In the following guest post, Christopher Laursen, Senior Vice President and Chair, Financial Institutions and Bank Practice at NERA Economic Consulting, takes a look at the current enforcement trends involving the Bank Secrecy Act and the Anti-Money Laundering regulations. I welcome guest submissions from responsible persons on topics of interest to readers of this blog. If you are interested in submitting a guest post, please contact me. Here is Chris’s guest post:
Following HSBC Holdings plc’s December 2012 admission to facilitating the laundering of $881 million in drug cartel monies and violating federal sanctions, members of Congress have pressed regulators to hold individuals accountable for systematic violations of Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) regulations. Recent enforcement trends and public statements suggest that regulators, who were already shifting towards a stricter enforcement trend by levying large corporate monetary penalties, have responded with increased scrutiny for directors and officers failing to address alleged BSA/AML compliance shortfalls. In March 2014 statements before the Association of Certified Anti-Money Laundering Specialists (ACAMS), regulators indicated that they intend to hold individuals accountable for violations as part of this broader shift toward stricter enforcement.
Members of Congress have repeatedly raised the issue of individual accountability for AML compliance violations. In October 2013, House Democrats introduced a bill making bank executives, officers, and directors personally liable for BSA/AML violations. The “Holding Individuals Accountable and Deterring Money Laundering Act” would also grant FinCEN, the federal regulator directly responsible for enforcing BSA/AML compliance, expanded power to litigate independently of other regulators. The bill was referred to the Subcommittee on Crime, Terrorism, Homeland Security, and Investigations on January 9, 2014.
Undersecretary of the Treasury for Terrorism and Financial Intelligence David S. Cohen stated before the Senate Committee on Banking that under his direction, FinCEN is looking at ways to bring monetary penalties and industry participation injunctions against individuals for BSA violations. Comptroller of the Currency Thomas J. Curry has echoed FinCEN’s focus on responsibility, and repeatedly stated that the OCC was looking into holding individuals accountable for violations. He reiterated this goal in a focused speech before ACAMS in March 2014, suggesting that a stricter enforcement paradigm targeting individual accountability might emerge in the near future. In each of these statements, bank D&O were mentioned as a class facing increased scrutiny from an individual liability perspective.
The general trend toward stricter enforcement is evident from recent enforcement actions against financial institutions. Federal regulators levied nearly $5 billion in monetary penalties against financial institutions in connection with alleged violations of BSA/AML regulations since 2007. According to analysis by NERA Economic Consulting in the white paper “Recent Trends in BSA/AML Enforcement and Litigation,” two-thirds of all formal enforcement actions since 2012 have included monetary penalties, compared to only one-third from 2007 through 2011. Moreover, more than four-fifths of the approximately $5 billion in monetary penalties imposed since 2007 have been levied since 2012. This regulatory emphasis has persisted despite reportedly enhanced BSA/AML compliance efforts by financial institutions’ compliance personnel, directors, and officers, including a 38% increase in filings of Suspicious Activity Reports (SARs) since 2006.
Regulators’ enforcement practices have shifted paradigms from the financial crisis and its aftermath through the present. From 2007 through late 2009, a period in which many financial institutions struggled to maintain liquidity and capital ratios, regulators typically issued cease and desist orders with no pecuniary levies. No BSA/AML monetary penalty exceeded 1% of a financial institution’s total equity capital in that period. This stance may have been, in part, an effort to avoid placing further strains on institutions weathering the financial crisis. From late 2009 onward, however, regulators shifted to a more aggressive enforcement paradigm and pursued enforcement actions against financial institutions for both larger dollar amounts and larger proportions of total equity capital. The increasing trend in the penalties assessed as a share of total equity capital—conditional upon an enforcement action—has been striking.
As part of this aggressive enforcement paradigm, FinCEN added a stand-alone Enforcement Division in June 2013 in a major internal reorganization, and FinCEN also started placing emphasis on corporate and individual responsibility with respect to BSA/AML compliance. While historically, financial institutions that were the subject of enforcement actions were typically able to consent to monetary penalties without admitting or denying the alleged wrongdoing, FinCEN Director Jennifer Shasky Calvery has made clear in multiple speeches since 2013 that this practice is deliberately changing. This emerging trend in admitting responsibility in response to enforcement actions both increases the liability risk for D&O and widens avenues for private litigation against financial institutions and their D&O.
Bank D&O are ultimately responsible for ensuring that a bank maintains an effective BSA/AML compliance program, which must be approved by the board of directors and noted in the board minutes. The compliance program must provide for four minimum requirements: 1) a system of internal controls to ensure ongoing compliance; 2) independent testing of BSA/AML compliance; 3) designation of an individual or individuals responsible for managing BSA compliance; and 4) compliance training for appropriate personnel. In addition, notification of SARs filed must be regularly presented to the board of directors and documented in the board minutes.
A number of enforcement actions have assessed personal monetary penalties against bank D&O over the past few years. In February 2009, the directors of Sykesville Federal Savings Association were collectively fined $10,500 in non-reimbursable civil money penalties for multiple violations of a consent order to cease and desist. In January 2013, the OCC levied civil money penalties against five D&O of Security Bank for up to $20,000 per person in connection with violations including failure to ensure an effective BSA compliance and SAR reporting system. In September 2013, the Justice Department charged the CEO of Public Savings Bank with criminal failure to file a SAR and maintain adequate AML controls in connection with an $86,400 wire transfer of suspected drug money.
