Financial Crime Compliance Lookback: The enforcement actions and trends that shaped 2015

Looking back at 2015 for compliance professionals, there are several key themes strewn throughout the year’s many notable formal enforcement actions and informal statements by regulators and law enforcement agencies.

From AML to fraud, sanctions to cybersecurity, 2015 saw heightened pressure and liability for compliance teams, enforcement actions and regulations expanding to new sectors, and a laser focus on the accuracy and depth of data flowing through monitoring systems and folded into reports to law enforcement.

The required skill set of the ideal financial crime compliance professional, or the desired makeup of the team, also broadened and deepened into the arcane realm of quantitative statistical modeling and predictive analytics.

For example, at the 2015 ACFCS conference in New York in April, compliance team leaders noted how they wanted compliance officers with an exposure to computer science and programming, a certain degree of mathematical and statistical savvy, and an understanding of finance who were also adaptable and creative enough to properly harness the tools at their disposal.

In addition, by truly understanding the power of that data, financial institutions can combine disparate elements, such as names in news stories, transaction histories and other structured and unstructured information to do more than just figure out if a person should be denied an account or ability to send a wire, but also get critical information and intelligence to law enforcement before authorities even know which institutions to ask for help.

Here is an ACFCS summary of some of the major actions that took place during the year and the broader, bigger picture trends involved that bring critical context and nuance to complex compliance conundrums.

Anti-money laundering

It was a year of firsts in AML/BSA enforcement for the US Financial Crimes Enforcement Network. The agency issued its first penalty in the virtual currency sector, its first penalty against a large casino and its first compliance-related penalty against a bank for not realizing certain transactions were tied to judicial corruption.

Just yesterday, FinCEN released an assessment of a $200,000 civil money penalty against a Los Angeles precious metals business, as well as its owner and compliance officer, a first for the agency in the precious metals sector apart from a small penalty nearly a decade ago against a small jewelry store.

The penalty is against B.A.K. Precious Metals, Inc. (B.A.K.), its sole owner, Bogos Karaoglanyan, and its designated compliance officer, Arman Karaoglanyan, who have admitted to willfully violating federal anti-money laundering (AML) laws.

The bureau also got more aggressive using its powers around geographic targeting orders to increase the scrutiny and reporting requirements in the areas of trade, fashion and armored cars in states like California and Florida.

During the year, FinCEN also released a bevy of new proposed, resurrected and finalized rules, including a proposal to require financial institutions to capture beneficial ownership information, re-releasing an initiative to require banks and money remitters to get more details on cross-border wires, and grafting anti-money laundering (AML) obligations to several parts of the investment sector, among other actions.

This year also saw the release of two key interagency reports on financial crime that highlighted the country’s overall risks and vulnerabilities to money laundering and terrorist financing: The US National Money Laundering Risk Assessment and a sister publication, the US National Terrorist Financing Risk Assessment.


Corruption

In August, The Bank of New York Mellon paid nearly $15 million to settle charges by the US Securities and Exchange Commission that it violated federal bribery laws by selectively awarding internships to the family members of officials with ties to a Middle Eastern sovereign wealth fund with more than $50 billion in assets.

The regulator stated the bank didn’t adequately evaluate the family members for its internship program, typically a highly competitive and stringent process. The bank, instead, chose family members to corruptly sway government officials to gain or keep contracts associated with the fund.

Bigger picture trend: On the financial services side, banks have been warned for more than a decade they should fear a more draconian use of FCPA powers, but have had little to fear in that time and no clear framework for how corruption could infiltrate their institution.

That changed with the nearly $15 million penalty last month against BNY Mellon, which is just the first tangible sign of a much more significant foray by US enforcement agencies into financial services and potential corrupt dealings. JPMorgan Chase and a half-dozen other financial institutions are being investigated for possible FCPA violations, said one expert.

Prior to that, in May, the FBI and IRS indicted more than a dozen individuals tied to the soccer governing body FIFA on wire fraud, racketeering and money laundering charges tied to collusion with sports marketing executives. In March, the US Justice Department announced settlement and civil forfeiture cases against $1.2 million in assets tied to corruption proceeds from former Korean president Chun Doo Hwan.

The year ended with another enforcement first in an action punctuated by financial crime compliance and corruption failings, this time in the United Kingdom.

In November, London-based ICBC Standard Bank entered into the country’s first-ever deferred prosecution agreement with the Serious Fraud Office (SFO) for failing to prevent a former sister company from paying $6 million in bribes to Tanzanian officials to win business from a state bank.

The multi-jurisdictional and multi-agency penalty resulted in $32.5 million to the SFO, $4.2 million to the US Securities and Exchange Commission and another $7 million to the US government. The action highlighted the risks of insiders and how they can evade compliance controls and the broader issue of how to craft an enterprise-wide, cross-border program.

Sanctions

In March, Frankfurt-based Commerzbank paid $1.5 billion for extensive financial crime violations related to dealing with blacklisted regimes in an action notable for more than just the heft of the settlement and tight turnaround timeframes.

The enforcement action was also significant as it showed a deep degree of regulatory distrust in the institution’s leadership, holding the chief executive accountable for progress.

The multi-jurisdictional $1.45 billion deferred prosecution agreement (DPA) between state and federal regulators, investigators and Frankfurt-based Commerzbank centers on the institution’s decision to do business with blacklisted entities and regimes and a large Japanese optics company, Olympus, which was engaged in a massive accounting fraud.

