By Anne Sherry, J.D.
In a new risk alert, staff of the SEC’s Division of Examinations shared their observations from examinations of broker-dealers and mutual funds regarding their compliance with anti-money-laundering (AML) regulatory requirements. Staff found some deficiencies in firms’ policies and procedures, and in their implementation of procedures, designed to identify suspicious activity and report it through Suspicious Activity Reports (SARs). Some broker-dealers also failed to conduct adequate due diligence in response to indicators of suspicious activity, meaning they did not file suspicious activity reports as required.
Under FinCEN’s AML Program Rule (31 C.F.R. § 1023.210), a broker-dealer must have policies, procedures, and internal controls reasonably designed to identify and report suspicious transactions. Under the SAR Rule (31 C.F.R. § 1023.320), a broker-dealer must file a suspicious activity report for a transaction of at least $5,000 where certain circumstances are present. Broker-dealers are expected to conduct due diligence in determining whether to file a SAR, and if a report is warranted, it should include a narrative of the activity that can help law enforcement understand the nature and circumstances of the suspicious activity.
Policies and procedures. Examinations staff observed that some broker-dealers did not establish adequate policies, procedures, and internal controls designed to identify and report suspicious activity. For example, some firms did not include any red flags to help identify activity for further due diligence or did not tailor their red flags to the activities their customers typically engaged in. Firms with large volumes of trading relied on manual reviews instead of implementing automated monitoring and reporting systems. The staff also found deficiencies in some of the thresholds firms set, such as generating alerts only when securities were priced under $1 per share, while failing to monitor penny stocks above that threshold. Conversely, some broker-dealers set SAR reporting thresholds well above the $5,000 specified in the SAR Rule.
Among firms that had reasonably designed policies and procedures, some nevertheless failed to adequately implement those procedures, to carry out due diligence, or to report suspicious activity that qualified under their own procedures. For example, some broker-dealers did not file SARs on transactions that looked identical in nature to transactions on which they had previously filed SARs. Other deficiencies included a failure to reasonably use available reports to monitor for suspicious activity; failure to follow up on red flags; and failure to comply with firm prohibitions on accepting trades in securities priced below a penny per share.
Monitoring and reporting. The staff also observed that weak policies or implementation led to firms’ ultimate failure to file SARs. In some cases, firms presented with activity in low-priced securities that also included one or more red flags reflected in a prior risk alert and FINRA notice still did not review the activity and follow up to consider filing SARs. Some broker-dealers also failed to reasonably account for information that was public or was otherwise in the firms’ possession, such as customer sales of the shares of issuers subject to simultaneous promotional activity; trading by customers that were affiliates or control persons of the issuer; or liquidations of large volumes of securities where other risk factors were present.
Furthermore, when they did file a SAR, broker-dealers sometimes did not include known details or make use of specific data fields on the SAR. Firms used the same boilerplate language in hundreds of SARs, rendering the reports less valuable to law enforcement and regulators. Some firms reported the deposit of low-priced securities but failed to report the liquidation of the same securities and the disposition of the proceeds, or reported that a deposit was an "initial" deposit even though the customer had previously made deposits of the same security. Finally, for cyber-intrusions, reports omitted details known at the time of reporting about the method of transferring funds, how the account was accessed, and other information about the incident.