201-896-4100 info@sh-law.com

Failing to Understand Your SAR Reporting Obligations Can Result In Costly Penalties

Author: Paul A. Lieberman|July 28, 2021

The SEC recently brought another enforcement action this time against GWFS Equities Inc. (GWFS), a Colorado-based registered broker-dealer, for violating the federal securities laws governing the filing of Suspicious Activity Reports (SARs)...

Failing to Understand Your SAR Reporting Obligations Can Result In Costly Penalties

The SEC recently brought another enforcement action this time against GWFS Equities Inc. (GWFS), a Colorado-based registered broker-dealer, for violating the federal securities laws governing the filing of Suspicious Activity Reports (SARs)...

Failing to Understand Your SAR Reporting Obligations Can Result In Costly Penalties

The SEC recently brought another enforcement action this time against GWFS Equities Inc. (GWFS), a Colorado-based registered broker-dealer, for violating the federal securities laws governing the filing of Suspicious Activity Reports (SARs)...

The Securities and Exchange Commission (SEC) recently brought another enforcement action this time against GWFS Equities Inc. (GWFS), a Colorado-based registered broker-dealer, for violating the federal securities laws governing the filing of Suspicious Activity Reports (SARs). The company will pay a $1.5 million penalty and agreed to certain AML remedial efforts to settle allegations of SAR violations relating to the failure to report several cyber-related events, specifically account takeover activity where cybercriminals attempt intrusions into a customer’s account in order to steal the customer’s funds. Of the SAR reports that GWFS did file, the SEC found that they lacked key information the broker-dealer was required to report about the suspicious activity and suspicious actors.  Interestingly, no members of the SAR committee or the firm’s BSA officer were held personally accountable.

Kurt L. Gottschall, Director of the SEC’s Denver Regional Office, in a press statement declared: 

“Across the financial services industry, we have seen a large increase in attempts by outside bad actors to gain unauthorized access to client accounts. By failing to file SARs and by omitting information it knew about the suspicious activity it did report, GWFS deprived law enforcement of critical information relating to the threat that outside bad actors pose to retirees’ accounts, particularly when the unauthorized account access has been cyber-enabled.”

According to the SEC’s Order, during a three-year period, GWFS was aware of increasing attempts by external bad actors to gain access to the retirement accounts of individual plan participants. The Order further provides that GWFS was aware that the bad actors attempted or gained access by using improperly obtained personal identifying information of the plan participants, and that the bad actors frequently were in possession of electronic login information such as user names, email addresses, and passwords.

According to the SEC, GWFS failed to file approximately 130 SARs, including in cases when it had detected external bad actors gaining, or attempting to gain, access to the retirement accounts of participants in the employer-sponsored retirement plans it serviced. Further, the SEC determined that of the 297 SARs that were filed, GWFS did not include the “five essential elements” of information it knew and was required to report about the suspicious activity and suspicious actors, including cyber-related data such as URL addresses and IP addresses.

Despite investigating account takeover incidents, compiling specific, “detailed information about the underlying suspicious activity, including:  when and how the suspicious actor took control, or attempted to take control, of the plan participant’s account; identifying information regarding the suspected bad actors, IP addresses and email addresses linked to the bad actors; and details regarding how the bad actors used misappropriated funds once they had been improperly withdrawn from the GWFS plan participants’ accounts,” and sharing it with GWFS’ SAR Committee and BSA Officer, the firm failed to include it in its SAR narratives. “GWFS filed hundreds of SARs that disclosed only that an unauthorized person had accessed a plan participant’s account—and omitted any details about the bad actor or the bad actor’s activity.”

SAR Reporting Obligations

The Bank Secrecy Act (BSA), along with its implementing regulations, require various U.S. financial institutions to file a SAR when they detect a known or suspected violation of federal law meeting applicable reporting criteria. Entities that may be required to file SARs include banks, financial holding companies, casinos, money services businesses, broker-dealers, insurance companies, mutual funds, and residential mortgage lenders and originators. 

