SEC Settles Charges Against Broker-Dealer for SAR-Related Deficiencies

On May 12, 2021, the US Securities and Exchange Commission (SEC or Commission) announced that GWFS Equities Inc. (GWFS), a registered broker-dealer, had settled charges that it violated the federal securities laws governing a broker-dealer’s obligations under the Securities Exchange Act of 1934 (Exchange Act) to file Suspicious Activity Reports (SARs) for certain suspicious transactions. The enforcement action taken by the SEC against GWFS is another in a line of recent actions against broker-dealers involving SAR-related deficiencies, and it may portend further SEC enforcement activity in this area in the future.

Background

The Bank Secrecy Act and implementing regulations (BSA) establish anti-money laundering (AML) program requirements for broker-dealers, similar to other types of financial institutions. The Exchange Act requires broker-dealers to monitor and report suspicious activity as part of their AML compliance programs. Generally, broker-dealers must file complete and accurate SARs for certain suspicious transactions involving funds or other assets of at least $5,000 that are conducted or attempted by, at, or through the broker-dealer.

In 2003, the Financial Crimes Enforcement Network (FinCEN) issued guidance to financial institutions about preparing the narrative portion of SARs. According to that guidance, in general, “a SAR narrative should identify the five essential elements of information—who? what? when? where? and why?—of the suspicious activity being reported.” In addition, in a series of decisions in the Southern District of New York and the Second Circuit, the courts relied on the FinCEN guidance and established that a SAR is “deficient as a matter of law” when it “lack[s] basic information regarding the Five Essential Elements.” SEC v. Alpine Sec. Corp., 308 F. Supp. 3d 775, 800 (S.D.N.Y. 2018), aff’d, 982 F.3d 68 (2d Cir. 2020).

Section 17(a) of the Exchange Act imposes reporting, recordkeeping, and record retention obligations on registered broker-dealers. 15 U.S.C. § 78q(a)(1). In particular, Exchange Act Rule 17a-8 requires that registered broker-dealers comply with reporting, recordkeeping, and record retention requirements of certain US Department of Treasury and FinCEN regulations, including those relating to SARs. 17 C.F.R. § 240.17a-8.

The SEC’s Settled Action Against GWFS

GWFS, a Colorado-based broker-dealer, provides services to employer-sponsored retirement plans and is the nation’s second largest recordkeeping retirement service provider. According to the SEC’s order, from September 2015 through October 2018, GWFS “began detecting increasing numbers of attempts by bad actors to gain unauthorized access” to the retirement accounts of individual plan participants. The SEC found that, while GWFS’s systems were not breached, these bad actors tried to access the accounts by, among other things, using improperly obtained personal identifying information of the plan participants, such as user names, email addresses, and passwords. According to the SEC’s order, while some incidents involved successful distributions, GWFS stopped most of these attempts before the bad actors could request a distribution from a plan participant’s account.

The SEC found that GWFS personnel, including its BSA Officer, identified fraudulent transactions that required SAR filings, yet GWFS failed to file approximately 130 SARs. The SEC also determined that, for almost 300 SARs that GWFS actually filed, the broker-dealer did not include the “five essential elements” of information that it knew and was required to report, including persons, phone numbers, bank accounts, URL addresses, and IP addresses. For these SARS, according to the SEC, GWFS disclosed only that an unauthorized person had accessed a plan participant’s account and omitted any details about the bad actor or the bad actor’s activity. The SEC found that GWFS omitted this information despite having compiled and provided it to its SAR Committee and BSA Officer. Instead, similar to the Commission’s allegations in its high-profile contested enforcement action against Alpine Securities Corp. (Alpine) for pervasive Exchange Act violations of applicable recordkeeping requirements, the SEC found that GWFS used a template narrative that plainly lacked specificity about the activities or transactions the broker-dealer was reporting as suspicious.