Though bank directors and officers are often covered by D&O liability insurance, for the past several years the Federal Deposit Insurance Corporation (FDIC) has taken an increasingly strong position that a financial institution’s insurance policies may not indemnify D&O for civil money penalties. In 2011, the FDIC cited several financial institutions for D&O liability insurance policies that covered civil money penalties, and in October 2013 the FDIC published a Financial Institution Letter explicitly prohibiting insured depository institutions or their holding companies from purchasing insurance policies that would indemnify institution-affiliated parties against civil money penalties.
The shift toward individual accountability for BSA/AML violations has sparked some concerns that qualified personnel might avoid compliance or D&O positions at banks due to the risk of personal liability, especially due to the prohibition on institution-provided D&O civil money penalty insurance coverage. Comptroller Curry attempted to assuage such concerns in his March 2014 address before ACAMS, stating that increased D&O accountability “doesn’t mean that a senior executive in New York, for example, should be held responsible if an account officer in South America decides to turn a blind eye to suspicious transactions.” Curry also clarified that his focus would be on major, systemic violations, by assuring ACAMS that the regulatory focus on individual accountability “doesn’t mean penalizing honest mistakes or errors in judgment or even minor failures in compliance.”
While many experts and financial journalists have expressed concern that qualified individuals will nonetheless shy away from BSA/AML compliance positions as a result of a focus on individual accountability, some see this very public expression of regulatory intent as a means of forcing bank executives and boards of directors to prioritize compliance, in order to provide more support to compliance officers. Since compliance does not create revenue, regulators and bank compliance personnel have both expressed the sentiment that tough talk and even enforcement “catastrophes” by regulators are sometimes required to shift management’s attention to compliance matters. Seen through this lens, regulators’ recent comments suggest that they do not believe bank D&O are currently allocating sufficient attention or resources to BSA/AML compliance, and may feel the need to make a few examples.
Many financial institutions have responded to stronger BSA/AML enforcement with enhanced compliance programs, a substantial increase in SAR filings, and so-called de-risking of customer portfolios. De-risking, a potentially costly compliance response, involves the purposeful closing of financial relationships with groups of customers or lines of business considered high risk under BSA/AML standards. Before de-risking a group of customers or a line of business, banks must compare the benefits of potential revenue from existing business arrangements against potential compliance risk costs.
Regulators have generally encouraged increased SAR filings as the best relatively inexpensive way to reduce compliance risks for financial institutions. Institutions have responded to this impetus: the number of SARs filed with FinCEN has grown nearly thirty-fold since 1996, when the SAR was introduced, and nearly five-fold since 2002, the first year the Patriot Act’s Title III expansion of BSA/AML requirements was in effect, according to FinCEN’s SAR Activity Review – By the Numbers. However, some regulators and law enforcement personnel have criticized what they term “defensive” SAR filings, which allegedly report a large number of transactions with low levels of detail included in each report. Regulators have initiated multiple enforcement actions against financial institutions for allegedly insufficient or incomplete SAR filings, likely to incentivize banks to report additional context in each SAR filing.
Partial compliance with relevant regulations is not enough to avoid regulatory action. The JPMorgan Chase & Co. (JPMC) settlement from January 2014 in particular reveals the broad scope and long look-back of recent enforcement actions. JPMC admitted and accepted responsibility for violations of the BSA during the period between 1996 and 2008, including failure to file SARs in connection with its relationship with Bernard Madoff and his Ponzi scheme and failure to maintain an effective AML program. However, in the deferred prosecution agreement, supervisory agencies acknowledged that JPMC filed a timely British SAR on Madoff, but seemingly sought to emphasize that meeting foreign reporting obligations did not satisfy US BSA/AML regulatory requirements.
The increasing magnitude of regulatory and private challenges to BSA/AML compliance has come with increased costs to financial institutions. According to the 2014 Global Anti-Money Laundering Survey, average AML compliance costs for financial institutions have grown at a rate of at least 40% every three years since 2002, and by 53% over the most recent three year period. It is expected that the costs of compliance, regulatory enforcement actions, and private lawsuits will continue their increasing trend. As legislators and regulators have specifically stated their desire to hold D&O accountable for AML violations, and as regulators bar institution-provided liability insurance from indemnifying D&O, it may also be expected that their personal liability risks will increase accordingly.
Author: Christopher Laursen
Senior Vice President
Chair, Financial Institutions and Banking Practice
NERA Economic Consulting
tel: +1 202 466 9203
Mr. Laursen is a Senior Vice President and Chair of NERA’s Financial Institutions and Banking Practice. He is a leading expert in financial products, markets, risk management, and financial regulation. He has served as an expert witness in numerous litigation matters and has provided consulting and advisory services for both public and private sector clients. Prior to joining NERA in 2009, Mr. Laursen served as a banking company policy-maker, supervisor, and examiner for 17 years with the Federal Reserve Board, Regional Federal Reserve Banks, and the Office of the Comptroller of the Currency. He has extensive expertise in anti-money laundering compliance, fraud reviews, credit underwriting, and trading activities, and has served as an expert witness and consultant in matters dealing with BSA/AML.