2018 FINRA and SEC exam priorities examined

AML compliance: the 2018 CDD rule among four top priorities

Find out why it’s more important than ever to revisit the 2018 examination priorities that the US Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) highlight in their examination priorities letters.

SEC exam priorities 2018

In 2018, both the SEC and FINRA explicitly identified specific examination priorities for covered financial institutions. In its 2017 examination findings report, FINRA included observations on concerns and effective practices that pertain to areas identified in the 2018 priorities letter.

Across the priorities letters and the FINRA examination findings report, the regulators address four priorities that we cover in more detail below:

  • Customer Due Diligence (CDD) program
  • Tailored risk assessment
  • Transaction monitoring surveillance controls and timely accurate reporting of identified suspicious activity
  • Independent testing of the firms’ anti-money laundering (AML) program

Customer identification/due diligence and FinCEN’s CDD rule

The first priority highlighted by the SEC and FINRA (collectively, the regulators) is customer due diligence under the 2018 CDD rule. The driving force behind this priority was the Financial Crimes Enforcement Network’s (FinCEN) finalization of the long-awaited CDD rule on May 11, 2018, which is now considered the “fifth pillar” of an AML program.

Along those lines, the regulators were consistent on the components of CDD, with FINRA going one step further and explicitly noting:

  • Customer identification and verification
  • Beneficial ownership identification and verification
  • Understanding the nature and purpose of customer relationships
  • Ongoing monitoring for reporting suspicious transactions and, on a risk basis, maintaining and updating customer information

Given that the SEC listed CDD as its first AML priority, and the extent to which FINRA quoted the FinCEN CDD rule, one can infer that the regulators prioritized CDD for firms. While existing customer identification program requirements, which represent the first CDD component, have remained unchanged since 2001, the new CDD rule reiterates that obligation. The remaining components of the CDD rule can be summarized as a firm’s ability to show how it knows its customers: through beneficial ownership analysis, determination of economic purpose, and identification of deviations from expected behavior.

The regulators suggest accomplishing this customer understanding by developing customer risk profiles and implementing specific transaction monitoring surveillance controls based on those customer risks.


Tailored risk assessment

The regulators’ second identified priority is examining how firms create a tailored risk assessment that’s specific to their business profiles (e.g., customers, products, and geographies).

FINRA referenced its examination findings report for firms to understand how to assess risk and effective control practices related to tailoring a risk assessment. The report identified deficiencies where a firm’s business growth and new risks weren’t addressed in its AML program.

This was particularly apparent where a firm’s business had grown or evolved to offer additional high-risk products, but the firm didn’t update its AML risk assessment to sufficiently identify and control for the new risks. The regulators expect firms to begin quantifying the risks of new products and services as soon as they offer them to customers.

The regulators’ letters both include the emerging risks presented by cryptocurrencies and initial coin offerings (ICOs) to illustrate the expectation that firms quantify the new risk in their business model and implement associated controls. The FINRA examination findings report noted that firms with effective AML programs incorporate the quantification of risks and mitigating controls into their AML programs, which are tailored to the firm’s business model as opposed to simply implementing a more “generic” program.

Furthermore, as firms document and assess their tailored risks, the regulators then expect the firms to demonstrate controls, particularly with respect to specific transaction monitoring surveillance for the identified risks. FINRA assesses the adequacy of firms’ transaction surveillance programs to ensure that they have transaction monitoring system rules in place to enable monitoring of any new high-risk products and services such as cryptocurrencies and ICOs.


Transaction monitoring and suspicious activity reporting

The regulators’ third priority is ongoing monitoring based on the firms’ identified risks and the filing of timely and accurate suspicious activity reports (SARs). FINRA noted that it continues to find deficiencies in the adequacy of firms’ resources, as well as in their policies, procedures, and practices for detecting and reporting suspicious transactions. Firms are required to file SARs with FinCEN when potentially suspicious activity is detected, and the SEC exam priorities letter indicated a focus on whether firms file timely, complete, and accurate SARs with FinCEN once they detect suspicious activity.

Firms need to adapt transaction monitoring rules designed to identify potential sales of unregistered securities so that they also cover cryptocurrency and ICO transactions when those are considered securities, as both regulators highlighted review of compliance with securities laws for those products. FINRA noted that firms need to incorporate transaction monitoring for foreign affiliates that conduct high-risk transactions, such as microcap securities and dual currency transactions. Finally, FINRA advised firms to confirm that transaction monitoring covers securities-backed lines of credit, including aggregation across multiple accounts.


Bank Secrecy Act (BSA)/AML independent testing

The regulators identify independent testing as the final priority. Firms must perform independent testing of the entire AML program, including the risk and controls for the above priorities. The SEC assesses firms’ independent testing to confirm that it’s “robust and timely.”

FINRA pointed to its examination findings report and two specific failures in independent testing: testing that didn’t adequately assess implementation of the firm’s AML program, and testing that occurred less frequently than warranted by the firm’s business model. The regulators also state that BSA/AML independent testing should evaluate the CDD program, including the firm’s risk-based approach to collecting and updating customer information. The testing should also examine whether the suspicious activity detection and reporting program is based on firm-specific risks and is updated for newly offered products and services, including cryptocurrencies and ICOs.


SEC and FINRA are aligned in their exam priorities

Together, SEC and FINRA are focusing on four AML program core principles:

  • Understanding customers
  • Identifying risks within firm business profiles
  • Controlling for the risks through transaction surveillance
  • Conducting independent testing of the AML program

Firms should understand their current business model, including changes to the products they offer (e.g., cryptocurrencies and ICOs), and adapt their AML program accordingly. In addition, firms shouldn’t lose sight of prior examination results, including independent testing, to assess and ensure programmatic effectiveness. Where business changes require it, or when examinations identify deficiencies, firms must promptly apply corrective action and incorporate the necessary changes into policies, procedures, and controls.


Let's talk

For more information, please contact:

Joshua Hanna
Principal | Deloitte Risk and Financial Advisory
Deloitte Transactions and Business Analytics LLP
+1 404 220 1336

Brian Peres
Senior manager | Deloitte Risk and Financial Advisory
Deloitte Transactions and Business Analytics LLP
+1 571 882 6526

Jennifer Flannery
Manager | Deloitte Risk and Financial Advisory
Deloitte Transactions and Business Analytics LLP
+1 212 436 3786
