FINRA AML Program Expectations
2024 FINRA Annual Regulatory Oversight Report
By Ed Wegener, Mary Catherine Wilck-Pond, Bill Reilly and Bryan Jacobsen
Subscribe to our original industry insightsGet The AML Expertise You Need
Welcome to today’s episode of the Oyster Stew Podcast, where we delve into the AML portion of FINRA Annual Regulatory Oversight Report, shedding light on essential focus areas, common deficiencies, and effective practices to fortify your AML program. From customer due diligence to transaction monitoring, our experts guide you through the key considerations identified by FINRA and explore the findings unearthed in FINRA’s examinations. Get the AML expertise you need as they discuss prevalent issues discovered, offering tangible solutions to address them head-on. Whether it’s enhancing customer risk assessments or optimizing Suspicious Activity Reporting (SAR) processes, you’ll gain actionable strategies to bolster your AML program. Our industry practitioners draw from their own experiences, providing real-world examples of how these practices can transform compliance efforts.
The AML Partner You Need
Oyster Consulting has the knowledge and experience to help you adhere to these new regulations. Our experienced compliance team has extensive expertise creating and testing AML programs. Our AML experts can also serve as outsourced AML Compliance Officers.
Part of successfully detecting and preventing money laundering and terrorist financing comes from having a modernized compliance program. The right compliance software ensures that your team consistently follows your firm’s procedures to AML risks. When you implement Oyster Solutions compliance software, you will know your policies and procedures are being followed and enforced through automated workflows. Oyster Solutions also provides a tailored risk assessment, so you know where your highest risks are and can prioritize where to focus your team.
Transcript
Transcript provided by TEMI
Bob Mooney: Welcome to the Oysters Stew Podcast. I’m Bob Mooney, General Counsel for Oyster Consulting. Each year, FINRA produces a report highlighting areas of focus considerations, common deficiencies, and effective practices. In today’s podcast, Oyster’s experts will take an in-depth look at FINRA’s AML priorities, sharing their experiences and expertise, so you can effectively use the report to assess and improve your AML program. With me today are Oyster consultants, Bill Reilly, Mary Catherine Wilck-Pond, Bryan Jacobsen, and our Governance Risk and Compliance Managing Director, Ed Wegener. Ed will be leading our discussion today, so let’s get started. Ed.
Ed Wegener: Well, hello everyone. I am Ed Wegener and I am the head of Governance Risk and Compliance here at Oyster Consulting. I want to welcome you to one of a series of blogs and podcasts that we’re doing that are focusing on FINRA’s 2024 regulatory oversight report. In this series, we’re going to do deep dives into the priority areas that FINRA’s highlighted in the report. As part of this here, we’ve recently conducted a blog on FINRA’s focus on Consolidated Audit Trail or CAT requirements. And in future podcasts, we’re going to be discussing areas such as cyber security and communications and sales obligations. But today we want to talk about FINRA’s focus on anti-money laundering, or AML. AML has been an area of focus for FINRA for some time. It’s an area that they look at in examinations regularly. We’ve seen a number of enforcement actions come out related to anti-money laundering findings.
And in their report this year, they highlight key considerations, examination findings, and effective practices that they’ve identified related to AML programs and their execution as they’ve done examinations in the past year. So, we did want to talk about those and really do a deep dive into that. And today I’m very fortunate to have three of our AML experts at Oyster here with me to discuss those findings. We have Mary Catherine Wilck-Pond, Bill Reilly, and Bryan Jacobsen joining us today. Thank you all for joining. Bill, why don’t we start with you? FINRA’s identified a number of key things that firms should consider as they assess their AML programs. Can you discuss what those considerations are and how firms might want to focus on those?
Bill Reilly: Well, thank you Ed, and it’s always a pleasure working with you and my other co-panelists. The related considerations that have been identified by FINRA and are listed in their examination priorities relate to scope of the AML program, suspicious activity reports, customer onboarding, and what comprises an AML independent testing program. So, let’s go ahead and start out with the scope of the program, and there’s a number of components that FINRA feels is important when we’re actually determining a firm’s AML program. I think the most important part really deals with does the firm reasonably address the AML risks associated with its business model. And what we’re talking about are things like business lines, products, services offered customers, and one thing that’s also extremely important are the geographic areas that the firm is operating in. Whether it be a geographical area that may have high incidents of money laundering or an area that may be potentially on a restricted list or may cause more exposure based upon the clientele from that region.
