Consent Order Stresses that Only Three AML Analysts Struggled to Review 100 “Alerts” Per Day, Each – and Notes in Passing that “Outside Examiners” Blessed the Bank’s AML Program for the Same Five Years that the Bank Allegedly Maintained a Willfully Deficient Program
On December 16, 2021, the Financial Crimes Enforcement Network (“FinCEN”) entered into a Consent Order with CommunityBank of Texas, N.A. (“CBOT”), in which CBOT admitted to major shortcomings with respect to the implementation and effectiveness of its anti-money laundering (“AML”) program. The monetary penalties imposed on CBOT are substantial: FinCEN assessed an $8 million penalty, although CBOT will receive credit for a separate $1 million penalty to be paid to the Office of the Comptroller of the Currency (“OCC”).
The Consent Order, available here, offers valuable insight into FinCEN’s reasoning for its enforcement actions. According to the Consent Order, CBOT has a regional footprint and operates several branches in Texas. It serves small and medium-sized businesses and professionals. And, in the “back of the house,” CBOT established a typical AML system designed to detect and escalate alerts for suspicious activity for investigation and potential filing of Suspicious Activity Reports (“SARs”). However, FinCEN alleged that over a period of at least four years, CBOT “willfully” failed to effectively implement its AML program, leading to a failure to file SARs and otherwise detect specific suspicious activity. As detailed below, many of the alleged shortcomings of CBOT’s AML program flowed from a lack of compliance resources and personnel between 2015 and 2019: too few analysts were assigned to review and investigate potentially suspicious transactions, and as a result, downstream investigations and due diligence suffered, including an alleged failure to file at least 17 specific SARs.
Because the detailed Consent Order offers a somewhat rare opportunity to glean FinCEN’s reasoning behind its enforcement actions generally, we explore the alleged failures in some detail below. Then, we summarize key details of the Consent Order, offer key takeaways, and note several questions that the Consent Order still leaves unresolved.
Willful Failure to Implement an Effective AML Program
CBOT’s AML program appeared to suffer no fault in its design. An automated system used certain criteria to automatically generate alerts for potentially suspicious activity, which were then reviewed, along with certain supporting documentation, by an analyst. If the analyst believed the alert warranted further review, it was escalated to a committee for additional investigation and for potential SAR filing if the activity was determined to be suspicious. The whole program was under the purview of CBOT’s BSA Officer.
Here’s the rub: CBOT relied on a staff of six to eight individuals (which included the BSA Officer) to execute the AML function—only three of whom were responsible for reviewing alerts and supporting documentation to determine if further investigation was warranted. On average, the system required the review of 100 alerts per analyst, per day. FinCEN noted that such a high volume caused an inadequate review of available supporting documentation, and further exacerbated issues with Customer Due Diligence (“CDD”), transaction monitoring, and SAR filing.
Specifically, the Consent Order explained that CBOT performed its CDD obligations by gathering customer information and feeding it into its automated monitoring system. However, when that information was not available, CBOT’s AML staff was instructed to rely on information furnished by bank officers, rather than gathering that information directly from customers themselves. Additionally, although the system could generate reports identifying potentially high-risk customers, CBOT’s AML staff reportedly declined to do so in the ordinary course of business.
The Consent Order also detailed how CBOT’s BSA Officer altered the automated system to apply certain exemptions to certain “well-known” customers in order to reduce the number of alerts analysts needed to review. The problem, according to the Consent Order, was that some of those well-known customers were later convicted of financial crimes, and some of their suspicious account activity escaped review due to the exceptions. Even when alerts were elevated and suspicious activity was reported, subsequent alerts on the suspicious accounts would be closed with an explanation that “[a] SAR was previously filed and is not due for review at this time.”
Alleged Failures to File Specific SARs
The Consent Order alleged that the foregoing deficiencies caused CBOT to fail to file specific SARs. It is worth pausing here to consider how FinCEN identified SARs that should have been, but were not, filed by CBOT. FinCEN alleged CBOT “willfully failed to file at least 17 SARs.” As it turns out, this is the number of SARs that CBOT back-filed after it conducted a lookback caused by FinCEN’s investigation. FinCEN also provided three instances of transactions that exemplified how CBOT failed to file a SAR. As described below, each of those instances involved a customer that was later convicted of financial crimes (FinCEN’s press release thanks not only the OCC, but also IRS-Criminal Investigation, the Department of Homeland Security, and the FBI, indicating that the criminal investigations and prosecutions of these customers were key factors).
Customer A: Customer A held accounts at CBOT for their used car dealership business and finance company. CBOT designated Customer A as “high risk,” and CBOT’s monitoring system alerted repeatedly on hundreds of transactions that indicated structuring or money laundering. Only some of the alerts were flagged by staff as suspicious, and some investigations were closed not after customer outreach, but after receiving implausible explanations for the transactions from the CBOT relationship manager and credit officers that worked with Customer A. CBOT filed one SAR related to Customer A, who pleaded guilty to structuring, tax evasion, and money laundering charges arising from their operation of an illegal sports gambling operation.
