Speech by SEC Staff:
The Next Phase: Implementing the Patriot Act
Lori A. Richards
Director, Office of Compliance Inspections and Examinations
U.S. Securities and Exchange Commission
Securities Industry Association Conference on Anti-Money Laundering Compliance for Broker-Dealers
New York City
March 27, 2003
The Securities and Exchange Commission (Commission or SEC), as a matter of policy, disclaims responsibility for any private publication or statement by any of its employees. The views expressed herein are those of the author and do not necessarily reflect the views of the Commission or the staff of the Commission.
Good morning. I am indeed honored to be with you again for the third time as part of the Securities Industry Association's annual conference on anti-money laundering (AML) compliance. When Alan called and asked me to speak again, I wondered, was there anything more I could say on the subject of anti-money laundering compliance that could be useful to the industry? Alan convinced me, however, that the "third time is a charm." So here I am. During the next half-hour, I hope to share with you some insights that I hope will be helpful from the perspective of the SEC's examiners as we enter the implementation phase of the USA Patriot Act (Patriot Act).1
Let me take a moment to acknowledge the SIA and the constructive role it has played in promoting AML compliance. In addition to sponsoring gatherings like this, last fall, the SEC and the SIA co-sponsored an anti-money laundering compliance webcast that reached over 1800 people. Many thanks to Alan and his colleagues at the SIA for helping make that happen. It's also still available on our website, if you missed it.
This morning, I hope to give you an idea of some of the questions that we are asked most frequently regarding AML compliance. Let me put this into context. We are now deep into the implementation phase of the Patriot Act. As you all know, the Act itself was passed in 2001 and much of 2002 was devoted to rulemaking. While there are still a few outstanding rules to be finalized, this year marks the implementation phase of the Act. At the SEC, we have been rolling up our sleeves and pulling our socks up. That is, together with our colleagues at the securities self-regulatory organizations (SROs), we have been training our examiners in the regional offices. Our examiners have gone into the field, and are beginning to evaluate the industry's compliance efforts. We will be visiting your firm soon, if we have not already. I also note that you should soon have in hand your first year's "independent reviews" of your AML compliance programs. Remember, these reviews are required by April of this year. (Hopefully, you are not reaching for your cell phones to jump start this review.) So this is perhaps a good time to pause and reflect on where we are and where we are going.
SEC's AML Examinations
Let me begin by overviewing the SEC's AML exam program: in particular, the genesis of our AML efforts.
SEC examiners have been examining firms for books and records violations under the Bank Secrecy Act (BSA) since the 1970's, after the BSA was adopted. Following a series of examination sweeps in the 1980's that focused on broker-dealer compliance with the BSA, and again in the early 1990's, the SEC brought a number of enforcement actions against securities firms and their employees for violations of the BSA's currency reporting requirements.2
Early in 2001, before the Patriot Act was adopted, the SEC, together with the SROs, conducted a coordinated examination "sweep" of about 30 securities firms. The goals of the sweep were to assess what securities firms were doing in the money laundering area, and, honestly, to raise the consciousness of securities firms about money laundering. We wanted firms to put AML compliance on their "front burner," as we said at the time.3
In general, our exam sweep found that the largest securities firms had AML programs in place, many of them with sophisticated computerized exception reporting systems. Moreover, even though many large broker-dealers were unaffiliated with banks and had no legal obligations to be filing suspicious activity reports (SARs), some of them had already begun to file SARs. We found that medium-sized firms had a more mixed record, and that smaller firms needed to engage in significant work to develop AML programs.4
Our sweep findings included some "best practices" that I discussed in greater detail with this group last year. Among other things, we found that firms with successful programs:
- had dedicated staff AML compliance "teams" that worked alongside of traditional supervisory personnel;
- were able to identify and keep "watch lists" of clients who had previously exhibited suspicious behavior; and
- had vigorous employee training programs that were ongoing, that incorporated real world examples, and that were geared to the different roles that each department in the firm could play in detecting money laundering.5
Following the enactment of the Patriot Act, the SEC really focused on working closely with the SROs and making sure that securities examiners at the SEC and the SROs had a coordinated approach to examining for AML compliance. AML exams are examination priorities this year both for the SEC and the SROs, and we all fully intend to ensure that we are consistent and coordinated in what we do. In general, we expect that the SROs will be conducting examinations of broker-dealers' AML programs during their routine cyclical examinations. The SEC will conduct oversight exams reviewing a sample of the SRO exams to assess their work. SEC examiners will also look generally at AML compliance programs during our other examinations. Finally, the SEC will conduct a series of comprehensive AML examinations once all the new rules are in place to review compliance with all the AML rules.
