We are pleased to offer the latest episode in Ballard Spahr’s Consumer Financial Monitor Podcast series — a weekly podcast focusing on the consumer finance issues that matter most, from new product development and emerging technologies to regulatory compliance and enforcement and the ramifications of private litigation. Our podcast discusses the conduct for which financial
Second Post in a Two-Part Series
NYDFS Action Highlights the Need for Good Monitoring – and Good Consultants
In part one of this two-part post, we provided some practical tips for financial institutions to increase the chances that their Anti-Money Laundering (“AML”) programs will withstand regulators’ scrutiny, including: (1) promoting a culture of AML/Bank Secrecy Act (“BSA”) compliance; (2) focusing on transaction monitoring; (3) improving information sharing; (4) identifying and handling high-risk accounts appropriately; and (5) knowing your risks and continually improving your AML program to control those risks.
In this post we’ll discuss the consequences of potentially failing to heed these practical tips in a specific case: the New York Department of Financial Services’ (DFS) recent enforcement action against Mashreqbank. Further, we look forward to discussing all of these issues in an upcoming podcast in Ballard Spahr’s Consumer Financial Monitor Podcast series. So please continue to stay tuned.
Mashreqbank is the oldest and largest private bank in the United Arab Emirates. Its New York branch is Mashreqbank’s only location in the United States. It offers correspondent banking and trade finance services and provides U.S. dollar clearing services to clients located in Southeast Asia, the Middle East and Northern Africa. In 2016, the branch cleared more than 1.2 million USD transactions with an aggregate value of over $367 billion. In 2017, the branch cleared more than one million USD transactions with an aggregate value of over $350 billion.
The DFS enforcement action asserted that Mashreqbank’s AML/BSA program was deficient in a number of respects and that the New York branch had failed to remediate identified compliance issues. The enforcement action began with a DFS safety and soundness examine in 2016. In 2017, DFS and the Federal Reserve Bank of New York (FRBNY) conducted a joint safety and soundness examination. DFS provided a report of its findings to which Mashreqbank submitted a response.
In a consent order signed on October 10, 2018, Mashreqbank admitted violations of New York laws and accepted a significant monetary penalty and increased oversight for deficiencies in its AML/BSA and Office of Foreign Assets Control (OFAC) programs. Regulators pursued the enforcement action despite the New York branch’s strong cooperation and demonstrated commitment to building an effective and sustainable compliance program. Among other things, Mashreqbank agreed to pay a $40 million fine; to hire a third-party compliance consultant to oversee and address deficiencies in the branch’s compliance function including compliance with AML/BSA requirements; and to develop written revised AML/BSA and OFAC compliance programs acceptable to DFS.
The DFS and FRBNY examination findings demonstrate Mashreqbank’s failure to follow the practical tips identified in part one of this post. Specifically, the regulators found that Mashreqbank failed to: (1) have appropriate transition monitoring; (2) identify and handle high-risk accounts appropriately; and (3) know its risk and improve its AML program to control those risks.
Further, and as our discussion will reflect, the Mashreqbank enforcement action is also notable in two other respects. First, the alleged AML failures pertain entirely to process and the general adequacy of the bank’s AML program – whereas the vast majority of other AML/BSA enforcement actions likewise discuss system failures, they usually also point to specific substantive violations, such as the failure to file Suspicious Activity Reports (“SARs”) regarding a particular customer or set of transactions. Second, although the use of external consultants usually represents a mitigating factor or even a potential reliance defense to financial institution defendants, the DFS turned what is typically a defense shield into a government sword and instead criticized Mashreqbank for using outside consultants who, according to DFS, were just not very rigorous. This alleged use of consultants performing superficial analysis became part of the allegations of affirmative violations against the bank, thereby underscoring how financial institutions must ensure that their AML/BSA auditors or other consultants are experienced, competent, and performing meaningful testing, particularly when addressing issues previously identified by regulators.…
First Post in a Two-Part Series
How do financial institutions get in trouble with their regulators? Recent AML enforcement actions suggest that the following two failures are at the heart of most of these actions: (1) inadequately identifying, monitoring and/or reporting suspicious activity; and (2) failing to implement adequate internal controls. And these same issues crop up year after year.
