By Brian Monroe
December 22, 2016
New York’s financial services regulator penalized the US branch of one of Italy’s largest banks $235 million for broad and longstanding failures in its financial crime compliance program, chiefly issues tied to the tracking, clearing and escalating of alerts from the automated transaction monitoring system.
The enforcement action by the New York Department State Department of Financial Services (NYDFS) against Banca Intesa Sanpaolo S.p.A. and its New York branch highlights a bevy of issues harped on by both state and federal authorities throughout 2016, and gives a glimpse of the regulatory focal points examiners will be emphasizing next year.
Examiners noted that due to wide-ranging human and systems failures, Banca Intesa gave some of the riskiest entities and regions of the world entry into the international financial system, including politically-exposed persons (PEPs), shell companies with murky and anonymous ownership structures and countries blacklisted by the United States, including Iran and Sudan.
The report further directed significant, individual criticism on the unnamed compliance officer at the helm at the time of the violations.
The person allowed and even fostered the whitewashing of alerts to improve “efficiency,” and left it up to junior staff to analyze and clear alerts without the documentation on decision-making or even an auditable trail, due in part to a separate case management system that required manual input of alerts, according to the DFS order.
The order is a further echoing of key issues brought up in recent orders, a familiar refrain spanning the entire spectrum of the anti-money laundering (AML) program, including the depth and accuracy of initial customer due diligence and related risk scoring, the original tuning of the transaction monitoring system, and any tinkering done later to improve the accuracy of alerts and lower false positives, and, lastly, the number and quality of suspicious activity reports (SARs).
At the same time, the action against Banca Intesa – which states that the compliance deficiencies spanned all the way back to the early 2000s and included a formal action – is another example, nigh a warning, of how a written order can turn into a monetary penalty if issues are not quickly and completely addressed to examiners’ satisfaction.
NYDFS examiners found that the bank’s compliance staff “utterly mismanaged its transaction monitoring system and repeatedly failed to properly identify suspicious transactions” until they were discovered by a new DFS-appointed independent consultant in 2014.
The regulator installed the consultant, who took over for a prior, unnamed firm, due to the branch having “serious issues” related to its overall AML program identified by examiners going back to 2002.
The bank was a target for regulators due to its size. It has $761 billion in assets globally and is one of the largest banks in Italy. In New York, it has $18 billion, but clears $4 trillion a year through the branch from correspondent relationships.
Minor monitoring typos lead to major snafus
The lengthy, detailed 31-page penalty order also gives insight into the errors that can occur in complex and highly technical AML automated transaction monitoring systems, including something as simple as a programmer adding an extra space to a word or accidentally requiring the system to search for “Russian Federation” instead of simply the word Russia.
The order will be required reading for AML officers in New York as it is a critical peek behind the curtain of what NYDFS examiners will be looking for in the new year. 2016 saw the advent of a new New York state law requiring transaction and sanctions filtering systems be reviewed and signed off on by either a top compliance officer or an institution’s board. It takes effect January 1.
The deficiencies at Banca Intesa “generally were attributable to a lack of robust governance, oversight and accountability at senior levels,” according to the order. “The department views effective transaction monitoring systems as an essential tool in the battle against illicit transactions and terrorist financing in this age of risk.”
In a bid to ensure any missed suspicious activities get a second look, Banca Intesa is required to engage in a lookback, or transaction review, of transactions from 2014 on both the AML and sanctions fronts from the federal and local vantage points. The independent consultant will perform an audit of those efforts and issue an audit report to DFS.
The penalty also keeps up the momentum of the agency’s hard-charging and sometimes controversial prior leader Ben Lawsky, who some believe at times strong-armed foreign banks into hefty penalties in the hundreds of millions of dollars by threatening to pull their banking license.
In a few AML and sanctions enforcement cases, Lawsky also front-ran his federal regulatory counterparts, leaving them looking less aggressive and lowering the penalty figures they could request from banks already under investigation.
New leader, but same enforcement momentum
Since being confirmed in June, NYDFS Superintendent Maria Vullo has led DFS enforcement actions for violations of AML laws against Mega Bank of Taiwan, which was fined $185 million and Agricultural Bank of China, which was fined $215 million.
