Enforcement News: Broker-Dealer Settles Charges for Failures Related to the Filing of Suspicious Activity Reports

• Posted on: May 19 2021

The proliferation of cyber-events and cyber-enabled crime represents a significant threat to consumers and the financial services system. See FinCEN, Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime (October 25, 2016) (here). With today’s technology, the accessibility of the U.S. financial system “make[s] financial institutions attractive targets to traditional criminals, cybercriminals, terrorists, and state actors.” Id. These bad actors target the website, systems, and employees of financial institutions “to steal customer and commercial credentials and proprietary information; defraud financial institutions and their customers; or disrupt business functions.” Id. As noted in the Advisory, “financial institutions can play an important role in safeguarding customers and the financial system from these threats through timely and thorough reporting of cyber-events and cyber-related information in SARs” or suspicious activity reports.

SARs are governed by the Bank Secrecy Act (“BSA”) and implementing regulations promulgated by the U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”). The law requires broker-dealers to file SARs with FinCEN to report a transaction (or pattern of transactions of which the transaction is a part) conducted or attempted by, at, or through the broker-dealer involving or aggregating funds or other assets of at least $5,000 that the broker-dealer knows, suspects, or has reason to suspect: (1) involves funds derived from illegal activity or is conducted to disguise funds derived from illegal activities; (2) is designed to evade any requirement of the BSA; (3) has no business or apparent lawful purpose and the broker-dealer knows of no reasonable explanation for the transaction after examining the available facts; or (4) involves use of the broker-dealer to facilitate criminal activity. 31 C.F.R. § 1023.320(a)(2) (the “SAR Rule”).

FinCEN’s regulations require that: “A suspicious transaction shall be reported by completing a Suspicious Activity Report.” 31 C.F.R. § 1023.320(b)(1). FinCEN instructs SAR filers to “provide a clear, complete, and concise description of the activity, including what was unusual or irregular that caused suspicion” in the narrative and to “include any other information necessary to explain the nature and circumstances of the suspicious activity.” See FinCEN, FinCEN Suspicious Activity Report (FinCEN SAR) Electronic Filing Instructions (October 2012) (here). To be effective, the SAR should describe “the five essential elements of information – who? what? when? where? and why? – of the suspicious activity being reported.” See, e.g., FinCEN, Guidance on Preparing a Complete & Sufficient Suspicious Activity Report Narrative (Nov. 2003), at 3 (here).

When a SAR is filed “it must include information about each of the Five Essential Elements of the suspicious activity.” See SEC v. Alpine Sec. Corp., 308 F. Supp. 3d 775, 804 (S.D.N.Y. 2018) [here], aff’d, 982 F.3d 68 (2d Cir. 2020). When a SAR “lack[s] basic information regarding the Five Essential Elements … [the] SAR [i]s deficient as a matter of law.” Id. at 800.

FinCEN has provided additional instruction regarding the obligations of financial institutions to report cyber-related events. In December 2011, for example, FinCEN issued an advisory to alert financial institutions to the increased threat of cyber account takeover activity. FinCEN, Account Takeover Activity, FIN-2011-A016 (Dec. 19, 2011) (here).

FinCEN advised that “[c]ybercriminals are increasingly using sophisticated methods to obtain access to accounts” and these “attacks aim to deliberately exploit a customer’s account and, in many instances, to gain seemingly legitimate access to another customer’s account.” Id. In order to assist financial institutions with identifying and reporting account takeover activity where cybercriminals attempt intrusions into a customer’s account in order to steal the customer’s funds, FinCEN also set forth detailed instruction for reporting account takeovers that emphasizes the importance of reporting cyber-related information—including cyber-event data, such as URL address and IP addresses with timestamps, as well as email addresses and other electronic identifying information—in the event of a cyber-enabled account takeover. See FinCEN, Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime, FIN2016-A005 (Oct. 25, 2016) (here); see also Frequently Asked Questions (FAQs) regarding the Reporting of Cyber-Events, Cyber-Enabled Crime, and Cyber-Related Information through Suspicious Activity Reports (SARs) (Oct. 25, 2016).

Rule 17a-8 promulgated pursuant to Section 17(a) of the Securities Exchange Act of 1934 requires broker-dealers registered with the Commission to comply with the reporting, record-keeping, and record retention requirements of the BSA. The failure to file a SAR as required by the SAR Rule—including omitting from a filed SAR “a clear, complete, and concise description of the activity, including what was unusual or irregular that caused suspicion” or failing to “identify the five essential elements of information – who? what? when? where? and why? – of the suspicious activity being reported”—is a violation of Section 17(a) of the Exchange Act and Rule 17a-8 thereunder. See Alpine Sec. Corp., 308 F. Supp. 3d at 798–800.

In the Matter of GWFS Equities, Inc.

On May 12, 2021, the Securities and Exchange Commission (“SEC” or “Commission”) announced (here) that it settled charges against GWFS Equities Inc. (“GWFS”), a Colorado-based registered broker-dealer and affiliate of Great-West Life & Annuity Insurance Company, for violating the federal securities laws governing the filing of Suspicious Activity Reports. GWFS provides services to employer-sponsored retirement plans.

The SEC found that from September 2015 through October 2018, GWFS was aware of increasing attempts by external bad actors to hack into the retirement accounts of individual plan participants. The SEC further found that GWFS was aware that the hackers attempted or gained access by, among other things, using improperly obtained personal identifying information of the plan participants, and that the hackers frequently were in possession of electronic login information, such as usernames, email addresses, and passwords.

In the SEC’s order (here), the Commission found that GWFS failed to file approximately 130 SARs, including in cases when it had detected hackers gaining, or attempting to gain, access to the retirement accounts of participants in the employer-sponsored retirement plans it serviced. Further, for the nearly 300 SARs that GWFS did file, the SEC found that GWFS did not include the “five essential elements” of information it knew and was required to report about the suspicious activity and suspicious actors, including cyber-related data, such as URL addresses and IP addresses.

“Across the financial services industry, we have seen a large increase in attempts by outside bad actors to gain unauthorized access to client accounts,” said Kurt L. Gottschall, Director of the SEC’s Denver Regional Office. “By failing to file SARs and by omitting information it knew about the suspicious activity it did report, GWFS deprived law enforcement of critical information relating to the threat that outside bad actors pose to retirees’ accounts, particularly when the unauthorized account access has been cyber-enabled.”

In agreeing to the settlement, the SEC noted that GWFS provided significant cooperation with its investigation and took subsequent efforts to address the issues identified by the Commission, which included adding dedicated anti-money laundering staff and systems, replacing key personnel, clarifying delegation of responsibility for filing SARs, and implementing new SAR-related policies, procedures, standards, and training.

The SEC found that GWFS violated Section 17(a) of the Securities Exchange Act and Rule 17a-8 thereunder. Without admitting or denying the SEC’s findings, GWFS agreed to a settlement that imposes a $1.5 million penalty, a censure, and an order to cease and desist from future violations.