FinCEN

The SEC’s Authority to Enforce the Bank Secrecy Act is Challenged

In the past few years, the SEC has become increasingly active in bringing enforcement actions based on broker-dealers’ alleged failures to comply with requirements of the Bank Secrecy Act (BSA), in particular that requirement that they file “Suspicious Activity Reports,” or “SARs.” The SEC’s authority to bring such actions, however, has never been established by statute or appellate authority, and is being challenged in a petition for a writ of mandamus currently pending in the Second Circuit.  Though the procedural posture of that case makes it an unlikely vehicle for resolving the question, the issue it raises is likely to recur so long as the SEC continues to bring such enforcement actions despite its lack of any clear authority to do so.  Practitioners should be aware of this open issue so that it can be properly raised and preserved in BSA enforcement actions brought by the SEC.

The SEC’s Lack of Civil Penalty Authority under the BSA

The Bank Secrecy Act, enacted in 1970 to combat money-laundering, gives general examination and enforcement authority to the Secretary of the Treasury.  The Treasury Secretary is also authorized to “delegate duties and powers … to an appropriate supervising agency.”  31 U.S.C. § 5318.  By regulation, Treasury has delegated “[a]uthority to examine institutions to determine compliance with the requirements of” the BSA to various other agencies. 31 C.F.R. § 1010.810(b).  With respect to securities broker-dealers, such “authority to examine” has been delegated to the SEC. 31 C.F.R. § 1010.810(b)(6).  However, Treasury has kept “[a]uthority for the imposition of civil penalties” with the Financial Crimes Enforcement Network, or FinCEN, which is a bureau of Treasury.  31 C.F.R. § 1010.810(d).

Despite its lack of delegated authority, for more than a decade the SEC has initiated civil enforcement actions based on alleged failure of securities broker-dealers to comply with BSA requirements. In recent years, these enforcement actions have become more frequent, and have also changed in nature. Earlier enforcement actions typically focused on the requirement that broker-dealers establish and comply with a written Customer Identification Program. And in those cases where the SEC based its enforcement action on the requirement that broker-dealers file SARs, it was generally in circumstances where the broker-dealer in question failed to file any SARs at all for a protracted period. More recent enforcement actions, however, have challenged the adequacy of SARs that broker-dealers actually did file.

In these proceedings, the SEC has based its asserted enforcement authority under the BSA on Exchange Act Section 17(a), which allows the SEC to require that broker-dealers “make and keep for prescribed periods such records” that the Commission requires. Under that provision, the SEC promulgated Exchange Act Rule 17a-8—17 C.F.R. § 240.17a-8—which cross-references the regulations promulgated by the Treasury Department under the BSA and requires that securities broker-dealers comply with them.  In effect, then, the SEC has invoked its books-and-records authority as a means to assert for itself authority to enforce the requirements of the BSA.

The Pending SEC v. Alpine Securities Corp. Litigation

Although the SEC has been bringing enforcement actions based on securities broker-dealers’ alleged failures to comply with BSA requirements for more than a decade, its authority to do so was not challenged until recently.  The SEC brought a BSA enforcement action against Alpine Securities Corp. in the summer of 2017 in the Southern District of New York. That suit is representative of the SEC’s more recent BSA enforcement actions. According to the SEC’s allegations, Alpine did have a BSA compliance program, and did file thousands of SARs. The SEC, however, alleges that the SARs that Alpine filed were inadequate in various ways. And as in other BSA enforcement actions brought by the SEC, the agency alleged that these inadequate SARs violated Section 17(a) of the Exchange Act and Rule 17a-8.

In early 2018, Alpine moved for summary judgment, arguing that the SEC lacks authority to bring enforcement actions seeking civil penalties for alleged violations of the Bank Secrecy Act.  Alpine argued that the BSA expressly delegates authority to bring civil enforcement actions to the Treasury Secretary, and that the Treasury Secretary—while delegating authority to examine various institutions for BSA compliance to various other agencies—retained enforcement authority for itself.  Alpine contended that the SEC’s interpretation of the “books and record” provision as giving it the power to bring its own BSA enforcement actions was contrary to Congressional command, and that the SEC was improperly attempting to “bootstrap” itself into an area where it lacked jurisdiction.

