Compliance Officers Professional Liability
“If you can’t stand the heat, get out of the kitchen.” Harry S. Truman
Recent regulatory developments have compliance officers nationwide very concerned about their jobs and the possible consequences of actions (or inactions) taken while employed for financial institutions. Even when the hiring market for compliance professionals has been very active in recent years, the risks that come with the job cannot be overlooked.
A review of the recent enforcement actions published by federal regulatory agencies found several actions against “institution-affiliated parties” for engaging in reckless unsafe or unsound practices. According to the enforcement actions examined these violations or practices were part of a pattern of misconduct that caused more than a minimal loss to the institutions involved. The misconduct noted in these cases resulted in financial and reputational losses to the institutions involved; demonstrated willful or continuing disregard for the safety and soundness of the institutions involved, and involved reckless disregard for the applicable laws or regulations.
Those stakes make compliance a high-pressure job. According to a study from the British Bankers’ Association and LexisNexis Risk Solutions, fifty four percent of those surveyed said they would leave the financial industry if an opportunity arose. In an already hot recruitment situation, this could be devastating for banks and other financial institutions trying to stay on top of the current regulatory environment.
General Requirements – Duties of Directors and Officers
Service as a director or officer of a federally insured bank represents an important business assignment that carries with it commensurate duties and responsibilities.
Banks need to be able to attract and to retain experienced and conscientious directors and officers. When an institution becomes troubled, it is especially important that it have the benefit of the advice and direction of people whose experience and talents enable them to exercise sound and prudent judgment.
Directors and officers of banks have obligations to discharge duties owed to their institution and to the shareholders and creditors of their institutions, and to comply with federal and state statutes, rules and regulations. Similar to the responsibilities owed by directors and officers of all business corporations, these duties include the duties of loyalty and care.
The duty of loyalty requires directors and officers to administer the affairs of the bank with candor, personal honesty and integrity. They are prohibited from advancing their own personal or business interests, or those of others, at the expense of the bank.
The duty of care requires directors and officers to act as prudent and diligent business persons in conducting the affairs of the bank.
This means that directors are responsible for selecting, monitoring, and evaluating competent management; establishing business strategies and policies; monitoring and assessing the progress of business operations; establishing and monitoring adherence to policies and procedures required by statute, regulation, and principles of safety and soundness; and for making business decisions on the basis of fully informed and meaningful deliberation.
Officers are responsible for running the day to day operations of the institution in compliance with applicable laws, rules, regulations and the principles of safety and soundness. This responsibility includes implementing appropriate policies and business objectives.
Directors must require and management must provide the directors with timely and ample information to discharge board responsibilities. Directors also are responsible for requiring management to respond promptly to supervisory criticism. Open and honest communication between the board and management of the bank and the regulators is extremely important.
The FDIC and other regulatory agencies will not bring civil suits against directors and officers who fulfill their responsibilities, including the duties of loyalty and care, and who make reasonable business judgments on a fully informed basis and after proper deliberation. However, as receiver for a failed financial institution, the FDIC may sue professionals who caused losses to the institution in order to maximize recoveries. These individuals can include officers and directors, attorneys, accountants, appraisers, brokers, or others. Professional liability claims also include direct claims against insurance carriers such as fidelity bond carriers and title insurance companies.
Professional liability suits are only initiated if they are both meritorious and expected to be cost-effective. Before seeking recoveries from professionals, for example, the FDIC conducts a thorough investigation into the causes of the losses. Most investigations are completed within 18 months from the time the institution is closed. All lawsuits against former directors and officers require review by senior FDIC supervisory and legal staff and approval by the FDIC Board of Directors. Prior to filing a lawsuit, staff in most cases will attempt to settle with the responsible parties. If a settlement cannot be reached, the FDIC will file a complaint, usually in federal court, and sometimes in state court.
When pursuing professional liability litigation, the FDIC typically engages outside counsel to assist. Attorneys in the Legal Division manage all legal assignments and litigation, including matters referred to outside counsel, and oversee settlement and litigation strategy. As a result, the FDIC’s in-house attorneys are always available to discuss all aspects of litigation, including settlement.
As receiver, the FDIC has at least three years for tort claims and six years for breach-of-contract claims to file suit from the time a bank is closed. If state law permits a longer time, the state statute of limitations is followed.
Professionals may be sued for, among other things, either gross or simple negligence. The Supreme Court has ruled that the FDIC may pursue simple negligence claims against directors and officers if state law permits. Federal law preempts state law that insulates directors and officers from gross negligence or worse conduct. Bank directors are allowed to exercise business judgment without incurring legal liability.
