Recently, the Industrial and Commercial Bank of China Ltd. (“ICBC”) entered into two consent orders. The first consent order is with the New York State Department of Financial Services (the “NYDFS”) for alleged deficiencies in the bank’s Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) and Office of Foreign Assets Control (“OFAC”) compliance screening programs over the past several examination cycles, as well as alleged violations of sharing confidential supervisory information. As we will discuss, the NYDFS consent order finds that ICBC violated New York banking law by backdating internal certifications – not themselves required by statute or regulation – and then not immediately disclosing these “false entries” to the NYDFS.
ICBC also entered into an Order to Cease and Desist (“C&D Order”) with the Board of Governors of the Federal Reserve (the “Federal Reserve”) for the alleged improper disclosure of confidential supervisory information, or CSI. Generally, CSI is information relating to a regulatory examination or investigation, which cannot be disclosed without the agreement of the financial institution’s examining regulator – which here, of course, is the Federal Reserve. As noted above, the NYDFS consent order also contains allegations of improper disclosure of CSI, which is also protected as confidential under New York banking law. Ironically, the alleged disclosure of CSI was to the bank’s foreign regulator.
This is not the first time ICBC has had issues involving alleged BSA/AML deficiencies. In 2018, ICBC entered into a consent Cease and Desist Order with the Federal Reserve for similar BSA/AML deficiencies at its New York branch, about which we blogged here. Despite ICBC’s noted efforts in enhancing BSA/AML and OFAC compliance programs and promptly reporting the unauthorized disclosure of confidential supervisory information to the regulators, the bank was subjected to a $30 million civil money penalty from the NYDFS and another $2.4 million civil money penalty from the Federal Reserve.
NYDFS Consent Order
The NYDFS’s consent order sets forth the following allegations:
Failure to Maintain an Effective and Compliance AML Program
The consent order asserts that the New York branch had “long-standing” weaknesses in its BSA/AML and OFAC screening compliance programs; however, the consent order offers few details of the branch’s specific ongoing weaknesses. The NYDFS issued this finding despite a targeted 2023 BSA/AML exam, which found that both the BSA/AML and OFAC compliance programs were adequate due to significant improvements the bank had made over the years and that the New York branch had successfully remediated all prior exam findings.
The consent order also highlights that the deficiencies stemming from the 2018 Federal Reserve order persisted “for several more years and through repeated examination cycles.” In addition, the NYDFS highlights a 2022 joint exam with the Federal Reserve Bank of New York that found that the BSA/AML compliance program continued to have deficiencies and required additional enhancements. Further, a 2023 Federal Reserve Bank of New York exam that found that both programs were in compliance but that additional improvements were still necessary.
Improper Backdating of Books and Records
According to New York banking laws, a licensed foreign banking corporation must maintain accurate books, accounts, and records. In addition, the New York laws require a report to be made immediately upon the discovery of any “embezzlement, misapplication, larceny, forgery, fraud, dishonesty, making of false entries and omission of true entries, or other misconduct, whether or not a criminal offense, in which any director, trustee, partner, officer, employee (excluding tellers), or agent of such organization is involved.”
The NYDFS received information from a New York branch employee about actions taken by a senior branch employee to satisfy ICBC’s internal Know Your Customer (“KYC) policy – not, as the consent order acknowledges, an actual statutory or regulatory requirement. Specifically, ICBC’s internal policy was to obtain a certification from the banking customer that they complied with the USA PATRIOT Act and then a branch employee (i.e., typically the relationship manager) would counter-sign the certification form. In August 2015, a senior branch employee became aware of some certifications that were missing the counter signature of a relationship manager who already had left the bank. The senior branch staff employee contacted this former relationship manager and requested that this person counter sign the certifications with dates in 2014.
The consent order notes that, according to ICBC, the backdated certifications were never included in the banking clients’ KYC files. Nonetheless, the consent order alleges that the backdating violated the New York branch’s obligation to maintain appropriate books and records under New York banking law. Further, a bank employee raised this issue in January 2017, and the backdating was confirmed by an internal investigation in April 2017. According to the consent order, “[t]he making of the backdated Certifications plainly constituted false entries, the making of which should have been reported immediately upon discovery. 3 NYCRR § 300.1. Instead, the [NYDFS] only learned about the backdated certifications in January 2018.”
Disclosure of Confidential Supervisory Information
As noted, New York banking law requires all reports of examinations, investigations, and correspondence concerning such examinations remain confidential. A regulated entity may only disclose such information upon the prior written approval of the NYDFS.
According to the consent order, an employee of the New York branch that was in the process of transferring to an overseas ICBC affiliate needed to fill out a questionnaire from the foreign regulator. The questionnaire asked whether the employee or the New York branch was subject to any regulatory or disciplinary investigations. Thus, the questionnaire requested CSI. The New York branch actually approached the NYDFS and the Federal Reserve about disclosing the questionnaire and the proposed language to the foreign regulator. Unfortunately, the New York branch precipitously sent the questionnaire to the foreign regulator without the proper authorization from either regulator. New York branch counsel subsequently learned that the questionnaire had been sent to the foreign regulator and reported this disclosure to the NYDFS and the Federal Reserve. This was a violation, even though the disclosure was to another regulator.
Penalties and Remediation
For the New York branch’s alleged violations, ICBC must take several remedial actions. Given the lack of details in the consent order regarding the alleged “long-standing deficiencies,” the areas for remedial action can be interpreted as deficient to some degree since 2021. ICBC must provide a remedial report to the NYDFS with updates on:
- Internal controls to ensure compliance with BSA/AML requirements and relevant state laws and regulations;
- Controls to ensure compliance with all requirements relating to correspondent banking accounts for foreign financial institutions;
- A comprehensive BSA/AML risk assessment identifying the products and services of the New York branch, customer types, geographic locations, and transaction volumes;
- Management of the New York branch’s BSA/AML compliance program by a qualified compliance officer;
- Identification of management information systems used to achieve compliance with BSA/AML requirements and relevant state laws and regulations, and a timeline to review key systems;
- Comprehensive and timely independent testing for the New York branch; and
- Effective training for all appropriate New York branch personnel and appropriate ICBC personnel.
In addition to the remedial report, ICBC must also submit a report regarding corporate governance and management oversight, which includes actions taken by the board of directors to maintain control and oversight of the New York branch related to BSA/AML compliance.
Lastly, ICBC must submit a report regarding any enhancements to the New York branch’s customer due diligence program.
The Federal Reserve
The Federal Reserve’s C&D Order focuses solely on the New York branch’s disclosure of CSI and references the same event in which the New York branch answered the questionnaire of a foreign regulator, sharing CSI without prior approval.
The C&D Order states that the New York branch lacked any formal policies, procedures, training, or other internal controls regarding the proper handling of CSI. ICBC and the New York branch therefore must submit a report to enhance the effectiveness of the branch’s internal controls and compliance functions regarding the identification, monitoring, and control of CSI. The report must consist of enhanced policies, procedures, internal controls, and training; the designation of a CSI officer; procedures to promptly escalate to the CSI officer any unauthorized disclosure; and measures to ensure management’s effective oversight.