The longer I do this, the more apparent it becomes just how little anything changes. Sure, some things do change, a little. Rule numbers may get updated, as Rule 2310 becomes Rule 2111. Things that once may have been done manually are now automated. NASD changes its name to FINRA. But, in large ways, especially when it comes to Enforcement actions, it is remarkable how similar today’s landscape compares to history’s. I say this after reading an AWC that Hilltop Securities entered into with FINRA last week involving AML issues, which evoked two memories.
First, a couple of years ago, I wrote a piece called BD Learns It’s Not Enough To Have A Supervisory Procedure For OBAs, You Actually Have To Follow It. Second, about four years ago, I wrote In AML World, The Need To File A SAR Can, Apparently, Be Too Obvious To Ignore, about an SEC case that stood for the proposition that sometimes, the facts are so clear that a SAR must be filed that it is impossible to make a reasonable argument to the contrary. Perhaps these titles gave away the whole story a bit too much, but apart from that flaw, they were fairly instructive articles (at least compared to some of my more rant-y pieces). Well, it appears that Hilltop, and perhaps (at least) one other firm (which I will get to in a minute), somehow managed to miss them, and, unfortunately, learned their lesson the hard way.
Hilltop is a firm whose roots as a NASD/FINRA member firm, pre-mergers, go back over 70 years. It is a clearing firm, but also has its own retail operation. At its core, the AWC involved two principal issues, which are the same I covered in the earlier blogs mentioned above: (1) the repeated failure to detect (supposed) red flags consistent with possible money laundering, despite supervisory procedures that covered that area, and (2) the failure to have filed SARs in light of such obvious red flags. I will address them both.
Among its AML procedures, Hilltop required its associated persons to collect and complete “Deposit Review Forms” for all receipt of low-priced securities positions. These forms required, among other things, information that could be used in an AML analysis:
- whether the stock had undergone a reverse merger in the prior year
- whether the stock had undergone a name or business change
- the number of shares owned by the customer overall, including at other firms
- revenue of the issuer
- the exchange on which the stock was listed
- the total outstanding shares of the stock on the market
All that’s good stuff. But, for whatever reason, from 2015-2016 – a mere five years ago! – Hilltop routinely failed to obtain the Deposit Review Forms that its AML procedures required and, when it did collect them, many were inaccurate or incomplete. As a result, the firm failed to identify as a possible red flag the fact that a single customer deposited millions of shares of a low-priced security – indeed, this one customer’s trades “represented 25% of Hilltop’s overall clearing of transactions in low-priced securities” during the review period – “without having sufficient information to . . . make a reasonable determination regarding the suspicious nature of the transactions and whether a SAR filing was warranted.”
But, that’s not all! In addition, Hilltop also dropped the ball in other ways. One of its introducing firms manifested all kinds of potential AML issues, but they were dismissed by a Hilltop AML analyst who reviewed the activity, commenting that “activity appears normal.” What did he miss?
- The introducing firm had four accounts that alone were responsible for over 78% of the firm’s total low-priced securities volume and traded in 930 different low-priced securities issuers
- Many of the issuers of these securities had no material operations or revenues, and were the subject of promotional campaigns
- One account owner was allegedly involved in a manipulative trading scheme using convertible notes, and the other, a former AMLCO, was sanctioned by FINRA for AML deficiencies involving low-priced securities.
In summary: Hilltop had a decent procedure, i.e., the Deposit Review Form requirement, but it failed to abide by it. That will never be ok with FINRA.
Even more damning, however, was FINRA’s conclusion that Hilltop failed “to devote adequate resources to its AML program,” which, therefore, “could not reasonably be expected to detect and cause the reporting of suspicious activity.” FINRA’s concern centered on the firm’s use of another report – the Daily Penny Stock, or “DPS” Report – which was described as “the primary report used by the Firm’s AML analysts to review low-priced securities transactions for red flags.” The DPS Report was created manually, “a process that took between one and one and half hours.” Despite all the work that went into its creation, however, “neither the DPS Report nor any other report was utilized to assist analysts in identifying” AML red flags.
This seems to have been a function of several things. First, there were not enough AML analysts and too many trades to review (even though the thresholds that the firm used for trades to appear on the report were set so high that they “excluded 80% of the total value of penny stock transactions”). Second, “[w]hen the AML analysts selected a transaction for review, minimal analysis was performed, and the analysts’ documentation of the review frequently failed to note any red flags identified or what steps, if any, were taken to investigate the red flags.”
It is hard to imagine a worse scenario than this, having FINRA tell you that your AML program is patently undermanned and not performing. A fantastic written procedure will not save you from an unhappy outcome.
The other aspect of the Hilltop AWC that bears noting is that FINRA took the firm to task specifically for not filing SARs, something you don’t see every day. FINRA was helpful inasmuch as it explained for our benefit what the particular problem was: when the firm reviewed penny stock trades, it “applied an unreasonably high threshold for the filing of SARs.” According to the pertinent law, a BD is required “to file a SAR for any transaction that it knows, suspects, or has reason to suspect “has no business or apparent lawful purpose or is not the sort in which the particular customer would normally be expected to engage.” Even though a SAR must be filed even when a problem is only “suspected,” Hilltop “would not file a SAR unless it had evidence proving that the low-priced security was part of a fraudulent scheme, even where activity triggered multiple red flags.”
