AML Program
Audit Deficiency Update

Sheila Haney, Examination Director, NYSE Regulation, recently reflected on the top deficiencies the NYSE Regulation staff has observed through their examination program. The leading deficiencies noted by the NYSE included:

• Inadequate or Weak AML Programs
• AML Training
• Third Party Vendors and Outsourcing
• Customer Identification Program
• Section 314(a) of the USA PATRIOT Act
• Foreign Bank Certificates
• Bearer Share Accounts
• OFAC Weaknesses
• Independent Testing
• Identifying and Reporting Suspicious Activity

While the issues discussed were insightful, they were generally consistent with observations being identified and documented during NASD examinations. A number of observations found by the NYSE during reviews and member organization's independent tests were clearly thought provoking for those with responsibilities related to AML Programs. These additional items included:

Politically Exposed Persons ("PEPs") Accounts
In general, these accounts were being incorrectly coded as such and this was exacerbated by the fact that Peps do not have to be located overseas. They both can be, and are located in the United States. The other obvious lesson related to these clients is that "Knowing Your Customer" continues to be critical to the foundation of your AML program.

Third Party Vendor Patches
Firms were either unaware of, or they failed to apply, software patches required by third party vendors which provide technology solutions for their AML program. This failure to update software ultimately resulted in failures in the respective programs.

Customer Identification Program
Firms failed to:

• Verify a customer's identity;
• Code accounts with common ownership;
• Notify clients that their identity will be verified; and
• Utilize readily accessible public information to confirm a customer's identity.

Independent Testing
Firms failed to:

• Perform a risk assessment during the testing of the program in the current year;
• Follow up on a prior year identified weakness and/or recommendation; and
• Be assured that the reviewer had adequate experience.

Business Continuity Plan (BCP)
AML surveillance system was not available as a part of the firm's BCP.

Escalation
Firms did not have documented procedures related to the escalation of actions necessary to address identified deficiencies discovered during the testing of the AML program.

Foreign Bank Accounts
Firms failed to adequately screen for foreign bank accounts, and or obtain the required certificates and or close the foreign bank accounts in a commercially reasonable period of time.

Updating of Procedures
Firms failed to update their procedures to address changes in their business activities and or changes in rules in a timely manner.