As we have highlighted in prior posts, regulators of financial institutions, including FinCEN, FINRA and SEC, have increasingly brought actions to bring organizations – and individuals – into compliance with AML / BSA obligations. This enforcement activity is consistent with FinCEN’s August 2014 Advisory, now nearly three years old, emphasizing the idea that U.S. financial institutions must promote a culture of compliance, one that does not allow the pursuit of profits to overshadow obligations prescribed by applicable laws.

The latest example of an enforcement action against both involves a New York broker-dealer and its chief compliance / AML officer. The SEC initiated cease-and-desist proceedings (Complaint) against Windsor Street Capital, L.P. and its chief compliance officer. In the Complaint, the SEC alleges violations of the Securities Act of 1933 and Securities Exchange Act of 1934, stemming from the “unregistered sale of hundreds of millions of penny stock shares.” (¶ 3.) The SEC further alleges that the broker-dealer failed to file suspicious activity reports with FinCEN. (¶ 4.) As a result of these violations, the firm recognized nearly $500,000 in commissions and fees.” (¶ 5.) Finally, the CCO was allegedly personally responsible for “monitoring customer transactions for suspicious activity and ensuring the firm’s compliance with SAR reporting requirements,” a task he failed to fulfill. (¶ 6.)

The Complaint cites broker-dealers’ requirements under the BSA regulations (31 C.F.R. § 1023.320) and the obligation under the Exchange Act (Rule 17a-8) to comply with the SAR rule promulgated by FinCEN. The Complaint also points to the firm’s and the CCO’s awareness of these obligations, both through their internal written AML program (¶ 15), and January 2009 FINRA guidance for broker-dealers titled “‘Unregistered Sales of Registered Securities,’ which lists many of the same red flags listed in the AML Program.” According to the Complaint, the firm ignored these red flags when they permitted customer transactions to occur without filing SARs. (¶¶ 15, 17, 21.)

Key Take-Aways:

  • Profits cannot come at the expense of compliance. As we have seen more frequently over the last several years, financial regulators are exhibiting a willingness to bring actions against individuals, not just companies. This individual risk should embolden CCOs and others in compliance oversight roles to request and receive sufficient resources reasonably necessary to discharge their responsibilities.
  • Written AML programs must be current and reasonably designed to address risk. The regulations require the creation of a written AML policy tailored to the company and reasonably designed to achieve compliance with applicable laws. (31 C.F.R. §§ 1023.200-220.) The policy should include a clear protocol for identifying red flags, escalation of the issues to senior management, resolution and documentation. It is important that these programs be maintained continually and reflect the collective experience of the enterprise. As demonstrated with this case, regulators will look at the written compliance program as putting an entity (or individual) on notice of the required conduct under the law.
  • Most importantly, the written AML program must be followed. It would be a challenge for any enterprise to contradict (or ignore) its written AML policies. Follow-through with execution is imperative to avoid significant – potentially criminal – consequences, enhanced regulator scrutiny, reputational harm and business disruption.