AML governance best practices for broker-dealers

Even the most advanced anti-money laundering and countering of terrorist financing (AML/CFT) technology depends on a well-conceived underlying governance structure to serve its intended purpose. Indeed, U.S. regulators expect firms to designate specific individuals solely responsible for AML/CFT functions – and a specially-designated AML team. 

Firms relying on a department dedicated to other duties to carry out its AML functions can experience inefficiencies that could impact compliance and effective risk management. With this in mind, how can broker-dealers ensure their anti-money laundering compliance framework is built on sound governance practices?

6 best practices for broker-dealer AML governance

Based on key Financial Industry Regulatory Authority (FINRA) priorities, here are six areas broker-dealers should focus on to ensure sound AML/CFT governance.

1. Establish a proportionate risk profile

Any sound AML program must be risk-based, which means being built on a solid risk profile. To establish this, broker-dealers need to conduct regular and thorough risk assessments that allow them to determine their risk tolerance and appetite. 

Once a broker-dealer has established a sound risk profile, it can tailor its AML/CFT program to its needs. Still, the U.S. Securities and Exchange Commission (SEC) notes that it’s important to include the following, as relevant:

• A Customer Identification Program (CIP)
• Customer due diligence measures that can identify ultimate beneficial owners (UBOs), as well as conduct due diligence on partner businesses and private banking accounts. This may involve screening for adverse media, politically exposed persons, and sanctioned entities. Adverse media analysis, for example, should be tailored to look for things like recent enforcement actions, suspected wrongdoing, or association with specific typologies such as fraud.
• Ongoing monitoring that allows firms to comply with suspicious activity reporting requirements. This might include intelligent transaction monitoring and ongoing customer due diligence (CDD).

The SEC guide for broker-dealers is an excellent starting point for broker-dealers wishing to establish or revamp a risk-based AML/CFT program.

2. Design BSA-compliant procedures & policies

Passed in 1970 by the United States Congress, the Bank Secrecy Act (BSA) was modified to support the PATRIOT Act after the 2001 September 11 attacks. FINRA highlights that the BSA “applies to all broker-dealers, without exception” and calls on firms to create procedures and policies to ensure BSA compliance. Although exhaustive, broker-dealers’ strategies should include:

• Individual policies covering:
  • Anti-Money Laundering & Countering the Financing of Terrorism (AML/CFT)
  • Sanctions
  • Bribery & Corruption
  • Anti-Tax Evasion
• A controls catalog – This should document all controls and be reviewed for needed changes twice a year. Controls recorded in the catalog should be written with adequacy testing in mind (see item four.)

3. Integrate risk-based customer due diligence procedures

Any robust and BSA-compliant AML program should include appropriate risk-based ongoing customer due diligence (CDD) procedures. Every program should be tailored to a given firm’s risk assessments and appetite, but FINRA emphasizes that it should include: 

Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile
Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information, including information regarding the beneficial owners of legal entity customers.

Source: FINRA

Customer risk assessments should look at elements like the nature of the product taken out by the customer, any linked geographies (checked against firms’ internal country risk models), and specific risk indicators presented by the customer’s status, such as political exposure. 

Broker-dealers should document their customer assessment model and standardize their approach to all customers. And as with their policies, firms should review risk assessment models at least annually for relevancy and effectiveness.

4. Provide regular independent testing

Even the most robustly-conceived AML program can fall short of firms’ risk management goals in practice. Accordingly, broker-dealers must conduct annual, independent tests to validate their AML program. These evaluations should check for BSA compliance and the program’s ability to meet firms’ internal, risk-based criteria. As a rule, firms must schedule independent testing every calendar year per FINRA Rule 3310, with some exceptions.

How can broker-dealers be sure their tests are adequate and reliable? Though the details should be tailored to each firm’s unique profile, thorough tests should evaluate two main areas: 

• Adequacy – Can a clear description be made of what the control does? Does it capture who operates the control, how it operates, when it’s operated, and what the control is designed to do? Does the description make sense in light of risk profiles?
• Effectiveness – The evaluator should take a sample of whatever the control is used for (such as verification of new customers) and check whether the control has worked correctly for each given sample.

These evaluations can be performed either by a dedicated internal audit department or a qualified third party. If resources permit, enlisting a dedicated third-party Business Controls Partner is best, which helps ensure true independence.

5. Designate a FINRA-accountable AML compliance officer

The AML compliance officer is a business-critical role. Per FINRA, firms must nominate a team or person to carry out and supervise daily AML/CFT responsibilities. Once they’ve filled the role, firms must provide FINRA with the relevant contact information. If the compliance officer changes, the firm must update the relevant information within 30 days.

To ensure FINRA requirements are met, broker-dealers should establish written procedures to follow if the person performing that role changes. Somebody senior within the organization should own the process. That person should also commit to re-confirm the name of the chief AML compliance officer each new year.

6. Ensure ongoing training

Finally, FINRA Rule 3310 calls for firms to ensure that AML/CFT personnel receive continuous training. Once again, every broker-dealer must tailor their training program to their unique risk profile and needs. That said, here are a few practices that may increase training program effectiveness:

• Monitor training completion rates – Provide regular, mandatory AML/CFT training to personnel. This should include rule updates such as the CDD rules on beneficial ownership of legal entities. Also, keep risk staff informed of AML regulatory changes.
• Provide a feedback mechanism so staff can advise what they thought of the training.
• ‘Pop quiz’ staff on elements of the training throughout the year – Plan quizzes strategically to provide a clear picture of whether employees are retaining core crucial information. 
• Establish 1:1 or small-group mentoring programs as part of AML/CFT career development – By linking AML/FCT training to personal relationships, career goals, and networking, mentorship can help encourage employee ownership of AML/CFT knowledge and skills. In-person mentorship can also help validate employees’ mastery of key concepts from training.

As part of the change management process, it’s crucial to periodically assess whether recent business changes require a training content refresh.

Key takeaways

In a fast-moving financial services landscape, it can be tempting to make good governance practices an afterthought. Firms saturated with day-to-day work pressures may hesitate to plan sound governance from the ground up. But with rapidly evolving, vigilant AML regulations and the human cost of financial crime, the investment is worthwhile. Firms can see significantly improved efficiency and reduced risk when they standardize approaches, clarify roles, document processes, and plan regular reviews. And supported by effective risk management technology, well-governed AML programs stand prepared for many more changes ahead.