In the latest anti-money laundering news, the Financial Industry Regulatory Authority published guidance on AML obligations of firms subject to FINRA supervision.
What happened
FINRA’s guidance supplements the Financial Crimes Enforcement Network’s (FinCEN) final rule on Customer Due Diligence for financial institutions.
The final rule on CDD, which applies to banks, brokers or dealers in securities, mutual funds, futures commission merchants, and introducing brokers in commodities for the first time, requires covered entities to collect information on the “beneficial owner” of an account—the natural person who owns and controls the legal entity—in order to know the identity of the individual who owns and controls their “legal entity” customer. In addition, the final rule now makes ongoing monitoring for reporting suspicious behavior and, on a risk basis, updating customer information, explicit requirements, where previously, they were only implicitly covered.
The CDD Rule became effective July 11, 2016, and member firms must be in compliance with its provisions by May 11, 2018. In an effort to provide guidance to member firms regarding their obligations under FINRA’s existing Rule 3310, FINRA published Regulatory Notice 17-40, which relates to FinCEN’s final rule on CDD.
For the first time, identification of beneficial owner(s) is required under the CDD Rule. Covered entities must now collect and retain the required information—including name, date of birth, address, and Social Security number or other government identification number—of beneficial owners. Member firms can use FinCEN’s standard certification form or another means, FINRA noted.
Once the beneficial ownership information has been collected, member firms must then verify that identity, or that “they are who they say they are,” as the Notice put it, “within a reasonable time” after account opening and using risk-based procedures that at a minimum satisfy the elements required for member firms’ Customer Identification Program procedures for verifying the identity of individual customers.
“Member firms may rely on the beneficial ownership information supplied by the individual opening the account, provided that they have no knowledge of facts that would reasonably call into question the reliability of that information,” FINRA said. The CDD Rule also “permits member firms to rely on another financial institution for the performance of the CDD Rule’s requirements.”
FINRA noted that the CDD Rule’s requirements with respect to beneficial owners of legal entity customers apply only to new accounts opened on or after the date of the rule’s implementation. “However, a member firm should obtain beneficial ownership information for an existing legal entity customer if, during the course of normal monitoring, it receives information that is needed to assess or reevaluate the risk of the customer,” the notice added.
The second element of the CDD Rule covered by the FINRA guidance related to a member’s ongoing AML requirements. Currently, the Bank Secrecy Act requires covered entities to develop and implement AML programs that include the statutorily enumerated “four pillars”: (1) the establishment and implementation of policies, procedures and internal controls reasonably designed to achieve compliance with the applicable provisions of the BSA and implementing regulations; (2) independent testing for compliance by broker-dealer personnel or a qualified outside party; (3) designation of an individual or individuals responsible for implementing and monitoring the operations and internal controls of the AML program; and (4) ongoing training for appropriate persons.
The final CDD Rule now requires AML programs to include risk-based procedures for conducting ongoing customer due diligence. “This ongoing customer due diligence, or ‘fifth pillar’ required for AML programs, includes: (1) understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and (2) conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.”
The requirements for ongoing compliance are not new, FINRA noted, but “merely codify existing expectations for firms to adequately identify and report suspicious transactions as required under the BSA and encapsulate practices generally undertaken already by securities firms to know and understand their customers.” Thus, these elements must now be included in all AML programs, if they were not already there.
With regard to the customer risk profile, FINRA characterized it as a “baseline” against which customer activity is assessed for suspicious transaction reporting. “Information relevant to understanding the nature and purpose of the customer relationship may be self-evident and, depending on the facts and circumstances, may include such information as the type of customer, account or service offered, and the customer’s income, net worth, domicile, or principal occupation or business, as well as, in the case of existing customers, the customer’s history of activity,” according to the notice.
The CDD Rule does not prescribe a particular form of the customer risk profile but allows covered entities to establish their own means of assessing customer risk (individualized risk scoring, for example, or the placement of customers into risk categories). The goal for FinCEN is the interplay of this information with BSA obligations, FINRA explained.
FinCEN “expects firms to use the customer information and customer risk profile as appropriate during the course of complying with their obligations under the BSA in order to determine whether a particular flagged transaction is suspicious,” FINRA said.
Why it matters
Member firms have until May 11, 2018, to update their AML programs to comply with the CDD Rule and the guidance. FINRA noted that it is considering whether a further rulemaking is necessary to more closely align FINRA Rule 3310 with FinCEN’s CDD Rule in light of the now-codified fifth pillar requirement for member firms’ AML programs.