SARs are used to report a wide range of suspicious activity affecting depository institutions. Examples include cash transaction structuring, money laundering, check fraud and kiting, computer intrusion, wire transfer fraud, mortgage and consumer loan fraud, embezzlement, misuse of position or self-dealing, identity theft, and terrorist financing.

The BSA and its implementing regulations require that broker-dealers file SARs with the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) to report a transaction (or pattern of transactions of which the transaction is a part) conducted or attempted by, at, or through the broker-dealer involving or aggregating funds or other assets of at least $5,000 that the broker-dealer knows, suspects, or has reason to suspect:

  • Involves funds derived from illegal activity or is conducted to disguise funds derived from illegal activities;
  • Is designed to evade any requirement of the BSA;
  • Has no business or apparent lawful purpose and the broker-dealer knows of no reasonable explanation for the transaction after examining the available facts; or
  • Involves use of the broker-dealer to facilitate criminal activity.

When filing a SARs, financial institutions must provide certain information. The guidance for preparing SARs from FinCEN instructs SAR filers to “provide a clear, complete, and concise description of the activity, including what was unusual or irregular that caused suspicion” in the narrative and to “include any other information necessary to explain the nature and circumstances of the suspicious activity.”

FinCEN also advises that in order to be effective tools for law enforcement and fulfill their intended purpose, SAR narratives should include “the five essential elements of information – who? what? when? where? and why? – of the suspicious activity being reported.” When the reported transaction involves a cyber intrusion, broker-dealers must also include cyber-related data, such as URL addresses and IP addresses. The failure to file a complete SAR is a violation of Section 17(a) of the Exchange Act and Rule 17a-8 thereunder.

Enforcement Precedents

Prior to the GWFS action, on August 10, 2020, the SEC accepted a settlement offer of administrative cease and desist proceedings against Interactive Brokers, LLC[1], for a litany of violative conduct involving BSA evasions, failures to file SARs for U.S. microcap securities, and failure to recognize red flags of suspicious activity.

On December 17. 2018, the SEC accepted a settlement offer of administrative cease and desist proceedings against UBS Financial Services, Inc.[2], relating to deficiencies in the firm’s AML program and risk assessments which resulted in failures to file SARs on fund movements.

2021 SEC Priorities Have Been Announced.

The SEC’s 2021 Examination Priorities, Division of Entities FY 2021 guidelines contained a section on Anti-Money Laundering, reminding financial institutions of their Bank Secrecy Act (BSA)[3] obligation to establish “AML programs[4]…tailored to address risks associated with the firm’s location, size and activities…” (p. 27).  Such programs must include monitoring for suspicious activities and filing of SARs “where appropriate” with FinCEN. 

Based on the importance of these requirements, the Division noted that compliance with AML obligations by broker-dealers and RICs remains a priority. 

On January 5, 2021, the SEC Division of Examinations issued its AML Source Tool for broker-dealers “Source Tool”, what I (and other counsel) consider as an indispensable reference tool and for all financial institution organizations general counsel, AMLCOs, CCOs and members of risk management departments and committees.  Although specifically tailored by the SEC for broker-dealers[5], other financial institutions will find this Source Tool to be valuable in periodic assessments of changing regulatory requirements and enhancements to firm policies and procedures.  The SEC Risk Alerts are another useful resource in addition to the list of contact personnel available for advice.

Additionally, the SEC has “spotlighted” cybersecurity on its website and a recent Rule 24A Report describes facts and circumstances of e-mail compromises.  In 2014, the SEC issued Risk Alert Guidance and more recently focused on IT security as a holistic, corporate culture matter, with “operational resiliency” being a critical objective.  (See SEC Report, January 2020).

On June 30, 2021, FinCEN’s Office of Strategic Communications published the first government-wide priorities for AML and countering the financing of terrorism (AML/CFT) policy, titled “AML/CFT Priorities”.

