There have been tons of cases where firms got in trouble – in AML trouble, which is one the worst kinds of trouble – for failing to be sufficiently on top of third-party wires, i.e., where a customer wires money not to himself but to someone else.  In a change of pace, last week, the SEC published a settlement it entered into with Securities America Advisors (SAA) that involved a failure to adequately supervise first-party wires, i.e., wires sent by the client to him- or herself.  It is a super-interesting case, as it tees up a few thought-worthy issues.  Like, did SAA’s supervisory requirements go too far?  That is, did the firm make the mistake of holding itself to a standard that was not only unnecessary, but practically impossible to meet?  Should first-party wires be treated the same as third-party wires?  Is it really reasonable to expect a firm to require that an existing customer who wants to take money out of his securities account and send it to his bank account disclose what his plans are for that money before it can be disbursed?

Let’s start, as always, with the facts.  SAA is an investment advisor.  Securities America, Inc. (SAI) is the BD that served as the introducing firm for SAA’s clients.  They share common ownership.  SAA “adopted SAI’s policies and procedures for safeguarding client assets from misappropriation . . . thereby delegating to SAI responsibility for surveilling SAA advisory accounts.”   Hector May was an RR with SAI and the owner of his own independent state-registered investment adviser.  His advisory clients participated in SAA advisory programs and opened SAA advisory accounts.  Hector, as it turned out, was not a good guy, and a rather poor fiduciary.

He encouraged certain of his SAA advisory clients “to buy bonds away from” their SAA accounts, “falsely claiming that he could obtain the bonds at a better price and avoid certain fees if they did so.”  To pull that off, “he instructed the clients to transfer the necessary funds from their SAA advisory accounts to their personal bank accounts and to approve the transfer in the event they were contacted for confirmation.”  Once the money hit the personal bank accounts, Hector then had his +clients transfer the money to an account owned by his RIA.  He did not then use the money to buy bonds, however.  Instead, he “diverted” it “for his own personal use,” and hid his misconduct by ginning up fake advisory account statements that, falsely, showed the bonds.  (For this, Hector later became a respondent in an SEC case and a defendant in a federal criminal case, resulting in associational and penny stock bars, a 10+ year prison sentence, and a restitution obligation of $8 million.)

But, enough about Hector, let’s get back to SAA and SAI.  Putting aside for the moment whether this was a smart thing to do, SAI had systems in place designed to surveil for potentially improper disbursements – apparently including first-party disbursements – both before and after the disbursement.

Beforehand, SAA required, quite predictably, that customers actually document their requests.  Interestingly, SAA policy allowed a customer to sign a disbursement request once, and it could then be used for the next 12 months.  At least one customer, however, was permitted to rely – six times – on a disbursement request that had already expired.

In addition, there was a separate policy that required the back office to review outgoing wire requests over $50,000 for possible misappropriation.  This entailed a four-step process.  First, the back office staff had to contact the advisor to confirm that the customer had verbally confirmed the wire request.  Next, the back office was required to speak directly to the client to confirm the request, including confirming the client’s full name, last four digits of the client’s social security number, date of birth, and the amount and destination of the wire.  Third, the back office had to administer a Verification ID test designed to confirm the client’s identity.  Last, once steps 1-3 were done, staff was required to complete the Representative Verification and Client Verification section of the brokerage disbursement verification checklist.  While this is an impressive sounding list of requirements, in practice, staff failed to do everything in every case that the policies required.  One customer had 20 outgoing wires that should have resulted in a call to him, but he only got called 11 times.  Another five disbursements were approved where the customer could not identify the amount or the destination of the wire.

As for after-the-fact supervision, SAI had an automated AML surveillance system that generated alerts “based on certain preset rules and scenarios for potentially suspicious disbursements from client accounts,” including alerts based on the size of disbursements, size of disbursements relative to total account value, frequency of disbursements, and the percentage of disbursements to deposits.  Once generated, these alerts were supposed to be reviewed “within two to ten days depending on the alert” and analyzed for suspicious activity.  The disbursements by Hector’s customers triggered multiple alerts.  Indeed, between November 2014 and March 2018, at least 55 alerts were generated for outgoing disbursements to May’s advisory clients were identified as suspicious, but they were not analyzed, and not escalated for further action.  Why were the alerts triggered?  As examples, the SEC pointed to Client A, a senior citizen, and Client B, a company pension fund.  Both had account profiles that identified growth among their investment objectives and both stated that they held no assets away from SAA, facts apparently inconsistent with multiple withdrawals. Despite these facts, and despite the fact that these multiple disbursements were emptying the accounts, the alerts were not analyzed; indeed none of the 55 alerts was analyzed as per SAA’s policies.

