Anti-Money Laundering: An Often-Overlooked Cornerstone of Effective Compliance
Kevin W. Goodman, National Associate Director, Broker-Dealer Examination Program, Office of Compliance Inspections and Examinations
Securities Industry and Financial Markets Association
June 18, 2015
I would first like to thank our hosts, SIFMA, and everyone who worked so diligently to coordinate this conference. Before we begin, I would also like to state that my comments here today are mine and mine alone, and do not necessarily represent the views of the SEC, the Commissioners, or the Staff.
I appreciate the opportunity to speak with you today about the critical importance of broker-dealers’ anti-money laundering or “AML” programs. My speech is intended to further elaborate on a speech given by my colleague, Andrew Ceresney, on February 25, at SIFMA’s recent AML conference, in which he highlighted the importance of strong AML programs. I want to discuss Mr. Ceresney’s remarks in the context of the role of OCIE’s examination program, including how we will evaluate your firm’s compliance with AML obligations.
As you all know, AML includes far more than just preventing traditional money laundering. Broker-dealers must report large cash transactions and retain records on wire transfers regardless of whether any potential criminal activity is suspected. Broker-dealers must also monitor for and report suspicious activity, including activity that has no business or apparent lawful purpose. This goes beyond activity that implicates drug cartels or terrorist rings – it also includes activity that might indicate fraud, insider trading, or manipulative trading schemes.
As you also know, OCIE expects you and your firms to implement robust compliance programs that are targeted to the specific risks at your firms, and AML is no exception. In fact, implemented properly, I believe an AML compliance program can serve as a cornerstone of a firm’s overall compliance program. AML, however, has important implications that proliferate far beyond your firms. Widespread AML lapses threaten our standing in the international community – not only for you as individual firms but for the United States as a whole.
In fulfilling their important AML obligations, broker-dealers play a vital front line role in assisting regulators and law enforcement in identifying and addressing suspicious activities to prevent our financial systems from being used for criminal purposes. Your obligation is a proactive one, not a ministerial one. OCIE strives to be transparent about our focus areas and concerns, so I want to highlight that we take AML very seriously and will take great exception to firms that view AML as a peripheral or unimportant component of their compliance program. Quite the opposite in fact, I believe that a minimal or weak AML program implicates the entire compliance program, while a strong AML program can serve as the cornerstone.
In the absence of regular risk assessments as to how your firm could be used by sophisticated individuals and entities seeking to evade the law, it is difficult to know how you could meet your critically important AML obligations. It isn’t enough to say that your firm did not have intent to break the law, that you did not know what a customer was doing, that you relied on a vendor’s system that other firms have found useful, or that the information was gathered and reviewed for other surveillance purposes. Your firm must be able to demonstrate that it has an AML program that is tailored to the risks posed by your business and customers. I challenge you here today to think beyond technical compliance and to consider your AML responsibilities as critical to your firm and to our financial system.
With that backdrop, today I plan to discuss the main components of an AML program, what factors you may want to consider in evaluating your program’s adequacy, what examiners will be looking for, and where the SEC and other regulators have found deficiencies. In particular, I will highlight innovative methods that we are using to detect weaknesses in broker-dealers’ AML programs. I want to encourage you to evaluate your current program against the points I raise today so that when OCIE examiners walk in your door, they will find a robust AML program that is worthy of the important gatekeeper role you play.
Significance of AML 
While at first blush AML obligations may seem to be the mechanical process of monitoring and reporting cash flows and securities transactions, AML programs are actually much more.  When implemented well, they provide protections against misuse of the nation’s financial system for criminal activity – activity that ranges from financial fraud (endangering people’s financial security) to profiting from drug businesses to funding terrorist activities. For example, federal authorities have used filed suspicious activity reports (“SARs”) to identify fraud schemes such as purported investments in non-existent high yield investments, Ponzi or pyramid schemes, and market manipulation. In describing how the SEC’s Enforcement Division will assess SARs, Mr. Ceresney noted that SARS reporting “contributes directly to our work at the SEC to protect investors and ensure that our markets operate fairly,” and he identified the many times when SARs played a part in SEC regulatory actions as well as prompted examinations and investigations.
It is therefore understandable that when firms are not meeting their obligations, the consequences are severe. I point to two recent cases that, while not brought against broker-dealers, illustrate lessons that, I believe, can and should be learned by all firms. I would add that the SEC has also brought several actions against broker-dealers for violations in the AML arena, some of which I will discuss in a few minutes.
In 2012, HSBC Bank USA settled claims with regulators, including the Financial Crimes Enforcement Network – or FinCEN, the bureau of Treasury charged with implementing the Bank Secrecy Act or BSA, with penalties exceeding $1.9 billion for failure to have an adequate AML program. Regulators raised concerns of an understaffed AML compliance function, a failure to monitor numerous transactions from high risk jurisdictions, and even the classification of one such jurisdiction as the lowest AML risk category. FinCEN’s assessment stated over and over again that HSBC’s fundamental flaw was a failure to conduct risk-based evaluations in designing its program – ignoring the need to evaluate the risks of products and services offered, its customer base, and countries from and to which moneys flowed. So, I suggest to you that conducting an overall analysis of the risk posed by your business is a critical step towards implementing an effective AML program where you employ adequate resources and put them where they are needed the most. And, please be sure that you are providing resources commensurate with the risks identified.
