The Currency and Foreign Transactions Reporting Act, also known as the “BSA,” enacted in 1970, established requirements for record-keeping and reporting by banks and other financial institutions.¹ The BSA is designed to, among other things, enable U.S. law enforcement and regulatory agencies to investigate potential criminal, tax, and regulatory violations (including money laundering and other financial crimes), by requiring individuals, banks, and other financial institutions to: file currency reports with the U.S. Department of Treasury; identify persons conducting transactions in currency and other monetary instruments; and maintain appropriate records of financial transactions.

In 1986, Congress enacted the Money Laundering Control Act to ensure compliance with the BSA. Among other things, the act requires banks to establish and maintain procedures reasonably designed to confirm and monitor their compliance with the BSA.² 

Since 1996, persons and entities subject to the BSA have been required to file a Suspicious Activity Report (“SAR”) with U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) whenever they “detect[] a known or suspected violation of Federal Law, or a suspicious transaction related to a money laundering activity or a violation of the [BSA].”³ A suspicious transaction or pattern of transactions concerns funds or other assets of at least $5,000 that the person or entity knows, suspects, or has reason to suspect: (1) involves funds derived from illegal activity or is conducted to disguise funds derived from illegal activities; (2) is designed to evade any requirement of the BSA; (3) has no business or apparent lawful purpose and the broker-dealer knows of no reasonable explanation for the transaction after examining the available facts; or (4) involves use of the broker-dealer to facilitate criminal activity.⁴ 

When submitting a SAR to FinCEN, filers are required to “provide a clear, complete, and concise description of the activity, including what was unusual or irregular that caused suspicion” in the narrative and to “include any other information necessary to explain the nature and circumstances of the suspicious activity.”⁵ To be effective, the SAR should describe “the five essential elements of information – who? what? when? where? and why? – of the suspicious activity being reported.”⁶ When a SAR “lack[s] basic information regarding the Five Essential Elements … [the] SAR [i]s deficient as a matter of law.”⁷ 

FinCEN has provided additional instructions regarding the obligations of financial institutions to report cyber-related events. In December 2011, for example, FinCEN issued an advisory to alert financial institutions to the increased threat of cyber account takeover activity.⁸ 

FinCEN advised that “[c]ybercriminals are increasingly using sophisticated methods to obtain access to accounts” and these “attacks aim to deliberately exploit a customer’s account and, in many instances, to gain seemingly legitimate access to another customer’s account.”⁹ In order to assist financial institutions with identifying and reporting account takeover activity where cybercriminals attempt intrusions into a customer’s account in order to steal the customer’s funds, FinCEN also set forth detailed instruction for reporting account takeovers that emphasizes the importance of reporting cyber-related information—including cyber-event data, such as URL address and IP addresses with timestamps, as well as email addresses and other electronic identifying information—in the event of a cyber-enabled account takeover.¹⁰ 

The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, commonly known as the “USA PATRIOT Act”, required financial institutions to establish AML programs, including, at a minimum: “(A) the development of internal policies, procedures, and controls [to assure ongoing compliance with the BSA]; (B) the designation of a [BSA] compliance officer; (C) an ongoing employee [BSA] training program; and (D) an independent audit function to test [the BSA compliance] program.”¹¹ 

In addition, a financial institution’s BSA compliance program must include a customer identification program, as well as procedures for conducting ongoing customer due diligence and complying with beneficial ownership requirements for legal entity customers.¹² 

Compliance with the BSA is supervised by the Board of Governors of the Federal Reserve System (the “Federal Reserve”). Among other responsibilities, the Federal Reserve evaluates an institution’s BSA compliance program.¹³ 

The Federal Reserve’s supervisory processes assess whether banks have established the appropriate policies, procedures, and processes commensurate with their individual BSA/AML risk to identify and report suspicious activity; and that they provide sufficient detail in their reports to law enforcement agencies to ensure that the reports are useful for investigating reported suspicious transactions.

In general, a BSA compliance program must be tailored to the financial institiution’s size, complexity, organizational structure, and unique illicit financial activity risk profile. Thus, for example, a bank’s transaction monitoring system—used to identify, research, and report suspicious activity—should be risk-based to incorporate any necessary additional screening for higher-risk products, services, customers, and geographic locations.¹⁴ 

A financial institution also must implement risk-based customer due diligence policies, procedures, and processes necessary to enable the institution to understand the nature and purpose of customer relationships—which may include understanding the types of transactions in which a customer is likely to engage.¹⁵ These processes assist the institution in determining when transactions are potentially suspicious. BSA monitoring systems can include employee identification or referrals from law enforcement, transaction-based monitoring systems (manual), and/or surveillance monitoring systems (automated).

A transaction-based monitoring system targets specific types of transactions (e.g., involving large amounts of cash or offshore transfers), which the financial institution compiles in a periodic report that its employees must manually review for suspicious or unusual activity. Surveillance monitoring systems typically use computer software programmed to identify individual transactions, patterns of unusual activity, or deviations from expected behavior indicative of suspicious activity.

Surveillance monitoring systems include rule-based and intelligent systems. The rule-based systems typically detect transactions that are outside a set of established parameters or “rules,” while the “intelligent” systems are generally adaptive programs that can identify transactions as unusual based on patterns or context.

