“Failed to establish and implement automated systems to monitor and report activity” and “unreasonably relied on manual review.”
These were the words of the U.S. Securities and Exchange Commission (SEC) in an alert to financial institutions signaling that it is ramping up enforcement of anti-money laundering (AML) compliance requirements. It would seem that financial services firms using manual methods for compliance management and monitoring are not only punishing themselves with cumbersome ways of managing the back office, but are also now potentially non-compliant for doing so.
The SEC has continued to focus on AML compliance for financial firms in its routine examinations. This year, the SEC has specifically emphasized AML compliance as a priority in its 2021 Examination Priorities Report. The SEC’s Enforcement Division is now prioritizing AML cases and has brought a series of actions against broker-dealers for AML missteps where financial firms failed to appropriately file suspicious activity reports (SARs) on clients making suspicious transactions under an expanded criterion.
The SEC Division of Examinations has issued a risk alert reminding broker-dealers of their AML obligations. The alert follows a slew of SEC examinations uncovering deficiencies across multiple firms’ AML policies, procedures, and practices. It highlights broker-dealers’ obligations under the Bank Secrecy Act (BSA) to establish and implement policies and processes designed to identify and continuously monitor suspicious transactions and to file SARs.
In recent litigation against Alpine Securities Corporation, the SEC beat the organization’s appeal in court and was able to uphold a lower court decision to levy a $12 million civil penalty, citing the SEC’s authority to mandate compliance with the BSA’s reporting, record-keeping, and record retention requirements, as well as to seek penalties when broker-dealers fail to comply with these provisions.
The risk alert is only the latest step by the SEC to emphasize the importance of AML issues to the broker-dealer community and likely confirms that the Commission will continue to focus on this issue. The SEC risk alert thus provides a roadmap for what failings the regulator may be looking for in each of these areas. Some of the key highlights of the risk alert include:
This is a new precedent in AML compliance and an example of how reliance on manual processes can be both costly and legally inadequate.
Organizations will now have to prove that AML monitoring and procedures are agile and electronic. The government is now looking at spreadsheets like they’re paper ledger books and notepads. Automation is becoming a mandate to ensure that smaller financial institutions do not become complicit in suspicious activity or find themselves the victims of exploitation.
The precedent is becoming that if an organization is not using sufficient processes and procedures to adequately monitor and report, it may have something to hide. A transparent firm is an organized firm, and reliance on manual processes is not only going to hurt the institution’s bottom line in wasted time but may also increase the risk of non-compliance.
The fact of the matter is that relying on labor-intensive, error-prone processes for managing AML and compliance information leads to inevitable failure. Manual management methods leave no audit trail or history of changes. Anyone can easily go back and cover up their trail to paint an entirely different picture than the one that exists in reality, and things often slip through the cracks without a clear structure for regulating task management and inconsistencies within assessments.
Organizations of all sizes benefit from implementing an integrated approach to governance, risk, and compliance (GRC) that allows different departments to have their own view of risk and compliance, one that can roll up into enterprise risk management and reporting to support business objectives. This is accomplished through a shared GRC strategy, process, and technology architecture to support overall business operations and risk management.
Understanding the full GRC picture, as well as selecting the right solution and technology architecture, is key to meeting your risk and compliance management needs.