In a second more recent case (January 2014), J.P. Morgan paid a $1.7 billion fine for its failures to report suspicious activity relating to the Bernard Madoff Ponzi scheme. Between 1986 and 2008, the scheme was conducted almost exclusively through accounts at J.P. Morgan Chase Bank. Over a multi-year period, multiple red flags were identified. J.P. Morgan was concerned enough that it reduced its financial exposure to Madoff funds in response to those red flags. However, even after J.P. Morgan’s UK affiliate reported its concerns to the U.K. authorities, no such report was made in the U.S. In part, this failure appears to have resulted from communication lapses between business and compliance, and between different compliance groups. So, what is the lesson learned here? Note that having a sophisticated surveillance system alone did not satisfy the firm’s obligations. You need to know that all relevant information is flowing through to the employees with responsibility to file SARs.
Now, I’ll focus on where broker-dealers have faced regulatory action for failing to meet their AML obligations. The Commission has brought multiple cases against firms such as Hold Brothers, Biremis, Park Financial Group, and Gilford, among others, in which customers or employees of a broker-dealer engaged in manipulative trading schemes – layering, pump and dump schemes, and/or sales of unregistered shares. Each of these cases is fact specific but all have a common theme: broker-dealers had multiple red flags brought to their attention – whether it be a customer’s explanation of trading that didn’t align with the facts, a large quantity of low-priced shares deposited at the broker-dealer, or the absence of information about the customer – and the firm’s personnel essentially ignored red flags, with severe consequences, including bars from the securities industry and significant fines against the firm and firm personnel.
I would now like to walk through three major AML requirements – the AML compliance program, the customer identification program, and monitoring and reporting suspicious activity. I will provide some color on steps examiners will take in their review. I will also highlight certain regulatory actions that provide examples of where firms have gone wrong. I would suggest as a take-away that firms assume unacceptable risk when they fail to consider the characteristics of the businesses in which they are engaged, and I emphasize the need to evaluate your business activities, the unique risks they present, and what controls would be reasonable to address these risks.
AML Compliance Program
FINRA Rule 3310 requires members to establish a risk-based AML compliance program, which includes at a minimum, reasonably designed policies and procedures, the designation of an AML compliance officer, ongoing AML employee training, and independent testing of the AML program. I also echo Mr. Ceresney’s statement that “it is critical to ensure that AML compliance is integrated fully into the other compliance operations of the firm to ensure that suspicious activity detected by other compliance functions makes its way to the AML compliance function and vice versa.”
Examiners will begin by evaluating whether your program is reasonably designed. In our examiners’ experience, the “reasonably designed” standard is not met where firms rely on boiler-plate language or templates or “off-the-shelf” programs that are not tailored to their customers, products, services, geographic locations, or methods of customer interface. Firms should also be aware of when its automated programs are not operating correctly and should confirm that any technical fixes to the program are appropriate. Examiners assess the capacity of designated compliance officers, including their background and experience and whether they have the resources to perform their jobs adequately. Examiners consider whether the training provided to employees takes into account the function being performed by the employee, the specific business activities of the firm, and the specific AML program of the firm. I would caution against the use of generic training that does not explain to employees the specific roles and responsibilities that they have. OCIE expects that the scope of independent testing reasonably covers the lines of business in which your firm engages. Finally, we expect to see documentation of the independent testing performed on the effectiveness of your AML program. A simple sign-off that the testing occurred is almost never deemed compliant; it should specify the testing conducted and the results.
You might take a look at the Brown Brothers Harriman case settled with FINRA in February 2014, to see the application of FINRA Rule 3310 and, in particular, the need for an AML program tailored to the specific risks that a firm faces. The case involved omnibus accounts being used to conduct penny stock transactions for undisclosed underlying customers of foreign banks, and the broker-dealer’s inability to obtain critical information such as the identity of the stock’s beneficial owner, how the stock was obtained, and the owner’s relationship with the issuer. I believe this case illustrates the need to identify and address high risk business activities – such as penny stock trading. You might also consider the concerns raised by omnibus accounts or other instances (such as DBA or “doing business as” accounts) in which an entity trades through different names, and how it impacts your ability to monitor trading in a meaningful fashion. Finally, you might also want to consider that FINRA discussed that the firm’s failure to review its penny stock activities flowed through multiple aspects of its AML program – with gaps in its monitoring, independent testing, and employee training. So, the cases show that you not only need to identify the high risk areas, you need to tailor each AML control component accordingly.
