Who's Independent Enough to Conduct AML Independent Testing? It Depends.
According to compliance consultant Ed McCabe, MD of ARC Consulting System, small firms are getting "push-backs from FINRA regarding the independence of the person who has tested their firms' AML compliance programs. Questions frequently arise around "Rent-a-FinOp" types who conduct the testing. Basic NASD Rules. As originally adopted, Rule 3011(c) required that a firm's AML program "provide for independent testing for compliance to be conducted by member personnel or by a qualified outside party." [emphasis provided by C-I] The amendments and IM-3011-1 provide further guidance on this requirement in 2 ways. First, is the expectation that, for most firms, the independent test should be performed at least once each calendar year. Some firms may conduct such tests every 2 years - as in the case of a firm that does not execute transactions for customers or otherwise hold customesr accounts, among other criteria. Second, IM-3011-1 clarifies certain types of individuals who NASD would not consider to be "independent," and, hence,not eligible to perform the required independent testing. As an initial matter, the interpretation clarifies that the person conducting the the independent test must have a working knowledge of applicable requirements under the Bank Secrecy Act and its implementing purposes. To ensure sufficient separation of functions, testing cannot be conducted by the AML compliance person(s) designated in Rule 3011, by any person who performs the AML functions being tested or by any person who reports to any of these persons. Inherent Limitations for Certain Small Firms. Recognizing certain limitations, NASD allows, under IM-3011-1(c), tests to be conducted by persons who report to either the AML compliance person or persons performing AML functions if...
the firm has no other qualified personnel to conduct the test;
the firm establishes written pols and procedures to address potential conflicts that can arise from allowing the test to be conducted by a person in the reporting chain;
to the extent possible, the results of the test are reported to someone senior to the person to whom the test conductor reports; and,
the firm documents its rationale, which must be reasonable, for determining that it has no other alternative than to comply in this manner.
C-I Take Away. As Mr. McCabe notes, firms that use Rent-A-FinOp types frequently forget how closely aligned that person is to the firm. The Rent-A-FinOp is an associated person of the firm, a registered principal and, in many instances, the person who wrote the firm's WSP. These outside FinOps might also be the designated AML compliance officer of the firm.
The bottom line, and safest approach to take when deciding who will conduct the AML independent testing, is simply to follow the guidelines noted above (which were summarized from NASD NtM 06-07) and document the basis for any determination - especially if the person selected is the "outside" Rent-A-FinOp. In all cases, the person must, in fact, be independent or fulfills the exception criteria noted above. Be Ready! [NASD NtM 6-07, February 2006] Howard L. Haykin Managing Director, Compliance Insights New York, NY (917) 855 - 0965