Suspicious Activity Reports for Securities and Futures Industries

Brokers and dealers in securities were required to report suspicious activity beginning in January 2003.2 In May 2004, futures commission merchants and introducing brokers in commodities were added to the regulatory definition of ?financial institution,? thus requiring them to comply with the recordkeeping and reporting obligations of the Bank Secrecy Act.

In Issue 7 of The SAR Activity Review, FinCEN reported on trends after the first year of mandatory filings.3 The following is an analysis of reporting by the securities and futures industries from January 2003 through June 2005.4 The analysis reviews the total number of filings, suspicious activities, occupations, violation amounts, and instruments used to conduct the suspicious activity. It also examines the types of institutions reporting, evaluates the geographic location of the filers, and takes an in-depth look at narratives.

Filing Trends

In its first year (2003), the securities and futures industries filed 4,267 Suspicious Activity Reports. In 2004, filings increased to 5,705 Suspicious Activity Reports. Current filing levels in 2005 are likely to meet or exceed the filing rate established in 2004. The chart below illustrates the filing trends over the last two years.


Institutions Reporting

There is a variety of financial institutions filing Suspicious Activity Reports in the securities and futures industries. While many of the institutional categories identified on the Suspicious Activity Report form (in item 51) are not mutally exclusive, the majority of the institutions are self-identified as either clearing securities brokers or introducing securities brokers.

Instruments Reported

?Cash and cash equivalents? remains the most commonly reported instrument involved in a suspicious activity and is frequently cited in conjunction with the Money Laundering/Structuring violation within the securities and futures industries.

In 2004, there was a slight, but noticeable, fluctuation in stocks reported as the instrument involved in a suspicious activity. In the first quarter of 2003, stocks represented 2.54% of the securities and futures industries filings. By the second quarter of 2003, stocks reported as the instrument involved in a suspicious activity rose to 8.70% and then to 10.65% in the first quarter of 2004. The percentage of reports that indicate stocks as the instrument involved continues to fluctuate around 10.65%. The increase between the first quarter of 2003 and the first quarter of 2004 may be due to a better understanding by broker-dealers of their Suspicious Activity Report filing obligations; or the increase may be the result of the economic recovery and subsequent rebound of the broad financial markets.5


Reviews of Suspicious Activity Report narrative sections were necessary to determine the nature of instruments associated with filings listing ?Other.? The narratives indicate that ?other? has become a catch-all receptacle for filings regarding negotiable instruments, such as drafts, checks, and guarantee instruments. In theory, these instruments can be coded as cash equivalents, but filers appear to be more comfortable listing them separately. Moreover, they are more likely to provide specifics about the nature of the abuse in the narrative section if the instrument is listed separately from ?cash or cash equivalents.?

Suspect versus Filer Locations

Not surprisingly, the city/state distributions of securities and futures institutions filing Suspicious Activity Reports reflects many of the primary financial districts within the United States. As expected, more filers indicate an address in New York than in any other state, followed by Massachusetts, California, Washington, and Minnesota respectively.

In contrast, the distribution of the addresses for suspects was highly correlated to the 2000 United States Census, i.e., suspects in this group mirrored the general population with respect to location.

However, when the reporting branch location was not proximate to a suspect?s address, the Suspicious Activity Report most likely involved online brokerage activities. Straw accounts6 and funding fraudulent schemes were commonly reported. In these filings, there was no proximity between the addresses of the suspect and the branch reporting the suspicious activity. This association between suspect and filer locations was most obvious in filings reporting broker-dealers operating online businesses. In some instances, it appears that broker-dealers operating online have a straight-through application process: it involves a non-documentary means of customer identification, typically by checking credit bureau headers; therefore no official government identification is reviewed as a source document to verify applicant identity. Accounts that are opened without face-to face contact may be a higher risk for money laundering and terrorist financing, e.g., it is more difficult to positively verify the individual?s identity, customer may be out of the broker-dealer?s targeted geographic area or country, transactions are instantaneous, and accounts may be used by a ?front? company or unknown third party.

Violation Amounts

The most commonly reported violation amounts in the securities and futures industries were in the $10,000 to $49,999 category. Reported violation amounts ranged from zero ($0) to $2.1 billion; generally, higher dollar amounts reported were associated with Advance Fee Fraud email solicitations as opposed to actual transactional amounts.7 Out of the 11,721 Suspicious Activity Reports filed by the securities and futures industries since 2003, only 16 filings failed to identify a violation amount.





Occupation Analysis

In general, securities and futures industries filers did not report an occupation for suspects. This information appears on the Suspicious Activity Report form, but it is not required to be obtained under the Customer Identification Program rule. Only about one in 15 Suspicious Activity Reports included this information. An occupation was more likely to be listed where the suspect was associated with either the filing firm or another financial services firm. In fact, suspects in this specific category (Financial Services Industry) comprised almost 7% of those filings that reported an occupation. Occupational information assists FinCEN and law enforcement in analyzing Suspicious Activity Reports if the subject?s occupation is provided.