I guess I would say that, looking back on the last few years, our goal has been to help firms get educated and get started with their new AML obligations.
Patriot Act Examination Questions
Let me move on to 2003. Most of you here are probably most interested in how examiners will be examining for the Patriot Act's requirements this year. I think it is fair to suggest, given the SEC and SRO examination priorities for this year, that many of you can expect first-hand experience with an AML exam over the next year.
I'd like to provide you with a sense of what to expect in these examinations. Let me do this by answering a few frequently asked questions:
- First: What is OCIE's overall approach to AML compliance examinations?
- Second: Will examiners actually assess how well a firm's AML program works?
- Third: How will the SEC review for SAR reporting, since the SAR rule just recently went into effect?
- Fourth: What approach will OCIE take to "know your customer" requirements until a Customer Identification Program rule is in effect?
Question One: What is OCIE's overall approach to AML compliance examinations? This year, a principal focus of our examinations will be to ensure that firms have taken steps to establish and fully implement an AML compliance program that complies with each aspect of the Patriot Act and related SRO rules. Examiners will be wanting to see that firms have implemented each element. Specifically:
- Examiners will be looking to see that a firm's AML compliance program includes: (1) policies, procedures and controls; (2) a designated AML compliance officer; (3) ongoing training for employees; and (4) independent reviews of the effectiveness of the firm's AML program (these are the requirements of the Patriot Act).
- Examiners will be looking to ensure that a firm's procedures include: (1) procedures to detect and report suspicious activity; (2) procedures to ensure compliance with the Bank Secrecy Act; and (3) when final rules are in effect, procedures to identify customers and verify their identity.
- Finally, examiners will want to ensure that a firm's AML procedures are in writing and approved in writing by a member of senior management (remember, this is required by SRO rules).
This approach is no surprise: the minimum standards for AML compliance programs are explicit in the law, and you can expect examiners to ask about each one.
Question Two: Will SEC examiners go beyond checking for each element of a firm's AML compliance program, and actually assess the quality of a firm's program? The answer is yes. Examiners will look at the overall risk-based design of the program, as well as how it is actually being implemented. What does this mean in practical terms? What will examiners specifically look at?
Most broadly, examiners will assess whether a firm's AML program makes sense given the nature of a firm's business. Recall that regulators have often said, the SEC included, that one-size-doesn't-fit-all, and that firms must adopt a program tailored to their own business. Examiners will assess how your firm's procedures relate to the nature of your firm's business and the potential risks for money laundering associated with your firm's type of business. In developing your own "risk-based" program, some questions that you will have considered, would be:
- What types of activities and operations does the firm conduct? How are systems set up? Does the firm offer online account opening? Where is the firm located? Who are its customers: does the firm have a large foreign customer base? Are they political officials? What is the nature of the firm's international activities? What types of accounts does the firm offer its customers: does the firm offer or maintain offshore trusts or accounts in jurisdictions known for weak anti-money laundering laws? Has the firm considered "risk indicators" or "red flags" identified by regulators and industry guidance in determining the risks of its particular business and operations?
As I noted, examiners understand that "one-size-doesn't-fit-all." So, during an AML examination, your firm should be prepared and able to demonstrate how your AML program is tailored to your firm's risks.
At a more "micro" level, examiners will assess a firm's AML program by testing to see how and if a firm's AML compliance procedures are actually implemented. Examiners will start by reviewing your firm's written procedures, and will then look to see how they are being implemented. That means that if your procedures say that your firm's wire transfer clerks are responsible for monitoring and reviewing account history for wire transfers, we will be checking to see if your clerks are actually doing this.