Not all bank failures result in Director and Officer (D&O) lawsuits. The FDIC brought claims against directors and officers in 24 percent of the bank failures between 1985 and 1992. From 1986 through 2014, the FDIC and former Resolution Trust Corporation (1989-1995) collected $8.62 billion from professional liability claims. Over that same time, they spent $2.14 billion to fund all professional liability claims and investigations. Early in the process of professional liability claims, expenses will often exceed recoveries due to the costs incurred in handling new investigations. Professional liability program recoveries lag expenses by several years until settlements occur and judgments are awarded.
From January 1, 2009, through March 18, 2016, the FDIC has authorized suits in connection with 151 failed institutions against 1,213 individuals for D&O liability. This includes 108 filed D&O lawsuits (92 of which have fully settled, and 1 of which resulted in a favorable jury verdict) naming 826 former directors and officers. The FDIC also has authorized 72 other lawsuits for RMBS, LIBOR suppression, fidelity bond, insurance, accounting malpractice, appraiser malpractice, securities, and attorney malpractice claims. In addition, 79 residential mortgage malpractice and fraud lawsuits are pending, consisting of lawsuits filed and inherited.
These cases rely on state and federal law, including 12 U.S.C. § 1821(k), which expressly provides that directors and officers of a failed institution “may be held personally liable for monetary damages in any civil action” by the FDIC as receiver for the failed bank”. However, it is also important to note that the FDIC’s ability to recover personal damages from bank employees extends beyond the officers and directors of failed institutions. For instance, under 12 U.S.C. §1818(b), the FDIC may also issue cease-and-desist orders to certain “institution-affiliated parties”, regardless of whether the institution has failed, if the affiliated party has either engaged in “unsound or unsafe practices” or violated federal banking law. The definition of “institution affiliated party” includes employees or other “agents” of financial institutions. Section 1821 further permits such a cease-and-desist order to require the employee(s) to “take affirmative action to correct the conditions resulting from any such violation or practice”. Courts have applied Section 1821 to impose personal liability on bank employees.
While the FDIC is fully prepared to litigate its claims against professionals of failed institutions to judgment, at any time during the process the parties may settle. Pursuing a settlement agreement may avoid costly and protracted litigation and result in greater recoveries. The FDIC publishes the terms and conditions of all settlements as they become available. The information is updated on a monthly basis.
Criminal Penalties for Money Laundering, Terrorist Financing, and Violations of the BSA
Penalties for money laundering and terrorist financing can be severe. A person convicted of money laundering can face up to 20 years in prison and a fine of up to $500,000. Any property involved in a transaction or traceable to the proceeds of the criminal activity, including property such as loan collateral, personal property, and, under certain conditions, entire bank accounts (even if some of the money in the account is legitimate), may be subject to forfeiture.
Pursuant to various statutes, banks and individuals may incur criminal and civil liability for violating AML and terrorist financing laws. For instance, pursuant to 18 USC 1956 and 1957, the U.S. Department of Justice may bring criminal actions for money laundering that may include criminal fines, imprisonment, and forfeiture actions. In addition, banks risk losing their charters, and bank employees risk being removed and barred from banking.
Moreover, there are criminal penalties for willful violations of the BSA and its implementing regulations under 31 USC §5322 and for structuring transactions to evade BSA reporting requirements under 31 USC §5324(d). For example, a person, including a bank employee, willfully violating the BSA or its implementing regulations is subject to a criminal fine of up to $250,000 or five years in prison, or both. A person who commits such a violation while violating another U.S. law, or engaging in a pattern of criminal activity, is subject to a fine of up to $500,000 or ten years in prison, or both. A bank that violates certain BSA provisions, including 31 USC 5318(i) or (j), or special measures imposed under 31 USC §5318A, faces criminal money penalties up to the greater of $1 million or twice the value of the transaction.
Since the enactment of the USA PATRIOT Act and until recently, the DOJ has brought numerous criminal BSA cases and collected forfeitures exceeding $1.69 billion from financial institutions. For example, on March 12, 2015 Commerzbank AG, a global financial institution headquartered in Frankfurt, Germany, and its U.S. branch, Commerzbank AG New York Branch (Commerz New York), agreed to forfeit $563 million, pay a $79 million fine and enter into a deferred prosecution agreement with the Justice Department for violations of the International Emergency Economic Powers Act (IEEPA) and the Bank Secrecy Act (BSA). The bank also entered into settlement agreements with the Treasury Department’s Office of Foreign Assets Control (OFAC) and the Board of Governors of the Federal Reserve System. In another example, in January 2014, the Manhattan U.S. Attorney announced criminal BSA charges against JPMorgan Chase Bank and simultaneously announced a deferred prosecution agreement. Under the DPA, JPMorgan forfeited $1.7 billion, double the DOJ’s historical BSA penalties.
