On March 17, the OCC and FinCEN issued civil monetary penalties against a federal savings bank for “willfully” failing to meet minimum compliance program requirements and shoddy suspicious transaction reporting. The consent orders read like a veritable “how not to” for reviewing anti-money laundering alerts.
According to the OCC’s consent order imposing a $60 million civil monetary penalty, between 2017 and 2021, the bank failed to implement and maintain an adequate BSA/AML Compliance Program and failed to correct problems with its program that the OCC previously reported to the bank relating to BSA/AML internal controls. The bank’s deficiencies included inadequate internal controls and risk management practices; inadequate suspicious activity identification, evaluation, and reporting; inadequate compliance staffing and training; and inadequate third-party risk management, among others, in violation of 12 U.S.C.§ 1818(s)(3)(B) and 12 C.F.R. § 21.21. Additionally, the bank failed to file timely SARs as required by 12 C.F.R. § 163.180(d).
On the same day, FinCEN imposed a $140 million civil monetary penalty for similar violations. The FinCEN consent order provides significantly more detail around the violations, which cumulatively led to the bank’s untimely filing of at least 3,873 suspicious activity reports (SARs). According to the FinCEN order, the bank willfully failed to implement and maintain an AML program that met the minimum requirements of the BSA, in violation of 31 U.S.C. § 5318(h) and 31 C.F.R. § 1020.210. Specifically, the Order alleges that the bank failed to properly monitor for and detect personal accounts that were being used for business activities, despite the OCC’s prior warning to the bank’s board of directors in 2017. As a result, the bank allowed millions in potentially suspicious funds to flow through its customers’ accounts without adequate scrutiny from the bank’s compliance department.
In 2019, the bank invested approximately $500 million into overhauling its AML program and committed to hiring another 178 compliance staff. Despite this, FinCEN found that the bank failed to fully satisfy the terms of the 2018 Commitments, and at the beginning of 2021, 62 compliance positions remained unfilled. Further, FinCEN identified new and recurring AML program violations throughout the relevant time period that the bank did not address. As of early 2021, three separate corrective actions related to the bank’s 2017 violations were still pending, along with newly-identified deficiencies related to internal controls and training. Moreover, the bank did not voluntarily disclose these violations to FinCEN. Finally, FinCEN determined that the bank filed 3,873 SARs late, with an average filing time of 226 days after the underlying suspicious activity ended, well beyond the 60-calendar day maximum permitted under the BSA.
In determining the penalty, FinCEN cited to the nature and seriousness of the violations including the possible harm to the public and the amounts involved.
Putting It Into Practice: The bank’s case is an extreme example of a bank’s disregard for BSA/AML laws and requirements in favor of aggressive growth. The bank CEO said that the fine was imposed because the bank did not “sufficiently strengthen the capabilities and expertise necessary to regulatory requirements and evolving business needs.” Covered financial institutions seeking to grow their market share should remember that compliance has to grow commensurate with this business. Compliance departments should be adequately staffed to ensure alerts are timely and adequately investigated.