Suspicious Activity Patterns

The most common violation reported in Suspicious Activity Reports filed by securities and futures industries, not including ?Other,? was ?Money Laundering/Structuring.? Filers reporting this violation gave examples of overt efforts to launder funds through investment accounts opened for no apparent economic purpose other than to wire funds internationally. Additionally, filers identified deposit/withdrawal activity in accounts that seemed to have no other source of net change in the account balance. Generally, suspicious activity pertaining to ?Check Fraud? and ?Significant Wire or Other Transaction Lacking Purpose? remained stable over the last two years, but ?Identity Theft? appeared to be closing in as one of the most commonly reported suspicious activities.

Only in the first quarter of 2004 was there a fundamental change in the distribution of reported violations. Closer inspection revealed an extraordinarily high number of filings reporting ?Check Fraud,? ?Credit/Debit Card Fraud,? and ?Wire Fraud.? These categories represented the most popular methods of funding retail brokerage accounts. Increases in these categories may indicate that retail customers were:

1. illiquid during this period; or
2. deliberately failing to fund their accounts and/or settle trades.

There was also an increase in identity theft reported during the first quarter of 2004. In many of these filings, multiple suspects attempted account piracy by trying to fraudulently fund accounts through misappropriated Automated Clearing House payments. When the Automated Clearing House transfers failed, some suspects provided booster (fraudulent) checks to falsely inflate account balances. This was done with the hope that a wire transfer might be sent to another institution before any suspicious activity was detected in the new brokerage account. This peculiar distribution did not persist into the second quarter of 2004, and the percentages in each violation category except identity theft trended back to previously observed rates.


Straw Accounts/Account Funding Frauds

Filers continued to report account funding fraud throughout the examination period. Some of the funding frauds occurred in conjunction with identity theft and Automated Clearing House piracy, while others occurred in conjunction with straw accounts established in the names of purely fictional individuals/entities. Filers cited attempts to fund newly established accounts with counterfeit, stolen, or bad checks, or through unauthorized Automated Clearing House payments from unknowing individuals.

It appears most financial institutions were able to identify ?true name fraud?8 or straw entities by following their Customer Identification Programs before brokerage accounts were established; however, online broker-dealers typically reported that the detection of fraud occurred after accounts were established and transactions initiated. When monitoring suspect accounts, online broker-dealers discovered that several straw accounts with the same addresses had been established. This subsequently led to the filing of multiple Suspicious Activity Reports as filers reported straw accounts associated by similar address, phone number, or name.

Losses attributed to straw accounts and true name frauds appeared to affect online brokerage firms more than traditional brokerage firms. This may be the result of limited capabilities of online brokerages to conduct adequate account due diligence when allowing online processing of applications. Unlike traditional brokerage houses with regional registered representatives familiar with regional economic conditions and the regional consumer base, online firms have no specific regional market and thus may be vulnerable from all points. As noted above, the online application process typically may not involve any verification beyond credit bureau headers,9 which means no official government identification is actually reviewed as a source document to verify applicant identity.

As described in filing narratives, online broker-dealers were more likely to let customers buy/sell and conduct wire activity in new accounts without an appreciable hold or restriction period. Online broker-dealers reported more losses related to initial funding activity that eventually (10 or more days later) proved to be fraudulent.

Automated Customer Account Transfer/Automated Clearing House/Wire Piracy

Piracy in the context of Suspicious Activity Reports indicates the takeover, or attempted takeover, of an established account or transaction by an unauthorized individual. As previously noted, a number of filers reported that individuals believed to be legitimate prospects opened accounts with the intent to fund the accounts electronically. The fraudulent funding method of choice was typically an Automated Clearing House payment or an Electronic Funds Transfer (ACH/EFT) debit of a demand deposit account.10 Filers also indicated that many suspects offered several different pirated account numbers in anticipation that initial attempts to fund an account would fail. Predictably, these Automated Clearing House/Electronic Funds Transfer debits were returned for various reasons, including insufficient funds and account restrictions due to fraud.

Electronic memorandum (account journaling) was also identified as an account takeover mechanism and a source of fraudulent funding. There were at least seven Suspicious Activity Reports that indicated fraudulent funding attempts using transferring services11 offered by one particular clearing processor and/or its subsidiaries. These attempts included one subject?s effort to transfer securities from an account rightfully titled in his mother?s name. Another was attempted by a subject opening an account for transfer; however, the transfer failed because a securities clearing processor could not match the subject?s Social Security Number to that of the legitimate account holder.

