Action Highlights that Even Sophisticated Companies Serious about Compliance are not Immune from AML Enforcement – and the Importance of Cooperation When Cutting a Deal
On May 12, 2021, the Securities and Exchange Commission (“SEC”) issued an Order instituting a cease-and-desist proceeding under Sections 15(b) and 21C of the Securities and Exchange Act of 1934 (the “Exchange Act”), and imposed a $1.5 million monetary penalty against broker-dealer, GWFS Equities, Inc. (“GWFS”) for its alleged violations of the Bank Secrecy Act (“BSA”) due to its claimed failure to file Suspicious Activity Reports (“SARs”) when it was required to do so, and because certain filed SARs were inadequate. The suspicious activity at issue involved primarily so-called “account takeovers” by cyber criminals, which is of course a growing and pernicious threat.
What is particularly notable about the case is that the SEC targeted GWFS for enforcement for allegedly filing 297 deficient SARs from September 2015 through October 2018 (the “Relevant Period”), despite GWFS having a seemingly otherwise robust anti-money laundering (“AML”) program, a designated and capable BSA/AML Officer, a SAR review committee, written supervisory procedures that stressed the importance of providing “clear, complete, and concise descriptions of” suspicious activity, including the five essential elements of the suspicious activity—who, what, when, where and why (the “five essential elements”)—and GWFS providing formal and informal training to combat and report suspicious activity. Stated otherwise, this AML enforcement action involves an actor clearly serious in general about compliance, rather than a compliance “outlier” representing an easy enforcement target. Crucially, certain filed SARs allegedly omitted the “five essential elements” required in a SAR, even though GWFS allegedly knew the information and also knew that it was obligated to include the information in its SARs. Instead, GWFS utilized a generic format for its SARs that did not contain much useful information.
The lesson here is clear: with regard to the allegedly inadequate filed SARs, the SEC is sending a message that a perceived cookie-cutter, cut-and-paste approach to fulfilling one’s obligations under the BSA will not be enough to stave off scrutiny and potential costly liability from government regulators. With incidences of identity theft and other cybercrimes showing no signs of abating, and the government’s interest in ensuring that financial institutions are playing their role to guard against and to combat cybercrime, additional regulatory actions for deficient compliance are likely to follow. It is not enough to just have a compliance program in place. Broker-dealers should ensure that their compliance staff is well-trained and reports suspicious activity through the issuance of SARs that, at a minimum, contain the five essential elements.
GWFS is one of several affiliates of Great-West Life & Annuity Insurance Company (“Great-West Life”), which is the second largest record-keeping retirement service provider in the nation, overseeing over $700 billion in assets. GWFS is responsible for identifying suspicious transactions that occur in the Great-West Life plan participants’ accounts, and for reporting any suspicious transactions by filing SARs. During the Relevant Period, and due to increased cybercriminal activity, including, but not limited to, identity theft, GWFS had enhanced its efforts to detect and prevent bad actors from gaining unauthorized access to plan participants’ accounts (“account takeovers”).
As a broker-dealer registered with the SEC, GWFS is subject to the SAR Rule set forth in 31 C.F.R. § 1023.320, in addition to similar obligations under Rule 17a-8 of the Exchange Act, which incorporates the BSA reporting and record-keeping obligations applicable to broker-dealers. Under the SAR Rule, GWFS was required to report any potentially illegal transactions to United States Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) and file a SAR for any completed or attempted transaction involving at least $5,000, or its equivalent in assets, that the broker-dealer “knows, suspects, or has reason to suspect: (1) involves funds derived from illegal activity or is conducted to disguise funds derived from illegal activities; (2) is designed to evade any requirement of the BSA; (3) has no business or apparent lawful purpose and the broker-dealer knows of no reasonable explanation for the transaction after examining the available facts; or (4) involves use of the broker-dealer to facilitate a criminal activity.”
The SEC found that GWFS failed to file 130 SARs when it was required to do so. Notably, GWFS’ BSA Officer and SAR Committee allegedly reviewed investigative reports concerning certain individual accounts that were suspected of being victims of an account takeover in excess of $5,000. Even though the BSA Officer and SAR Committee determined in multiple instances that a SAR should have been filed, GWFS allegedly did not take steps to ensure that it filed SARs.
The SEC further found that when GWFS did file SARs concerning account takeovers, at least 297 of its SARs were deficient because they omitted the “five essential elements” of the suspicious activity from their SAR narratives, even though GWFS often knew specific and detailed information about the underlying suspicious activity. The Order issued by the SEC cited the Southern District of New York’s decision in SEC v. Alpine Sec. Corp., 308 F. Supp. 3d 775, 800 (S.D.N.Y. 2018), aff’d 982 F.3d 68 (2d Cir. 2020), for the proposition that it is well-known that a SAR that lacks the five essential elements is deemed “deficient as a matter of law.” The Alpine case is important because the federal district court agreed with the SEC’s argument that it may enforce BSA compliance, directly.
As noted, what is noteworthy here is that GWFS had a seemingly robust investigative arm that enabled it to compile key detailed information concerning the account takeovers, including information identifying the bad actors, phone numbers and IP addresses linked to the bad actors, and details regarding how the bad actors used the ill-gotten funds once they illegally withdrew the funds from the plan participants’ accounts. Nonetheless, the SEC pursued an enforcement action, based at least in part on SARs that were filed but which were allegedly insufficient.
In the end, and importantly, GWFS received a reduced monetary penalty imposed against it due to its significant remedial measures, including, but not limited to, implementing new SAR drafting procedures, increasing the size and experience of its AML compliance team, and restructuring its SAR process to ensure greater quality control.