SEC Fines Recordkeeper $1.5 Million for Not Filing Account Takeover SARs
The SEC fined a 401(k) recordkeeper $1.5 Million for failing to file Suspicious Activity Reports addressing account takeovers.
The recordkeeper became aware of many account takeover attempts and successful withdrawals over a three-year period. Regardless, the recordkeeper either did not file hundreds of SARs or filed template reports that omitted required detailed information. Because the recordkeeper was also a registered broker-dealer that executed transactions for its plan clients, it was subject to the Bank Secrecy Act, which requires the filing of a SAR if the BD becomes aware of transactions that may involve criminal activity or have no lawful business purpose. In 2011, FinCEN alerted financial institutions of their obligations to file SARs to report cyber account takeovers.
The Bank Secrecy Act and the SAR filing obligation were adopted to combat money laundering. However, the SEC and FinCEN have broadened its use to deputize broker-dealers to monitor all potential wrongdoing. In this case, the SEC faults the recordkeeper for failing to report cyber breaches. In another case, a large custodian/clearing firm agreed to pay $2.8 Million to settle charges that it failed to report he conduct of dozens of terminated advisors that the SEC claimed violated the Advisers Act.
Read the SEC Order here.