Customer B: Customer B was permitted to open CBOT accounts despite a tax-related conviction and connection to a multibillion dollar sports gambling ring. FinCEN alleged that CBOT failed to conduct adequate CDD into Customer B’s gambling business, and indeed opened an account for Customer B for their social club, which was a gambling establishment. Thereafter, transactions with Customer B’s accounts began setting off automated alerts. According to the Consent Order, CBOT did not file SARs on most of this suspicious activity; when it did, the SARs failed to properly identify Customer B as the subject of the reports and inaccurately reported CBOT’s knowledge of Customer B’s business. After Customer B’s arrest for operating an illegal gambling ring, CBOT filed a SAR reporting over $30 million in suspicious activity through Customer B’s accounts.
Customer C: CBOT onboarded Customer C but failed to collect adequate CDD information about Customer C’s business. Customer C’s accounts then exhibited a number of red flags for suspicious activity, including a lack of expected business activity, frequent check deposits, and the frequent assessment of fees for insufficient funds. CBOT also reportedly became aware that law enforcement was investigating Customer C and their family. Even after elevating Customer C to a high-risk profile, CBOT allegedly failed to conduct appropriate enhanced due diligence. CBOT eventually filed SARs on Customer C, but FinCEN observed that the reports did not adequately describe the suspicious activity. Customer C was indicted for running a chemical trafficking organization; thereafter, CBOT filed a more complete SAR describing the suspicious activity.
One clear message from the face of the Consent Order is that a financial institution’s AML system is only as good as the resources dedicated to it. FinCEN expects more than a well-designed AML system; financial institutions would be wise to dedicate enough staff to prevent the volume-driven woes suffered by CBOT. What is “enough” will surely depend on the size and type of the institution and the market it serves—indeed, FinCEN credited CBOT for taking self-remedial measures upon learning of the investigation by increasing AML staff levels and hiring appropriately-experienced managers.
That said, FinCEN’s language in the Consent Order suggests that an understaffed AML program was but one ingredient in a recipe for disaster, as staffing issues “exacerbated the other failures.” The Consent Order finds that the violations were not the result of “pervasive wrongdoing with the organization,” and principally lays blame “within [CBOT’s] AML office, which failed to fully respond to the risk inherent in the Bank’s customer base.” For instance, when responding to the high volume of automated alerts, CBOT’s BSA Officer found ways to suppress those alerts, thereby reducing the volume of alerts but not actually reducing the risk. Likewise, CBOT’s policy of designating certain customers as “high-risk” made sense, but such designations meant little without some sort of follow-up due diligence. One could read the Consent Order as a broader indictment that CBOT’s AML program did not operate in the spirit of the risk-based approach required by the BSA. In fact, the key to this Consent Order and the heavy fines associated likely lies in the fact that three CBOT customers were actually arrested or indicted for financial crimes. CBOT’s lapse in filing SARs for those customers counteracts the very core of the global AML/BSA regime: financial institutions are in a position to provide critical data to government agencies and law enforcement in order for those entities to follow the money and investigate criminal wrongdoing.
We also observe, with some unease, the disjunction between the Consent Order’s allegations that CBOT “willfully failed to implement an AML program that adequately met [its] BSA requirements” and the fact that CBOT reportedly “received satisfactory or strong BSA/AML examination findings from outside examiners through 2019.” Those strong marks are cold comfort against the $8 million penalty. Moreover, the fact that the “outside examiners” (presumably the OCC, which is CBOT’s primary banking regulator) provided satisfactory or strong examination findings presumably lulled at least some portion of CBOT’s leadership into believing for years that its AML function was operating effectively and did not require correction or personnel changes – and there is no suggestion that CBOT misled or misdirected its examiners. As we have recently covered, bank examiners should be looking to ensure that a financial institution’s system for monitoring for suspicious activity is commensurate with the bank’s risk profile, so it is still not clear why CBOT received satisfactory or strong ratings in the time period when they were apparently “willfully” deficient.
Finally, the Consent Order does not explain precisely how it calculated the $8 million penalty, although the Consent Order briefly analyzes the various factors relevant to evaluating an enforcement disposition which FinCEN lists in its August 18, 2020 Statement on Enforcement of the BSA. As the Consent Order notes, civil penalties for BSA violations can add up very quickly: FinCEN may impose a penalty of $25,000 per day for willful violations of the requirement to implement and maintain an effective AML program occurring on or before November 2, 2015, and up to $59,017 per day for such violations occurring after that date; FinCEN also may assess a penalty ranging from $59,017 to $236,071 for each willful violation of the SAR reporting requirement occurring after November 2, 2015. Regardless of the precise math, the alleged five-year span of willful misconduct could have, in theory, supported a penalty approximating nine figures. So how did FinCEN arrive at a penalty of “only” $8 million? It is impossible to know for sure, but in language which larger banks will find disturbing, FinCEN explained in part that although CBOT’s BSA failures inflicted “real harm” to law enforcement interests, CBOT is a “mid-size community bank” and the detrimental impact of its violations “appears to have been localized and modest given the Bank’s relative size as compared to the rest of the industry.” Perhaps the most important factor in the penalty calculation, however, may be the awkward fact that “outside examiners” blessed the operation of CBOT’s AML compliance program during the same years at issue in an enforcement action brought in part by the same outside agency.