On February 27, 2017, FinCEN announced a $7 million civil monetary penalty against Merchants for willful violations of the BSA. Additionally, the Office of the Comptroller of the Currency (OCC), Merchants’ federal functional regulator, identified deficiencies in Merchants’ processes that resulted in violations of the 2010 and 2014 consent orders that Merchants entered into with the OCC, as well as continued violations of 12 C.F.R. § 21.21 (i.e., the requirement that a bank’s AML compliance program must be reasonably designed to assure and monitor compliance with the BSA’s recordkeeping and reporting requirements). The OCC is assessing an additional, separate $1 million penalty for the violations.1
The FinCEN Assessment of Civil Monetary Penalty (the “Assessment”) provides that Merchants failed to establish and implement an adequate AML program, conduct required due diligence on its foreign correspondent accounts, and detect and report suspicious activity. The Assessment states that Merchants’ “failures allowed billions of dollars in transactions to flow through the U.S. financial system without effective monitoring to adequately detect and report suspicious activity.”
A bank’s AML compliance program must be reasonably designed to assure and monitor compliance with the BSA’s recordkeeping and reporting requirements. At the time of the violations, a bank’s AML compliance program must, at a minimum, (i) provide for a system of internal controls to assure ongoing compliance, (ii) provide for independent testing for compliance to be conducted by bank personnel or an outside party, (iii) designate an individual or individuals responsible for coordinating and monitoring day-to-day compliance, and (iv) provide training for appropriate personnel.2 Merchants failed on each of these fronts. The Assessment details various examples that clarify when internal controls, independent testing, designation of responsible individuals and training failed to meet FinCEN AML standards.
Merchants’ leadership impeded investigations of the activities, the activities went unreported for many years, and employees who attempted to report the activities were threatened with possible dismissal or retaliation. Additionally, Merchants insiders owned or managed MSBs with accounts at Merchants, some of which demonstrated highly suspicious transaction patterns and red flags. Finally, the Assessment notes several conflicts of interest, including that two of the three individuals granted BSA duties were executives responsible for bringing businesses to Merchants—particularly MSBs.
The Assessment outlines a number of deficiencies relating to customer due diligence (CDD) standards that are also the focus of FinCEN’s May 11, 2016 CDD Final Rule (“CDD Final Rule”). The CDD Final Rule formalizes new and existing CDD expectations for banks and certain other financial institutions and adds another minimum requirement to a bank’s compliance program. The CDD Final Rule goes into effect on May 11, 2018. Together, this enforcement action and the implementation of FinCEN’s CDD Final Rule demonstrate continued and heightened scrutiny of customer and beneficial owner due diligence and the importance of vetting internal conflicts of interest.
The Assessment outlines relatively detailed examples of compliance failures. Additionally, and with the CDD Final Rule, it is apparent that the deeper due diligence and ongoing monitoring requirements may highlight internal conflicts of interests.
Banks and other financial institutions with MSB customers and/or potential conflicts of interest in their compliance program staff should carefully review this Assessment against their compliance programs to ensure that they are meeting or exceeding the standards. These reviews may focus on the delegation of authority for managing the compliance program, identifying internal conflicts of interest and beneficial owners, the specificity of the compliance program policies and trainings, the geographic locations of the MSB customers, the geographic locations of the MSB customers’ customers, which accounts those customers use, the information solicited from the customers, what is done with that information, and the scope and methodology of independent audits.
1 See here and here for the FinCEN press release and assessment of civil monetary penalty, and here and here for the OCC press release and consent order for the assessment of a civil monetary penalty.
2 31 C.F.R. § 1020.210.