By Brian Monroe
August 25, 2016
New York’s state regulator penalized a Taiwanese bank $180 million for broad financial crime compliance failures in many of the riskiest areas of banking, including transactions through affiliate and foreign correspondent portals, international trade, and reporting on suspicious activity.
The consent order by the New York State Department of Financial Services (NYDFS) issued this week against Mega Bank also echoes familiar themes from prior state and federal anti-money laundering (AML) enforcement orders, from affiliate oversight and proper risk ranking, to responses to negative news trends, to the authority, independence and expertise of compliance officers.
The action also brings some clarity to a question on the minds of compliance officers with banking operations in New York: What will be the enforcement philosophy of new Superintendent Maria Vullo, who took over for hard-charging and sometimes off-putting Ben Lawsky? The answer seems to be that she is keeping AML enforcement a priority and won’t shy away from high-profile penalties.
The 23-page enforcement order gives a glimpse into what examiners expect to see when it comes to dealings with Panama, its trade sector or law firm Mossack Fonseca. It also yields additional guidance and granularity on the depth of scrutiny around a recently-finalized state law on transaction monitoring and sanctions screening systems formally taking effect in January.
The New York regulations require state-chartered institutions to submit an annual board resolution or senior officer compliance finding confirming steps taken to ascertain compliance with the regulation. The new law goes beyond federal AML rules and details more concrete, prescriptive requirements around validating the data flowing through monitoring systems, which can be one of the most technical and arcane areas of compliance.
Correspondent ties at heart of penalty
Mega Bank is a major international financial institution with approximately $103 billion in assets, including $9 billion at its New York branch.
The NYDFS centered much of it criticism on Mega Bank’s intersections with Mossack Fonseca, the now infamous law firm at the heart of the Panama Papers scandal, the largest data leak in history revealing how the rich, famous, politically-connected and criminally-inclined used shell companies and opaque ownership structures to shield all manner of assets.
The action touches on several regulatory flashpoint issues that have become a higher priority in recent years that center on what foreign funds are coming into and out of the United States, according to Ross Delston, a Washington, D.C.-based AML compliance consultant.
“Correspondent banking relationships with affiliates is a hot button for the DFS and has been an issue in virtually every major consent order,” he said.
But a key issue is that many banks “licensed in New York hold their affiliates to a lesser standard than non-affiliated correspondents. What DFS is saying, and the FFIEC says, is that all correspondents must be treated the same and all of them should get enhanced due diligence,” Delston said.
The company apparently acknowledged the penalty in a Chinese statement posted to its website, but there was no corresponding English-language comment, according to the Wall Street Journal.
Reuters reported that the bank’s president offered to leave his post over the issues, but the chairman asked him to stay. A vice president quoted by Bloomberg on Monday stated the bank isn’t involved in laundering illicit funds, and that the institution is committed to bolstering its compliance system, according to the Journal.
In the wake of the DFS penalty, Taiwanese media reports said regulators are asking banks to tighten controls over their overseas operations. Reports on Monday said Taiwan’s government will investigate Mega Bank to see if any crimes were committed, according to the Journal.
Head office ‘indifferent’ to risks in Panama
The state regulator also noted key gaps between the bank’s home office and New York branch, stating that, “the bank’s head office was indifferent toward risks associated with transactions involving Panama, recognized as a high-risk jurisdiction for money-laundering.”
Mega Bank has a branch in Panama City and another in Panama’s Colon Free Trade Zone, but the bank did not adequately update risk-ranking of those regions or tweak and tune the transaction monitoring system to better scrutinize funds flowing through those locales.
A free-trade zone in Panama, a region already at a higher risk for money laundering and trade-based money laundering, makes the cumulative score “ultra high-risk,” Delston said, particularly in light of the Panama Papers scandal, which has prompted investigations the world over and a corresponding ripple to banks, nudging them to update surveillance and risk rankings in the region.
The regulator’s investigation, “identified a number of suspicious transactions running between Mega Bank’s New York and Panama Branches,” according to the order.
The investigation also determined that a “substantial number of customer entities, which have or had accounts at several other Mega Bank branches, were apparently formed with the assistance of the Mossack Fonseca law firm in Panama.”
“DFS will not tolerate the flagrant disregard of anti-money laundering laws and will take decisive and tough action against any institution that fails to have compliance programs in place to prevent illicit transactions,” Vullo said in a statement, stating that Mega Bank’s failings suggested a “fundamental lack of understanding of the need for a vigorous compliance infrastructure.”
Lack of qualified staff compounds issues
Part and parcel of these issues, according to the state regulator, is that the AML officer for the New York branch, who was based at the bank’s Taiwan headquarters, and the branch’s chief compliance officer “both lacked familiarity with U.S. regulatory requirements.”
“Compliance staff at both the head office and branch failed to periodically review surveillance monitoring filter criteria designed to detect suspicious transactions,” according to DFS. Also, numerous documents relied upon in transaction monitoring were not translated to English from Chinese, creating problems for regulators and staff who didn’t speak Chinese.
