Posted by Brian Monroe - bmonroe@acfcs.org 03/11/2020
FinCEN issues rare penalty, nearly half a million dollars, against top risk officer for longstanding AML failures, alert caps
The skinny:
- FinCEN has issued a rare and hefty penalty, $450,000, against a top risk officer at U.S. Bank for longstanding AML failures and alert caps.
- U.S. Bank, one of the country’s largest institutions, paid more than $600 million to regulators and authorities in a 2018 deferred prosecution agreement for these failings and attempting to hide known weaknesses from examiners.
- The case echoes the battle between the U.S. Treasury and a former chief compliance officer at MoneyGram who had faced a $1 million individual penalty and lifetime debarment, but negotiated a lesser sanction: a $250,000 settlement and three-year injunction.
- While there has only been a handful of high-profile penalties against individual officers in compliance and AML roles, this latest action has the further nuance it targets a chief risk officer. Some believe such a sanction could even be illegal as, technically, only AML officers and the board have accountability for program gaps.
The U.S. Treasury has issued a rare, nearly half a million-dollar penalty against a top compliance official for failures in a bank’s underlying anti-money laundering program tied to capping transaction monitoring alert volumes, understaffing analysts and weak and missing filings tied to suspicious activities.
The Financial Crimes Enforcement Network (FinCEN) has assessed a $450,000 civil money penalty against Michael LaFontaine, the former Chief Operational Risk Officer at U.S. Bank National Association (U.S. Bank), for his failure to prevent violations of the Bank Secrecy Act (BSA), the country’s chief anti-money laundering (AML) rule, during his tenure.
U.S. Bank “systemically and continually devoted an inadequate amount of resources to its AML program,” according to FinCEN, adding that the bank’s own internal transaction monitoring testing revealed that alert capping caused it to “fail to investigate and report thousands of suspicious transactions.”
While FinCEN offers pages of argument and evidence to buttress its foundation for the penalty, the action has caused a further fracturing and fretting in AML compliance circles – in short, the question on everyone’s minds: Do I stay or do I go?
Even so, other pundits and compliance clock watchers have stated the government’s overtures to pin down and penalize individual AML officers as part of, or after, egregious fincrime compliance failures has been inconsistent at best – with varying levels of AML staffers seemingly guilty of similar abuses, but without being subjected to formal fines.
Some had even stated that the action may not be legal because only the AML officer and the board can, technically, have responsibility and accountability for egregious fincrime compliance failures.
In fact, there should be a line of authority that goes straight from the AML officer to the top executives of the bank and further on to the board.
Individual penalty follows big fine against bank
The individual penalty against LaFontaine follows U.S. bank paying a hefty fine just a few years ago from a host of regulatory and investigative agencies.
In February 2018, U.S. Bank, one of the country’s largest banks, paid federal regulators and authorities $613 million in a settlement for longstanding financial crime compliance deficiencies, including capping alerts on potential illicit activity and attempting to hide known weaknesses from examiners.
The deferred prosecution agreement between U.S Bank National Association and the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN), Office of the Comptroller of the Currency (OCC), Federal Reserve and the U.S. Department of Justice (DOJ) also included the institution admitting responsibility in a statement of facts and facing felony charges for violating AML program rules if it didn’t improve enough in a relatively short two-year timeframe.
But the action against LaFontaine is not the only individual penalty against a top officer, nor is it the largest ever to be levied.
The most high-profile action against an individual settled roughly three years ago, in mid-2017.
In the widely-watched case between the U.S. Treasury and a lone compliance officer facing a $1 million individual penalty and lifetime debarment, the individual successfully negotiated a lesser sanction, eventually agreeing to a $250,000 settlement and three-year injunction.
Since the case dropped in 2014, related to a broader $100 million AML penalty against MoneyGram in 2012 tied to agents actively aiding fraudsters and scam artists stealing from people, it has been a flashpoint issue in financial crime compliance, federal regulatory and investigative circles.
Critics argued that the former head compliance officer for MoneyGram, Thomas Haider, was made a “scapegoat” by the company as his requests to drop fraudulent agents were overruled by higher-ranking executives – a critical focal point of the final FinCEN order.
Some believed that the U.S. government unfairly targeted him for a rare statement-making penalty to shock other AML compliance professionals into line.
Still others, however, stated that targeting a compliance officer with a penalty was actually making the wrong statement.
Action foreshadows more individual actions against other bank units
The news of the latest action against a top compliance professional, this time a risk officer, started a spirited discussion on social media, with many top minds weighing in to analyze how this can happen and offer potential approaches to prevent such failures from happening again.
The action, in general, tells the fincrime compliance community that a bevy of roles could more readily be in the crosshairs of examiners and investigators for individual actions.
The sanction “demonstrates as well that multiple roles across the firm are responsible and accountable in addition to the AML officer,” said Eric Young, the former Chief Compliance Officer of BNP Paribas, in the posting.
Those roles more in the compliance line of fire could include: IT, the front line, business line managers, budget bean counters — particularly those forcing the AML function to choose lesser expensive data analysis and transactional monitoring hardware and software options versus “having a robust surveillance program to monitor the suspicious activity of their clients,” he stated.
Some of the more arcane and tech-oriented roles could also be under more scrutiny for penalties, including the independent model validation teams and “executive management” as they trim or approve budgets and “set the tone” for compliance culture throughout the entire organization, Young said.
In light of the action, institutions may need to consider a “firm-wide system of internal controls across people, processes and technology, which enables the AML team and AML officer to monitor, escalate, investigate and report on suspicious and/or actual activity warranting SAR reporting and account restriction and/or closure and beyond.”
In fact, some have feared such a draconian stance against an individual compliance officer – one ostensibly responsible for the unknown decisions by dozens, or even hundreds of analysts below their level – could start an exodus from the field.
The result, in essence, would not be improving compliance or bringing to bear greater accountability for top compliance and risk officers, but instead result in the wholesale loss of bright, talented and experienced fincrime professionals leaving the field altogether.
Where would they go? To take positions at companies and in industries without the persistent specter of individual penalties hovering out there in the ether of the compliance universe.
Alert caps based on resources, not actual aberrant activity
In the case of U.S. Bank, its weak AML practices also made it easier for risky groups to bank because they were less likely of being identified and reported to law enforcement, according to the 2018 action.
U.S. Bancorp is the parent company of Minneapolis-based U.S. Bank, the fifth-largest bank in the U.S. with 74,000 employees and $462 billion in assets.
From 2009 and continuing until 2014, U.S. bank “willfully failed to establish, implement, and maintain an adequate AML program,” according to federal investigators, adding that the institution “capped the number of alerts generated by its transaction monitoring systems.
The bank incorrectly “based the number of such alerts on staffing levels and resources, rather than setting thresholds for such alerts that corresponded to a transaction’s level of risk” and further compounded the issue by “deliberately” concealing the practice from the OCC.
But rather than removing the alert caps, the bank “terminated the testing,” that uncovered the problem, resulting in outcries from senior AML staffers who warned that federal examiners would likely chastise the move as using “smoke and mirrors” to make the AML program appear sturdier than it truly was.
Deceiving examiners with ‘smoke and mirror’ tactics
An OCC examiner assigned to the bank “repeatedly” warned USB officials, including the anti-money laundering officer (AMLO), of the “impropriety of managing the bank’s monitoring programs based on the size of its staff and other resources.”
Realizing OCC examiners would likely find U.S. Bank’s resource-driven alert limits to be improper, bank officials, including the chief compliance officer (CCO), “deliberately concealed these practices from the OCC.”
They did this, for example, by having a bank employee deliberately exclude “references to resource limitations from the minutes of an internal Bank meeting for fear that the OCC would disapprove of the Bank’s practices, and in order to protect himself and his supervisor from adverse consequences.”
Indeed, the AMLO described U.S. Bank’s AML program to another senior manager as an effort to use “smoke and mirrors” to “pull the wool over the eyes” of the OCC.
U.S. Bank also allowed, and failed to monitor, non-customers conducting millions of dollars of risky currency transfers at its branches through money remittance heavyweight Western Union.
For just the six months prior to taking steps to remedy the practices, the Bank’s analysis resulted in the generation of an additional 24,179 alerts and the filing of 2,121 SARs, according to penalty documents.
In addition, U.S. Bank filed over 5,000 Currency Transaction Reports (CTRs) with incomplete or inaccurate information, “impeding law enforcement’s ability to identify and track potentially unlawful behavior,” according to FinCEN.
Risky, shady payday lender given free reign
The bank also allowed millions of dollars to be moved related to a risky payday lender and kept his account open even after several high-profile negative news events and government subpoenas – an investigation that later lead to a conviction for fraud.
From October 2011 through November 2013, the bank willfully failed to timely report suspicious banking activities of Scott Tucker, a longtime customer with a checkered past and carrying a bevy of obvious red flags.
All that despite U.S. Bank being on notice that Tucker had been using the institution to “launder proceeds from an illegal and fraudulent payday lending” scheme using a series of sham bank accounts opened under the name of companies nominally owned by various Native American tribes.
From 2008 through 2012, Tucker’s companies extended approximately five million loans to customers across the country, while generating more than $2 billion in revenues and hundreds of millions of dollars in profits, most flowing through his U.S. Bank accounts.
USB employees responsible for servicing Tucker’s ongoing account activity disregarded numerous red flags, including him spending large sums of monies from accounts in the names of Tribal companies on personal items, including tens of millions of dollars on a vacation home in Aspen and on Tucker’s professional Ferrari racing team.
The bank also received subpoenas from regulators investigating Tucker’s businesses, but still failed to file any SARs.
