BSA Compliance Fails, Go to Jail: A New Challenge for Directors and Officers of Financial Institutions

by Manatt, Phelps & Phillips, LLP

For many years the government has encouraged directors and officers of corporations to ensure that they have robust compliance programs to detect and prevent violations of law. This is especially important in regulated industries including defense, healthcare and banking. The U.S. Sentencing Guidelines and the U.S. Department of Justice’s Principles of Federal Prosecution of Business Organizations contain significant incentives for corporations to join in the government’s law enforcement efforts by implementing and maintaining effective compliance programs.2

In addition, with the easing of the financial crisis, there is an enhanced regulatory focus on the importance of strict and robust compliance by banks and other financial institutions with the provisions of the Bank Secrecy Act (BSA)3 to ensure that the institution’s anti-money laundering (AML) program is strong. This focus relies on the examination process, follow-on visitations and, if necessary, regulatory enforcement, cease and desist and civil money penalty orders to ensure that these institutions are complying with the BSA and ensuring that their customer accounts and other facilities are not being used to engage in money laundering, drug and terrorist financing, and other criminal conduct.

Recently, however, the government has increasingly used another weapon against banks and other financial institutions, and their directors and officers – criminal charges for willfully failing to maintain an adequate compliance program as required by the BSA. While the government has used this statute against several financial institutions over the last ten years, it was the formation of the Bank Integrity Unit at the U.S. Department of Justice – announced by the Assistant Attorney General in charge of the Criminal Division, Lanny Breuer, in an October 2010 speech4 – that signaled the government’s new willingness to turn this powerful prosecutorial weapon on financial institutions themselves, especially those which have “abdicated their roles as responsible gatekeepers to the American banking system.”

The mission of the Bank Integrity Unit is to focus not only on financial institutions themselves, but also their directors and officers, to the extent that they ignore their obligations to implement and maintain BSA/AML compliance and allow their institutions to be used for criminal purposes. A willful violation of this or any other requirement of the BSA could result in criminal penalties for the financial institution and its directors and officers, including enhanced penalties where the violation occurs in connection with another violation of law or as part a pattern of illegal activity.5

The BSA requires, at a minimum, the four pillars of anti-money laundering (AML) compliance:

(A) The development of internal policies, procedures, and controls;

(B) The designation of a compliance officer;

(C) An ongoing employee training program; and

(D) An independent audit function to test the BSA/AML compliance program.6

A “willful” failure to maintain an adequate BSA/AML program that meets these four basic requirements means not only that the financial institution failed to comply with these requirements, but also that the financial institution knew that its failure to do so was unlawful.7

In a recent case prosecuted in Los Angeles, the Bank Integrity Unit obtained plea agreements from a check cashing business and its manager and compliance officer for failing to maintain an adequate AML program and conspiring to fail to file required CTRs on customer transactions.8 The manager was sentenced to five years in prison and the manager to eight months, and the check cashing business itself was ordered to pay a fine of nearly $1 million and to forfeit approximately $250,000 in profits for unreported cash transactions.

The government has signaled a willingness to prosecute larger financial institutions as well. Various Deferred Prosecution Agreements (DPAs) against financial institutions over the last several years – the most recent and high-profile of which was entered into with HSBC in December 2012 – contain important lessons for financial institutions and their directors and officers.9 For example, the crimes that occurred as a result of the banks’ willful failure to implement and maintain adequate BSA/AML compliance programs ranged from the laundering of illegal drug sale proceeds (e.g., BankAtlantic, American Express Bank International, Union Bank of California, Wachovia Bank, Ocean Bank) to evasion of OFAC restrictions on transactions with sanctioned entities such as Cuba, Libya, Iran, and the Sudan (ABN AMRO Bank). Other cases in which the particular crime of willful failure to maintain an adequate BSA/AML compliance program was not charged – but where the compliance failure was clear and strengthened compliance was an integral part of the DPA – also involved violations of OFAC regulations and sanctions regimes (Standard Chartered, ING, Barclays, Lloyds).10

As is reflected in these DPAs the government focuses on the following factors to show knowledge of money laundering risks in connection with a financial institution’s business:

  • Any relevant publicly available information, such as government-issued warnings, news articles and press releases highlighting money laundering risks;
  • The location of the bank in a federally designated “High Intensity Money Laundering and Related Financial Crime Area”; and
  • Internal documents evidencing knowledge of money laundering risks within the bank’s business activities.

