In today’s ACFCS Fincrime Briefing, OCC levies rare fine, lifetime bar against former Rabobank general counsel for concealing AML report, regulators issue joint statement on their approach to risk-based exams, Equifax’s $700 million breach settlement, and more.

Please enjoy this unlocked story, part of the many benefits of being an ACFCS member.

Want to talk about industry trends, story ideas or get published? Feel free to reach out to ACFCS Vice President of Content Brian Monroe at the email address above. Now, on to more sweet sweet content!

OCC penalizes former Rabobank General Counsel $50,000, levies career bar for concealing AML report

A top federal banking regulator has levied a rare financial crime compliance penalty and severe censure against an individual, a $50,000 fine and career ban against a former top official for one of the Netherlands’ largest banks for concealing the adverse findings in a third-party anti-money laundering report.

The U.S. Treasury’s Office of the Comptroller of the Currency (OCC) Tuesday released the issuance of a consent order of prohibition and $50,000 civil money penalty against Daniel Weiss, the former General Counsel of Roseville, Calif.-based Rabobank, N.A., part of the banking group headquartered in the Netherlands.

The consent order prohibits Weiss from “participating in the affairs of any federally insured depository institution” for violations of law and unsafe or unsound practices alleged in a notice of charges issued in March.

The charges in the notice are serious, stating that a top official over anti-money laundering (AML) compliance actively attempting to obfuscate the negative findings in a third-party consultants’ compliance report.

The notice alleges that Weiss participated in the “continuous concealment” of a third-party report assessing the Bank’s Bank Secrecy Act program from the OCC in violation of 12 USC 481 and made false statements to the OCC in violation of 18 USC 1001.

On February 2018, Rabobank pled guilty to conspiracy to obstruct an OCC examination and agreed to pay a forfeiture of nearly $370 million, with $50 million carved out to the OCC.

In the 2018 settlement, the U.S. Department of Justice (DOJ) and OCC chastised Rabobank for failures across the entire AML program from 2009 to 2012, including risk ranking, monitoring and reporting on high-risk customers, including Mexican entities potentially tied to drug cartels.

“When Rabobank learned that substantial numbers of its customers’ transactions were indicative of international narcotics trafficking, organized crime, and money laundering activities, it chose to look the other way and to cover up deficiencies” in AML program, said Acting Assistant Attorney General John Cronan at the time. “Worse still, Rabobank took steps to obstruct an examination by its regulator into those same deficiencies.  

To read the prior DOJ action, click here and the OCC action here.  

The action in early 2018 reflected on broader trends in the AML space, including law enforcement wanting banks to plead guilty to a crime as a deterrent to the rest of the industry, the rising risks of informal and non-monetary orders later turning into massive penalties and the risk of a smaller fine turning into a head-turning penalty if examiners feel they were told lies or half-truths.

In all, the bank allowed hundreds of millions of dollars – whether wires, checks or hefty cash deposits just below reporting thresholds, structuring – to flow to and from Mexico, just as laws were changing in that country to restrict deposits of U.S. dollars.

Rabobank took full advantage, according to the Justice Department, with its branch closest to the Mexican border winning awards for growing revenues as a hub for Mexican businesses to deposit cash and engage in an array of international transactions, (via the OCC). To read ACFCS coverage of the Rabobank 2018 penalty, click here.

DOJ and OCC handing down penalties against individuals in large scale AML failures and penalties – particularly against AML officers or legal counsels – is exceedingly rare.

It sends a general chill to compliance professionals as they more apprehensively feel the encroaching specter of individual liability over their collective shoulders, a fear that has caused some longtime AML thought leaders to leave their banking posts entirely for the safer environs of consultancies.

One of the most high-profile cases occurred against MoneyGram, where FinCEN penalized a former top AML officer, threatening a million-dollar fine and lifetime debarment in 2014. The officer, Thomas Haider, fought the charges and later settled in mid-2017 in a controversial and widely-watched case, eventually paying $250,000 and agreeing to a three-year work ban.

In the case of Rabobank, penalty documents cited a triumvirate of executives running interference to stymie examiners and bury or alter a negative AML audit report.

The investigation cites that the three unnamed executives resisted examiner requests from the OCC for documents and reviews and, later, used their authority to strong arm a consultant brought in to remediate, telling examiners the person failed to create a final report, though one was available in draft form.

And in one instance, where one executive started to voice concerns about the AML program, a diatribe that occurred as the OCC threatened a formal action, other bank management shunned the person and later fired them, according to DOJ.

The cover-up included deleting, delaying and changing negative findings in the consultant’s report to further obfuscate the true threadbare status of the AML program.

Rabobank’s guilty plea in February of last year came less than two months after a former Rabobank vice president, George Martin, who was also a top AML staffer, entered into a deferred prosecution agreement with the United States for his role in aiding and abetting Rabobank’s failure to maintain an AML program.

Martin admitted his role in the failures in federal court in San Diego on Dec. 14, 2017. As part of its guilty plea, Rabobank agreed to cooperate with the United States’ continuing investigation.

Bottom line: these individual penalties and sanctions will likely make these former high ranking AML professionals radioactive, resulting in an uncertain future in a field and career now off limits – a cautionary tale that could cause a mass exodus of fincrime compliance talent fearing a similar dark fate.

Federal examiners should be assessing individual institution risks, allocating resources accordingly, just as banks risk rank customers, employ mitigating controls: joint statement

Federal bank examiners should be, in what is tantamount to a turnabout, following the practices of the banks they review when ranking risk and allocating resources accordingly, according to a curious joint statement by the top federal banking and credit union regulators, along with the government body setting domestic financial crime compliance standards.

The U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN), the Office of the Comptroller of the Currency (OCC), the National Credit Union Administration (NCUA), and other bank regulatory bodies issued the diminutive, three-page missive that appears to exhort examiners to be more nitpicky with the banks the choose to examiner, rigor involved in reviewing those institutions and the overall time spent at low, medium and higher-risk banks.

The advisory occurs in an overall context where federal regulators and investigators are nudging banks to bolster efficiency and effectiveness to better identify, detect, prevent and report on potential large scale financial crimes that could be touching their institutions – rather than simply finding and filing on any aberrant transaction to defensively outwit examiners.

In two advisories at the tale end of last year, these same cadre of cohorts gave their blessing to smaller banks and credit unions pooling anti-money laundering (AML) compliance resources to improve insight into complex crimes that could be missed at individual institutions due to a lack of access to expensive systems, expertise or overall resources and urged banks of all sizes to innovate.

The latter statement was a clarion call for banks broadly to break out of the stricture of current paradigms, where institutions can collectively conclude, “well, my regulator hasn’t dinged my AML program yet, so why change anything?”

In the latest advisory, the agencies are quick to point out that they are attempting to hold themselves to the same high standards they put before their charges, noting the statement is “intended to improve transparency into the risk-focused approach used for planning and performing BSA/AML exams,” (via FinCEN).

The joint statement also “does not establish new requirements,” even though it touches on past comments about dicey current industry flashpoints, like de-risking and the potential pitfalls of when institutions fully follow a “risk-based approach,” including that examiners filet you over the low-risk population you ignored.

The statement, however, did hold some nuggets buried in its footnotes, according to longtime compliance thought leader Jim Richards, the former top AML officer at Wells Fargo, with a statement that is “very complex and confusing,” he wrote.

The statement in question: “Bank directors provide guidance regarding acceptable risk exposure levels and corresponding policies while management implements policies, procedures, and practices that translate the board’s goals, objectives, and risk limits into prudent operating standards.”

He asks a question that brings into relief a critical, easily missed nuance.

“Are bank directors simply providing guidance regarding risk limits and policies (and procedures and practices) that are established and implemented by management?” according to Richards. “Or are bank directors setting the goals, objectives, and risk limits, which are then translated into prudent operating standards (policies, procedures, and practices) by management?