Another area, does your AML program continue to evolve? You know, firms are not stagnant. Firms add additional clients, products, regulations change, and does the firm stay on top of these? Does the firm update its AML written supervisory procedures as necessary? Does it review it on an annual basis? So, very important part of the program. And another area that’s also very important is dealing with issues such as trading, and things such as low price securities, are there are a number of clients and transactions that take place with foreign clients and institutions. Now, these are just a couple of examples that firms should take under consideration when designing their AML program. The next area that FINRA addressed is suspicious activity reporting. This is one of the most important focuses when we’re dealing with looking at the firm’s activity, both clients and also looking at transactions.
Does the firm’s AML program recognize that suspicious activity reporting obligations may apply to any transaction within the firm? We’re not just looking at trading of clients that have a very low risk, but also those clients that may engage in a more sophisticated trading activity. Does the firm identify certain illicit activity? And many people are aware that we refer to these as red flags. Does the firm have procedures designed to report cyber events and cyber enabled crime? This is an area that’s changed over the last couple of years. Everyone’s heard of cyber hacks and intrusions. So, has the firm addressed those areas? Does the firm have procedures and use automation to detect these transactions, these red flag movements of funds, movements of securities? And I think it’s also important to realize that even though we’re really in an age of tremendous technology, but there’s also room out there in many situations, where it’s also necessary that when firms receive these transactional reports that may in fact be red flags, that there’s some sort of manual process.
And many firms will actually engage in this manual review when it gets down to the last couple steps before they may make the determination to file a suspicious activity report. I think one other part of this that’s extremely important is the integrity of its data fields. I mean, one of the things is you may go out and do an exam and find out that the firm that you’re examining has never gone out and done some testing of the information that it’s receiving, whether it be from an outside vendor or if it’s an introducing firm, from its clearing firm. So understanding and determining the integrity of your data feeds is extremely important. The next area that FINRA addresses in the 2024 report is customer onboarding. And I think what it comes down to is, does your firm have reasonable AML procedures to collect identifying information that will allow them to definitively identify and verify its customers to the extent necessary by the CIP rule?
Not only relating to individuals, but also beneficial owners of legal entities. That’s one of the issues that we find a lot when we’re conducting exams. Firms may not go far enough on the beneficial owners and the control persons for CIP purposes. When I was doing some research recently, I came across a new regulation that FINRA has put into place as of January 1st, 2024. This regulation requires legal entities, primarily corporations, LLCs, and so forth, unless they’re exempt pursuant to a provision under the new FINRA rule, to file a report with FinCEN. And one of the things that I think is important for firms to know is that, starting in January, just a month ago, this new process takes place any entity that is created. And the threshold is that they file generally with a Secretary of State division of corporations for that state, is that they are then required to file a report with FINRA.
Now, one of the things that we need to make people aware of is, there are a lot of exemptions available, and some of those exemptions relate to broker dealers, investment advisors, banks. I believe there may be upwards of 15 to 20 exemptions that are available. The reason I bring this up is it’s another avenue by which firms can utilize information to determine beneficial ownership and control of a legal entity. And one of the tools that I’ve also seen that a lot of firms do when trying to determine ownership of a legal entity is that they’ll have some form like a certification that’s required to be completed by a firm that is a corporation or an LLC that will provide information regarding beneficial owners and control persons. Very valuable tool to start out your CIP process for legal entities.
The last item I want to talk about, and this is also very important, is your AML testing independent? Are you utilizing an outside third party? And a couple things that you need to when you’re determining which independent testing vendor to utilize. One of the things you want to make sure is that the vendor and the person who’s conducting the testing is independent and knowledgeable. What’s their experience and conducting AML independent testing? Is this the first exam they’ve done? If it is, are they going to work with someone on some sort of guidance? Or is it an individual that may have a designation and substantial testing experience? Another requirement that’s also very important, are you conducting these annually? Are there reviews indicating general compliance? Which is what we find with most firms.
And those that I’ve conducted over the last few years generally have some sort of written procedures that they’ve followed general compliance. But there are some situations where you may find deficiencies. And one of the things that you want to do is work with your third-party independent vendor in determining what those deficiencies are and potential remedies to address those. And one of the main things that I see a lot, and I recommend if firms don’t have them, is they create some sort of tracking mechanism, maybe a matrix or something. And what the purpose of the matrix would be, determine and document, you know, what the deficiencies are. And some firms will use this matrix to identify the issue, the owner of the deficiency, status of the deficiency. Is it something where the, the review has started, so the status would be pending. And I think what’s also very important is what is the resolution of that deficiency review?