More recently, for example, the Office of the Comptroller of the Currency published a consent order for a cease and desist and civil money penalty proceedings against a former bank employee on the basis of his activities while serving as Chief Compliance Officer (CCO) and Chief Risk Officer (CRO). The Comptroller found that during the period while the former employee was CCO and CRO, the (employer) bank failed to timely file suspicious activity reports on a set of accounts for a customer who was later convicted of crimes relating to an illegal Ponzi scheme. The (employer) bank’s BSA Officer investigated this activity, reported this information to the former employee, prepared suspicious activity reports, and communicated the preparation of those reports to the former employee who agreed with the contents of those reports, but failed to ensure that the bank filed timely suspicious activity reports, causing the bank to be in violation of laws and regulations.
All signs point to continued increased criminal and civil enforcement, with new units being created in several key prosecutors’ offices to focus on BSA violations. And as prosecutors have gotten more involved in BSA enforcement, the regulatory penalties have also sky-rocketed. Foreign jurisdictions are also adopting and enforcing their own AML statutes, further crowding the enforcement landscape.
BSA/AML Compliance Program Requirement – What is Expected?
Financial institutions are responsible for developing and administering a program to assure and monitor compliance with the Bank Secrecy Act (BSA) and related regulations (BSA Compliance Program). The federal regulatory agencies are responsible for regularly reviewing BSA Compliance Programs, communicating identified deficiencies and apparent violations to the institution’s management and Board of Directors (and other regulatory authorities, as appropriate), and taking supervisory action to address the associated risks.
Under section 8(s) of the Federal Deposit Insurance Act (“FDIA”) and section 206(q) of the Federal Credit Union Act (“FCUA”), each of the federal regulatory agencies (agencies) is directed to prescribe regulations requiring each insured depository institution to establish and maintain procedures reasonably designed to assure and monitor the institution’s compliance with the requirements of the Bank Secrecy Act (“BSA Compliance Program”). Sections 8(s) and 206(q) also require that each agency’s examinations of an insured depository institution include a review of the BSA Compliance Program and that its reports of examination describe any problem with the BSA Compliance Program. Finally, sections 8(s) and 206(q) state that if an insured depository institution has failed to establish and maintain a BSA Compliance Program or has failed to correct any problem with the BSA Compliance Program previously reported to the institution by the appropriate agency, the appropriate agency shall issue a cease and desist order against the institution. As required by sections 8(s) and 206(q), each of the agencies has issued regulations that require any institution it supervises or insures to establish and maintain a BSA Compliance Program. Each of these regulations imposes substantially the same requirements.
The BSA/AML compliance program must be written, approved by the board of directors, and noted in the board minutes. A bank must have a BSA/AML compliance program commensurate with its respective BSA/AML risk profile. Furthermore, the BSA/AML compliance program must be fully implemented and reasonably designed to meet the BSA requirements. Policy statements alone are not sufficient; practices must coincide with the bank’s written policies, procedures, and processes. The BSA/AML compliance program must provide for the following minimum requirements:
- A system of internal controls to ensure ongoing compliance;
- Independent testing of BSA/AML compliance;
- Designation of an individual or individuals responsible for managing BSA compliance (BSA compliance officer); and
- Training for appropriate personnel.
In addition, a Customer Identification Program (CIP) must be included as part of the BSA/AML compliance program.
The board of directors of a financial institution is ultimately responsible for developing and administering a BSA Compliance Program that ensures compliance with regulatory requirements. To a large degree, the success of an institution’s BSA Compliance Program is founded on the actions taken by its board and senior management. Key actions that a board and management may take to demonstrate their commitment to maintaining an effective BSA Compliance Program and to set a positive climate for compliance include:
- demonstrating clear and unequivocal expectations about compliance;
- adopting clear policy statements;
- appointing a compliance officer with authority and accountability;
- allocating resources to compliance functions commensurate with the level and complexity of the institution’s operations;
- conducting periodic compliance audits; and
- providing for recurrent reports by the compliance officer to the board.
Leadership on compliance by the board of directors and senior management sets the tone in an organization. The board and senior management should discuss compliance topics during their meetings. They should include compliance matters in their communications to institution personnel and the general public. Institution management and staff should have a clear understanding that compliance is important to the board and senior management, and that they are expected to incorporate compliance in their daily operations.
Policy statements on compliance topics provide a framework for the institution’s procedures and provide clear communication to management and employees of the board’s intentions toward compliance.
