In the ongoing saga of the Financial Crimes Enforcement Network’s (FinCEN) pursuit of terrorists and various illicit activities, the Bank Secrecy Act (BSA) is the foundational framework that provides the examination and enforcement authorities. Recently, a Chief Operational Risk Officer got caught up in the net of financial institution officials who allow violations of the BSA.
I believe this is the second time that the Financial Crimes Enforcement Network has assessed a civil monetary penalty (“CMP”) against an individual for Bank Secrecy Act violations based on alleged shortcomings of the Anti-Money Laundering (“AML”) Program that the individual was responsible for overseeing.
Let’s be clear about the implications of this enforcement action: all industry participants should take note that AML enforcement reaches to individuals who are responsible for AML compliance, that is, they may be held personally liable if the AML Program is legally insufficient.
FinCEN has the authority to investigate and impose civil money penalties on financial institutions that willfully violate the BSA, and on current and former employees who willfully participate in such violations.
Here’s what happened. A CMP assessment (“CMP Assessment”) was brought against the former Chief Operational Risk Officer of U.S. Bank National Association (“U.S. Bank” or “Bank”) on the basis of alleged actions involving the Bank’s AML compliance program that had previously been addressed by regulators.
As set forth in the CMP Assessment, the most prominent alleged shortcoming of the Bank’s AML compliance program, until 2015, included systems and processes that capped the number of alerts regarding suspicious transactions that were generated. This “alert capping” resulted in many potentially suspicious transactions not being further investigated or reported through SARs. Additionally, regulators determined that certain money transfers processed as an agent of a licensed money transmitter at the Bank were (A) not included in the monitoring system, (B) used deficient procedures for identifying and addressing high-risk customers, and (C) had an insufficient number of AML compliance personnel assigned to AML Program implementation.
FinCEN’s decision to pursue the individual allegedly responsible for these shortcomings after they have already been enforced against the Bank is sort of reminiscent of FinCEN’s decision to assess a CMP of $1 million against the former Chief Compliance Officer of MoneyGram International, a major international money transmitter, in 2014. That matter was, ultimately, settled in 2017, and the former compliance officer agreed to a $250,000 penalty. The facts and circumstances do not line up tightly with the U.S. Bank situation, and the specific allegations of misconduct against the money transmitter were different from the allegations against the money transmitter’s compliance officer; however, this sentence stands out in the MoneyGram litigation:
“… despite being presented with various ways to address clearly illicit use of the financial institution, the individual failed to take required actions designed to guard the very system he was charged with protecting, undermining the purposes of the BSA.”
Line that up with the current case, where FinCEN alleges that the Bank’s Chief Operational Risk Officer
“… shares responsibility for the Bank’s violations of the requirements to implement and maintain an effective AML program and file SARs in a timely manner,” and that he “failed to take sufficient action when presented with significant AML program deficiencies.”
The Chief Operational Risk Officer was hit with a $450,000 penalty for violations of the BSA and its implementing regulations. Indeed, he was required to affirm that he did not handle a compliance management function from June 2014, when he left the Bank, to February 26, 2020.