AML compliance testing – An essential for RIAs
Firms without a robust and regularly tested anti-money laundering (AML) approach may find themselves failing to meet expectations. Although US registered investment advisors (RIAs) technically have no explicit AML compliance program requirements, firms are finding that examiners and investors are now asking to see evidence of AML policies and procedures.
Before working with an RIA, many investors and customers need evidence of AML policies and procedures and the annual testing or validity of these programs as part of their own due diligence process. The request for information about the RIA’s AML program may be driven by regulations in the client’s jurisdiction, or it may be the result of the client’s own approach to governance and ethics. In either case, RIAs are now facing client requests for these materials more regularly.
Targeted AML scrutiny for RIAs
In February, the Securities and Exchange Commission (SEC) included AML program compliance and testing in its Office of Compliance Inspections and Examinations 2018 Examination Priorities. As a result, firms should be prepared to hand over policy and procedures materials during a targeted AML examination, as well as evidence that the program is regularly tested.
The industry should also be cognizant of the impending rules for RIAs from FinCEN. It has been three years since the original consultation document was published and final rules are long overdue. The US’s lack of a formal AML regulatory framework for RIAs means it is behind many other countries, such as those in the EU, that have implemented the Financial Action Task Force’s (FATF’s) approach in this sector.
Testing AML compliance
Annual testing of AML programs is a salient idea. In the current environment of increased regulatory focus on AML programs, annual testing can help ensure that a firm does not encounter unexpected difficulty during examinations. RIAs also need to be sure that the programs are delivering the level of compliance required for a firm, given its own exposure to related risks. Annual testing can also help a firm feel confident that it will be in a good place to affirm compliance once AML rules are finalized in the US.
A good AML compliance testing program should include:
- Reviewing AML policies and procedures – A robust review of a firm’s AML program should always start with a thorough check of the written policies and procedures. They must be adequate for the type of firm and the business it conducts and aligned with the company’s overall policies and procedures as well as its risk factors.
- Testing AML policies and procedures – The next step is testing – making sure the firm does what it says it is doing when it comes to AML. For example, if the firm has a Know Your Customer (KYC) program or a Customer Identification Program (CIP), the AML auditor would confirm that the firm is following the steps outlined in these policies and procedures. This should include:
  - Obtaining ID for new investors
  - Running Office of Foreign Assets Control (OFAC) checks
  - Conducting Enhanced Due Diligence (EDD) if a new investor is from a jurisdiction where there are lax AML policies and procedures
  - Diving deeper into the KYC and CIP procedures. For example, checking to see if the administrator and custodian are adhering to AML requirements. Do they have a robust policy in place? Is the adviser capturing all of the information needed in their subscription documents?
There are a range of other checks that should be performed as well to ensure that an AML program is operating effectively and delivering the compliance that investors, regulators, and other stakeholders need to see.
- Evaluating employee training – Employees are the first line of defense in a robust AML program. AML compliance testing should look at the adequacy of the AML training for employees. Individuals in particular roles, such as those in investor relations or on the investment committee, should be receiving training that is specifically tailored to their role.
For many firms, it can make sense to bring in an independent AML compliance testing expert to review the program.
Looking at CDD and PEPs
RIAs should pay particular attention to two areas of compliance when they are reviewing their AML programs this year. First, they should make sure their handling of politically exposed persons (PEPs) is adequate. PEPs are often investors, and firms need to be sure that they have the right policies and procedures in place and that they are being followed.
Second, firms should be sure they are up to date with the new Customer Due Diligence (CDD) rules. As of mid-May, FinCEN requires broker-dealers and other financial institutions that have AML requirements to comply with its new CDD rule. These requirements include:
- Identifying and verifying the identity of customers
- Identifying and verifying the identity of the beneficial owners of companies opening accounts
- Understanding the nature and purpose of customer relationships to develop customer risk profiles
- Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information
While RIAs are technically not obligated to have this updated CDD framework in place, it would make sense for firms to take steps to ensure compliance. Any new FinCEN rules for RIAs that come into existence are likely to include this new CDD framework.
In short, the increased focus that clients and regulators are putting on AML means RIAs need to increase their focus and periodically test these programs for efficacy.