The SEC continues to focus a portion of its enforcement attention on registrants' obligations with regard to anti-money laundering (AML) compliance and transaction monitoring. In this post, we provide a refresher on the agency's interest in Suspicious Activity Report (SAR) filing requirements applicable to financial institutions and the continued importance for broker-dealers to carefully and continually evaluate the efficacy of their internal monitoring systems and compliance programs.

SAR Reporting Requirements

The U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) and the Bank Secrecy Act (BSA) require broker-dealers to file SARs for transactions that they suspect involve fraud or lack an apparent lawful business purpose. Generally speaking, a SAR is a standard form document used by broker-dealers and other financial institutions to report suspicious or otherwise out-of-the-ordinary conduct. SARs can aid in the detection and analysis of questionable financial trends and patterns and, as a result, often provide information that can help law enforcement agencies uncover and prevent money laundering, criminal financial schemes and other illegal activity.

FinCEN requires firms to file a SAR no later than 30 days after the initial detection of a suspicious transaction. The filing time frame can be extended to an additional 30 days (but in no case shall reporting be delayed more than 60 days after the date of initial detection). Failure to file SARs can result in significant civil and criminal penalties. Moreover, in recent years, the government has stepped up its enforcement of firms – including broker-dealers – that fail to timely file SARs, with FinCEN, the SEC and U.S. Department of Justice leveling civil and criminal charges against a number of firms, assessing tens of millions of dollars in civil and criminal penalties, and entering into deferred prosecution agreements.

The SEC's Perspective

Broker-dealers must timely file SARs with FinCEN to report any transaction (or a pattern of transactions of which a transaction is a part) involving or totaling at least $5,000 and for which the broker-dealer knows, suspects or has reason to suspect:

• involves funds derived from illegal activity or is conducted to disguise funds derived from illegal activities
• is designed to evade any requirement of the BSA
• has no business or apparent lawful purpose and the broker-dealer knows of no reasonable explanation for the transaction after examining the available facts or
• involves use of the broker-dealer to facilitate criminal activity

31 C.F.R. § 1023.320(a)(2).¹

Under Rule 17a-8 of the Securities and Exchange Act of 1934, broker-dealers must comply with the BSA's reporting, recordkeeping and record retention requirements, and a broker-dealer's failure to file a SAR, as required, is considered a violation of Section 17(a) of the Exchange Act and Rule 17a-8 thereunder.

Following a March 2021 risk alert focusing on the topic, the SEC's Division of Examinations (Exams) identified anti-money laundering as one of its Fiscal Year 2022 examination priorities. In its report, Exams notes that financial institutions must:

establish AML programs that are tailored to address the risks associated with the firm's location, size, and activities, including customers they serve, the type of products and services offered, and the means by which those products and services are offered. These programs must, among other things, include policies and procedures reasonably designed to identify and verify the identity of customers and beneficial owners of legal entity customers, perform customer due diligence (as required by the Customer Due Diligence rule), monitor for suspicious activity, and, where appropriate, file Suspicious Activity Reports (SARs) with the Financial Crimes Enforcement Network. SARs are used to detect and combat terrorist financing, public corruption, market manipulation, and a variety of other fraudulent behaviors.

With this in mind, we believe that Exams in FY 2022 and beyond will continue to focus on whether firms have "established appropriate customer identification programs and whether they are satisfying their SAR filing obligations, conducting due diligence on customers, complying with beneficial ownership requirements, and conducting robust and timely independent tests of their AML programs." Id.

For its part, the SEC's Division of Enforcement is authorized to, and regularly does, make use of SARs in its investigations, albeit with limitations on their use. For instance, the Division's Enforcement Manual observes that BSA information is highly sensitive in nature and that SARs, and "related information that would reveal the existence of a SAR, must be protected from inadvertent disclosure."² Even so, Enforcement staff can receive information from the Division's BSA Review Group, including SAR information, when it relates to open enforcement matters or could warrant additional enforcement consideration, and they can use this information to identify leads and build investigations and, ultimately, enforcement actions. However, SARs cannot be shown to witnesses during an SEC interview or testimony, marked as exhibits, or disclosed outside of the investigation. They also must be segregated within the staff's records. Id.

As a critical gatekeeper in the securities markets, the SEC has demonstrated its willingness to enforce applicable rules when it believes brokers-dealers or other firms have failed to make and submit SARs when required or operated under a lax compliance program in which suspicious activity could or did go unreported, notwithstanding the sensitivity of the information SARs contain and limitations on their use. And when it does flex its enforcement muscle, the agency typically extracts injunctive relief from alleged violators and imposes civil penalties on them, taking into consideration remediation efforts such as implementing new SAR drafting procedures, retaining outside consultants and implementing new policies and procedures.

Common Missteps and Practical Considerations

When addressing SAR activity, the SEC tends to focus its enforcement attention on broker-dealers whom it contends operate with ineffective internal AML monitoring systems.

For instance, in prior SEC actions charging a failure to file SARs, many broker-dealers were alleged to have monitoring systems that failed to flag suspicious activity as a result of changes or updates to the systems and failed to properly test or assess such changes or updates to determine whether their systems were working effectively. As a result, those firms arguably missed, and therefore failed to report, suspicious activity such as:

• large currency deposits through ATMs to offshore company accounts, when there was no apparent business reason for such deposits
• movement of large funds through transactions involving third-party institutions in high-risk jurisdictions
• bad actors gaining or attempting to gain unauthorized access to accounts
• frequent large withdrawals that are immediately deposited into other accounts

Broker-dealers must be vigilant in their AML compliance responsibilities, ensuring that their compliance programs are robust and tailored to address AML risks. For example, broker-dealers should:

• establish customer identification programs, conduct customer due diligence and take necessary steps to ensure they are able to identify suspicious activity and timely report it, including employing and regularly reviewing and updating written supervisory procedures that identify various red flags to be aware of and monitor
• conduct recurring AML training for staff and subject matter experts
• maintain documentation of process development and governance
• review and refresh, as warranted, SAR drafting procedures
• implement internal procedures for 1) monitoring the effectiveness of SAR-related controls, policies and procedures; and 2) updating or modifying SAR-related controls, policies and procedures, including to identify new red flags
• consider implementing case management systems to track all reports of unusual activity from intake through SAR filing
• consider partnering with consultants who have expertise in developing, enhancing and monitoring AML compliance processes and procedures

Of course, any updates or changes to a broker-dealer's monitoring system should be carefully vetted and documented to ensure that the system is continuing to flag all suspicious activity and that the appropriate teams are notified and kept up to date as information changes. In any SEC examination or investigation involving SAR activity, the staff will undoubtedly focus on a firm's thoughtfulness, judgment and commitment of resources to ensure an effectively operating system of controls, as well as its staff's aptitude in accurately following policies and procedures for identifying, recording and reporting suspicious activity in a timely manner.

Notes

¹ "In the investment company context, the registered 'funds' must comply with Rule 38a-1 of the Investment Company Act of 1940 ('Investment Company Act'). Rule 38a-1 states that funds must adopt and implement written policies and procedures reasonably designed to prevent violation of the 'Federal Securities Laws,' which, for purposes of that rule, include the BSA. Rule 38a-1(e)(1), 17 C.F.R. § 270.38a1(e)(1)." See SEC Enforcement Manual.

² See SEC Enforcement Manual.