And most important, your AML written supervisory procedures is the remedy. If you’ve got a situation where you are the firm is not doing a great job on, we’ll say, beneficial owner or control persons of legal entities, what is the remedy and where is that remedy placed within those procedures to make sure that the firm is following its policy? So I think this has a lot to do with what’s the program about? Does it have suspicious activity, monitoring the validity of that information, customer onboarding, and then again, testing. Is the firm taking the testing seriously? Is it determining that it wants to make corrections and move forward with enhancing its AML written supervisory procedures. So I think those are a lot of areas that firms need to be aware of as we move forward into 2024.
Ed Wegener: Well, thanks for that Bill. And there’s a lot to unpack in those considerations. But just a couple of things to highlight in what you were talking about. I think importantly, in terms of the overall programs, one of the things that you mentioned is making sure that the AML program is tailored to the specific firm in terms of the nature of the firm and their products and services that they offer their customers. The complexity of the firm and the risk associated with the business from anti-money laundering, don’t just set it and forget it, that it’s something that must evolve and must be reviewed. And those annual testing are good opportunities to be able to do that. Another thing that you mentioned that I think was really important, has to do with the surveillance for suspicious activities.
And FINRA had issued regulatory notice back in a 2019 regulatory notice, 19-18, where they highlight a number of AML red flags. So, it’s important that firms as part of their risk assessments or part of their testing, reconcile those red flags to their surveillance system. So how are you able to identify these red flags as part of your ongoing surveillance? So doing that type of reconciliation is important. And then also, as you point out, importantly going into this year, there’s the requirement for beneficial ownership reporting for legal entities. So this isn’t the broker dealer’s responsibility at this point. Legal entities have to report to FINRA themselves who their beneficial owners are. But that will definitely have an impact at some point in terms of broker dealers and other financial institutions requirements in terms of how they collect that information, what tools they have at their disposal to review those. So, it’ll be important to understand and keep an eye out for how that’s going to impact the expectations that broker dealers going forward. And that leads into the next point, Mary Catherine, FINRA has all these considerations, the requirements, now they’re conducting routine examinations, and one of the areas that they tend to focus on is the effectiveness of firm’s procedures and controls. Can you talk a little bit about what are some of the things that they mentioned that they’ve been finding in their examinations around AML?
Mary Catherine Wilck-Pond: Yeah, absolutely, Ed. Thank you. FINRA’s report cited a handful of common deficiencies that they’re seeing among broker dealers, and these were the basis for their 2024 report considerations that Bill spoke about.
The common deficiencies are, one, inadequate verification of customer identity. Firms are failing to collect identifying information at account opening to reasonably verify within a reasonable period of time the identity of customers and beneficial owners of legal entity accounts.
Second common deficiency, inadequate responses to red flags. Firms are auto approving customer accounts despite red flags or potential red flags associated with information that the customer provided. Additionally, FINRA noted that firms do not have written policies and procedures that can reasonably be expected to detect identity theft in connection with new account opening. It’s been my experience, many firms do not have in place an identity theft prevention program as required by SEC, reg SID.
Third common deficiency, inadequate due diligence. Firms are failing to conduct initial and ongoing risk-based customer due diligence to understand the nature and purpose of customer relationships to develop risk profiles.
Fourth, inadequate ongoing monitoring and reporting of suspicious transactions. Firms are failing to establish and implement written AML procedures that can reasonably be expected to detect and allow for the reporting of suspicious activity.
Additionally, FINRA noted that firms are failing to review and respond to red flags associated with high-risk products and services such as a CH and debit card, ATM transactions and low priced thinly traded securities and crypto trading. And last in this category of inadequate ongoing monitoring is the issue that firm personnel are not notifying the AML Department of events that may require the filing of a SAR such as a cybersecurity event, an account takeover or attempted takeover, or a fraudulent wire, a CH or ACAS transfer.
Fifth common deficiency, inadequate handling of FinCEN information requests, inform request firms are not reviewing and responding timely to FINRA Section 314A requests.
And lastly, inadequate testing. Firms are failing to conduct adequate independent testing of their AML programs by not providing for annual testing or testing every two years where applicable, not testing for the adequacy of the program when the firm has taken on new products, services, or client base. And lastly, conducting testing that is not reasonably designed for the firm’s business model. Bill talked about designing a program around your firm’s business model and not ensuring that the person performing the testing has the qualifications and independence to perform the testing.
