A Colorado-based broker-dealer will pay $1.5 million as part of a settlement with the Securities and Exchange Commission (SEC) announced Wednesday for lapses in the filing of suspicious activity reports (SARs) related to the threat of cyber-breaches.
GWFS Equities, an affiliate of Great-West Life & Annuity Insurance Company, provides services to employer-sponsored retirement plans. The company was allegedly the victim of multiple attempts by bad actors to access the retirement accounts of individual plan participants. GWFS failed to file approximately 130 SARs related to these incidents as required, according to the SEC.
The details: From September 2015 through October 2018, GWFS was aware of the breach attempts. The bad actors were often in possession of the electronic login information—such as usernames, email addresses, and passwords—of plan participants when attempting to breach the accounts, according to the SEC’s order.
GWFS warded off most of these attempts, though some were successful, the SEC noted. Regardless, the incidents are required to be reported under the Bank Secrecy Act (BSA) and regulations from the Financial Crimes Enforcement Network (FinCEN) when the attempted breach involves at least $5,000.
Of the nearly 300 SARs GWFS did file regarding the incidents, none included the “five essential elements”—who? what? when? where? and why?—firms are expected to include as stated by FinCEN, according to the SEC.
“These SAR narratives also omitted other key facts, including details relating to cyber-events, necessary to make the SARs effective tools and fulfill their intended purpose,” the agency stated.
Remedial measures: GWFS conducted a thorough investigation into its anti-money laundering (AML) program and cooperated with the SEC’s probe, the agency noted. The company had a BSA officer and SAR committee during the period of the alleged violations and has since enhanced these functions.
GWFS implemented new SAR drafting procedures; retained an outside AML consultant to review and recommend enhancements to its SAR processes; increased the size and experience of its AML compliance team; implemented new SAR-related policies, procedures, standards, and training; and created a new case management system to track all reports of unusual activity from initial intake through SAR decision and filing.
GWFS neither admitted nor denied the SEC’s findings.
Compliance takeaways: “Across the financial services industry, we have seen a large increase in attempts by outside bad actors to gain unauthorized access to client accounts,” said Kurt Gottschall, director of the SEC’s Denver Regional Office, in a press release. “By failing to file SARs and by omitting information it knew about the suspicious activity it did report, GWFS deprived law enforcement of critical information relating to the threat that outside bad actors pose to retirees’ accounts, particularly when the unauthorized account access has been cyber-enabled.”
Wednesday’s action isn’t the first time the SEC has cracked down on a firm for alleged failures relating to SARs, which are typically overseen by FinCEN. One expert believes it could be a sign of more to come.
“This won’t be the last such penalty from the SEC or any of the regulators,” says Kieran Beer, chief analyst for the Association of Certified Anti-Money Laundering Specialists (ACAMS). “Regulators are focused on policies and procedures to stop cyber-theft, including better reporting of actual or attempted hacks. The SEC isn’t alone in this focus.”