Author: Jonathan J. Rusch

On July 22, the U.S. federal bank supervisory agencies and the Financial Crimes Enforcement Network (FinCEN) issued a joint statement ”to emphasize their risk-focused approach to examinations of banks’ Bank Secrecy Act /anti-money laundering (BSA/AML) compliance programs,” and to improve transparency into the risk-focused approach that the agencies use for planning and performing BSA/AML examinations.

The joint statement has two principal sections, each of which addresses multiple topics:

1. BSA/AML Compliance Programs and Risk Profiles:
   • General Requirement: The joint statement first sets out the agencies’ expectations that “banks structure their compliance programs to be risk-based and to identify and report potential money laundering, terrorist financing, and other illicit financial activity,” in order “[t]o assure that BSA/AML compliance programs are reasonably designed to meet the requirements of the BSA.” Such a risk-based compliance program “enables a bank to allocate compliance resources commensurate with its risk.
   • Risk Assessment and Risk Profile: The joint statement briefly notes, with regard to BSA/AML risk assessments, that “[a] bank’s well-developed risk assessment is a critical part of sound risk management and assists examiners in understanding the bank’s risk profile.” With regard to risk profiles, it further states that banks “determine the levels and types of risks that they will assume.”  On this point, the joint statement attaches a footnote stating that “[b] Bank directors provide guidance regarding acceptable risk exposure levels and corresponding policies while management implements policies, procedures, and practices that translate the board’s goals, objectives, and risk limits into prudent operating standards.”
   • Risk Mitigation and “De-risking”: Banks that operate in compliance with applicable law, properly manage customer relationships and effectively mitigate risks by implementing controls commensurate with those risks are neither prohibited nor discouraged from providing banking services.”  This sentence, as the agencies explain in a footnote, “does not create additional requirements or supervisory expectations for banks.”  The joint statement also recapitulates prior statements by the banking agencies on de-risking, encouraging banks “to manage customer relationships and mitigate risks based on customer relationships rather than declining to provide banking services to entire categories of customers.”
   • Agencies’ Approach to Examinations: The joint statement summarizes the agencies approach to BSA/AML examinations as follows:
     • “Federal banking agency examiners evaluate the adequacy of a bank’s BSA/AML compliance program relative to its risk profile, and that bank’s compliance with applicable laws and regulations. Examiners review risk management practices to evaluate and assess whether a bank has developed and implemented effective processes to identify, measure, monitor, and control risks.”
     • The joint statement also recognizes that there is no “one-size-fits-all” risk profile applicable to banks.  It notes that the agencies “recognize that banks vary in focus and complexity, and that these differences create for each bank a unique risk profile. Accordingly, the scope of BSA/AML examinations varies by bank.”  With regard to the variability of focus, it briefly states, in a footnote, that “[f]or example, a bank with a localized community focus likely has a stable, known customer base.”
2. Risk-Focused Examinations: This section begins with a general statement that the federal banking agencies “s conduct risk-focused BSA/AML examinations, and tailor examination plans and procedures based on the risk profile of each bank.” It then explains how the agencies conduct those examinations:
   • Common Practices: This section notes that common practices for assessing the bank’s risk profile include the following actions:
     • “leveraging available information, including the bank’s BSA/AML risk assessment, independent testing or audits, analyses and conclusions from previous examinations, and other information available through the off-site monitoring process or a request letter to the bank”;
     • “contacting banks between examinations or prior to finalizing the scope of an examination”; and
     • “considering the bank’s ability to identify, measure, monitor and control risks.”
   • This section adds that “[t]he information gained from assessing the bank’s risk profile assists examiners in scoping and planning the examination and initially evaluating the adequacy of the BSA/AML compliance program.”

• Resource Allocation: This section declares that the federal banking agencies “generally allocate more resources to higher-risk areas, and fewer resources to lower-risk areas. For example, the pre-examination request list is tailored to the bank’s risk profile, complexity, and planned examination scope.”
• Risk Assessment and Testing: This section further states:
  • “Examiners review a bank’s BSA/AML risk assessment and independent testing to assess the bank’s ability to identify, measure, monitor, and control risks. Risk assessments and independent testing that properly consider and test all risk areas (including products, services, customers, and the geographic locations in which the bank operates and conducts business) are used in determining the examination procedures and transaction testing that should be performed.”
• Examination Manual: This section concludes with a declaration that the risk-focused approach reflected in the joint statement “forms the foundation for the information, instructions, and procedures communicated to examiners through the Federal Financial Institutions Examination Council BSA/AML Examination Manual.”