In addition, examiners will review how you are assessing your own AML program. For that purpose, we will look to the first independent reviews of firm AML compliance programs, which should be completed by April 24, 2003.
In fact, if your exam takes place after April 24, 2003, we will ask to review the independent test to see if testing covers all areas and that it was completed in a timely manner. We will evaluate whether the person or persons responsible for conducting the audit are appropriate and if they have an appropriate understanding of what the firm's AML program is supposed to do. We will look to see if testing is scheduled to occur in the future on a regular basis. Finally, we will review the report's findings and suggested corrective measures and then look for appropriate follow-up to implement those measures.
Question Three: How will examiners review for suspicious activity monitoring and reporting, given that the SAR reporting requirement only became effective on January 1, 2003? In this area, we have encouraged firms to get their suspicious activity monitoring programs up and running so that they would be in place when the SAR reporting requirement "kicked in" in January 2003. Examiners will expect suspicious activity detection and reporting to be a major portion of a firm's AML compliance program. Here are some specific things examiners will focus on in this area.
- Procedures. Examiners will review firm procedures outlining how the firm complies with the SAR monitoring and reporting rule. Examiners would expect the procedures to cover:
  - the process for assessing suspicious activity;
  - areas of the firm that are covered and the reports to be generated;
  - who is responsible for detecting and reporting functions and what they do; and
  - how the decision is made to file a SAR-SF, including: who is responsible for preparing the form, who is responsible for filing the form, and who is responsible for SAR record-keeping.
- Exception Reports. Examiners also will review any forms or reports that are generated to assist in the monitoring or detection of suspicious activity. We will expect a firm's procedures to identify the reports, state what the reports are intended to find, who monitors the reports, and who signs off on the reports. We will ask questions about the scope of the reports, what exceptions they are intended to reveal, and how the firm used "red flags" or risk indicators to develop their reports. In situations where exceptions were generated, but no SAR-SF filed, we will want to review to determine how the discrepancies or suspicions were resolved.
- SARs and SAR Recordkeeping. In the recordkeeping area, we'll expect a firm's procedures to include the maintenance of SAR-SFs, the documentation for the SAR-SFs, and the preservation of confidentiality. Remember that the SAR-SF rule requires that securities firms maintain copies of the SAR-SFs that they file, and the original related documentation, for a period of 5 years from the date of filing.
Examiners will also ask to see copies of SAR-SFs that you have filed and any related documents. Related documents would consist of any document obtained by the firm during the course of investigating the suspicious activity that weighed in the decision to file the SAR-SF. It could consist of: identification verification documents (such as copies of drivers' licenses, social security cards or passports), corporate documents (such as articles of incorporation, bylaws, trust agreements, etc.), and file memos relating to the assessment of the suspicious activity, transaction records, e-mail messages, or telephone recordings.
In sum, we expect full access to your SAR-SF files and anticipate that the SROs will expect full access also.
Let me also note here that the SAR reporting requirement requires reporting of what some might not think of as classic money laundering behavior. As you know, the SAR reporting requirement generally covers the reporting of a suspicious transaction of $5000 or more conducted by or through a broker-dealer. But, this extends beyond suspected money laundering and terrorist financing, and includes other conduct that could involve the use of the broker-dealer to facilitate a whole range of illegal activity. For example, the SAR-SF form refers to suspicious behavior including: identity fraud, mail fraud, securities fraud, wash trading, and market manipulation. There are only very limited exceptions to these broad reporting requirements. The exceptions cover specific items that are already subject to a formal system of regulatory reporting, such as the reporting of lost and stolen securities and U-5 reporting. Broker-dealers should be aware of this, and conscious of the fact that reporting a violation to the SEC or an SRO, except in very narrow circumstances, will not relieve your firm of an obligation to file an SAR-SF.
Finally, examiners will want to see that filed SAR forms are complete. In order for the SARs to be an effective law enforcement tool, they must be completely filled out and the narrative must be thorough and informative. This is an issue that is important to the law enforcement community.
