Unreasonable AML Policies Cited In Trading Platform Fraud

January 29, 2015

There are lots of bad guys out there, and on Wall Street, brokerage firms need to protect not only their customers but also themselves from some of the online scams and cons.  In a recent regulatory settlement, we see how one firm was cited for not having implemented reasonable compliance policies, not asking the right questions, and not being suspicious enough. Then there are questions as to whether the regulator was asleep at the switch.

Case In Point

For the purpose of proposing a settlement of rule violations alleged by the Financial Industry Regulatory Authority ("FINRA"), without admitting or denying the findings, prior to a regulatory hearing, and without an adjudication of any issue, OptionsHouse LLC submitted a Letter of Acceptance, Waiver and Consent ("AWC"), which FINRA accepted. In the Matter of OptionsHouse LLC, Respondent (AWC  #2012032988501, January 22, 2015).

Since 2005, OptionsHouse has been a FINRA regulated broker-dealer and it is characterized in the AWC as an online, introducing broker-dealer that allows customers to place stock and option trades online for their own accounts. The firm employs about 44 registered and non-registered person out of its sole office.

 Sidetracked On The Platform

The AWC alleges that in May 2010, and again from February 2011 through April 2011, OptionsHouse opened 15 accounts for persons who intended to engage in fraudulent activity through the firm's trading platform -- and, in fact, seven of the cited accounts did engage in fraud.  Apparently the fraudsters accessed online brokerage accounts maintained at other firms and engaged in trading that caused losses in the away accounts but resulted in profits for the fraudsters n their OptionsHouse accounts. 

Victim2

The AWC asserts that although OptionsHouse had written policies and procedures in place to verify the identity of any person seeking to open an account, those procedures were inadequately risk-based, and, as a result, the firm could not have formed a reasonable belief that it knew the customer's  true identity. Notably, there is NO suggestion that OptionsHouse was complicit in the underlying fraud.  To some extent, the firm was also victimized by the fraudsters.

AML

Essentially, we have entered the realm of Anti-Money Laundering compliance, better known in industry lingo as "AML."  To better understand what is at stake here, let's go to the rulebook:

FINRA Rule 3310. Anti-Money Laundering Compliance Program

Each member shall develop and implement a written anti-money laundering program reasonably designed to achieve and monitor the member's compliance with the requirements of the Bank Secrecy Act (31 U.S.C. 5311, et seq.), and the implementing regulations promulgated thereunder by the Department of the Treasury. Each member's anti-money laundering program must be approved, in writing, by a member of senior management. The anti-money laundering programs required by this Rule shall, at a minimum,

(a) Establish and implement policies and procedures that can be reasonably expected to detect and cause the reporting of transactions required under 31 U.S.C. 5318(g) and the implementing regulations thereunder;
(b) Establish and implement policies, procedures, and internal controls reasonably designed to achieve compliance with the Bank Secrecy Act and the implementing regulations thereunder;
(c) Provide for annual (on a calendar-year basis) independent testing for compliance to be conducted by member personnel or by a qualified outside party, unless the member does not execute transactions for customers or otherwise hold customer accounts or act as an introducing broker with respect to customer accounts (e.g., engages solely in proprietary trading or conducts business only with other broker-dealers), in which case such "independent testing" is required every two years (on a calendar-year basis);
(d) Designate and identify to FINRA (by name, title, mailing address, e-mail address, telephone number, and facsimile number) an individual or individuals responsible for implementing and monitoring the day-to-day operations and internal controls of the program (such individual or individuals must be an associated person of the member) and provide prompt notification to FINRA regarding any change in such designation(s); and
(e) Provide ongoing training for appropriate personnel.

*** Supplementary Material ***
.01 Independent Testing Requirements

(a) All members should undertake more frequent testing than required if circumstances warrant.
(b) Independent testing, pursuant to Rule 3310(c), must be conducted by a designated person with a working knowledge of applicable requirements under the Bank Secrecy Act and its implementing regulations.
(c) Independent testing may not be conducted by:
(1) a person who performs the functions being tested,
(2) the designated anti-money laundering compliance person, or
(3) a person who reports to a person described in either subparagraphs (1) or (2) above.
.02 Review of Anti-Money Laundering Compliance Person Information
Each member must identify, review, and, if necessary, update the information regarding its anti-money laundering compliance person designated pursuant to Rule 3310(d) in the manner prescribed by NASD Rule 1160.

In addition to establishing and implementing the compliance policies set forth under FINRA Rule 3310(b), member firms are also required under the USA PATRIOT Act to implement a written customer identification program ("CIP") to: 
  1. verify the identity of any person seeking to open an account, to the extent reasonable and practicable;
  2. maintain records of the information used to verify the person's identity; and
  3. determine whether the person appears on any lists of known or suspected terrorists or terrorist organizations.

