Anti-Money Laundering Landscape
A variety of regulatory and law enforcement agencies at the federal, state and local level have jurisdiction over ensuring that financial institutions comply with the BSA and other AML laws. Banks and other depository institutions are regularly examined for BSA compliance by their primary federal regulators: the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC) and the Board of Governors of the Federal Reserve System (the "Federal Reserve"). The Securities and Exchange Commission (SEC) performs much the same function for broker-dealers, and, under a proposed regulation, would also do so for registered investment advisers. Various state regulators such as the New York Department of Financial Services also examine banks and other financial institutions for compliance with AML laws.
The BSA and other AML laws have criminal enforcement provisions, and federal and state law enforcement officials often have a high degree of autonomy in choosing to bring criminal charges. The U.S. Attorney's Office for the Southern District of New York and the New York County District Attorney's Office have been two of the most aggressive prosecutors in pursuing such charges. In addition to traditional law enforcement of BSA/AML crimes, the United States Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) acts as hybrid regulator. Although housed within the Department of the Treasury, FinCEN is tasked with bringing civil enforcement actions for violations of the BSA in broad financial context.
Recent Changes in AML Regulations
While FinCEN has used the enforcement process to steer financial institutions away from high-risk customers and impose individual liability on those responsible for institutions' BSA/AML compliance, it has also utilized the formal rulemaking process to impose new AML program requirements on covered institutions under the BSA. In addition to the proposed investment adviser rule described above, FinCEN has finalized its "enhanced customer due diligence" rule. BSA programs have traditionally been composed of four "pillars" – internal policies, procedures and controls to prevent money laundering; a qualified BSA Officer; ongoing employee AML training; and an independent audit function to test the BSA program. The new rule adds a fifth pillar – enhanced customer due diligence. Under the enhanced customer due diligence pillar, covered financial institutions, including depository institutions, broker-dealers and mutual funds, must verify a customer's identity and purpose for opening an account at the time of account opening. If the customer is an entity rather than a natural person, the financial institution must identify the beneficial owners who "control" the customer at the time of the account opening. The new rule uses a broader definition of "control" than is traditionally used in commercial settings. For example, any person who owns 25 percent or more of the customer would be deemed to "control" the customer. Finally, financial institutions must continue to update and monitor their customer due diligence on a periodic basis. This would include confirming the beneficial ownership of a customer, verifying the customer's and beneficial owners' identities, and understanding the nature and purpose of customer relationships.
FinCEN has not been the only regulator to issue new regulations and guidance in the area of AML. In recent years, each of the OCC, FDIC and Federal Reserve have released guidance on managing third-party relationships, including vendors. Notably, the OCC has expressed a willingness to pursue third-parties who play a significant role in the conduct or affairs of the financial institution under an "institution affiliated party" theory for violations at the financial institution caused by the third-party. While the OCC has not yet pursued a third-party vendor for violations of AML laws at a regulated financial institution, it is possible that the OCC could bring an enforcement action against third-party vendors such as mortgage servicers, software providers or external auditors under its guidance.
Recent Trends in AML Enforcement Actions
Two recent trends in AML enforcement actions are: (i) the use of proxy enforcement actions against banks and other depository institutions as a means of forcing such institutions to "debank" customers who present heightened money laundering risk, such as foreign account holders and money services businesses (MSB) and (ii) actions against individuals responsible for an institution's BSA/AML compliance.
In issuing two recent enforcement penalties, FinCEN noted that the penalized depository institutions failed to maintain BSA/AML programs that adequately addressed the money laundering risk posed by their customer bases. In December 2016, FinCEN issued a $500,000 civil money penalty to Bethex Federal Credit Union (Bethex). Among other violations, Bethex failed to maintain an AML program reasonably designed to monitor the high number of foreign payment transactions in its customer accounts. Merchant's Bank of California (Merchant's) was fined $7 million by FinCEN and $1 million by the OCC for similar issues in February 2017. In addition to failing to perform adequate monitoring of foreign transaction accounts, Merchant's was fined for failing to do appropriate customer due diligence and detect and report suspicious activity with regards to the accounts of MSB customers. FinCEN also has direct enforcement jurisdiction over MSBs under the BSA. FinCEN and the U.S. Department of Justice reached a $586 million settlement with Western Union to resolve AML violations in January 2017 and imposed enhanced compliance requirements.