Question Four: What will examiners be doing to review firms' practices with respect to customer identification and verification, especially since the rule providing for customer identification programs is not yet in effect? Some background is in order. Last fall, Treasury indicated that broker-dealers and other financial institutions would not be required to comply with Section 326 requiring customer identification and verification until final regulations are issued and have become effective. Treasury has also committed to a reasonable implementation period for the new rule.
But, even though the customer identification rules are not yet in effect, SAR monitoring and reporting requirements went into effect in January 2003. Our view is that firms should have some way of identifying suspicious customers in order to identify suspicious transactions under the SAR monitoring and reporting rule.
Also, I note that very soon firms will be responsible for complying with new broker-dealer books and records rules that require that firms obtain more information about customers. These new rules are scheduled to go into effect in May 2003. One of the new requirements is that broker-dealers make and keep the following information about individuals (where a suitability obligation exists): a record containing the customer's name, tax identification number, address, telephone number, date of birth, employment status, annual income, net worth, and account investment objectives.6
And, existing "know your customer" requirements contained in the securities laws and SRO rules apply to securities firms. So you should be obtaining information about your customers that can aid in your firm's customer identification program.
In light of this, examiners will be asking what firms are doing today, under existing requirements, to know their customers. What does this mean in practical terms? Examiners will look generally at the type of information you collect regarding your new customers.
Finally, in a related area, examiners may also ask questions about what you are doing to meet OFAC requirements and what your firm does to screen for the names and countries on the OFAC list.7 At the SEC, we recently had an OFAC officer speak about OFAC's approach to implementing the OFAC screening requirements. As I understand their approach, it's: "In God we trust: everyone else, check with OFAC first." That is, they expect firms to do complete screening of customers for OFAC purposes. We will be checking for that too.
I hope that this helps answer the four most frequently asked questions: about our approach to exams; whether examiners will assess how well a program works; how we will review for SAR reporting, and what our approach is to "know your customer" requirements.
Special Examination Issues
Now I want to switch gears for a moment and talk briefly about a number of "special issues" that I understand are of particular industry interest. These generally concern the extent to which you can rely on others, whether they be affiliated banks, third party vendors, clearing brokers, or mutual fund service providers.
Bank/Bank-Affiliated Broker-Dealer Combined Programs. The first special issue I'll touch on relates to securities firms that are affiliated with banks: can they "piggyback" on the bank's anti-money laundering program?
Regulators have heard from the SIA that broker-dealers would like to be able to rely on affiliated banks, who may also have a customer relationship with the customer, to perform customer identification. While this issue is still being considered by regulators, it makes sense that, where banks have affiliates within the same organization that are subject to the Patriot Act, they will want to share information and coordinate their AML compliance programs. Broker-dealers and their affiliates that share information or information gathering programs should consider filing Section 314(b) notices with the Department of the Treasury to assure that they have the protection of the Section 314 safe harbor for information-sharing purposes.
We also have been asked if the bank holding company can file a SAR on the broker-dealer's behalf using the bank SAR form. The answer to that is that broker-dealers must use the SAR-SF form. This applies even if they are affiliates or subsidiaries of banks or bank holding companies. However, we do view it as permissible for the bank holding company and the broker-dealer subsidiary to enter into a contract providing that the bank holding company will be responsible for the filing of the SAR-SFs. This is conditional, however, on the SEC and SRO examiners having full access to copies of any filed SAR-SFs and all supporting documents, even if the bank holding company performed the investigation and filed the SAR-SF on behalf of the broker-dealer.
Introducing and Clearing Broker Relationships. The perennial issue here is whether introducing and clearing brokers can "allocate" SAR reporting responsibilities for their joint customers.
Treasury's SAR rule puts the SAR monitoring and reporting obligation on both the introducing and clearing firm with respect to their joint customers. It does, however, permit introducing and clearing brokers to file one SAR rather than two for suspicious customer activity involving their joint customers.
