SEC Settles Investigation of Broker-Dealer for SAR-Related Violations
On May 12, 2021, the Securities and Exchange Commission issued a media release announcing a settlement with a Colorado affiliate of Great-West Life & Annuity Insurance Company for violations and failures related to Suspicious Activity Reports, or “SARs.”
Great-West and its affiliates provide record-keeping and other services for employer-sponsored retirement plans. Great-West is the second-largest record-keeping retirement service provider in the US, with over 9 million participant accounts holding over $700 billion in assets. Like banks, businesses such as Great-West must file SARs for certain transactions that the company suspects may involve fraudulent activity or have no apparent business purpose.
We took note of SEC’s investigation and resolution of the Great-West matter because the suspicious activity involved cyber-hacking and other unauthorized attempts to access account information. The case is also notable because SEC found that the Great-West affiliate violated Section 17(a) of the Securities Exchange Act and Rule 17a-8 for:
- failing to file 130 SARs under required circumstances and
- failing to properly file an additional 297 SARs.
The Settlement Order describes the findings. Starting in September 2015, Great-West became aware of an uptick in attempts by hackers and other “external bad actors” to access retirement accounts. The unauthorized efforts used improperly obtained personal identifying information and login information like user names, email addresses, and passwords. Over three years and approximately 130 suspected attempts, Great-West failed to file any SARs. For another 297 attempts, the company filed inadequate SARs.
Regarding the inadequate SARs, the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) says that a SAR narrative should include clear, complete, and concise descriptions of the suspicious activity. According to FinCEN, this means that the description should provide “five essential elements” of information: the who, what, when, where, and why of the reported activity.
For the 297 SARs that were filed inadequately, SEC charged Great-West with failing to provide full and complete information. Among other things, Great-West did not provide cyber-related data like the URL and IP addresses from which the attempts were made. SEC asserted that Great-West knew or should have known that cyber-related data was required as part of the SAR narrative. SEC also asserted that Great-West knew or should have known that SARs were necessary for every unauthorized access attempt, especially since FinCEN issued a December 2011 advisory alerting financial institutions to the increased threat of cyber account takeovers.
Unlawful account takeover attempts continue to concern regulators. The Financial Industry Regulatory Authority (FINRA) just published Regulatory Notice 21-18 to warn about takeover efforts, also providing practice tips to mitigate risks.
Great-West agreed to settle the investigation by paying a $1.5 million penalty, accepting a censure, and agreeing to comply in the future. Great-West did not admit or deny the SEC’s findings.