Yesterday I began an exploration of the potential individual liability of a Chief Compliance Officer (CCO) based upon the Financial Industry Regulatory Authority (FINRA) enforcement action against Raymond James Inc. and its former CCO, Linda Busby. Today, I will consider the specific deficiencies laid out in the Letter of Acceptance, Waiver and Consent (Letter of Acceptance) and what lessons might be drawn going forward.
It is incumbent to note the basis of liability is FINRA Rule 3310, which requires the company to “develop and implement a written anti-money laundering program reasonably designed to achieve and monitor the member’s compliance with the requirements of the Bank Secrecy Act…” The required policies and procedures needed are to detect and report suspicious activity and monitor transactions for specified red flags. If such red flags were detected, additional investigation was required and any clearance of such a red flag required documentation. Some of the specifics of 3310 included appropriate due diligence on both customers and corresponding accounts for foreign financial institutions, a risk-based assessment of new clients and a review of red flags that might be raised in the above. Busby, as CCO, was required to implement the foregoing.
As noted yesterday, Busby was sorely understaffed, underfunded and probably could never have overseen a functioning and effective compliance program, had the company deigned to put one in place. However, the company obviously thought it did not have to do so. As noted in the Letter of Acceptance, the company “did not have a single written procedures manual describing AML procedures; rather to the extent written procedures existed addressing supervision related to AML, they were scattered through various departments.” Moreover, Busby did not have control or even oversight into individuals in other departments handing anti-money laundering (AML) issues. Finally, the company did not have any oversight for monitoring suspicious activity. The Letter of Acceptance noted these shortcomings were failures of both the company and Busby.
FINRA dived deeper into the weeds when it faulted both the company and Busby for not monitoring known high-risk transactions or individuals. The Letter of Acceptance listed high-risk activity as:
- Transfers of funds to unrelated accounts without any apparent business purpose;
- Journaling securities and cash between unrelated accounts for no apparent business purpose, particularly internal transfers of cash from customer accounts to employee or employee-related accounts; and
- Movement of funds, by wire transfer or otherwise, from multiple accounts to the same third party account.
- The company did not have any procedures “in place to reasonably monitor for high-risk incoming wire activity, such as third-party wires and wires received from known money laundering or high-risk jurisdictions.”
All of this meant that neither the company nor Busby were able to monitor or later investigate suspicious activity. FINRA turned up 513 accounts that engaged in high-risk activity that were never even spotted let alone investigated. There was no overall risk assessment performed which might have allowed Busby to marshal her limited resources and focus on the highest risk transactions. As you would expect there was no technological solution in place that allowed Busby to “conduct any trend or pattern analysis or otherwise combine information generated by the multiple reports to look for patterns”. All of Busby’s analysis had to be done the old fashioned way, through manual review.
While there were some reports generated by the company that might have been of use in an AML analysis, they were either deficient or not tied to similar reports. Even when the information was available there was no overall risk ranking for the company’s customers that would have allowed transaction monitoring on a more proactive basis. Finally, and this one is perhaps the most unbelievable, there was no linking of customer accounts so no pattern of single customer activity could be reviewed.
In addition to these overall AML program deficiencies, the Letter of Acceptance listed failures by Busby when sufficient information was available to her. There were thousands of alerts generated regarding suspicious activities each month that were closed out with no documentation as to the rationale for closing the suspicious activity alert. There was no documented clearance of red flags raised, even in the process the company did have in place.
The customer due diligence report was not even provided to Busby or the AML team but to the company’s credit department, one of those departments that Busby had no visibility into. When there was sufficient information to investigate customers, Busby and her team failed to do so and the Letter of Acceptance listed several instances where Busby failed to document that customers had been sanctioned by the US Department of the Treasury. The Letter of Acceptance laid out some useful indicia of suspicious transactions including (1) rounded dollar amounts; (2) purpose of payment inconsistent with the customer’s prior activities; (3) the domicile of the individual receiving the funds was not the location where the funds were transferred; (4) the Letter of Authorization provided to the company was dated at or near the date of transfer.
Finally, and to no doubt warm the heart of every process analysis and professional out there, FINRA criticized the lack of oversight. Busby was criticized for failing to engage in appropriate oversight of the company’s AML risk. But the company also failed in its oversight role of providing oversight to the CCO and the compliance function. If it had done so perhaps the company would have realized the impossible position Busby was in and the utterly impossible role she had to accomplish.
Fortunately for the Foreign Corrupt Practices Act (FCPA) compliance CCO, the financial services industry has specific rules that require compliance programs. Such regulations do not exist around the FCPA. However the analysis that FINRA used to bring charges against Busby could well bleed over to CCOs and compliance professionals in the future. With the new Department of Justice (DOJ) compliance counsel, the role of the CCO may be given more scrutiny going forward. It is painful to picture an anti-corruption CCO assessed with liability for a corporation which views compliance as poorly as did Raymond James but they are out there.
The financial services industry has regs requiring compliance programs, which can lead to personal liability for the CCO.Click to tweet
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at email@example.com.
© Thomas R. Fox, 2016