The Financial Industry Regulatory Authority issued a Regulatory Notice reminding members of their obligation to maintain a written policy reasonably designed to detect and report qualifying suspicious activities to the Financial Crimes Enforcement Network of the US Department of Treasury. (Click here to access FINRA Rule 3310.) Generally member broker-dealers must report all suspicious activities (including attempted misconduct) that aggregates funds or other assets in excess of US $5,000 that the BD knows or has a reasonable basis to believe are transactions (1) involving funds obtained from illegal activity or to hide funds or assets obtained from illegal conduct as part of a plan to evade federal law or regulation or to avoid a required transaction reporting requirement; (2) designed to avoid anti-money laundering requirements; (3) that have no business or apparent lawful purpose; or (4) that use the BD to facilitate criminal conduct. FinCEN’s guidance lists 97 potential red flags that it advises BDs to consider when evaluating the need to file a SAR.
Compliance Weeds: SAR reporting requirements apply not only to BDs but also to Commodity Futures Trading Commission-registered futures commission merchants and introducing brokers. (Click here for background.)
Not only traditional red flags of potential money laundering must be reported as suspicious activities to FinCEN, but also certain cybersecurity breaches and potential breaches.
In October 2016, FinCEN issued an advisory stating that covered financial institutions must file a suspicious activity report following certain cyber-events. Mandatorily reportable incidents are those where a financial institution is targeted by a cyber-event where it knows, or has reason to suspect, the event “was intended, in whole or in part, to conduct, facilitate, or affect a transaction or series of transactions” that involves or aggregates or could involve or aggregate to US $5,000 or more in funds or other assets. It would not matter whether the transaction or series of transactions ended up actually occurring. (Click here for details regarding this FinCEN advisory in the article “FinCEN Issues Advisory Saying Cyber Attacks May Be Required to Be Reported Through SARs” in the October 30, 2016 edition of Bridging the Week.)
Recently, FINRA fined LPL Financial, LLC, a broker-dealer, US $2.75 million for not reporting as suspicious activities to FinCEN unsuccessful attempts by third parties to gain unauthorized access to customers’ email or brokerage accounts. According to FINRA, LPL mistakenly believed that only successful hacking incidents were subject to SAR reporting and advised its employees accordingly; however, this understanding was incorrect. As a result, FINRA concluded that LPL failed to investigate and file over 400 SARs with FinCEN from January 1, 2013, through May 31, 2016. (Click here for further details in the article “Broker-Dealer Fined US $2.75 Million by FINRA for Breakdowns in AML Program and Customer Complaint Reporting” in the November 4, 2018 edition of Bridging the Week.)