An appellate court this week has ruled for a federal regulator and against a state bank in California that argued its examiner was not impartial when the agency levied a formal order and that the regulations requiring financial crime compliance programs are unworkably vague.
The Ninth Circuit Court of Appeals this week affirmed a cease-and-desist order requiring San Francisco-based California Pacific Bank to comply with anti-money laundering (AML) rules, rejecting the bank’s protestations arguing that the regulations are unconstitutionally vague and the federal regulator at the helm, in this case, the Federal Deposit Insurance Corp. (FDIC), had a biased examination process.
In the 35-page ruling, a three-judge panel found there was more than enough evidence to support an administrative law judge’s earlier finding that the financial institution had lax AML internal controls, an inexperienced compliance officer, weak training for staff and deficient independent testing, and as a result failed to comply with related program rules.
The FDIC had originally planned to issue a consent order to improve the AML program in 2012, but later issued a more stern “cease-and-desist” order, which got the backing and support of the administrative law judge, noting that California Pacific had extensive failures in every one of the four pillars of its AML program, including failing to file a suspicious activity report (SAR) in the face of clearly criminal activity.
Officials at California Pacific appealed the order on a bevy of grounds, including that the guidance cited in the AML interagency exam manual by the FDIC did not have the force of law and thus can’t be used to find fault with the bank’s compliance program.
“The Bank advances two constitutional challenges,” according to the appellate ruling. “The Bank first challenges that the BSA and its implementing regulations are unconstitutionally vague. The Bank’s second constitutional challenge is that the FDIC conducted a biased investigation that violated the Bank’s due process rights.”
But after extensive analyses, the judges ruled against the bank on every point.
“We hold that the BSA and its implementing regulations are not unconstitutionally vague, and the FDIC did not exhibit unconstitutional bias against the Bank,” according to the appellate ruling. “
“We further hold that the FDIC acted in accordance with the law by relying on the [AML interagency exam manual] to clarify its four pillars regulation. The FDIC Board’s decisions that the Bank failed to comply with the four pillars and that the Bank failed to file a SAR where one was needed, and thus, that the Bank did not comply with the BSA, are supported by substantial evidence. Accordingly, the Bank’s petition for review is denied.”
Rare bank battle against AML order
The case involving the diminutive bank – the operation, founded in 1980, has two branches less than a dozen employees and around $80 million in assets – has wider repercussions for the industry. The rulings of appellate courts can have direct import on how banks craft, staff and implement AML programs. The ruling may also influence attempts to frame more concrete parameters around how regulators interpret and gauge compliance programs.
The court battles are also a rare glimpse into what goes on behind the scenes in typically secretive, heavily negotiated AML actions, where examiners and bank staffers battle to reach a middle ground that eventually improves the compliance program, brings some level of comfort to examiners, but doesn’t break the bank’s resources to the detriment of the institution.
Rarely, if ever, does a bank go to the relatively extreme length of not just challenging an order, but going the further perilous step of saying the examining agency had it out for them and that the entire AML program examination and enforcement regime is an amorphous, subjective exercise left up to the whims and discretion of draconian examiners.
The case also has lessons for banks large and small, from the beginning of the AML program to the eventual end, filing SARs, including:
- AML controls: When internal auditors, and external examiners tell you to improve your customer risk assessments, and related monitoring, to see more detailed fincrime trends over a longer period of time, don’t blow them off and respond that because you are the compliance officer, you know the customers better than their apparent heightened risk score.
- AML compliance officer: A compliance officer with no experience in AML also can’t hold other top bank positions at the same time, some directly related to business lines. Why? Because AML typically needs a fulltime person and such a structure can be considered a conflict of interest – a compliance officer could hold back in pressing a profitable, risky customer.
- AML training: Issuing stagnant, superficial training to your bank, and in particular your AML staff, along with random quizzes and having them attend a slipshod webinar does not a compliance training program make. The training has to be inline with the risks the bank is facing, tailored to what employees will see in their jobs and must create a communal acumen in line with the institution’s overall risk profile.
- AML audit: When your supposed external auditor is also creating your AML program, that also could be considered a conflict of interest because the person could end up grading their own work – resulting in a dynamic where the bank is engaging in the very bias it is accusing examiners of engaging. As well, when the external auditor is rebuffed by the compliance officer in question, they can’t just throw their hands up and leave the program to the “tender mercies” of regulators.
The case also evinces the frustrations of a compliance officer who saw that, one year, he basically had a program that passed muster with examiners, but come the next year – when certain seemingly minor changes weren’t made to regulators’ desires – gets a harsh exam and outcome, though the program had changed very little.
Disagreements over overall bank risk, customer scores lead to strife
The friction at the bank had its origins going all the way back to the early 2010s.
In 2012, the California Pacific had fewer than fifteen employees, approximately 200 customers, and approximately 500 deposit accounts, according to the ruling. But the Bank’s customer base consisted of a “significant number of import-export customers, accounts held by non-resident aliens, and accounts with international transactions.”
In July 2010, FDIC Examiner Heather Rawlins conducted a safety and soundness examination of the bank, eventually deeming the AML program “satisfactory” but identified several areas that “must be corrected,” including:
- The bank document its director training and incorporate a method of testing employees’ knowledge of training;
- Designate new customers that have high levels of activity as high risk for at least six months;
- Monitor and analyze aggregate activity for at least three months to establish a pattern of activity;
- Increase the risk rating for the customer base.
