For many securities firms, anti-money laundering has always been a priority. Other firms only honed in on AML once formal rules were laid out in 2001's USA PATRIOT Act. Regardless of how much time firms have had to prepare their AML plans, though, regulators want results. Many addresses on Wall Street have already received an AML visit from regulators, as part of a routine audit or a specific AML investigation. And those that haven't yet can be sure that they will get a request to examine their AML processes sometime soon.
"There's no question that self-regulatory organizations [such as the NYSE] and the Securities and Exchange Commission have been including anti-money laundering as part of their regulatory exams," notes Alan Sorcher, associate general counsel for the Securities Industry Association.
Sorcher attributes much of the recent focus on AML to a case in late spring that involved Washington-based Riggs Bank. After fining the bank for failing to report suspicious customer transactions, Daniel Stipano, deputy chief counsel with the Office of the Comptroller of the Currency (OCC), admitted to Congress that a "more probing inquiry should have been made into the bank's high-risk accounts, and that stronger, more forceful enforcement action should have been taken sooner."
Sorcher points out that while the bank may be governed by different agencies and regulations than securities firms, the case still begged the question as to whether firms had their AML systems up to par, as well as whether agencies were diligent enough in inspecting those systems. "It heightened the regulatory agencies' awareness," he says. "No other regulator wanted to feel like they were missing something and might be called up on [Capitol] Hill to testify about it."
Karen Burgess, senior advisor with the Office of Compliance Inspections and Examinations at the SEC, concedes that the SEC has upped the ante in AML auditing. Burgess says that the SEC began conducting "sweeps," a small number of targeted AML exams, within the last few months. "The idea is to go in directly and get an idea of where firms are in their compliance," she explains. "The rules are in place, and we're out there examining for them. We expect that, at this point, firms should have systems and procedures in place."
What to Expect
Steven Shine, senior regulatory counsel at Prudential Securities, says that every firm should expect to be audited by regulators at least once a year, adding that "AML is a big component of that." Shine says that AML examinations can take
a variety of forms. First, a firm's AML processes can be inspected during a general sales audit. Second, a firm can be audited specifically for AML. And last, he says, a firm can receive a "for cause" audit if a regulatory agency determines that there may be some sort of deficiency in its AML processes. The SEC, a self-regulatory organization [SRO] - such as the NYSE or NASD - or, on occasion, even a state regulator, can conduct those audits.
The SEC's Burgess says that the agencies are all working together to be watchdogs for the industry. "Anti-money laundering is the poster child for examination coordination and communication between SROs and the SEC," she relates, noting that SROs typically conduct routine examinations, while the SEC's investigations tend to maintain SRO oversight.
While there is no obligation of advance notice, agencies generally alert firms a few weeks before a sales audit. "Depending on the type of exam, you may or may not have advance notice," Shine says. But, "Regulators are not looking for a 'Gotcha!'" he continues. Besides, he adds, the comprehensive requirements of AML regulations would make it impossible for a firm to try to get itself up to speed in a short amount of time. "It's not something firms could just go do in a few weeks," he says.
Due to the array of forms an audit can take, and the various regulatory agencies that can conduct them, it is difficult to pinpoint exact requirements for each audit, Shine notes. Still, some similar elements can be expected.
Shine says that firms should be prepared to present assurance of their compliance with Section 352 of the PATRIOT Act. This requires that firms designate a compliance officer, create internal AML policies and procedures, institute ongoing training within the firm on those policies and procedures, and test themselves with independent audits. Firms must also prove that they have established a customer-identification program for all new accounts, as part of Section 326 of the PATRIOT Act, in effect since October of last year.
Suspicious-activity reporting (SAR) is expected as well, which maintains that a firm must report any questionable transaction activity that might relate to a possible violation of a law or regulation. Shine notes that regulators are more concerned with the thought process than the exact amount of SARs that a firm may file. "It's not about whether regulators agree with the conclusion to file an SAR, but more as to what the justification is behind filing or not filing it," he says.
The SIA's Sorcher says that, like SAR filing, much of AML audits are about processes rather than consistent results or documentation. "Most of the [AML] rules require a risk-based approach," he says. "Firms can set up their own processes based on their line of business or type of clients."
In addition to assessing compliance with the PATRIOT Act, a retail brokerage can expect regulators to examine branch policies and procedures on AML, and ensure that all necessary documentation is kept within that branch, says Prudential's Shine. Regulators will also likely investigate the role of the anti-money laundering or compliance officer at the firm's corporate location and make sure that systems and processes are applied to all personnel firm-wide.
How to Prepare
The best defense for a regulatory examination, says Sorcher, is to pay attention to the firm's yearly independent audit. "An audit will find your inadequacies and make recommendations, and you must address them," he says. In addition, Sorcher points out that ongoing audits help identify evolving risk management. "Mergers and acquisitions, opening new lines of business and world events change risk factors," he explains.
Shine contends that, due to the interpretive nature of anti-money laundering, firms should use a combination of technological and manual processes to address AML activity. While systems have come a long way in the last few years, he says, "Anti-money laundering systems are never enough. You must tweak them for individual firms and lines of business. And human beings who know the area of anti-money laundering must be able to make judgments on suspicious activity."
Although many tweaks have already been made to the PATRIOT Act, Shine argues that, despite its potential to change again, firms should be proactive in protecting themselves. "Firms want to be ahead of the curve in anticipating changes in AML regulations - and not because of the audits," he says. "It's in a company's best interest to have effective anti-money laundering programs. The audits should be the easy part."