New AML Compliance Requirements For Qualifying Digital Asset Brokers Go Into Effect on Jan. 1, 2024. Are You Ready??
INTRODUCTION:
Section 80603, of the 2021 Infrastructure Investment and Jobs Act expands the definition of a digital asset broker. This change goes into effect on January 1, 2024 and will significantly impact the digital assets space, as it brings a host of entities under enhanced Know Your Customer (KYC) and IRS reporting requirements for digital asset transfers exceeding $10,000. Though criticism surrounds this new law due to its potential to impose heavy regulatory burdens and hinder innovation, it's important for those involved in the digital asset sector to prepare for its implications.
Entities that fall under the new broker definition include cryptocurrency exchanges, crypto wallet providers, Decentralized Finance (DeFi) platforms, cryptocurrency ATM operators, peer-to-peer trading platforms, crypto payment processors, Initial Coin Offering platforms, crypto custodial service providers, and blockchain-based gaming platforms. Even traditional financial institutions that offer crypto services will need to reassess their compliance measures under Section 80603.
Consumers will also be affected, particularly in transactions that exceed $10,000. These include large digital asset purchases or sales, crypto-to-crypto exchanges, deposits or withdrawals on crypto exchanges, peer-to-peer transactions, crypto payments for goods and services, DeFi transactions, and Crypto ATM transactions.
It's critical for both brokers and consumers to understand their responsibilities under these new regulations. All parties involved should be prepared to adapt to these changes, ensuring compliance with the new rules, enhancing transparency, and promoting accountability within the digital asset ecosystem. In the following sections, we will discuss more specifically how digital asset brokers will be required to comply with these regulatory requirements, including Customer Identification Programs (CIP), Suspicious Activity Reporting (SAR), third-party wires, and compliance with the U.S. Treasury's Office of Foreign Asset Control (OFAC) sanctions lists.
So what are broker/dealers currently required to comply with under the Bank Secrecy Act standards?
Under the Bank Secrecy Act (BSA), financial institutions, including broker-dealers, are legally obligated to develop, implement, and maintain effective Anti-Money Laundering (AML) compliance programs. This mandate is further emphasized in the Financial Industry Regulatory Authority (FINRA) Rule 3310, which outlines the minimum requirements for AML compliance programs within broker-dealers.
AML Compliance Program Prerequisites
An AML compliance program should adhere to several criteria as stipulated by FINRA Rule 3310. At its core, it necessitates that firms develop and put in place a written AML compliance program that has the approval of a member of senior management.
Here are the core elements the program should include:
Suspicious Transactions Detection & Reporting: The establishment and implementation of policies and procedures that are expected to detect and trigger the reporting of suspicious transactions.
Compliance Procedures & Internal Controls: Establishment and implementation of policies, procedures, and internal controls designed to achieve compliance with the BSA and its implementing regulations.
Independent Compliance Testing: Annual independent testing for compliance conducted by member personnel or a qualified external party. For firms involved exclusively in proprietary trading or dealing only with other broker-dealers, this testing is required biennially.
AML Compliance Officer: Firms must designate and identify to FINRA an individual or individuals responsible for implementing and monitoring the day-to-day operations and internal controls of the program. Any changes regarding the AML compliance officer should be updated within 30 days following the change and verified within 17 business days after the end of each calendar year.
Ongoing Training: Provision of ongoing training for the appropriate personnel.
Risk-based Customer Due Diligence: The program should include risk-based procedures for ongoing customer due diligence, understanding customer relationships, maintaining and updating customer information, and identifying and reporting suspicious transactions.
BSA's Applicability to Broker-Dealers
The Bank Secrecy Act applies to all broker-dealers without exception. However, it is important to understand that AML compliance programs can and should be tailored to fit the specific nature of each firm's business and risks. Factors to consider in tailoring these programs include the size of the firm, its location, business activities, types of accounts maintained, and the types of transactions their customers engage in.
Senior Management's Role in AML Program Amendments
The FINRA Rule 3310 necessitates a member of senior management to approve in writing the AML compliance program. If there are subsequent material changes to the program, these too must be endorsed by a member of senior management. Moreover, if there is a change in senior management, the AML program should be re-approved by the new management.
