Second Part in a Two-Part Series
The Tale of an AML BSA Exam Gone Wrong
As we have blogged, the Ninth Circuit Court of Appeals recently upheld the decision of the Board of Directors of the Federal Deposit Insurance Corporation (“FDIC”) to issue a cease and desist order against California Pacific Bank (the “Bank”) for the Bank’s alleged failure to comply with Bank Secrecy Act (“BSA”) regulations or have a sufficient plan and program in place to do so.
In our first post, we described how the Ninth Circuit rejected the Bank’s constitutional challenge to the relevant regulation, and accorded broad deference to the FDIC in its interpretations of its own regulations, expressed in the form of the Federal Financial Institutions Examination Council Manual (“FFIEC Manual”). This post discusses the Court’s review of the Bank’s challenge under the Administrative Procedure Act to the FDIC’s factual findings of AML program failings.
The California Pacific opinion provides a significant piece of guidance for banks questioning the adequacy of their BSA compliance programs: consult and abide by the FFIEC Manual. Furthermore, it demonstrates that no shortcuts are permitted when it comes to establishing and maintaining a BSA compliance program. The BSA and the FDIC’s regulations contain firm guidelines, and the FFIEC Manual puts banks of all sizes on notice of what compliance is expected of them. The independence of both the AML compliance officer and of testing; adequate risk assessments of customer accounts; and the correction of prior regulator findings of AML deficiencies are key.
Pillar One – Provide for a system of internal controls to assure ongoing compliance
Pillar One of an AML compliance program, according to the FFIEC Manual, requires regulated entities to develop internal controls meant to identify regulatory vulnerabilities that are “commensurate with the size, structure, risks, and complexity of the bank.” The Manual further states that regulated entities should continuously monitor their risk profile. In practice, this requirement entails conducting and documenting customer due diligence aimed at identifying high risk customers, conducting site visits, and sufficiently monitoring accounts for suspicious activity. FDIC found the Bank’s internal controls lacking for various reasons.
First, it found that the Bank’s ongoing depositor monitoring was insufficient. During the 2010 Examination, the FDIC determined that the Bank needed to monitor certain customers’ activity over at least three months to determine a pattern of activity. The Bank did not do this, relying instead on daily monitoring, which failed to take into account the customers’ identified risk profile. Second, the Bank failed to adequately risk-rate its depositors’ accounts. Having been put on notice by the 2010 Examination of the need to evaluate new customers for risk, the Bank instead developed a new customer risk-rating system that automatically downgraded a customer’s risk profile if the new customer account was related to a loan or existing deposit account. This process failed to take into account specific risk indicators. Third, the Bank failed to conduct, with one exception, any site visits. Importantly, each of these deficient features was recognized in the 2010 ROE as conditions that needed to be corrected. As the Court explained, “[t]he Bank’s failure to correct problems with its internal controls that were previously brought to its attention in the 2010 ROE, on its own, required the FDIC to issue a cease and desist order against the Bank.”
Pillar Two – Provide for independent testing for compliance to be conducted by bank personnel or by an outside party
According to the FFIEC Manual, Pillar Two requires that regulated entities conduct “independent testing” that, at the least, would allow a reviewer “to reach a conclusion about the overall quality of the BSA/AML compliance program.” The FFIEC Manual further provides that an auditor “must not be involved in any part of the bank’s BSA/AML compliance program.”
The Bank’s “independent testing” consisted of a 2012 quarterly report prepared by its allegedly independent auditor. Not only did the report fail to satisfy Pillar Two because it was prepared by an individual who also served as a consultant to the Bank and who had written and updated the Bank’s BSA Policy Manual, it was substantively deficient in several ways, including: being limited to the first two quarters of 2012, failing to identify numerous deficiencies identified by FDIC examiners, failing to assess the adequacy of the Bank’s customer monitoring program, and failing to assess whether employee training was adequate (it was not).
Pillar Three – Designate an individual or individuals responsible for coordinating and monitoring day-to-day compliance
Concerning compliance officers, the FFIEC Manual explains that
The BSA compliance officer should be fully knowledgeable of the BSA and all related regulations. The BSA compliance officer should also understand the bank’s products, services, customers, entities, and geographic locations, and the potential money laundering and terrorist financing risks associated with those activities. The appointment of a BSA compliance officer is not sufficient to meet the regulatory requirement if that person does not have the expertise, authority, or time to satisfactorily complete the job.
Following the 2010 examination, the Bank hired the son of its CEO as the BSA compliance officer, without interviewing any other candidates, without interviewing him, and without seeking approval of the Bank’s Board of Directors. His relevant background and experience consisted of attending an Independent Community Bankers of America course and a webinar and “on-the-job” training. He also served as the Bank’s Senior Vice President, Senior Credit Officer, Chief Financial Officer, Internal Auditor, and Operations Compliance Officer. Not only did the Court agree that the BSA compliance officer lacked the training and experience necessary for the role, it also highlighted the conflicts of interest to which his multiple roles would give rise.
Pillar Four – Provide training for appropriate personnel
The FFIEC Manual explains that training “should include regulatory requirements and the bank’s internal BSA/AML policies, procedures and processes” and “should be tailored to the person’s specific responsibilities.” The Bank failed to meet these requirements because its internal training consisted of presentations that offered only “rudimentary” BSA training and failed entirely to tailor trainings and materials to specific roles. Moreover, the BSA compliance officer’s lack of experience rendered him unqualified to oversee employee training.
Failure to File a SAR
Finally, the Ninth Circuit also affirmed the FDIC’s conclusion that the Bank had failed to file a SAR when one was required. During 2011 and 2012, the Bank had received grand jury subpoenas seeking documents and information concerning certain customers, some of whom were later indicted for espionage and misappropriation of trade secrets. Despite uncovering suspicious account activity, the Bank declined to file a SAR, believing that doing so would violate a letter request by the Department of Justice not to reveal the receipt of a grand jury subpoena. The Court explained that this was in error because nothing pertaining to reporting the suspicious activity itself would have revealed the existence of a grand jury investigation. Moreover, although the fact of a government subpoena does not necessarily require the filing of a SAR, it does trigger an obligation to examine the subject customers’ activity and, if suspicious activity is uncovered, to file a SAR. Indeed, the FFIEC Manual and the Bank’s own policies contemplated that government investigations and subpoenas often will prompt SAR filings.