Background and Summary
In the Matter of GWFS EQUITIES, INC. (SEC). On May 12, 2021, the United States Securities and Exchange Commission (the ‘SEC’) fined GWFS Equities, Inc. (‘GWFS’), a registered broker-dealer, $1.5 million for failing to file Suspicious Activity Reports (‘SARs’) relating to cybersecurity breaches over a three-year period.¹
As a service provider to employer-sponsored retirement programs, GWFS detected that it had been subject to increased attempts by cyber criminals to obtain unauthorized access to the retirement accounts of plan participants. Although GWFS concluded that personal identifying information (or ‘PII’) was not obtained via any direct breach of its systems, GWFS also determined that bad actors attempting to hack GWFS systems possessed certain plan participant login information (e.g., usernames, email addresses, passwords). GWFS was able to intervene in most hacking attempts before cyber criminals could successfully request and receive a distribution from a retiree’s account; however, GWFS was unable to prevent all account takeovers.
As a result of its investigation, the SEC determined that GWFS failed to file 130 SARs in connection with unauthorized account access. Perhaps most importantly, the SEC determined that many of the SARs GWFS did file did not link a bad actor’s prior or concurrent attempts to gain unauthorized access to the accounts of other GWFS plan participants. This indicates that regulators continue to emphasize a financial institution’s ability to connect potentially suspicious behaviour across its organization and among common actors, customers, and scenarios.
Additionally, the SEC found that approximately 300 of GWFS’s filed SARs lacked required information (e.g., the “who, what, when, where and why” of the suspicious activity, including URL and IP addresses of the associated bad actors). More specifically, GWFS’s SAR quality was criticized for omitting detailed information about the associated bad actors, including how the bad actors accessed retirees’ accounts and whether the criminals were associated with any other account takeover(s) at GWFS. Instead of providing event-specific details useful to law enforcement, GWFS used a standard template to construct each SAR narrative, which stated generically:
“[t]he participant’s account was taken over by an unauthorized individual who used all of their personal information to authenticate as the participant. It is unknown whether or not [sic] there is any related litigation with this SSN. It is unknown whether or not foreign nationals are involved in this activity. It is unknown whether or not the IRS has been contacted. All information is contained in this report.”²
In the Matter of NATIONAL SECURITIES CORPORATION (NYDFS). In a related cybersecurity action from mid-April, the New York Department of Financial Services (the ‘NYDFS’) announced an enforcement action against an insurance company for defects in the company’s cybersecurity program, namely a failure to implement the multi-factor authentication required by NYDFS Part 500.³ As a result, the company fell victim to four cyber breaches exposing its customers’ personal data, two of which were not reported to NYDFS as required. The NYDFS further stated that the insurance company falsely certified compliance with the applicable cybersecurity regulation because multi-factor authentication was not implemented at the time of certification.
In addition to highlighting a continued regulatory focus on BSA/AML compliance programs (at broker-dealers, insurance companies, and more generally), the SEC and NYDFS cases specifically highlight the need for financial institutions’ BSA/AML compliance programs to work in lockstep with cyber-crime prevention programs. In response to these cases, broker-dealers should examine their BSA/AML and cybersecurity programs, and more specifically their SAR filing programs, to ensure all required information is contained within SAR narratives. The GWFS case demonstrates that firms may, in attempting to streamline compliance processes, inadvertently obscure the purpose behind SAR filings (namely, to provide detailed and actionable intelligence related to financial crimes to law enforcement, helping to safeguard the United States’ financial system from criminal activity).⁴ The SAR process is not meant to be a check-the-box exercise in administrative filing; therefore, financial institutions should weigh any attempt to streamline the administrative and financial costs of such a critical function against the underlying reasons for the SAR requirements, including whether adequate details are being passed to FinCEN for consideration.⁵
Regarding cybersecurity, advanced and persistent threats seeking to undermine data security greatly complicate an organization’s mission; defensive capabilities must evolve toward resilience. Traditional cybersecurity and business continuity programs need to be refreshed and enhanced to incorporate cybersecurity by design across every access point. Organizational cybersecurity programs should incorporate the 1st line (i.e., SecOps and controls), 2nd line (i.e., user attestation and compliance) and 3rd line (i.e., independent assessment and certification) across people, processes, and technology, enabling structured prevention, detection, and response in a dynamic threat landscape. Several industry frameworks (e.g., MITRE’s Cyber Resiliency Engineering Framework (CREF) and the DHS Cyber Resilience Review (CRR)) address cyber resilience and are leveraged by financial institutions to establish best-practice resilience programs.
For further details or to learn more about Capco’s financial crimes compliance or cybersecurity offerings, please contact:
Spencer Schulten, Executive Director and US Financial Crimes Compliance lead, at email@example.com or (203) 216-5571 (mobile)
Julien Bonnay, Partner and Cybersecurity Lead, at firstname.lastname@example.org or (212) 203-5926 (mobile)
¹ For more details, see GWFS Equities, Inc. (sec.gov).
² Id. at 7. The SEC determined that, “although the SAR Committee and the BSA Officer receiv[ed] detailed identifying information about the bad actor, the nature of how the bad actor accessed PPC’s account, and the bad actor’s association with another account that had been taken over, GWFS filed a SAR that did not include the ‘five essential elements’ about the bad actor or the bad actor’s conduct.” This emphasizes the need for senior officer review of each SAR filing to ensure that appropriate details are contained within SARs and not merely escalated to individuals and/or committees with responsibility over a broker-dealer’s BSA/AML compliance program.
³ For more details, see https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202104141.
⁴ See aml-risk-alert.pdf (sec.gov), stating: ‘FinCEN has provided guidance that filers include a clear, complete, and concise narrative of the activity, including what was unusual or irregular that caused suspicion. FinCEN also has highlighted that the care with which the narrative section is drafted is important to law enforcement’s ability to understand the nature and circumstances of the suspicious activity and its possible criminality. Furthermore, FinCEN has urged financial institutions to identify the five essential elements of information – who? what? when? where? and why? – of the suspicious activity being reported.’
⁵ See FFIEC BSA/AML Appendices, Appendix L – SAR Quality Guidance, stating: “[b]anks must file SARs that are complete, sufficient, and timely. Unfortunately, some banks file SARs that contain incomplete, incorrect, or disorganized narratives, making further analysis difficult, if not impossible. Because the SAR narrative serves as the only free text area for summarizing suspicious activity, the narrative section is ‘critical.’ The care with which the narrative is written may make the difference in whether or not the described conduct and its possible criminal nature are clearly understood by law enforcement, and thus a failure to adequately describe the factors making a transaction or activity suspicious undermines the purpose of the SAR.”