I also want to point you to a case brought by FinCEN against a broker-dealer, Oppenheimer & Company, in 2005, which settled for $2.8 million. FinCEN charges were based on Oppenheimer’s failure to have an adequate AML program, including an absence of procedures for reviewing wire transfer and journal transactions between unrelated and related customer accounts from foreign branch offices; reliance on manual review of transactions by one employee; reports that did not aggregate incoming and outgoing wire transfers by customer, account, branch office, or destination; and a lack of independent testing of the effectiveness of the program. Moving ahead about 10 years, Oppenheimer once again is the subject of significant AML enforcement actions, one brought by FINRA and settled for $1.425 million, and one brought by the SEC and settled for $20 million, both resulting from failing to detect and report suspicious transactions in connection with unregistered sales of penny stock. So please be mindful of regularly assessing and reassessing the risks your firm faces and its compliance with the regulatory framework.
The second fundamental AML obligation is that broker-dealers must implement a customer identification program (or “CIP”) to obtain all of the required information – the name, address, date of birth for an individual, and identification number – for each customer and have a method to verify that information. Examiners will review a firm’s verification policies and procedures to ensure they are reasonable given the firm’s assessment of the risk factors associated with its customer base. Further, examiners will be looking to ensure firms correctly understand and are meeting their CIP obligations for anyone who qualifies as a customer – that is, generally, a person who establishes a formal relationship with your firm to effect transactions in securities. You and your firms should give careful consideration as to whether each of the businesses you’re engaging in triggers the CIP requirements. For example, to give some color as to when a person might be a customer for BSA purposes, FINRA has taken action against firms whose CIP programs did not capture persons who purchased securities from the broker-dealers in private placements.
I also refer you to the SEC’s settled action against Pinnacle Capital Markets. Pinnacle primarily engaged in providing direct market access to its customers, 99% of which resided outside the United States. Pinnacle’s direct customers sometimes offered subaccounts to other entities to trade through Pinnacle. Pinnacle failed to conduct CIP reviews of the subaccount holders. An important point highlighted by this case is that omnibus sub-account holders were considered customers under the CIP rule because Pinnacle treated the sub-account holders in the same manner as it did its regular account holders, allowing them to use direct market access software to enter securities trades with Pinnacle directly and instantly through their own computer. These sub-account holders had direct control over how the trades were made in their accounts and did not require the omnibus account holder to initiate or intermediate the transactions. Again, I would suggest that the takeaway here is that you should carefully evaluate who is covered under your CIP – have you taken into account not just direct customers but other persons who may effect securities transactions directly to or through your firm?
Detecting and Reporting Suspicious Activity
Detecting and reporting suspicious activity is a third fundamental aspect of AML compliance because, as set forth by Mr. Ceresney, the information you and your firms provide to regulators and law enforcement in SARs plays a vital role in helping regulators identify securities violations and bad actors in the markets. The SAR rule requires broker-dealers to report suspicious activity that involves or aggregates funds or other assets of at least $5,000 and for which the broker-dealer knows, suspects, or has reason to suspect: 1) involves funds derived from illegal activity or is intended or conducted in order to hide or disguise funds or assets derived from illegal activity as part of a plan to violate or evade any Federal law or regulation, 2) is designed to evade any requirement of the Bank Secrecy Act, 3) has no apparent business or lawful purpose or is not the sort of activity in which the particular customer would normally be expected to engage, or 4) involves the use of the firm to facilitate criminal activity. Once again I note that this goes far beyond traditional money laundering or terrorist financing.
Under this rule, in identifying activity with “no apparent business or lawful purpose,” you should question trading activity that does not have a discernible investment or profit objective, companies with complex ownership structures that transfer money between accounts with unclear objectives, or the use of front companies to hide illicit sources of funds. Important red flags include the use of securities accounts for predominantly non-securities related types of transactions (e.g., wire transfers) and customers who seem to not care about high fees or losses in their accounts and appear more focused on the movement of funds. Broker-dealers with significant online access channels may want to take into account the source of login transmissions, particularly use of anonymous Internet nodes.
Examiners will evaluate whether firms are using monitoring processes and tools commensurate with the volume and types of activity occurring in accounts. Examiners will test the thresholds, parameters, and the data that is fed into automated systems for SAR monitoring, as well as look at the process by which AML alerts coming from these automated systems are reviewed and escalated.
For further color on when SARs reporting may be required, you should look to the SEC’s actions in Gilford Securities, Hold Brothers On-Line Investment Services, and Bloomfield. In each case, the firm did not file SARs even though firm personnel knew or should have known about activity that indicated potential market manipulation such as a pump and dump scheme, layering, or artificially raising the market price of a thinly traded security. Both the HSBC and JP Morgan actions also included charges of failures to file SARs. I cannot emphasize enough the importance of filing SARs, and it is no coincidence that both Mr. Ceresney’s and my remarks highlight this aspect of AML compliance. With that, I will turn to OCIE’s efforts to address failures to file SARs.
AML Examination Initiatives
Mr. Ceresney’s remarks provided an excellent analysis of how the SEC reviews SARs filings and the concerns raised by filings that do not provide sufficient detail. He also identified statistics that raise red flags for me as well. On average, each firm in the U.S. files about five SARs a year. A large number of firms file zero or one SAR per year. I agree with Mr. Ceresney’s statement that it is “hard to believe that the industry as a whole is fulfilling its obligation,” and OCIE is looking into whether firms are filing SARs appropriately. Mr. Ceresney in his speech outlined the Enforcement initiatives to address this concern, I will focus now on where the examination program is directing its resources.
