Bank Secrecy Act (BSA)

Ballard Spahr is very pleased to host on December 17, 2018 at noon in our Philadelphia office a CLE program for the gaming industry and associated counsel to participate in a panel discussion with speakers from the Internal Revenue Service (IRS) on the latest industry trends in BSA/AML compliance and examination.

Please join us in

First Post in a Two-Part Series

How do financial institutions get in trouble with their regulators? Recent AML enforcement actions suggest that the following two failures are at the heart of most of these actions: (1) inadequately identifying, monitoring and/or reporting suspicious activity; and (2) failing to implement adequate internal controls. And these same issues crop up year after year.

In this post, we’ll discuss these failures and their root causes and provide practical tips for ensuring that your AML program will withstand the scrutiny of regulators. In our next post, we will discuss how these practical tips apply in a specific AML enforcement action: the recent consent order between the New York Department of Financial Services and Mashreqbank.  Further, we look forward to discussing all of these issues in an upcoming podcast in Ballard Spahr’s Consumer Financial Monitor Podcast series.  So please stay tuned.

The U.S. financial institutions that recently found themselves in the government’s crosshairs allegedly engaged in the following behavior:

  • Failing to investigate alerts on high-risk accounts where those accounts had been investigated previously, even when the new suspicious activity to which the bank had been alerted differed from the activity that it previously had investigated.
  • Having a policy of not investigating or filing SARs on cash withdrawals from branches near the Mexican border if the customer said they were withdrawing cash in the U.S., rather than carrying cash into the U.S. from Mexico, in order to avoid having to file a Report of International Transportation of Currency or Monetary Instruments (CMIR).
  • Capping the number of alerts from its transaction monitoring systems based on the number of staff available to review the alerts rather than on the risks posed by the transactions (and lying to regulators about it).
  • Failing to report the suspicious activities of a longtime customer despite having been warned that the customer was laundering the proceeds of an illegal and fraudulent scheme through accounts at the bank.
  • Failing to conduct necessary due diligence on foreign correspondent accounts.
  • A brokerage company failing to file SARs on transactions that showed signs of market manipulation.
  • A MSB failing to implement proper controls and to discipline crooked agents because those agents were so profitable for the MSB, thereby enabling illegal schemes such as money laundering.

Although the behavior of these financial institutions may differ, the root causes of their failures do not. They include the following:

  • An inadequate, ineffective or non-existent risk assessment.
  • Elevating the business line over the compliance function.
  • Offering products or using new technologies without adequate controls in place.
  • Compliance programs that are not commensurate with the risks, often due to underinvestment in AML technology or other resources and/or lack of awareness of AML risks or controls.
  • Corporate silos, both human and technological, that prevent or hinder information sharing.
  • Insufficient screening of parties and relationships and lack of effective processes and controls around EDD.

So how can you ensure that your AML program is adequate? Here are some practical tips.

The Treasury Inspector General for Tax Administration, or TIGTA, issued last month a Report, entitled The Internal Revenue Service’s Bank Secrecy Act Program Has Minimal Impact on Compliance, which sets forth a decidedly dim view of the utility and effectiveness of the current Bank Secrecy Act (“BSA”) compliance efforts by the Internal Revenue Service (“IRS”).  The primary conclusions of the detailed Report are that (i) referrals by the IRS to the Financial Crimes Enforcement Network (“FinCEN”) for potential Title 31 penalty cases suffer lengthy delays and have little impact on BSA compliance; (ii) the IRS BSA Program spent approximately $97 million to assess approximately $39 million in penalties for Fiscal Years (FYs) 2014 to 2016; and (iii) although referrals regarding BSA violations were made to IRS Criminal Investigation (“IRS CI”), most investigations were declined and very few ultimately were accepted by the Department of Justice for prosecution.

Arguably, the most striking claim by the Report is that “Title 31 compliance reviews [by the IRS] have minimal impact on Bank Secrecy Act compliance because negligent violation penalties are not assessed.”

A primary take-away from the Report is that an examination program lacking actual enforcement power is, unsurprisingly, not very effective.  The Report also highlights some potential problems which beset the IRS BSA Program, which include lack of staffing, lack of planning and coordination, and delay. Although the Report’s findings clearly suggest that what the IRS BSA Program really needs are resources and enhanced enforcement power, the repeated allusions in the Report to a certain purposelessness of the current BSA examination regime nonetheless might help fuel the current debate regarding possible AML/BSA reform, with an eye towards curbing regulatory burden.

