GWFS Equities Inc., a broker-dealer subsidiary of Empower Retirement, agreed to pay $1.5 million to settle Securities and Exchange Commission charges that it failed to properly report detected cases of hackers gaining, or attempting to gain, access to participant retirement accounts.
Greenwood Village, Colo.-based GWFS did not admit to or deny the SEC's findings in agreeing to the settlement, the SEC said Wednesday.
From 2015 to 2018, GWFS was aware of increasing attempts by external hackers to gain access to the retirement accounts of individual plan participants, according to the SEC order. Moreover, GWFS knew that the hackers attempted or gained access by, among other things, using improperly obtained personal identifying information of the plan participants, and that the hackers frequently were in possession of electronic login information such as usernames, email addresses and passwords, the SEC said.
GWFS failed to file approximately 130 suspicious activity reports, or SARs, over the three-year stretch. Broker-dealers are required to file SARs for certain transactions suspected to involve fraudulent activity or a lack of an apparent business purpose, the SEC noted.
Though GWFS did file nearly 300 SARs during that time, the SEC order found that the SARs were lacking vital information, including cyber-related data such as URL addresses and IP addresses.
"Across the financial services industry, we have seen a large increase in attempts by outside bad actors to gain unauthorized access to client accounts," said Kurt L. Gottschall, director of the SEC's Denver regional office, in a news release. "By failing to file SARs and by omitting information it knew about the suspicious activity it did report, GWFS deprived law enforcement of critical information relating to the threat that outside bad actors pose to retirees' accounts, particularly when the unauthorized account access has been cyber-enabled."
Significant cooperation by GWFS with the SEC's investigation and subsequent remedial efforts were taken into account in the determination to accept the company's settlement offer, the SEC said. The remedial efforts included adding dedicated anti-money laundering, or AML, staff and systems, replacing key personnel, clarifying delegation of responsibility for filing SARs, and implementing new SAR-related policies, procedures, standards and training, according to the SEC.
Steve Gawlik, a spokesman for Empower, said in an email that the firm has undertaken significant measures to address the issues identified by the SEC and has proactively filed SARs on the incidents that should have been reported previously but were not, and filed amended SARs to correct previously filed deficient SARs.
"We are confident the issues identified by the SEC are well behind us and have committed to maintaining an effective AML compliance program," Mr. Gawlik said.