DOJ hits troubled Citi subsidiary with nearly $100 million AML penalty

By Brian Monroe
May 25, 2017

The US Department of Justice hit a subsidiary of one of the country’s largest banks with a nearly $100 million penalty as part of a non-prosecution agreement (NPA) on Monday, in an enforcement action spearheaded by federal investigators rather than regulators.

The $97.4 million forfeiture is the second major action against Citigroup-owned financial institution Banamex in the past two years for broad and longstanding anti-money laundering (AML) failures. In 2015, the Federal Deposit Insurance Corp. (FDIC) and California’s banking regulator penalized the bank $140 million for key program gaps, including a lack of adequate staffing, poor transaction monitoring and failing to file suspicious activity reports (SARs) – at one point for two straight years. Banamex is being shut down by Citi at the end of next month.

The agreement is one of the first high-profile AML enforcement actions against a financial institution under the Trump administration and new Attorney General Jeff Sessions. It may be an early indicator that intensive scrutiny of financial crime compliance in the U.S. is not wavering, despite the administration’s overall focus on cutting regulations.

In the latest action, federal prosecutors revealed a compliance department completely overwhelmed as Banamex focused on capitalizing on the burgeoning growth of Mexican remittances through the mid-2000s. The institution believed at one point that, through its remitter partnerships, it could potentially get nearly half of the multi-billion dollar market between the U.S. and Mexico.

Unfortunately, that growth did not translate into more compliance officers able to handle the avalanche of alerts now flooding the mostly manual transaction monitoring system. Soaring activity buried the two designated AML compliance staffers, one of which had much of her bandwidth taken up by also being the IT person, according to the agreement.

The action notes that between 2007 and 2012, the monitoring system issued more than 18,000 suspicious activity alerts involving some $142 million – a sliver of the $8.8 billion in remittances to Mexico during that time – but Banamex conducted less than 10 investigations and filed only nine SARs on 30 million remittance-related transactions representing just more than $340,000.

Banamex USA (BUSA) also failed to file any SARs between 2010 and 2012. Part of the reason the bank was inundated with so many alerts – even though it had only rudimentary pre-tuned monitoring scenarios – is that the bank also had insight into actual remitter transactions, in essence the customer’s customer, rather than just batched MSB company transactions.

Lax staffing, monitoring, senior level support

The NPA also chastised BUSA for employing a “limited and manual transaction monitoring system, running only two scenarios to identify suspicious activity on the millions of remittance transactions it processed.”

As a result of the lax staffing and monitoring, the bank missed or was not able to further investigate key red flags, according to the order.

Bank staff, and the board, knew that the average remittance to Mexico was “$300 and primarily involved individuals periodically sending money to family members in Mexico. Yet, from 2007 to 2012, BUSA processed approximately $1.3 billion in remittances with a value greater than $1,500 – five times the expected family remittance.”

Many of the anecdotes in the NPA follow a familiar refrain from past actions where a compliance officer realizes the program is not strong enough, importunes senior management to improve systems, staffing or controls, and is rebuffed or given token improvements far out of line with what is actually needed.

At one point, one of the two unnamed compliance officers in the Banamex action was saddled with both doing their job and installing a new automated transaction monitoring system. Under so much stress and pressure, the individual quit.

Many penalties, but similar threads

The latest settlement mirrored many of the details from the 2015 joint penalty levied by the FDIC and California’s state banking regulator.

In the FDIC order, the compliance issues surrounding Banamex USA centered on the inability to hire and retain a qualified compliance officer with skill in line with the risk of the operation, have properly trained officers and a sufficient overall number of staff.

Exacerbating the bank’s inability to correct these issues was that is also had an ineffective independent testing program, the AML-mandated backstop to prevent minor program weaknesses into systemic failures, according to the FDIC.

Banamex USA at that time had assets of roughly $500 million, with some 300 employees in branches in California and Texas. Citi bought the institution in 2001 from a Mexican bank.

But the FDIC just two months ago went further, hitting several top executives, one in a compliance role, with individual penalties and putting a proverbial scarlet letter on their careers in the banking space.

In March, the FDIC stated that it had individually penalized Banamex’s former chief compliance officer (CCO), also its AML officer, $70,000, and banned the person from working in banking again.

The former chief executive officer, and executive vice president of corporate and international banking befell similar fates and permabans, with penalties of $90,000 and $30,000. The FDIC also banned the former senior vice president of operations, but didn’t hand down a penalty.

The larger government push for compliance officer liability in regulatory failures at an institution is a flashpoint issue in financial crime compliance circles because it appears any officer can be named or shamed if they are found to have a poor program, even if they attempted repairs and asked senior management for support and resources that were never provided.

Prosecutors leave room for potential future actions

The 24-page settlement directs Banamex and Citigroup to “use their best efforts to make available for interviews, testimony…present or former officers, directors, employees, agents and consultants.”

The obligation of these parties includes “sworn testimony before a federal grand jury or in federal trials as well as interviews with domestic or foreign law enforcement and regulatory authorities.” Such commitments are a fairly standard component in non-prosecution and deferred prosecution agreements, though not always seen in regulatory enforcement actions.

Further, and potentially boding ill for the bank, the settlement does not mince words, stating that the NPA “does not provide any protection against prosecution for any individuals regardless of their affiliation” with Banamex or present or former subsidiaries and “shall not restrict the ability” of DOJ to “charge any individual for any criminal offense and to seek the maximum term of imprisonment.”

The information gathered from these current or former consultants can also be used against Citigroup, with the settlement “tolling” or extending the statute of limitations for related crimes between one year and five years, depending on when investigators are made aware of a problem or find out on their own.

That wording opens the door for further actions against Citi if more faults come to light.

That’s not a good thing as the ceiling in AML-related enforcement actions against banks in recent years, including settlements with U.S. and foreign banks, have had figures as high as $9 billion, more than a billion dollars and hundreds of millions of dollars in individual agreements, though in some cases that was tied in part to violating sanctions rules.

Citi reiterated its commitment to compliance on Monday in a statement.

“Among our most serious obligations as a bank is to achieve the strongest possible system for anti-money-laundering and sanctions compliance to protect the integrity of the financial system,” Citigroup stated in responses to queries about the health of its overall financial crime countermeasures.