Firm Settles FINRA Charges for Inadequate AML Program
A firm settled FINRA charges for failing to implement an anti-money laundering ("AML") program tailored to its business of providing cash management securities accounts to corporate customers.
According to the AWC, FINRA said that the firm relied on an automated identity-verification algorithm and manual reviews of certain account applications. FINRA found that the firm's algorithm failed to collect all necessary customer information and did not properly assess potential fraud indicators, which resulted in the approval of "hundreds of potentially fraudulent accounts that attempted over $15 million of transactions using deposited funds that failed to settle." FINRA noted that, subsequently, "those deposits were recalled as unauthorized, rejected due to insufficient funds, or refused for other reasons," and that "in most cases [the firm] could not recover the funds or confirm the customers' true identities."
FINRA further found that the firm's AML procedures did not:
- include a risk-based customer identification program suitable for its expanded customer base, which now included small businesses and other higher-risk entities;
- implement reasonable procedures for verifying the identities of beneficial owners of legal entity customers, or account for potential identity fraud in its automated systems;
- have adequate policies to ensure the filing of suspicious activity reports in cases where there were red flags of potential fraud or unauthorized account activity;
- provide for effective ongoing monitoring of accounts and transactions, particularly for accounts that raised fraud alerts; and
- document the processes and decisions made during manual reviews of flagged accounts to verify customer identities or detect suspicious activity.
As a result, FINRA determined that the firm violated FINRA Rules 3310 ("Anti-Money Laundering Compliance Program") and 2010 ("Standards of Commercial Honor and Principles of Trade").
To settle the charges, the firm agreed to (i) a censure and (ii) a $900,000 fine. The firm also committed to improving its AML program, which included updating policies and procedures, hiring additional experienced staff and engaging a third-party consultant to review its AML practices.
Commentary
When it comes to meeting AML compliance requirements, firms cannot "mail it in." When expanding services to customers, firms have to consider whether the additional services or an expanded customer profile alters their AML risk assessment, and if so, what needs to be done procedurally, with respect to the implementation of controls, to manage additional risk to acceptable levels.
In addition to continually ensuring that customer due diligence procedures align with a changing customer population, transaction monitoring protocols—including the investigation of flagged transactions—should be assessed to ensure that they are appropriately robust in light of the firm's risk profile. This entails ongoing evaluation, not a "fix it once and forget about it" approach.