On September 1, 2010, the Financial Crimes Enforcement Network (“FinCEN”) assessed a $50,000 civil penalty against Pinnacle Capital Markets, LLC (“Pinnacle” or the “Firm”) — an online, registered broker-dealer based in North Carolina — for the Firm’s failure to comply with the customer identification program (“CIP”) rule, and its failure to implement an adequate AML program and report suspicious transactions, as required by the Bank Secrecy Act (“BSA”) and its implementing regulations.1
In a parallel action announced the same day, the U.S. Securities and Exchange Commission (the “SEC”) instituted administrative cease-and-desist proceedings against Pinnacle and its President and Chief Compliance Officer, Michael Paciorek, for violations of Securities Exchange Act Section 17(a) and Rule 17a- 8, which require a broker-dealer to comply with the reporting and recordkeeping requirements in regulations implemented under the BSA, including, among other things, the CIP rule. Pinnacle and Paciorek consented to the cease-and-desist order. Pinnacle also agreed to be censured and to pay a $25,000 fine.2
These two enforcement actions follow on the heels of Pinnacle’s settlement with FINRA earlier this year3 for the same conduct, in which Pinnacle consented to a censure, a $300,000 fine and other corrective actions for violations of NASD Conduct Rules 3011 (a) and (b) and 2110.
At the heart of all three actions is Pinnacle’s alleged failure to identify and verify the identity of sub-account holders of the Firm’s omnibus corporate accounts. According to FinCEN, the “Firm’s business model encompassed heightened AML risk due to concentrated exposure to high risk foreign jurisdictions.” According to the SEC Order, over 99% of Pinnacle’s customers live outside the U.S. and Pinnacle’s business focused primarily on processing securities orders for foreign financial institutions (mostly banks and brokerage firms) and foreign individuals, using direct market access (“DMA”) software. DMA software allowed the Firm’s customers, including the sub-account holders, to enter orders directly from their own computers and route those orders to various market centers without intermediation by either the Firm or, in the case of sub-account holders, the foreign financial intermediary holding the omnibus account.
FinCEN ENFORCEMENT ACTION
FinCEN found that Pinnacle’s violations were systemic, occurring in large part between October 2002 and September 2009. These involved (i) lack of adequate controls combined with deficiencies in training and independent testing, and an AML program not tailored to its business risks; (ii) failure to conduct CIP; and (iii) deficiencies in monitoring. Each of these alleged failures is broken down into several components, as summarized below.
Pinnacle failed to implement an adequate AML program reasonably designed to ensure compliance with the BSA.
According to FinCEN, Pinnacle failed to establish and implement (i) an AML program that complies with the rules, regulations, or requirements of the Firm’s designated, self-regulatory organization and (ii) a due diligence program for any correspondent accounts maintained with foreign financial institutions.
First, Pinnacle failed to implement four of the five core elements4 of an AML program as required by NASD Rule 3011:
- From January 2006 to September 2009, Pinnacle failed to implement adequate procedures and internal controls for detecting and reporting suspicious transactions. Given Pinnacle’s business model of providing its largely foreign customer base direct access to U.S. securities markets without any intermediation, as well as the volume of transactions the Firm processed daily, its reliance on manually reviewing transaction activity was inadequate to identify suspicious wire and trading activity. FinCEN noted that the Firm did not employ an automated system of review or use the exception reports generated by its clearing firm.
- During the same period, Pinnacle failed to establish adequate procedures and internal controls reasonably designed to ensure compliance with the BSA. Even though Pinnacle acquired AML procedures from a third party, it failed to tailor its AML procedures to reflect the heightened risks that some of its foreign customers posed, including compiling a list of red flags or other criteria to identify and manage these heightened risks. According to FinCEN, Pinnacle did not conduct a BSA/AML risk assessment to identify correspondent accounts with heightened AML risks, including accounts from Eastern Europe, South America and the Middle East, despite the fact that the International Narcotics Control Strategy Report (“INCSR”) classified certain countries in these regions as posing a heightened money laundering risk (e.g., “Jurisdictions of Primary Concern” or “Jurisdictions of Concern”).
- Pinnacle failed to implement independent testing of its AML program and, once it finally implemented such testing, the Firm failed to identify deficiencies. FinCEN found that Pinnacle did not conduct independent testing of its AML program until 2006, four years after it was required to do so. Even after Pinnacle began conducting such testing, however, it failed to identify the deficiencies in its AML compliance program that are the subject of FinCEN’s action.
- From 2002 through 2007, Pinnacle failed to implement ongoing BSA training. Pinnacle failed to provide specific training to its AML Compliance Program Officer or to several other individuals that were directly responsible for carrying out specific components of the AML program on a daily basis.
Second, the Firm also failed to establish and implement a risk-based due diligence program for correspondent accounts, which FinCEN described as an “essential element” of an adequate AML program.
According to FinCEN, Pinnacle failed to perform heightened risk-based due diligence for the overwhelming majority of its correspondent accounts with foreign financial institutions, including sub-account relationships. During the relevant time period, nearly half of Pinnacle’s fully disclosed customers and foreign financial institutions with correspondent accounts resided in “Jurisdictions of Primary Concern,” and the other half of each of these two categories of accounts resided in “Jurisdictions of Concern.”
FinCEN found that Pinnacle failed to implement an adequate risk-rating methodology that evaluated correspondent accounts “based on specific customer information, with balanced consideration of all relevant factors including country/jurisdictional risks, products and services provided, nature of the customer’s business, and volume of transactions.”5 Lastly, the Firm did not document its risk rating methodology in a consistent manner, which impaired its ability to identify suspicious activity.
