Regulators Provide No Meaningful Relief or Guidance to Financial Institutions Struggling with Bank Secrecy Act and Compliance Due to COVID-19
While many disclosure and reporting requirements imposed on regulated entities are being relaxed in response to the COVID-19 pandemic, the Financial Crimes Enforcement Network (FinCEN) has taken a different approach with respect to financial institutions’ duties to comply with the Bank Secrecy Act (“BSA”). In an April 3, 2020, release – one of just two issued by the agency in response to COVID-19 – FinCEN recognized that “financial institutions face challenges related to the COVID-19 pandemic,” but confirmed that it “expects financial institutions to continue following a risk-based approach” to combat money laundering and related crimes and “to diligently adhere to their BSA obligations.” 1
Thus, even as financial institutions reduce personnel to attempt to weather the economic downturn caused by the COVID-19 and limit in-office personnel to comply with state quarantine orders, financial institutions must maintain adequate staff and resources to ensure BSA compliance. In the world of broker-dealers in securities, these BSA obligations generally revolve around complying with anti-money laundering (AML) compliance program requirements, analyzing transactions for potentially suspicious activity and preparing and timely filing suspicious activity reports (SARs).
As detailed below, with very limited exceptions, regulators have offered broker-dealers no relief from these obligations as a result of business disruptions caused by COVID-19. Indeed, these already onerous burdens may be heightened by the increased risks of fraud, insider trading and other unusual financial activity by customers in these times of financial uncertainty. This “business as usual” attitude denies the reality that companies are coping with stay-at-home orders in the best-case scenarios and employees at home infected and unable to work in the worse-case scenarios.
FinCEN Requires Broker-Dealers to Implement Anti-Money Laundering (AML) Programs and SAR Reporting
In the PATRIOT Act of 2001, Congress required that all broker-dealers establish and implement AML programs designed to achieve compliance with the Bank Security Act (BSA) and the regulations promulgated thereunder, including the requirement that broker-dealers file Suspicious Activity Reports (SARs) with FinCEN.2
Under FinCEN’s regulation, a broker-dealer “shall be deemed” to satisfy the requirements of Section 5318(h) if it, inter alia, “implements and maintains a written anti-money laundering program approved by senior management” that complies with any applicable regulations and requirements of the U.S. Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) for anti-money laundering programs.3 Required program requirements include the implementation of “policies, procedures and internal controls reasonably designed to achieve compliance with the BSA,” independent testing, ongoing training, and risk-based procedures for conducting ongoing customer due diligence.4 FinCEN also required broker-dealers to establish and maintain a “customer identification program” (CIP) designed to help broker-dealers avoid illicit transactions through “know your customer” directives.5 FINRA largely duplicated these requirements in FINRA Rule 3310.
FinCEN also promulgated broker-dealer SAR filing requirements that largely mirror those applicable to banks. In short, a broker dealer is required to file a SAR on any transaction “conducted or attempted by, at or through a broker-dealer,” involving an aggregate of at least $5,000, where the broker-dealer “knows, suspects or has reason to suspect that the transaction” or “a pattern of transactions” involves money laundering, structuring, unusual and unexplained customer activity or the use of the broker-dealer to “facilitate criminal activity.”6 Broker-dealers must file SARs within “30 calendar days after the date of the initial detection” by the broker-dealer “of facts that may constitute a basis for filing a SAR.”7
These requirements are strictly enforced and sanctions for noncompliance can be extreme for both broker-dealers and their responsible officers and employees. Enforcement actions for “willful” noncompliance frequently result in civil money penalties against firms exceeding $10 million. In December of 2018, the U.S. Attorney’s Office for the Southern District of New York brought the first ever criminal action against a U.S. broker-dealer for a willful failure to file a SAR to report the illicit activities of one of its customers.8 In addition, because the primary purpose of an AML program is to detect and report suspicious activity, a failure to file SARs frequently gives rise to separate claims for violations of both the SAR filing and AML compliance program requirements.
Regulators Offer No Meaningful Relief from BSA Obligations Regardless of the Logistical issues Resulting from the COVID-19 Crisis
Despite recognizing the challenges broker-dealers and other financial institutions face in responding to the COVID-19 pandemic, to date regulators have offered no meaningful relief from the regulatory burdens imposed by the SAR and AML program requirements of the BSA. These steps are currently limited to:
FinCEN has created an “online contact mechanism” for “financial institutions to communicate to FinCEN COVID-19 related concerns while adhering to their BSA obligations,” but indicated that volume constraints may limit it to responding “via an automated message confirming receipt to communications regarding delays in filing of BSA reports due to COVID-19.”9
FinCEN also opaquely encouraged “financial institutions to consider, evaluate and, where appropriate, responsibly implement innovative approaches to meet their BSA/anti-money laundering compliance obligations.”10
FINRA “reminded” broker-dealer members that they have until December 31, 2020 to perform the annual independent testing of the member’s AML compliance program.11
The creation of a hotline and a directionless suggestion to “innovat[e],” at the risk that doing so incorrectly may expose a firm to criminal charges or regulatory enforcement actions, are of little practical use or comfort to firms. In short, it is business as usual for broker-dealers and other financial institutions with respect to their AML and SAR obligations under the BSA, even as they grapple with heightened compliance challenges because of COVID-19.
