Global banks have been the focus of enforcement actions, focusing on AML and sanctions violations. With the new beneficial ownership regulations effective May 11, 2018, we are about to see a significant transformation in AML compliance and enforcement.
Justice Department prosecutors brought two significant AML enforcement actions in the beginning of 2018.
US Bancorp (USB) entered into a two-year deferred prosecution agreement (DPA) for failing to maintain an adequate anti-money laundering program and failing to file a suspicious activity report (SARs). USB agreed to pay $458 million in forfeiture, a $75 million penalty to the Office of the Comptroller of the Currency, and a $70 million payment to the Department of Treasury’s Financial Crime Enforcement Network (FinCEN).
Rabobank’s subsidiary plead guilty to a conspiracy to violate money laundering laws and obstruction of a regulatory investigation of its activities in California. Rabobank agreed to pay $368 million in forfeited funds.
The lessons learned from these two significant AML enforcement actions include:
Adequate Resources: A financial institution that fails to allocate adequate resource to operate a robust AML compliance program is doomed to fail. Both USB and Rabobank allocated minimal resources to their respective compliance programs and suffered serious consequences when their compliance programs faltered. A company that ignores the need for resources is demonstrating its lack of commitment to ethics and compliance and will never be able to achieve an effective ethics and program.
Avoid pre-established criteria for SARs and account/transaction scrutiny: USB adopted set criteria for the number of high-risk transactions that could be reviewed and the number of SARs that could be filed. Such an approach, by definition, was ineffective because it failed to account for relevant circumstances and changes in risk profiles. When USB fixed the problem, USB discovered there were a large number of transactions/accounts that should have been renewed, and USB ended up filing 2,121 SARs for a six-month period.
Implement controls for regulatory interactions: USB and Rabobank deceived and mislead the Office of Comptroller of the Currency. To avoid such a problem, companies have to establish internal controls governing responses to regulatory inquiries and audits and have multiple levels of review to ensure that accurate and complete information is provided to the regulators. If a single person or small group of persons have such responsibility, they can coordinate and conspire to mislead the regulator, especially when their conduct is at issue.
Apply rules no matter the size of the customer: USB and Rabobank sought to protect large customers who were important to the bank’s financial performance. This is a critical point – bank rules and policies have to be applied consistently when dealing with large customers.
Document and subject to internal review changes in policies and procedures: Rabobank sought to circumvent AML restrictions by adding high-risk customers to a verified list of approved customers. Such additions should be subject to careful review and any change in policies and practices has to be reviewed, justified and supported by careful analysis.
Independent AML assessments are critical: Surprisingly, Rabobank had an independent AML assessment conducted during the period of misconduct. The report found a number of deficiencies in the AML compliance program. Companies have to be aware of an assessment, share the results, and develop a remediation plan that is subject to oversight, monitoring and continuing review. Banks have to devote more time and attention to the assessment process and the implementation of remediation based on such an assessment.