Moreover, based on these DPAs, the government will cite these and other factors to establish the lack of an adequate BSA/AML compliance program:

  • Failure to adequately monitor high-risk accounts, and particularly the failure to maintain an adequate automated monitoring system designed to detect suspicious activity;
  • Failure to perform adequate customer due diligence, and particularly the failure to gather the recommended “Know Your Customer” information regarding the customer’s true identity, source of funds, and typical and expected transactions;
  • Failure to provide adequate resources and training to the bank’s compliance department;
  • Failure to adequately self-audit;
  • Failure to conduct risk assessments on accounts;
  • Filing an extremely low number of Suspicious Activity Reports (as required by the BSA) in relation to other comparably-sized institutions;
  • Failure to have policies and procedures for handling suspicious activity;
  • Failure to terminate accounts with known suspicious activity; and
  • Failure to provide ways for members of lower-level management to communicate suspicious activity to each other.

In short, the government is flexing its muscles and invoking new tools in an effort to prevent the financial system from being used for criminal activity. Historically, the government has sought to enlist financial institutions in this effort. Now, enlistment is no longer a choice – a failure to do so could subject a financial institution – along with its directors and officers – not only to regulatory sanctions, but also to criminal fines and imprisonment.

1. The authors gratefully acknowledge the assistance of Manatt associates Sirena Castillo and Colin McGrath in the preparation of this newsletter. back to text

2.U.S. Sentencing Guidelines § 8B2.1,; Principles of Federal Prosecution of Business Organizations, U.S. Attorney’s Manual § 9-28.800. back to text

3. 31 U.S.C. § 5311 et seq. back to text

4. back to text

5.31 U.S.C. § 5322. back to text

6. 31 U.S.C. § 5318(h)(1). back to text

7. United States v. Ratzlaf, 510 U.S. 135 (1994). back to text

8. back to text

9.The first DPA in 2006 involved BankAtlantic (U.S. v. BankAtlantic, No. 06-cr-60126 (S.D. Fla. Apr. 27, 2006)), and was followed by American  ExpressBank International (U.S. v. American Express Bank Int’l, No. 07-cr-20602 (S.D. Fla. Aug. 6, 2007)), Union Bank of California (U.S. v. Union Bank of California, N.A., No. 07-cr-02566 (S.D. Cal. Sept. 18, 2007)), Wachovia Bank (U.S. v. Wachovia Bank, N.A., No. 10-cr-20165 (S.D. Fla. Mar. 16, 2010)), ABN AMRO Bank (U.S. v. ABN AMRO Bank N.V., No. 10-cr-00124 (D.D.C. May 10, 2010)), Ocean Bank (U.S. v. Ocean Bank, No. 11-cr 20553 (S.D. Fla. Aug. 16, 2011)), and HSBC (U.S. v. HSBC Bank USA, N.A., No. 12-cr-763 (E.D.N.Y. Dec. 20, 2012)). back to text

10.U.S. v. Standard Chartered Bank, 1:12-cr-00262-JEB (D.D.C. December 10, 2012); U.S. v. ING Bank, N.V., No. 1:12-cr-00136 (D.D.C. Jun. 12, 2012); U.S. v. Barclays Bank, PLC, No. 10-cr-00218 (D.D.C. Aug. 16, 2010); U.S. v. Lloyds TSB Bank, PLC, No. 09-cr-007 (D.D.C. Jan. 9, 2009). back to text

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Manatt, Phelps & Phillips, LLP | Attorney Advertising

Written by:

Manatt, Phelps & Phillips, LLP

Manatt, Phelps & Phillips, LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.