“the priorities highlight key treat trends as well as informational resources that can assist covered institutions in managing their risks.  Compiled with the Department of Treasury’s 2020 Illicit Finance Strategy and 2018 National Risk Assessment, the priorities aim to help covered institutions assess their risks, tailer their AML programs, and prioritize resources.”   

Key Takeaways

The SEC’s most recent enforcement actions highlight the importance of establishing and maintaining robust SAR-related policies, procedures, standards, and training and the intersection with AML compliance. The SEC and FinCEN have issued important tools for use in both AML programs and BSA compliance.  The prevalence of cyber intrusions constitute a “red flag” that broker-dealers and other entities mandated to file SARs reports should review their SARs reporting and AML program, to ensure that they are reporting all of the required information on SARs, specifically as it pertains to the method and manner of cyber-intrusions and schemes to “take over” firm and/or customer accounts, including the method of transferring out funds, how the account was accessed, bank account information, phone/fax numbers, email addresses, and IP addresses.

Penalties for violations are significant, and the potential for SARs and AML program “gate keepers” to be held accountable remains a possibility.

Given the extensive legislative, regulatory and enforcement efforts involving both BSA and AML responsibilities, financial institutions should remain proactive in their oversight and changes to policies, procedures, systems and training of human resources.

If you have questions, please contact us

If you have any questions or if you would like to discuss these issues further,
please contact Paul A. Lieberman or the Scarinci Hollenbeck attorney with whom you work, at (201) 896-4100.


[1] SEC Release No. 89510; A.P. File No. 3-19907.

[2] SEC Release No. 84828; A.P. File No. 3-18931; UBS Financial Services, Inc. consented to a Civil Money Penalty on the U.S. Department of Treasury FinCEN Case No. 2018-03.

[3] See, 31 U.S.C. §§ 5311 et. seq.; BSA Rules adopted by FinCEN are found at 31 C.F.R.ChX; see also 31 C.F.R. §§ 1023 et. seq. involving broker-dealers.

[4] See, 31 U.S.C. § 5318(g) and implementing regulations; 31 C.F.R. § 1023.210.

[5] See, FINRA AML Compliance Rule/Guidance:  FINRA Rule 3310; AML FAQs; NJM 18-19 Amendments to Rule 3310.

Failing to Understand Your SAR Reporting Obligations Can Result In Costly Penalties

Author: Paul A. Lieberman
Failing to Understand Your SAR Reporting Obligations Can Result In Costly Penalties

The SEC recently brought another enforcement action this time against GWFS Equities Inc. (GWFS), a Colorado-based registered broker-dealer, for violating the federal securities laws governing the filing of Suspicious Activity Reports (SARs)...

The Securities and Exchange Commission (SEC) recently brought another enforcement action this time against GWFS Equities Inc. (GWFS), a Colorado-based registered broker-dealer, for violating the federal securities laws governing the filing of Suspicious Activity Reports (SARs). The company will pay a $1.5 million penalty and agreed to certain AML remedial efforts to settle allegations of SAR violations relating to the failure to report several cyber-related events, specifically account takeover activity where cybercriminals attempt intrusions into a customer’s account in order to steal the customer’s funds. Of the SAR reports that GWFS did file, the SEC found that they lacked key information the broker-dealer was required to report about the suspicious activity and suspicious actors.  Interestingly, no members of the SAR committee or the firm’s BSA officer were held personally accountable.

Kurt L. Gottschall, Director of the SEC’s Denver Regional Office, in a press statement declared: 

“Across the financial services industry, we have seen a large increase in attempts by outside bad actors to gain unauthorized access to client accounts. By failing to file SARs and by omitting information it knew about the suspicious activity it did report, GWFS deprived law enforcement of critical information relating to the threat that outside bad actors pose to retirees’ accounts, particularly when the unauthorized account access has been cyber-enabled.”