Intentional Abuse of Accounts

The most common theme reported by filers was individuals attempting to use brokerage accounts in a manner inconsistent with the stated investment objective. The predominant activity reported in this category was funding an account but allowing the money to remain idle. Since some investment accounts are not interest bearing, failure to invest assets is actually considered a loss in most cases. Therefore, lack of activity in an investment account may serve as a red flag to broker-dealers. Filers indicated that the decision to file a Suspicious Activity Report usually was made after long periods of inactivity followed by sudden liquidation activity on the account, such as check writing, debit card use at automated teller machines, and/or outbound fund transfers sent without obvious economic benefit. Reports indicating excessive outbound wire activity were common in Suspicious Activity Reports filed by the securities and futures industries. Preliminary indicators are that individuals who engage in this activity within one year of establishing a brokerage account were more likely to send funds outside of the United States.

Several filers located near the Canadian or Mexican borders reported strong suspicions that funds in idle brokerage accounts were being wired to foreign institutions in Canada and Mexico to evade taxes. In one case, a filer reported an elaborate funds transfer scheme involving a local bank?s correspondent account. Apparently, a suspect attempted to trace funds released to a customer before the item had cleared; the charge-back to the brokerage account created a margin debit12 for several thousand dollars.

See 31 CFR ? 103.19 and 67 F.R. 44048 (July 1, 2002).
See http://www.fincen.gov/sarreviewissue7.pdf, page 20. Please note that futures commission merchants and introducing brokers in commodities were not required to report suspicious activity until after the period subject to review in Issue 7 of The SAR Activity Review.
Please note: Futures commission merchants and introducing brokers in commodities were not required to report suspicious activity until May 2004, although the analysis for this study dates back to January 2003.
5 A financial market is a market for a financial instrument, in which buyers and sellers find each other and create or exchange financial assets. Sometimes these are organized in a particular place and/or institution, but often they exist more broadly through communication among dispersed buyers and sellers over long distances.
6 A straw account is established by someone presenting himself/herself as a straw man. The term straw man can refer to a third party that acts as a ?front? in a transaction (i.e., one who is an agent for another) for the purpose of taking title to real property, breaking a joint tenancy, or engaging in some other kind of transaction where the principal remains hidden or who plans to do something else which is not allowed. A straw man is also ?a person of no means,? or one who deliberately accepts a liability or other monetary responsibility without the resources to fulfi
l it, usually to shield another party.
7 In the ?Advance Fee Fraud? or 4-1-9 (a section of the Nigerian penal law that prohibits this activity) schemes, victims may receive emails and letters from groups of con artists, often located in Nigeria, who claim to have access to a very large sum of money and want to use the victim?s bank account to transfer the funds. In exchange for the victim?s services, they claim they will give the recipient of the email/letter a large percentage of the funds. These schemes have a common denominator?eventually the target of the scheme will be required to pay up-front (advance) fees (licensing fees, taxes, attorney fees, transaction fees, bribes, etc.) to receive the percentage of funds promised. The con artists usually request that they be furnished with blank company letterhead and/or bank account information. In Issue 7 of The SAR Activity Review, pages 47-48, FinCEN requested that financial institutions not file Suspicious Activity Reports on advance fee fraud schemes unless such schemes involve a monetary loss.
8 True name fraud is the primary fraudulent technique used to initiate an account takeover. The Association of Certified Fraud Examiners defines true name fraud as an ?account takeover [that] involves the thief actually taking on the true name identity of legitimate consumers.? In this case, fraud against the institution is not effected through a straw identity (fictitious person of no means) but is instead effected by misappropriation of another?s true name (18 U.S.C. ? 1028) (a person of means illegally placed in a position of obligation).
9 ?Credit header data is the identifying information that accompanies consumers? credit reports. It consists of name, name variations, address, former addresses, telephone number (even unlisted numbers if known), date of birth (usually limited to month and/or year of birth) and Social Security number. Although credit header information is generated as part of the credit reporting process, the Federal Trade Commission has determined that it is not part of the credit history and therefore is not regulated under the Fair Credit Reporting Act.? (Source: http://www.privacyrights.org/ar/fedres.htm)
10 A demand deposit account (or DDA) is an account, usually a checking account, which permits the account owner to withdraw funds from the account on demand. 11 ?Transferring services? refers to systems that allow customers to transfer assets from one brokerage firm and/or bank to another.
12 Margin debit is ?a debit in your account that is owed to the broker. The debit is secured with stocks and bonds which regulators have authorized for use as collateral. It excludes funds due which are debits resulting from purchases in a cash account.? Source: www.trader-soft.com/option-trading/optionglossary/ m.html.

Excerpted from SAR Activity Review Issue 9, page 5