Broker-dealer firms have another warning from the SEC to do better with AML compliance and suspicious activity reporting, and particularly to do better with customers’ trading in penny stocks and acting on known red flags with that type of transaction.
The message came from the SEC’s Division of Examinations, which published its latest risk alert for broker-dealers and other financial firms on Monday. Risk alerts aren’t formal guidance per se, but they do dissect certain common mistakes that regulatory examiners see when reviewing firms’ compliance programs. Compliance officers are then supposed to read between the lines and understand that the SEC is telling us where it wants to see improvement, before regulatory examiners get all up in your face next time.
The Risk Alert grouped its observations into two categories: anti-money laundering policies, procedures, and internal controls; and suspicious activity reporting. Let’s take a look at each in turn.
AML Compliance Concerns
First the SEC walked through several examples of poorly designed policies, procedures, and controls for suspicious activity. Among the examples:
- Some firms omitted red flags from their policies and procedures to help identify activity that might need further due diligence. Along similar lines, other firms didn’t tailor the red flags they did include, to address the risks associated with their customers’ typical transactions. For example, if your clients usually trade in penny stocks, your red flags should be tailored to help detect pump-and-dump schemes.
- Some firms with large volumes of daily trading didn’t establish automated systems to monitor and report suspicious activity associated with trading in large volumes. Instead, those firms relied on a manual review of trading, and didn’t establish procedures or controls designed to identify suspicious patterns across multiple accounts.
- Where firms did incorporate penny stock transactions into their automated monitoring, some firms set their alerting thresholds too low. For example, they set their threshold at trading prices below $1, when regulators actually consider penny stocks to be any security trading below $5.
- Some firms set suspicious activity reporting thresholds higher than the $5,000 threshold specified in the SAR rule, so they missed any suspicious activity happening between $5,000 and whatever higher number they did set.
Notice the recurring themes here. The SEC stresses that firms must actually think about their policies and procedures, and tailor those things to your specific customers and operations. Slapping generic red flags into your compliance program won’t cut it; nor will relying on manual review. You need to design policies and procedures that are, ya know, relevant to your business.
SEC examiners also faulted numerous firms that did have suitably designed policies and procedures, but then failed to implement them. For example, some firms didn’t file suspicious activity reports (SARs) on transactions that were identical in nature to prior transactions where the firm had filed SARs. Other firms failed to follow up on red flags that their monitoring systems had detected; or processed trades on certain ultra-low penny stocks, despite having policies against such transactions.
All in all, these issues are nothing we haven’t heard before from the SEC Division of Examinations. If anything, this latest risk alert just demonstrates how persistent these compliance issues are — or, alas, the lethargic attitude about compliance that some firms persistently take.
Issues With Suspicious Activity Reporting
The second half of the risk alert then discussed the consequences of those weak policies and procedures. Namely, firms weren’t performing the appropriate due diligence on hinky transactions that did cross their desks; and consequently, firms weren’t filing suspicious activity reports in a timely or appropriate manner either.
The alert listed several red flags that SEC examiners have warned about previously, where firms were still not following up even when they had clear evidence that those issues were present in their customer base. For example:
- Large deposits of low-priced securities, followed by nearly immediate liquidations of those securities and then wiring out the proceeds.
- Patterns of trading activity common to several customers, such as those customers selling large quantities of multiple penny stocks at the same time.
- Trading in thinly traded penny stocks that resulted in sudden spikes in price or that represented most (if not all) of the stocks’ daily trading volumes.
- Trading in the stock of issuers that were shell companies or had been subject to trading suspensions or whose affiliates, officers, or other insiders had a history of securities law violations.
And within the suspicious activity reports themselves, examiners noted lots of times where a firm did know details that should have been included in the SAR, but the firm omitted those details anyway; or firms that filed SARs that didn’t use the standard data fields in the SAR form properly.
“As a result, [examiners] observed firms who each filed hundreds of SARs or more containing the same generic boilerplate language,” the SEC said in the alert, “which failed to make clear the true nature of the suspicious activity and the securities involved — rendering the SAR less valuable to law enforcement and regulators trying to understand the activity and its criminal or regulatory implications.”
Translated: plenty of firms were mailing in the bare minimum with SARs, rendering the information next to useless for the cops.
So those are some of the sore points for SEC examiners these days. Broker-dealers and other firms subject to examinations might want to consider these issues, the exam priorities for 2021 — and then put your nose back to the grindstone, arguing (yet again) in favor of building a robust compliance program.