So, I would say in summary, FINRA is saying to ensure your AML program is reasonable for your firm’s business model, that it addresses customer due diligence at onboarding, that your firm develops customer risk profiles, and that your firm reviews and responds to red flags with high-risk products and services. And lastly, perform your FINRA 314A searches timely and have your AML program tested annually.
Ed Wegener: Oh, well, thanks Mary Catherine. And you could see how the considerations that Bill talked about flow into the types of things that FINRA’s looking at, and also importantly, that FINRA’s finding in terms of deficiencies on their exam programs. And one of the things that I think it’s really important to make sure that you’re looking at, and you had mentioned this in terms of the red flags, we’ve talked about that under the considerations, but not only being able to identify the red flags, but importantly, what do you do once you identify those? And so it’s really important to make sure that when you identify red flags as part of your surveillance program, that you’re doing a deep dive in assessing those red flags, identifying whether there is an issue that might need reporting. And importantly, critical to this is that you’re documenting what was done and the results of the review so that you have an audit trail when FINRA does come in and conduct a review.
Because one of the challenges we’ve seen are situations where a firm may be doing the suspicious activity reporting, but they don’t have any documentation to demonstrate that they have or what they’ve done. So that’s really critical. And all of these things, the considerations, the things you should be thinking about, the types of things that FINRA’s looking for and finding in their examination program lead into what are some effective practices that firms can put in place in order to make sure that their programs are strong and they’re going to be able to pass a regulatory examination and be deemed as reasonably designed. And so, Bryan, you’ve worked with us as a consultant for a number of years. You have experience as an anti-money laundering compliance officer with broker dealers. What are some of the effective practices that FINRA’s identified or that you have used in order to make sure that you have a really strong program?
Bryan Jacobsen: Yeah, great question and thank you, Ed. So, if you’re like me, when you read these effective practices that FINRA puts out, you’ll probably come away thinking, well, gee, that’s the same or similar practices that they might’ve mentioned the year before, even the last couple years. And as I thought about that, it reminded me of a situation when I was a kid and my mom was less than happy about something that I did, and she lectured me about why I went astray and did wrong. And five minutes later, she re-lectured me on the same thing. And when I mentioned that to her, she said, well, I wanted to lecture you twice because A, it’s extremely important, and B, if you don’t comply, then consequences will abound.
So, I think, that’s the takeaway here, right? I mean, FINRA’s not putting these out because they want to just repeat the same thing. They’re saying that, look, these are important things that they’ve seen in other programs that really do lead to better overall AML programs. So with that being said, there’s a lot of good stuff here to talk about. The first thing is regulatory updates and reviewing alerts. Now, we can truly appreciate how inundated everyone is with just the data overload, right? I mean, whether it’s from Oyster or any number of a thousand other sources, you can probably have news overkill. But it’s important to find the sources that you find reliable and to really pay attention to the things that are coming out, right? Are there significant cases, are there new AML requirements?
Are there things like the Corporate Transparency Act that you have a new source that’s going to keep you up to date. And then also, are you joining different organizations? And I’ll stick to AML obviously, but organizations such as ACAMS being probably one of the larger ones if your people are not ACAM certified, then that’s something to definitely look at. If they are certified, having them join the local round tables. And pretty much every mid to large city will have an ACAMS round table at this point. Having them join that and do the monthly meetings, those are invaluable because that’s when you can network with people not just in your industry, but people that are local to you that hopefully can give you some pretty good insight and things that they’re seeing.
And then of course, just overall regulator communications, just being on the lookout for any notice to members or anything like that. The second thing I’d like to point out, and this is something that I do see quite often when I review firms AML programs is their risk assessment, or I should say lack of a risk assessment. So I think there’s still some confusion on when and where should a firm conduct a risk assessment. It’s important to note that an AML risk assessment is not a regulatory requirement. However, that being said, most regulators at this point have made it to the point where they almost expect it to be an arsenal that the AML program is using. And not that they could quote a rule saying that you violated rule, but they’re certainly going to have a less positive view of your AML program.
If they don’t see the risk assessment, the next question I often get is, well, you’re doing the audit, the independent audit, isn’t that the same as doing the risk assessment? And the answer is absolutely not, right? Because I come in and I’ll look at your policies and procedures, and then I will do a testing of those against the previous 12 months. And then I’m going to let you know what weaknesses I saw in your policy, anything that you maybe didn’t carry out like you should have. And I’ll make recommendations like that. A risk assessment done well should really be a holistic view of your entire program, right? It’s going to look at everything from the type of products that you sell, the type of client base, the location of those clients. Are you subscribing to things like high known areas that have higher drug trafficking and that sort of thing that can obviously lead to money laundering issues.
