Monday, October 26, 2009

AML Non-Compliance Back in the Day

I just read FINRA’s release on the Scottrade fine, the one that alleges failure to establish and implement an adequate AML program to detect and trigger reporting of suspicious transactions.

Yikes!

The period of most egregious failure was from April 2003 to January 2005. Geez, back then, NASD’s testing of AML compliance consisted of seeing if firms knew what A-M-L stood for. It’s only in the past couple of years that FINRA’s examination program has raised its expectations…that is, instead of being satisfied that a firm had a program in place, they actually look at the components and consider their reasonableness. To look back at a period in which AML rules were brand new seems a bit unfair (I know—the Rule came out in April 2002--but CIP didn’t come out until October 2004, and this whole emphasis on REPORT! REPORT! REPORT! didn’t take shape until about two years ago). If their expectations were low back then, why is it okay to apply the heightened standard retroactively?

I don’t have any information on this case, so I’m reacting to the summary provided by FINRA. So I might not be fair, either.

But reading the summary leads to me a few other hysterical reactions—er, I mean, thoughtful considerations: Why was it unreasonable, in the early days of AML regulation, to assume that monitoring movement of money was a good means of detecting suspicious activity? Why was it unreasonable to let designated personnel like branch (front-line), cashiering (appropriate, non?) and margin employees refer suspicions to compliance? Why was is a bad thing that Scottrade got progressively more attuned to the challenge of AML monitoring and thus hired a risk management analyst to review its system and later developed a proprietary, automated monitoring system? Why is Scottrade being criticized, in this context, for not preventing ID theft and account intrusions back before 2007, when those hot topics were only in the early stage of regulatory focus (Nov. 1, 2009 is the effective date for compliance with the ITPP requirements under the FACT Act and to my knowledge, Reg. S-P amendments have yet to be made effective—email me if I’m wrong on this)? And Scottrade’s volume report being used back in 2006 to detect pump-and-dump schemes and unauthorized trading activity, but not to detect suspicious activity by bona fide account holders?... if NASD required this back then, why didn’t they tell them? I’m sure they were in there reviewing general and AML compliance every year.

I’m wondering, how much of this longed-for monitoring would have led to SAR reporting that would have resulted in actual cases proving terrorist financing? Was that factored into the findings? (Oops, there I go again, forgetting that BD’s are law enforcement agencies charged with uncovering fraud and tax evasion, too.) Or is this finding just a hypothetical exercise in retroactive nit-picking for the sake of making an example out of the ‘failure’ or – I’m not really a cynic – to make money?

I have to admit: I see small firms being examined on the bare basics of AML and I find that FINRA continues to be gentle with these small firms. It’s almost like ‘principle-based’ compliance, but not really. It’s more like, “Okay, you’ve met the minimum requirements under 3011, but don’t forget to get exception reports” and all ends well. Personally, I’m okay with this, especially in the context of very small firms with a limited business whose clientele is local and very familiar. To expect anything more than token AML compliance is wrong in those cases. For bigger firms, yeah, sure, take it to the next level—but don’t mix subject areas and don’t retroactively apply developing standards to a time when AML was new and little understood. Even for the big firms that’s not fair. They are slow-moving beasts and should have been afforded a learning curve.

I think I’m too tolerant. That’s my problem. The world might very well be a charred sinkhole had it been under my watch until now. Never elect me President*.

(*Attorney General, maybe. I promise I’ll follow in Holder’s footsteps. --here I go again, with that tolerance thang.)

No comments: