FinCEN, OCC penalize Gibraltar Bank $4 million for extensive AML deficiencies

The US Treasury Thursday issued a $4 million joint penalty against a Coral Gables-based bank linked to a billion-dollar Ponzi scheme for a host of “willful,” longstanding compliance deficiencies, including failures in monitoring and risk ranking customers, investigating alerts and filing more than 100 suspicious activity reports.

The Financial Crimes Enforcement Network (FinCEN) and the Office of the Comptroller of the Currency (OCC) issued the penalty against Gibraltar Private Bank and Trust for “substantial” anti-money laundering (AML) deficiencies dating back to 2008 and 2010, when the now defunct Office of Thrift Supervision, later absorbed by the OCC, issued a formal order against the institution.

The compliance gaps at the bank – from missing, non-existent or stale customer identification information, to a poorly tuned and never-validated transaction monitoring system, to failing to act on internal and external alerts tied to a potential fraudster – ultimately caused Gibraltar to not file at least 120 suspicious activity reports (SARs) involving nearly $558 million in transactions occurring between 2009 and 2013, according to FinCEN.

As well, the cumulative failings “unreasonably delayed” Gibraltar’s SAR reporting regarding accounts related to a $1.2 billion Ponzi scheme led by Florida attorney Scott Rothstein, who was convicted in 2010 and sentenced to 50 years in federal prison. In his scheme, he purportedly sold investments into fictitious sexual harassment settlements, but instead used the funds to support his own lavish lifestyle.

Also in 2010, the OCC issued a formal enforcement action against Gibraltar for broad compliance failings. As for the current action, the $4 million penalty is deemed satisfied by a $1.5 million payment to FinCEN and a $2.5 million payment to the OCC.

“We may never know how that scheme might have been disrupted had Gibraltar more rigorously complied with its obligations under the law,” FinCEN Director Jennifer Shasky Calvery said in a statement. “This bank’s failure to implement and maintain an effective AML program exposed its customers, its banking peers, and our financial system to significant abuse.”

The fallout from Rothstein’s massive Ponzi scheme, which he said was known to certain bank staff and actively supported by them, is still reverberating beyond the OCC order.

In depositions, he made accusations that key Gibraltar bank executives, including former Gibraltar Chief Executive Officer Steven Hayworth, were “in his pocket” after being showered with expensive gifts and cash bribe payments.

Attorneys for Hayworth last week stated he is suing Gibraltar for breach of contract, saying he was a “scapegoat” for Rothstein and is seeking $40 million in punitive and compensatory damages.

As well, the OCC in December penalized John Harris, a former senior vice president for Gibraltar, $75,000 for engaging in “unsafe and unsound” banking practices tied to “accounts for a customer who was later found to be operating an illegal Ponzi scheme,” while not directly mentioning Rothstein.

Gibraltar is a community bank headquartered in Coral Gables, Florida, that provides loan, deposit, and other financial services to high net-worth clients. As of December 31, 2015, Gibraltar had approximately $1.57 billion in total assets, with seven offices located in Florida and one office in New York.

Longstanding issues highlighted by examiners

The order notes that OCC examiners repeatedly told the bank about its compliance issues without seeing sufficient improvement, conducting four subsequent exams on Gibraltar from 2011 through 2014, and continually identifying “significant deficiencies” in Gibraltar’s BSA compliance program and customer due diligence and reporting functions.

In an interesting detail not found in most AML compliance enforcement actions, the bank negotiated a line that it only admits to “willfulness” as the term is defined in AML civil enforcement regulations.

FinCEN stated in the order that to establish that a financial institution or individual acted willfully, the government “need only show that the financial institution or individual acted with either reckless disregard or willful blindness.”

The government need not show that the entity or individual “had knowledge that the conduct violated the BSA, or that the entity or individual otherwise acted with an improper motive or bad purpose,” a line likely pushed for by the bank with the knowledge that lawsuits by duped investors are flourishing and have increasingly targeted banks, in many instances arguing that a weak AML program aided the fraud.

Transaction monitoring troubles

Gibraltar’s procedures for monitoring, detecting, and reporting suspicious activity were “ineffective,” according to FinCEN, primarily due to a software system and procedures that were “so flawed,” that they were systematically unable to identify and report transactions through numerous accounts even when they “exhibited indicia of money laundering or other suspicious activity.”

