Despite recent announcements from the Trump administration regarding its desire to reduce regulation affecting financial institutions, all indications suggest the new administration believes the enforcement of the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) should remain a top priority over the next several years. The pace of inquiries and the amount of fines levied against institutions in the past few years, as well as individual compliance officers who have been cited for personally failing to ensure the proper levels of AML compliance programs at their respective banks, make it imperative that financial institutions of all sizes keep their AML programs up-to-date and effective. Any institution that fails to do so is likely to find itself in the crosshairs of an unwanted and expensive regulatory inquiry.
Recent Enforcement Decisions
Regulatory inquiries initiated in the past few years continue to target banks and financial institutions of all sizes (Western Union forfeit of $586 million; Deutsche Bank fine of $425 million), but perhaps the most alarming action taken by regulators of late involves individual compliance officers. Regulators have recently turned their attention to compliance officers charged with overseeing their companies’ compliance programs. Since last year, three compliance officers have been found to be personally liable for their failure to file timely Suspicious Activity Reports (SARs), failure to detect or investigate “red flags” indicating suspicious activity, and for aiding and abetting foreigner entities purchasing U.S. securities. These recent actions holding compliance officers personally responsible for shortcomings in their AML compliance programs have had a chilling effect on the ability of bank and financial institutions to recruit qualified professionals to take on these roles.
Although these actions targeted compliance officers of large institutions, regulatory agencies are willing to target small businesses that are not considered your typical financial institution. In two separate matters, the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCen) levied fines, ranging from $10,000 to $60,000, against the owners of small grocery stores that also provided money service programs for their customers. Both owners served as the de facto compliance officer for their respective businesses and were fined for not having any semblance of an AML program, thus underscoring the warning that any entity falling under the definition of a “financial institution” is exposed to possible fines, penalties and sanctions by regulatory and law enforcement agencies.
Not only are regulators and law enforcement initiating AML investigations and handing down fines and penalties, but plaintiff suits are now using the AML laws to pursue top executives, such as in the previously mentioned Western Union case. A shareholder derivative lawsuit was filed, accusing the company’s senior executives of failing to allow for an effective AML compliance program to be instituted at the company.
The Five Pillars
For many years financial institutions operated under the theory that an effective AML compliance program included what was commonly referred to as The Four Pillars: (1) internal controls; (2) independent testing; (3) a designated compliance officer; and (4) training for appropriate personnel. Beginning last year, a fifth pillar was added: introducing required risk-based procedures for conducting customer due diligence. This new requirement promulgated by FinCen in May 2016 requires banks, broker-dealers, mutual fund, and similar institutions to identify and verify the identity of the natural persons behind the legal entity, i.e., the beneficial owners. The new requirement comes on the heels of the Panama Papers controversy, which pulled back the curtain on the extraordinary efforts entities took to obscure the identities of beneficial owners of large offshore investment accounts. All institutions will have to comply with this new rule beginning on May 11, 2018.
Under this new directive institutions will be required to identify the beneficial owner of an entity if that owner owns 25 percent or more of the legal entity or is a single individual who has a significant responsibility to control, manage or direct a customer of that legal entity, or any other individual who regularly performs similar functions.
Avoiding Regulatory Inquiries
Senior officials from any financial institution who have experienced a regulatory or law enforcement inquiry will openly admit that the only way to avoid a costly and protracted investigation is to ensure an effective compliance program is sufficiently designed, implemented and regularly reviewed by independent professionals (internally or third party). Additionally, senior management must demonstrate the willingness to empower their AML officials by allowing them to take the necessary steps in assessing the framework of their programs and ensuring proper oversight with regular monitoring and testing, training for all necessary personnel and accurate reporting mechanisms are operational at all times. These fundamental elements will allow all institutions, regardless of size, to not only improve and strengthen their compliance programs but also to adequately defend inquiries brought by a regulator or law enforcement agency and avoid costly fines and penalties.
For questions or comments about the issues addressed, please contact us.
John E. Mulvaney, Jr. is the Leader of the Forensic, Litigation and Valuation Services Group in New England. He specializes in government and internal investigations, as well as complex civil and criminal matters. He can be reached at 617.761.0569 or JMulvaney@cbiztofias.com.