The “compliance culture” of the institutions is measured and rated under the “Management” component. According to the federal banking agencies, a strong “compliance culture” will be rated “One” defined as follows: An institution in this category is in a strong compliance position. Management is capable of and staff is sufficient for effectuating compliance. An effective compliance program, including an efficient system of internal procedures and controls, has been established. Changes in consumer statutes and regulations are promptly reflected in the institution’s policies, procedures and compliance training. The institution provides adequate training for its employees. If any violations are noted they relate to relatively minor deficiencies in forms or practices that are easily corrected. There is no evidence of discriminatory acts or practices, reimbursable violations, or practices resulting in repeat violations. Violations and deficiencies are promptly corrected by management. As a result, the institution gives no cause for supervisory concern.”
Federally regulated institutions then need to consider their “Compliance Management” practices as a top priority. “Compliance Management” is the means by which organizations can assure compliance in accordance with the rules, regulations, laws, and other requirements to which the organization is subject. A Compliance Management system is how an institution (a) learns about its compliance responsibilities; (b) ensures that employees understand these responsibilities; (c) ensures that requirements are incorporated into business processes; (d) reviews operations to ensure responsibilities are carried out and requirements are met; and (e) takes corrective action and updates materials, as necessary.
The complexity of the Compliance Management system will depend on the size and complexity of each institution. The type of oversight needed for a Compliance Management program can also vary considerably depending upon the scope and complexity of the organization’s activities, the geographic reach of the organization, and other inherent risk factors.
BSA/AML Compliance Program Requirement – Compliance Officer
Regardless of size or institution complexity, the first step a board of directors and senior management should take in providing for the administration of the BSA Compliance Program is the designation of a compliance officer. The bank’s board of directors must designate a qualified individual to serve as the BSA compliance officer. The BSA compliance officer is responsible for coordinating and monitoring day-to-day BSA/AML compliance. The BSA compliance officer is also charged with managing all aspects of the BSA/AML compliance program and with managing the bank’s adherence to the BSA and its implementing regulations; however, the board of directors is ultimately responsible for the bank’s BSA/AML compliance. In developing the organizational structure of the compliance program, the board and senior management must grant a compliance officer sufficient authority and independence to cross departmental lines; have access to all areas of the institution’s operations; and effect corrective action.
Compliance officers are the first line of defense in their institutions against money laundering and other financial crimes. Well before a grand jury subpoena is served or a SAR is filed, compliance officers can and do step in and stop issues from becoming problems down the road.
A qualified compliance officer is required to have knowledge and understanding of all appropriate regulations that apply to the business operations of the financial institution. The compliance officer should also have general knowledge of the overall operations of the institution and interact with all of the departments and branches to keep abreast of changes (e.g., new products and services or business practices, personnel turnover) that may require action to manage perceived risk. The appointment of a BSA compliance officer is not sufficient to meet the regulatory requirement if that person does not have the expertise, authority, or time to satisfactorily complete the job. While the title of the individual responsible for overall BSA/AML compliance is not important, his or her level of authority and responsibility within the bank is critical. The BSA compliance officer may delegate BSA/AML duties to other employees, but the officer should be responsible for overall BSA/AML compliance. The board of directors is responsible for ensuring that the BSA compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective BSA/AML compliance program based on the bank’s risk profile.
A compliance officer’s general responsibilities, regardless of the size or complexity of the institution’s operations, include:
- developing compliance policies and procedures;
- training management and employees in consumer protection laws and regulations;
- reviewing policies and procedures for compliance with applicable laws and regulations and the institution’s stated policies and procedures;
- assessing emerging issues or potential liabilities;
- coordinating responses to consumer complaints;
- reporting compliance activities and audit/review findings to the board; and
- ensuring corrective actions.
When more than one individual is responsible for compliance responsibility and accountability must be clearly defined.
As much as full-throated compliance programs are essential to preventing fraud and corruption, the quality and effectiveness of a compliance program is also an important factor that prosecutors consider in determining whether to bring charges against a business entity that has engaged in some form of criminal conduct. For example, the Department of Justice has indicated that in the after-the-fact reviews they conduct on corporate compliance programs, the department looks closely at whether compliance programs are simply “paper programs,” or whether the institution and its culture actually support compliance. The Department of Justice looks at pre-existing programs, as well as what remedial measures a financial institution took after discovering misconduct, including efforts to implement or improve a compliance program.
To be effective at overseeing compliance and maintaining a strong compliance posture, a compliance officer also must be provided with ongoing training, as well as sufficient time and adequate resources to do the job. The compliance officer may utilize third-party service providers or consultants to help administer the compliance program or audit functions. However, the compliance officer should perform sufficient due diligence to verify that the provider is qualified, because ultimately the institution is accountable for compliance with applicable laws and regulations.
The lines of communication should allow the BSA compliance officer to regularly apprise the board of directors and senior management of ongoing compliance with the BSA. Pertinent BSA-related information, including the reporting of SARs filed with FinCEN, should be reported to the board of directors or an appropriate board committee so that these individuals can make informed decisions about overall BSA/AML compliance. The BSA compliance officer is responsible for carrying out the direction of the board and ensuring that employees adhere to the bank’s BSA/AML policies, procedures, and processes.