In this post, we’ll discuss these failures and their root causes and provide practical tips for ensuring that your AML program will withstand the scrutiny of regulators. In our next post, we will discuss how these practical tips apply in a specific AML enforcement action: the recent consent order between the New York Department of Financial Services and Mashreqbank. Further, we look forward to discussing all of these issues in an upcoming podcast in Ballard Spahr’s Consumer Financial Monitor Podcast series. So please stay tuned.
The U.S. financial institutions that recently found themselves in the government’s crosshairs allegedly engaged in the following behavior:
- Failing to investigate alerts on high-risk accounts where those accounts had been investigated previously, even when the new suspicious activity to which the bank had been alerted differed from the activity that it previously had investigated.
- Having a policy of not investigating or filing SARs on cash withdrawals from branches near the Mexican border if the customer said they were withdrawing cash in the U.S., rather than carrying cash into the U.S. from Mexico, in order to avoid having to file a Report of International Transportation of Currency or Monetary Instruments (CMIR).
- Capping the number of alerts from its transaction monitoring systems based on the number of staff available to review the alerts rather than on the risks posed by the transactions (and lying to regulators about it).
- Failing to report the suspicious activities of a longtime customer despite having been warned that the customer was laundering the proceeds of an illegal and fraudulent scheme through accounts at the bank.
- Failing to conduct necessary due diligence on foreign correspondent accounts.
- A brokerage company failing to file SARs on transactions that showed signs of market manipulation.
- A MSB’s failing to implement proper controls and discipline crooked agents because those agents were so profitable for the MSB, thereby enabling illegal schemes such as money laundering.
Although the behavior of these financial institutions may differ, the root causes of their failures do not. They include the following:
- An inadequate, ineffective or non-existent risk assessment.
- Elevating the business line over the compliance function.
- Offering products or using new technologies without adequate controls in place.
- Compliance programs that are not commensurate with the risks, often due to under investment in AML technology or other resources and/or lack of awareness of AML risks or controls.
- Corporate silos, both human and technological, that prevent or hinder information sharing.
- Insufficient screening of parties and relationships and lack of effective processes and controls around EDD.
So how can you ensure that your AML program is adequate? Here are some practical tips.…
The Treasury Inspector General for Tax Administration, or TIGTA, issued last month a Report, entitled The Internal Revenue Service’s Bank Secrecy Act Program Has Minimal Impact on Compliance, which sets forth a decidedly dim view of the utility and effectiveness of the current Bank Secrecy Act (“BSA”) compliance efforts by the Internal Revenue Service (“IRS”). The primary conclusions of the detailed Report are that (i) referrals by the IRS to the Financial Crimes Enforcement Network (“FinCEN”) for potential Title 31 penalty cases suffer lengthy delays and have little impact on BSA compliance; (ii) the IRS BSA Program spent approximately $97 million to assess approximately $39 million in penalties for Fiscal Years (FYs) 2014 to 2016; and (iii) although referrals regarding BSA violations were made to IRS Criminal Investigation (“IRS CI”), most investigations were declined and very few ultimately were accepted by the Department of Justice for prosecution.
Arguably, the most striking claim by the Report is that “Title 31 compliance reviews [by the IRS] have minimal impact on Bank Secrecy Act compliance because negligent violation penalties are not assessed.”
A primary take-away from the Report is that an examination program lacking actual enforcement power is, unsurprisingly, not very effective. The Report also highlights some potential problems which beset the IRS BSA Program, which include lack of staffing, lack of planning and coordination, and delay. Although the Report’s findings clearly suggest that what the IRS BSA Program really needs are resources and enhanced enforcement power, the repeated allusions in the Report to a certain purposelessness of the current BSA examination regime nonetheless might help fuel the current debate regarding possible AML/BSA reform, with an eye towards curbing regulatory burden.
