Gotham’s banking regulator Wednesday penalized the New York branch of the largest and oldest bank in the United Arab Emirates $40 million for a host of financial crime compliance deficiencies, including lax oversight of dollar clearing portals for high-risk countries, monitoring and reporting on suspicious activity and policies for dealing with rogue regimes.

The New York State Department of Financial Services (NYDFS), which worked in concert with the Federal Reserve, also required that Dubai-based Mashreqbank hire an outside consultant to engage in a transactional lookback to find any missed instances of aberrant activity during a six-month period in mid-2016.

“Mashreqbank failed to fully comply with critical New York and federal banking laws aimed at combating international money laundering, terrorist financing and other related threats by failing to provide adequate oversight of transactions by customers in high-risk regions,” said Superintendent Maria Vullo in a statement. To read the full action, click here.

Mashreq is an international bank with more than 70 branches and assets totaling more than $34 billion. The bank, including a predecessor, has operated in New York since 1989 and currently has assets of $1.1 billion.

The penalty continues a trend of federal and New York regulators focusing on foreign banks with operations in the United States that also have sprawling correspondent banking networks – particularly those with connections to banks in regions to be at a higher risk for money laundering, corruption or terror finance.

For instance, Mashreq’s New York branch offers correspondent banking and trade finance services and provides U.S. dollar clearing services to clients located in Southeast Asia, the Middle East and Northern Africa – regions that “present a high risk in connection with financial transactions,” according to the NYDFS.

The weak AML oversight of these portals was magnified due to the financial throughput through these arenas. The branch engaged in a substantial amount of U.S. dollar clearing activity for foreign customers in high risk jurisdictions – with some components of the program still processing alerts manually.

For example, in 2016, the branch cleared more than 1.2 million U.S. Dollar transactions with an aggregate value of over $367 billion. In 2017, the branch cleared more than one million U.S. Dollar transactions with an aggregate value exceeding $350 billion.

In the settlement documents, NYDFS examiners noticed a sharp decline in AML and OFAC program performance between 2014 and 2016, going from “satisfactory” to overall abysmal scores in just two years. OFAC refers to the U.S. Treasury’s Office of Foreign Assets Control, which administers the country’s sanctions programs.

But some lines in the order had compliance analysts chafing, including this one: “A bank’s programs should improve sufficiently over time as the institution receives the benefit of the guidance provided by the examiners and works to implement-solutions to issues uncovered during examinations.”

“So, the expectation isn’t that you’re simply addressing audit and exam issues, but you’re going beyond those issues and enhancing your program,” said the former top compliance officer at a large U.S. bank. “So, if your program failed to clear a 6′ bar last year, you’ll be expected to clear a 7′ bar next year?”

Compliance program ‘lacked detail, nuance or complexity’

At the time of the 2016 Examination, the branch’s BSA/AML and OFAC policies “lacked detail, nuance or complexity, doing little more than citing standard language from applicable regulations,” according to the settlement.

Though the branch had “commenced increasing its compliance staffing levels and had applied an interim transaction monitoring solution, it had not yet implemented a sufficiently well-designed system,” the NYDFS stated in the penalty documents.

“Shortcomings included failing to make appropriate use of relevant information in Know Your Customer (KYC) files, including documentation detailing the customer’s line of business and anticipated activity,” which are typically key metrics woven into AML risk assessments, with final figures then sensitizing the transaction monitoring system.

Examiners also noted that even with more staffing, AML analysts were absolutely overwhelmed by alert volumes, leading to increasingly longer lag times to even review or disposition alerts.

“At the time of the 2016 Examination, the New York Branch had accumulated a three-month backlog in its generation of any transaction monitoring alerts,” according to DFS.

Deluge of alerts overwhelmed AML staff

With some 1,500 to 1,600 alerts typically generated per month during that period, the “gap between the generation of alerts and their subsequent review presented a compliance risk to Mashreq, and potentially increased risks to other financial institutions with which it conducted business.”

The rising tide of alerts surged to roughly 2,000 a month as 2017 waned – with only one reviewer doing both the first and second-line reviewers of the same alert, defeating the purpose of a second pair of eyes as a backstop as it was the same reviewer.

The decline, even after formal chastising from examiners, continued into late 2017, where both DFS and Federal Reserve examiners “found that records regarding specific alerts and dispositions continued to lack detailed information, making it difficult for examiners to assess the adequacy of investigations conducted by compliance staff. Rationales for closing alerts also failed to include essential information.”

Poor decision-making, escalation, documentation

Examiners continued to find faults across both AML and sanctions related to the number of analysts reviewing transaction alerts and sanctions hits, additional backstops to review decisions made were proper and escalated and that those findings and decisions were adequately documented and recorded.

“The branch maintained inadequate documentation concerning its dispositions of OFAC alerts and cases, with branch compliance staff failing to properly substantiate its rationales for waiving specific alerts and cases,” according to the action, adding that the New York issues were further compounded by a disconnect between the branch and the head office, leading to a third-party auditor in 2017 also failing to highlight areas needed for improvement.

The issues in the NYDFS documents have caused some compliance professionals to wonder what are adequate regulatory expectations for AML alerts and OFAC sanctions hits.

Do federal and state regulators expect “real-time transaction OFAC screening alerts, which would of course, require a second reviewer to ensure the pending transactions will not violate U.S. sanctions?” wondered the compliance professional.

“Isn’t it sufficient for financial institutions to conduct a monthly quality assurance review for accuracy and adherence to procedural standards on ten (10) to fifteen (15) percent of the remediated alerts?”

Head office can’t head off off the reservation reviewers

As well, typically, a head office should have to engage in rigorous oversight of a third-party consultant in New York and act as an auditor’s, in essence, second line of defense – as that is what the auditor is supposed to be doing for branch, said the person, noted that if an external reviewer missed something, that failure should also in part be borne by their employer.

But the penalty figure and potential remediation costs – typically estimated to be more than 10 times the actual fine – could have been far worse without the bank’s quick and complete commitment to clean up shop.

The regulator acknowledged that Mashreqbank exhibited “laudable conduct” in not quibbling about the penalty and engaged in “strong cooperation in this matter, including demonstrating a commitment to remediating the shortcomings identified, and to building an effective and sustainable BSA/AML and OFAC compliance infrastructure.”