On March 29, 2021, the U.S. Securities and Exchange Commission (“SEC”) Division of Examinations (“EXAMS”) issued a Risk Alert citing frequent shortcomings found in compliance reviews of Anti-Money Laundering (AML) reporting at broker-dealer and mutual fund firms. Find the Risk Alert here.
It’s important to note that the Risk Alert was issued three months after the U.S. Court of Appeals for the Second Circuit ruled that the SEC has the authority to bring an enforcement action against broker-dealers under Section 17(a) and Rule 17a-8 of the Securities Exchange Act of 1934, on the basis of alleged failures under the Bank Secrecy Act (BSA), including failures to comply with the Suspicious Activity Reporting (SAR) Rule.
What the SEC Wants to See
The Risk Alert summarizes the AML Program Rule and the SAR Rule as they apply to broker-dealers. Under the AML Program Rule, “a broker-dealer is required to establish and implement policies, procedures, and internal controls reasonably designed to, among other things, identify and report suspicious transactions as required by the BSA and its implementing regulations.
“An AML program should be tailored to address the risks associated with a firm’s particular business, taking into account factors such as size, location, activities, customers, and other risks of or vulnerabilities to money laundering. A broker-dealer should look for indicators of illicit activities and incorporate those red flags into its policies and procedures. Awareness by firm personnel of red flags and how to respond to those red flags, including escalating awareness of the red flags to appropriate firm personnel, will help ensure that a firm is in a position to identify the circumstances that warrant further due diligence and possible reporting.”
The SAR Rule requires broker-dealers to report any potentially illegal transactions to FinCEN, and mandates filing a SAR for any completed or attempted transaction involving at least $5,000, or its equivalent in assets, that the broker-dealer “knows, suspects, or has reason to suspect that the transaction or pattern of transactions involves funds derived from illegal activity or is intended or conducted to hide or disguise funds or assets derived from illegal activity as part of a plan to violate or evade any federal law or regulation.”
A SAR’s narrative section should include the who, what, where, when and why of the suspicious activity being reported. The Risk Alert states a SAR is required if “a reasonable broker-dealer in similar circumstances would have suspected the transaction was subject to SAR reporting.” SARs must be filed within 30 calendar days after the discovery of facts that may constitute the basis for filing the SAR, which also should include a “clear, complete, and concise narrative of the activity, including what was unusual or irregular that caused suspicion” in order to enable law enforcement to understand the “nature and circumstances of the suspicious activity and its possible criminality.”
Steps Your Firm Should Take
The Risk Alert identifies four main areas of concern for the SEC – inadequate AML policies and procedures and internal controls, failure to implement AML procedures, failure to respond to suspicious activity, and filing inaccurate or incomplete SARs.
With that in mind, compliance personnel and senior management from applicable departments should check to see if your firm has appropriate policies, procedures, and internal controls in place as they relate to suspicious activities. Consistent with the information provided in the Risk Alert, we have seen examples where firms not only had inadequate policies and procedures but also had failed to implement them.
Your firm can have best-in-class policies, but if you fail to implement them and train your employees, the procedures are rendered useless, leaving your firm vulnerable to bad actors, regulatory scrutiny, and the very inability to carry out your responsibilities under the rules. If you do not implement adequate controls, you will not be able to detect events that may trigger the requirement to file a SAR. It is also a common oversight for firms to fail to perform thorough due diligence on the suspicious activity, thereby leaving them without the necessary details required when filing a suspicious activity report (SAR) with regulators.
Why Smaller Firms Are Susceptible
Smaller firms or firms that do not have a dedicated department responsible for detecting and following up on suspicious activity are highly susceptible to violating AML rules and regulations. Often, smaller firms do not understand their reporting obligations, especially those that do not have experience in developing appropriate policies and procedures related to reports required by the Bank Security Act (BSA) and AML measures. They are likely to have inadequate policies and if they did have a policy, they fail to implement necessary controls to detect fraudulent activity.
Filing inaccurate or inadequate suspicious activity reports with the FinCEN is problematic because those reports, gathered from a variety of sources including other financial institutions, are used to track drug smugglers, human and other traffickers, insider trading, and those individuals engaging in illicit activity. Also, people who want to launder money tend to target smaller firms, many in small towns, to thwart the system. It is those entities the SEC likely will focus on during its enhanced enforcement efforts in this area.
Suspicious activity is high on the SEC’s 2021 priority list in terms of risk because regulators have an increasing number of examples, some of which have resulted from remote work environments firms implemented in response to the COVID-19 pandemic. A stark reality is that as more advisors want to become broker-dealers these days, they often fail to realize the scope of what their obligations are from a compliance perspective.
I liken perpetrators of money laundering to terrorists who will first try to go through smaller, regional airports so they have fewer security measures to contend with. Smaller airports, like many smaller firms, do not have the necessary bandwidth to implement robust measures designed to keep the terrorists off planes. Going through smaller firms allows the bad actors to get into the system, counting on the lack of controls to prevent them from engaging in the untoward activity.
The experienced specialists at Core Compliance & Legal Services can help your firm develop and implement the policies and procedures the SEC looks for when conducting a review of your firm’s safeguards in place for suspicious activity monitoring and reporting. Contact us today at (619) 278-0020 or online at corecls.com to schedule a consultation.