The district court judge—Judge Denise Cote—denied Alpine’s motion. First, the court concluded that Alpine was wrong to characterize the SEC’s suit as seeking to enforce the BSA, because the SEC in fact brought the suit under Section 17(a) and Rule 17a-8. Second, the court rejected Alpine’s challenge to the SEC’s interpretation of Section 17(a) of the Exchange Act.  Applying the two-step framework from Chevron v. Natural Resources Defense Council, 467 U.S. 837 (1984), the court concluded that Rule 17a-8, which requires compliance with certain BSA regulations, is a reasonable interpretation of Exchange Act Section 17(a).  The court further observed that “neither the Exchange Act nor the BSA expressly precludes joint regulatory authority by FinCEN and the SEC over the reporting of potentially suspicious transactions.”

Alpine moved for reconsideration of the court’s order or, in the alternative, for certification of an interlocutory appeal. The court denied both motions.  On June 22, 2018, Alpine filed a petition for a writ of mandamus in the Second Circuit, again arguing that the BSA expressly delegates enforcement authority to Treasury, and such authority cannot be usurped by the SEC. On July 9, the SEC filed an opposition to the mandamus petition.

Implications for White-Collar and Securities Practitioners

In light of the high bar for obtaining a writ of mandamus, the chances that the Second Circuit will grant the relief Alpine requests are likely low.  The reasoning and conclusion of the district court’s decision, however, are vulnerable to attack.  The district court focused its analysis almost exclusively on Exchange Act Section 17(a) and Rule 17a-8, and rejected Alpine’s challenge based on its determination that the SEC clearly has authority to impose record-keeping and production requirements on broker-dealers.  In FDA v. Brown & Williamson, however, the Supreme Court emphasized that, “[i]n determining whether Congress has specifically addressed the question at issue, a reviewing court should not confine itself to examining a particular statutory provision in isolation.”  529 U.S. 120, 132 (2000).  Rather, courts must “interpret the statute as a symmetrical and coherent regulatory scheme,” and must also take into account how one statute “may be affected by other Acts.”  Id. at 133 (internal citations omitted).  Similarly, the Second Circuit has held that where an Act of Congress “specifically and unambiguously targets” a particular issue and “unambiguously” gives enforcement authority to a particular agency, another agency’s “assertion of concurrent jurisdiction rings a discordant tone with the regulatory structure created by Congress.”  Nutritional Health All. v. FDA, 318 F.3d 92, 104 (2d Cir. 2003).

As long as the SEC continues to bring BSA enforcement actions, it appears inevitable that at some point a court of appeals will be called upon to determine whether the SEC does, in fact, have such enforcement authority. White-collar and securities practitioners defending broker-dealers in SEC enforcement actions based on the alleged failure to file SARs or comply with other requirements of the BSA should raise the issue during the investigation process and again during court proceedings to ensure that it is preserved, and ask the court to certify the question for interlocutory appeal under 28 U.S.C. 1292(b) if the court determines that the SEC does have such authority.  Although the district judge in the Alpine Securities case refused to certify an interlocutory appeal, in light of the dearth of appellate case law on the issue and the fundamental nature of the challenge, other district judges may be willing to certify.

Chamber of Commerce Airs Grievances Related To Internal Controls Inspections

In recent months, issues related to internal control systems and reporting have taken on an increased profile and significance.  For example, as previously noted by the authors here and here, the SEC has sought to prioritize compliance with internal controls by initiating a growing number of investigations into companies based on allegations of inadequate internal controls.

READ MORE

Going for Brokerage: SEC Report Highlights Best (and Worst) Practices in Cybersecurity Preparedness

cybersecurity

On February 3, 2015, the U.S. Securities and Exchange Commission released a Risk Alert addressing cybersecurity issues at brokerage and advisory firms, along with suggestions to investors on ways they can protect themselves and their online accounts.  FINRA issued a similar, more extensive “Report on Cybersecurity Practices” on the same day.

The National Exam Program Risk Alert, “Cybersecurity Examination Sweep Summary” summarizes cybersecurity practices and policies of 57 registered broker-dealers, and 49 registered investment advisers based on examinations conducted by the SEC’s Office of Compliance Inspections and Examinations (“OCIE”).  These findings should be reviewed by CISOs and CIOs who have responsibility for cybersecurity protection because they highlight best practices and areas ripe for improvement.  It is reasonable to assume that both the SEC and FINRA will expect firms to review the findings and tailor their own internal assessments and practices to improve their cybersecurity posture, accordingly.  They also underscore that the simplest cyber-related scams (phishing, fraudulent e-mail scams, etc.) are still remarkably successful.

READ MORE