The foregoing principles were at issue in an enforcement action brought by the Securities and Exchange Commission (“SEC”) against Silvergate Capital Corporation (“SCC” or the “Company”), its former Chief Executive Officer (“CEO”), and former Chief Risk Officer (“CRO”) (here). In the SEC’s complaint (here), the SEC charged defendants with misleading investors about the strength of the BSA/AML compliance program and the monitoring of crypto customers, including FTX, by SCC’s wholly owned subsidiary, Silvergate Bank. The SEC also charged SCC and its former Chief Financial Officer (“CFO”) with misleading investors about the Company’s losses from expected securities sales following FTX’s collapse.¹⁶ All parties charged, except the CFO, agreed to settle the SEC’s charges.

According to the SEC, from November 2022 to January 2023, SCC, the CEO and CRO misled investors in stating that SCC had an effective BSA/AML compliance program and conducted ongoing monitoring of its high-risk crypto customers, including FTX, in part to rebut public speculation that FTX had used its accounts at SCC to facilitate FTX’s misconduct. In reality, said the SEC, SCC’s automated transaction monitoring system failed to monitor more than $1 trillion of transactions by its customers on the bank’s payments platform, the Silvergate Exchange Network (”SEN”).

“At all times, but especially during moments of crises, public companies and their officers must speak truthfully to the investing public. Here, we allege that [the Company, CEO and CRO] fell not only woefully, but also fraudulently, short in that regard,” said Gurbir S. Grewal, Director of the SEC’s Division of Enforcement. “Rather than coming clean to investors about serious deficiencies in its compliance programs in the wake of the collapse of FTX, one of [SCC’s] largest banking customers, they doubled down in a way that misled investors about the soundness of the programs. In fact, because of those deficiencies, [SCC] allegedly failed to detect nearly $9 billion in suspicious transfers among FTX and its related entities. [SCC’s] stock eventually cratered, wiping out billions in market value for investors.”

The SEC also alleged that SCC and the CFO misrepresented the company’s financial condition during a liquidity crisis and bank run following FTX’s collapse. The SEC alleged that SCC and the CFO, in an earnings release and earnings call, understated SCC’s losses from expected security sales and misrepresented that it remained well-capitalized as of December 31, 2022. In March 2023, SCC announced it would wind down its banking operations, and its stock eventually fell to near $0.00 per share.

The SEC filed its complaint in the U.S. District Court for the Southern District of New York. The SEC charged SCC, the CEO, and CRO with negligence-based fraud and charged SCC with violating certain reporting, internal accounting controls, and books-and-records provisions.

Without admitting or denying the allegations, SCC agreed to a final judgment ordering it to pay a $50 million civil penalty and imposing a permanent injunction to settle the charges. The CEO and CRO also settled the charges without admitting or denying the allegations, agreeing to permanent injunctions, five-year officer-and-director bars, and civil penalties of $1 million and $250,000 respectively. The settlements are subject to court approval. SCC’s payment may be offset by penalties paid to the Federal Reserve and/or the California Department of Financial Protection and Innovation.

The SEC charged the CFO with violating certain of the antifraud and books-and-records provisions of the federal securities laws, and with aiding and abetting certain of SCC’s violations.

In parallel actions, the Federal Reserve and DFPI announced the settled charges (here and here, respectively) against SCC.

Footnotes

1. 31 U.S.C. § 5311 et seq.
2. 12 U.S.C § 1818(s).
3. 12 C.F.R. § 208.62.
4. 31 C.F.R. § 1023.320(a)(2) (the “SAR Rule”).
5. See FinCEN, FinCEN Suspicious Activity Report (FinCEN SAR) Electronic Filing Instructions (October 2012) (here).
6. See, e.g., FinCEN, Guidance on Preparing a Complete & Sufficient Suspicious Activity Report Narrative, at 3 (Nov. 2003) (here).
7. SEC v. Alpine Sec. Corp., 308 F. Supp. 3d 775, 800 (S.D.N.Y. 2018) [here], aff’d, 982 F.3d 68 (2d Cir. 2020).
8. FinCEN, Account Takeover Activity, FIN-2011-A016 (Dec. 19, 2011) (here).
9. Id.
10. See FinCEN, Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime, FIN2016-A005 (Oct. 25, 2016) (here); see also Frequently Asked Questions (FAQs) regarding the Reporting of Cyber-Events, Cyber-Enabled Crime, and Cyber-Related Information through Suspicious Activity Reports (SARs) (Oct. 25, 2016).
11. 31 U.S.C. § 5318(h)(1); see also 12 C.F.R. § 208.63.
12. 31 C.F.R. §§ 1020.210 and 1020.220.
13. 12 U.S.C. § 1818(s).
14. See generally 31 C.F.R. § 1020.210.
15. Id.
16. FTX was one of the largest crypto asset trading platforms in the world. FTX held bank accounts at SCC, as did many entities related to FTX—including Alameda Research (“Alameda”), a crypto asset hedge fund owned by Sam Bankman-Fried (“Bankman-Fried”), the Chief Executive Officer of FTX. FTX declared bankruptcy on November 11, 2022, amid public uproar questioning whether FTX and Bankman-Fried had diverted billions of dollars of FTX customers’ funds to Alameda for improper purposes. Soon after FTX’s bankruptcy, SCC customers began to remove their deposits from their SCC accounts. By November 15, 2022, SCC was in the midst of an existential bank run; its crypto asset-related deposits had fallen to under $8 billion, down from over $14 billion at the beginning of the year, and the Company was facing a liquidity crisis.