Recent enforcement actions demonstrate just how expensive failures with regard to Bank Secrecy Act and anti-money laundering (BSA/AML) compliance can be and how intentional conduct can enhance the severity of a penalty, with the California branch of a foreign bank required to pay upward of $368 million and a national bank facing a total of $613 million in payments, as well as changes to its policies and programs.
What happened
The upward of $368 million payment dates back to a 2012 examination conducted by the Office of the Comptroller of the Currency (OCC) of a Roseville, CA, branch of a Netherlands-based bank. The exam revealed a deficient BSA/AML compliance program that allowed hundreds of millions of dollars in untraceable cash to be deposited in other branches of the bank, the OCC said. The branch also attempted to conceal the problems with its compliance program during the exam, according to the regulator.
In December 2013, the branch entered into a consent decree with the OCC that detailed the BSA/AML deficiencies and required the bank to submit and implement a comprehensive action plan and risk assessment and to engage an independent consultant to review transaction and account activity over a three-year period.
The independent consultant uncovered 472 suspicious activity reports (SARs) that were not filed with the federal government, accounting for $233 million in previously unreported suspicious activity.
As a result, the OCC and the branch entered into a new consent order. Dating back to 2012, the bank failed to perform adequate customer due diligence and implement enhanced due diligence processes, neglected to adequately investigate questionable activity, and did not cooperate with the OCC’s 2012 exam, according to the 2018 consent order.
The bank pleaded guilty to one count of conspiracy to defraud the United States by obstructing a bank examination. The guilty plea included an admission that the bank conspired with several former executives to unlawfully impede the OCC’s ability to regulate the bank and obstructed the regulator’s examination of its operations throughout California, including its Calexico and Tecate branches.
Further, the bank admitted that its deficient AML program allowed the cash—sourced from Mexico and other foreign countries—to be deposited into its rural bank branches and then transferred via checks, wire transfers and cash transactions.
The branch “created and implemented a number of policies and procedures that prevented adequate investigations into suspicious customer activity,” according to the plea agreement; for example, it created a “Verified List” of customers whose transactions did not need further review, even if there had been a change in activity since the time a customer was last verified. BSA/AML staff members were instructed to “aggressively increase” the number of accounts on the Verified List, resulting in a jump from fewer than 10 customers on the list in 2009 to more than 1,000 customers in 2012.
The bank failed to monitor and conduct adequate investigations into transactions involving accounts on the Verified List and neglected to provide proper notification to the Financial Crimes Enforcement Network (FinCEN), as mandated by the BSA. With knowledge of these failures, the bank executives attempted to hide and minimize the deficiencies of the BSA/AML program from regulators during the 2012 exam, according to the plea agreement.
Pursuant to the 2018 consent order, the bank must pay a total of almost $369 million in forfeiture and fines, including a $50 million civil money penalty to the OCC, which terminated the 2013 consent order.
In a second multimillion-dollar penalty for BSA/AML violations, a Minneapolis-based bank will pay a total of $613 million pursuant to agreements with the Department of Justice (DOJ), the OCC, FinCEN and the Board of Governors of the Federal Reserve System.
According to the regulators, the bank willfully failed to establish, implement and maintain an adequate AML program from 2009 until 2014. The bank not only capped the number of alerts generated by its transaction monitoring systems, basing the number on staffing level and resources instead of a transaction’s level of risk, but also concealed this system from the OCC.
The bank was aware that this practice resulted in missing “substantial” numbers of suspicious transactions, the regulators said, referencing bank documentation of the issue and testing that found SARs should have been filed on more than 25 percent (and as many as 80 percent) of tested transactions. In lieu of changing its practices, the bank stopped conducting such tests.
Other problems arose with the bank’s failure to monitor money transfer transactions that took place at bank branches involving non-customers. The bank processed the transactions despite the fact that they were not subject to the bank’s transaction monitoring systems, even when flagged by bank employees with AML concerns. Not until July 2014 did the bank implement a new policy prohibiting money transfer transactions by non-customers.
A review of the bank’s deficient monitoring practices found the need for an additional 24,179 alerts and filing of 2,121 SARs over just a six-month period.
The DOJ also highlighted willful failures with respect to Scott Tucker, a longtime customer about whom the bank had been notified that he had been using the bank to launder proceeds from an illegal and fraudulent payday lending scheme. Tucker’s companies extended approximately 5 million loans to consumers across the country, generating more than $2 billion in revenues and hundreds of millions in profits over a four-year period, the DOJ said.
During this time, bank employees turned a blind eye to “numerous” red flags, the DOJ said, such as Tucker spending tens of millions of dollars from accounts in company names on personal items, such as a vacation home in Aspen and his professional Ferrari racing team. Even when the bank eventually closed Tucker’s business accounts (after receiving subpoenas from regulators), it failed to file a SAR and left some of his personal accounts open.
To settle the charges, the bank reached a deal with the various regulators. The bank—which acknowledged that it had filed more than 5,000 currency transaction reports with incomplete and inaccurate information—must continue with reforms of its BSA/AML compliance program, according to the stipulation and settlement with the DOJ.
Assuming continued compliance, the DOJ agreed to defer prosecution for two years and then dismiss the charges. The bank will pay a $528 million penalty, with $453 million going to the DOJ in a civil forfeiture action, and the remainder satisfied by payment of a $75 million civil money penalty to the OCC. An additional $70 million is slated for FinCEN.
In an order to cease and desist with the Federal Reserve Board, the bank agreed to strengthen firmwide risk management and compliance programs for preventing violations of BSA/AML requirements, as well as to put in place procedures to ensure it provides adequate and complete responses to examiner inquiries. The bank will also pay a $15 million penalty.
To view the plea agreement, click here.
To read the OCC 2018 consent order, click here.
To read the DOJ stipulation and settlement, click here.
To read the Federal Reserve Board order to cease and desist, click here.
Why it matters
In a statement, the DOJ said the stipulation and settlement should serve as a cautionary tale for other financial institutions. “The integrity of our financial system depends on prompt reporting by banks and other financial institutions of suspicious, potentially criminal transactions, and on these entities’ truthfulness and transparency with their regulators,” Acting Assistant Attorney General John P. Cronan said in a statement. “[The bank’s] guilty plea today and forfeiture of more than $360 million is a warning to financial institutions that there are significant consequences for banks that engage in obstructive conduct in an effort to hide their anti-money laundering program failures from their regulators.” The second action reiterates the importance of BSA/AML programs and the cost—in that case, north of $600 million—associated with failures.