The Report made five specific recommendations to the IRS for remedial steps. We will focus on four of those recommendations, and the findings upon which they rest:

  • Coordinate with FinCEN on the authority to assert Title 31 penalties, or reprioritize BSA Program resources to more productive work;
  • Leverage the BSA Program’s Title 31 authority and annual examination planning in the development of the IRS’s virtual currency strategy;
  • Evaluate the effectiveness of the newly implemented review procedures for FinCEN referrals; and
  • Improve the process for referrals to IRS CI.



Five U.S. regulatory agencies—the Board of Governors of the Federal Reserve System (“FRB”), the Federal Deposit Insurance Corporation (“FDIC”), the National Credit Union Administration (“NCUA”), the Office of the Comptroller of the Currency (“OCC”), and the U.S. Department of Treasury’s Financial Crimes Enforcement Network (“FinCEN”)—released on October 3, 2018 an Interagency Statement on Sharing Bank Secrecy Act Resources (the “Statement”). This guidance addresses instances in which certain banks and credit unions can enter into “collaborative arrangements” to share resources to manage their Bank Secrecy Act (“BSA”) and anti-money laundering (“AML”) obligations more efficiently and more effectively.

The Statement contemplates banks sharing resources such as internal controls, independent testing, and AML/BSA training (it does not apply to collaborative arrangements formed for information sharing among financial institutions under Section 314(b) of the USA PATRIOT Act). Such resource sharing contemplates reducing costs and increasing efficiencies in the ways banks manage their BSA and AML obligations. The Statement clearly is addressed primarily to community banks, for which the costs of AML/BSA compliance can be significant, and which presumably engage in “less complex operations [and have] lower risk profiles for money laundering or terrorist financing.” The Statement potentially represents another step in an ongoing AML reform process, which increasingly acknowledges the costs of AML compliance to industry.

The Federal Banking Agencies (“FBAs”) — collectively the Office of the Comptroller of the Currency (“OCC”); the Board of Governors of the Federal Reserve System (“Federal Reserve”); the Federal Deposit Insurance Corporation (“FDIC”); and the National Credit Union Administration (“NCUA”) — just issued with the concurrence of FinCEN an Order granting an exemption from the

Critics Bemoan Removal of Potential Weapon Against Shell Companies

Last week, and on the eve of a scheduled markup of the original bill in the House Financial Services Committee, a new draft of the Counter Terrorism and Illicit Finance Act (“CTIFA”) was sent to Congress.  That bill, among other things, removes a key passage of

But Noncustomer Plaintiffs May Face Uphill Battle Proving Digital Currency Exchange’s Actual Liability

Earlier this week, the Eleventh Circuit affirmed, in an unpublished opinion, that Coinbase Inc., an online platform used for buying, selling, transferring, and storing digital currency, could not compel arbitration on a former customer of Cryptsy, a now-defunct cryptocurrency exchange, in his proposed class action suit alleging that Coinbase helped to launder $8 million of Cryptsy customers’ assets. Leidel v. Coinbase, Inc., Dkt. 17-12728.

In so holding, the Court found that the plaintiff’s allegations emanated not from the User Agreement between Coinbase and Cryptsy’s CEO, Paul Vernon, but from extra-contractual duties “allegedly” found in federal statutes and regulations, specifically the Bank Secrecy Act (“BSA”).  As we previously have blogged, courts have held that financial institutions generally do not owe a duty of care to a noncustomer and that no special duty of care arises from the duties and obligations set forth in the BSA absent a special relationship or contractual relationship. Moreover, there is no private right of action stemming from the BSA. Nor does the BSA define a financial institution’s standard of care for the purposes of a negligence claim.

Coinbase is registered as a Money Services Business with FinCEN, and is otherwise required to comply with the BSA. However, if courts treat Coinbase as they would any other financial institution (which we have no reason to believe that they would not), Plaintiff, having avoided the contractual arbitration provision, has an uphill battle to show that Coinbase had a duty of care to noncustomers to prevent AML failures.

Second Part in a Two-Part Series

The Tale of an AML BSA Exam Gone Wrong

As we have blogged, the Ninth Circuit Court of Appeals recently upheld the decision of the Board of Directors of the Federal Deposit Insurance Corporation (“FDIC”) to issue a cease and desist order against California Pacific Bank (the “Bank”) for the Bank’s alleged failure to comply with Bank Secrecy Act (“BSA”) regulations or have a sufficient plan and program in place to do so.

In our first post, we described how the Ninth Circuit rejected the Bank’s constitutional challenge to the relevant regulation, and accorded broad deference to the FDIC in its interpretations of its own regulations, expressed in the form of the Federal Financial Institutions Examination Council Manual (“FFIEC Manual”).  This post discusses the Court’s review of the Bank’s challenge under the Administrative Procedure Act to the FDIC’s factual findings of AML program failings.

