Second Post in a Two-Part Series
NYDFS Action Highlights the Need for Good Monitoring – and Good Consultants
In part one of this two-part post, we provided some practical tips for financial institutions to increase the chances that their Anti-Money Laundering (“AML”) programs will withstand regulators’ scrutiny, including: (1) promoting a culture of AML/Bank Secrecy Act (“BSA”) compliance; (2) focusing on transaction monitoring; (3) improving information sharing; (4) identifying and handling high-risk accounts appropriately; and (5) knowing your risks and continually improving your AML program to control those risks.
In this post we’ll discuss the consequences of potentially failing to heed these practical tips in a specific case: the New York Department of Financial Services’ (DFS) recent enforcement action against Mashreqbank.
Mashreqbank is the oldest and largest private bank in the United Arab Emirates. Its New York branch is Mashreqbank’s only location in the United States. It offers correspondent banking and trade finance services and provides U.S. dollar clearing services to clients located in Southeast Asia, the Middle East and Northern Africa. In 2016, the branch cleared more than 1.2 million USD transactions with an aggregate value of over $367 billion. In 2017, the branch cleared more than one million USD transactions with an aggregate value of over $350 billion.
The DFS enforcement action asserted that Mashreqbank’s AML/BSA program was deficient in a number of respects and that the New York branch had failed to remediate identified compliance issues. The enforcement action began with a DFS safety and soundness examination in 2016. In 2017, DFS and the Federal Reserve Bank of New York (FRBNY) conducted a joint safety and soundness examination. DFS provided a report of its findings to which Mashreqbank submitted a response.
In a consent order signed on October 10, 2018, Mashreqbank admitted violations of New York laws and accepted a significant monetary penalty and increased oversight for deficiencies in its AML/BSA and Office of Foreign Assets Control (OFAC) programs. Regulators pursued the enforcement action despite the New York branch’s strong cooperation and demonstrated commitment to building an effective and sustainable compliance program. Among other things, Mashreqbank agreed to pay a $40 million fine; to hire a third-party compliance consultant to oversee and address deficiencies in the branch’s compliance function including compliance with AML/BSA requirements; and to develop written revised AML/BSA and OFAC compliance programs acceptable to DFS.
The DFS and FRBNY examination findings demonstrate Mashreqbank’s failure to follow the practical tips identified in part one of this post. Specifically, the regulators found that Mashreqbank failed to: (1) have appropriate transaction monitoring; (2) identify and handle high-risk accounts appropriately; and (3) know its risks and improve its AML program to control those risks.
Further, and as our discussion will reflect, the Mashreqbank enforcement action is also notable in two other respects. First, the alleged AML failures pertain entirely to process and the general adequacy of the bank’s AML program – whereas the vast majority of other AML/BSA enforcement actions likewise discuss system failures, they usually also point to specific substantive violations, such as the failure to file Suspicious Activity Reports (“SARs”) regarding a particular customer or set of transactions. Second, although the use of external consultants usually represents a mitigating factor or even a potential reliance defense to financial institution defendants, the DFS turned what is typically a defense shield into a government sword and instead criticized Mashreqbank for using outside consultants who, according to DFS, were just not very rigorous. This alleged use of consultants performing superficial analysis became part of the allegations of affirmative violations against the bank, thereby underscoring how financial institutions must ensure that their AML/BSA auditors or other consultants are experienced, competent, and performing meaningful testing, particularly when addressing issues previously identified by regulators.
Inadequate Transaction Monitoring
Transaction monitoring is a bank’s procedures for monitoring financial transactions for potential AML/BSA violations and determining whether SARs should be filed with law enforcement. We previously noted the importance regulators place on reviewing a bank’s complete cycle of transaction monitoring in examinations.
In Mashreqbank’s case, prior to the 2016 exam, regulators had identified deficiencies in the New York branch’s handling of transaction monitoring processes, including failing to set proper sensitivity settings for screening based upon the branch’s business, and failing to filter U.S. dollar transactions in a manner that complied with OFAC regulations. The branch had committed to improve its AML/BSA and OFAC compliance programs. However, the 2016 exam determined that these commitments had not been satisfied.
Regulators determined that the branch’s AML/BSA and OFAC compliance policies remained insufficient. Regulators found that the branch’s policies lacked sufficient detail and simply cited regulatory language. As such, the policies were insufficiently tailored to address the specific risks associated with the Branch’s particular lines of business. The Branch relied heavily on a system with manual components which were inadequate to address the risks associated with an annual USD clearing volume of $300 billion. Identified deficiencies in the transaction monitoring program included: the failure to make appropriate use of relevant Know Your Customer (KYC) files; allowing the same analyst to conduct first- and second-level reviews of the same transaction – thereby defeating the purpose of a second-level review; and the use of broad, generic language when addressing or documenting the disposition of alerts – thereby limiting the branch’s ability to detect trends and patterns in its customers’ activities. Regulators also discovered that the branch had a three-month backlog in its generation of transaction monitoring alerts with 1,500 to 1,600 alerts generated per month.