Pinnacle failed to implement an adequate Customer Identification Program for the period October 2003 to September 2009.
Pinnacle failed to obtain required CIP information for sub-account holders who were affiliated with foreign financial institutions that had opened master accounts with Pinnacle. FinCEN found that these sub-account holders were considered “customers” under the CIP rule6 as they could transmit orders directly to, or through, Pinnacle, and did not require the master account holders to act as intermediaries in the securities transactions effected.7 FinCEN found that the no-action relief provided in October 2003 with respect to omnibus relationships with sub-accounts8 was not applicable here because of the direct relationship between the subaccounts and Pinnacle.
In addition, between January 2004 and August 2006, Pinnacle did not verify the identity of at least 34 out of 55 sampled new corporate customer accounts, either because it failed to collect the required information or obtained it in the form of foreign language documents without obtaining English translations. Lastly, Pinnacle failed to use non-documentary methods, such as checking references or obtaining financial statements, to verify the identities of corporate account holders.
Pinnacle failed to have effective policies and procedures for reporting of suspicious transactions.
Citing a twenty-nine percent (29%) failure rate for reporting suspicious transactions, FinCEN pointed to the Firm’s ineffective policies and procedures as the cause for Pinnacle’s failure to file SARs on suspicious transactions involving millions of dollars during the period October 2005 and March 2007. Among other transactions, Pinnacle failed to investigate or report suspicious activity related to an international pump-anddump scheme, which had been publicly reported in March 2007 as the subject of an SEC investigation. The publicly available information also indicated that the subjects of the pump-and-dump scheme included some of Pinnacle’s foreign customers, who resided in countries that were identified in the INCSR as posing a heightened money laundering risk; yet Pinnacle failed to identify these risks and review transactions originating from these foreign customers.
FinCEN also found that Pinnacle failed to review and report suspicious transactions carried out by an individual customer, who, during a 7-month period, received and sent wires from his account totaling over $2.5 million, resided in a country that the INCSR identified as a Jurisdiction of Concern, and did not have the net worth to support the magnitude of wire activity noted above.
SEC ENFORCEMENT ACTION
The SEC’s enforcement action is more narrowly focused on Pinnacle’s alleged failure to identify and verify the identity of sub-account holders of the Firm’s omnibus corporate accounts.
Of the SEC’s three findings regarding the inadequacy of Pinnacle’s CIP compliance, two are essentially identical to FinCEN’s findings related to the Firm’s CIP, as discussed above.9 In addition, the SEC cited Paciorek for failing to ensure that Pinnacle complied with its AML obligations, including its obligation to maintain an adequate CIP compliance program. Paciorek was Pinnacle’s President and Chief Compliance Officer during the entire relevant period and was responsible for the Firm’s compliance with its AML obligations.
In announcing the proceedings, SEC Enforcement staff emphasized the nature of Pinnacle’s business model in evaluating the adequacy of its CIP program. Robert Khuzami, Director of the SEC’s Division of Enforcement, commented “[i]f a broker-dealer provides customers with direct access to the U.S. securities markets, it must comply with the applicable customer identification rules.” Thomas Sporkin, Chief of the SEC’s Office of Market Intelligence, added that “[d]irect market access was a big selling point to Pinnacle's customers. The sub-account holders of the omnibus accounts held at Pinnacle were permitted to place trades directly in their own accounts using the DMA software and functioned as customers. The customer identification rules require that they be treated as such.”10
FINRA ENFORCEMENT ACTION
As noted above, Pinnacle settled disciplinary proceedings with FINRA earlier this year based on the same underlying facts. FINRA charged Pinnacle with failing to establish and implement AML procedures reasonably designed to (i) verify the identity of customers in violation of NASD Conduct Rules 3011(b) and 2110 and (ii) detect and cause the reporting of suspicious activity in violation of NASD Conduct Rules 3011(a) and 2110, during the period January 2006 through September 2009.
FINRA’s findings were similar to FinCEN’s in that they focused on Pinnacle’s failure to tailor its AML compliance program, including its CIP, to the Firm’s business model and the fact that its customer base was nearly entirely composed of foreign customers, whose identities were not readily identifiable with traditional databases. For example, FINRA found that several aspects of the Firm’s CIP were rendered impractical or went ignored by the Firm because they were not designed with foreign customers in mind. Moreover, many of these foreign investors transacted business through sub-accounts that Pinnacle failed to identify, in accordance with the Firm’s CIP obligations. FINRA also cited the Firm for not tailoring its suspicious activity review procedures to the Firm’s business and its failure to identify and report suspicious transactions, particularly those involving penny stocks and market manipulation.
To resolve the FINRA proceeding, Pinnacle consented to a censure, a $300,000 fine, and an undertaking to have all registered persons sign up within 60 days for three hours of AML training. In addition, the Firm agreed to retain an Independent Consultant to review its AML compliance program, and to make recommendations for modifications and additions to the Firm’s policies, systems, procedures and training.
To further underscore its concerns relating to sub-accounts, FINRA issued Regulatory Notice 10-18 in April 2010, which specifically reminded members that, under certain circumstances, they are required to recognize sub-accounts as separate customer accounts for purposes of applying FINRA rules and the federal securities laws.11 Among other things, Regulatory Notice 10-18 states that, in situations where the member firm has actual or inquiry notice that sub-accounts of a master omnibus account have different beneficial owners, the member firm must inquire further and satisfy itself as to the beneficial ownership of each sub-account.
Regulatory Notice 10-18 also outlines a non-exclusive list of “red flags” that should put a firm on inquiry notice that sub-accounts may have separate beneficial owners.