Even after news organizations published reports examining Tucker’s history and questionable business practices in September 2011, the bank tarried on dropping the customer or taking a proactive approach to inform law enforcement.
Internally, the grumbling of frustrated mid-level compliance staffers started to boil over.
In a review of Tucker’s accounts, an AML investigator at the bank bemoaned the lack of action, reporting to supervisors, “among other things, that ‘it looks as though Mr. Tucker is quite the slippery individual’ who ‘really does hide behind a bunch of shell companies.’”
Based on its findings, the Bank finally closed the accounts in the names of the Tribal Companies, but still failed to file a SAR.
Conversely, rather than closing all accounts tied to Tucker, the bank actually expanded its business with him.
The bank “left open Tucker’s non-tribal accounts and opened new ones, allowing over $176 million more from his illegal payday business to flow into the Bank,” according to penalty documents.
Moreover, despite also “learning of an April 2012 Federal Trade Commission lawsuit against Tucker and the Tribal Companies, the Bank did not file a SAR regarding Tucker until served with a subpoena” by federal authorities in November 2013.
Tucker was sentenced in January 2018 to more than 16 years in prison related to the $2 billion payday lending scheme.
Uncorrected orders turning to monetary penalties
The U.S. Bank penalty continues a recent trend of non-monetary regulatory orders turning into hefty penalties when examiners feel the bank didn’t improve the AML program enough or, worse, that the institution attempted to hide the true depth and breadth of issues.
In its 2015 consent order, the OCC cited the bank having an “inadequate system of internal controls, ineffective independent testing, and inadequate training. The bank had systemic deficiencies in its transaction monitoring systems, which resulted in monitoring gaps and a significant amount of unreported suspicious activity.”
In addition, U.S. Bank filed over 5,000 Currency Transaction Reports (CTRs) with incomplete or inaccurate information, impeding law enforcement’s ability to identify and track potentially unlawful behavior.
The actions reflect on broader current trends in the AML space, including law enforcement wanting banks to plead guilty to a crime as a deterrent to the rest of the industry, the rising risks of informal and non-monetary orders later turning into massive penalties and the risk of a smaller fine turning into a head-turning penalty if examiners feel they were told lies or half-truths.
In wake of penalty, AML program improvements abound
The message of a bank needing to be transparent, truthful and forthright seems to be taking root at U.S. Bank.
The settlement “finalizes legacy matters involving our AML compliance program,” said U.S. Bank President and Chief Executive Andy Cecere, at the time, adding that the bank has “worked diligently over the past several years to make significant investments to improve and strengthen our AML controls, processes and staff.”
The bank has bolstered its AML program in several key ways, including:
- New leadership team running the Bank’s AML program since 2014 – many of whom are recognized as leaders in the industry and come from law enforcement backgrounds;
- A more transparent and frequent AML reporting and escalation process to the Board and executive management;
- A centralized, independent, enterprise-wide financial crimes compliance function;
- Improved AML controls and training for all customer-facing employees;
- Expanded transaction monitoring to identify potentially suspicious activity;
- AML compliance staff that has increased significantly; and
- Improved risk identification, oversight, and reporting functions.
Those improvements, however, are only so drastic because of the depths the program had fallen, with warnings upon warnings to top compliance decision makers going unheeded.
In its reasoning for the individual penalty, FinCEN stated that LaFontaine was “advised by two subordinates that believed the existing automated system was inadequate because caps were set to limit the number of alerts,” a move that has been a central pillar in prior formal AML actions and penalties against banks.
As well, the OCC “warned U.S. Bank on several occasions” that using numerical caps to limit the Bank’s monitoring programs based on the rather small size of its staff and available resources could result in a potential public enforcement action, and FinCEN had taken previous public actions against banks for the same activity in a number of occasions – meaning the issue was not a new one unknown to top industry professionals.
Moreover, FinCEN stated LaFontaine had gotten several internal warnings and failed to act quickly enough.
He received “internal memos from staff claiming that significant increases in SAR volumes, law enforcement inquiries, and closure recommendations, created a situation where the AML staff “’is stretched dangerously thin.’”
LaFontaine “failed to take sufficient action when presented with significant AML program deficiencies in the Bank’s SAR-monitoring system and the number of staff to fulfill the AML compliance role,” according to FinCEN, adding that the Bank had maintained “inappropriate alert caps” for at least five years.
Even as the bank makes it improvements, it can’t change history, with the failures hurting law enforcement’s ability to uncover and investigate potential financial crimes.
“Mr. LaFontaine was warned by his subordinates and by regulators that capping the number of alerts was dangerous and ill-advised,” said FinCEN Director Kenneth Blanco. “His actions prevented the proper filing of many, many SARs, which hindered law enforcement’s ability to fully combat crimes and protect people.”
On the whole, FinCEN “encourages technological innovations to help fight money laundering, but technology must be used properly.”