For this, SAA paid the SEC $1.75 million, and had to retain an Independent Consultant.  Hardly a slap on the wrist.

And for what, really?  That’s what I’m trying to figure out.  When you read the details of the actual violations, it certainly seems that what got the SEC worked up is the fact that SAA had policies in place that seemed pretty good, but, for whatever reason failed to abide by them:  “SAA failed to implement its policies requiring AML analysts to review automatically generated surveillance alerts for suspicious client disbursements. SAA also failed to implement the signature requirements delegated to Cashiering and the call-out requirements for Trade Support.”    Granted, the failure happened multiple times, and resulted in over $8 million in customer losses.  When you put it that way, the result doesn’t sound crazy, right?  The SEC hates seeing that much money misappropriated from customers, so its reaction is hardly surprising.

But…would this have been the result if SAA didn’t have policies in place to monitor first-party wire disbursements?  What if SAA didn’t bother to make customers explain why they were taking money from their advisory or brokerage accounts and transferring it to their bank accounts?  Would the SEC have written the firm up in that circumstance for not having a first-person disbursement surveillance program in place?

I don’t think the answer is clear.  I don’t represent banks, but I am unaware of any rule that says a bank – which, of course, also has to abide by the very same AML rules – is obliged to ask a customer who makes a withdrawal – even a big withdrawal – why the customer wants his or her money and how it’s going to be spent?  Assuming that I am correct, why, then, would a BD or an RIA have to pose those same questions to their customers?  I have defended hundreds of customer arbitrations, and in many of them, I am faced with facially odd spending decisions by the customer.  My response is generally the same:  a customer is free to do with her money whatever she wants.  Not my problem, or, more importantly, my clients’ problem, if a customer decides to pull money out of an account – even money that when deposited was represented to be a long-term investment – and buy a car, or re-do a kitchen, or pay an unexpected medical bill.

In 2020, FINRA entered into an AWC with Royal Alliance that suggests I am correct.  In that case, FINRA found that two Royal Alliance RRs stole more than $3.8 million from customers by having their customers send wire transfers or checks from their brokerage accounts into accounts for entities the RRs created.  The gravamen of the complaint is that “the firm’s cashiering group unreasonably treated these . . . transfers as first-party transactions and thus processed them in contravention of the firm’s prohibition against third-party wire transfers.”  In other words, Royal Alliance was ok with first-party transfers, but not third-party transfers.  Notably, however, FINRA did not write the firm up for not having a more robust policy to cover first-party transfers, but, rather, for not doing a particularly job of figuring out that the transfers at issue were, in fact, third-party transfers.  That is consistent with my experience: first-party disbursement requests are routinely made without the same scrutiny that third-party requests are supposed to require, and the regulators are cool with that.

Notwithstanding this, the SAA settlement certainly suggests that there is some real risk to any advisor or BD that is not paying the same attention to first-party wires as it is to third-party wires.  I just don’t see that this reflects reality.  I cannot imagine that customers will cotton to having to tell their advisors why they want their own money.  The answer that “well, sorry, Mr. Customer, but I am required to ask” is not going to stop customers from taking ALL their money out and moving it elsewhere, where the advisors aren’t quite so nosy.

In conclusion, I am conflicted on what advice to give here.  The conservative me says that you should use the SAA settlement as a lesson not to distinguish between how you treat first- and third-party disbursement requests.  But, given the ridiculous amount of work that advice engenders, and the lack of prior indications from regulators that this is something you HAVE to do, the reality me says that you don’t need to do this.  Well, maybe only in those situations where your advisors are using first-party transfers to steal customer money.  Once you figure out how to detect those, maybe you can share it with the rest of us.  But in my experience, it is not easy to do, no matter how robust your supervisory system.  I will say this, however, which I have said before: Be very careful about creating a supervisory policy that holds you to a standard above and beyond that which the regulators demand.  Because once you do, then it’s fair for the regulators to insist that actually do what you say you’re going to do.