Regulators and law enforcement have, in recent years, sought to ensure compliance with AML laws by bringing enforcement actions directly against individuals responsible for institutions' AML compliance programs. In March 2017, the Chief Compliance Officer and BSA Officer of Trident Partners Ltd. were sentenced to six months in prison for participating in a money laundering scheme that diverted customer money. In May 2017, FinCEN secured a $250,000 civil money penalty in the U.S. District Court for the Southern District of New York against the former Chief Compliance Officer of MoneyGram for his alleged role in MoneyGram's failure to implement an effective BSA/AML program, specifically the failure to file necessary suspicious activity reports (SAR). This penalty was the largest ever imposed by FinCEN against an individual and only the second time in FinCEN's history that it sued to enforce a civil money penalty.
Key Takeaways and Next Steps
Several key takeaways are evident both in reviewing recent AML enforcement and regulatory actions as well as the government's continued interest in bringing enforcement actions against money launderers:
Community banks and other small financial institutions will continue to be targets of regulatory and law enforcement scrutiny, especially where those institutions have customers such as MSBs, casinos or cash-intensive businesses that present a heightened risk of money laundering activity. These institutions are at a heightened risk of AML enforcement, because they often do not have the resources to implement BSA/AML programs required by the heightened expectations of regulators.
Non-bank lenders and lessors and MSBs are attracting more regulatory attention than in years past. From 2014 to the present, a full 39 percent of FinCEN enforcement actions have been directed at non-bank lenders and MSBs. This is in comparison to depository institutions which only accounted for 24 percent of FinCEN enforcement actions.
Financial institutions such as mortgage servicers and other depository institution service providers that do not have BSA/AML program requirements are still at risk from AML enforcement actions. To the extent such financial institutions pose money laundering risk, regulatory and law enforcement agencies may pursue proxy enforcement actions to convince banks and other depository institutions to drop such customers. Additionally, the OCC and other bank regulators could pursue such financial institutions as "institution affiliated parties" for facilitating violations of AML laws at regulated depository institutions.
While non-bank lenders are not required to maintained a BSA/AML program, these institutions may present a heightened risk of being utilized for money laundering and should consider voluntarily implementing BSA/AML programs.
Financial institutions can take several steps in order to mitigate the risk associated with these trends:
Adopt a front-, middle- or back-end strategy. First, train employees, officers and directors on the front-end about money laundering risks and AML laws applicable to your institution. This includes training for customer-facing employees who are the front line of defense against money laundering, and at least annual training for directors and senior executive officers on changes in AML laws. As a middle step, perform customer due diligence, including due diligence on beneficial owners of customers and consider whether to even open accounts for customers in industries with a high-risk of money laundering. On the back-end, maintain a strong internal audit function that tests your BSA/AML program, especially the Cash Transaction Report and SAR reporting functions.
Think like a bank. Banks and other depository institutions have long had the most sophisticated BSA/AML programs. Other institutions with BSA compliance obligations should look to bank BSA/AML programs for guidance, including performing enhanced customer due diligence, empowering a qualified BSA Officer (possibly with bank experience), proactively seeking guidance from FinCEN and considering whether to accept customers from high-risk jurisdictions or in high-risk industries.
Financial institutions without BSA/AML program obligations should consider voluntarily establishing BSA/AML programs. Such voluntary programs would not only help to identify and prevent money laundering, but would mitigate the risk of proxy enforcement actions or institution affiliated party enforcement actions, and in the event of an enforcement action, would likely result in leniency by the applicable regulatory or law enforcement agency.
Contact counsel related to any unclear BSA/AML issues and consider having counsel review your BSA/AML program or conduct training with directors and officers.