In its conclusion, the joint statement recapitulates a number of its key points:

• “Risk-focused BSA/AML examinations consider a bank’s unique risk profile”;
• Examiners “use risk assessments and independent testing when planning and conducting examinations,” and “assess the adequacy of a bank’s BSA/AML compliance program during each examination cycle”;
• “The extent of examination activities necessary to evaluate a bank’s BSA/AML compliance program generally depends on a bank’s risk profile and the quality of its risk management processes to identify, measure, monitor, and control risks, and to report potential money laundering, terrorist financing, and other illicit financial activity.”

Note:  Financial institutions’ risk and AML compliance teams should read the joint statement closely, both as a general checklist for reviewing their BSA/AML compliance programs and as a frame of reference in preparing for future BSA/AML examinations.  While the joint statement specifically states that it “does not establish new requirements,” it articulates regulators’ expectations regarding BSA/AML program evaluations in greater detail than before.

The joint statement also may serve as a recognition of the limits to which regulators may go in questioning the adequacy of a bank’s BSA/AML program.  So long as a bank has thought through and provided sufficient processes and resources for each element of is program, taking into account its unique risk profile, it can be in a stronger position to challenge, respectfully but firmly, any suggested revisions to its BSA/AML program that are inconsistent with a risk-based approach.

On July 18, the United Kingdom National Crime Agency announced that on July 12, the United Kingdom High Court had issued the first Unexplained Wealth Order (UWO) in relation to a businessman from the north of England “with suspected links to serious organised criminals.”  Although the NCA has obtained a number of UWOs previously, it referred to this issuance as “the first time one has been obtained solely based on an individual’s alleged involvement in serious organised crime.”

Under section 362A of the Proceeds of Crime Act 2002 (as amended by the Criminal Finances Act 2017), a United Kingdom Government enforcement authority, such as the NCA, may apply to the High Court for an order, pertaining to specified property, directed to a person whom the enforcement authority thinks holds the property.  That order requires that person to provide a statement that includes:

• The nature and extent of that person’s interest in the specified property;
• An explanation of how the person obtained the property “(including, in particular, how any costs incurred in obtaining it were met)”;
• “[W]here the property is held by the trustees of a settlement, setting out such details of the settlement as may be specified in the order.”

In this case, the NCA was investigating eight properties that the businessman had bought in various locations across the country.  The NCA stated that its officers “believe the businessman’s property purchases were funded by a number of criminal associates involved in drug trafficking, armed robberies and supplying firearms.”

Note: While some anti-corruption advocates have been critical of United Kingdom law enforcement for not seeking more UWOs, particularly UWOs directed at serious criminals, the Government’s caution to date has been understandable.  The UWO is an unprecedented and powerful tool for law enforcement to combat the exploitation of the United Kingdom as a haven for criminal proceeds.

Law enforcement authorities can be forgiven for wanting to proceed with some caution, for two reasons: (1) the complexity of the process for obtaining UWOs; and (2) the need to ensure that the High Court  judges become comfortable with that process before the authorities seek UWOs against higher-level organized crime figures or other property-holders with greater incentive to challenge the legitimacy of the UWO.  Having obtained this UWO, however, the NCA will likely be expected – especially with a new Prime Minister and a new Home Secretary – to show that it is moving expeditiously in using all of the resources at its disposal to combat serious organized crime.

On July 16, the U.S. Financial Crimes Enforcement Network (FinCEN) announced that it is undertaking “new efforts to curtail and impede Business Email Compromise (BEC) scammers and other criminals who profit from their schemes.”  BEC schemes, as FinCEN explained, “generally entail criminal attempts to compromise the email accounts of victims to send fraudulent payment instructions to financial institutions or business associates in order to misappropriate funds or to assist in financial fraud.”

FinCEN concluded, after analyzing Suspicious Activity Reports (SARs) that it had received, that “hackers and other illicit actors’ BEC scams generated more than $300 million a month in 2018, with a cumulative total exceeding billions of dollars stolen from businesses and individuals.”  Its latest Financial Trends Analysis found that the number of SARs describing BEC incidents

has grown rapidly, averaging nearly 500 per month in 2016, and above 1,100 per month in 2018. The total value of attempted BEC thefts, as reported in SARs, climbed to an average of $301 million per month in 2018 from only $110 million per month in 2016.

