On September 29, the Financial Crimes Enforcement Network (“FinCEN”) entered into a consent order with Shinhan Bank America (“SHBA”), which imposed a $15 million civil penalty against SHBA for allegedly willfully failing to implement and maintain an AML program that meets the minimum requirements of the Bank Secrecy Act (“BSA”), and for allegedly willfully failing to accurately and timely report suspicious transactions to FinCEN.
In its press release, FinCEN noted that, as a result of SHBA’s inactions, “tens of millions of dollars in suspicious transactions were not reported to FinCEN in a timely manner, including transactions connected to tax evasion, public corruption, money laundering, and other financial crimes.”
Working in collaboration with FinCEN, the FDIC also separately issued a civil penalty against SHBA in the amount of $5 million – which FinCEN will credit toward its own fine, leaving an amount owed of $10 million – and the NYDFS also issued a stand-alone civil penalty in the amount of $10 million.
As we will discuss, this enforcement action involves several typical allegations by the government, including an alleged failure to file required SARs, prior regulatory problems, and insufficient AML compliance staffing and funding.
Failure to Implement an Adequate AML Program
Within the Consent Order, FinCEN details numerous alleged failures involving SHBA’s AML program. Regarding customer due diligence, as required by 31 C.F.R. § 1020.210(a)(2)(v), FinCEN found that SHBA failed to consistently validate and transfer information collected from its customers into its transaction monitoring system (“TM system”). Instead of checking transaction activity against customer-provided information, SHBA tied its TM baselines solely to 90 days of the customer’s actual activity, thereby “impairing management’s ability to determine whether the actual amount of activity was unusual for a customer or not.” Further, FinCEN found that SHBA consistently failed to implement a customer risk rating (“CRR”) that was comprehensive and risk-based, claiming that SHBA’s CRR failed to adequately consider either the entire customer relationship or cash-intensive individuals with a high volume of domestic and international wire activity.
Additionally, SHBA’s TM system did not sufficiently flag unusual activities – such as transactions passing through a large number of jurisdictions – and did not aggregate transaction types or cluster accounts belonging to the same customer relationship. FinCEN asserted that these gaps in the TM system “meant that a large cash or check deposit into an account could immediately be wired out of the account without generating a suspicious activity alert . . . because the TM system neither aggregated the volume of the deposit and withdrawal nor accounted for the rapid succession of transactions in evaluating whether the activity was unusual.”
FinCEN also highlighted issues with SHBA’s corporate governance and change management. Pointing to certain portions of SHBA’s Board meeting minutes, FinCEN found “a lack of urgency and adequate planning to address . . . extensive and recurring AML program failures.” In particular, FinCEN highlighted the intended 2019 rollout of a new TM system, which was ultimately delayed until 2020. Pointing to a lack of strategic planning and insufficient control mechanisms to guide the new system’s implementation, FinCEN noted that the new TM system failed to identify 468 alerts that led to SAR filings under SHBA’s old TM system.
Finally, on top of training gaps, FinCEN found that a failure to hire enough analysts resulted in an excessive turnover rate, which contributed to “disorganization and interruptions.”
Failure to File Suspicious Activity Reports
FinCEN’s findings state that SHBA failed to develop proper formalized procedures for suspicious activity reports (“SARs”) and did not implement an effective process for detecting and reporting suspicious activity in a timely manner. Instead of the 30-calendar day reporting period required under the BSA (see 31 C.F.R. § 1020.320(b)(3)) for the filing of a SAR, FinCEN’s investigation revealed that SHBA filed several hundred SARs an average of approximately 119 days late, covering activity totaling tens of millions of dollars.
Further still, FinCEN found that the analysts SHBA employed to investigate alerts generated by SHBA’s TM system “lacked the training and experience needed to reach well-supported alert dispositions.” Alarmingly, FinCEN noted that sometimes the justification from analysts for clearing an alert, as opposed to escalating it, “relied on whether [SHBA] previously filed a SAR or a currency transaction report, rather than on an analysis of the actual account activity and a determination of its reasonableness.” A sampling of customer transactions by FinCEN found failures to file a SAR on transactions that had no apparent lawful purpose or were otherwise transactions in which the customer would normally not be expected to engage, such as large deposits from individuals who purported to be unemployed.
We provide an example of FinCEN’s identification of a failure to file a SAR. Arguably, the following alleged failure to file a SAR assumes a very high degree of knowledge regarding the customer’s finances, because it revolves around an alleged effort to hide personal assets. Customers can try to hide assets from current or former spouses, the IRS, or other creditors. Whether a financial institution is well-positioned to detect such efforts is a separate question.
Customer C was a cosmetic surgeon in New York and an SHBA customer since 2007. In late 2016, Customer C was indicted on one count of second-degree manslaughter related to a botched medical procedure that led to the death of Customer C’s patient. In mid-2017, Customer C was sued for medical malpractice related to the 2016 incident. From around the time of Customer C’s indictment until December 2017, Customer C engaged in a large volume of unusual transactions, totalling approximately $2.7 million, from and to different investment, personal, and business accounts in what appeared to be an attempt to hide personal assets. SHBA did not file a SAR until at least one year after suspicious activity concluded.
Prior Regulatory Action against SHBA
The Consent Order highlights that SHBA has been entwined in multiple prior regulatory actions related to AML/BSA violations, including a 2017 consent order with the FDIC – which was amended in 2022 to address alleged deficiencies and weaknesses which remained in SHBA’s AML program – and a 2020 memorandum of understanding with NYDFS, which addressed alleged deficiencies in SHBA’s BSA/AML compliance program and its internal audit function.
Despite these agreements, the Consent Order notes that SHBA “failed to make all of the critical changes needed to bring the Bank into full compliance with the BSA.” For instance, while SHBA management made improvements to its AML program in response to prior regulatory actions, “it struggled to retain a consistent compliance officer . . . let alone to fully address its more systemic violations.” These prior actions and the pervasiveness of wrongdoing were among the express factors that led to the $15 million civil penalty issued by FinCEN.