In 2014 U.S. Assistant Attorney General James Cole warned compliance officers that the Justice Department will “hold banks and their employees responsible for their misconduct – no individual and no business, including a financial institution, is immune from prosecution.” This message was reinforced in 2015 when Assistant Attorney General Leslie R. Caldwell, while delivering remarks at the Compliance Week Conference, indicated that “corporations should be holding themselves accountable by designing compliance programs that don’t just look good on paper but actually work.”
On September 9, 2015, the Department of Justice (“DOJ”) issued a policy memorandum titled “Individual Accountability for Corporate Wrongdoing”, signed by Deputy Attorney General Sally Yates, regarding the prosecution of individuals in corporate fraud cases. This Memorandum indicates that “fighting corporate fraud and other misconduct is a top priority of the Department of Justice”. This memorandum follows a series of public statements made by DOJ officials indicating that they intend to adopt a more severe posture towards “flesh-and-blood” corporate criminals, not just corporate entities. Furthermore, this Memorandum formalizes six guidelines that are intended to strengthen the DOJ’s pursuit of individual corporate wrongdoing.
Examination of the BSA/AML Compliance Program
The federal banking agencies work to ensure that the organizations they supervise understand the importance of having an effective BSA/AML compliance program in place. Management must be vigilant in this area, especially as business grows and new products and services are introduced. An evaluation of the bank’s BSA/AML compliance program and its compliance with the regulatory requirements of the BSA has been an integral part of the supervision process for years. The BSA/AML examination is intended to assess the effectiveness of the institution’s BSA/AML compliance program and the institution’s compliance with the regulatory requirements pertaining to the BSA, including a review of risk management practices.
As part of a strong BSA/AML compliance program, the federal banking agencies seek to ensure that a bank has policies, procedures, and processes to identify and report suspicious transactions to law enforcement. The agencies’ supervisory processes assess whether banks have established the appropriate policies, procedures, and processes based on their BSA/AML risk to identify and report suspicious activity and that they provide sufficient detail in reports to law enforcement agencies to make the reports useful for investigating suspicious transactions that are reported.
But the federal banking agencies are not the only agencies looking at the institution’s compliance programs. As much as full-throated compliance programs are essential to preventing fraud and corruption, the quality and effectiveness of a compliance program is also an important factor that prosecutors consider in determining whether to bring charges against a business entity that has engaged in some form of criminal conduct.
As a checklist, on November 5, 2015 Assistant Attorney General Leslie R. Caldwell detailed the seven core considerations the Department of Justice will use to determine the effectiveness of corporate compliance programs:
- Does the institution ensure that its directors and senior managers provide strong, explicit and visible support for its corporate compliance policies?
- Do the people who are responsible for compliance have stature within the company? Do compliance teams get adequate funding and access to necessary resources?
- Are the institution’s compliance policies clear and in writing? Are they easily understood by employees? Are the policies translated into languages spoken by the company’s employees?
- Does the institution ensure that its compliance policies are effectively communicated to all employees? Are its written policies easy for employees to find? Do employees have repeated training, which should include direction regarding what to do or with whom to consult when issues arise?
- Does the institution review its policies and practices to keep them up to date with evolving risks and circumstances?
- Are there mechanisms to enforce compliance policies? Those include both incentivizing good compliance and disciplining violations. Is discipline even handed?
- Does the institution sensitize third parties like vendors, agents or consultants to the company’s expectation that its partners are also serious about compliance?
In the anti-money laundering and sanctions contexts, in particular, the DOJ requires more to consider a compliance program as “effective”. In those cases, DOJ prosecutors will ask:
- What does the institution’s “know your customer” policy look like? This seems basic, but an institution must ensure that its anti-money laundering, sanctions and other compliance policies and practices are tailored to identify and mitigate the risks posed by its unique portfolio of customers, and that those customers are providing complete and accurate information.
- If a financial institution operates in the U.S. – whether it is a U.S.-based bank or a U.S. branch or component of a foreign bank, is it complying with U.S. laws? This may sound straightforward in principle, but DOJ cases indicate that it is all too often not implemented in practice.
Part of those compliance program expectations includes sharing information about potentially suspicious activity with other branches or offices. For example, if a foreign branch of a U.S. bank identifies suspicious activity related to an account held by a customer that also maintains an account with the bank in the U.S., compliance personnel in the U.S. should be alerted to the suspicious activity. In the DOJ’s view, to effectuate these practices, financial institutions with a U.S. presence should give U.S. senior management a material role in implementing and maintaining a bank’s overall compliance framework.