The Analysis also identified the following trends:

• Targeted Sectors: Manufacturing and construction was the most targeted sector in both 2017 and 2018, representing 20 percent of all analyzed transactions in 2017 and 25 percent in 2018. Commercial services (such as shopping centers, entertainment facilities, and lodging) increased more than other industries, up from 6 percent of reported incidents in 2017 to 18 percent in 2018. In addition, “financial firms are the most frequently targeted firms in New York, while manufacturing and construction firms are the most frequently targeted in Texas.”
• Use of Domestic Financial Accounts: “In approximately 73 percent of incidents in 2017, funds were sent or attempted to be sent to domestic accounts, likely controlled by money mules. These destinations likely represent intermediate hops in a money laundering process, based on FinCEN’s analysis of BEC networks and recent law enforcement insights on use of money mules in other scams.
• Evolution of BEC Methods: The Analysis stated that “BEC scam methods have evolved over time.” For example, impersonating a CEO or other high-ranking business officer declined from 33 percent of sampled incidents in 2017 to 12 percent in 2018, while use of fraudulent vendor or client invoices increased from 30 percent of sampled incidents in 2017 to 39 percent in 2018.  FinCEN observed that the average transaction amount for BEC impersonation of a vendor or client invoice was $125,439, compared to $50,373 for CEO impersonation. “Despite representing 30 percent of total transactions, BEC fraud using a fraudulent vendor invoice accounted for 41 percent of total transaction amounts, ranking the highest among the scam typologies observed.”

In response to the threat that BEC schemes pose to companies and financial institutions, FinCEN also announced a number of measures that it is taking.  These include issuance of an update to its 2016 advisory to financial institutions on BEC schemes; the operation of its Rapid Response Program, which, in collaboration with law enforcement, recently exceeded $500 million in recovered BEC-related funds; and having its FinCEN Exchange Forum, which brings together law enforcement and financial institutions from across the country to share information, conduct a meeting that focused “on identifying and combatting potential BEC and resultant money laundering and terrorist financing activities.”

Note:  Financial-crimes compliance teams at companies and financial institutions should take note of the trend data in the Financial Trends Analysis, particularly the increased use of fraudulent vendor or client invoices.   Compliance officers should share that information with their finance departments and confer with them about their invoice reconciliation and validation processes, including for emails or telephone calls purportedly from a senior executive or “trusted” third party who insists on an immediate wire transfer to pay an invoice for five-six-, or even seven-figure amounts.  If leading companies such as Google and Facebook can lose vast amounts to BEC invoice schemes, so can any firm that does not maintain constant vigilance for such schemes.

On July 18, the Financial Times reported that the Chinese Central Commission for Discipline Inspection (CCDI), the Communist Party’s mechanism for investigating corruption and misconduct by Party officials, “plans to expand its anti-corruption campaign overseas by embedding officers in countries participating in China’s Belt and Road Initiative.”

According to La Yifan, the CCDI Director-General for International Co-operation, the scale of the massive BRI, which has been projected to exceed $1 trillion, is prompting the CCDI “to expand its presence internationally to monitor the activity of Chinese companies” participating in the BRI.

The Financial Times reported that the CCDI began this approach to combating BRI-related corruption in 2017 in Laos,

to oversee a railway project being built by a state-owned company. CCDI embedded its inspectors in the project, allowing them to work alongside the company. It has also set up a joint inspection team with its Laotian counterpart.

La stated that the CCDI “plans to expand those operations by embedding inspectors in other large projects across the region.”  In his words, “’We are trying to gather these practices into a standard format and copy it for other mega projects to follow suit’ . . . . So many countries have shown interest to follow suit, including the Philippines and other neighbouring countries’.”

La reportedly characterized this CCDI initiative as “an extension of China’s domestic anti-corruption campaign.” As he put it, “’How can you strike hard on corruption here at home and give a free hand to Chinese people and business groups [that are] reckless abroad’ . . . Part of the campaign is to go after corruption and stolen assets abroad’.”

La also explained that

China had launched a series of seminars with more than 30 countries to help link up anti-corruption regulators. “That is my dream, that we create a network of law enforcement of all these Belt and Road countries,” he said. “We are starting this network to exchange views on that.”

