SEC’s Division of Examinations Signals Continuing Focus on Broker-Dealer AML Compliance Obligations
The Situation: The Securities and Exchange Commission’s Division of Examinations ("EXAMS") released a Risk Alert on March 29, 2021, reminding broker-dealers of their obligation to comply with anti-money laundering ("AML") requirements imposed by the Bank Secrecy Act ("BSA") and related regulations—in particular, those relating to the filing of Suspicious Activity Reports ("SARs").
The Result: The Risk Alert highlighted deficiencies observed by EXAMS and encouraged broker-dealers to review and improve their AML policies, procedures, and controls related to the monitoring and reporting of suspicious activity.
Looking Ahead: The Alert, together with EXAMS’ 2021 Examination Priorities, signals a continuing focus by the SEC on AML issues. To diminish the possibility of an enforcement action, brokers and other financial institutions should ensure that their AML and SARs policies, procedures, and practices comply fully with regulatory requirements.
On March 29, 2021, the SEC’s Division of Examinations released a Risk Alert reminding broker-dealers of their AML obligations and highlighting concerns it has observed regarding monitoring and reporting of suspicious transactions by broker-dealers.
Broker-Dealers’ AML Responsibilities
Several rules adopted under the BSA govern broker-dealers’ AML obligations. The Risk Alert focuses on the "AML Program Rule," which requires broker-dealers to develop and implement policies, procedures, and controls reasonably designed to detect and respond to suspicious activity. Under the rule, brokers’ AML programs must be designed to address a firm’s specific risk profile and identify markers of suspicious activity, or "red flags." The Risk Alert also highlights the "SAR Rule," which requires broker-dealers to report certain suspicious transactions, generally those over $5,000, which the broker knows, suspects, or has reason to suspect may involve illegal activity. As the Alert explains, the Department of the Treasury, Financial Crimes Enforcement Network ("FinCEN") has provided guidance requiring that SARs include a clear, concise narrative describing the suspicious activity, answer key questions, and be filed within 30 days after the date of initial identification of facts forming the basis for filing a SAR.
Section 17(a) of the Securities Exchange Act of 1934 and Rule 17a-8 thereunder require broker-dealers to comply with the requirements of the BSA, including those relating to SARs. The Alert warns that failure to comply with the BSA—including the AML Program and SAR Rules—could constitute a violation of Section 17(a) and Rule 17a-8. FinCEN, the SEC, and certain self-regulatory organizations also impose additional AML requirements on financial institutions and have published detailed guidance.
Exam Staff Observations
The Risk Alert outlined several deficiencies observed by EXAMS relating to broker-dealers’ AML compliance programs and reporting practices.
Deficient Policies, Procedures, and Controls: The Alert observed that a number of broker-dealers have failed to establish adequate policies, procedures, and controls necessary to identify and report suspicious activity as required under the BSA. Observations included:
- Failure to incorporate known "red flags" or business-specific risks in the design of AML programs. EXAMS staff expressed particular concern with respect to red flag identifiers used by firms whose customers engaged in the trading of low-priced securities, which sometimes can signal participation in an unregistered distribution, pump-and-dump schemes or market manipulation.
- Failure to implement automated monitoring of large-volume trading data, relying instead on manual review.
- Failure to set the correct parameters for automated detection and reporting of suspicious trading activity, such as setting the detection threshold for "penny stocks" trading at $1 instead of $5.
- Setting SAR reporting thresholds significantly higher than the $5,000 threshold specified in the SAR Rule.
- Improperly relying on clearing firms for reporting compliance, and failing to take into account high-risk activity by customers when designing procedures.
EXAMS noted that some brokers with reasonably designed policies and procedures did not implement them effectively and, as a result, did not report suspicious activity that triggered reporting obligations under their own policies. For example, some firms were not consistent in filing SARs for apparently identical activity, failed to use available reports and systems to monitor for suspicious activity, and failed to follow up on red flags (e.g., wash or cross trades and potential insider trading).
Monitoring and Reporting: The Alert outlined several issues with broker-dealers’ monitoring and reporting of suspicious transactions, particularly regarding transactions in low-priced securities, which EXAMS described as "particularly susceptible to market manipulation." These included:
- In certain cases, deficient policies, procedures, and controls—or the failure to adequately implement policies and procedures—resulted in brokers failing to detect, investigate, or file SARs relating to known indicators of suspicious activity, such as certain high-risk transactions in thinly traded, low-priced securities, patterns of similar trading across multiple customer accounts, trading in the stock of shell companies or issuers that have been subject to trading halts or whose associated persons are so-called bad actors, and transactions involving customers with a history of legal and regulatory violations.
- Brokers, on occasion, failed to include basic information relating to customers or issuers that was publicly available or otherwise known to the firm from its own records (e.g., where customers were affiliates of control persons of the issuers whose shares they were trading). Brokers sometimes failed to use the specific structured data fields in SARs filings or relied on "generic boilerplate language" to describe the suspicious activity, thereby limiting the utility of the SAR to law enforcement and regulators.
- Some broker-dealers failed to include information known about the method and manner of cyber-intrusions and schemes to "take over" customer accounts, including the manner of transferring funds, how the account was accessed, bank account information, email addresses, and IP addresses.
Looking Ahead: Further Enforcement Actions Loom
The Alert follows EXAMS’ inclusion of broker-dealers’ AML programs in its 2021 Examination Priorities as an area in which it intends to focus its resources for examinations in the coming year. The SEC and other regulators have brought a series of enforcement actions against financial institutions for failure to comply with AML requirements, such as an August 2020 action in which a major brokerage agreed to pay over $38 million to resolve actions brought by the SEC, Commodity Futures Trading Commission, and Financial Industry Regulatory Authority for failure to file SARs and maintain adequate AML policies and controls. The Department of Justice has likewise recently brought charges against financial institutions for BSA violations predicated on willful failures to file SARs or to maintain effective AML compliance programs.
In December 2020, the Second Circuit in SEC v. Alpine Securities Corp. rejected a challenge to the SEC’s authority to enforce the BSA’s AML reporting and recordkeeping requirements, removing a potential obstacle to continued enforcement activity by the Commission and others in this area. With publication of the Risk Alert, broker-dealers and other registrants are on notice of the SEC’s continued focus on strengthening AML compliance, and all financial institutions should carefully consider the specific and thematic observations regarding policies, procedures, and controls relating to the reporting of suspicious transactions.
Stephanie M. Pryor, in the New York Office, assisted in the preparation of this Commentary.
Four Key Takeaways
1. The Risk Alert makes evident that the SEC is scrutinizing broker-dealers’ compliance with their AML obligations. The Alert is part of a broader continuing focus on AML compliance across the federal government. Altogether, these reviews create the imperative for financial institutions to examine and refine their AML programs, particularly if they have significant trading activity in low-priced securities.
2. Firms must have policies, procedures, and controls that are well implemented, not just well designed. EXAMS will view unfavorably policies and procedures that look good on paper but are not followed in practice.
3. When preparing SARs, quality matters. SARs should avoid boilerplate language and must answer basic questions about the transactions at issue. Firms should ensure that they have policies and procedures in place to capture relevant information known to the firm about the transaction and parties.
4. While the Risk Alert focuses on the AML obligations of broker-dealers, many observations are applicable to other financial institutions. All financial institutions with BSA reporting obligations should pay close attention to EXAMS’ observations on AML issues, as well as those articulated by other agencies, to diminish the possibility of an enforcement action.