In the ongoing saga of the Financial Crimes Enforcement Network’s (FinCEN) pursuit of terrorists and various illicit activities, the Bank Secrecy Act (BSA) is the foundational framework that provides the examination and enforcement authorities. Recently, a Chief Operational Risk Officer got caught up in the net of financial institution officials who allow violations of the BSA.[1]
I believe this is the second time that the Financial Crimes
Enforcement Network has assessed a civil monetary penalty (“CMP”) against an
individual for Bank Secrecy Act violations based on alleged shortcomings of the
Anti-Money Laundering (“AML”) Program that the individual was responsible for
overseeing.
Let’s be clear about the implications of this enforcement action: all
industry participants should take note that AML enforcement reaches to individuals
who are responsible for AML compliance, that is, they may be held personally
liable if the AML Program is legally insufficient.
FinCEN has the authority to investigate and impose civil money
penalties on financial institutions that willfully violate the BSA, and on
current and former employees who willfully participate in such violations.[2]
Here’s what happened. A CMP
assessment (“CMP Assessment”) was brought against the former Chief Operational
Risk Officer of U.S. Bank National Association (“U.S. Bank” or “Bank”) on the
basis of alleged actions involving the Bank’s AML compliance program that had
previously been addressed by regulators.
As set forth in the CMP Assessment, the most prominent alleged
shortcoming of the Bank’s AML compliance program, until 2015, included systems
and processes that capped the number of alerts regarding suspicious
transactions that were generated. This “alert capping” resulted in many
potentially suspicious transactions not being further investigated or reported
through SARs. Additionally, regulators determined that certain money transfers
processed as an agent of a licensed money transmitter at the Bank were (A) not
included in the monitoring system, (B) used deficient procedures for
identifying and addressing high-risk customers, and (C) had an insufficient
number of AML compliance personnel assigned to AML Program implementation.
FinCEN’s decision to pursue the individual
allegedly responsible for these shortcomings after they have already been
enforced against the Bank is sort of reminiscent of FinCEN’s decision to assess
a CMP of $1 million against the former Chief Compliance Officer of MoneyGram
International, a major international money transmitter, in 2014.[3]
That matter was, ultimately, settled in 2017, and the former compliance officer
agreed to a $250,000 penalty. The facts and circumstances do not line up tightly
with the U.S. Bank situation, and the specific allegations of misconduct
against the money transmitter were different from the allegations against the money
transmitter’s compliance officer; however, this sentence stands out in the
MoneyGram litigation:
“… despite being presented with
various ways to address clearly illicit use of the financial institution, the
individual failed to take required actions designed to guard the very system he
was charged with protecting, undermining the purposes of the BSA.”
Line that up with the current case, where FinCEN alleges that the
Bank’s Chief Operational Risk Officer
“… shares responsibility for the
Bank’s violations of the requirements to implement and maintain an effective
AML program and file SARs in a timely manner,” and that he “failed to take
sufficient action when presented with significant AML program deficiencies.”
The Chief Operational Risk Officer was hit with a $450,000 penalty
for violations of the BSA and its implementing regulations. Indeed, he was
required to affirm that he did not handle a compliance management function from
June 2014, when he left the Bank, to February 26, 2020.