GWFS Equities, Inc., is a registered broker/dealer headquartered in Greenwood, Colorado, and an affiliate of Great-Western Life & Annuity Company (“Great Western”). GWFS’s “core business concerns executing transactions on behalf of…[the insurance company’s] employer-sponsored retirement plan clients.” According to the May 12, 2021, Administrative Proceeding brought by the U.S. Securities and Exchange Commission (“SEC”), Great Western’s business “focuses primarily on the retirement services market, with an emphasis on defined contribution plans, including plans commonly known as ‘401(k)’ and ‘403(b)’ plans.” Great Western is the “second-largest record-keeping retirement service provider, with approximately 9.4 million participant accounts holding over $700 billion in assets.”

Broker/Dealer Affiliate of An Insurer

On Monday, March 29, 2021, the Division of Examinations of the SEC issued a Risk Alert on “Compliance Issues Related to Suspicious Activity Monitoring and Reporting at Broker-Dealers,” which I discussed at length in my April 20, 2021, blog post, “Red Flags and SARs: The SEC Warns Broker/Dealers on AML.” Now the proverbial chicken has come home to roost. On Wednesday, May 12, 2021, the SEC settled charges against GWFS for failing to file Suspicious Activity Reports (“SARs”). The SEC alleged, and GWFS acknowledged, that from September 2015 through October 2018, GWFS knew that external, unauthorized entities increasingly attempted to gain access to the retirement accounts of individual retirement plan participants.

The SEC alleged that “GWFS was aware that the bad actors attempted or gained access by, among other things, using improperly obtained personal identifying information of the plan participants, and that the bad actors frequently were in possession of electronic login information such as user names, email addresses, and passwords.” The SEC enforcement action found that GWFS failed to file approximately 130 SARs, including in situations where GWFS knew that third parties had attempted to or in fact had gained access to the retirement accounts of plan participants. Further, for the approximately 297 SARs that GWFS did file, it failed to include sufficient information to address the questions who, what, when, where, and why, nor did it include data which it had, such as URL addresses and IP addresses, rendering the Reports less than useful.

Catering to Retirement Plans

In the May 12, 2021, Administrative Proceeding that the SEC instituted against GWFS, the SEC notes that several retirement plan participants had their accounts accessed, including the following:

• The unauthorized withdrawal of $128,000 from a plan participant, using a telephone number that was used to take over at least two other accounts

• A plan participant received a check for $43,000 which he did not request because his PII was changed using an IP address that GWFS identified in connection with another account take-over; GWFS determined that nine plan participant accounts were accessed in the same way

• In October 2016 another plan participant was the victim of two unauthorized withdrawals totaling $250,000; GWFS determined that the plan participant’s account had been taken over using a bank account associated with the account takeover of another plan participant

• Another plan participant in August 2016 was the victim of multiple withdrawals totaling over $400,000 using a telephone number that GWFS identified as associated with other recent fraud attempts, through which GWFS learned the name of the perpetrator

Despite having these details GWFS filed generic (“boilerplate”) SARs about the incidents, making almost no effort to protect the plan participants and their accounts.

Too Much Bother

In the face of these facts, the SEC determined that GWFS willfully violated its obligations under Section 17(a) of the Securities Exchange Act of 1934, as amended and Rule 17a-8 adopted thereunder. The SEC Administrative Proceeding did note the “remedial acts promptly undertaken by …[GWFS] and cooperation afforded the Commission staff.” The Proceeding reports that GWFS “undertook significant remedial measures, including implementing new SAR drafting procedures: retaining an outside AML consulting firm…, increasing both the size and experience of its AML compliance team; restructuring its AML process…, implementing new SAR-related policies, procedures, standards, and training, and implementing a new case management system…” GWFS also conducted a “thorough investigation of its AML Program” and “identified numerous transactions for which no SAR had been filed.”

As a result, GWFS was ordered to cease and desist from violating Rule 17a-8 and censured. Further, it was ordered to pay a civil money penalty of $1,500,000. This underscores that there are consequences from a failure to take legal responsibilities seriously. It wasn’t that GWFS was a “bad actor”; it just could not be bothered to take the time and trouble to comply with the law, in the context of KNOWN exploitation of its systems AND losses by the plan participants (one suspects, made up by Great Western). As Edmund Burke said in his Speech to the Electors of Bristol:

All that is necessary for the forces of evil to win in this world, is for enough good men to do nothing.

If you are involved in financial transactions you should be aware that the laws and regulations concerned with anti-money laundering and terrorist financing are becoming stricter and more far-reaching in our digital age when even a pipeline for petroleum products is not safe.