A well-crafted AML compliance program, outlined by experts

Creating a comprehensive, well-communicated, appropriate and consistently anti-money laundering (AML) program will go a long way in serving one’s firm, a panel of experts said at an event on February 28 at the Marriott Marquis in New York City. The gathering was a conference sponsored by the Securities Industry and Financial Markets Association (SIFMA), and the experts hailed from some of the largest financial services firms in the nation.

Qualified AML officers

But before getting in to the details of a sound AML program, the first order of business is to make sure there is a qualified person in each firm to oversee the AML compliance program.

A qualified person in this regard is someone who has the experience, time and understanding of the business in which he or she works (and its customer base), plus the authority to make material decisions, says Jeanine Larrea, executive director and head of AML compliance at Morgan Stanley Smith Barney.

She noted that it’s important to know the PATRIOT Act and the Bank Secrecy Act, but it’s also critical to understand the risks involved with your business (for example, the risks involved in making wire transfers, or of doing business in certain jurisdictions or with certain types of clients) to be able to analyze them and mitigate them.

And since the AML officer at a firm is ultimately responsible for the AML program, it is essential that this professional has the authority to terminate certain relationships and make certain judgment calls pertaining to the risks posed by certain activities and client interactions. “The title of the AML officer should reflect this authority, and the AML officer must be given the time and instruments to carry out his or her role. You cannot have the AML officer working on a host of non-AML projects, nor can you have this person hidden from view inside the business.”

Additionally, AML compliance officers should be at all of the meetings that involve discussions of potentially new activities, new client types, transaction types or business locations, since these actions pose a potential “AML impact” on the firm, notes Milena Reyes, vice president and senior AML risk manager at Bank of America.

The comprehensive and well-communicated AML program

A sample AML policy can be found on the FINRA site, particularly one suitable for smaller firms (http://www.finra.org/Industry/Issues/AML/p006340). That provides a good first step in creating one from scratch, informs Linda Busby, AML officer for Raymond James Financial, Inc. Busby advises compliance professionals to consider including some language that addresses activities your firm does not even engage in (e.g., addressing the receipt of cash at a broker-dealer – which should never occur), just to be safe.

“Your policies should detail the flow of steps that should be taken to execute your responses to various instances of misconduct and each type of risk that could be exposed,” she says.  “They should be specific, but, with that said, you have to provide some latitude and be nimble enough to be able to anticipate that situations will arise that you could never have anticipated.”

In addressing the concept of specificity, Busby noted that your detailed policies should address all of your business lines, transaction types and client types, as well as the geographical distribution of your offices and clientele. For example, policies should address (depending on the business at hand): check-writing, debit-card access to accounts, foreign disbursements, alternative investments, unregistered private securities, micro-caps and penny stocks, foreign exchanges and cash equivalents, among many others.

The policies are only as good as they are communicated to others in the firm, Busby cautioned. The PATRIOT Act requires that the AML policies and procedures of a firm be written and receive approval from the board of directors and senior management (if you’re a BD) and by just the board of directors (if you’re another financial services firm).

Just as importantly, the policies and procedures must be communicated to the employees of the firm, Busby says, and they should be clear as to who to contact and how to report violations or other types of information.  Communications methods could include:

1. The employee handbook (with an attestation page to sign and hand in)

2. An employee intranet site

3. At a training session held in person

4. Within a webcast held live, so questions and answers could be included, or

5. An annual distribution of the policy guide as a standalone document, with an attestation signature page.

Milena Reyes noted that the Bank Secrecy Act, PATRIOT Act and FINRA Rule 3310 require this training of employees.  “You can contract out your training obligations to a vendor,” she explains. And they can use the webcast or in-person trainings or written documents noted above. They just have to be tailored to the business and include all of the persons inside and outside of the organization who could potentially spot risk and escalate the matter to the right people.

She noted that these persons include upper management and the board; front-office staff; back-office staff (including support staff and operations); the rest of the compliance team, and all risk and legal personnel, plus your vendors, suppliers and contractors. “These third-party persons and entities can have an abbreviated version given to them that addresses what they have control over, such as client selection or trades,” she says.

“Do not forget that employees need to know what role they play in risk mitigation, and the red flags they should be on the alert for, as well as the implications for non-compliance.” These sessions should be recorded, if held in person, and the attendees and what documents were handed out should be recorded, she advised.

An appropriate and well-tested AML program

Arlene Semaya, senior vice president and compliance managing director for JP Morgan Chase Company, emphasized the need to test the AML program for its effectiveness and employees’ understanding of it.

“You can use a variety of sources to monitor suspicious activity and make sure your risk-mitigation tactics are working,” she notes. “Use the traditional methods, such as trade surveillance tools and human intelligence sharing, but remember to check the list screenings.” These lists include the Office of Foreign Assets Control (OFAC) list of sanctions against certain countries and individuals, negative press accounts, politically exposed persons (PEP) listings offered by a variety of companies, and PARTRIOT Act 314(a) requests. These 314(a) requests obligate law enforcement to communicate with banks and other financial services firms about suspected money launderers and terrorists, and vice versa.

The suspicious activity report (SAR) is where you store this information, and since these are critical documents, make sure you have back-up systems in place for them, she warns. “FinCEN [Financial Crimes Enforcement Network] has key terms it looks for in SARs, and you should include them,” she advises. These terms include: official corruption, elder abuse, Mexican currency restrictions, and account takeover, among others.

Busby warned against labeling everything “high-risk” so as to make the term seem meaningless to the employees at the firm. “Have some gradations of risk. They can change, but it’s important to note which ones pose the most immediate risks to your organization.”

“You need to review your risk assessments periodically, and this means at least annually,” Busby instructed. At the end of the day, she notes, you want to say that you have the policies in place that cover the risks you aware of, that you have systems designed to learn the risks you do not know of yet, and that you have the procedures – the how-tos – implemented to tackle these problems head-on.

Julie DiMauro, 2/29/12, http://accelus.thomsonreuters.com

Leave a Reply

%d bloggers like this: