In the ongoing saga of the Financial Crimes Enforcement Network’s (FinCEN) pursuit of terrorists and various illicit activities, the Bank Secrecy Act (BSA) is the foundational framework that provides the examination and enforcement authorities. Recently, a Chief Operational Risk Officer got caught up in the net of financial institution officials who allow violations of the BSA.[1]
I believe this is the second time that the Financial Crimes
Enforcement Network has assessed a civil monetary penalty (“CMP”) against an
individual for Bank Secrecy Act violations based on alleged shortcomings of the
Anti-Money Laundering (“AML”) Program that the individual was responsible for
overseeing.
Let’s be clear about the implications of this enforcement action: all
industry participants should take note that AML enforcement reaches to individuals
who are responsible for AML compliance, that is, they may be held personally
liable if the AML Program is legally insufficient.
FinCEN has the authority to investigate and impose civil money
penalties on financial institutions that willfully violate the BSA, and on
current and former employees who willfully participate in such violations.[2]
Here’s what happened. A CMP
assessment (“CMP Assessment”) was brought against the former Chief Operational
Risk Officer of U.S. Bank National Association (“U.S. Bank” or “Bank”) on the
basis of alleged actions involving the Bank’s AML compliance program that had
previously been addressed by regulators.
As set forth in the CMP Assessment, the most prominent alleged
shortcoming of the Bank’s AML compliance program, until 2015, included systems
and processes that capped the number of alerts regarding suspicious
transactions that were generated. This “alert capping” resulted in many
potentially suspicious transactions not being further investigated or reported
through SARs. Additionally, regulators determined that certain money transfers
processed as an agent of a licensed money transmitter at the Bank were (A) not
included in the monitoring system, (B) used deficient procedures for
identifying and addressing high-risk customers, and (C) had an insufficient
number of AML compliance personnel assigned to AML Program implementation.
FinCEN’s decision to pursue the individual
allegedly responsible for these shortcomings after they have already been
enforced against the Bank is sort of reminiscent of FinCEN’s decision to assess
a CMP of $1 million against the former Chief Compliance Officer of MoneyGram
International, a major international money transmitter, in 2014.[3]
That matter was, ultimately, settled in 2017, and the former compliance officer
agreed to a $250,000 penalty. The facts and circumstances do not line up tightly
with the U.S. Bank situation, and the specific allegations of misconduct
against the money transmitter were different from the allegations against the money
transmitter’s compliance officer; however, this sentence stands out in the
MoneyGram litigation:
“… despite being presented with
various ways to address clearly illicit use of the financial institution, the
individual failed to take required actions designed to guard the very system he
was charged with protecting, undermining the purposes of the BSA.”
Line that up with the current case, where FinCEN alleges that the
Bank’s Chief Operational Risk Officer
“… shares responsibility for the
Bank’s violations of the requirements to implement and maintain an effective
AML program and file SARs in a timely manner,” and that he “failed to take
sufficient action when presented with significant AML program deficiencies.”
The Chief Operational Risk Officer was hit with a $450,000 penalty
for violations of the BSA and its implementing regulations. Indeed, he was
required to affirm that he did not handle a compliance management function from
June 2014, when he left the Bank, to February 26, 2020.
Relevant to this matter is that in February 2018, FinCEN assessed
a civil money penalty on U.S. Bank for, among other things, willfully violating
the BSA requirements to implement and maintain an effective AML program and to
file SARs in a timely manner.[4] Stated
differently, in February 2018, FinCEN, the Office of the Comptroller of the
Currency (“OCC”), and the U.S. Department of Justice, issued a CMP of $185
million against the Bank for, among other things, failing to comply with its
obligations to implement and maintain an effective AML compliance program, and
to detect and report certain suspicious activity by filing Suspicious Activity
Reports.
What is obvious is that FinCen can hold an individual personally
liable if he or she is responsible for the implementation of an AML Program
that is legally defective!
Let that sink in!
In this case, according to FinCEN, the Chief Operational Risk
Officer held multiple senior positions within the Bank’s AML compliance
department, and he was at times responsible for overseeing the Bank’s AML compliance
program. Consequently, FinCEN asserted that he shared responsibility for the
Bank’s failures to establish and implement an adequate AML compliance program
and to timely file the SARs.
The CMP Assessment claims that the Bank knowingly drafted AML
policies and procedures that prevented the identification and reporting of
certain suspicious activity. Significantly, the Bank’s automated transaction
monitoring system allegedly “capped” the number of alerts generated for review.
What’s more, according to the CMS Assessment, the Bank purportedly set limits
on two rules that were run against transaction data to identify “indicia of
potentially suspicious activity.” FinCEN alleged that these practices
suppressed an “alarming” number of SAR alerts that would have been captured by
a risk-based AML compliance program. Thus, according to FinCEN’s
characterization based on a look-back review, thousands of SARs were not timely
filed as a result, and some may have involved transactions that laundered
money.
FinCEN also alleged that the Bank had inadequate compliance
personnel, such that even a limited number of alerts could not be properly
reviewed. According to the CMP Assessment, even when the Bank had over $340
billion in assets, it employed only about 30 AML investigators. FinCEN stated
that this violated the BSA requirement to provide a compliance officer with the
resources necessary to fulfill his or her responsibilities.
So, what was the basis for individual liability?
FinCEN alleged that the Chief Operational Risk Officer was
individually responsible for these failures during his tenure with the Bank (which
began in 2005 and ended in 2014). FinCEN’s pursuit of individual liability seems
to be predicated on FinCEN’s belief that the Chief Operational Risk Officer was
on notice of the alleged shortcomings of the Bank’s compliance program and
failed to act appropriately to address them.
In particular, the CMP Assessment notes that there was precedent
for FinCEN’s regulatory action for AML compliance program violations, including
concerns about “capping alerts.” According to FinCEN, the regulatory action
taken against Wachovia Bank (“Wachovia”) in February 2010 should have been
recognized as applicable to the U.S. Bank, since the conduct was similar to
that of U.S. Bank. By the way, about that regulatory action? It was taken
against Wachovia Bank, the predecessor bank, in February 2010, and FinCEN claimed
that the previous action should have been recognized as applicable to U.S. Bank’s
situation.
In addition, the CMP Assessment states that officials at U.S. Bank
were warned by the OCC that the alert caps could result in an enforcement
action for U.S. Bank, and that FinCEN had previously taken action against other
banks for the same activity.
Wachovia had been improperly capping the number of alerts
generated by its automated transaction monitoring system based on the number of
compliance personnel that it had available to review transactions. Wachovia’s
“monitoring system was routinely tuned so that the number of alerts generated
by the system with respect to international correspondent banks remained
constant at around 300 each month,” without any “analysis to determine whether
[this] number of monthly alerts was appropriate to actual risk and the number
and nature of transactions facilitated.” FinCEN also faulted Wachovia for
“fail[ing] to adequately staff the BSA compliance function,” and employing “as
few as three individuals” to monitor all of Wachovia’s “correspondent
relationships with foreign financial institutions.”
You might take the position that the Chief Operational Risk
Officer saw Wachovia’s situation as constructively more different from U.S.
Bank’s own situation, and, to that end, FinCEN appears to have found that certain
subordinates in his group actually did discount the applicability of the
Wachovia regulatory action to U.S. Bank. Nevertheless, FinCEN’s view was
that he should have known, based on his position, that there was clear relevance
of the Wachovia action to U.S. Bank’s practices or, based on that observation, he
should have conducted further diligence to make an appropriate determination.
In the case of U.S. Bank, the Chief Operational Risk Officer was,
according to FinCEN, “advised” by two separate AML officers that the AML
transaction monitoring tools were problematic. For example, in 2009, the CMP
Assessment details an instance in which an AML officer sent the Chief
Operational Risk Officer a memo indicating that an insufficient number of
alerts were being investigated. The CMP Assessment also recounts an instance in
2010 in which an AML officer again allegedly warned that “despite increases in
SAR volumes, law enforcement inquiries, and closure recommendations, staffing
had remained ‘relatively constant’ and ‘dangerously thin.’” According to
FinCEN, even though the Chief Operational Risk Officer “did take certain steps
to upgrade the AML Program, including advocating for and receiving funding for
the replacement of the system in its entirety, his actions were inadequate to
correct the deficiencies.”
FinCen asserted that employees understood through internal testing
and other means that the inadequate AML policies caused the Bank to fail to
identify and report large numbers of suspicious transactions. Subsequent
analysis of the Bank’s transactions revealed that it failed to timely file
thousands of SARs, including on transactions that potentially laundered the
proceeds from crimes.
Although FinCEN determined that the Chief Operational Risk Officer
did try to address the deficiencies, it found that his efforts were not enough:
he “failed to take sufficient action when presented with significant AML
program deficiencies in the Bank’s SAR-monitoring system and the number of
staff to fulfill the AML compliance role.” In mid-2012, U.S. Bank hired a new Chief
Compliance Officer (“CCO”) and a new AML Officer (AMLO”), both of whom had
significant AML experience and had been recruited by the Chief Operational Risk
Officer.
The CMP Assessment also states that, by the end of 2012, the new
AMLO identified the practice of capping alerts as a “serious risk” (in the
words of the CMP Assessment), and the new CCO also raised the issue.
Furthermore, according to FinCEN, around November 2013, the new AMLO and CCO
prepared a PowerPoint presentation on the AML program, which identified the
capping of alerts. FinCEN stated that the issue of alert caps was first on a
list of an “Overview of Significant AML Issues,” because, “from their
perspective, it was the most pressing of the Bank’s AML issues.” According to
FinCEN, the Chief Operational Risk Officer reviewed the presentation “yet
failed to raise the issue of the alert caps with the CEO during the meeting,
choosing instead to prioritize other compliance-related issues.”
Furthermore, in or about November 2013, a meeting was scheduled at
the request of the Bank’s CEO, so that the Chief Operational Risk Officer, AMLO
and CCO could update the Chief Executive Officer on the Bank’s AML program.
According to FinCEN, the following took place:
“In advance of that meeting, the
AMLO and CCO prepared a PowerPoint presentation that began with an ‘Overview of
Significant AML Issues,’ the first of which was ‘Alert volumes capped for both
[Security Blanket, an alert system] and [Q]uery detection methods.’ The AMLO
and CCO put the alert caps issue first because, from their perspective, it was
the most pressing of the Bank’s AML issues. The PowerPoint identified the alert
caps as a ‘[c]overage gap’ that ‘could potentially result in missed Suspicious
Activity Reports.’ It also said that the ‘[s]ystem configuration and use could
be deemed a program weakness, with potential formal actions including fines,
orders, and historical review of transactions.’ Prior to the meeting with the
CEO, the [Chief Operational Risk Officer] reviewed the PowerPoint, yet failed
to raise the issue of the alert caps with the CEO during the meeting, choosing
instead to prioritize other compliance-related issues.”
FinCEN alleged that in May 2014, the AMLO bypassed the Chief
Operational Risk Officer and emailed the Bank’s then-Chief Risk Officer,
outlining steps the AMLO believed were necessary to correct the alert capping
issue, but the Bank still did not begin addressing the issues until June 2014
“when questions from the OCC and reports from an internal complainant caused
the Bank’s Chief Risk Officer to retain outside counsel to investigate the
Bank’s practices.” At that point, FinCEN alleges, the Bank had maintained
inappropriate alert caps for “no less than five years.”
According to FinCEN, the communications and warnings to the Chief
Operational Risk Officer were sufficient for him to be responsible – and, thus,
personally liable – for the Bank’s AML compliance program’s shortcomings. The
CMP Assessment states that the civil monetary penalty was appropriate “for his
role in the violations of the BSA and its implementing regulations.”
Under the BSA, a civil money penalty of $25,000 may be imposed for
each willful violation of the AML program requirement occurring on or before
November 2, 2015.[5]
The BSA provides that a “separate violation” of the AML program requirement
occurs “for each day that the violation continues.”[6] Violations
of AML program requirements include the lack of one or more AML program
“pillars.” There are four “pillars”: (1) internal controls (i.e., Anti-Money
Laundering Program); (2) designation of one or more individuals to assure
day-to-day compliance with the BSA/AML; (3) independent testing; and (4) training.
Furthermore, a penalty not to exceed the greater of the amount
involved in the transaction (but capped at $100,000) or $25,000 may be imposed
for each willful violation of the SAR-filing requirement occurring on or before
November 2, 2015.[7]
In my view, FinCEN’s actions should put on notice all AML
compliance program personnel and certainly the most responsible individuals
charged with its implementation that there can be personal consequences for
alleged systemic shortcomings of AML compliance programs.
[1] In the
Matter of Michael LaFontaine, Number 2020-01, Department of the Treasury, Financial Crimes Enforcement Network
[2] 31 C.F.R. §
1010.810(a); Treasury Order 180-01 (July 1, 2014); 31 U.S.C. § 5321(a)
[3] In the
Matter of Thomas E. Haider, Number 2014-08, Department of the Treasury,
Financial Crimes Enforcement Network
[4] See In re
U.S. Bank, N.A., FinCEN Assessment No. 2018-01. In February 2018, FinCEN and US
Bank entered into a settlement agreement that resolved the claims asserted by
FinCEN in the assessment. See Treasury v. U.S. Bank, N.A., No. 18 Civ. 1358
(RWS), Dkt. No. 4 (S.D.N.Y. Feb. 15, 2018).
[5] 31 U.S.C. §
5321(a)(1). Violations of the AML program requirement all occurred before
November 2, 2015.
[6] 31 U.S.C. §
5321(a)(1)
[7] 31 U.S.C. §
5321(a)(1); 31 C.F.R. § 1010.820(f). Violations of the SAR-filing requirement
all occurred before November 2, 2015.
