How to Respond to a Wells Notice From the SEC for Suspected Bank Secrecy Act/AML Violations at a Community Bank
A Wells Notice typically gives a community bank about 30 days to submit a written response before the SEC staff recommends an enforcement action. For suspected Bank Secrecy Act/AML failures, the notice often signals parallel exposure to FinCEN, federal banking regulators, DOJ, and state authorities. This article explains how to triage the notice, preserve privilege, investigate, craft a Wells submission, and manage multi‑agency risk.
What a Wells Notice Means in a Community Bank BSA/AML Case
A Wells Notice is the SEC Enforcement Division staff’s formal notice that it intends to recommend that the Commission bring an enforcement action. It is not a finding of liability, but it is a pivotal inflection point: the bank (and potentially individual officers, directors, BSA/AML personnel, and business-line leaders) is given a chance to respond before staff presents the matter to the Commission.
When the notice references suspected Bank Secrecy Act/anti-money laundering (BSA/AML) violations—often framed as internal controls, books-and-records, disclosure, supervisory, or gatekeeper failures—the risk profile changes for a community bank. The SEC may be pursuing a theory tied to securities offerings, broker-dealer/affiliate activity, investment advisory operations, public-company disclosures, or misstatements to investors about compliance. At the same time, BSA/AML issues can trigger collateral scrutiny by FinCEN and prudential regulators, and can create criminal exposure if willfulness, concealment, or facilitation is alleged.
Immediate Triage: First 72 Hours After Receiving the Notice
1) Confirm deadlines, recipients, and scope
Wells Notices commonly specify a response deadline (often around 30 days, though extensions can sometimes be negotiated). Identify who received the notice (the bank entity, a holding company, an affiliate, and/or individuals). Pin down the staff’s stated theories (e.g., failure to maintain an adequate AML program, deficient suspicious activity monitoring, improper SAR decisioning, misleading compliance statements, or inadequate internal accounting controls).
2) Issue a targeted legal hold and stabilize systems
Implement a litigation hold covering emails, chats, ticketing systems, core banking notes, transaction monitoring alerts/case files, SAR narratives/drafts, model tuning records, independent testing reports, audit workpapers, board and committee materials, and communications with regulators and consultants. Preserve cloud and mobile data. Avoid “cleanup” projects that could be misconstrued as spoliation.
3) Establish privilege boundaries from day one
Because BSA/AML programs generate large volumes of operational documentation, it is easy for privilege to blur. Outside counsel should direct the response and, where appropriate, retain forensic consultants and AML experts through counsel to strengthen privilege arguments. Create a documented protocol for interviews, document collection, and draft analyses. Make clear that business teams should not conduct ad hoc “side investigations” outside counsel’s direction.
4) Evaluate insurance, indemnification, and governance issues
Notify relevant carriers (D&O, E&O, fidelity bond) consistent with policy terms. Review indemnification and advancement provisions for individuals, and consider independent counsel needs for potentially conflicted officers or directors. Form a special committee if governance independence is necessary.
Map the Enforcement Landscape: SEC Theories and Parallel Proceedings
Community banks sometimes assume BSA/AML is “only a banking regulator issue.” In practice, SEC cases can arise when AML weaknesses intersect with securities law obligations—for example:
Disclosure/internal controls theories: Allegations that the bank (or holding company) made misleading statements to investors about compliance, risk controls, or remediation; or lacked adequate internal accounting controls to prevent or detect misconduct.
Affiliate/registered entity exposure: If the bank has a broker-dealer, investment adviser, or other SEC-registered affiliate, the SEC may examine AML policies, customer identification procedures, escalation protocols, and supervisory controls in that context.
Offering proceeds and customer activity: In capital raises, merger transactions, or structured products, the SEC may scrutinize whether the institution ignored red flags tied to customer funds flows, beneficial ownership, or source-of-funds representations.
At the same time, Wells Notices in this area often coincide with parallel or follow-on actions:
FinCEN: Civil money penalties and programmatic remediation requirements tied to AML program deficiencies, SAR failures, or recordkeeping issues.
Prudential regulators (FDIC/OCC/Fed; plus state banking departments): Matters requiring attention, formal enforcement orders, CMPs, management changes, and heightened governance obligations.
DOJ and U.S. Attorney’s Offices: Criminal investigations can arise when facts suggest willful violations, obstruction, or facilitation of illicit activity.
State AGs and private plaintiffs: Follow-on civil suits and shareholder derivative actions may leverage SEC allegations.
