case is an example of this emphasis bearing fruit.

Second, it shows that a financial institution will be held to the AML policies and procedures it has adopted. For example, in the Crowell, Weedon case, it might have been permissible to use its registered representatives’ “attestations” of personal knowledge of the new customers to verify some identities. But Crowell, Weedon policies did not allow this type of verification.

The proposed AML rules for hedge funds (“unregistered investment funds”), issued in draft almost four years ago, did not include a CIP requirement. The proposed regulations, which would require “standard” AML programs for unregistered investment funds, have not yet been issued in final form. The notice of proposed rule making, however, notes that hedge funds may become subject to both the CIP and Suspicious Activity Reports (SAR) requirements in the future. In view of the fact that CIP and SAR frequently have been added by FinCEN to ALM requirements over time, the Crowell, Weedon case is a reasonable illustration of the type of regulatory burden that may well be placed on hedge funds in the future.