Wednesday, January 9, 2008

Post Primary Thoughts on AML

Hello from NH, where today, at last, we are free of pollsters, campaigners and political junk mail! Quick note: Chris Matthews said we lied to pollsters. We did not. The difference in the numbers was the weather. But we'll let him figure that out...

http://www.finra.org/web/groups/educ_progs/documents/education_programs/p037702.pdf
This is a link to Mary Schapiro's recent webcast text on what to expect in an exam, re: AML compliance. I wanted to comment on two things: independent annual exams and CIP for friends and relatives.

The Independent Exam Quandary
Independent exams must happen every year for almost all firms. If your BD is nothing but a prop desk, it can be every two years. For firms that have anything to do with customers and securities transactions (and yes, you private placement firms out there now know that you are, indeed, conducting securities business), audits of AML programs must take place once/calendar year. FINRA, back in early 2006, clarified this and also what it meant to be independent; they also offered exceptions to the independence standard. That's the background.

What I'd like to comment on is that, if a firm uses an outside party to do the audit, and that same party provided template language for the firm's AML program--but does not otherwise implement or control the firm's AML compliance process in any way--that outside party in my opinion is independent for the purposes of meeting FINRA's expectations. My belief is that, if you look at their exceptions for in-house auditors who are not independent, and imagine a scenario whereby a firm relies on those exceptions (for instance, trains some staff person to do AML testing and has that person report the results to someone other than the AML compliance officer), in most cases, the testing will not be sophisticated enough or adequate to detect important deficiencies. In that scenario, the tester will apply his/her limited knowledge of applicable regulation to broadly review evidence of compliance. This will not result in effective testing and the firm, if failing to comply with the more esoteric or topical requirements, will continue to do so, given the lack of focused and informed reviews.

The other scenario, where an outside consultant who has provided template language--either originally or on an on-going, update basis--and who is engaged daily in the business of compliance; that is, who spends his or her time researching new rules, interpretations and guidance put out by securities or federal regulators, and who visits clients once a year to ensure, in a lengthy and thorough examination process, all aspects of AML compliance, is bound to be more effective than the in-house model. That was a long sentence--my apologies. Remember too that many of these firms who may rely on the in-house model are those who downloaded FINRA's AML template and just barely customized it. The outside consultant procedures+audit model has to be preferable to the FINRA template+in-house audit model, in my opinion. Better to have expertise than confusion.

If your firm runs into an examiner who expresses displeasure with your outside AML auditor because that same auditor provided update language to your written program, you may want to use my argument to defend your choice. Or rely on the Rule itself, which requires that, in summary, the tester should neither be one who performs the AML functions being tested, nor any designated AML compliance person or a person who reports to either one. You will be meeting this restriction and should be confident about doing so.

CIP for Friends and Relatives
Oh, my second point. In the recent guidance, Ms. Schapiro reiterates what was included in last year's online workshop--that you have to ID your own mother-in-law. Well, here's the exact quote: "Be sure to note that just because a customer is a registered representative’s personal acquaintance, this does not satisfy CIP verification requirements. But, the risk-based approach is flexible enough to make identity verification for personal acquaintances as unobtrusive as possible. For example, if the customer is a relative or a close personal friend of the registered representative, the firm may not require more than the minimum verification required by the rules, such as checking her driver’s license. However, the verification that is undertaken must still be documented."


You see, the requirement to verify the identities of customers is so bound up in legalese and paranoid FederalSpeak, that broker-dealers cannot be trusted to vouch for the identities of their own family members. Crazy, huh? I'm sure the folks at FINRA hate enforcing this and also find it ludicrous, but as they always say, it's not their Rules, it's the government's. With that sad excuse in mind, don't forget to check your brother's driver's license next time he opens an account--just to be sure he really is your brother.