In the 2017 exam, regulators determined that the branch had failed to correct a number of these deficiencies, despite engaging a third-party consultant. Alert and disposition records lacked detailed information, making it difficult to assess the adequacy of compliance investigations into potentially suspicious transactions. The transaction monitoring system was generating approximately 2,000 alerts monthly. Each alert was reviewed only once by a single reviewer. The quality review of alerts was suffering from a five-month backlog. In addition, regulators found that the rules utilized by the transaction monitoring system did not adequately address Mashreqbank’s customer base and transaction volume and did not properly monitor risks associated with certain common scenarios in foreign correspondent activities. In the consent order, the DFS criticized the bank’s reliance on a third-party vendor engaged to “validate these transaction monitoring rules” because the vendor’s effort “was determined to be deficient, doing little more than summarizing the interim rules and indicating their purported adequacy.”
The consent order illustrates that regulators will expect transaction monitoring processes to appropriately take into account the scope of transactions and business activities of the bank. Banks should be prepared to show that their review and investigation process is well-documented, comprehensive and timely. Importantly, entities may not simply rely on a third-party vendor if the monitoring program implemented by the vendor is not appropriate to the bank’s customer base and the nature of the transactions at issue.
Failure to Identify and Handle High-Risk Accounts Appropriately
In part one of this post, we noted the importance of a financial institution’s ability to identify high-risk accounts and perform enhanced due diligence and monitoring of those accounts. In Mashreqbank’s case, regulators found that Mashreqbank failed to provide adequate oversight of transactions by customers in high-risk regions. Mashreqbank provides clearing services to clients located in Southeast Asia, the Middle East and North Africa – regions that potentially present a high risk in connection with financial transactions. The branch identified nearly 2/3 of its foreign financial institutional customers as high-risk accounts.
In the 2016 exam, regulators determined that although a large number of accounts were identified as high risk and the branch’s customer base consists principally of foreign financial institutions located in high-risk regions, the branch’s due diligence files lacked robust information about its foreign correspondent customers’ markets.
In the 2017 exam, regulators found that the OFAC compliance program continued to suffer from gaps including insufficient documentation of the disposition of OFAC alerts and cases, and insufficient rationales regarding the procedures for investigating alerts. DFS concluded that deficiencies identified demonstrate that “the Branch has not yet completed its efforts to develop a compliance infrastructure commensurate with the risks presented by its business activities.”
The consent order demonstrates the importance not only of having adequate procedures in place to identify high-risk accounts but also of ensuring that enhanced due diligence is performed and properly documented and that KYC information is properly updated and utilized.
Failure to Know Risk and Improve AML Programs to Control Those Risks
We noted in our first post that regulators will expect banks to continually enhance their AML/BSA programs. A bank’s program should improve over time as the entity’s risk profile evolves and in response to guidance it receives from regulators. In Mashreqbank’s case, evaluators found that deficiencies identified prior to, and during, the 2016 exam persisted despite the branch’s efforts to improve its program. Although the branch made efforts to cooperate with regulators, it repeatedly received low ratings in its exams. DFS concluded that “while the Branch made some progress in remediation, it failed to address all of the compliance issues identified by its regulators.”
Notably, regulators determined that the AML/BSA policy gaps were attributable both to branch management and the head office – and an external auditor. Although the head office had engaged a third-party auditor to conduct a 2017 AML/BSA audit and validate the branch’s work to improve its program, the head office did not provide sufficient oversight of the external auditor. To the contrary, regulators concluded that the external auditor produced work papers that failed to demonstrate adequate testing of the AML/BSA program and omitted numerous issues uncovered by regulators in the 2016 exam. More specifically, the consent order alleges the following:
In November 2017, the External Auditor issued its report detailing its validation of efforts to remediate prior examination deficiencies. The report lacked narrative conclusions, instead, merely pointing to the corresponding workpapers for detail. The examiners who reviewed the External Auditor’s workpapers found that the sample size for the External Auditor’s review of OFAC alerts was too small. Examiners conducted follow-up discussions with the External Auditor and concluded that, rather than performing independent testing to validate management’s various corrective actions, the External Auditor merely signed off on documentation provided by management. Though such documentation detailed certain efforts made by management to strengthen the Branch’s compliance function (such as hiring additional personnel, including a resident Internal Auditor at the Branch), it failed to provide examiners independent corroboration of the adequacy or sustainability of the Branch’s BSA/AML and OFAC compliance programs.
The Mashreqbank example underscores the importance of financial institutions implementing good solutions to problems uncovered by regulators. Banks should make every effort to correct issues and avoid repeat findings of deficiency. Importantly, entities may not relieve themselves of this responsibility by simply relying on an external vendor. Banks must confirm that auditors or other consultants are performing thorough and meaningful testing of AML/BSA programs and evaluating the effectiveness of improvements to address issues previously identified. Senior management must take an active role in overseeing external auditors and addressing deficiencies identified by regulators.