So, there are some clear lessons to be gleaned from the Hilltop AWC. None is particularly tricky, however, or particularly new, but given FINRA’s proclivity to bring AML cases, it is in your own best interest to take them to heart:
- Make sure your written procedures are robust and up-to-date
- Make sure you follow your procedures
- Makes sure you document the hell out of the fact you have followed your procedures
- Make sure that the volume/nature of your business hasn’t changed in a material way since you instituted your procedures and hired the people to implement them; otherwise, be prepared to revise and amplify your procedures, and hire more bodies
- Whatever your decision is regarding the filing of a SAR, or not, memorialize your thought process, in order to be able to defend the reasonableness of your decision.
Finally, I mentioned at the outset that there were at least two firms that seem to have failed to learn these lessons. One was Hilltop, and the other was J K R & Company, a small BD that’s been around for over 40 years, and without any disciplinary history. It, too, signed an AWC involving AML issues. Like Hilltop, its AWC stands for the proposition that it is not enough to have good procedures if you don’t follow them.
According to the findings in that matter, in a four-year period extending from 2012 to 2016, the firm “failed to detect red flags of suspicious activity in four related accounts” despite the fact that it had “written AML procedures that required the firm to monitor for red flags of potentially suspicious activity.” I bet now you can really get a sense of the (sadly, all-too-obvious) theme of this blog post? When you commit in writing to doing something of a supervisory nature, you had better be sure to actually do it, because FINRA is not going to let you off the hook, or even give you partial credit, for having beautifully detailed written procedures if you fail, for whatever reason, to follow them. Here is how FINRA tersely put it in the AWC:
The firm’s AML procedures indicated that when the firm detected any red flags of potentially suspicious activity, it would determine whether and how to investigate further and take steps that could include: gathering additional information internally or from third parties, contacting the government, freezing the account, or filing a SAR. JKR did not, however, implement those measures.
So what red flags did FINRA claim JKR missed? There were a bunch, frankly. But, interestingly, the fine imposed was only $50,000, very modest by AML standards. What does that mean? Well, either the firm’s counsel did a great job for his client, or, perhaps more likely, the missed flags at issue here were, in fact, actually only a very pale red, at best; some of them you wouldn’t even call them pink.
First came the supposed red flags that appeared during the account opening process for four accounts. The firm missed the fact that:
- the four accounts had beneficial owners and control persons in common
- one of the accounts was opened seven months after the accountholder’s corporate president and the control person were barred by the SEC from participating in any manner in any offering involving penny stocks (even though the stated purpose of the account was to trade penny stocks)
- three accounts were controlled by a single person, who granted a Power of Attorney to someone else, giving that other person the power to trade the account
- one of the customers was the investment advisor for another of the customers
- the legal address for one of the accounts was not a physical address, but instead, was a personal mailbox at a retail store
- the account-opening documents for one of the accounts indicated that one of the customers was self-employed as an investment banker for the corporate entity listed for one of the other four accounts
- the copy of the passport provided by one customer was not properly certified
- the corporate entities for two of the accounts had been created just one week prior to account-opening under the laws of the Republic of Seychelles, a country known for heightened money-laundering risk.
Once the accounts were opened and started to trade, the firm then proceeded to miss these additional red flags:
- two accounts evidenced extensive trading in a penny stock, which, based upon conversations with the customer, was contrary to the expected activity in those accounts
- potentially suspicious wire activity that was unexplained, repetitive and showed unusual patterns with no apparent business purpose
- two accounts engaged in very minimal securities activity.
Quantitatively speaking, that’s a lot of red flags to miss. But, qualitatively, maybe there’s not a whole there beyond the usual knee-jerk conclusions that FINRA always touts, i.e., things that sound bad but aren’t. I mean, the Republic of Seychelles?? How can any entity from there possibly be legit, right? Ok, mark it down. Or the old “no apparent business purpose” gambit. Remember: FINRA is the arbiter of what is and isn’t a “legitimate” business purpose. It doesn’t matter what YOU claim is the purpose of a trade or a money transfer if FINRA concludes, in its opinion, that it was not legitimate.
Or perhaps my favorite one on the list, the absence of a certification on the copy of the passport. According to the AWC, one of the customers provided a passport “reflecting only a stamp from a Notary Public in the State of Florida, instead of an affidavit sworn to by [the] Customer . . . as the custodian of the passport, as required by the American Association of Notaries’ rules governing copy certification by a document custodian.” Seriously, and no offense intended to Notaries, it is rather amazing that FINRA actually cited to the these rules, for maybe the first time in recorded history. What makes this even worse, and considerably less funny for JKR, is that, as Alison Jimenez pointed out in her blog about this same AWC, the “Customer Identification Program (CIP) rules do not require notarization of identification documents, nor does the AWC state that the firm’s policies & procedures required notarized copies of customer IDs.” If neither the AML rules nor the firm’s own procedures required either a notary stamp or a custodial affidavit, then how can this possibly be a red flag?
The point is: even when the red flags are ticky-tacky, as most of these were, stack enough of them together and maybe you can cobble together enough to justify a $50K fine. Just another example of FINRA using quantity, rather than quality, to coerce a firm into settling.
 Let me just stop for a minute here. The pertinent time period goes back EIGHT YEARS! I mean, the end of the pertinent time period was four years ago. How can it possibly take FINRA this long to conduct exams? And how can it possibly be fair to a firm to have defend actions it took (or, as in this case, didn’t take) almost a decade ago? Yet, as readers of this blog will acknowledge, this is a common issue in FINRA Enforcement actions. Someone ought to look into this, as it is a real, and continuing, problem.