What a Fool Believes[I]
Until recently, the AML community has seen only two major cases of personal liability. Frankly, many conferences and webinars have downplayed the impact of those rulings on how institutions should either allocate AML/CTF resources or give governance prominence to the BSA function.
The March 4th enforcement action by FinCEN (coordinated with the OCC) against the former Chief Operational Risk Officer of US Bank may change this perspective.
As you know, US Bank was hit with a $185 million dollar penalty in 2018 for, among other things, failure to file suspicious activity reports (SARs) in a timely manner. The major issue was that the bank capped the number of alerts its automated transaction monitoring system would generate for investigations.
What struck me in that penalty announcement was that US Bank employees in 2013 prepared a PowerPoint presentation for the CEO that identified multiple problems with the Bank’s AML program, and described that those issues had led to actions against other banks. According to the civil penalty “[t]he PowerPoint presentation explicitly referred to, among other things, ‘[m]anipulation of system output through use of alert caps on both profiling and query detection methods’ that could ‘potentially result in missed Suspicious Activity Reports’ and ‘[p]otential regulatory action resulting in fines, consent order, and significant historical review of transactions.’ “
What did the CCO then do? Well, he reviewed the draft deck “and removed references to alert caps from the presentation, added positive information about the Bank’s AML program, and otherwise altered the presentation to depict a more favorable image of the Bank’s AML program.”
I remember at the time thinking, “no repercussions?” Really?
The Civil Penalty for Corporate AML Failures: Improvement for corporate culture?
One of the decades long challenges for those of us in the compliance field has been getting the attention of senior management and boards of directors to dedicate sufficient resources and general support to requirements for such important areas such as AML. Certainly enforcement actions and policy leaders impact decisions, but when individuals are held liable, common sense tells us that accountability will increase.
The $450,000 civil penalty against Michael LaFontaine occurred, according to the FinCEN Director, because “he was warned by his subordinates and by regulators that capping the number of alerts was dangerous and ill-advised. His actions prevented the proper filing of many, many SARs, which hindered law enforcement’s ability to fully combat crimes and protect people.”
The enforcement action is worth your focus for a number of reasons. First, it was clear that the CRO did not want to share problems with the CEO. Second, the several examples of staff going past the CRO because he was ignoring or not prioritizing their very clear concerns, is a great model for those that believe in doing the right thing. Finally, the civil penalty recommends, and I certainly agree, that looking at other enforcement actions (in that case what Wachovia was being fined for) and doing a gap analysis is a solid tactic to assess where resources may be needed. Wachovia was also capping alerts and while some staff discounted the analogy to US Bank, a risk leader cannot afford to ignore those warnings.
As for corporate culture, the need to encourage staff to raise issues cannot be overstated. US Bank employees noted system challenges, reviewed previous regulatory actions and strongly expressed the view that AML staff was “dangerously thin.”
How do you ignore that statement?
The US Bank case and the civil penalty against the CRO need to be read in tandem and the AML community should use both as more than cautionary tales. AML infrastructure is only as strong as the overall system including culture.
Ignoring warnings and expecting no ramifications is only what a fool believes.
COVID-19 and SARS
FinCEN issued a statement to financial institutions that it alert their regulators and FinCEN if there will be any delays in their ability to file SARs as well noting emerging fraudulent trends such as imposter, investor and product scams. https://www.fincen.gov/news/news-releases/financial-crimes-enforcement-network-fincen-encourages-financial-institutions
[I] “What a Fool Believes” was a #1 hit by the Doobie Brothers in 1979 and a 1980 Grammy Award Song of the Year.