The Securities and Exchange Commission said Wednesday it has settled charges against GWFS Equities Inc., a Greenwood Village-based registered broker-dealer and affiliate of Empower Retirement, for not properly reporting attempts to hack into individual retirement accounts over a three-year period.
As part of the settlement, regulators fined the subsidiary of the retirement plan services giant $1.5 million and censured it for failing to file approximately 130 Suspicious Activity Reports, or SARs, on attempts, some successful, to illegally gain access to retirement plan accounts. Of the nearly 300 reports GWFS did file, some lacked the cyber information needed to help authorities track down the fraudsters, the SEC said.
“Across the financial services industry, we have seen a large increase in attempts by outside bad actors to gain unauthorized access to client accounts,” said Kurt L. Gottschall, director of the SEC’s Denver Regional Office, in a news release. “By failing to file SARs and by omitting information it knew about the suspicious activity it did report, GWFS deprived law enforcement of critical information relating to the threat that outside bad actors pose to retirees’ accounts, particularly when the unauthorized account access has been cyber-enabled.”
Between September 2015 and October 2018, GWFS saw repeated attempts to gain unauthorized access to the retirement accounts of individual retirement plan participants, the SEC said. The hackers often had improperly acquired personal identifying information, in some cases the electronic login information, including user names, email addresses and passwords.
Broker-dealers are required to file SARs in cases where fraudulent activity is suspected or when financial accounts are accessed without a legitimate business purpose. The U.S. Treasury Department’s Financial Crimes Enforcement Network requires that SARs include information on the who, what, when, where and why behind the suspicious activity.
The SEC found that GWFS failed to file approximately 130 of the required reports and that of the nearly 300 SARs it did file, essential information was left out, including the URL and IP addresses that authorities needed to track down where the hacking attempts were originating.
The fine could have been larger, but the SEC noted in its order that GWFS cooperated with investigators and took several steps to beef up security, including adding dedicated anti-money laundering staff and systems, replacing key personnel, clarifying the delegation of responsibility for filing reports and implementing new policies, procedures and training.
As part of the agreement, GWFS said it would cease and desist from future violations. Empower Retirement is the nation’s second-largest retirement plan administrator with oversight of more than 12 million retirement accounts. It also has its name on Empower Field at Mile High.