On June 1, the SEC announced that a Wall Street-based brokerage firm agreed to pay a $300,000 penalty to settle charges that it failed to sufficiently evaluate or monitor customers’ trading for suspicious activity and to file suspicious activity reports (SARs) in an alleged willful violation of Section 17(a) of the Exchange Act and Rule 17a-8. The broker-dealer was required to have written AML policies and procedures, which outlined specific examples of suspicious activities that, according to the SEC, “should have triggered internal reviews and, in a number of instances, [(SAR)] filings.” According to the SEC, the broker-dealer failed to file SARs on the following activity: (i) accounts that traded an aberrational percentage of a given stock in a particular day; (ii) accounts of entities that had executives charged with criminal securities fraud; (iii) customer trading that was the subject of grand jury subpoenas and regulatory inquiries; (iv) liquidation of securities followed immediately by large cash transfers; (v) transactions in securities that were subsequently subject to SEC trading suspensions; and (vi) rejections by other broker-dealers of attempts by the firm to transfer customers’ securities. Despite these red flags, the brokerage firm failed to file SARs for more than five years. The case represents the SEC’s first against a firm solely for failing to file SARs.
On August 30, the Department of the Treasury, along with the OCC, FDIC, Federal Reserve and NCUA, issued a joint fact sheet on foreign correspondent banking. The fact sheet provides a summary of the agencies’ (i) expectations for BSA/AML and OFAC risk management at U.S. depository institutions; (ii) risk-based approach to the supervisory examination process; and (iii) use of enforcement as an “extension of the supervisory process.” As highlighted in a corresponding blog post, the fact sheet explains that about “95% of BSA/OFAC compliance deficiencies identified by the [Federal Banking Agencies], FinCEN, and OFAC are corrected by the institution’s management without the need for any enforcement action or penalty.” The fact sheet notes that, under existing regulations, there is no general requirement for depository institutions to conduct due diligence on an individual customer of a foreign financial institution (FFI). But it also notes that “[i]n determining the appropriate level of due diligence necessary for an FFI relationship, U.S. depository institutions should consider the extent to which information related to the FFI’s markets and types of customers is necessary to assess the risks posed by the relationship, satisfy the institution’s obligations to detect and report suspicious activity, and comply with U.S. economic sanctions. This may require U.S. depository institutions to request additional information concerning the activity underlying the FFI’s transactions in accordance with the suspicious activity reporting rules and sanctions compliance obligations.”
On April 5, FinCEN assessed a civil money penalty against a Nevada-based casino for willfully violating the anti-money laundering provisions of the BSA. From 2010 through November 2013, the casino allegedly failed to (i) establish and implement an effective, written anti-money laundering program; (ii) establish and maintain appropriate internal controls in compliance with the BSA’s reporting requirements; (iii) conduct independent testing of its AML program; (iv) implement automated data processing systems that ensured compliance with the BSA and the casino’s AML program; (v) report suspicious activity; and (vi) secure and retain certain required records. According to FinCEN, the casino generally “lacked a culture of compliance” and had a “blatant disregard for AML compliance permeat[ing] at all levels.” The casino agreed to a $1 million civil money penalty and admitted to willfully violating the BSA’s program, reporting, and recordkeeping requirements.
On January 19, FinCEN issued an advisory, FIN-2016-A001, to provide financial institutions with guidance on reviewing their obligations and risk-based approaches with respect to certain jurisdictions. According to the advisory, on October 23, the Financial Action Task Force (FATF) updated two documents identifying the following: (i) jurisdictions that are either subject to the FATF’s call to apply countermeasures, or to Enhanced Due Diligence (EDD) due to their AML/CFT deficiencies; and (ii) jurisdictions with AML/CFT deficiencies. FinCEN’s recently issued advisory summarizes the changes made to the respective lists and reiterates that a financial institution must file a Suspicious Activity Report if it “knows, suspects, or has reason to suspect that a transaction involves funds derived from illegal activity or that a customer has otherwise engaged in activities indicative of money laundering, terrorist financing, or other violation of federal law or regulation.”
On December 9, FinCEN Director Calvery highlighted at a joint FBIIC-FSSCC meeting the role of FinCEN in gathering and analyzing financial intelligence and the value of Suspicious Activity Reports (SARs) in curtailing malicious cyber activity. Calvery noted the importance of attribution information, such as IP addresses, timestamps, e-mail addresses, and the nature of the suspicious activity, when included in SAR filings, in helping FinCEN and law enforcement agencies deflect cyber-attacks, detect the source of such attacks, and identify members of money laundering networks. “For example, SARs filed by several different financial institutions played a vital role in furthering an investigation where a regional Florida bank had nearly $7 million fraudulently wired out of one of its accounts,” Calvery explained. Calvery emphasized the importance of including cyber-derived information (such as IP addresses and bitcoin wallet addresses) in SAR filings, noting that while less than two percent of filed SARs contain IP addresses, the information is “incredibly important to FinCEN analysts and law enforcement investigators working to combat cyber-crimes.”