By Sarah Beth Felix
The US Securities and Exchange Commission (SEC) has published a very clear notice for OTC Link and a fine of $1.19 million for failure to file a SAR (Suspicious Activity Report).
As with any SAR.
Over a period of 38 months!
Below are some really good insights into the shortcomings of AML programs, regardless of the regulator.
1) Stop giving your Chief Compliance Officer (CCO) responsibility for combating money laundering.
I will say it again and again, even though it caused a lot of excitement last week. Companies should read the SEC’s very clear criticism of this practice on page five of its published notice. In short, the SEC noted that the OTC’s CCO was also appointed as the company’s anti-money laundering compliance officer.
If it doesn’t work for a broker-dealer like OTC Link, then it certainly won’t work (in the long term) for a
Bank.
We cannot continue to have this division of authority. The last 19 years of AML compliance have pushed us in that direction, and now we have federal banks and securities examiners all saying the same thing, but in consent and C&D (compliance and disclosure) orders. It doesn’t have to be that way.
2) Time spent on AML functions – the CCO spent only 2 hours per month on AML activities. This is despite OTC Link operating one of the largest alternative trading systems in the US. This goes back to point one above. Someone with shared responsibility has shared knowledge. This leads to insufficient oversight in one area or another.
3) The SEC’s order clearly sets out all published guidance relating to this company’s business (and even references FinCEN’s 2010 SAR guidance) and uses it to support the presumption that this company had access to the information and failed to implement it.
This means that if your financial institution has not yet reviewed and implemented FinCEN’s guidelines, you should start doing so today.
4) If your AML policy includes a list of red flags, it must be relevant to your company and implemented somewhere in your monitoring. On page five of their notice, the SEC explains exactly what this company missed.
5) Due diligence was not carried out on subscribers. There was no screening of persons known to be involved in public litigation related to corruption, crime or misuse of public funds.
6) Again, it’s about resources – we see this in every bank order. But this time, the SEC found that while it had some sort of automated monitoring in place to identify other forms of suspicious activity, it didn’t have enough people working on the problem.
For the sake of completeness, the SEC only identified two individuals. Both had “compliance” in their job title… but no AML compliance.
7) The “Commitments” section of the SEC notice is an interesting read.
This sentence stood out: “OTC Link must require the compliance adviser to provide Commission staff with a certification stating whether OTC Link has cooperated with the compliance adviser on each report submitted.” That would be helpful in bank recovery matters!