This week, Charles Schwab consented to pay the SEC a $2.8 million civil penalty for failing to file SARs on certain transactions – suspicious transactions, namely – by a number of independent investment advisors that Schwab had terminated from its platform. This matter is noteworthy not just for the size of the civil penalty, but because it reflects the continuation of a concerning trend by the SEC to focus less on a firm’s AML processes and procedures and more on the firm’s ultimate decision whether or not to file a suspicious activity report, or SAR.

Section 356 of the USA PATRIOT Act amended the Bank Secrecy Act to require broker-dealers to monitor for and report suspicious activities when circumstances warrant. The rule requires broker-dealers to file a SAR when they know, suspect, or have reason to suspect that a transaction of at least $5,000 involves money from illegal activity, or was conducted to disguise such funds or evade the requirements of the BSA, or has no business or apparent lawful purpose, or involved the use of the broker-dealer to facilitate criminal activities.  Based on this somewhat fuzzy language, figuring out whether some set of facts requires the filing of a SAR can become the subject of intense debate.

But, here is why I find the Schwab case to be interesting. Historically, perhaps because of the fuzzy language used in the statute, the focus of regulators in their enforcement actions involving AML cases has not been on whether or not a firm actually filed a SAR; instead, the focus has been on whether the firm had proper AML procedures in place that allowed it to spot the apparently suspicious activity in a timely manner, to investigate the suspicious activity promptly and thoroughly, and to document that entire process.  The case that most people, including me, cite for this proposition is the Sterne Agee decision, a FINRA OHO decision.  The hearing panel in that case looked to guidance from bank examiners to determine what the proper focus ought to be.  It noted with approval that

[t]he Federal Financial Institutions Examination Council (“FFIEC”) has emphasized the importance of focusing on the process, rather than on whether a particular SAR was filed. In its examination manual for banks, FFIEC states, “The decision to file a SAR is an inherently subjective judgment.  Examiners should focus on whether the bank has an effective SAR decision-making process, not individual SAR decisions.”  This is not to say that the failure to file a SAR cannot be questioned, and FINRA has settled matters involving the failure to file SARs.

Schwab is now the latest in a recent line of SEC cases that turns the Sterne Agee reasoning on its head, by caring more – or at least as much – about whether a SAR was filed than whether the firm had a reasonable supervisory system in place that allowed the firm to spot the suspicious circumstances in the first place.

In November 2017, Wells Fargo Advisors, LLC agreed to pay $3.5 million to the SEC for its “failure to file or timely file”  “at least 50 SARs, a majority of which related to continuing suspicious activity occurring in accounts held at Wells Fargo Advisors’ U.S. branch offices that focused on international customers.”  In March 2018, Aegis Capital Corp. entered into a settlement with the SEC, resulting in a $750,000 civil penalty, because it

failed to file Suspicious Activity Reports (“SARs”) on hundreds of transactions when it knew, suspected, or had reason to suspect that the transactions involved the use of the broker-dealer to facilitate fraudulent activity or had no business or apparent lawful purpose. Many of the transactions involved red flags of potential market manipulation, including high trading volume in companies with little or no business activity during a time of simultaneous promotional activity.  Aegis did not file SARs on these transactions even when it specifically identified AML red flags implicated by these transactions in its written supervisory procedures.

I am hardly saying that it is not necessary to worry about your AML supervisory procedures; indeed, that remains a legitimate concern. But, what seems to be a new development is the need to worry a lot about the actual decision to file a SAR or not.  I am wondering now if my historic advice to clients not to be concerned about that as long as they make a reasoned, documented decision not to file a SAR remains valid in light of these recent cases.  Now, the lesson of these cases seems to be: if you identify something suspicious, even potentially suspicious, then file a SAR, since that will avoid the nasty call from the SEC asking for the explanation for the absence of a SAR.

But that would be a lousy development and a bad lesson. While the whole process of filings SARs often seems to be an exercise in box-checking and doing it because the rules say that I have to do it, in fact, SARs fulfill an important function in helping detect and prevent real criminal activity.  I would 100% agree, of course, that very, very few SARs reveal actual criminal activity, but that’s for FinCEN to suss out.  If BDs simply file a SAR every time they spot something even potentially suspicious, without bothering really to analyze the activity to figure out if it is truly suspicious – something that I have seen characterized as filing a “defensive” SAR, i.e., a SAR designed simply to avoid regulatory scrutiny, rather than to report of suspicious activity – then it could very well compromise FinCEN’s ability to meaningfully review and follow up on those SARs that reveal truly suspicious conduct.

I don’t advocate, therefore, that firms simply abdicate their responsibility to determine whether activity is suspicious or not and just file SARs anyway. But, I do think it’s clear that there is no point whatsoever in sweating over the decision to file a SAR.  There is no reason only to file SARs in those instances in which you are 100% convinced a filing is necessary.  If it is arguable that a SAR should be filed, then stop the internal debate and make the filing.  The SEC is not going to make an example of you if you do, but, as these cases reveal, you run a legitimate risk of being second-guessed if you don’t.