The Report made five specific recommendations to the IRS for remedial steps. We will focus on four of those recommendations, and the findings upon which they rest:
- Coordinate with FINCEN on the authority to assert Title 31 penalties, or reprioritize BSA Program resources to more productive work;
- Leverage the BSA Program’s Title 31 authority and annual examination planning in the development of the IRS’s virtual currency strategy;
- Evaluate the effectiveness of the newly implemented review procedures for FinCEN referrals; and
- Improve the process for referrals to IRS CI.
Address Emphasizes Role of SARs in Fighting Illegal Activity, Including Drug Dealing Fueling the Opioid Crisis
Kenneth Blanco, the Director of the Financial Crimes Enforcement Network (“FinCEN”), discussed last week several issues involving virtual currency during an address before the “2018 Chicago-Kent Block (Legal) Tech Conference” at the Chicago-Kent College of Law at Illinois Institute of Technology. Although some of his comments retread familiar ground, Blanco did offer some new insights, including the fact that FinCEN now receives over 1,500 Suspicious Activity Reports (“SARs”) a month relating to virtual currency.…
Bank’s Alleged “Tick Box” Approach Failed to Attain Substantive AML Compliance
Late last week, the Financial Conduct Authority (“FCA”), the United Kingdom’s financial services regulator, imposed a $1.2 million (896,100 pound) fine on the UK division of India’s Canara Bank, an Indian state-owned bank, and ordered a moratorium on new deposits for nearly five months. The cause—according to Reuters—was Canara’s systemic anti-money laundering (“AML”) failures.
A 44-page final notice published by the FCA explains the multi-year regulatory process that led to a finding of systemic failures and the imposition of penalties. The FCA’s investigation began in late 2012 and early 2013 with assessments of Canara’s AML systems. Upon inspection, the FCA “notified Canara of a number of serious weaknesses in its AML systems and controls.” After promises of remedial action by Canara, an April 2015 visit revealed that the AML systems had not been fixed. The investigation ended with a final report from a “skilled person,” an expert brought in by the FCA to assess Canara’s AML policies and procedures, completed in January 2016. Settlement followed, resulting in sanctions and the FCA’s published final notice.
These three visits from the FCA generated a laundry list of Canara’s AML shortcomings. This enforcement action reflects three main take-aways: (i) the potential risks faced by banks operating in foreign countries in which they have limited AML experience; (ii) the need for swift remedial action after the first examination finding AML deficiencies; and (iii) the need for a substantive AML policy implemented in a substantive way, rather than through a rote reliance on AML-related checklists.…
Incorporation Solidifies Customer Due Diligence as “Fifth Pillar” to BSA/AML Compliance Program
May 11, 2018 was the much anticipated effective date for the Customer Due Diligence (“CDD”) Requirements for Financial Institutions Rule (the “Beneficial Ownership Rule”) issued by the Department of Treasury’s Financial Crimes Enforcement Network (“FinCEN”). On the same day, the Federal Financial Institutions Examination Council (“FFIEC”) released two updates to the Bank Secretary Act/Anti-Money Laundering (“BSA/AML”) examination manual that incorporate and clarify the CDD Requirements and Beneficial Ownership Rule. The FFIEC is an interagency body that is “empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions.” The FFIEC examination manual drives the principles and obligations of covered financial instructions in creating BSA/AML compliance programs. The new updates further clarify the FinCEN rules and solidify CDD as the fifth pillar of the BSA/AML compliance regime.