- Is the company or financial institution candid with regulators? When the DOJ investigates companies, they look closely at the information the companies provided to regulators about the violation and at whether the companies were forthcoming, or not.
The vast majority of financial institutions file Suspicious Activity Reports when they suspect that an account is connected to nefarious activity. But, in appropriate cases, the DOJ encourages those institutions to consider whether to take more action: specifically, to alert law enforcement authorities about the problem, who may be able to seize the funds, initiate an investigation, or take other proactive steps. Some banks also take more action by closing the suspicious account, but sometimes that may just prompt the criminals to move the illicit funds elsewhere. So, the DOJ encourages financial institutions facing a decision to close or not a suspicious account to speak with regulators and law enforcement about particularly suspicious activity.
A recent decision from a federal district court and a proposed regulation from the New York State Department of Financial Services provide even more reasons for compliance officers at financial institutions to install robust BSA compliance programs in order to avoid personal liability.
In U.S. Department of Treasury v. Haider the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) alleged that MoneyGram’s former chief compliance officer, Thomas Haider, failed to take sufficient actions to terminate, and failed to file Suspicious Activity Reports (SARs) related to transactions he had reason to believe were related to money laundering, fraud, or other illegal activity. FinCEN fined him $1 million and brought action in federal court to collect the fine. Haider sought dismissal of the fine, arguing that the Bank Secrecy Act applies to institutions, not individuals. The court disagreed and denied his motion, reasoning that the Bank Secrecy Act’s civil penalties provision applies to “partners, directors, officers, and employees” of financial institutions. No final disposition has been reached in the case, but the district court’s decision makes clear that FinCEN is empowered to impose personal liability on compliance officers. In addition to a $1 million fine, Haider faces a permanent ban from employment in the financial industry. Under this decision, compliance officers would be personally subject to both civil and criminal liability if their institution’s anti-money laundering compliance programs are incapable of detecting and stopping illicit transactions.
This decision was followed very closely by state authorities. On December 1, 2015 New York Governor Andrew M. Cuomo announced that his Administration is proposing a new anti-terrorism and anti-money laundering regulation that includes, among other important provisions, a requirement modeled on Sarbanes-Oxley that would require that senior financial executive certify that their institutions has sufficient systems in place to detect, weed out, and prevent illicit transactions. Governor Cuomo’s proposal was motivated by concerns that terrorist organizations are using American banks as pass-through for illicit funds.
According to the press release, over the last four years, the New York State Department of Financial Services (NYDFS) has conducted a series of investigations into terrorist financing, sanctions violations, and anti-money laundering compliance at financial institutions. As a result of these investigations, the Department has uncovered (among other issues) serious shortcomings in the transaction monitoring and filtering programs of these institutions and that a lack of robust governance, oversight, and accountability at senior levels of these institutions has contributed to these shortcomings.
The key requirements of the new anti-terrorism and anti-money laundering regulation that NYDFS is proposing, which will be subject to a 45-day notice and public comment period before final issuance, include the following:
Maintain a Transaction Monitoring Program
Each regulated institution will maintain for the purpose of monitoring transactions after their execution for potential BSA/AML violations and Suspicious Activity Reporting, which system may be manual or automated, and which shall, at a minimum include the following attributes:
- Be based on the Risk Assessment of the institution.
- Reflect all current BSA/AML laws, regulations and alerts, as well as any relevant information available from the institution’s related programs and initiatives, such as “know your customer due diligence”, “enhanced customer due diligence” or other relevant areas, such as security, investigations and fraud prevention.
- Map BSA/AML risks to the institution’s businesses, products, services, and customers/counterparties.
- Utilize BSA/AML detection scenarios that are based on the institution’s Risk Assessment with threshold values and amounts set to detect potential money laundering or other suspicious activities.
- Include an end-to-end, pre-and post-implementation testing of the Transaction Monitoring Program, including governance, data mapping, transaction coding, detection scenario logic, model validation, data input and Program output, as well as periodic testing.
- Include easily understandable documentation that articulates the institution’s current detection scenarios and the underlying assumptions, parameters, and thresholds.
- Include investigative protocols detailing how alerts generated by the Transaction Monitoring Program will be investigated, the process for deciding which alerts will result in a filing or other action, who is responsible for making such a decision, and how investigative and decision-making process will be documented; and
- Be subject to an on-going analysis to assess the continued relevancy of the detection scenarios, the underlying rules, threshold values, parameters, and assumptions.
Maintain a Watch List Filtering Program
Each regulated institution will maintain for the purpose of interdicting transactions, before their execution, that are prohibited by applicable sanctions, including OFAC and other sanctions lists, politically exposed persons lists, and internal watch lists, which system may be manual or automated, and which shall, at a minimum, include the following attributes:
- Be based on the risk assessment of the institution.
