Failures in Financial Institutions’ AML Compliance Programs: A Compliance Officer’s Checklist

In the first three quarters of 2018, there has been an unusual spate of enforcement actions by prosecutors and regulators against top-tier financial institutions for significant failures in their design and implementation of anti-money laundering (AML) compliance programs:

  • February – Rabobank: Rabobank N.A., a subsidiary of Rabobank, pleaded guilty in U.S. federal court to felony conspiracy to impair, impede, and obstruct its primary regulator, the U.S. Department of the Treasury’s Office of the Comptroller of the Currency (OCC), by concealing deficiencies in its anti-money laundering (AML) program and by obstructing the OCC’s examination of Rabobank, and agreed to forfeit $368,701,259.
  • February – U.S. Bancorp: The Department of Justice reached a deferred prosecution agreement (DPA) with U.S. Bancorp, resolving criminal charges under the Bank Secrecy Act (BSA), that required U.S. Bancorp to forfeit $453 million and pay a $75 million civil penalty assessed by the Office of the Comptroller of the Currency (OCC). In addition, the Financial Crimes Enforcement Network (FinCEN) reached a separate agreement with U.S. Bancorp requiring the bank to pay $70 million for civil BSA violations.
  • June – Commonwealth Bank of Australia (CBA): AUSTRAC and CBA reached agreement on an AU$700 million penalty “to resolve Federal Court proceedings relating to serious breaches of anti-money laundering and counter-terrorism financing (AML/CTF) laws.” AUSTRAC later stated that this penalty was “the largest civil penalty in Australia’s corporate history and reflects the magnitude of the serious non-compliance by CBA.”
  • July – UBS U.S. Branches: The OCC reported that it had entered cease-and-desist orders against three U.S. branches of UBS and had found that the branches failed (1) to adopt and implement a compliance program that adequately covered the required Bank Secrecy Act/Anti-Money Laundering (BSA/AML) program elements and (2) to timely file Suspicious Activity Reports (“SARs”) related to suspicious customer activity. The OCC also stated that the deficiencies in the branches’ BSA/AML compliance program resulted in various violations of OCC regulations, but did not impose any financial penalties for those violations.
  • September – ING: The Dutch Public Prosecution Service announced that it had reached a settlement agreement with ING Bank N.V. requiring ING to pay approximately US$900 million to resolve an investigation focused on violation, “for many years and on a structural basis,” of the Dutch Anti-Money Laundering and Counter Terrorism Financing Act by ING’s business unit ING Bank Netherlands.
  • September – Credit Suisse: FINMA concluded two enforcement procedures against Credit Suisse AG. One was for deficiencies in Credit Suisse’s adherence to AML due diligence obligations in relation to suspected corruption involving the International Federation of Association Football (FIFA), the Brazilian oil company Petrobras, and the Venezuelan oil company Petróleos de Venezuela, S.A. (PDVSA). The other was for deficiencies in the bank’s AML process, as well as shortcomings in the bank’s control mechanisms and risk management, with regard to a significant business relationship with a politically exposed person (PEP).
  • September – Danske Bank: Danske Bank acknowledged, based on internal investigations, that approximately $234 billion in potentially suspicious transactions had flowed through its Estonian branch for nearly a decade. Criminal investigations by several countries into the Estonian branch’s activity are now underway.
  • September – Deutsche Bank: The Bundesanstalt für Finanzdienstleistungsaufsicht (“BaFin,” the German Federal Financial Supervisory Authority) ordered that Deutsche Bank AG “take appropriate internal safeguards and comply with general due diligence obligations” in order to prevent money laundering and terrorist financing, and appointed a monitor “to report on and assess the progress of the implementation.” BaFin did not specify what shortcomings warranted its order, but reportedly stated that “this was the first time it had made such an appointment at a bank related to money laundering.”

It may be tempting for some to dismiss these actions simply as examples of aggressive behavior by prosecutors and regulators.  AML compliance officers and internal auditors, however, should examine these cases more closely to see what specific failures or deficiencies were identified, at least as a point of comparison with their own compliance programs.

To that end, this post provides a checklist of some of the principal corporate AML failures that were specifically identified in those cases:

  • Failure of Systems Design
    • Design of Systems for Monitoring Transactions:
      • In Credit Suisse’s case, FINMA stated that the bank had not established an automated comprehensive overview of client relationships, which would allow every relevant department within the bank “to see all the client’s relationships with the bank instantly and automatically.”
      • In Danske Bank’s case, the internal investigation report stated that the Estonian branch had its own information technology platform, which meant “that the branch was not covered by the same customer systems and transaction and risk monitoring as Danske Bank Group” and that Danske Bank Group “did not have the same insight into the branch as other parts of [the] Group.”
    • Design of Systems to Receive Currency Deposits:
      • In CBA’s case, the bank failed to carry out an appropriate assessment of the money laundering and terrorism financing (ML/TF) risks of its smart Automated Teller Machines, labeled “Intelligent Deposit Machines” (IDMs). AUSTRAC alleged that CBA did not limit the number of transactions a customer could make per day, and that its IDMs allowed up to 200 notes per transaction. That meant that a customer could deposit a stack of 200 AU$100 notes at one time, resulting in a deposit twice as large as the AU$10,000 reporting threshold for transfers of physical currency. In addition, CBA’s IDMs reportedly allowed anonymous cash deposits, making them more attractive to criminals. One news report speculated that “whoever installed the machines back in 2012 simply didn’t realise transactions above $10,000 had to be reported, and never wrote the code.”
    • Failure of Organizational Design:
      • In ING’s case, the Public Prosecution Service stated that “one of the main reasons for the shortcomings was the insufficient attention paid by ING NL to compliance risk management (business over compliance). The responsibility for compliance with the AML/CTF Act rests with three different divisions of the bank. None of these divisions oversaw the whole picture. This in part explains why senior management was not fully aware of the seriousness of the shortcomings, and their persistence.”
      • In Danske Bank’s case, the bank acknowledged that “in general, the Estonian branch had insufficient focus on the risk of money laundering, and branch management was more concerned with procedures than with identifying actual risk,” and that “the Estonian control functions did not have a satisfactory degree of independence from the Estonian organization.”
    • Noncompliance with Corporate AML Program Requirements:
      • In CBA’s case, for a period of three years, the bank did not comply with the requirements of its own AML program relating to monitoring transactions on 778,370 accounts.
      • In Credit Suisse’s case, FINMA found that a client relationship manager “who was very successful in terms of assets under management – breached the bank’s compliance regulations repeatedly and on record over a number of years. However, instead of disciplining the client manager promptly and proportionately, the bank rewarded him with high payments and positive employee assessments. The supervision of the relationship manager was inadequate due to this special status.”
    • Failure to Implement Controls:
      • In CBA’s case, the bank failed to complete the introduction of appropriate controls to mitigate and manage the money laundering and terrorist financing (ML/TF) risks of its IDMs.
      • In UBS’s case, the Consent Order cited the branches’ inadequate system of internal controls as one of the “critical deficiencies” in the elements of the branches’ BSA/AML compliance program.
    • Failure to Meet Due Diligence Obligations:
      • In Credit Suisse’s case, FINMA determined that “repeatedly over a number of years,” Credit Suisse had failed to comply with its due diligence obligations relating to FIFA, Petrobras, and PDVSA in five respects: (1) Identifying the client; (2) Determining the beneficial owner; (3) Categorizing a business relationship as posing an increased risk; (4) Performing the necessary clarifications upon increased risk plus associated plausibility checks; and (5) Documentation. It also determined that with respect to a significant business relationship with a client who was a PEP, Credit Suisse “failed to meet its heightened due diligence obligations regarding investigation, plausibility checks and documentation regarding the client and certain related high-risk transactions.”
      • In ING’s case, the Public Prosecution Service stated that “[t]he absence or insufficient conducting of client due diligence led to ING NL’s acceptance of clients without sufficiently investigating the risks associated with those clients. Clients were also classified in the wrong client segments.” That statement cited multiple specific examples of due diligence failures, including a women’s underwear trader that was able to launder approximately €150,000,000 through its bank accounts with ING NL.
      • In Danske Bank’s case, the internal investigations report stated that failures of the bank’s due diligence included lack of knowledge of customers, lack of identification of ultimate beneficial owners and “controlling interests,” and the acceptance as customers of “so-called intermediaries,” “which were unregulated and represented unknown end-customers.”
      • In UBS’s case, the Consent Order stated that the branches had systemic deficiencies in their customer due diligence, enhanced due diligence, and customer risk rating processes, and failed to establish and apply an adequate due diligence program for foreign financial institutions.
    • Failure to Maintain Adequate Staff:
      • In ING’s case, the Dutch Public Prosecution Service stated that “[t]he compliance department was understaffed and inadequately trained. Partly due to the limited personnel capacity, the system for monitoring transactions was set up by the bank in such a way that only a limited number of money laundering signals were generated.”
      • Similarly, as noted below, in U.S. Bancorp’s case, the bank capped the number of automated alerts its system generated, based on staffing levels and resources.
    • Failure to Monitor Customers:
      • In Danske Bank’s case, the internal investigations report stated that the AML monitoring failings included insufficient attention to customer activities, lack of identification of the source and origin of funds used in transactions, absence of screening of customers against PEP lists, absence of screening of incoming payments against sanctions or terror lists, and in general, absence of automatic screening of incoming payments. In addition, Danske Bank’s Internal Audit team noted in 2014 that “’ongoing monitoring’ was performed manually by account managers, who were responsible for so many customers that it was ‘in fact impossible to perform the monitoring in an effective and efficient way’.”
      • In CBA’s case, the bank, even after it became aware of suspected money laundering or structuring on CBA accounts, “did not monitor its customers to mitigate and manage ML/TF risk, including the ongoing ML/TF risks of doing business with those customers.”
      • In UBS’s case, the Consent Order stated that the branches “had systemic deficiencies in their transaction monitoring systems, which resulted in monitoring gaps. These systemic deficiencies resulted in alert and investigation backlogs, and led to a failure to file SARs in a timely manner.”
      • In Credit Suisse’s case, FINMA found that Credit Suisse “had failed to adequately record, contain and monitor the risks arising over a number of years from the PEP business relationship and the responsible (and since criminally convicted) client relationship manager.”
      • In Rabobank’s case, Rabobank “knew that millions of dollars in cash deposits at [its Southwest border] branches were likely tied to illicit conduct,” yet continued its practice of soliciting cash-intensive customers from Mexico and elsewhere for an extended period.
    • Conducting Transactions Not Subject to Monitoring:
      • In U.S. Bancorp’s case, the bank processed Western Union transactions involving non-customers, “even though they would not be subject to the Bank’s transaction monitoring systems. Even when Bank employees flagged specific non-customer transactions raising AML-related concerns, the transactions went uninvestigated.”
    • Manipulation of Monitoring Software:
      • In U.S. Bancorp’s case, FinCEN stated that the bank “capped the number of alerts its automated transaction monitoring system would generate to identify only a predetermined number of transactions for further investigation, without regard for the legitimate alerts that would be lost due to the cap.” The U.S. Attorney who handled the DPA stated that the bank “bas[ed] the number of such alerts on staffing levels and resources, rather than setting thresholds for such alerts that corresponded to a transaction’s level of risk.”
      • Similarly, in ING’s case, the Public Prosecution Service stated that “[p]artly due to the limited personnel capacity, the system for monitoring transactions was set up by the bank in such a way that only a limited number of money laundering signals were generated. Only the proverbial tip of the iceberg was investigated.”
    • Compromise of Alert Processes:
      • In Rabobank’s case, the bank “received regular alerts of transactions by ‘High-Risk’ customers, or through accounts deemed to be ‘High-Risk,’ and that had been the subject of prior SARs filed by Rabobank,” but “created and implemented policies and procedures to prevent adequate investigations into these suspicious transactions, customers, and accounts.” In particular, the bank created a “Verified List” of certain customers, and “instructed its employees that if a customer was on the ‘Verified List,’ no further review of that customer’s transactions was necessary — even if the transactions generated an internal alert, or the customer’s activity had changed dramatically from when it was ‘verified’.” The bank also instructed its BSA/AML staff “to aggressively increase the number of bank accounts on the Verified List.”
    • Failure to Timely Report High Volumes of Suspicious Transactions:
      • In CBA’s case, the bank failed to provide 53,506 threshold transaction reports, having a total value of about AU$625 million, to AUSTRAC on time for nearly three years. It also “failed to report suspicious matters on time, or at all, involving transactions in the tens of millions of dollars.”
      • In U.S. Bancorp’s case, the bank willfully failed to timely report suspicious banking activities of a longtime customer, despite being on notice that he had been using the bank to launder proceeds from an illegal and fraudulent payday lending scheme. As part of that failure, the Justice Department stated that the bank “disregarded numerous red flags” concerning the suspicious nature of the customer’s activity.
      • In Danske Bank’s case, the internal investigations report noted that the bank’s AML failings included lack of response to suspicious customers and transactions.
    • Failure to Terminate Customer Accounts:
      • In ING’s case, the Public Prosecution Service determined that “[c]lient relationships and bank accounts were . . . , when necessary, not terminated by the bank in a timely manner.”
      • In U.S. Bancorp’s case, after receiving information that the customer had been using sham bank accounts under the names of companies nominally owned by various Native American tribes to launder proceeds of his fraud scheme, the bank “closed the accounts in the names of the tribal companies but failed to file a SAR . . . and left open [the customer’s] non-tribal accounts and opened new ones,” which allowed additional proceeds of more than $176 million from his illegal payday business to flow into the bank.
    • Termination of Employees Identifying Potential Misconduct:
      • In Rabobank’s case, the Justice Department stated that “[t]o further conceal the inadequate nature of its BSA/AML program and to avoid ‘others contradicting our findings’ and statements to the OCC, Rabobank demoted or terminated two RNA employees who were raising questions about the adequacy of Rabobank’s BSA/AML program.”
    • Prior Warnings by Regulators:
      • In ING’s case, the Public Prosecution Service noted that the Dutch Central Bank had warned ING NL on multiple occasions.
      • In U.S. Bancorp’s case, an OCC examiner assigned to the Bank had repeatedly warned bank officials “of the impropriety of managing the Bank’s monitoring programs based on the size of its staff and other resources.”
      • In Danske Bank’s case, the bank had been the subject of regulatory sanctions with respect to its Estonian branch from both the Estonian FSA and the Danish FSA in 2015 and 2016, respectively.
    • Concealment of Conduct from Regulators:
      • In U.S. Bancorp’s case, bank officials (including the Chief Compliance Officer), “[k]nowing that the OCC would find [the Bank’s] resource-driven alert limits to be improper, . . . deliberately concealed these practices from the OCC.”
    • Obstruction of Regulators:
      • In Rabobank’s case, when the OCC began conducting its periodic examination of Rabobank in 2012, the Justice Department stated that “Rabobank agreed to knowingly obstruct the OCC’s examination. Rabobank responded to the OCC’s February 2013 initial report of examination with false and misleading information about the state of Rabobank’s BSA/AML program. Rabobank also made false and misleading statements to the OCC regarding the existence of reports developed by a third-party consultant, which detailed the deficiencies and resulting ineffectiveness of Rabobank’s BSA/AML program.” The Department also stated that Rabobank did so “in hopes of avoiding regulatory sanctions that had previously been imposed on Rabobank in 2006 and 2008 for nearly identical failures.”
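Two of the system-design failures above, the IDM deposits that escaped threshold reporting (CBA) and the resource-driven alert cap (U.S. Bancorp, ING), can be made concrete in a few lines. The following is an added example, not code from the original post or from any of the banks discussed; the deposit records, the structuring rule, and the risk scores are constructed, and only the AU$10,000 reporting threshold is taken from the post.

```python
# Added example (not from the original post): a minimal cash-deposit monitor
# contrasting a fixed alert cap with risk-based alert selection. All data and
# scores are constructed; only REPORTING_THRESHOLD_AUD comes from the post.
from collections import defaultdict
from dataclasses import dataclass

REPORTING_THRESHOLD_AUD = 10_000   # physical-currency reporting threshold (from the post)
STRUCTURING_DAILY_TOTAL = 10_000   # assumed: sub-threshold deposits summing to this in a day

@dataclass(frozen=True)
class Deposit:
    day: str        # ISO date (constructed)
    customer: str   # None models an anonymous IDM deposit
    amount: int     # AUD

@dataclass(frozen=True)
class Alert:
    customer: str
    day: str
    reason: str
    risk: int       # assumed 0-100 score

def monitor(deposits):
    """Alerts for threshold deposits, anonymous deposits and possible structuring."""
    alerts = []
    per_customer_day = defaultdict(list)
    for d in deposits:
        if d.customer is None:
            alerts.append(Alert("<anonymous>", d.day, "anonymous cash deposit", 90))
            continue
        if d.amount >= REPORTING_THRESHOLD_AUD:
            alerts.append(Alert(d.customer, d.day, "threshold transaction report", 70))
        per_customer_day[(d.customer, d.day)].append(d.amount)
    # A per-customer daily view is exactly what a machine with no per-day limit lacks.
    for (cust, day), amounts in per_customer_day.items():
        below = [a for a in amounts if a < REPORTING_THRESHOLD_AUD]
        if len(below) >= 2 and sum(below) >= STRUCTURING_DAILY_TOTAL:  # assumed rule
            alerts.append(Alert(cust, day, "possible structuring", 80))
    return alerts

def capped(alerts, cap):
    """Resource-driven cap: the first `cap` alerts in arrival order, whatever their risk."""
    return alerts[:cap]

def risk_based(alerts, min_risk):
    """Risk-based selection: every alert at or above the risk threshold."""
    return [a for a in alerts if a.risk >= min_risk]

SAMPLE = [  # constructed deposits for one day
    Deposit("2018-03-01", "C1", 9_900),
    Deposit("2018-03-01", "C2", 20_000),  # 200 x AU$100 notes in one transaction
    Deposit("2018-03-01", "C1", 9_800),   # second sub-threshold deposit, same day
    Deposit("2018-03-01", None, 15_000),  # anonymous deposit
]

def lost_alerts(deposits, cap):
    """Alerts a fixed cap discards that a risk threshold of 70 would have kept."""
    all_alerts = monitor(deposits)
    return [a for a in risk_based(all_alerts, 70) if a not in capped(all_alerts, cap)]
```

With the sample data, a cap of one alert keeps only the first threshold report and silently drops the anonymous deposit and the structuring pattern, the two highest-risk alerts; the risk-based selection keeps all three.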

There is no doubt that each of these acts and omissions constitutes, in varying degrees, a serious failure in AML compliance that would be problematic for any financial institution. AML compliance officers should use these examples not only in reviewing their own programs, but in crafting general and targeted training for managers and employees. It is easy for executives and employees at leading financial institutions to think, “It can’t happen here,” which makes it all the more important for compliance programs to show that it can happen and has happened at peer institutions. As the examples here have shown, the price of complacency or inattention to robust and consistent AML compliance can be devastating in financial and reputational terms.