As we previously blogged here, when FinCEN announced its final rule on CDD requirements it established two important requirements for covered financial institutions. First, the covered financial institutions were required to establish procedures to identify and verify the beneficial owners of all legal entity customers. Second, the rule required covered financial institutions to adopt ongoing risk-based CDD procedures as part of their AML compliance programs – including developing and updating customer risk profiles and conducting ongoing AML monitoring. We previously provided practical guidance to aid covered financial institutions in preparing for implementation of these two requirements. Now we will highlight the key considerations of FFIEC examination manual addressing these topics. Of particular interest, the new FFIEC examination manual provisions state in part that regulatory examiners are not supposed to engage in second-guessing specific decisions; rather, during an examination “the bank should not be criticized for individual customer decisions unless it impacts the effectiveness of the overall CDD program, or is accompanied to evidence of bad faith or other aggravating factors.”…
Second Part in a Two-Part Series
The Tale of an AML BSA Exam Gone Wrong
As we have blogged, the Ninth Circuit Court of Appeals recently upheld the decision of the Board of Directors of the Federal Deposit Insurance Corporation (“FDIC”) to issue a cease and desist order against California Pacific Bank (the “Bank”) for the Bank’s alleged failure to comply with Bank Secrecy Act (“BSA”) regulations or have a sufficient plan and program in place to do so.
In our first post, we described how the Ninth Circuit rejected the Bank’s constitutional challenge to the relevant regulation, and accorded broad deference to the FDIC in its interpretations of its own regulations, expressed in the form of the Federal Financial Institutions Examination Council Manual (“FFIEC Manual”). This post discusses the Court’s review of the Bank’s challenge under the Administrative Procedures Act to the FDIC’s factual findings of AML program failings.
The California Pacific opinion provides a significant piece of guidance for banks questioning the adequacy of its BSA compliance program: consult and abide the FFIEC Manual. Furthermore, it demonstrates that no shortcuts are permitted when it comes to establishing and maintaining a BSA compliance program. The BSA and the FDIC’s regulations contain firm guidelines and the FFIEC Manual puts banks of all sizes on notice of what compliance is expected of them. The independence of both the AML compliance officer and of testing; adequate risk assessments of customer accounts; and the correction of prior regulator findings of AML deficiencies are key.…
Court Defers Heavily to the FDIC and the FFIEC Manual
First Part in a Two-Part Series
The Ninth Circuit Court of Appeals recently upheld the decision of the Board of Directors of the Federal Deposit Insurance Corporation (“FDIC”) to issue a cease and desist order against California Pacific Bank (the “Bank”) for the Bank’s alleged failure to comply with Bank Secrecy Act (“BSA”) regulations or have a sufficient plan and program in place to do so.
This decision, California Pacific Bank v. FDIC, provides a nearly step-by-step analysis of what is required of banks under the BSA and a vivid illustration of an Anti-Money Laundering (“AML”) program that did not pass muster in the eyes of a regulator. It highlights the general rules that banks of all sizes, but particularly smaller community banks, must keep in mind concerning their compliance programs – size does not matter and you are on notice of what compliance entails.
Importantly, and before upholding the FDIC’s factual findings regarding the Bank’s violations, the Ninth Circuit first rejected the Bank’s claim that the regulation at issue (which required the Bank to implement an AML compliance program which complied with the “four pillars” of such a program) was unconstitutionally vague. Moreover, the Ninth Circuit found that the FDIC has broad discretion when interpreting this regulation, described by the Court as “ambiguous.”
This post will summarize the case and the key role played by the Federal Financial Institutions Examination Council Manual (“FFIEC Manual”) in both the Court’s rejection of the constitutional challenge and the broad deference which the Court accorded to the FDIC and its interpretation of its own regulations. The second post will turn to the Bank’s alleged AML program failings and the Bank’s challenges to the FDIC’s many factual findings.…
Yesterday, the SEC Office of Compliance Inspections and Examinations (OCIE) announced its 2018 examination priorities, released in order to “improve compliance, prevent fraud, monitor risk, and inform policy.” OCIE announced five priorities, with Anti-Money Laundering (“AML”) programs being one of them. This emphasis on AML is consistent with the SEC’s increasing willingness to bring enforcement actions relating to AML and the Bank Secrecy Act (“BSA”). As we also discuss, here and in our sister blog, CyberAdviser, another priority announced by OCIE is cybersecurity, an issue which increasingly overlaps with AML issues.…