The California Pacific opinion provides a significant piece of guidance for banks questioning the adequacy of their BSA compliance programs: consult and abide by the FFIEC Manual.  Furthermore, it demonstrates that no shortcuts are permitted when it comes to establishing and maintaining a BSA compliance program.  The BSA and the FDIC’s regulations contain firm guidelines and the FFIEC Manual puts banks of all sizes on notice of what compliance is expected of them.  The independence of both the AML compliance officer and of testing; adequate risk assessments of customer accounts; and the correction of prior regulator findings of AML deficiencies are key.

Court Defers Heavily to the FDIC and the FFIEC Manual

First Part in a Two-Part Series

The Ninth Circuit Court of Appeals recently upheld the decision of the Board of Directors of the Federal Deposit Insurance Corporation (“FDIC”) to issue a cease and desist order against California Pacific Bank (the “Bank”) for the Bank’s alleged failure to comply with Bank Secrecy Act (“BSA”) regulations or have a sufficient plan and program in place to do so.

This decision, California Pacific Bank v. FDIC, provides a nearly step-by-step analysis of what is required of banks under the BSA and a vivid illustration of an Anti-Money Laundering (“AML”) program that did not pass muster in the eyes of a regulator.  It highlights the general rules that banks of all sizes, but particularly smaller community banks, must keep in mind concerning their compliance programs – size does not matter and you are on notice of what compliance entails.

Importantly, and before upholding the FDIC’s factual findings regarding the Bank’s violations, the Ninth Circuit first rejected the Bank’s claim that the regulation at issue (which required the Bank to implement an AML compliance program which complied with the “four pillars” of such a program) was unconstitutionally vague. Moreover, the Ninth Circuit found that the FDIC has broad discretion when interpreting this regulation, described by the Court as “ambiguous.”

This post will summarize the case and the key role played by the Federal Financial Institutions Examination Council Manual (“FFIEC Manual”) in both the Court’s rejection of the constitutional challenge and the broad deference which the Court accorded to the FDIC and its interpretation of its own regulations.  The second post will turn to the Bank’s alleged AML program failings and the Bank’s challenges to the FDIC’s many factual findings.

As we previously have blogged, the Financial Crimes Enforcement Network (“FinCEN”) became one of the first regulators to wade into the regulation of cryptocurrency when it released interpretive guidance in March 2013 stating that an administrator or exchanger of virtual currency is a Money Services Business (“MSB”). As a MSB, and according to FinCEN, an administrator or exchanger of virtual currency therefore is a “financial institution” subject to the Bank Secrecy Act (“BSA”) and its various AML-related requirements, unless a limitation or exemption applies.  Accordingly, the Department of Justice has prosecuted operators of cryptocurrency exchanges for a failure to register with FinCEN as a MSB, and FinCEN has brought civil enforcement proceedings against such exchanges for alleged failures to maintain adequate AML programs and file required Suspicious Activity Reports (“SARs”), among other alleged BSA violations.

Recently, regulators of all stripes across the globe have been moving swiftly to regulate cryptocurrency in various ways (see here, here, here, here, here, here, here, here, and here). Indeed, the Securities and Exchange Commission (“SEC”) has been very vocal and aggressive in claiming that many if not all Initial Coin Offerings (“ICOs”) involving cryptocurrency represent securities subject to the jurisdiction and supervision of the SEC, and already has filed several enforcement proceedings involving ICOs. Moreover, the SEC just yesterday issued a statement that it considers exchanges for cryptocurrency to also be subject to its jurisdiction. Likewise, the U.S. Commodity Futures Trading Commission (“CFTC”) has asserted that cryptocurrencies are commodities subject to its jurisdiction; this week, a federal court agreed with this assertion in a CFTC enforcement action.  The CFTC claims that its jurisdiction reaches beyond cryptocurrency derivative products to fraud and manipulation in the underlying cryptocurrency spot markets.

But there is a potential problem with all of these regulators simultaneously rushing in to assert their respective power over cryptocurrency businesses, and it is a tension that does not seem to have attracted much public attention to date. Specifically, BSA regulations pertaining to the definition of a MSB, at 31 C.F.R. § 1010.100(ff)(8)(ii), flatly state that a MSB does not include the following:

A person registered with, and functionally regulated or examined by, the SEC or the CFTC, or a foreign financial agency that engages in financial activities that, if conducted in the United States, would require the foreign financial agency to be registered with the SEC or CFTC[.]

How can certain cryptocurrency businesses be subject to the claimed jurisdictions of FinCEN as well as the recent regulatory newcomers to this area, the SEC and the CFTC?