“Global financial institutions must be the first line of defense in the war against international terrorism, cybercrime and tax evasion,” she said in a statement. “Effective and responsible transaction monitoring systems are an essential tool in the battle against illicit transactions and terrorist financing in this age of risk.”
The order uncovered major violations at the New York branch, including:
· Cavalier AML attitude: An Intesa compliance officer, when questioned about unauthorized clearing practices, said that transactions were being cleared in a manner outside of the Bank’s prescribed written procedures because it was more efficient. The bank’s AML system, he claimed, had generated a large number of “false positives.” The unauthorized process being used was acceptable, he said, because a risk-based policy meant (at least to him) that “if you miss one, you miss one.”
· Separate alert, case management systems: The Bank missed thousands of alerts generated by the automated system, which employs keywords and algorithms to identify suspicious transactions. The transaction is then supposed to be screened through a separate case management system so it can be reviewed in more detail. The alerts had to be manually entered into the second system.
· Falsity on false positives: In 2014 alone, approximately 41 percent of the alerts improperly closed through the unauthorized and ad hoc clearing process were not “false positives” but were proper alerts that required further investigation, of which some may have required further escalation.
· Left up to individuals: In another situation, the AML compliance officer in the New York branch left it to individual reviewers to decide for themselves how to review transactions based on what “works best” for them – against the Bank’s written guidelines and contrary to established industry practices.
· Sanctions stripping: Intesa specially trained certain employees to handle transactions involving Iran to obfuscate the money-processing activities so they could not be readily flagged as transactions tied to a sanctioned entity. From approximately 2002 to 2006 Intesa used opaque methods and practices to conduct more than 2,700 U.S. dollar clearing transactions, amounting to more than $11 billion, on behalf of Iranian clients and other entities possibly subject to U.S. economic sanctions.
History of compliance failures
Examiners stated the New York branch of Banca Intesa had compliance issues dating back to 2002 and more problems in 2005-2006, but from 2008-2012 dropped ties to some 5,400 clients to “remediate the compliance failures.”
The moves helped, but still resulted in a written agreement on AML in 2007 between the Federal Reserve and New York.
Between 2002 and 2006, the branch engaged in non-transparent methods tied to Iranian u-turn transactions, which were allowed under federal law, but became violations of New York books and records rules when information was changed, obfuscating data for regulatory review.
As a result of its compliance problems, Banca Intesa paid the U.S. Treasury’s Office of Foreign Assets Control $2.9 million in 2013 for stripping violations for dealing with blacklisted regimes Iran, Sudan and Cuba.
But it was the 2007 written agreement that directly led to the latest penalty.
As part of that order, the bank had to do a transaction lookback for the prior six months in 2006 due to its dealings with shell companies. Those results were given to New York and the Federal Reserve in 2009.
New York examiners then expanded the lookback in 2013 to look at transactions dating all the way back to 2005 and also do a broader review of the overall AML systems in place at the time. In tandem, a new consultant also took over in 2014.
And what the consultant found gave examiners more ammunition for a monetary penalty.
The consultant found issues for bank AML staffers getting alerts from the transaction monitoring system loaded into a separate case management system.
Analysts are supposed to document decision making for or against a filing a suspicious activity report (SAR). But because alerts were not automatically loaded from transaction system into the case management system, staffers had to manually load a spreadsheet into the case tracking system each month.
That lead to “more egregious” actions by branch staff in 2012 where the top AML officer decided to allow analysts to view and close alerts without ever putting them into the case management system.
That was done for thousands of alerts and for two months in 2014, no alerts were migrated into the management system. In 2014, some 10,000 alerts, or more than 90 percent of all alerts generated, were never loaded into the case management system. The missing alerts in 2014 represented nearly $17 billion in transactions.
The report also noted that with so much missed activity going on for so long, there was also a breakdown in the AML audit function, one of the core four prongs of the program.
An auditor found problems in 2014, which the person “notated in a quarterly report,” the issues were never escalated to get addressed and no changes were made for another two years until the second consultant took over.
In one of the more humorous episodes in the order, the transaction monitoring system spit out an alert tied to a potential PEP. But when an analyst reviewed the alert, the person found that the person was actually potentially linked to an organized crime group. Rather than filing a SAR or taking other investigative steps, the person simply cleared the alert and moved on. The reason? The subject was not a PEP.