On March 29, 2021, the SEC's Division of Examinations issued a risk alert reminding broker-dealers of their anti-money laundering (AML) obligations. The alert comes on the heels of SEC examinations uncovering deficiencies in some firms' AML policies and practices, and highlights broker-dealers' duties under the Bank Secrecy Act (BSA) to establish and implement policies designed to identify suspicious transactions and to file Suspicious Activity Reports (SARs). The risk alert is only the latest step by the SEC to emphasize the importance of AML issues to the broker-dealer community and likely confirms the SEC will continue to focus on this issue. This client alert examines the SEC's historical focus, a recent SEC litigation victory enforcing these provisions, and the key takeaways from the risk alert.
The SEC's Historical Focus on AML Issues
The SEC has consistently emphasized that it would focus on AML compliance for broker-dealers in its routine examinations. This focus began when the SEC formed the broker-dealer task force in 2013, and has continued as the SEC has regularly listed AML as an examination priority. In fact, this has been specifically listed as a priority in each of its 2019, 2020, and 2021 Examination Priorities Reports. The SEC's Enforcement Division similarly has prioritized AML cases, and has brought a series of actions against broker-dealers for AML missteps where broker-dealers failed to appropriately file SARs on clients who liquidated thinly-traded securities.
The SEC also recently survived an important test of its approach to AML cases in litigation. Specifically, in SEC v. Alpine Securities Corp., the Second Circuit rejected the appeal of a broker-dealer against a partial summary judgement issued by the District Court that found the broker-dealer (who specialized in penny stocks) failed to comply with the reporting requirements for SARs and upheld the lower court's decision to impose a $12 million civil penalty. In doing so, the Second Circuit confirmed the SEC's power to use Section 17(a) of the Securities and Exchange Act of 1934 and Rule 17a-8 of the Exchange Act to require broker-dealers to comply with the BSA's reporting, recordkeeping, and record retention requirements and seek penalties when they fail to comply with these provisions.
Key Takeaways from the SEC's Risk Alert
The SEC's Division of Examinations (EXAMS) issued its recent risk alert after reportedly observing that broker-dealers failed to implement and administer AML programs. Specifically, according to the risk alert, EXAMS found that registered broker-dealers failed to have adequate policies and procedures, failed to implement procedures that were adopted, failed to appropriately respond to suspicious activity, and filed inaccurate or incomplete SARs.
The risk alert thus provides a roadmap for what failings the SEC may be looking for in each of these areas. Some of the key highlights of the risk alert include:
- Inadequate Policies and Procedures. The risk alert highlighted that some firms did not include any red flags in their policies to prompt additional diligence and/or did not tailor the red flags to the specific risks of their business. Similarly, it highlighted that some firms with a large volume of daily trading "failed to establish and implement automated systems to monitor and report" activity and instead "unreasonably relied on manual review."
- Failure to Implement Procedures. The risk alert highlighted that some firms did not appropriately use "available transaction reports and systems" to monitor for suspicious trading. It also faulted firms for not following up on red flags specifically identified in their procedures.
- Failure to Monitor for Suspicious Activity. The risk alert noted the failings that led to firms not following up on activity that appeared to be suspicious. This included firms not reviewing activity that had been listed in previous SEC or FINRA alerts, including: (a) patterns of customers depositing large amounts of low-priced securities, selling the securities, and then wiring out the proceeds; (b) "[t]rading in thinly traded, low-priced securities that resulted in sudden spikes" in price or volume; and (c) trading in the shares of companies that were shell companies, were subject to trading suspensions, or were subject to previous notices that their financial information was not up to date.
- Filing Inaccurate or Incomplete SARs. The risk alert also emphasized FinCEN's guidance that "filers include a clear, complete, and concise narrative of the activity." The risk alert faulted firms for not providing the key information despite having such information within its own records. This included failing to provide key facts related to cyber intrusions such as "the method and manner" of the scheme, including the "method of transferring out funds, how the account was accessed, bank account information, phone/fax numbers, email addresses, and IP addresses."
The SEC's risk alert thus serves as a reminder that the SEC expects broker-dealers to identify and ameliorate their AML risks. As detailed above, AML procedures should include red flags to assist with identifying suspicious activity in securities transactions, and those red flags should be tailored to address the risks associated with the type of activity in which the broker-dealer's customers regularly engage. The SEC expects that firms with large volumes of daily trading will have automated systems to monitor suspicious activity.
Broker-dealers looking to abide by their AML obligation and avoid intervention by the SEC should note that the alert cautions firms to affirmatively consider their supervisory, compliance, and risk management systems and make any appropriate changes to strengthen those systems. The SEC recognizes that the adequacy of these systems depends on the facts and circumstances of each specific broker-dealer, so what is required for one firm may not be required of another. A prudent step for all broker-dealers, though, is to review their policies and procedures in light of this updated guidance and make any appropriate changes.