Court Defers Heavily to the FDIC and the FFIEC Manual
First Part in a Two-Part Series
The Ninth Circuit Court of Appeals recently upheld the decision of the Board of Directors of the Federal Deposit Insurance Corporation (“FDIC”) to issue a cease and desist order against California Pacific Bank (the “Bank”) for the Bank’s alleged failure to comply with Bank Secrecy Act (“BSA”) regulations or have a sufficient plan and program in place to do so.
This decision, California Pacific Bank v. FDIC, provides a nearly step-by-step analysis of what is required of banks under the BSA and a vivid illustration of an Anti-Money Laundering (“AML”) program that did not pass muster in the eyes of a regulator. It highlights the general rules that banks of all sizes, but particularly smaller community banks, must keep in mind concerning their compliance programs – size does not matter and you are on notice of what compliance entails.
Importantly, and before upholding the FDIC’s factual findings regarding the Bank’s violations, the Ninth Circuit first rejected the Bank’s claim that the regulation at issue (which required the Bank to implement an AML compliance program which complied with the “four pillars” of such a program) was unconstitutionally vague. Moreover, the Ninth Circuit found that the FDIC has broad discretion when interpreting this regulation, described by the Court as “ambiguous.”
This post will summarize the case and the key role played by the Federal Financial Institutions Examination Council Manual (“FFIEC Manual”) in both the Court’s rejection of the constitutional challenge and the broad deference which the Court accorded to the FDIC and its interpretation of its own regulations. The second post will turn to the Bank’s alleged AML program failings and the Bank’s challenges to the FDIC’s many factual findings.
California Pacific Bank is a community bank with two offices in Northern California. It has less than 15 employees, approximately 200 customers and approximately 500 deposit accounts. Its customers include “a significant number of import-export customers, accounts held by non-resident aliens, and accounts with international transactions.”
In 2010, FDIC conducted a routine safety and soundness examination of the Bank. While it determined that the Bank’s BSA program was “satisfactory,” the FDIC noted several issues it determined “must be corrected.” FDIC conducted a follow-up examination in December 2012. In its report of examination (“ROE”), the FDIC concluded the Bank failed to administer a sufficient BSA compliance program under FDIC regulations and also failed to file suspicious activity reports (“SARS”) under required circumstances. After the Bank refused to sign a consent order, the FDIC sought charges before an Administrative Law Judge (“ALJ”) seeking a cease and desist order. The ALJ adopted the FDIC’s findings and issued the cease and desist order. The Bank appealed to the Ninth Circuit, which affirmed.
Before analyzing the FDIC’s factual determination that the Bank failed to establish and maintain a compliance program that satisfactorily met the “four pillars” of compliance outlined in the FDIC regulations, the Court addressed two preliminary issues concerning the constitutionality of those regulations and the conduct of the FDIC’s investigation. The banking regulation at issue, 12 C.F.R. 326.8(c), incorporates by reference BSA requirements and tracks related regulations under the BSA for banks. It provides that an AML compliance program shall, at a minimum:
(1) Provide for a system of internal controls to assure ongoing compliance;
(2) Provide for independent testing for compliance to be conducted by bank personnel or by an outside party;
(3) Designate an individual or individuals responsible for coordinating and monitoring day-to-day compliance; and
(4) Provide training for appropriate personnel.
(As an aside, this FDIC regulation now lags behind its sister regulation under the BSA, 31 C.F.R. § 1020.201, which reflects that there are now “five pillars” to any AML compliance program, which also must include risk-based procedures for Customer Due Diligence).
The Bank argued that the BSA and the implementing FDIC regulations were “void for vagueness” because the BSA itself was not precise enough to alert the Bank to its required conduct and the FDIC was not legally permitted to rely on the FFIEC Manual to clarify the regulations and analyze compliance.
The Court rejected this argument. Although it acknowledged later in the opinion that the FDIC’s “four pillars” were ambiguous, the Ninth Circuit held that the FFIEC Manual provided “clarifying guidance” that “put regulated banks on notice of expected conduct.” The Court explained that the fact that the Bank had incorporated provisions of the FFIEC Manual into its own BSA policy manual contradicted its argument, because such incorporations confirmed the fact that an AML compliance officer with the requisite specialized knowledge would understand that BSA compliance turns on FFIEC Manual compliance.
Not Too Ambiguous, But Ambiguous Enough
As noted, the Ninth Circuit described the “four pillars” regulation as “ambiguous” – although not so ambiguous that it was unconstitutionally vague. But because the regulation was ambiguous, the Ninth Circuit concluded under the Supreme Court precedent of Auer v. Robbins that the FDIC’s “interpretation of its own regulations is ‘controlling unless plainly erroneous or inconsistent with the regulation.’” Because the FDIC interpreted its own (ambiguous) regulations through the provisions of the FFIEC Manual, it therefore was permitted to rely on the FFIEC Manual, which itself would receive judicial deference under Auer. Thus, the Court continued, regulated institutions are expected to be familiar with the Manual’s requirements, which are a roadmap used by examiners and banks alike for banks’ compliance with the pillars.
The practical import of this finding in California Pacific was that, when the Court then assessed the Bank’s claim under the Administrative Procedures Act that the FDIC’s factual findings of non-compliance by the Bank were arbitrary and capricious, the Court would review very deferentially the FDIC’s interpretations of the FFIEC Manual’s requirements. The more global implications of this ruling appear to be that, although the FFIEC Manual does not have the force of law per se, it nonetheless will have tremendous practical importance whenever a bank tries to challenge in court a regulator’s use of the FFIEC Manual to justify its exam deficiency findings.
However, the heavy reliance on the FFIEC Manual by the Ninth Circuit and the FDIC to reach the outcome in California Pacific also raises an interesting question in regards to other entities regulated by the BSA which have their own, near-identical regulations requiring adherence to the four (or five) pillars of AML compliance programs, and which presumably are also “ambiguous.” Specifically, although the FFIEC Manual sets forth a road map for BSA examinations of banks, and although there is a similar examination manual for money services businesses, there is no such comprehensive AML/BSA examination manual for other regulated entities, such as casinos, mutual funds, broker-dealers, insurance companies, dealers in precious metals, operators of credit card systems, and nonbank residential mortgage lenders. What are the implications of the California Pacific opinion regarding the vagueness of the regulations regarding these other entities, and the deference that courts should accord to their regulators during enforcement?
Having found the regulations constitutional and rejected the Bank’s argument that the FDIC investigation was biased against it, the Court turned to the FDIC’s factual conclusions that the Bank had failed to satisfy the four pillars. The next post will focus on this discussion.