Stickier enforcement actions call for greater collaboration, more formal sharing

Broader sharing of financial crime compliance program structures, policies and procedures among a larger universe of banks could lower the time and cost for institutions to extricate themselves from enforcement orders which regulators seem more reticent to remove in recent years, say compliance professionals.

Currently, though hundreds of banks share data on potential suspicious activities and individuals – an authority granted under Patriot Act Section 314(b) – only a handful of top compliance officials at large domestic banks routinely share information with each other on the proper framework of anti-money laundering (AML) compliance structures to glean which are, and are not, passing muster with examiners.

Chiefly, that is because these individuals, at institutions such as Bank of America, JPMorgan, Wells Fargo and Citigroup, know and trust each other on personal and professional levels, relationships solidified in the trenches of solving broader compliance challenges.

“There is nothing wrong with sharing, but at least between the big four banks, they typically only do it between each other because the top compliance people all know each other,” said an individual familiar with the matter.

“But if you go down to the next tier, these large banks typically won’t work on helping these institutions with their AML compliance program structures because they don’t know them as well, on a personal or professional basis,” said the person, who asked not to be named.

Going below that first tier of household-name banks, though, many larger and mid-size institutions can only access such a reservoir of senior level compliance knowledge by attending industry conferences and seminars and hoping to get the attention of panelists on stage or on cocktail breaks, to find solutions to their specific program problems.

Either that or engage expensive consultants, attorneys and vendors who have culled more comprehensive strategies from multiple banks, colleagues and regulators. Already, many savvy institutions are starting compliance committees consisting of staff from regional banks to share information on fraud and crime trends and structural compliance conundrums, though even in unison, their body of knowledge can be limited.

But if a larger spectrum of banks on a more wide-ranging basis had a more formal mechanism to compare notes – without fear of regulatory reprisal or bulging bill eating into compliance budgets – they could more holistically tackle common problems, access senior understanding and create best practices fostering compliance with both the letter and the spirit of the rules, say attorneys and compliance officers.

Such institutional partnerships could be a boon for institutions that have had expensive remediation engagements extended, had more nitpicky compliance monitors installed – an on-the-ground sentry giving more-immediate updates to government overseers and not swayed by a consultant-bank reimbursement dynamic – and suffered additional penalties for failing to adhere to a panoply of program-improvement deadlines.

Compliance engagements, and costs, extended

There currently is “nothing formal to share compliance structures on a broad basis” between a certain size of banks or a mechanism that spans national or international borders, said the person familiar with the matter, noting that the institution usually only coaches other banks due to their correspondent relationships and even then only in “certain instances” based on expected risks or perceived gaps.

That could be a problem for many institutions under enforcement orders going forward as anecdotal evidence points to regulators being more willing to extend compliance remediation requirements beyond the parameters of the original deferred prosecution agreement, monetary penalty or other formal action, mostly due to fears that banks could have missed something the first time around or may relapse if not micromanaged.

In December, the Justice Department decided to extend by three years the deferred prosecution agreement British bank Standard reached in 2012, in addition to tacking on the requirement to acquire a compliance monitor to shepherd the deal for that duration of time.

In public statements and court filings, federal investigators said the bank had not satisfied the requirements of the original agreement to improve the controls around screening for sanctions violations and, in fact, may have committed more infractions. The original agreement was slated to expire December 10, but now will be lengthened to Dec. 10, 2017.

The bank was accused of concealing some $250 billion in transactions tied to rogue regimes, including Iran, Sudan, Libya and Burma between 2001 and 2007. In August, the bank paid $300 million to the New York State Department of Financial Services, an amount in addition to $340 million paid in 2012, for failing to adequate correct compliance lapses.

In February of last year, remittance heavy weight Western Union announced that it was unable to meet a mid-2013 deadline, and several further extensions, related to a $94 million 2010 settlement with Arizona and three other border states for lax AML controls. As a result, it stated the agreement to bolster financial crime controls would be extended to 2017 and also calls for a compliance monitor.

One key reason why banks are finding it harder to pull away from enforcement actions is the increased use of the corporate compliance monitors, said Bruce Zagaris, an attorney at Berliner, Corcoran & Rowe LLP in Washington, D.C.

“They have become more common in these large settlements,” he said, which can more easily lead to longer engagements or even additional penalties because the individual “is in the bank, on the ground, giving updates to regulators and investigators. They have their nose under the tent.”

Moreover, monitors are charged with being more a representative of the government, and not the bank, similar to a consultancy, which in some cases has been swayed by the bank to water down findings to make the remediation less time-consuming, burdensome and costly, Zagaris said.

