Yesterday FINRA settled yet another major case involving AML surveillance system deficiencies. This is one more in a series of cases in which FINRA has found that a broker-dealer’s electronic surveillance systems were insufficient to detect potentially suspicious transactions. In this case, FINRA fined the firm $13 million (which was duplicated by the SEC, bringing the total sanction to $26 million) for failures related to an automated system the firm used for monitoring transactions for potentially suspicious activity. In 2010, the firm connected the system to a larger, enterprise-wide system that risk-scored the results in a way that limited the reviews of alerts from the original system. This means that, according to the settlement document, for a four-month period, the firm did not investigate suspicious activity detected by the original system. It appears from the settlement language that the firm believed its system was generating too many “false positives” and during a transition period simply determined not to investigate those items. All in all, it seems that the firm failed to investigate 1,015 instances of potentially suspicious activity. The firm designed the system parameters such that it also excluded multiple occurrences of potentially suspicious money movements that involved high-risk counterparties and entities only once. Thus, because there was no linkage between related accounts, it did not consistently identify or monitor these customers, which apparently included some in high-risk jurisdictions and who were senior foreign political figures (PEPs). Also, quite interestingly, the settlement states that millions of accounts were excluded from the firm’s automated monitoring system.
This case is an obvious demonstration of FINRA’s increasing ability to conduct highly sophisticated AML investigations. FINRA’s last several major AML actions have sought progressively higher fine amounts for failures to adequately implement AML surveillance technology. No doubt, the investment in staffing and technology to address this issue proactively would have cost less than $26 million. But of course, hindsight is always 20/20. That said, the message is abundantly clear. It is time to invest in top-notch AML surveillance systems. And such an investment is not simply the installation but also the ongoing periodic maintenance, which in the industry is often called tuning. It is also important that firms utilizing AML surveillance systems employ experts in FINRA AML requirements to ensure that the systems are tested and tuned in a manner similar to that which is performed by FINRA.
Finally, I have previously explained that while tuning is an important aspect of the maintenance of AML surveillance systems, it is important to take a measured approach to managing false positives generated by these systems. On one hand, false positives are a fact of life with AML surveillance systems. However, changes to rules and thresholds that are not validated or tested by experts against prior results can end up causing costly mistakes. I’m a firm believer in eliminating as many false positives as possible, because by their nature a good percentage of them are just noise and interfere with proper AML surveillance and detecting potentially suspicious activity. I’ve written about this before. However, I worry that FINRA actions such as this will have a chilling effect on those firms wishing to fine-tune these systems. I fully support modification of thresholds and rules to result in the maximum efficiency of the AML surveillance system overall. Also, it often makes sense to implement enterprise-wide surveillance. As with many things, however, this case illustrates that the devil is in the details.
Mitch Atkins, CRCP, is the founder and principal of FirstMark Regulatory Solutions, a compliance consulting organization based in Boca Raton, Florida, that specializes in AML compliance.