Because examiners are forced to be risk-based in their reviews, one particular area of focus will be the AML programs of clearing firms. OCIE believes that those institutions often have the “birds-eye view” of the market and are in the best position to identify patterns of activity engaged in by persons or entities that use more than one introducing broker. Examiners would expect clearing firms to use that high-level view of trading to monitor for suspicious patterns and report the activity on SARs. During examinations of clearing firms, examiners, too, are able to review activity transacted through a large number of broker-dealers. Examiners can then select introducing broker-dealer(s) for targeted, risk-based examinations based on the analysis, which may take into account concerns about whether the introducing firms appropriately reported suspicious activity. Remember, under the legal requirements, both the introducing firm and the clearing firm have responsibilities to detect and report suspicious activity that occurs by, at, or through their firm. Among other concerns, clearing firms should consider whether SARs should be filed if they identify trading patterns that may indicate potentially fraudulent activity such as churning of customer accounts or manipulation of the prices of microcap stock.
In choosing firms to examine for AML compliance, staff uses technology to identify firms that do not file or rarely file SARs, and we assess whether those firms have robust AML programs and monitoring processes in place. We assess the quality of SARs filed to ensure that firms are reporting in a meaningful enough way for the information to be helpful to the regulatory and law enforcement communities. For example, a SAR that identifies a possible Ponzi or insider trading scheme is most helpful when it includes the underlying information or transaction detail on which the firm is raising the concern. As another example, a SAR that reports thinly traded securities being deposited into an account and immediately sold for a large profit is most helpful if the SAR also provides how much the security was purchased for, when it was purchased, and who the shares are being sold to in the reported transaction. Note that FinCEN has provided guidance that stresses the need to file a complete and sufficient SAR.
Examiners are also using enhanced data analytics and pattern recognition to evaluate whether broker-dealers are reasonably monitoring and reporting suspicious activity. The algorithms aren’t being used to set a standard but rather to check the reasonableness of the parameters set by firms. We are increasingly incorporating into our reviews enhanced technology and tools to review vast amounts of data so that we can identify suspicious activity from the source trade data rather than relying on the broker-dealer’s surveillance reports. We compare the activity we identify to activity identified by the firm, to test for weaknesses in a firm’s monitoring and reporting of suspicious activity. Examiners are assessing the tools used by firms, including the firm’s ability to detect patterns of customer activity and customers’ aggregate activity, taking into account such factors as activity across related business and individual accounts and aggregation based on known beneficial owners. We are also planning to build learning algorithms, or artificial intelligence-like programs, that can help to identify the behavior trends of potentially illicit actors.
Areas of Focus
I would now like to highlight a few business activities that OCIE has identified as potential sources of AML concerns. While some of these products and services or account relationships may not be inherently suspicious or high risk, they do present vulnerabilities that firms need to address from an AML perspective.
Thinly Traded or Low Market Value Securities
Broker-dealers that provide services related to thinly traded or low market value securities need to consider the risks involved in such products. For example, the market price for these securities is often subject to significant fluctuations, and such companies have been in the past the target of spam campaigns to “pump” up the price, with quick sales to take advantage of the inflated market value. Firms should evaluate whether they have controls to identify suspicious activity such as deposits of large quantities of shares followed by immediate sales, frequent transactions between accounts, or ties between the account holder and parties with a relationship to the company. Such activities may require that you file a SAR. Recently, OCIE has issued a National Exam Program Risk Alert that provides insight into issues and risks that broker-dealers might face when their customers actively trade low priced securities. The alert highlights trading patterns that might trigger the need to file a SAR and omnibus account types that appeared to be frequently associated with unregistered sales of low priced securities. I urge you to review this risk alert and consider whether your AML program has appropriately taken into account the concerns raised in designing appropriate controls.
Direct Market Access
OCIE’s 2015 Examination Priorities Memo identified as a focus area the AML programs of proprietary trading firms that allow customers to directly access the markets from higher risk jurisdictions. In November 2010, the Commission adopted Exchange Act Rule 15c3-5, which requires broker-dealers that provide customers with direct market access to adopt a system of risk management controls, including restricting access to persons and accounts pre-approved and authorized by the broker-dealer. Broker-dealers offering these services should carefully evaluate how it may impact their CIP and SARs monitoring obligations. Your obligation to report suspicious activity is based on transactions that are conducted “by, at, or through” the firm, which includes direct market access activity. In addition, as discussed in the Pinnacle action I cited earlier, entities granted trading privileges at your firm may be customers under the CIP rule. So, we would expect to see reasonably designed controls to address these activities.
You may want to read closely the SEC’s action and FINRA’s allegations in its complaint against Wedbush Securities, which provide good sources of potential AML issues to consider for broker-dealers offering direct market access.  In particular, broker-dealers should consider whether their AML policies and procedures are tailored to their market access business, including monitoring for layering, spoofing, and other forms of manipulation, and that SARs are appropriately filed to respond to such activity.