Heightened BSA Compliance Challenges Surrounding COVID-19
The AML program and SAR reporting requirements under the BSA create substantial compliance burdens even in the best of times. These obligations are resource-heavy, requiring yearly testing, ongoing monitoring of customers and transactions at the broker-dealer for potentially suspicious activity and dedicated personnel and systems to review transactional and customer information and to prepare SARs.
In addition, determining when a SAR filing is required is no easy task. The SAR regulation, as detailed above, is both expansive and vague, equally applying to transactions that may be criminal in any respect, may involve funds from other illegal activity or that may simply be unusual for a customer. Most broker-dealer compliance personnel are not trained in law enforcement, and yet are expected to analyze a host of characteristics about a particular customer and a particular trade to determine whether the transaction crosses an ill-defined threshold of suspiciousness, and to do so within 30 days. Law enforcement and regulators, such as the SEC, by contrast, frequently take years to investigate potentially illicit activity. While guidance issued by regulators has identified a number of “red flags” designed to help compliance personnel identify suspicious transactions, any of these red flags may seem innocuous or explainable in a given transaction, particularly in the limited time provided for review, leaving firms and compliance personnel open to regulatory second-guessing, with the benefit of hindsight, and at the risk of significant sanctions for interpreting the situation incorrectly.
A recent GAO report from August 2019, evaluating the effectiveness of BSA reporting, indicated that affected industry participants have raised questions about “the lack of a feedback loop or clear communication from FinCEN, law enforcement and supervisory agencies on how to most effectively comply with BSA/AML requirements, especially BSA reporting requirements.”12 Representatives from the securities industry in particular raised concerns that “compliance expectations are communicated through enforcement actions rather than through rulemaking or guidance.13
Of course, these are not the best of times. On March 16, 2020, FinCEN warned financial institutions to “remain alert about malicious or fraudulent transactions similar to those that occur in the wake of natural disasters.”14 As relevant to broker-dealers, FinCEN warned about an increase in insider trading, imposter scams, and COVID-19 related “investment scams,” such as promotions that falsely claim the products or services of publicly traded companies can prevent, detect or cure coronavirus.15
While this conduct, if occurring, is undoubtedly criminal, it is often unclear what steps a broker-dealer must take and what indicia of suspicion it must find before it is required to identify a trade as sufficiently suspicious for SAR reporting. For example, with respect to the COVID-19 related “investment scams,” at what point does the broker-dealer, in the exercise of due diligence, unearth enough indicia that this issuer may be misrepresenting the efficacy of its product or services in preventing or treating COVID-19 to create at least a “reasonable suspicion” of fraud? The signs may be very subtle and overlooked by compliance personnel at the time, but characterized as glaring red flags by regulators after the fact.
Similarly, a sudden spike in trading volume and price could be indicative of a pump-and-dump scheme, particularly where media coverage and a microcap stock are involved. However, with the current volatility of this market, large volume and price swings are increasingly common. And, the media is adding to the frenzy, and following the lead of the administration, by rushing to report any and all potential COVID-19 treatments. Such developments can make it difficult for firms to separate suspicious trading activity from innocuous activity, causing them to either fail to file a SAR where they should or filing a SAR where they should not.
Compounding the difficulty of the analysis, the broker-dealer’s customer – and the putative subject of the SAR – will not be the issuer, but generally someone who is trading in the stock. Accordingly, even if the there is a reason to suspect that the issuer or persons associated with the issuer are involved in an “investment scam,” this does not necessarily mean that the transaction at issue is suspicious within the meaning of the SAR regulation. The trading customer may simply be reacting to the news in buying or selling the securities at issue, as either an opportunistic trader or a victim of a potential issuer fraud, neither of which would appear to raise any indicia of suspicion for SAR reporting.
An examination of the totality of the circumstances of a transaction can help firms make the crucial distinctions between transactions that warrant a SAR and those that do not. For example, determining the source of the publicity –is it a CNN article or a paid newsletter – or whether the customer is affiliated in some way with the issuer or the promotion are questions, among many others, that must be investigated.
It is unfortunate that FinCEN has failed to provide any meaningful or practical guidance for financial institutions dealing with these heightened risks of fraud during a period when they may have difficulty in even staffing their offices. Performing this work remotely creates its own challenges, given high level of confidentiality of SAR filings under Section 5318(g)(2), and the consequences – including criminal liability – for violating these confidentiality provisions.
Nonetheless, that is the situation broker-dealers are in, and this is likely the point: FinCEN, law enforcement and regulatory agencies do not want to relax these requirements because of the heightened risks of financial crime during the pandemic and the government has become accustomed to this front-line reporting from private businesses. Even in these unprecedented times of economic disruption, broker-dealers must protect themselves from regulatory criticism and enforcement actions by continuing to follow their AML compliance programs and conducting the necessary due diligence on each transaction they process.
2 31 U.S.C. §5318(h), (g)
3 31 C.F.R. § 1023.210
5 31 C.F.R. § 1023.220
6 31 C.F.R. § 1023.320(a)(2)
7 31 C.F.R. § 1023.320(b)(3)
12 See GAO-19-583, Agencies and Financial Institutions Share Information but Metrics and Feedback Not Regularly Provided (August 2019), at pp. 3-4.
13 Id. at 24