Regulator calls for AML teams to keep tabs on cyber-security and seniors-related issues
A top regulator has urged broker-dealers to combine their anti-money laundering (AML) and other compliance efforts to help tackle issues that traditionally may not have been on AML teams’ radars, such as cyber-security and safeguarding elderly clients.
‘As the industry relies more on big data analytics for customer identification and suspicious activity identification, it’s important that firms continue to fuse their AML compliance programs with other compliance functions and not create siloes that can inhibit risk assessment and identification,’ Susan Axelrod, executive vice president of regulatory operations at the Financial Industry Regulatory Authority (Finra), told delegates at a conference in New York last week.
‘Cyber-security and senior investor protection are two examples of interrelated areas that should concern AML compliance staff.’
Specifically, Axelrod noted that firms are required to report patterns of cyber-intrusion in their suspicious activity reports (Sars), adding: ‘So it’s essential your cyber-security staff remain in close contact with your AML staff.’
Firms should also be monitoring for elder abuse and reporting instances of it in their Sars, Axelrod said. Finra has observed an increase in the use of aggressive sales tactics by unregistered people in pump-and-dump schemes targeting elderly investors, and continues to see such activity with micro-cap securities, she noted.
There are a number of controls broker-dealers can implement to enhance protection for elderly clients from such financial exploitation, Axelrod said. For example, they can question a customer about inquiries to buy or sell penny stocks held outside the firm and can ask a customer about instructions to transfer funds to people who may be tied in some way to the issuer.
Protecting senior investors has become a major focus for Finra, the SEC and state regulators. Last October Finra proposed requiring firms to make reasonable efforts to obtain the name and contact details of a trusted contact person for a customer’s account. The self-regulatory organization (SRO) also proposed a rule that would permit firms to place a temporary hold on a disbursement of funds or securities when there is reasonable belief financial exploitation may be occurring, and to notify the trusted contact of the temporary hold.
Officials writing in the SRO’s 2017 regulatory and examination priorities letter, released last month, stated that calls to the Finra Securities Helpline for Seniors ‘have exposed troubling scenarios of senior and unsophisticated investors buying into sales pitches for speculative energy-based investments’ (CorporateSecretary.com, January 9).
Even as technology provides additional ways to enhance AML-related supervisory activities, data accuracy and integrity are key to implementing a successful AML compliance program, Axelrod said. ‘We continue to see common violations related to suspicious activity reporting that are caused by bad data,’ she told attendees. ‘For example, we see gaps in data fed into automated surveillance systems and exception reports, including firms’ failure to include a certain type of account or customer in a particular alert type.’
She added that Finra officials are also seeing cases where parameters of alerts or exceptions are not sufficiently risk-based. For instance, she said, the parameters on an exception report may be set at a level that captures so many false positives it is impossible to separate the meaningful data from the useless filler, in effect rendering the exception report useless.
In some cases, firms detect suspicious activity but fail to adequately investigate it, according to Axelrod. For example, analysts may rely on outdated or inaccurate information to close out alerts, fail to ascertain the business purpose of a wire transfer exhibiting red flags, or conduct an abbreviated review of potentially suspicious activity in an effort to get through a backlog of alerts, she said. ‘It is important that firms do not [take shortcuts in] their reviews,’ she added.
Axelrod urged firms to review and test on a regular basis the information they feed into automated systems. This includes assessing whether changes to broker-dealers’ business models and risks would require corresponding changes to the parameters and scenarios in firms’ automated systems, she said.
Another area of concern is firms’ independent testing efforts. ‘Put simply, we continue to see tests that are inadequate, such as tests reflecting a review of procedures, but not implementation of those procedures,’ Axelrod said. ‘A good independent test should include testing of your suspicious activity monitoring program. An independent test is a good time to be checking your systems to ensure they are working as you believe they should be.’