Master/Sub Account Relationships
In 2011, OCIE issued a risk alert that identified the master/sub account trading model as a vehicle that could be used to further violations of securities laws as well as other laws and regulations, including AML. The 2014 risk alert that I referenced above on low priced securities identified master/sub accounts as structures that may be used in unregistered sales of low priced securities. OCIE remains concerned about consistent application of suspicious activity monitoring and reporting relating to master/sub account relationships.
In a master/sub account, a company opens up a brokerage account or master account through which numerous individuals or other entities are allowed to trade as sub account holders. In some reviews conducted by staff, as identified in the risk alert, the broker-dealer did not know the identity of the sub account holders. The respective introducing and/or clearing firm holding the master account, although generally aware of the master/sub account structure, may be monitoring solely on the aggregate master account activity and either ignoring red flags or failing to monitor the patterns of sub account activity. Firms that offer master/sub arrangements are reminded that the SAR rule, unlike the CIP rule, is not a customer-driven rule, but rather a transaction-driven rule. Failure to adequately monitor for activity occurring through the firm because such monitoring is done solely on an account or direct customer basis may put firms at risk for AML deficiencies. What this means is that although you may find, based on your analysis of your business, that a person may not be a ‘customer’ of your firm and hence does not trigger the CIP requirement, you are nevertheless obligated to monitor any transaction occurring by, at or through your firm on behalf of that person.
Banking-Oriented Products and Services
Examiners will evaluate the use of brokerage accounts that offer “comprehensive asset management” or “cash management” features. These accounts may present new avenues for potential money laundering. They allow customers to engage in not only securities transactions but also offer products and services traditionally associated with bank accounts, such as check writing ability, journaling among accounts, debit card/ATM access, credit cards, credit-line cash advances, ACH electronic funds transfers, and wire transfers. Firms that offer these services need to account for all of these transactional capabilities when reasonably designing an AML program.
Examiners will assess all transaction methods for movement of cash and securities and testing the SAR monitoring thresholds accordingly to check for consistency with the firm’s obligations. Staff will look for monitoring that captures patterns of activity; aggregate activity; structuring of currency transactions to attempt to evade reporting and recordkeeping obligations; securities accounts that only have money movements and no securities investments; high-frequency check-writing, journaling, and wiring funds; and other activity that is not commensurate with a customer’s stated business or investment objectives.
Examiners have identified certain customers of firms that are using comprehensive asset management accounts as traditional retail banking or demand deposit relationships. Broker-dealers’ transaction monitoring program should, I believe, take into account how such accounts are being used. For example, if the account is being used primarily for banking rather than securities services, the firm should understand why the customer is holding funds in a securities account rather than a traditional banking account. For business accounts and personal accounts that are being used for commercial purposes, our examiners will determine how much your firms know about the purpose for which the account is being used by the customer (e.g., what products and services your customer is offering). If you do not know enough about your customer’s businesses, you may not be in a position to determine if the activity is consistent with that business type, size, and location.
Today, I have highlighted some of the many challenges you all face in designing and implementing effective AML programs and the critical importance of meeting these challenges. Let’s recap some of the major considerations in the process:
- You must analyze the risks associated with your business activities – understand which products and services have higher risks and/or require unique controls and consider geographic locations and methods of customer interface – and take this analysis into account in designing your AML program;
- You must have an adequately staffed AML compliance function with appropriate information flows and an effective escalation process;
- You must document your program in written procedures and be able to demonstrate the monitoring and the testing that occurs;
- You must understand the scope of activities that may need to be reviewed and in particular consider that SAR reporting is based on all transactional activities that run through your firm; and your CIP may need to include indirect customers if they have unintermediated ability to direct trading in an account held at your firm;
- For most firms, you must have a well-tailored electronic system to spot red flags among your thousands (or even millions) of daily transactions, and your staff must properly follow-up to determine whether the red flags must be reported on a SAR; and
- Finally, and perhaps most importantly – always consider the need to file SARs. Don’t fail to file because you believe that the activity has been reported by someone else or that you don’t have definitive proof that illegal activity has occurred or you have reported the activity through other channels – you are still required to file a SAR in these instances. Essentially, if you see activity that raises concerns or which you can’t explain, we would encourage you to file a report. Also note that the SEC has established a SAR alert message line to be used when a filed SAR may require immediate attention (202-551-SARs).
Let me close by reiterating that AML compliance is an especially critical component of a firm’s overall compliance program, the cornerstone over which all else is built. To design and implement effective AML programs, I encourage all of you to share information and approaches with one another to promote the development of the critical infrastructure that is needed and required. Investors and citizens deserve nothing less.
Please feel free to reach out to Commission staff within the Division of Trading and Markets and OCIE with any issues you want to discuss. We stand ready to do what we can to assist you in meeting your AML obligations.
Thank you again for your time and attention.
 The Securities and Exchange Commission, as a matter of policy, disclaims responsibility for any private publication or statement by any of its employees. The views expressed herein are those of the author and do not necessarily reflect the views of the Commission or of the author’s colleagues upon the staff of the Commission.