Case analysis of a breakdown in transaction monitoring and consequent SAR reporting at Gibraltar Bank:

  1. Gibraltar’s transaction monitoring system contained account opening information and customer risk profiles that were frequently incomplete, inaccurate, and lacked sufficient analysis and validation.
  2. The anticipated account activity for some customers often did not match the actual transaction activity.
  3. Due to this erroneous information, when the bank’s monitoring system generated alerts on certain customers, analysts in the BSA department could not determine when a change in those customers’ activities should have resulted in a change to those customers’ risk ratings.
  4. In addition, poor customer information and a lack of tuning and testing of the monitoring system resulted in the generation of an unmanageable number of alerts, including large numbers of false positives.
  5. The problems associated with the system were due to Gibraltar’s failure to adequately tailor the parameters and thresholds of the alerts generated by the system to match the high-risk activities it sought to identify and control.
  6. Also contributing to this deficiency was that prior to 2013, Gibraltar did not validate or independently test the system’s parameters and thresholds to reduce the number of false positive alerts the system generated.
  7. Significantly, OTS examiners first highlighted the inefficiency of Gibraltar’s monitoring system as early as 2010, but it was not fully rectified until mid-2014.
  8. Consequently, Gibraltar’s failure to accurately set, validate, and test the automated monitoring system left Gibraltar overwhelmed by the large volume of alerts, many of which yielded false positive results.
  9. Hampered by a large volume, Gibraltar’s BSA analysts were also unable to timely or adequately review or investigate all of the alerts. For example, from early August 2013 to late July 2014, Gibraltar failed to review and close or escalate nearly 60% of its monthly alerts in the 30 days prescribed by Gibraltar’s own BSA/AML policy.
  10. When Gibraltar did review alerts, there were numerous instances when Gibraltar closed alerts that should have been escalated. And, in those instances where alerts were escalated to investigations for potential SAR filings, 16 alerts, or 64% of the escalated reviews, took over 60 days to escalate for further investigation. Eleven of these reviews resulted in SAR filings.

‘Unreasonable amount of time’ taken on Rothstein SAR

The action also lists the compliance issues tied specifically to Rothstein’s scheme, including that Gibraltar’s AML officers, not named in the indictment, took two years investigating relationships and transactions tied to the disgraced schemer, which FinCEN states is an “unreasonable amount of time given the information the bank had.”

Nine months into the investigation, the AML officer also got two other suspicious activity referrals from other bank officers tied to Rothstein. Rothstein actively tried to evade financial crime compliance officers, in some cases bribing other bank staff to run interference for him. Gibraltar compliance staff didn’t file a SAR on him until his illicit activities “appeared in the media,” according to FinCEN.

FinCEN listed several key compliance collapses tied to risk assessments and to Rothstein in particular, including:

  • Gibraltar did not adequately risk rate its high net-worth private banking customers, like Scott Rothstein. As a result, the Bank applied insufficient scrutiny to his and related accounts, and missed the following significant red flags.
  • Rothstein used his account to conduct millions of dollars of intrabank and interbank funds transfers sent in large, round-dollar amounts. The continued movement of large round-dollar amounts within accounts at the same institution is red flag activity indicative of a Ponzi scheme.
  • The account also processed unexplained funds transfer activity and payments and receipts with no links to legitimate services provided. The Bank should have identified that this activity was not expected for the Rothstein accounts and, as unexpected activity, should have investigated it further.
  • A significant volume of highly suspicious transactional activity involved multiple Interest on Trust Accounts (“IOTAs”) controlled by Rothstein that did not match his customer information file. An IOTA is an account set up by an attorney to hold client funds received for future use, and cannot be used to support ongoing transaction activity. Had Gibraltar applied appropriate scrutiny to Rothstein’s accounts, it would have identified as suspicious Rothstein’s improper use of IOTAs to support his massive Ponzi scheme.

In addition, in 2011, Gibraltar’s customer risk profiles were generally “incomplete, stale, and lacking in sufficient analysis and validation. Some account files lacked sufficient supporting documentation to validate the risk profiles of the beneficial owners or authorized signers.”

Moreover, such files also were “generally missing descriptions regarding the source of funds, financial capacity, expected activity, and the purpose of the account,” all critical details to determine risk and monitoring protocols.

By failing to have complete and accurate information, Gibraltar “was unable to accurately risk rate such accounts either at account opening or when updating its account risk ratings,” according to FinCEN.

In sum, Gibraltar’s “transaction and suspicious activity monitoring deficiencies from 2008 through 2013, combined with its overall risk assessment and risk rating deficiencies, demonstrate Gibraltar’s continuous failure to maintain an anti-money laundering compliance program that adequately identified the risks posed by its products, services, customers, and its customers’ activities,” according to FinCEN.