The New York branch procedures provided “virtually no guidance concerning the reporting of continuing suspicious activities; had inconsistent compliance policies; and failed to determine whether foreign affiliates had in place adequate AML controls.”
Overall, “what the examiners found was extremely troubling,” according to the order.
The order also hit upon other state and federal regulatory focal points, including the “degree to which the bank is engaging in adequate customer due diligence (CDD) and the onboarding of corporations and legal entities, specifically whether beneficial ownership information is being adequately documented,” Delston said.
Dismissive response, forceful reaction
The order also detailed a rare occurrence in AML enforcement orders at any level in that the bank actually pushed back against the DFS on certain regulatory findings and tried to lecture examiners on US AML laws, with not very satisfactory results.
In a March response to a February exam, the bank “refuted certain regulatory findings, according to the order. The bank stated that because it didn’t believe guidance was available on a certain suspicious activity then the activity wasn’t suspicious. ‘This is a complete misstatement of established BSA Law,’” the regulator responded.
As a result of the regulatory dust-up, the bank “did not act quickly to remedy the acute shortcomings. Despite communications between the department and the New York branch in Spring 2016, the bank has not taken sufficient steps to demonstrate material improvement in the quality of its compliance program.”
The engagement with the New York regulator likely could have been less acrimonious if Mega Bank hadn’t had such a “dismissive response” to regulatory inquiries, Delston said.
“That is the linchpin of the whole action,” he said. “That is egregious on a number of levels. First, you don’t argue with your regulator any more than you would argue with the cop who stops you for going through the red light.”
When a bank isn’t forthright with a regulator, or worse, combative, it gives the impression to examiners the bank is trying to hide something.
“When a bank does that to a banking regulator, whether state or federal, they are painting a target on a red flag stitched to their back that any regulator would attack,” Delston said. “What that means is whereas without that kind of reaction there might have been an attempt to compromise by DFS or at least the possibility to compromise. But with that reaction and response, the regulator will sharpen their scrutiny to the point of extreme pain.”
The dynamic begs the question: why would a bank treat its regulator that way?
The potential answer, according to Delston, is that is how the bank treats its regulator in its home jurisdiction. “It’s common to see overly timid banking regulators in foreign jurisdictions,” he said. “They just don’t have the same authority U.S. regulators have.”
That kind of thing, however, would be a mistake in New York, which has threatened to yank bank licenses to operate in the state for financial crime compliance failings.
“The bank should have realized it didn’t have home court advantage anymore,” Delston said, adding that the severity of the AML failings and degree of red flags missed in the enforcement action gave the bank little leverage to push back against examiner findings.
Mega Bank must comply quickly and completely with the order, as the NYDFS is appointing a monitor to shepherd the remediation engagement for two years, and report on any new issues taking too long to correct directly to the regulator. The institution is also mandated to conduct a transactional lookback to find any missed suspicious activity or unreported ties to blacklisted entities and regimes.
‘Serious deficiencies’ in monitoring, independence
The inability to identify red flags, particularly tied to clearly suspicious activity, also extended to the bank’s monitoring systems, what some consider the heart of an AML program.
The DFS’ examination also “uncovered serious deficiencies in the New York branch’s transaction monitoring systems and policies,” according to the order.
For example, compliance personnel – either at the branch level or the head office – “failed to periodically review surveillance monitoring filter criteria, required to evaluate the appropriateness of filter criteria and thresholds.”
Moreover, for a number of the criteria or key words purportedly used to detect suspicious transactions, branch management was “unable to explain the validation process or justification of the selection of the criteria being used,” according to the order.
The examiners also found that the compliance structure at the bank was “significantly flawed because the compliance and operational functions were co-mingled as a result of the dual conflicting responsibilities of certain compliance personnel.”
The chief compliance officer (CCO) had “conflicted interests because she had key business and operational responsibilities, along with her compliance role,” according to the order, noting that lower rank staff also suffered from training, procedural and system challenges, along with being hampered by a language barrier.
For example, the order states, the branch’s vice president and deputy general manager also served as the branch’s CCO.
That was an issue because the CCO “provided support to all branch operations” including its funding division, the business division, the correspondent banking division, the loan division and also served as Information Technology security officer.
Thus, the New York CCO “devoted insufficient time and effort to important compliance responsibilities and, in any event, was conflicted in these responsibilities, since the CCO had a key business and operational role along with the compliance role,” according to the regulator.
The DFS examination uncovered that Mega Bank’s compliance program “was a hollow shell, and this consent order is necessary to ensure future compliance,” Vullo said.
The order also cements Vullo’s reputation as a leader who will not tolerate banks shirking their AML duties, Delston said.
“There is a new sheriff and there was a question about whether the aggressive enforcement actions under Lawsky would continue,” he said. “That question has been laid to rest.”