Rawlins reviewed the results of the examination with the Bank’s CEO, Richard Chi, and the Bank’s third-party auditor, Joan Vivaldo. The Bank’s management agreed to the recommendations.
Compliance round robin results in cooked goose
But implementing those improvements became increasingly challenging with a revolving door of AML compliance officers.
During 2011, “at least four individuals served sequentially as the bank’s BSA compliance officer,” according to the ruling.
In August 2011, Alan Chi, CEO Richard Chi’s son, became acting BSA Officer without the Bank’s Board of Directors interviewing for the position or recruiting anyone else with more experience to fill the vacancy.
Following election by the bank’s board in January 2012, Alan Chi became the bank’s permanent BSA Administrator, in addition to the Bank’s Senior Vice President, Senior Credit Officer, Chief Financial Officer, Internal Auditor, and Operations Compliance Officer – which examiners would later say was a conflict of interest.
But even before that, Alan Chi’s first order of business was to implement a system where rather than customers being risk assessed on classic data points – products, geographies, amounts and the link – Chi stated all customers who have existing accounts or where referred by current customers should get lower scores, leading to the bank having an overall low to medium risk score.
The move was quickly decried by third-party auditor Joan Vivaldo noting that this methodology failed to identify three new high-risk deposit accounts.
Vivaldo commented that Alan Chi’s use of an automatic twelve-point reduction for certain customers “could turn around and bite them someday.” Vivaldo informed Alan Chi that if he ignored her, he would be left “to the tender mercies of the FDIC.”
Alan Chi also revised the risk assessment form the bank used to assess its own risk, according to the ruling.
Using this altered methodology resulted in the California Pacific Bank having a “low,” rather than “medium to high,” overall risk rating. Vivaldo disagreed with the new methodology as well, but Chi deflected the naysaying, continuing a revised system heavily weighting current customers in lower risk tiers, regardless of actual transactional red flags.
This was not missed by the FDIC.
Lack of experience leads to missed SAR
FDIC examiner Rawlins performed another examination of the bank beginning on December 3, 2012, concluding that the Bank “failed to administer a BSA compliance program in accordance with the four pillars and failed to file” a SAR.
Part of what made it more difficult for the bank to hone in on what customers were the most risky due to red flags that should be alerting the transaction monitoring system was that the bank did analysis on batch filing on a daily basis, rather than over a series of weeks or months to gain insight into when patterns change that could be indicative of criminal activity.
As well, the SAR issue related to a disagreement chiefly due to Alan Chi’s inexperience.
The bank was subject to a grand jury subpoena for several customers, with a law enforcement officer telling Chi not to tell anyone about the subpoena. Chi later mistakenly thought that meant he was also not supposed to file SARs on those customers – even after they were formally indicted for economic espionage and theft of trade secrets.
The appellate ruling detailed Alan Chi’s experience, stating he had “received no training in BSA compliance before taking over as BSA Officer in August 2011.”
His own training consisted of “several Independent Community Bankers of America courses” and completing a webinar and interactions with the FDIC and reviewing of FDIC reports.
Not surprisingly, Rawlins, the examiner, determined that this was “inadequate experience to administer the Bank’s BSA compliance program. Rawlins also concluded that Alan Chi could not dedicate sufficient time to compliance amidst his many roles at the Bank.”
Rawlins also believed that sharing BSA and credit responsibilities created a conflict of interest and inhibited Alan Chi’s ability to assess the Bank’s compliance efforts objectively.
Objectivity was also at the heart of California’ Pacific’s legal challenge, arguing that the BSA is “unconstitutionally vague because neither the statute nor its implementing regulations were precise enough to inform the bank of its required conduct.”
FDIC examiner, ALJ, AML manual not at fault
As well, the bank contended that the statute and regulations are unconstitutionally vague because the FDIC “can arbitrarily determine whether BSA compliance procedures are sufficient. The Bank further argues that the FFIEC Manual cannot clarify compliance procedures because the FFIEC Manual lacks the force and effect of law.”
The appellate court shot down those arguments in rapid fire fashion, stating that “an agency-issued instruction manual, even if lacking the force of law itself, can clarify what conduct is expected of a person subject to a particular regulation and thus mitigate against vagueness.”
Indeed, the FDIC Board found that provisions of the FFIEC Manual were “incorporated in the Bank’s own BSA Policy Manual, and copies of the FFIEC Manual were found scattered throughout the Bank.”
The judges ruled that: “A BSA Officer at the Bank bearing the requisite ‘specialized knowledge’ would understand that compliance with the FFIEC Manual ensures compliance with the BSA. The BSA and its implementing regulations are not unconstitutionally vague.”
FDIC examiners also had no agenda to chastise the bank, according to the judges.
Rawlins clearly told the bank to improve key metrics in the areas of customer risk ranking, training and aberrant activity reporting – even in the exam deemed generally satisfactory.
And when both the bank’s own auditor, and later Rawlins again, noted the bank had blown off these remediation obligations, the resultant failures put it squarely out of compliance with all of the relevant AML prongs.
The administrative law judge (ALJ) “highlighted two places where the bank came up short” in implementing the 2010 report of examination: by “failing to monitor and aggregate activity in high risk accounts and by improperly lowering its self-assessed risk rating.”
With that on the record criticism, California Pacific’s bank’s charge that the judge was also biased is “contradicted by the record,” according to the ruling, with the judges’ finally ruling that “Neither the FDIC’s investigation nor the ALJ was unconstitutionally biased against the Bank.”