Credit Suisse Securities (USA) LLC agreed to pay a fine of US $16.5 million to the Financial Industry Regulatory Authority for alleged breakdowns in its anti-money laundering program from January 2011 through December 2015. According to FINRA, from January 2011 through September 30, 2013, the firm failed to “effectively review trading from an AML standpoint.” This is because, said FINRA, during this relevant time, the firm principally relied on its registered representatives to identify and report to the firm’s AML Compliance department activity or transactions that were unusual or suspicious based on red flags highlighted in the firm’s AML policies. However, alleged FINRA, these policies were not “effective” because there were gaps in the review of potentially suspicious or unusual trading and, during the relevant time, certain potentially problematic trading occurred – such as certain microcap stock transactions and sales of unregistered securities – that was not escalated to AML Compliance to assess whether the firm should file a required suspicious activity report. Also, claimed FINRA, during the entire relevant time, Credit Suisse relied on an automated surveillance system to monitor client activity for potentially suspicious money and securities transfers using certain scenarios that the firm determined to implement. However, in fact, the firm failed to implement the scenarios Credit Suisse determined to use or other scenarios that were designed to identify certain “common” suspicious patterns or activities, alleged FINRA. Moreover, said FINRA, Credit Suisse failed to ensure that data fed into its surveillance system was complete (it was not) and failed always to adequately review and investigate identified problematic activity. FINRA claimed that the firm did not have sufficient staffing to review the number of alerts its automated system generated.

Compliance Weeds: Recently, the Financial Crimes Enforcement Network of the US Department of Treasury issued an advisory stating that covered financial institutions must file a suspicious activity report following certain cyber-events (click here for details). Mandatorily reportable incidents are those where a financial institution is targeted by a cyber-event where it knows, or has reason to suspect, the event “was intended, in whole or in part, to conduct, facilitate, or affect a transaction or series of transactions” that involves or aggregates or could involve or aggregate to US $5,000 or more in funds or other assets. It would not matter whether the transaction or series of transactions ended up actually occurring. In addition, FinCEN indicated that it encourages but does not require SAR filings when a financial institution sustains “egregious, significant or damaging cyber-events” that may not require mandatory reporting. An example of this would be a barrage of messages aimed at a financial institution (known as a “DDoS attack”) that damages its website and prevents customers from accessing their accounts for a prolonged period of time. Covered financial institutions include banks, broker-dealers, future commission merchants, introducing brokers and mutual funds.