The headline reads more like the title of an action and adventure movie, but professionals who manage the day-to-day compliance with the Bank Secrecy Act know first-hand how much of an adventure their career path can take. As part of our annual BSA training, we often remind staff that the BSA carries both civil and criminal penalties for “willful non-compliance.” These warnings are often brushed aside with the thought, “Yeah, that’ll never happen here.”
What many employees probably do not realize is that examiners and regulatory agencies review training materials to determine what individuals “knew or should have known” about the Bank Secrecy Act when evaluating why and how BSA violations occur.
Consider the March 4th Press Release from the Financial Crimes Enforcement Network (FinCEN) which announced a $450,000 civil money penalty against the former U.S. Bank Chief Operational Risk Officer, Michael LaFontaine. FinCEN had previously fined U.S. Bank $185 million (in addition to $453 million in Department of Justice asset seizures). The allegations against U.S. Bank were incriminating memos from management, including Risk Officer LaFontaine, directing BSA analysts to cap the number of suspicious activity monitoring alerts they would review from their automated systems due to a staff shortage and profitability, resulting in hundreds of missed suspicious activity reports.
To compound the BSA/AML violations, management suppressed model validation findings which criticized the practice of alert suppression, ignored testing that demonstrated thresholds were artificially set too high to limit the number of alerts which suspicious activity went undetected below those thresholds. To ensure that the Board was not made aware of audit findings, management ultimately suspended future model validations to eliminate those pesky findings which would require that they hire additional staff and appropriately calibrate their system.
Why was the fine so severe?
This action represents a shift in FinCEN’s approach to addressing BSA/AML deficiencies. Previous enforcement actions and fines were often directly solely at financial institutions. High-level employees may lose their jobs as a result of these enforcement actions, but the separations were often accompanied with large severance packages. No more. This case is a clear warning shot to boards and executive management, that intentionally sabotaging a BSA/AML Program will not be tolerated and they will not receive a free pass to jump ship with a nice severance to ensure a soft landing. FinCEN is preparing an “empty concrete pool” for willful violators of the BSA to come crashing back to earth.
In its comments, FinCEN notes that there had been a previous enforcement action against Wachovia Bank for similar violations due to inappropriate suppressing of monitoring alerts. Based on Risk Officer LaFontaine’s position and advanced training he would have received commensurate with his responsibilities, FinCEN expects that he either knew or should have known about the Wachovia case.
What does this mean for your institution?
First and foremost, the BSA Officer has an obligation to ensure that they – as well as their board and senior management team – are aware of significant enforcement actions in the industry. FinCEN will not allow staff to use ignorance as an excuse for non-compliance. TCA encourages every Board training module to include this case study as part of its training in 2020 so that the Board has a strong understanding of their personal risks if they ignore the institution’s BSA/AML responsibilities. “I didn’t know that “ won’t be an acceptable excuse.
Second, prudential regulators will be reviewing the institution’s AMS tuning and testing processes for its automated monitoring systems. Using default parameters without proper testing to evaluate if they are reasonably designed to identify suspicious activity for your institution’s risk profile could result in expensive lookbacks if they determine your system is not properly calibrated.
Third, consider performing a staffing analysis to evaluate the length of time it takes to perform each BSA-related task (e.g., CTR filing, high-risk customer review, alert monitoring, information sharing request, OFAC review, etc.). Calculate the number of hours required to complete all tasks timely and accurately. Compare that amount of time to the number of full-time equivalent employees in the BSA Department. Is there time to spare or is everyone working Sundays just to keep up? Approaching senior management and the Board to request additional resources will often be met with resistance. Remember that they have the responsibility to run a profitable institution. Presenting hard evidence of potential risks versus simply walking into an office empty-handed and asking for more will demonstrate that you have taken the time to adequately evaluate the department’s resources. This can help defuse the initial thought that staff simply doesn’t want to work hard which is driving the request for more resources.
Finally, remember that sample size and job function should be driven by adequate risk mitigation, not profit margin. If your institution sacrifices the strength of internal controls (one of the five BSA Pillars) in the name of the bottom line, the institution accepts the risk of becoming the next U.S. Bank and management accepts the personal risk of being the next Michael LaFontaine.
TCA is here to help your BSA Program. Whether you need help evaluating your automated monitoring parameters, current staffing levels or to train you Board on timely topics such as this, contact our BSA Action Team at (800) 934-7347 or [email protected]