- Be based on technology or tools for matching names and accounts, in each case based on the institution’s particular risks, transaction and product profiles.
- Include an end-to-end, pre- and post-implementation testing of the Watch List Filtering Program, including data mapping, an evaluation of whether the watch lists and threshold settings map to the risks of the institution, the logic of matching technology or tools, model validation, and data input and Watch List Filtering Program output.
- Utilizes watch lists that reflect current legal or regulatory requirements.
- Be subject to on-going analysis to assess the logic and performance of the technology or tools for matching names and accounts, as well as the watch lists and the threshold settings to see if they continue to map to the risks of the institution.
- Include easily understandable documentation that articulates the intent and the design of the Program tools or technology.
Each Transaction Monitoring and Filtering Program shall, at a minimum, require the following:
- Identification of all data sources that contain relevant data.
- Validation of the integrity, accuracy and quality of data to ensure that accurate and complete data flows through the Transaction Monitoring and Filtering Program.
- Data extraction and loading processes to ensure a complete and accurate transfer of data from its source to automated monitoring and filtering systems, if automated systems are used.
- Governance and management oversight, including policies and procedures governing changes to the Transaction Monitoring and Filtering Program to ensure that changes are defined, managed, controlled, reported, and audited.
- Vendor selection process if a third party vendor is used to acquire, install, implement, or test the Transaction Monitoring and Filtering Program or any aspect of it.
- Funding to design, implement and maintain a Transaction Monitoring and Filtering Program that complies with the requirements of this Part.
- Qualified personnel or outside consultant responsible for the design, planning, implementation, operation, testing, validation, and on-going analysis, of the Transaction Monitoring and Filtering Program, including automated systems if applicable, as well as case management, review and decision making with respect to generated alerts and potential filing.
- Periodic training of all stakeholders with respect to the Transaction Monitoring and Filtering Program.
- No regulated institution may make changes or alterations to the Transaction Monitoring and Filtering Program to avoid or minimize filing suspicious activity reports, or because the institution does not have the resources to review the number of alerts, or to otherwise avoid complying with regulatory requirements.
To ensure compliance with the requirements, each institution shall submit to the Department by April 15 of each year certifications duly executed by its compliance officer or functional equivalent. If the compliance officer’s certification is later found to be false, the officer would be subject to criminal liability. Under the proposed regulation, the institutions will also be subject to “all applicable penalties provided for by the Banking Law and the Financial Services Law for failure to maintain” programs which meet the requirements of the proposed regulation and for failing to file the certification annually.
The proposed regulation will affect “bank regulated institutions”, i.e., all banks, trust companies, private bankers, savings banks, and savings and loan associations chartered pursuant to New York Banking Law (“Banking Law”) and all branches and agencies of foreign banking corporations licensed pursuant to the Banking Law to conduct banking operations in New York. The proposal would also apply to “Nonbank Regulated Institutions”, defined in the proposal as check cashers and money transmitters licensed pursuant to the Banking Law (money service businesses).
Other Financial Institutions
The imposition of personal liability on compliance officers is part of the regulators’ broader interest in compliance failures at the highest levels of financial institutions and is not limited to banks. For example, on January 5, 2016 the Financial Industry Regulatory Authority (FINRA) published its 2016 Regulatory and Examination Priorities Letter identifying both new areas of focus as well as areas of recurring regulatory concern.
During 2016 FINRA will continue to assess the adequacy of firms’ monitoring for suspicious activity, including surveillance of both money movements and trading activity. Firms should routinely test systems and verify the accuracy of data sources to ensure that all types of customer accounts and customer activity, particularly higher-risk accounts and activity, are properly identified and reviewed in a manner designed to detect and report potentially suspicious activity. In situations where a risk-based decision is made to exclude certain customer transactions from one or more aspects of AML surveillance, the rationale for the decisions should be documented and will be checked.
FINRA will also make it a priority to assess the adequacy of firms’ monitoring of high-risk customer accounts and transactions, including activity that occurs in cash management accounts where banking services are offered to brokerage customers. When monitoring customer money movement activity, firms should ensure that the business purpose of higher risk transactions is understood to enable the firm to assess whether the transactions are suspicious, considering what the firm knows or should know about the customer and the customer’s anticipated activity. FINRA also reminded firms to consider reviewing customers’ activity over a period of time sufficient to identify patterns and ensure they assess the full picture of activity. When firms delegate the monitoring of suspicious trading activity to personnel outside of the AML function, firms should ensure that appropriate delegation has been made, and that the AML function has an open line of communication with the personnel conducting reviews of trading activity.