By abiding by these comprehensive legal guidelines, financial institutions can substantially mitigate the risks of money laundering and other illegal financial activities, thereby contributing to the overall integrity and security of the financial system.
Designation and Requirements of an AML Compliance Officer
AML Compliance Officer's Registration Status
According to FINRA rules, a member's compliance personnel needs to register only if they are executing functions that explicitly require registration. For instance, per FINRA Rule 1220(a)(3), individuals identified as a Chief Compliance Officer as per FINRA Rule 3130 must register with FINRA as a Compliance Officer. Neither the Bank Secrecy Act nor the FINRA Rule 3310 necessitates the AML compliance officers to be registered with FINRA. However, if an AML compliance person is performing other functions or activities, firms should scrutinize the related FINRA rules to establish if these other functions mandate registration.
While the AML compliance officer is not obligated to be a registered person merely by serving that function, some firms may opt to register such individuals. It is important to note that, regardless of the registration status of the AML compliance officer, they are considered associated persons as per NASD Notice to Members 02-80, fn.5 and NASD Notice to Members 06-07.
Information Provision about the AML Compliance Person to FINRA
Members are mandated to provide to FINRA the following details of the AML compliance officer: name, title, mailing address, email address, telephone number, and facsimile number. This information is collected by FINRA through the "Contacts" feature in the FINRA Gateway. Optionally, members can also provide similar contact information for an alternate AML compliance person.
In line with FINRA Rule 3310.02 and FINRA Rule 4517, members must review and, if necessary, update the contact details of the AML compliance person. This needs to be done promptly, but in no event later than 30 days following any changes in the contact information. Additionally, firms must review and, if needed, update their required contact information within 17 business days after the end of each calendar year.
This clarification on the designation and requirements of an AML Compliance Officer under the Bank Secrecy Act and FINRA Rule 3310 sheds light on their registration status and the necessary information that firms must provide to FINRA. This transparency enhances the efficacy of the AML compliance program and contributes to the firm's adherence to the regulatory requirements.
This section details the Customer Identification Program (CIP) requirements for opening a DVP (Delivery versus Payment) account and for maintaining customer identification records. Here are the key points:
Firms must have established identification requirements for all customers, including those opening DVP accounts. Verification can use a variety of methods and documentation such as certified articles of incorporation, government-issued business licenses, partnership agreements, or trust formation records.
Recordkeeping requirements stipulate that a CIP should include procedures for maintaining records of all identification information for a customer. These records should include descriptions of documents and non-documentary methods used for verification.
Broker-dealers are required to retain customer identification records for five years after the account is closed.
"Account" is defined as a formal relationship with a broker-dealer for transactions in securities. Some exclusions to this definition include accounts acquired through acquisitions, mergers, purchases of assets, or assumption of liabilities, and accounts opened for participating in an employee benefit plan established under the Employee Retirement Income Security Act of 1974 (ERISA).
A "customer" is defined as a person that opens a new account, or an individual who opens a new account for an individual who lacks legal capacity or for an entity that is not a legal person.
Broker-dealers are generally not required to look through a trust or similar account to its beneficiaries. However, if the account is determined to be high-risk, the firm may require additional information, including identification of beneficial owners.
Personal acquaintance of a potential customer cannot be used as the sole method to meet identity verification obligations.
Firms are not required to verify the identity of those with trading authority over accounts, although there may be instances where extra steps are needed.
A broker-dealer can rely on the performance of another financial institution for some or all elements of a firm's CIP, provided certain conditions are met.
The term "reasonable time" for verification of customers' identities is not explicitly defined but is left to the discretion of broker-dealers, and is expected to depend on the firm's risk assessment.
If standard documentary and non-documentary methods prove insufficient, the firm's CIP must include additional measures to obtain information about the customer's identity, especially for accounts posing a heightened risk.
The verification procedures of a CIP must be risk-based and take into account factors such as the types of accounts, the methods of opening accounts, the identifying information available, and the broker-dealer's size, location, and customer base.
What are the obligations of the member firms under the 'Know Your Customer' (KYC) rules?