Bill Singer's Comment: When promulgating a written AML policy, FINRA member firms must be mindful of the "reasonableness" standard that is the basis for judging their good-faith compliance efforts. For starters, the AML written policies will be examined to determine whether they were "reasonably designed." If a firm's approach is to copy or cut-and-paste another firm's AML policies, that may not be deemed an effort to reasonably design guidelines for that firm. Similarly, merely hiring a third-party service provider and implementing that party's cookie-cutter AML procedures may also fall short of the test. 

An important attribute of your AML procedures is whether they assist in an effort to reasonably "detect" violations. Too often, compliance departments take false comfort in a massive binder of AML policies, erroneously believing that the mere weight of that binder or the number of bytes in the online version offer a safety-net  should anything go wrong. In fact, if something does come to the attention of a regulator, the firm will be judged by its policies in place to detect violations and, further, what steps were taken to comply with those surveillance obligations. Keep in mind that FINRA requires annual independent testing as a meaningful effort by its member firms to debug their AML procedures. The guts of a reasonable AML program is how it handles detection, reporting, and ongoing verification.

A CIP Shot

According to the AWC, OptionsHouse's  CIP called for the initial verification of a customer's identity via a third-party vendor ("CIP Vendor"), who then compared customer information to various lists and databases maintained or accessed by the CIP Vendor. Upon completion of this threshold inquiry, the CIP Vendor rated the customer either "eligible" or "ineligible." "Eligible" meant that the CIP Vendor had confirmed the provided customer information: name, date of birth, social security number and address. "Ineligible" meant that at least one piece of customer information could not be verified. At the conclusion of its review, the CIP Vendor would note any discrepancies between the submitted information and its lists/databases.

Bring In the Second Team

What happens when the CIP Vendor rated an OptionsHouse customer as "ineligible" ?According to the AWC, OptionsHouse forwarded the customer information to a second CIP Vendor, who would then run its own review with the possible outcomes of "eligible" or "ineligible." 

2X Ineligible

The AWC asserts that if the second CIP Vendor came up with an "ineligible" rating, OptionsHouse required the customer to produce a: 
  • social security card if the report had indicated that the social security number provided by the client was invalid or had not yet been issued; or
  • driver's license if the report indicated that the CIP Vendor was unable to verify the customer's address. 
Upon its receipt of the social security card or driver's license, OptionsHouse purportedly reviewed the submitted documentation for "some obvious form of fraud." In the absence of such a finding, the AWC alleges that the firm went ahead and opened the account without further steps to verify the social security number or address given by the customer. FINRA deemed OptionsHouse's failure to undertake further verification as unreasonable.

Split In The Vendor Circuits

In situations where the CIP Vendor rated an account as "ineligible," but the second CIP Vendor rated as "eligible," the AWC characterized the firm's policy as unreasonable in that it resulted in opening the account without requiring any additional documentation. Similarly, the AWC asserted that OptionsHouse's failure to adequately understand why such a rating discrepancy arose in the first place was also an unreasonable protocol. 

Going To The Checkbook

FINRA deemed that OptionsHouse violated FINRA Rules 3310(b) and 2010 by failing to establish and implement a CIP that had adequate risk-based procedures for verifying the identity of their customers. In accordance with the terms of the AWC, FINRA imposed upon OptionsHouse a Censure and $60,000 fine. 

Bill Singer's Comment

A fairly strong presentation by FINRA and one that offers guidance to member firm compliance departments.  Sadly missing from the AWC, however, is how and who discovered the fraud.  Frankly, that strikes me as an important bit of industry education that has been lost. 

While we're talking about compliance policies for FINRA member firms that should "reasonably" detect and, thereafter, address warning signs, howsabout someone at FINRA explain to me why AML issues that cropped up at OptionsHouse in 2010 and 2011 were only resolved via settlement in 2015?  Not that a Wall Street regulator would ever see itself as coming off as sanctimonious, and hypocritical . . . but . . . isn't it fair to question the reasonableness of FINRA's timeframes for detecting, investigating, and resolving its members' alleged misconduct? In this case we have an apparent lapse of about three-plus years from the last act of alleged AML non-compliance and FINRA's settlement. Perhaps a bit more meat on this AWC's bones could have explained that seemingly unreasonable regulatory delay.

Oh yeah, I know, it's different when a member firm fails to timely detect red flags and warning flares and, on the other hand, when a regulator may find itself confronted by the same untimely detection and resolution. Sure it is. Yup. Very different. Why? Well, you know, just because it is.