Without admitting or denying the SEC’s findings, GWFS agreed to a settlement that imposed a censure, a $1.5 million penalty, and an order to cease and desist from committing or causing any future violations of Exchange Act Section 17(a) or Rule 17a-8 thereunder.

The GWFS Case in the Context of the SEC’s Contested Action Against Alpine

The SEC’s settlement with GWFS represents the latest in the Commission’s expanded enforcement of SAR-related violations, following contentious litigation in the Southern District of New York against Alpine. The SEC charged Alpine in 2017, alleging that the broker-dealer’s failure to comply with the reporting requirements for filing SARs violated Section 17(a) and Rule 17a-8. Alpine Sec. Corp., 308 F. Supp. 3d at 787. Alpine primarily argued that the SEC lacked authority to bring such a suit because the Treasury Department has sole authorization to enforce the BSA. Id. at 781.

In a series of orders following cross-motions for summary judgment, the district court held, among other things, that the Commission had authority to bring an enforcement action under Section 17(a) and Rule 17a-8 on the basis of Alpine’s failure to comply with the SAR provisions of the BSA. Id. at 797. As a result, the district court concluded that Alpine was liable for violations of Section 17(a) and Rule 17a-8 on the basis of its deficient SARs, and imposed a $12 million civil penalty. Id. at 812.¹ In December 2020, the Second Circuit affirmed the district court’s judgments on appeal, agreeing that the SEC had authority under Section 17(a) and Rule 17a-8 to enforce compliance with BSA standards imposed by FinCEN. SEC v. Alpine Sec. Corp., 982 F.3d 68, 77 (2d Cir. 2020). In doing so, the Second Circuit stated: “The fact that Rule 17a-8 requires broker-dealers to adhere to the dictates of the BSA in order to comply with the recordkeeping and reporting provisions of the Exchange Act does not constitute SEC enforcement of the BSA.” Id.

Other Activity Related to SARs, and Implications Going Forward

Having defended its authority under the Exchange Act to enforce BSA recordkeeping requirements in Alpine, the SEC and other federal financial regulators are likely to continue focusing on broker-dealers’ compliance with AML requirements, including their obligations to monitor, detect, and accurately report suspicious activity. For example, earlier this year, the SEC’s Division of Examinations issued a Risk Alert to the broker-dealer and mutual fund industry regarding compliance issues related to suspicious activity monitoring and reporting. And, last year, the SEC, the Financial Industry Regulatory Authority (FINRA), and the Commodity Futures Trading Commission (CFTC) instituted settled actions against a broker-dealer for failing to file SARs, AML program deficiencies, and supervisory issues, which was the first action of its kind for the CFTC.²

The SEC’s enforcement action against GWFS indicates that the Commission continues to prioritize broker-dealer AML compliance. Fresh off its victory at the Second Circuit in Alpine, the SEC’s Division of Enforcement wasted little time solidifying compliance with the Exchange Act’s AML recordkeeping rules as an area of primary enforcement interest. As the GWFS case illustrates, broker-dealer non-compliance with Rule 17a-8 is low-hanging fruit for the SEC and FINRA, and it should be a priority on every compliance officer’s review list. Broker-dealers should consider reviewing and enhancing their AML compliance programs to ensure they are reasonably designed to allow for the identification and reporting of suspicious activity and to take into account the particular risks presented to the firm. Among other things, broker-dealers also should review policies and procedures to ensure that they incorporate guidance and expectations of the regulators (including procedures ensuring for sufficient and complete SAR narratives) and provide training to firm personnel on their AML obligations. Finally, in light of the constant daily attempts to hack the systems of financial institutions, broker-dealers should pay special attention to determining whether a particular hacking attempt merits SAR reporting.

Arnold & Porter is continuing to monitor developments in this area for our financial institution clients. If you are seeking advice on how to mitigate risks in connection with AML compliance and suspicious activity reporting, please reach out to any author of this Advisory or your regular Arnold & Porter contact.

© Arnold & Porter Kaye Scholer LLP 2021 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.