 See, e.g., FINRA Rules 3130 and 3310; 31 C.F.R. 1023.210 (The AML program rule of the Financial Crimes Enforcement Network or FinCEN applicable to broker-dealers) and 31 C.F.R. 1010.810 (FinCEN’s rule delegating authority to the SEC to examine broker-dealers for compliance with applicable FinCEN regulations).
 See, e.g., In the matter of Park Financial Group, Inc., Exchange Act Release No. 56902 (Dec. 5, 2007), available at http://www.sec.gov/litigation/admin/2007/34-56902.pdf (settled matter); In the matter of Hold Brothers On-Line Investment Services, LLC, Exchange Act Release No. 67924 (Sept. 25, 2012), available at http://www.sec.gov/litigation/admin/2012/34-67924.pdf (settled matter); In the matter of Biremis Corporation, Exchange Act Release No. 68456 (Dec. 18, 2012), available at https://www.sec.gov/litigation/admin/2012/34-68456.pdf (settled matter); FINRA Letter of Acceptance, Waiver and Consent No. 2010025241301 Re: Banorte-Ixe Securities International, Ltd. (Jan. 28, 2014), available at: http://disciplinaryactions.finra.org/viewdocument.aspx?DocNB=35121; FINRA Letter of Acceptance, Waiver and Consent No. 2012034123501 Re: Wells Fargo Advisors, LLC, and Wells Fargo Advisors Financial Network, LLC (Dec. 18, 2014), available at: http://disciplinaryactions.finra.org/Search/ViewDocument/38254. National Money Laundering Risk Assessment 2015 (“NML Risk Assessment”) Department of Treasury (June 12, 2015), at pages 82-84, available at: http://www.treasury.gov/resource-center/terrorist-illicit-finance/Documents/National%20Money%20Laundering%20Risk%20Assessment%20%E2%80%93%2006-12-2015.pdf.
 See, e.g., FINRA Letter of Acceptance, Waiver and Consent No. 2010025241301 Re: Banorte-Ixe Securities International, Ltd. (Jan. 28, 2014), available at: http://disciplinaryactions.finra.org/viewdocument.aspx?DocNB=35121.
 For links to all of the legal and regulatory sources referenced here, see Anti-Money Laundering Source Tool for Broker-Dealers, available at: http://www.sec.gov/about/offices/ocie/amlsourcetool.htm#1.
 In 1970, the Currency and Foreign Transactions Reporting Act of 1970, commonly known as the “Bank Secrecy Act” was enacted to require certain reports and records that have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings. The full complement of AML requirements came into effect with the USA Patriot Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism), which amended the Bank Secrecy Act. The Patriot Act was passed shortly after 9/11 to prevent the use of the U.S. financial system to aid terrorist activities. In the securities sector, the Treasury Department, along with the SEC and FINRA, has implemented these requirements by adopting rules addressing broker-dealers’ and mutual funds’ obligations to combat money laundering and terrorist financing, which require firms to implement a risk-based AML compliance program and a customer identification program, to monitor and report suspicious activity, and to conduct due diligence on foreign correspondent accounts and private banking accounts. 31 CFR Parts 1023 (broker-dealers) and 1024 (mutual funds). Broker-dealers’ obligations to file reports and maintain records pursuant to these requirements are also reflected in Exchange Act Rule 17a-8.
 Examples of cases identified through the use of SARS available at: http://www.fincen.gov/news_room/rp/sar_case_example_list.html?catid=00002.
 FinCEN’s assessment is set forth in: In the matter of HSBC Bank USA N.A., Case Number 2012-02 (Dec. 10, 2012), available at: http://www.fincen.gov/news_room/ea/files/HSBC_ASSESSMENT.pdf.
 FinCEN’s assessment is set forth in: In the matter of JPMorgan Chase Bank, N.A., Case Number 2014-1 (Jan. 7, 2014), available at: http://www.fincen.gov/news_room/ea/files/JPMorgan_ASSESSMENT_01072014.pdf.
 In the matter of Hold Brothers On-Line Investment Services, LLC, Exchange Act Release No. 67924 (Sept. 25, 2012), available at http://www.sec.gov/litigation/admin/2012/34-67924.pdf (settled matter); In the matter of Biremis Corporation, Exchange Act Release No. 68456 (Dec. 18, 2012), available at https://www.sec.gov/litigation/admin/2012/34-68456.pdf (settled matter).
 In the matter of Park Financial Group, Inc., Exchange Act Release No. 56902 (Dec. 5, 2007), available at http://www.sec.gov/litigation/admin/2007/34-56902.pdf (settled matter).
 In the matter of Gilford Securities, Incorporated, Exchange Act Release No. 65450 (Sept. 30, 2011), available at https://www.sec.gov/litigation/admin/2011/33-9264.pdf (settled matter); In the matter of Ronald S. Bloomfield, Robert Gorgia, and John Earl Martin, Sr, Exchange Act Release No. 71632 (Feb. 27, 2014), available at http://www.sec.gov/litigation/opinions/2014/33-9553.pdf.
 NASD Rule 3011 was adopted in 2002. In 2010, FINRA Rule 3310 replaced NASD Rule 3011.