Under FINRA's Know Your Customer (KYC) rules, member firms are required to establish the essential facts about every customer before entering into a business relationship. This includes ascertaining the customer's identity, understanding the nature of the customer's business, and the reason for the customer's transactions. This is aimed to protect against fraud, identity theft, money laundering, and terrorist financing.
What role does a Suspicious Activity Report (SAR) play in AML compliance?
A Suspicious Activity Report (SAR) is a tool for reporting suspicious activity that might signal criminal activity, including money laundering. Filing a SAR is a primary means for financial institutions to meet their obligations under the Bank Secrecy Act. The information contained in a SAR, and the identity of the institution submitting it, is confidential, and cannot be disclosed except as specifically authorized by law.
Are member firms required to maintain a separate AML compliance officer?
Yes, FINRA rules require that every member firm designate a qualified individual or individuals responsible for implementing and monitoring the operations and internal controls of the AML program. This person is known as the Anti-Money Laundering Compliance Officer (AMLCO). The AMLCO's role is to ensure that the firm is in compliance with all AML laws and regulations.
Can a member firm use third-party vendors to assist with AML compliance?
Yes, FINRA allows member firms to use third-party vendors to assist with certain AML duties. However, the member firm must ensure that the third-party vendors are appropriately qualified and that the firm maintains ultimate responsibility for AML compliance. Firms must also maintain proper oversight of third-party vendors and ensure that they are compliant with AML regulations.
How often should member firms review and update their AML program?
FINRA requires member firms to review their AML program at least annually. However, if a member firm's business, operations, or customers change significantly, it may be prudent to review the program more frequently. Any changes made to the AML program should be documented and approved by a member of senior management.
Suspicious Activity Reporting
Exceptions exist for the Suspicious Activity Reporting (SAR) requirement, which include instances of robbery or burglary that have already been reported, lost or stolen securities reported under Rule 17f-1, and violations of federal securities laws or SRO rules reported to the SEC or a SRO, with the exception of Rule 17a-8 which still needs to be reported via a SAR.
Broker-dealers are not required to reject third-party wires, but they are required to adhere to FINRA Rule 3110(c)(2)(A)(iv), which necessitates the testing and verification of procedures relating to fund transmittals. Third-party wires are identified as potential red flags for money laundering, which may warrant additional due diligence. This could include contacting the customer, obtaining written authorization, or understanding the reason behind the third-party wire.
Both introducing and clearing firms hold independent responsibility for compliance with suspicious activity reporting requirements. Though a clearing firm can provide tools to help monitor potential suspicious activity, all broker-dealers must comply with the requirements independently.
OFAC
The U.S. Treasury's Office of Foreign Asset Control (OFAC) offers a free Sanctions List Search Tool that helps with compliance regarding sanctions programs. The tool aids in using the Specially Designated National and Blocked Persons list and other sanctions lists managed by OFAC. OFAC also provides its sanctions lists in formats for automated systems and software, and commercially available software packages can also assist with OFAC compliance. More detailed guidance on obligations under the OFAC regulations is available on the OFAC website.
CONCLUSION
The newly expanded definition of digital asset brokers under Section 80603 of the 2021 Infrastructure Investment and Jobs Act, effective from January 1, 2024, will undoubtedly have a significant impact on the digital asset landscape. A wide variety of entities, from cryptocurrency exchanges and DeFi platforms to crypto payment processors and blockchain-based gaming platforms, will now fall under enhanced compliance requirements.
Digital asset brokers will need to adhere to stringent Customer Identification Programs (CIP), monitor and report Suspicious Activity (SAR), handle third-party wires with increased diligence, and ensure compliance with OFAC sanctions lists. As a result, they may face increased operational costs and regulatory burdens, necessitating a significant ramp-up in their compliance infrastructures.
For consumers, the enhanced reporting and KYC requirements for transactions exceeding $10,000 could impose additional hurdles and potentially influence their willingness to engage in larger transactions.
While this regulatory shift is significant, it is a reminder of the maturation of the digital asset space, marking its increased integration into mainstream financial systems. Digital asset brokers that proactively adapt to these changes and prioritize compliance can position themselves well in this evolving environment, potentially gaining increased trust from users and regulatory bodies alike.