The begs a further query: “Should the phrase ‘the board’s goals, objectives, and risk limits’ actually be ‘the board-approved goals, objectives, and risk limits?’”

The line of questioning is informed by dozens of enforcement actions in recent years faulting the board for a lack of involvement in AML programs as they were formed and run, leading regulators calling on some institutions to get financial crime compliance approvals directly from the board, top management and higher executives in a quest for accountability.

One commenter on social media agreed: “Directors must set the framework for the Compliance function – in my book that includes the risk policy.”

StanChart whistle-blower says U.S. missed billions in trade tied to Iran, supported terror groups

Standard Chartered Plc’s transactions with Iran were worth tens of billions of dollars more than previously known, a whistle-blower said in a lawsuit claiming the British bank actively pursued Iranian business in violation of U.S. sanctions.

The whistle-blower, a bank executive who isn’t named in court papers, was the bank’s global head of transaction banking and foreign exchange sales. He and another plaintiff — described only as an American currency trader — say StanChart handled more than $56 billion in transactions from 2009 to 2014, compared with $240 million cited by the Justice Department between 2007 and 2011 in an April settlement with the bank.

StanChart’s illicit trade with Iran has cost it more than $1.7 billion in penalties from prosecutions in 2012 and 2019 by the Justice Department and regulators. The whistle-blower claims the bank’s wrongdoing was more extensive than the U.S. alleged and seeks an order forcing it to pay an unspecified additional sum to the government.

The illicit transactions enabled Iran to aid U.S. adversaries, the plaintiffs claim.

“Beneath the green eye-shade complexity and deception of the international financial transactions involved in this case, the unavoidable fact is that [StanChart] used its resources to help terrorists kill and wound American, British, and other Coalition military personnel and thousands of innocent civilians,” they say in a complaint filed Thursday in Manhattan federal court.

The bank dismissed the lawsuit as “baseless,” noting that the U.S. chose not to join the whistle-blower lawsuit. “The U.S. authorities have been aware of these claims for several years and have not seen fit to join this suit or include the claims as part of our resolution of historical sanctions compliance issues,” it said in a statement.

The lawsuit opens a window on a seven-year saga in which the StanChart executive secretly aided U.S. prosecutors and regulators.

Just a week after the first settlements between the bank and U.S. authorities in 2012, the executives filed a sealed whistle-blower case and met with authorities to further develop their investigation, according to the complaint.

That settlement covered $250 billion in transactions for the years from 2001 to 2007, but the whistle-blower says the true number was closer to $280 billion.

The prior U.S. enforcement cases focused on Standard Chartered’s method of “stripping” identifying Iranian information from payment messages. The suit claims the bank used other methods to process –- and hide -– Iranian business.

Iranian clients were allowed to conduct transactions through a currency trading platform that was designed not to maintain records of illegal transactions, Iranian transactions were parked in so-called sundry accounts where they would remain undetected, and Iranian accounts were placed under another business unit to conceal their existence, according to the complaint, (via Bloomberg).

This case reveals yet aftershock of AML and sanctions actions apart from formally negotiated federal settlements – lawsuits from private entities, in this case a whistleblower. Other lawsuits have been started in similar instances by jaded investors when stock drops after penalties, relatives and victims of terror attacks and narco cartels.

And remember, OFAC has a strict liability standard. Even if DOJ has declined to start an investigation anew, if OFAC finds that there have been historical sanctions violations not identified in the settlement, they can likely still bring a penalty – barring the statute of limitations.

In certain cases DOJ has forced institutions to sign tolling agreements to let investigators engage in a deep enough investigation in response for mercy at the negotiating table later.

It’s also not out of the realm of possibility for banks to be settling a penalty in one part of the institution, but pockets of non-compliance fester in other, more far-flung regions – necessitating a potentially second and larger fine. Only time will tell if any of these prognostications will come to pass.

Equifax to pay up to $700 million to federal authorities, states for 2017 data breach involving millions of victims

Beleaguered credit-reporting bureau, Equifax, will pay as much as $700 million to a host of federal agencies and most of the states in a massive settlement tied to the disastrous 2017 data breach that exposed the sensitive personal data, including Social Security numbers, of some 150 million victims in this country.

The proposed settlement with the Consumer Financial Protection Bureau, the Federal Trade Commission (FTC), and 48 states, the District of Columbia and Puerto Rico, if approved by the court, would provide up to $425 million in financial relief to affected consumers, require Equifax to pay a $100 million civil money penalty, and offer other relief.

In September of 2017, Equifax, a nationwide credit reporting company headquartered in Atlanta, Georgia, announced that a data breach at the company resulted in the exposure of approximately 147 million U.S. consumers’ sensitive personal information, including names, addresses, social security numbers, and dates of birth.

To read ACFCS coverage of the original Equifax data breach, click here.

The Bureau alleges in its Complaint that Equifax violated the law in several ways through its conduct both before and after the breach.

Specifically, the Bureau alleges, Equifax engaged in “unfair and deceptive practices” in violation of the Consumer Financial Protection Act of 2010 by:

• – Failing to provide reasonable security for the massive quantities of sensitive personal information stored within its computer network, causing substantial injury to consumers whose data was stolen;
• – Deceiving consumers about the strength of its data security program in its privacy policies; and
• – Engaging in acts and practices that caused additional harm or risk of harm to consumers in response to the breach.

As part of the settlement and in a bid to prevent a future fracas, Equifax also must make “significant improvements to its data security practices and would be subject to ongoing oversight by regulators.”

On that end, the agency is reportedly spending more than $1 billion to buttress its cyber defenses, resilience and recovery procedures across the board by upgrading systems, improving disaster response procedures and engaging in broader and more aggressive training to counter the human element, the culprit in 90 percent of successful cyber breaches, (via the CFPB).

In targeting Equifax – part of the three main credit reporting bureaus – the hacking group snared data on 143 million people, including names, Social Security numbers, birth dates, addresses and in some cases, driver’s license numbers, more than enough to create fake identities or bust into current ones.

For a bit of context, the entire population of the United States is 323 million.

The unknown group also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people, including some residents of Canada and the United Kingdom, according to the company.

Sobering figures indeed, with some experts saying nearly everyone in this country should be worried about stolen credit and debit card accounts, or individuals attempting to run up massive loans in their name, for the rest of their lives.

In tandem, banks face new challenges to protect customers and protect themselves in the wake of such a burgeoning breach.

So here are some tips for consumers to consider to better safeguard their financial future, along with important ways banks can better help shield clients and, most importantly, be cognizant of new vulnerabilities and attack vectors potentially coming in the future – including targeted spear phishing attacks trying to dupe top leadership and impersonate cyber defenders.

For consumers to protect themselves:

• Find out if your information was exposed. Visit the Equifax Security site (http://www.equifaxsecurity2017.com/) and click on the “Potential Impact” tab and enter your last name and the last six digits of your Social Security number.
• Your Social Security number is sensitive information, so make sure you’re on a secure computer and an encrypted network connection any time you enter it. The site will tell you if you’ve been affected by this breach.

For banks to help protect consumers:

• Consider sending an email to all clients letting them know about the breach and how to protect themselves. In the email, ask clients to see if their information was compromised by checking on the Equifax site, and, if so, raise the financial crime risk score of those customers to better tune monitoring systems.

For banks to help protect themselves:

• Banks should consider either sending a companywide email, or doing live training, for staff at all levels to be more aware, and thoughtful, about any unknown emails that seem to be coming from customers, third-party vendors, staffers or even top leadership and IT professionals as they may actually be from fraudsters. To read the full ACFCS sidebar on the Equifax breach for more tips, click here.