According to the SEC’s Order, during a three-year period, GWFS was aware of increasing attempts by external bad actors to gain access to the retirement accounts of individual plan participants. The Order further provides that GWFS was aware that the bad actors attempted or gained access by using improperly obtained personal identifying information of the plan participants, and that the bad actors frequently were in possession of electronic login information such as user names, email addresses, and passwords.

According to the SEC, GWFS failed to file approximately 130 SARs, including in cases when it had detected external bad actors gaining, or attempting to gain, access to the retirement accounts of participants in the employer-sponsored retirement plans it serviced. Further, the SEC determined that of the 297 SARs that were filed, GWFS did not include the “five essential elements” of information it knew and was required to report about the suspicious activity and suspicious actors, including cyber-related data such as URL addresses and IP addresses.

Despite investigating account takeover incidents, compiling specific, “detailed information about the underlying suspicious activity, including:  when and how the suspicious actor took control, or attempted to take control, of the plan participant’s account; identifying information regarding the suspected bad actors, IP addresses and email addresses linked to the bad actors; and details regarding how the bad actors used misappropriated funds once they had been improperly withdrawn from the GWFS plan participants’ accounts,” and sharing it with GWFS’ SAR Committee and BSA Officer, the firm failed to include it in its SAR narratives. “GWFS filed hundreds of SARs that disclosed only that an unauthorized person had accessed a plan participant’s account—and omitted any details about the bad actor or the bad actor’s activity.”

SAR Reporting Obligations

The Bank Secrecy Act (BSA), along with its implementing regulations, require various U.S. financial institutions to file a SAR when they detect a known or suspected violation of federal law meeting applicable reporting criteria. Entities that may be required to file SARs include banks, financial holding companies, casinos, money services businesses, broker-dealers, insurance companies, mutual funds, and residential mortgage lenders and originators. 

SARs are used to report a wide range of suspicious activity affecting depository institutions. Examples include cash transaction structuring, money laundering, check fraud and kiting, computer intrusion, wire transfer fraud, mortgage and consumer loan fraud, embezzlement, misuse of position or self-dealing, identity theft, and terrorist financing.

The BSA and its implementing regulations require that broker-dealers file SARs with the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) to report a transaction (or pattern of transactions of which the transaction is a part) conducted or attempted by, at, or through the broker-dealer involving or aggregating funds or other assets of at least $5,000 that the broker-dealer knows, suspects, or has reason to suspect:

  • Involves funds derived from illegal activity or is conducted to disguise funds derived from illegal activities;
  • Is designed to evade any requirement of the BSA;
  • Has no business or apparent lawful purpose and the broker-dealer knows of no reasonable explanation for the transaction after examining the available facts; or
  • Involves use of the broker-dealer to facilitate criminal activity.

When filing a SARs, financial institutions must provide certain information. The guidance for preparing SARs from FinCEN instructs SAR filers to “provide a clear, complete, and concise description of the activity, including what was unusual or irregular that caused suspicion” in the narrative and to “include any other information necessary to explain the nature and circumstances of the suspicious activity.”

FinCEN also advises that in order to be effective tools for law enforcement and fulfill their intended purpose, SAR narratives should include “the five essential elements of information – who? what? when? where? and why? – of the suspicious activity being reported.” When the reported transaction involves a cyber intrusion, broker-dealers must also include cyber-related data, such as URL addresses and IP addresses. The failure to file a complete SAR is a violation of Section 17(a) of the Exchange Act and Rule 17a-8 thereunder.

Enforcement Precedents

Prior to the GWFS action, on August 10, 2020, the SEC accepted a settlement offer of administrative cease and desist proceedings against Interactive Brokers, LLC[1], for a litany of violative conduct involving BSA evasions, failures to file SARs for U.S. microcap securities, and failure to recognize red flags of suspicious activity.

On December 17. 2018, the SEC accepted a settlement offer of administrative cease and desist proceedings against UBS Financial Services, Inc.[2], relating to deficiencies in the firm’s AML program and risk assessments which resulted in failures to file SARs on fund movements.

