Cyber Crimes – Don’t Forget to File that SAR!
Stopping, or even slowing, the proliferation of cyber-event related criminal activities remains a chief goal in the broker-dealer and investment advisory communities. As pointed out in a 2016 advisory released by the Financial Crimes Enforcement Network (“FinCen”), “Cyber-events targeting financial institutions often constitute criminal activity and can serve as means to commit a wide range of further criminal activity. The FinCen Advisory went on to provide guidance on how Bank Secrecy Act (“BSA”) regulatory requirements, including the filing of Suspicious Activity Reports (“SARs”), apply to cyber-events.
The nexus between SAR filings and cybersecurity, as well as the need for close coordination between IT and AML compliance staff, was also highlighted in remarks at a SIFMA Conference by Susan Axelrod, FINRA Executive Vice President, Regulatory Operations. Axelrod reminded firms that “…in the cybersecurity area, firms are required to report patterns of intrusion on their suspicious activity reports (SARs). So, it’s essential that your cybersecurity staff remain in close contact with your AML staff.” To foster the kind of close contact recommended by Axelrod, Ascendant believes that, among other measures, AML compliance and IT staff should strongly consider performing ongoing risk assessments to identify specific cybersecurity and AML risks, and develop system countermeasures to thwart system intrusions.
SAR Reporting of Cyber-Events is Required
The FinCen Advisory noted that “cyber-events that could affect a transaction or series of transactions are reportable as suspicious transactions because they are unauthorized, relevant to a possible violation of law or regulation, and regularly involve efforts to acquire funds through illegal activities.”
When determining if a cyber-event triggers a SAR filing, all available information must be evaluated to develop the fact pattern, such as the nature of the data, systems impacted and clients or firm accounts targeted. Ascendant has frequently observed that senior management, compliance, and, as applicable, in-house legal, and outside counsel, are involved in making the determination of whether to file a SAR. In deciding the monetary amount involved in the transactions or attempted transactions, the FinCen Advisory pointed out that firms “… should consider in aggregate the funds and assets involved in or put at risk by the cyber-event.”
Brief Background on SAR Filings – Who Must File:
Broker-dealers have been required to file SARs since December 30, 2002 when the Department of the Treasury (Treasury) issued new rules requiring such reports with the FinCEN, a bureau of Treasury. For investment advisers, filing SARs is voluntary, although under FinCen’s proposed AML rules, investment advisers will be required to file SARs.[3}
What are the SAR Reporting Requirements for Broker-Dealers?
A broker-dealer must report a transaction on Form SAR-SF if (a) the transaction is conducted or attempted by, at, or through a broker-dealer, (b) it involves or aggregates funds or other assets of at least $5,000, and (c) the broker-dealer knows, suspects, or has reason to suspect that the transaction (or a pattern of transactions of which the transaction is a part): involves funds derived from illegal activity or is intended or conducted to hide or disguise funds or assets derived from illegal activity; is designed, whether through structuring or other means, to evade the requirements of the BSA; appears to serve no business or apparent lawful purpose or is not the sort of transaction in which the customer would be expected to engage and for which the broker-dealer knows of no reasonable explanation after examining the available facts; or involves use of the broker-dealer to facilitate criminal activity.
SAR Filings – Potential Regulatory Consequences
Under the BSA rules, FinCEN may bring an enforcement action for violations of the reporting, recordkeeping, or other requirements of the BSA, including matters relating to the filing of or the failure to file SARs. FinCEN’s Office of Enforcement evaluates enforcement matters that may result in a variety of remedies, including the assessment of civil money penalties.
FinCen has assessed penalties for the failure to file SARs in a number of enforcement cases. To illustrate, in February 2015, FinCen assessed a civil money penalty of $1.5 million against a community bank for failing to file SARs on accounts held by one of its directors, a Pennsylvania judge who was convicted of judicial corruption. In this case, the bank failed to investigate the accounts after receiving a law enforcement subpoena. More recently, in November 2017, the SEC assessed $3.5 million in penalties against a wire-house for their failure to file or timely file a number SARs from approximately March 2012 through June 2013. The majority of these involved the failure to timely file SARs on ongoing suspicious activity that continued after an initial SAR filing by the firm on related suspicious activity.
Some Key Takeaways (Not an Exhaustive List)
- Review your firm’s internal policies regarding SAR filings to ensure that cyber-events are covered and that a thorough process is in place to determine when SAR filings are required, i.e. in particular, when should outside counsel or, as needed, regulators and/or law enforcement, be consulted?
- Include a tailored discussion of cyber events and SAR filings in your annual AML training. As part of the training, where relevant, provide examples of AML enforcement actions where SAR issues are noted as part of the fact pattern.
- AML and IT staff should conduct a risk assessment to identify cyber and AML risks and adopt policies to mitigate such risks, such as implementing enhanced AML surveillance systems.
- Monitor the progress of FinCen’s proposed AML rules for investment advisers, as the adoption of these rules will require investment advisers to file SARs.
 The Financial Crimes Enforcement Network (FinCEN), a bureau of the US Treasury Department, issued an advisory, dated October 26, 2016, regarding cyber-events and crime. A cyber-event can be defined as an attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information.
 In remarks on February 9, 2017, at the Securities Industry and Financial Markets Association’s (“SIFMA”) Anti-Money Laundering and Financial Crimes Conference.
 On August 25, 2015, FinCEN proposed a rule requiring investment advisers to establish anti-money laundering (AML) programs and report suspicious activity to FinCEN pursuant to the Bank Secrecy Act (BSA). While the proposed rule has not yet been adopted, indications are that it will, i.e. on March 8, 2017, in statements made to the trade publication Financial Planning, a FinCen spokesman said that FinCEN is currently in the process of reviewing public comments. “The next step is to draft a final rule and, beyond that, to work with OMB on how to proceed,” the agency spokesman said.
 A transaction includes a deposit; a withdrawal; a transfer between accounts; an exchange of currency; an extension of credit; a purchase or sale of any stock, bond, certificate of deposit, or other monetary instrument or investment security; or any other parent, transfer, or delivery by, through, or to a broker-dealer.