The bank chose to continue doing business with these potentially illicit entities in many instances even after internal staff members stated such practices could be illegal and external investigators stated the bank could be breaching US Treasury rules by “stripping” incriminating wire information tied to Iran and Sudan so they could pass through sanctions filters at the New York branch.

As part of the settlement, the government installed a corporate monitor that will report on the progress to adhere to the DPA every 90 days and additional requirements that the bank and monitor report any stumbles immediately. US officials are also requiring a personal signature from the bank’s chief executive that the required improvements are in place.

Bigger picture trend: The settlement with Commerzbank is just the latest massive penalty action against a large foreign bank for “stripping” violations since 2009, numbering now more than a half dozen and including household name operations in the biggest financial centers around the globe.

In June of 2014, France’s largest bank, BNP Paribas, paid a record nearly $9 billion penalty and had to plead guilty, an extreme measure, for knowingly stripping interbank data out of wires tied to regimes including Iran and Sudan, even after investigators warned the institution it was being formally investigated for such practices.

The bank’s penalty was so massive because it blithely continued its activities when investigators requested it to cease, and was not forthright in responding to information requests. Other banks that have been penalized for similar missteps include ING Bank, Barclays, Royal Bank of Scotland, Standard Chartered and Lloyds. A $1.9 billion penalty against HSBC also included such activities.

In response to such infuriating infractions, earlier this month, New York Governor Andrew Cuomo unveiled proposed state regulations imposing stricter AML and sanctions monitoring expectations, including an annual written certification by a “senior financial executive,” which is believed to mean a chief compliance officer or equivalent rank.

The initiative is modeled on SOX requirements for CEOs/CFOs to certify financial accounting and is designed to address “serious shortcomings in the transaction monitoring and filtering programs of… institutions and… a lack of robust governance, oversight, and accountability at senior levels of these institutions” which has “contributed to these shortcomings.”

Under the rules, which have a 45-day comment period, banks would have to conduct an array of tests on compliance systems, including:

  • An end-to-end, pre- and post-implementation testing of the Transaction Monitoring Program, including governance, data mapping, transaction coding, detection scenario logic, model validation, data input and Program output, as well as periodic testing.
  • An end-to-end, pre- and post-implementation testing of the Watch List Filtering Program, including data mapping, an evaluation of whether the watch lists and threshold settings map to the risks of the institution, the logic of matching technology or tools, model validation, and data input and Watch List Filtering Program output.
  • Identification of all data sources that contain relevant data, along with validation of the integrity, accuracy and quality of data to ensure that accurate and complete data flows through the Transaction Monitoring and Filtering Program.
  • Analysis and testing of data extraction and loading processes to ensure a complete and accurate transfer of data from its source to automated monitoring and filtering systems, if automated systems are used.

Cybersecurity

The most emblematic action in the area of cybersecurity arguably happened in November, with the indictments of three Israelis accused of masterminding a massive international hacking and fraud scheme generating hundreds of millions of dollars in illicit proceeds, an initiative only possible with the help of crooked bankers and even a corrupted credit union.

Investigators and analysts categorized the case as unprecedented in scope, complexity and creative use of myriad different funding streams – such as data breaches, penny stock scams, online gambling, payment processing and a Bitcoin exchange. The schemes targeted many of the nation’s largest banking, trading and media organizations, including JPMorgan, TD Ameritrade and News Corp., which owns the Wall Street Journal.

In court documents, prosecutors charged Gery Shalon, Joshua Samuel Aaron and Ziv Orenstein in a 23-count indictment with alleged crimes spanning 12 companies, including nine financial services firms and media outlets, eventually capturing details on more than 100 million people, some 80 million of those from the JPMorgan breach alone.

Bigger picture trend: At the ACFCS inaugural cybersecurity conference in October, attendees and speakers confirmed that criminal hacking groups are more aggressively attacking a wider universe of institutions, from banks, to data aggregators, to third-party outsourcers such as human resources and legal services, and are actively sharing information on what tools work and vulnerabilities remain outstanding.

The decisions around and resources devoted to thwarting cyber thieves have taken on increased importance as these groups in the last two years have infiltrated some of the largest banks and retailers in the United States, including JPMorgan, Home Depot, Target and also perforated choice government data nodes, such as the Office of Personnel Management.

As a result, regulators, including the US Treasury’s Office of the Comptroller of the Currency (OCC), have stated they are making cybersecurity, resilience and cyber “maturity” more of a focus while other regulatory bodies, including the Federal Trade Commission, have already taken formal legal actions against companies telling customers they employed stout cyber protections, but didn’t.

At the state level, the New York State Department of Financial Services is also planning on doing cybersecurity assessments as part of its overall compliance reviews, with many of the training, risk assessment and auditing duties of the cyber program mirroring current financial crime compliance requirements.

There are also new platforms that have created opportunities for cyber criminals, including in mobile devices, cloud computing and alliances between cyber criminals, hackers and nation state cyber espionage, making it more difficult for authorities to determine “who was behind the attack,” according to one speaker. Business email compromise attacks are also surging.

Last year, the OCC also engaged in an exercise to grade the cybersecurity programs of some 500 institutions, and then earlier this year created and released a voluntary cybersecurity assessment tool that will help banks better understand their cyber risks, awareness and general “maturity level” in critical areas, said a second speaker.