SEC and FINRA Actions Emphasize Continued Focus on Broker-Dealer AML Compliance
On July 11, 2023, the U.S. Securities and Exchange Commission (SEC) announced a settled action involving a registered broker-dealer and its parent company for allegedly failing to file hundreds of Suspicious Activity Reports (SARs) from 2009 to late 2019. On the same day, the Financial Industry Regulatory Authority (FINRA) announced that it too had settled an action with the broker-dealer for failing to file approximately 1,500 SARs as a result of the same compliance failures. The parallel enforcement actions highlight the continued focus of the SEC and FINRA on broker-dealers’ compliance with their Bank Secrecy Act (BSA) and anti-money laundering (AML) obligations.
In the press release announcing the FINRA settlement, Christopher J. Kelly, Senior Vice President and Acting Head of FINRA’s Department of Enforcement, noted that law enforcement and regulators depend on financial institutions to properly report potential fraud and other suspicious activities and called the obligation to file SARs a “basic responsibility.” As discussed in a prior Advisory on the SEC’s 2021 action against GWFS Equities Inc. and a prior Advisory on the SEC’s 2022 action against a dually registered broker-dealer and investment adviser, the SEC has pursued at least one enforcement action against a broker-dealer related to AML program deficiencies in each of the last several years. These actions also follow the SEC’s recent success at the Second Circuit, where the court affirmed the SEC’s independent authority as the primary federal regulator of broker-dealers to enforce Rule 17a-8 under the Securities Exchange Act of 1934 (Exchange Act) and its requirements to comply with the BSA.1
Filing Obligations Imposed on Registered Broker-Dealers
Section 17(a) of the Exchange Act and Rule 17a-8 thereunder require registered broker-dealers to “comply with the reporting, recordkeeping, and record retention requirements” promulgated by the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN). As part of their AML compliance program, among other things, broker-dealers must develop risk-based procedures that allow for the identification of suspicious activity attempted or conducted by, at, or through the broker-dealer and, when such transactions meet certain dollar thresholds, the reporting of that activity to FinCEN through the filing of SARs. For broker-dealers, the threshold is $5,000, regardless of whether the activity involves an insider at the broker-dealer or whether any suspect responsible for the suspicious activity can be identified.2 In contrast, for banks, bank holding companies, and their subsidiaries, the threshold amount is $0 if an insider at the bank is involved, $5,000 if a suspect is identified, and $25,000 if no suspect is identified.3 FINRA imposes similar AML compliance program and reporting obligations on member firms under its Rule 3310. These AML program requirements also require broker-dealers to establish and maintain other program components applicable to traditional banks and other financial institutions.
According to the findings in the SEC and FINRA orders, which the companies neither admitted nor denied, the failure to file hundreds of SARs resulted from the improper use of a $25,000 threshold instead of the required $5,000 threshold at the broker-dealer level for reporting suspicious transactions where a suspect for the suspected criminal activity could not be identified. The SEC order explained that the parent company assumed responsibility for creating and implementing the broker-dealer’s SAR policies and procedures, which incorrectly included the bank $25,000 threshold for filing no-suspect criminal activity SARs applicable to the broker-dealer’s bank affiliates, which resulted in the broker-dealer not reporting suspicious activity above $5,000 but below $25,000. The SEC and FINRA found that the broker-dealer failed to file hundreds of SARs over a ten-year period involving suspicious activity concerning broker-dealer customers who were victims of unauthorized withdrawals, check fraud, account intrusions, and other scams. In failing to properly report such activity, the SEC found that the broker-dealer committed a primary violation of Section 17(a) of the Exchange Act and Rule 17a-8, and that the parent company was liable for causing the broker-dealer’s violation. FINRA found that the broker-dealer violated NASD Rule 3011(a) and FINRA Rules 3310(a) and 2010.
The SEC and FINRA credited the broker-dealer and the parent company’s actions to remediate the issues, which included (1) updating policies, procedures, and automated surveillance systems to properly account for the $5,000 threshold and training the personnel responsible for filing SARs; (2) reviewing all other thresholds with respect to the broker-dealer and confirming that they were using correct thresholds across the SAR program; (3) reporting the issue to the SEC, FINRA, and FinCEN; and (4) conducting a look-back review to the earliest date for which the broker-dealer retained records and then filing 865 SARs. The SEC and FINRA also gave credit to the broker-dealer and the parent company for voluntarily conducting and reporting the results of an internal investigation to the SEC, FINRA, and FinCEN. To settle the matter, the broker-dealer and its parent agreed to pay a civil money penalty of US$6 million to the SEC. It additionally agreed to pay a fine of US$6 million to FINRA in the separate action. To date, FinCEN has not taken any public enforcement action.
These recent actions follow the SEC and FINRA 2017 actions alleging that the broker-dealer committed violations for failing to file SARs on the suspicious movement of funds by its customers. It is not clear what role the prior actions played in the settlements, but the companies’ extensive remediation may have been a factor.
These actions highlight the risks inherent in implementing a uniform, one-size-fits-all AML program across affiliated entities when each may have varying risk exposures and regulatory obligations. Broker-dealers and other financial institutions should design, implement, and maintain policies and procedures that meet current obligations and expectations and are reasonably designed to identify and detect potentially suspicious activity based on the particular risks presented to the institution. The SEC’s 2023 examination priorities, as well as prior years’ examination priorities, emphasize AML compliance as a focus of the examiners. Evaluating broker-dealer AML compliance before the examiners show up is always prudent.
It is also notable that, as of the date of this advisory, FinCEN has not taken any public enforcement action related to this conduct, which may be an acknowledgement of the broker-dealer’s voluntary disclosure to FinCEN as described in the FINRA order. In August 2020, FinCEN issued its Statement on Enforcement of the Bank Secrecy Act, describing its approach to enforcing the rules and regulations within the BSA and outlining a number of considerations for determining an appropriate disposition upon the identification of actual or possible violations of the BSA. Among those factors is “timely and voluntary disclosure of the violations to FinCEN.” Since the issuance of the Statement, all eight of FinCEN’s public enforcement actions have involved respondents that failed to provide voluntary disclosure.
Arnold & Porter is continuing to monitor developments in this area for our financial institution clients. If you are seeking advice on how to mitigate risks in connection with AML compliance and suspicious activity reporting, on how to prepare for or respond to an examination, or on SEC compliance more broadly, please reach out to the authors or your regular Arnold & Porter contact.
© Arnold & Porter Kaye Scholer LLP 2023 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
See 12 C.F.R. §§ 208.62, 211.5(k), 211.24(f), and 225.4(f) (Board of Governors of the Federal Reserve System); 12 C.F.R. § 353 (Federal Deposit Insurance Corporation); 12 C.F.R. § 748 (National Credit Union Administration); 12 C.F.R. §§ 21.11 and 163.180 (Office of the Comptroller of the Currency).