2021 SEC Priorities Have Been Announced.

The SEC’s 2021 Examination Priorities, Division of Entities FY 2021 guidelines contained a section on Anti-Money Laundering, reminding financial institutions of their Bank Secrecy Act (BSA)[3] obligation to establish “AML programs[4]…tailored to address risks associated with the firm’s location, size and activities…” (p. 27).  Such programs must include monitoring for suspicious activities and filing of SARs “where appropriate” with FinCEN. 

Based on the importance of these requirements, the Division noted that compliance with AML obligations by broker-dealers and RICs remains a priority. 

On January 5, 2021, the SEC Division of Examinations issued its AML Source Tool for broker-dealers “Source Tool”, what I (and other counsel) consider as an indispensable reference tool and for all financial institution organizations general counsel, AMLCOs, CCOs and members of risk management departments and committees.  Although specifically tailored by the SEC for broker-dealers[5], other financial institutions will find this Source Tool to be valuable in periodic assessments of changing regulatory requirements and enhancements to firm policies and procedures.  The SEC Risk Alerts are another useful resource in addition to the list of contact personnel available for advice.

Additionally, the SEC has “spotlighted” cybersecurity on its website and a recent Rule 24A Report describes facts and circumstances of e-mail compromises.  In 2014, the SEC issued Risk Alert Guidance and more recently focused on IT security as a holistic, corporate culture matter, with “operational resiliency” being a critical objective.  (See SEC Report, January 2020).

On June 30, 2021, FinCEN’s Office of Strategic Communications published the first government-wide priorities for AML and countering the financing of terrorism (AML/CFT) policy, titled “AML/CFT Priorities”.

“the priorities highlight key treat trends as well as informational resources that can assist covered institutions in managing their risks.  Compiled with the Department of Treasury’s 2020 Illicit Finance Strategy and 2018 National Risk Assessment, the priorities aim to help covered institutions assess their risks, tailer their AML programs, and prioritize resources.”   

Key Takeaways

The SEC’s most recent enforcement actions highlight the importance of establishing and maintaining robust SAR-related policies, procedures, standards, and training and the intersection with AML compliance. The SEC and FinCEN have issued important tools for use in both AML programs and BSA compliance.  The prevalence of cyber intrusions constitute a “red flag” that broker-dealers and other entities mandated to file SARs reports should review their SARs reporting and AML program, to ensure that they are reporting all of the required information on SARs, specifically as it pertains to the method and manner of cyber-intrusions and schemes to “take over” firm and/or customer accounts, including the method of transferring out funds, how the account was accessed, bank account information, phone/fax numbers, email addresses, and IP addresses.

Penalties for violations are significant, and the potential for SARs and AML program “gate keepers” to be held accountable remains a possibility.

Given the extensive legislative, regulatory and enforcement efforts involving both BSA and AML responsibilities, financial institutions should remain proactive in their oversight and changes to policies, procedures, systems and training of human resources.

If you have questions, please contact us

If you have any questions or if you would like to discuss these issues further,
please contact Paul A. Lieberman or the Scarinci Hollenbeck attorney with whom you work, at (201) 896-4100.


[1] SEC Release No. 89510; A.P. File No. 3-19907.

[2] SEC Release No. 84828; A.P. File No. 3-18931; UBS Financial Services, Inc. consented to a Civil Money Penalty on the U.S. Department of Treasury FinCEN Case No. 2018-03.

[3] See, 31 U.S.C. §§ 5311 et. seq.; BSA Rules adopted by FinCEN are found at 31 C.F.R.ChX; see also 31 C.F.R. §§ 1023 et. seq. involving broker-dealers.

[4] See, 31 U.S.C. § 5318(g) and implementing regulations; 31 C.F.R. § 1023.210.

[5] See, FINRA AML Compliance Rule/Guidance:  FINRA Rule 3310; AML FAQs; NJM 18-19 Amendments to Rule 3310.

Firm News & Press Releases