On March 29, 2021, the SEC’s Division of Examinations released a Risk Alert reminding broker-dealers of their AML obligations and highlighting concerns it has observed regarding monitoring and reporting of suspicious transactions by broker-dealers.
Broker-Dealers’ AML Responsibilities
Several rules adopted under the BSA govern broker-dealers’ AML obligations. The Risk Alert focuses on the "AML Program Rule," which requires broker-dealers to develop and implement policies, procedures, and controls reasonably designed to detect and respond to suspicious activity. Under the rule, brokers’ AML programs must be designed to address a firm’s specific risk profile and identify markers of suspicious activity, or "red flags." The Risk Alert also highlights the "SAR Rule," which requires broker-dealers to report certain suspicious transactions, generally those over $5,000, which the broker knows, suspects, or has reason to suspect may involve illegal activity. As the Alert explains, the Department of the Treasury, Financial Crimes Enforcement Network ("FinCEN") has provided guidance requiring that SARs include a clear, concise narrative describing the suspicious activity, answer key questions, and be filed within 30 days after the date of initial identification of facts forming the basis for filing a SAR.
Section 17(a) of the Securities Exchange Act of 1934 and Rule 17a-8 thereunder require broker-dealers to comply with the requirements of the BSA, including those relating to SARs. The Alert warns that failure to comply with the BSA—including the AML Program and SAR Rules—could constitute a violation of Section 17(a) and Rule 17a-8. FinCEN, the SEC, and certain self-regulatory organizations also impose additional AML requirements on financial institutions and have published detailed guidance.
Exam Staff Observations
The Risk Alert outlined several deficiencies observed by EXAMS relating to broker-dealers’ AML compliance programs and reporting practices.
Deficient Policies, Procedures, and Controls: The Alert observed that a number of broker-dealers have failed to establish adequate policies, procedures, and controls necessary to identify and report suspicious activity as required under the BSA. Observations included:
- Failure to incorporate known "red flags" or business-specific risks in the design of AML programs. EXAMS staff expressed particular concern with respect to red flag identifiers used by firms whose customers engaged in the trading of low-priced securities, which sometimes can signal participation in an unregistered distribution, pump-and-dump schemes or market manipulation.
- Failure to implement automated monitoring of large-volume trading data, relying instead on manual review.
- Failure to set the correct parameters for automated detection and reporting of suspicious trading activity, such as setting the detection threshold for "penny stocks" trading at $1 instead of $5.
- Setting SAR reporting thresholds significantly higher than the $5,000 threshold specified in the SAR Rule.
- Improperly relying on clearing firms for reporting compliance, and failing to take into account high-risk activity by customers when designing procedures.
EXAMS noted that some brokers with reasonably designed policies and procedures did not implement them effectively and, as a result, did not report suspicious activity that triggered reporting obligations under their own policies. For example, some firms were not consistent in filing SARs for apparently identical activity, failed to use available reports and systems to monitor for suspicious activity, and failed to follow-up on red flags (e.g., wash or cross trades and potential insider trading).
Monitoring and Reporting: The Alert outlined several issues with broker-dealers’ monitoring and reporting of suspicious transactions, particularly regarding transactions in low-priced securities, which EXAMS described as "particularly susceptible to market manipulation." These included:
- In certain cases, deficient policies, procedures, and controls—or the failure to adequately implement policies and procedures—resulted in brokers failing to detect, investigate, or file SARs relating to known indicators of suspicious activity, such as certain high-risk transactions in thinly traded, low-priced securities, patterns of similar trading across multiple customer accounts, trading in the stock of shell companies or issuers that have been subject to trading halts or whose associated persons are so-called bad actors, and transactions involving customers with a history of legal and regulatory violations.
- Brokers, on occasion, failed to include basic information relating to customers or issuers that was publicly available or otherwise known to the firm from its own records (e.g., where customers were affiliates of control persons of the issuers whose shares they were trading). Brokers sometimes failed to use the specific structured data fields in SARs filings or relied on "generic boilerplate language" to describe the suspicious activity, thereby limiting the utility of the SAR to law enforcement and regulators.
Some broker-dealers failed to include information known about the method and manner of cyber-intrusions and schemes to "take over" customer accounts, including the manner of transferring funds, how the account was accessed, bank account information, email addresses, and IP addresses.
Looking Ahead: Further Enforcement Actions Loom
The Alert follows EXAMS’ inclusion of broker-dealers’ AML programs in its 2021 Examination Priorities as an area in which it intends to focus its resources for examinations in the coming year. The SEC and other regulators have brought a series of enforcement actions against financial institutions for failure to comply with AML requirements, such as an August 2020 action in which a major brokerage agreed to pay over $38 million to resolve actions brought by the SEC, Commodities Futures Trading Commission, and Financial Industry Regulatory Authority for failure to file SARs and maintain adequate AML policies and controls. The Department of Justice has likewise recently brought charges against financial institutions for BSA violations predicated on willful failures to file SARs or to maintain effective AML compliance programs.
In December 2020, the Second Circuit in SEC v. Alpine Securities Corp. rejected a challenge to the SEC’s authority to enforce the BSA’s AML reporting and recordkeeping requirements, removing a potential obstacle to continued enforcement activity by the Commission and others in this area. With publication of the Risk Alert, broker-dealers and other registrants are on notice of the SEC’s continued focus on strengthening AML compliance, and all financial institutions should carefully consider the specific and thematic observations regarding policies, procedures, and controls relating to the reporting of suspicious transactions.
Stephanie M. Pryor, in the New York Office, assisted in the preparation of this Commentary.