Amid the current focus on pandemic-related issues in the financial industry and by its regulators, the SEC, CFTC, and FINRA announced a groundbreaking AML enforcement action against Interactive Brokers LLC (IB) on Aug. 10. This case is a first in several ways: the first CFTC enforcement action to charge a violation of its rule requiring registrants to comply with the Bank Secrecy Act (BSA); the first joint AML enforcement action by the SEC, CFTC, and FINRA; and the largest fine to date in an AML enforcement action involving the securities and futures industries, with monetary penalties totaling $38 million.
Beyond these novel developments, the IB case presents a familiar litany of failures to commit adequate resources to AML compliance, coupled with inadequate controls and a lack of strong management support. The consequences for such failures should be obvious to all financial institutions after years of AML enforcement actions with multi-million dollar penalties, but some firms continue to fail to heed this basic lesson. The IB enforcement action is a renewed warning to remember it.
The Securities and Futures AML Enforcement Context
AML compliance is a perennial examination favorite for the SEC and FINRA, and each agency has concluded numerous AML enforcement actions against securities firms. In recent years, the SEC and FINRA have been more aggressive in handing down hefty fines. Another recent trend has been for the SEC and FINRA to conduct joint AML enforcement actions in significant cases.
CFTC enforcement of AML compliance by futures firms has not followed these trends until recently. The CFTC did not fine a futures firm for AML compliance failures until 2019. The action, penalizing 1pool Ltd. and Patrick Brunner, was limited to findings of Customer Identification Program failures and a civil money penalty of $175,000.
The $38 million in total monetary penalties—$11.5 million each from the SEC and the CFTC, $15 million from FINRA—establishes a new high for AML enforcement actions against securities or futures firms. For the first time, the CFTC has charged a violation of its rule requiring compliance with the BSA and assessed monetary penalties in the millions of dollars for a BSA violation. These new developments have occurred in a joint AML enforcement action with the SEC and FINRA, also a first for the CFTC. The regulators of the securities and futures trading industries appear to be harmonizing their approaches to AML compliance enforcement, while also escalating the potential penalties.
Lessons of the Interactive Brokers Case
In the IB enforcement action, the SEC, CFTC, and FINRA sent clear messages in unison on common misunderstandings and AML compliance failures that firms should avoid.
No gaps exist in AML enforcement. AML compliance is essential throughout the securities and futures industries, and each agency will impose significant penalties for compliance failures by firms under its authority. Any impression, based on past enforcement history, that an agency is less concerned with AML compliance and enforcement is mistaken.
Risk assessment must change as business changes. Firms must periodically re-assess their AML risks as their businesses change. IB experienced dramatic growth in both the volume of its business and the number of high-risk countries among the domiciles of its clients, but did not reassess its money laundering risk profile, according to the enforcement action. This alleged failure was a key factor contributing to its AML compliance deficiencies.
AML compliance resource must be sufficient. Staffing and other resources must be sufficient to address a firm’s AML compliance risks, and must adapt as a firm’s risk assessment changes.
All three regulators cited IB for failure to staff its compliance function, with FINRA saying that IB added only two AML analysts between 2013 and 2016, a period of rapid business growth. FINRA also said IB was aware of its staffing deficiency: A compliance manager warned his supervisor in 2015 that “we are chronically understaffed” and “struggling to review reports in a timely manner.”
FINRA said the firm also lacked an effective case management system. As a result, analysts were impeded from knowing about prior AML investigations concerning the same customers. IB could not properly record analysts’ initiations of investigations, the status of those investigations, or the steps that analysts took to perform their investigations. Despite knowing of “bugs” in the existing system in 2015 and 2016, the firm rejected a proposal to use a non-proprietary tool to fix the bugs.
Policies and procedures must be reasonable, and followed. AML policies and procedures must be reasonably tailored to a firm’s business, and followed by the firm. The CFTC found that IB failed to have policies and procedures requiring compliance staff to document steps taken and decisions made regarding suspicious activity reports (SARs), leading to a lack of written records of investigations and SAR filing determinations. The CFTC also cited IB for failing to supervise its employees, who did not identify or adequately investigate suspicious activity that, per the firm’s compliance procedures, should have led to the filing of SARs.
Suspicious activity monitoring and reporting is crucial. SARs remain a top concern and focus for regulators. IB, like many other penalized firms in the securities industry and other sectors, was found to have failed to file large numbers of SARs. As in other cases, the firm’s deficiencies in staffing, policies and procedures, and other areas of AML compliance contributed to its failures to timely recognize red flags in transactions, properly investigate them, and file requisite SARs.
These lessons underscore a further fundamental principle: AML compliance is not a one-time investment. It is a commitment that compels ongoing support and assessment. The SEC, CFTC, and FINRA sent this message in the IB enforcement action, and if any financial institutions were not aware of it already, they should be now.
If you’re reading this on the Bloomberg Terminal, please run BLAW OUT <GO> in order to access the hyperlinked content.