FINRA has observed a number of instances where firms failed to supervise the transmittal of customer funds to third-party accounts. Recently, FINRA brought several enforcement actions in this area. These transfers create risks for customers and the firm. FINRA reminded firms of their responsibilities related to the transmittal of customer funds pursuant to FINRA Rule 3110 (Supervision). In 2016, FINRA will assess whether firms implement adequate supervisory controls to test and verify systems to prevent the improper transmittal of customer funds. This will include firms’ controls to review and monitor transmittals of funds (e.g., wires or checks) or securities from customer accounts to third-party accounts that would result in a change of beneficial ownership; outside entities (e.g., banks, investment companies); locations other than a customer’s primary residence (e.g., post office box, “in care of” accounts or alternate address); and firms’ registered representatives (including the hand-delivery of checks).
The 2016 Regulatory and Examination Priorities Letter was also followed by targeted exam letters sent by FINRA during February 2016. FINRA and other regulators conduct targeted exams, known as sweeps, to gather information and carry out investigations. Sweep information is used to focus examinations and pinpoint regulatory response to emerging issues. The number of firms included in targeted exams varies and the firms that are included are carefully chosen; in some cases, only a few firms are included and in others, dozens. Firms are selected based on a variety of factors, including level and nature of business activity in a particular area, customer complaints and regulatory history, and prior examination findings. By limiting the inquiry to a small number of firms, sweeps allow FINRA to reduce the regulatory burden on the majority of firms.
In addition to requesting general information on the firms’ practices, FINRA specifically requested information on how the firms established, communicated and implemented cultural values. As part of this review, FINRA plans to meet with executive business, compliance, legal and risk management staff of the selected firms to discuss cultural values.
The Securities and Exchange Commission (SEC) also joined the regulatory wave. In April 20, 2015, the SEC charged a BlackRock Advisers LLC compliance officer with breaching its fiduciary duty by failing to disclose a conflict of interest created by the outside business activity of a top-performing portfolio manager. BlackRock settled the charges and paid a $12 million penalty. The firm also engaged an independent compliance consultant to conduct an internal review. The SEC’s order also finds that BlackRock and its then-chief compliance officer Bartholomew A. Battista caused the funds’ failure to report a “material compliance matter to their boards of directors. BlackRock additionally failed to adopt and implement policies and procedures for outside activities of employees, and Battista caused this failure. Battista agreed to pay a $60,000 penalty to settle the charges against him.
In June 15, 2015 announced fraud charges against a Washington D.C.-based investment advisory firm’s former president accused of stealing client funds. The firm and its chief compliance officer separately agreed to settle charges that they were responsible for compliance failures and other violations. SFX Financial Advisory Management Enterprises is wholly-owned by Live Nation Entertainment and specializes in providing advisory and financial management services to current and former professional athletes. The SEC Enforcement Division alleges that SFX’s former president Brian J. Ourand misused his discretionary authority and control over the accounts of several clients to steal approximately $670,000 over a five-year period by writing checks to himself and initiating wires from client accounts for his own benefit. The SEC separately charged SFX and its CCO Eugene S. Mason, finding that the firm failed to supervise Ourand, violated the custody rule, and made a false statement in a Form ADV filing. The SEC finds that Mason caused some of SFX’s compliance failures by negligently failing to conduct reviews of cash flows in client accounts, which was required by the firm’s compliance policies, and not performing an annual compliance review. Mason also was responsible for a misstatement in SFX’s Form ADV that client accounts were reviewed several times each week. SFX and Mason agreed to pay penalties of $150,000 and $25,000 respectively.
All these developments only reinforce the expectation that compliance officers need to implement robust compliance programs and ensure that they have the adequate resources to avoid being the next target of an enforcement action.
 Future Financial Crime Risks: Considering the financial crime challenges faced by UK banks; A LexisNexis® Risk Solutions report produced for the British Bankers’ Association; November 2015
 Atherton v. FDIC, 519 U.S. 213 (1997)
 12 U.S.C. §1813(u))
 12 U.S.C. §1821(b)(1); for example, see Del Junco v. Conover, 682 F.2d 1338, 1341-44 (9th Cir. 1982).
 For a list of recent settlement agreements see https://www.fdic.gov/about/freedom/plsa/index.html.
 18 USC 1956
 18 USC 981 and 982
 31 USC 5322(a)
 BSA compliance program regulations: 12 CFR 208.63, 12 CFR 211.5(m), and 12 CFR 211.24(j) (Federal Reserve); 12 CFR 326.8 (FDIC); 12 CFR 748.2 (NCUA); 12 CFR 21.21 (OCC).
 Civil No. 0:15-01518 (D. Minn.)
 Global RADAR hosted a webinar on the proposed regulation on January 12, 2016.
 Global RADAR published a previous article on compliance culture.