 See, e.g., FINRA Letter of Acceptance, Waiver and Consent No. 2012034123501 Re: Wells Fargo Advisors, LLC, and Wells Fargo Advisors Financial Network, LLC (Dec. 18, 2014), available at: http://disciplinaryactions.finra.org/Search/ViewDocument/38254, in which FINRA brought an action under FINRA Rule 3310, later settled for $1.5 million, based on a design flaw in the transaction processing system that resulted in certain customer accounts not being analyzed under the customer identification program.
 See, e.g., Letter of Acceptance, Waiver and Consent No. 2013035821401 re Brown Brothers Harriman & Co. (Feb. 4, 2014), available at: http://disciplinaryactions.finra.org/Search/ViewDocument/35225; NML Risk Assessment at pages 82-84, available at: http://www.treasury.gov/resource-center/terrorist-illicit-finance/Documents/National%20Money%20Laundering%20Risk%20Assessment%20%E2%80%93%2006-12-2015.pdf; Letter of Acceptance, Waiver and Consent No. 2010021211901 re Firstrade Securities, Inc. (May 7, 2013), available at: http://disciplinaryactions.finra.org/viewdocument.aspx?DocNB=33515; In the matter of Biremis Corporation, Exchange Act Release No. 68456 (Dec. 18, 2012), available at https://www.sec.gov/litigation/admin/2012/34-68456.pdf (settled matter); Advisory to U.S. Financial Institutions on Promoting a Culture of Compliance, FIN-2014-A007 (August 11, 2014), available at http://www.fincen.gov/statutes_regs/guidance/pdf/FIN-2014-A007.pdf.
 See, e.g., Letter of Acceptance, Waiver and Consent No. 2013035821401 re Brown Brothers Harriman & Co. (Feb. 4, 2014), available at:: http://disciplinaryactions.finra.org/Search/ViewDocument/35225.
 See, e.g., Letter of Acceptance, Waiver and Consent No. 2010021162202 re Biremis Corp. (June 20, 2012), available at: http://disciplinaryactions.finra.org/viewdocument.aspx?DocNB=32132.
 Letter of Acceptance, Waiver and Consent No. 2013035821401 (Feb. 4, 2014), available at: http://www.finra.org/web/groups/industry/@ip/@enf/@ad/documents/industry/p443448.pdf.
 In the matter of Oppenheimer & Company, Case Number 2005-4 (Dec. 29, 2005), available at http://www.fincen.gov/news_room/ea/files/oppenheimerassessment.pdf.
 Dept. of Enforcement v. Oppenheimer & Co., Inc., Order Accepting Offer of Settlement (Aug. 5, 2013), available at: http://disciplinaryactions.finra.org/Search/ViewDocument/33961; In the matter of Oppenheimer & Co. Inc., Exchange Act Release No. 74141 (Jan. 27, 2015), available at: http://www.sec.gov/litigation/admin/2015/33-9711.pdf.
 31 C.F.R. 1023.220.
 31 C.F.R. 1023.100(a)(d)(1). Staffs of the Treasury and the Commission issued a question and answer that identified the following specific fact pattern in which a beneficial owner of an omnibus account or subaccount is not considered a customer: if (1) the omnibus account or relationship is established by or on behalf of a financial intermediary for the purpose of executing transactions that will clear or settle at another financial institution, or the omnibus accountholder provides limited information to the broker-dealer solely for the purpose of delivering assets to the custody account of the beneficial owner at another financial institution; (2) the limited information given to the broker-dealer about the beneficial owner is used primarily to assist the financial intermediary with recordkeeping or to establish sub-accounts that hold positions for a limited duration to facilitate the transfer of assets to another financial institution; (3) all transactions in the omnibus account or sub-accounts at the broker-dealer are initiated by the financial intermediary; and (4) the beneficial owner has no direct control over the omnibus account or sub-accounts at the broker-dealer. Guidance available at: https://www.sec.gov/divisions/marketreg/qa-bdidprogram.htm.
 FINRA Letter of Acceptance, Waiver and Consent No. 2012030436201 Re LWBJ Investment Services, LLC (July 10, 2014), available at: http://disciplinaryactions.finra.org/viewDocument.aspx?DocNb=36727; FINRA Letter of Acceptance, Waiver and Consent No. 2010021128601 Re The Carson Medlin Company (Nov. 30, 2011), available at:http://disciplinaryactions.finra.org/viewdocument.aspx?DocNB=27408.
 In the matter of Pinnacle Capital Markets LLC, Exchange Act Release No. 62811 (Sept. 1, 2010), available at http://www.sec.gov/litigation/admin/2010/34-62811.pdf.
 31 C.F.R. 1023.320.
 NASD Notice to Members 02-21 (April 2002) http://www.sec.gov/about/offices/ocie/aml2007/nasd-ntm-02-21.pdf.
 In the matter of Gilford Securities, Incorporated, Exchange Act Release No. 65450 (Sept. 30, 2011), available at: https://www.sec.gov/litigation/admin/2011/33-9264.pdf (settled matter).