After regulatory knuckle-wrapping, standards rise

Much of the reticence behind regulators lifting regulatory orders across the board, particularly monetary penalties with aggressive remediation programs, dates back to July 2012, when legislators hauled global bank HSBC before Congress for financial crime failures, along with top officials from the Office of the Comptroller of the Currency (OCC) and the Federal Reserve, the top regulators of large banks and their holding companies.

The hearing before the Permanent Subcommittee on Investigations chastised the bank for allowing trillions of dollars in suspicious wire transfers, in many cases tied to drug trafficking networks, move with little scrutiny, while then heaping criticism on regulators for allowing the bank to carry dozens of ongoing matters requiring attention (MRAs) and matters requiring immediate attention (MRIAs) without fixing them individually or in totality.

HSBC in December of that year paid a then-record $1.9 billion penalty for the compliance failures and dealing with rogue regimes. The OCC as well instituted several policy changes, including making AML problems “pillar violations” that affect deposit insurance rates, being more willing to make informal actions formal and allowing fewer informal actions to be carried.

For enforcement actions, formal and informal, with penalties and without, “it is taking banks longer to get the orders lifted” from federal regulators or the Justice Department, in some cases adding several months and even years, according to a compliance officer at a large bank in the United States, citing direct knowledge of the trend and conversations with peers.

One of the reasons is that the “current expectations of regulators have ramped up and their exams are much more thorough,” said the person, who asked not to be named, adding that results in more time auditing and doing quality assurance on the new and updated processes to withstand future regulatory fusillades.

“They are also facing increased pressure to not allow repeat MRAs and MRIAs because they don’t want to be called out for that by congress,” said the individual. “As a result, they are much harder on you if they find a problem, and you say you will do x, y and z, and you only do x and y, they will come down on you like a ton of bricks.”

Large trade and compliance associations are trying to create stronger, more extensive networks to keep banks abreast of the latest challenges, solutions and upcoming regulatory agendas, and release best practices, policy perspectives and white papers, but they typically don’t support formal mentoring programs to devote resources to struggling institutions, the person said.

Creating some kind of broader association, though, apart from having to go to consultants and attorneys, could be a way for institutions to more effectively solve common problems and get a “better sense of what examiners are looking for,” the compliance officer said. “Regulators are sharing best practices among each other domestically, and, with foreign regulators. So why can’t banks?”

Sharing platforms already in place for suspected fraud, AML

As it stands now, several of the largest domestic financial institutions are already sharing vast amounts of data tied to fraud and other suspicious activities since 2010 through a mutually owned risk management platform called Early Warning.

At that time, Bank of America, BB&T, JPMorgan Chase and Wells Fargo formed the Scottsdale, AZ-based company to create a broader shared database of transactions to prevent fraudsters tied to a wide array of crimes, including credit and mortgage fraud, from trying scams at one bank, only to go across the proverbial street and try it at other institutions.

In September 2012, the US Treasury’s Financial Crimes Enforcement Network (FinCEN), which is also the nation’s financial intelligence unit (FIU), released an administrative ruling tied to Early Warning, stating the company can also share AML data because they were an “association of financial institutions” and thus protected under the provisions of Patriot Act Section 314(b).

The ruling enabled the banks to create a searchable database to determine whether other financial institutions had reported suspicious or unusual activity by their clients. The database expedited bank-to-bank data-sharing through 314(b), which can take weeks per information request. In mid-2011 the company confirmed that it was working to pool the data from 900 client banks.

In some cases, banks under enforcement actions have not been able to get out from under a formal action or penalty because they “had the idea that we paid our penalty so we are done,” said Robert Rowe, vice president and senior counsel for the American Bankers Association (ABA), an industry lobbying group.

“We were doing 65 and we paid the speeding ticket, now we can keep going 65,” he said, adding that some large banks have been hesitant to put additional spending into retooling the compliance program, which can be as much or more expensive than the penalty itself. “There is a minority that feels the penalty is a cost of doing business.”

What regulators want more than a whopping check is for institutions to “change their culture of compliance,” Rowe said, adding that in order to affect major changes, the “tone at the top” must be transmuted to make financial crime compliance a priority, something that can happen at a glacial pace and far slower than the formal regulatory order requires.

AML staff must have the ear of management to garner the resources and authority to make broad program improvements and meet the standards of the action while, at the same time, process the day-to-date alerts and keep pace with the behind-the-scenes, informal actions.

In terms of general program structures, senior compliance officers attempt to find ways to better highlight and capture suspicious information, document it, and get it into the hands of law enforcement and propagate such stratagems among their trusted peers or in receptive industry forums. They try to do that “all the time” at conferences, Rowe said, if the information is not proprietary.

“All of these compliance officers are facing common challenges, so if it’s not marketing a product, more collaboration can help them get an edge,” he said.