So, that’s the purpose of the risk assessment, and what that really should do is draw you a blueprint to say, okay, I’m going to draw two lines. The first point is going to be, what is the risk of this? If I had absolutely no control in place, how, how risky is it? And then when I implement my control that I do have in place, where does that risk lie? And then at the end of the day, you’re going to be able to formulaically look at these things and decide, where should I focus attention for the coming year? Where do I have items that maybe are presenting more risks than I’m willing to take? And, therefore, should more resources be put in? So, looking at the risk assessments, I would say that of the firms that I review, there’s still a lot of them that have not done the risk assessment.
And again, I would highly recommend that that’s being done. The next thing is, and I think we’ve mentioned this a couple times, but the independent audits, now I’m going to look at this a little bit differently, right? I mean, obviously every firm is required to go through an independent audit. So, that’s nothing new. But what I would like to stress is the quality of the audit. And this is not going to be a commercial for Oyster by any means. What I would say is that when you interview firms that you’re interested in having them do the independent audit, and that could be whether it’s Oyster or any number of other firms, really ask detailed questions and not just about the quality and the qualifications of the person doing the review, but also ask them to walk you through the process that they’re going to take to conduct the review, right?
Because the last thing you want is someone that comes in and does a check the box review, or maybe just puts a lot of fluff in the report, but at the end of the day, the report does not present any meaningful recommendations that you can then take to strengthen your program. So it, it really is important that you invest the time to find those consulting firms that are going to do a good independent audit. The last thing that I’ll touch on is really the overall CIP practice. So obviously, CIP is nothing new. But there are certain practices that time and time again the firms that have really strong AML programs will have strong CIP practices. And some of the things to point out would be things like requiring both documentary such as an unexpired government issued ID and non-documentary, like using an Experian or one of those systems and using the combination of the results to then do the CIP and the KYC for that customer and bringing them on board.
What I’ve seen quite a bit, and this is probably more prevalent in fintech or firms that have a stronger online account opening process, is there is a natural tendency to say, Hey, we want to really just do non documentary methods to be much more efficient and expedient for the customer to get on board, which is true, but doing both is always going to be a better practice. And then even then especially some of these firms that open up online accounts, one thing to also think about is what I would call a selfie check. So a lot of firms I’ve seen more and more will invest in a software program that actually does have the customer take a selfie. That picture is then identified against the driver’s license or government ID picture to compare and to make sure it’s the same person.
And not only that, but the better programs will actually take three rapid succession pictures. And what they’re looking for is the subtle movements, whether it’s the blinking of the eye or the subtle movement that everyone makes subconsciously, and they use that to know that, okay, this is an actual live person and not like some picture that they got off the internet or what have you. So, those type of things. Follow up questions is key, right? When I review a program based on the type of questions they’re asking their customers, if they do need additional information and the quality of those questions, a lot of times that by itself will indicate a strong AML program. One of the things I I’ll touch on is IP address. So I think a lot of firms currently do incorporate some type of IP address check.
So namely, if you’re using an IP address in North Korea as an example, that’ll probably be blocked. But where I still see a little bit of a need for improvement is VPN blockers. So especially certain parts of China where they, if you’re not familiar, there’s a term called pig butchering because they’re going to find a customer and they’re going to butcher that pig from snout to tail and take everything in between. But this is a true situation where there are actually old towns in places like China and North Korea, where literally it’s a hundred, 200,000 people, and that’s all they’re doing is finding ways to data mine and to find information so that they can impersonate people and get their hard-earned assets.
So, the point being is that the way they tend to come into other firms is by use of VPN, so that they can disguise, instead of coming from North Korea, they’re coming from Timbuktu or whatever. The software to prevent that is pretty readily available. It’s not foolproof like no software is, but it’s something that firms really need to incorporate. And then the other thing, and I think we’ve talked about red flags, but the overall surveillance process, I have seen a shift over the last few years where a lot of firms are focusing so highly on the front end supervision and AML checks on the front end especially when it comes to like a check coming in or maybe a transaction occurring, but they’re not really spending as much time on the backend surveillance, looking for more of the holistic view of that account and what’s going on with that client.