When there is an introducing/clearing relationship, examiners will ask about how the suspicious activity monitoring is effected between the two entities and also ask about what information the two entities are sharing to ensure that the monitoring is complete. Let me mention that during our exam sweep back in 2001, we took a look at the information and computerized exception programs that clearing brokers were offering their introducing brokers for monitoring purposes at that time, and generally, we were not impressed. We realize that this is a sensitive area for firms, and may require doing things in a different way, but this is an area that needs attention.
Finally, introducing and clearing brokers may also file Section 314(b) notices with the Treasury Department so that they can share information with each other without worrying about it, that is, with the protection of the safe harbor provided by the Patriot Act.
Use of Third Party Vendors. The question that has been asked is: if we use a vendor, isn't the vendor responsible for our compliance efforts? The short answer is: if you use a third party vendor, you remain responsible for compliance. The responsibility for compliance never shifts to the vendor.
A recent enforcement case brought by the Department of the Treasury is worth noting here. In a case involving Sovereign Bank, the bank was relying on a third party vendor to prepare and file Bank Secrecy Act currency transaction reports. Treasury determined that the bank failed to implement sufficient internal controls and testing to ensure that the vendor actually filed accurate and timely CTRs. Treasury found that the bank willfully violated the BSA and imposed a $700,000 fine.8
Allocation of Activities by Mutual Funds. There has also been a lot of discussion about what kind of allocation of responsibilities is appropriate among the many different entities in a mutual fund complex.
Following Treasury's lead, our approach has been that delegating responsibility among mutual fund entities is permissible as long as it is reasonable. The AML program as a whole has to make sense and the mutual fund in any event retains responsibility for ensuring that all AML responsibilities are met. For the most part, this means that firms will have to do due diligence on the parties they are delegating to, or contracting with, and retain some ongoing responsibility to assure that the delegated obligations are being met. We would expect that fund boards would make inquiries and assure themselves that the overall plan is effective.
Our exam program will also take a holistic approach: we will be examining mutual fund AML programs in the context of the entire fund complex. How does the entire program function with the fund's adviser, its transfer agent, its principal underwriter, and its administrator?
I hope I have given you an idea of some of the questions that OCIE has been asked most frequently and will be asking relating to our examinations. In this year of implementing the Patriot Act, we are all continuing to work hard to ensure that firms and the markets are free of the taint of money laundering.
1 See Pub. L. No. 107-56, 115 Stat. 272 (2001).
2 See In re Dean Witter Reynolds, Inc., Fed. Sec. L. Rep. (CCH) ¶ 84, at 107 (Feb. 27, 1987); In re Seattle First National Bank, Release No. 34-34293, 1994 LEXIS 2095 (Jul. 1, 1994). See also In re Padula, 25 Sec. Reg. & L. Rep. 1044, SEC Admin. Proceeding File No. 4-370 (July 14, 1993) (SEC ordering NASD to bar a broker-dealer from association with member firms due to the broker's failure to report currency transactions). In addition, the SROs have cited brokers and dealers for having inadequate Bank Secrecy Act compliance procedures. See In re Adler Coleman Clearing Corp., 1994 WF 741753 (N.Y.S.E. Dec. 19, 1994).
3 See "Money Laundering: It's on the SEC's Radar Screen," Remarks by Lori A. Richards, Director, SEC Office of Compliance Inspections and Examinations, May 8, 2001, (available at http://www.sec.gov/news/spch/spch486.htm).
4 See "Money Laundering: Life After the Patriot Act," Remarks by Lori A. Richards, Director, SEC Office of Compliance Inspections and Examinations, May 2, 2002, (available at http://www.sec.gov/news/speech/spch555.htm).
6 Securities Exchange Act Rule 17a-3(17)(i)(A).
7 OFAC refers to the Office of Foreign Assets Control, which is part of the U.S. Treasury Department. Various executive orders prohibit transactions with designated individuals and embargoed countries. Master lists of embargoed countries and certain designated individuals are maintained on OFAC's web site and updated frequently (available at www.treas.gov/ofac).
8 See In the Matter of Sovereign Bank, No. 2002-01, April 8, 2002.