 In the matter of Hold Brother On-Line Investment Services, Exchange Act Release No. 67924 (Sept. 25, 2012), available at: http://www.sec.gov/litigation/admin/2012/34-67924.pdf (settled matter).
 In the matter of Ronald S. Bloomfield, Robert Gorgia, and John Earl Martin, Sr, Exchange Act Release No. 71632 (Feb. 27, 2014), available at: http://www.sec.gov/litigation/opinions/2014/33-9553.pdf.
 Customer Identification Program Rule No-Action Position Respecting Broker-Dealers Operating Under Fully Disclosed Clearing Agreements According to Certain Functional Allocations FIN-2008-G002 (March 4, 2008) (“a clearing firm’s anti-money laundering program should contain risk-based policies, procedures, and controls for assessing the money laundering risk posed by its fully disclosed clearing arrangements, for monitoring and mitigating that risk, and for detecting and reporting suspicious activity”), available at: http://www.sec.gov/about/offices/ocie/aml/fin-2008-g002.pdf. See, also¸ FINRA Letter of Acceptance, Waiver and Consent No. 2007007133001 Re Legent Clearing LLC (Dec. 5, 2008), available at: http://disciplinaryactions.finra.org/viewdocument.aspx?DocNB=19048.
 See, Guidance on Preparing a Complete & Sufficient Suspicious Activity Report Narrative (Nov. 2003), available at: http://www.fincen.gov/statutes_regs/files/sarnarrcompletguidfinal_112003.pdf.
 See, e.g., NML Risk Assessment at pages 81-82, available at: http://www.treasury.gov/resource-center/terrorist-illicit-finance/Documents/National%20Money%20Laundering%20Risk%20Assessment%20%E2%80%93%2006-12-2015.pdf.
 See, e.g., In the matter of Oppenheimer & Co. Inc., Exchange Act Release No. 74141 (Jan. 27, 2015), available at: http://www.sec.gov/litigation/admin/2015/33-9711.pdf (settled matter); In the matter of Gilford Securities, Incorporated, Exchange Act Release No. 65450 (Sept. 30, 2011), available at https://www.sec.gov/litigation/admin/2011/33-9264.pdf (settled matter); In the matter of Ronald S. Bloomfield, Robert Gorgia, and John Earl Martin, Sr, Exchange Act Release No. 71632 (Feb. 27, 2014), available at http://www.sec.gov/litigation/opinions/2014/33-9553.pdf; In the matter of Ferris, Baker Watts, Inc., Exchange Act Release No. 59372 (Feb. 10, 2009), available at: https://www.sec.gov/litigation/admin/2009/34-59372.pdf (settled matter).
 ational Exam Program Risk Alert: Broker-Dealer Controls Regarding Customer Sales of Micro-Cap Securities (October 9, 2014), available at: http://www.sec.gov/about/offices/ocie/broker-dealer-controls-microcap-securities.pdf.
 Available at: http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2015.pdf.
 See, e.g., In the matter of Pinnacle Capital Markets LLC, Exchange Act Release No. 62811 (Sept. 1, 2010), available at http://www.sec.gov/litigation/admin/2010/34-62811.pdf (settled matter); In the matter of Hold Brothers On-Line Investment Services, LLC, Exchange Act Release No. 67924 (Sept. 25, 2012), available at http://www.sec.gov/litigation/admin/2012/34-67924.pdf (settled matter).
 In the matter of Wedbush Securities Inc., Exchange Act Release No. 73652 (Nov. 20, 2014) (settled action), available at http://www.sec.gov/litigation/admin/2014/34-73652.pdf. See, also, FINRA’s complaint against Wedbush Securities, FINRA Department of Market Regulation and Department of Enforcement v. Wedbush Securities Inc., Disciplinary Proceeding No. 20090206344-01 (August 18, 2014), available at: http://disciplinaryactions.finra.org/viewdocument.aspx?DocNB=37085.
 National Exam Risk Alert on Master/Sub-accounts (Sept. 29, 2011), available at: http://www.sec.gov/about/offices/ocie/riskalert-mastersubaccounts.pdf. See, also¸ NML Risk Assessment at pages 78-81, available at: http://www.treasury.gov/resource-center/terrorist-illicit-finance/Documents/National%20Money%20Laundering%20Risk%20Assessment%20%E2%80%93%2006-12-2015.pdf.
 Broker-dealers are required to report suspicious transactions that are “conducted or attempted by, at, or through a broker-dealer”, among other criteria. 31 C.F.R. 1023.320. As such, any limitation based on classification of a “customer” is not consistent with the rule.
 See, e.g., Letter of Acceptance, Waiver and Consent No. 2013035821401 re Brown Brothers Harriman & Co. (Feb. 4, 2014), available at: http://www.finra.org/web/groups/industry/@ip/@enf/@ad/documents/industry/p443448.pdf, for the proposition that to be reasonably designed, an AML program must take into account the services offered to customers. See, also, Letter of Acceptance, Waiver and Consent No. 2013035109701 re: LPL Financial LLC (May 6, 2015), available at: http://disciplinaryactions.finra.org/Search/ViewDocument/48016.