Conducting an Internal Investigation That Will Stand Up to SEC Scrutiny
Define the investigation questions before collecting everything
A Wells response is only as strong as the fact development behind it. Build an investigation plan around the staff’s likely elements: what the bank knew, when it knew it, how it responded, and whether controls were reasonably designed and implemented.
Key evidence categories in BSA/AML Wells matters
Program design and governance: Board minutes; BSA/AML committee materials; BSA officer reporting lines; staffing levels; training; risk assessment methodology; vendor selection and oversight; independent testing results; management responses.
Transaction monitoring and alert disposition: Rules/scenario settings; tuning and validation records; backlogs; QA findings; alert-to-case conversion metrics; escalation paths; evidence supporting closures; documentation quality.
SAR decisioning and filing: SAR logs; timeliness tracking; narrative quality; “no SAR” rationales; repeat-activity handling; communications about sensitive accounts; any deviations from policy.
Customer due diligence/beneficial ownership: CIP/CDD files; beneficial ownership collection practices; periodic reviews; enhanced due diligence on higher-risk customers; adverse media screening outcomes.
Regulatory communications: Exam reports; MRAs/MRIs; responses and remediation plans; communications with field examiners; consultant reports; progress tracking.
Interview sequencing and credibility
Start with control owners and document custodians (BSA officer, AML operations manager, monitoring lead, model governance, internal audit). Then interview business-line leaders tied to higher-risk products (MSBs, cash-intensive businesses, international wires, fintech sponsorship, prepaid, remote deposit capture). Carefully prepare witnesses to ensure accuracy; do not “script” testimony, and document the basis for factual conclusions.
Deciding Whether to Submit a Wells Response (and What Type)
Not every Wells Notice warrants a lengthy submission, but most community banks benefit from a strategic response that (1) narrows theories, (2) corrects factual misunderstandings, and (3) demonstrates credible remediation and governance accountability.
Common options include:
Full Wells submission: A detailed brief with exhibits, timelines, declarations, and remediation evidence. Best when facts are defensible, staff’s narrative is incomplete, or legal theory is overbroad.
Targeted submission: A narrower letter addressing key inaccuracies, jurisdictional issues, or a small number of decisive documents. Best when time is short or the staff’s case is largely factual but overstated.
Presentation without a letter: An in-person meeting to walk staff through evidence and remediation. Best when sensitive facts should not be memorialized broadly or when negotiation posture is central.
No submission: Occasionally appropriate where parallel criminal risk is high and statements could be used adversely, or where settlement is imminent and a submission could harden positions.
How to Draft a Persuasive Wells Submission in an AML Context
Lead with a credible narrative and a clean timeline
SEC staff often sees BSA/AML control failures as “known problems ignored.” Your submission should anchor a timeline showing what the bank identified, what it escalated, what it fixed, and how the board and senior management governed the response. Use dated artifacts: committee decks, vendor change orders, staffing approvals, tuning memos, and independent testing results.
Address likely SEC pressure points
Materiality and investor impact: If the case involves disclosures or offerings, explain why alleged deficiencies were not material as framed, or how risk was appropriately disclosed. Tie statements to contemporaneous knowledge and qualified language.
Reasonable design vs. perfect outcomes: AML programs are risk-based. Show the bank’s risk assessment, product/customer segmentation, and governance choices. Acknowledge issues without conceding that the program was inherently unreasonable.
Causation and red flags: If staff points to specific customers or events, analyze what alerts occurred, how they were dispositioned, what information was available at the time, and whether escalation decisions were consistent with policy.
Individual liability theories: Where staff targets officers or compliance personnel, separate institutional process issues from individual intent. Demonstrate good-faith escalation, resourcing requests, and documented warnings.
Use remediation as a shield—but don’t oversell it
Remediation is often the most powerful lever in BSA/AML matters, but exaggeration undermines credibility. Provide concrete, verifiable steps, such as:
Program upgrades: New transaction monitoring scenarios, refreshed risk assessment, revised SAR decisioning framework, enhanced QA, and updated policies aligned to current risk profile.
Resourcing: Headcount increases, training, revised performance metrics (quality over throughput), and clarified escalation authority.
Governance: Board reporting enhancements, compliance independence, three-lines-of-defense clarity, and documented oversight cadence.
Backlog burn-down: If historical alerts/cases were backlogged, show a structured plan, prioritization logic, and independent validation of completion quality.
Independent testing and validation: Summaries of internal audit results, consultant findings, and management action plans with completion dates.
Include exhibits that win the “show me” battle
Effective exhibits include: a remediation roadmap; before-and-after monitoring metrics; committee minutes showing escalation; staffing approvals; vendor governance records; and examples of SAR narratives demonstrating





