Note: La’s comment that this CCDI initiative “is an extension of China’s domestic anti-corruption campaign” is the epitome of understatement.  Although China Daily recently touted the BRI as “a path to clean governance,” the BRI has been operating in numerous countries that pose substantial bribery and corruption risk and without adequate oversight.  That inattention to corruption has contributed not only to arrests and convictions of former foreign officials who bribed officials in Belt and Road countries, but to a growing backlash by countries skeptical of the BRI’s purported benefits for them.

The decision to expand the international reach of the CCDI, whose authority was substantially enhanced last year, reflects a recognition by the Chinese government that it needs to pursue BRI-related corruption far more aggressively if it is to succeed in persuading other countries that its commitment to a “Clean Silk Road” is genuine.

On July 18, the United States Attorney’s Office for the Southern District of Ohio announced that a federal grand jury in that district had indicted the Ohio-based pharmaceutical distributor Miami-Luken and four individuals on a charge of conspiring to distribute controlled substances (i.e., hydrocodone).  The four individual defendants included Anthony Rattini, Miami-Luken’s former president; James Barclay, Miami-Luken’s former compliance officer; Devonna Miller-West, a pharmacist who owned and operated Miller-West Pharmacy in Oceana, West Virginia; and Samuel “Randy” Ballengee, a pharmacist who owned and operated Tug Valley Pharmacy in Williamson, West Virginia.

According to the indictment, which was unsealed after the individual defendants’ arrests on July 18, Rattini, Barclay, and Miami-Luken, which reportedly “supplied pharmaceuticals to more than 200 pharmacies in Ohio, West Virginia, Indiana and Tennessee,”

sought to enrich themselves by distributing millions of painkillers to doctors and pharmacies in rural Appalachia, where the opioid epidemic was at its peak.

The distributor and its officials allegedly continued to distribute millions of pills to Westside, Tug Valley and other pharmacies even after being advised by the DEA of their responsibilities as a wholesaler to ensure drugs were not being diverted and to report suspicious orders.

The U.S. Attorney’s Office also stated that Miami-Luken and its officials

filled suspicious orders placed by Miller-West, Ballengee and others.

For example, Rattini, Barclay and Miami-Luken allegedly ignored obvious signs of abuse by distributing more than 2.3 million oxycodone pills and 2.6 hydrocodone pills to Miller-West’s pharmacy in a town of approximately 1,394 people.

Ballengee’s pharmacy allegedly received more than 120,000 painkiller pills from Miami-Luken in one month.  From 2008 through 2014, Miami-Luken distributed more than 6 million hydrocodone pills to Tug Valley Pharmacy.

In addition, Miami-Luken “allegedly provided another 2.2 million pills from 2012 through 2014 to another pharmacy that had been cut off from other wholesalers.”  The company’s sales efforts from 2008 until 2015 resulted in generating more than $173 million in consolidated sales per year, and receiving more than 70 percent of its profits from wholesale distribution.

Note: Many observers of the pharma sector have been concerned about the extent to which opioid-related litigation would seek to target distributors and pharmacies for contributing to the opioid crisis across the country.  This indictment, along with the recent federal indictment of and resolution with Rochester Drug Co-Operative (RDC), indicates the approach that the Justice Department is apparently taking with regard to criminal charges against those two segments of the supply chain.

In both cases, the Justice Department is seeking to hold accountable specific distributor firms not merely for having distributed opioid drugs in large volumes, but having done so despite specific evidence that the firms knew that certain pharmacies posed a high risk of illegal diversion.  In Miami-Luken’s case, that knowledge allegedly included specific reminders from the Drug Enforcement Administration about avoiding involvement in illegal diversion, knowledge of “red flags” about particular pharmacies, and continuing to fill suspicious orders from certain pharmacies.  In RDC’s case, that knowledge included direction by its senior management to supply dangerous opioids “to pharmacy customers that its own compliance personnel determined were dispensing those drugs to individuals who had no legitimate medical need for them,” distribution of controlled substances “to those pharmacies even after identifying ‘red flags’ of diversion,” and frequently bringing on “pharmacy customers that had been terminated by other distributors.”

Both cases also involve indictment of the former chief compliance officers of the companies in question.  That fact indicates the Justice Department’s interest in signaling to pharma chief compliance officers the consequences of failing to report suspicious orders and choosing to ignore diversion “red flags,” such as termination of pharmacies by other distributors, in the interest of maintaining or increasing sales.