Monday, October 26, 2009

AML Non-Compliance Back in the Day

I just read FINRA’s release on the Scottrade fine, the one that alleges failure to establish and implement an adequate AML program to detect and trigger reporting of suspicious transactions.

Yikes!

The period of most egregious failure was from April 2003 to January 2005. Geez, back then, NASD’s testing of AML compliance consisted of seeing if firms knew what A-M-L stood for. It’s only in the past couple of years that FINRA’s examination program has raised its expectations…that is, instead of being satisfied that a firm had a program in place, they actually look at the components and consider their reasonableness. To look back at a period in which AML rules were brand new seems a bit unfair (I know—the Rule came out in April 2002--but CIP didn’t come out until October 2004, and this whole emphasis on REPORT! REPORT! REPORT! didn’t take shape until about two years ago). If their expectations were low back then, why is it okay to apply the heightened standard retroactively?

I don’t have any information on this case, so I’m reacting to the summary provided by FINRA. So I might not be fair, either.

But reading the summary leads me to a few other hysterical reactions—er, I mean, thoughtful considerations: Why was it unreasonable, in the early days of AML regulation, to assume that monitoring movement of money was a good means of detecting suspicious activity? Why was it unreasonable to let designated personnel like branch (front-line), cashiering (appropriate, non?) and margin employees refer suspicions to compliance? Why was it a bad thing that Scottrade got progressively more attuned to the challenge of AML monitoring and thus hired a risk management analyst to review its system and later developed a proprietary, automated monitoring system? Why is Scottrade being criticized, in this context, for not preventing ID theft and account intrusions back before 2007, when those hot topics were only in the early stage of regulatory focus (Nov. 1, 2009 is the effective date for compliance with the ITPP requirements under the FACT Act and to my knowledge, Reg. S-P amendments have yet to be made effective—email me if I’m wrong on this)? And Scottrade’s volume report being used back in 2006 to detect pump-and-dump schemes and unauthorized trading activity, but not to detect suspicious activity by bona fide account holders?... if NASD required this back then, why didn’t they tell them? I’m sure they were in there reviewing general and AML compliance every year.

I’m wondering, how much of this longed-for monitoring would have led to SAR reporting that would have resulted in actual cases proving terrorist financing? Was that factored into the findings? (Oops, there I go again, forgetting that BD’s are law enforcement agencies charged with uncovering fraud and tax evasion, too.) Or is this finding just a hypothetical exercise in retroactive nit-picking for the sake of making an example out of the ‘failure’ or – I’m not really a cynic – to make money?

I have to admit: I see small firms being examined on the bare basics of AML and I find that FINRA continues to be gentle with these small firms. It’s almost like ‘principle-based’ compliance, but not really. It’s more like, “Okay, you’ve met the minimum requirements under 3011, but don’t forget to get exception reports” and all ends well. Personally, I’m okay with this, especially in the context of very small firms with a limited business whose clientele is local and very familiar. To expect anything more than token AML compliance is wrong in those cases. For bigger firms, yeah, sure, take it to the next level—but don’t mix subject areas and don’t retroactively apply developing standards to a time when AML was new and little understood. Even for the big firms that’s not fair. They are slow-moving beasts and should have been afforded a learning curve.

I think I’m too tolerant. That’s my problem. The world might very well be a charred sinkhole had it been under my watch until now. Never elect me President*.

(*Attorney General, maybe. I promise I’ll follow in Holder’s footsteps. --here I go again, with that tolerance thang.)

Thursday, October 15, 2009

Internal Testing of AML: Loophole Closed

Just yesterday I was blathering about the loophole in NASD IM-3011-1, which allows firms to have internal staff do annual testing of their AML programs. This rule lets firms have someone in the AML chain of command do the testing. The way it was written was always a bit curious: as if meant to strictly limit firms, but with a nice rabbit hole to jump into to safely avoid the limitation. Don't get me wrong: I've been a fan of the loophole, since I tend to sympathize with really small firms that have to meet onerous, big-firm requirements....and that's who would have relied on the loophole until now: very small firms with no staff remote enough from the AML staff and supervisor (usually the same person) to be considered independent. Well, thanks to FinCEN, these small firms will henceforth have no choice but to pay up for their annual independent AML testing.

You see, in Notice 09-60 FINRA announced its recent slate of rule consolidation changes. One of those is new FINRA Rule 3310, replacing NASD Rule 3011 and its IM's. The rule essentially stays the same except for the removal of the independence carve-out.

Firms can still appoint an internal staff member to conduct the testing, but that person must absolutely meet the following requirements:

1. The person must not perform the functions being tested,
2. The person may not be the designated AML compliance person, and
3. The person may not report to either anyone performing AML functions or the designated AML compliance person.

So if your firm is big enough such that you have senior staff who do not get involved at all in AML stuff, and you have employees who are well-versed in BSA/other AML requirements who do not do any AML work, you should be able to continue to rely on in-house AML testing.

The reason for the change? FINRA blames it on FinCEN, which stated that "the independent testing provision of the BSA precludes AML program testing by personnel with an interest in the outcome of the testing..." Seems reasonable--if you believe that our current AML rules, regulations and applied guidance have proven useful in fighting terrorism and if you believe that it is the role of the broker and the brokerage firm to police its clientele. Might seem unreasonable if you closely run a very small firm with a local, familiar clientele and have seen the cost of compliance skyrocket right along with the increase in regulatory expectations, and you now have to pay a third party to come in and verify the obvious: you're trying hard to follow the rules.


(Oops. I let myself go for a second, there... back to the subject at hand...)

The rule change is effective Jan. 1, 2010. You tiny firms out there will have to find someone to do your independent testing next year. (This is not a sales pitch, by the way--could you tell?)