Are there red flags that they need to put that client on some type of heightened review or some type of enhanced review type things. So some type of surveillance process. And that also goes along the lines of the SAR filings, but a lot of firms still tend to be lacking in what’s called a 90 day or continuation SAR, when you file a SAR, especially if that account is still open. But it was suspicious enough for you to file the SAR you do have a requirement to follow up in 90 days to then basically reassess and see if the suspicious activity is still continuing. I see a lot of deficiencies along those lines as far as firms not having those procedures in their WSP. So, something to really look at that’s what I would have. Ed, again, thank you for having me on the call.
Ed Wegener: Well, thanks so much, Bryan. And one of the things that I’m struck with is just as you can see, the risks are becoming much more complex. And I think the expectation of the regulators is that as those risks become more complex, that the controls and the tools that firms have in place in order to address those complex risks, continue to evolve and adapt to be able to address them. And one of those key tools that you had mentioned is the risk assessment. And I think to your point that while currently not specifically called out as being required as part of an AML program the regulators are really looking to it because one of the things that they have identified is that AML programs, compliance programs in general, but specifically AML programs be risk-based.
And it’s very difficult to have a true risk-based program unless you know where those risks are. So it’s important as part of a good, strong and effective practice to assess the risks regularly to identify and be able to distinguish between types of accounts, types of activities, types of product services, customers, et cetera, where the risk might lie, and make sure that your controls are tuned to that so that you have stronger controls or more focused controls in the areas of higher risk. And in order to be able to do that, doing a risk assessment is a key component of that.
And as I think you can all tell from the discussion today that AML continues to get more and more complex, the expectations of regulators continue to increase and put a lot of pressure on compliance programs to make sure that they’re keeping up with those issues. And so using something like this where the regulators put out these types of reports is really critical. I think it’s a great tool that the regulators provide to the industry in order to be able to do this. So I was wondering if maybe I’ll just throw it out to the group, if you guys could just talk about effectively using a report like this in assessing and enhancing your programs, how firms utilize this type of information to assess their program. So I’ll just throw it out there and whoever wants to jump in, please do.
Mary Catherine Wilck-Pond: I think one of the things that is very easy for a firm to do is look at the deficiencies that they cited and ask themselves, if a regulator came in today, would a regulator cite me for one of those deficiencies? And so, I think that’s pretty straightforward that you can pull out your AML program, look at this list of deficiencies and say, where do I land?
Bryan Jacobsen: Yeah, great point, Mary Catherine. One thing I would say is, at this point, most firms I think have some type of risk committee, and maybe they even have a specific AML committee, but most firms at least have a risk committee that meets monthly or maybe quarterly. And to me, this would be something that would be so valuable to have, you document each of these core items on a spreadsheet, and then you discuss each one and as a group, and the value of the risk committee is obviously it’s not just the AML officer, it’s not just the CTO, it’s business, it’s sales, it’s operations, it’s everyone that would have kind of a different perspective on what’s going on.
And then you talk about these issues and then obviously that’s probably going to lead to maybe recommendations for changes, updates, improvements, what have you. But the value is even if the program is doing a hundred percent of everything that they should do, the fact that you’re going through this and formalizing it in a committee type structure optically to FINRA, that just sings so beautifully, right? Because It shows that the value that you place on not just their communications, but also on the value of having an effective AML program. So again, I think documenting the review and discussion is just something that is just great to always have in your arsenal.
Ed Wegener: You know, we talked about the AML required tests that need to be done, and also broker dealers are required to do testing under 3120. I think it’s important to take these types of tools and incorporate them into that testing. You want to make sure that you have the required procedures and they’re executing those required procedures, but taking a look at what the regulators are looking for on their exams and then assessing your program in light of that to what you had mentioned, Mary Catherine, is a terrific practice to engage in, just to make sure that you’re ready for when the regulators do come out, but also they’re looking at these things for a reason, because these are the types of things that are the hallmarks of an effective program. And so, you want to make sure that you’re really incorporating these types of things into your programs to make sure that they’re effective. Well listen, I really appreciate it, these are all important areas. This is a great time to reflect back on the past year and look forward into the coming year using a report like this. And so your insights have been fantastic. I really appreciate your time and want to thank you all for joining and listening, and we’ll talk to you soon.
Bob Mooney: Thanks everyone for listening. If you’d like to learn more about our experts and how Oyster can help your firm, visit our website oysterllc.com. If you like what you heard today, follow us on whatever platform you listen to and give us a review. Reviews make it easier for people to find us. Have a great day.