FDIC Weighs In on “De-Risking;” FinCEN and SEC Bring Actions Against Oppenheimer & Co. for BSA/AML Violations 

SUMMARY

January ended on a very active note in the area of Bank Secrecy Act (“BSA”)/anti-money laundering (“AML”) compliance, with the Federal Deposit Insurance Corporation (the “FDIC”), the Securities and Exchange Commission (“SEC”), and the Financial Crimes Enforcement Network (“FinCEN”) all contributing to the ongoing dialogues regarding “de-risking” and heightened regulatory expectations.

On January 28, 2015, the FDIC released a statement to financial institutions—consistent with, but seemingly more expansive than, earlier statements made by federal banking regulators—encouraging institutions to take a risk-based approach in assessing all individual customer relationships rather than “de-risking,” or declining to provide services to entire categories of customers. The statement advised that institutions may contact the FDIC’s Ombudsman or Office of Inspector General (the “OIG”) if examiners fail to follow these principles. The same day, the media reported that the FDIC issued a policy that reinforces the statement by requiring examiners to formally document and report instances in which FDIC personnel recommend or require banks to terminate deposit account relationships. Assuming the press reports are accurate, the FDIC’s statement, when combined with the policy, seems to be a step in the right direction towards aligning agency policy with examiner practice.

With respect to heightened regulatory expectations, on January 27, 2015, FinCEN and the SEC settled parallel enforcement actions for a total of $20 million in civil penalties against Oppenheimer & Co. Inc. (“Oppenheimer”), a full-service broker-dealer, for violations of the BSA and federal securities laws. The two actions are the latest in a series of actions against Oppenheimer for AML program shortcomings, the most recent being the Financial Industry Regulatory Authority’s (“FINRA”) August 2013 action against the company for substantially similar conduct.  In addition, the SEC’s action, particularly when coupled with  earlier actions by FINRA against Oppenheimer and Brown Brothers Harriman for AML program deficiencies in connection with penny stock transactions, demonstrates that securities regulators are viewing penny stock surveillance as a matter of significant AML concern.

FDIC STATEMENT RELATED TO “DE-RISKING”

On January 28, 2015, the FDIC issued a Financial Institution Letter entitled “Statement on Providing Banking Services” (the “Statement”). In the Statement, the FDIC encourages financial institutions to follow a risk-based approach to providing banking services to potential customers on an individualized basis, rather than engaging in “de-risking.”1 In the cover letter accompanying the Statement, the FDIC characterizes this individualized risk-based approach as an approach that institutions are “expected” to employ. The Statement addresses reported industry reluctance to provide certain banking services for fear of running afoul of the BSA. In an apparent effort to assuage any such concerns, the FDIC reiterates existing federal banking agency guidance recognizing that, “as a practical matter, it is not possible for a financial institution to detect and report all potentially illicit transactions that flow through an institution.” A financial institution with an acceptable risk-based AML program, according to the FDIC, would be “well-positioned” to manage customer accounts while also “generally” detecting illegal activity.2   According to the FDIC, “[i]solated or technical violations” of the BSA occurring within an otherwise adequate BSA/AML program would “generally” not prompt serious regulatory concern or demonstrate a lack of adequate management supervision or commitment to BSA compliance.3 Finally, the FDIC states that institutions concerned that examiners are not following the Statement may contact the FDIC’s Ombudsman or the OIG.

On the same day the Statement was released, it was reported that the FDIC issued a memorandum to risk management and consumer protection examiners establishing a policy that reinforces the Statement by requiring examiners to formally document and report instances in which FDIC personnel recommend or require that banks terminate deposit account relationships (the “Memo”).4

In addition to serving as a rebuttal to concerns that the FDIC has been overly aggressive in demanding that financial institutions avoid certain categories of customers—concerns also voiced with respect to other federal banking regulators—the Statement is notable for a number of reasons:

  • First, although consistent with prior regulatory guidance pertaining to specific categories of potentially high risk customers, including money services businesses (“MSBs”) and third-party payment processors (“TPPPs”),5 the Statement arguably goes further and suggests an expectation that institutions will apply an individualized risk-based approach to all existing and prospective customers, not just those in categories that regulators recognize present increased risk.
  • Second, the FDIC’s acknowledgement that it is practically impossible to detect and report all suspicious activity and that an institution with an adequate BSA/AML program will only “generally” detect illegal activity is important, but it may provide little comfort to institutions in the present environment of  record-setting fines  and potential criminal prosecutions  related to BSA/AML lapses.
  • Third, concerns have been expressed by financial institutions in various fora that examiners are requiring institutions to terminate potentially high risk account relationships. The FDIC’s statement that an institution may contact the FDIC’s Ombudsman or the OIG if it believes examiners are not following the Statement appears to acknowledge those concerns. It is unclear whether other banking regulators have the same concerns with respect to their examiners recommending the termination of account relationships and, if so, whether similar statements will be issued by those regulators.

OPPENHEIMER ENFORCEMENT ACTIONS

On January 27, 2015, the SEC and FinCEN settled parallel enforcement actions against Oppenheimer for violations of the BSA and federal securities laws relating to the sale of penny stocks. The agencies assessed a combined $20 million in civil penalties. Oppenheimer admitted to the agencies’ findings and, under the SEC settlement, agreed to retain an independent compliance consultant to review its AML policies and procedures. The actions by the SEC and FinCEN are the latest in a series of actions against the company for AML program shortcomings.  In December 2005, the New York Stock Exchange 6 and FinCEN assessed Oppenheimer $2.8 million in civil money penalties and in August 2013 FINRA fined the company $1.4 million for BSA violations similar to those detailed by FinCEN and the SEC.

FinCEN Action

In its enforcement action, FinCEN found that Oppenheimer willfully violated the BSA by failing to (a) implement an adequate AML program, (b) conduct adequate due diligence on a foreign correspondent account, and (c) comply with requirements under the rules imposing Special Measures under Section 311 of the USA PATRIOT Act. The conduct at issue principally involved penny stocks and spanned 2008 through May 2014. A central theme in FinCEN’s action is Oppenheimer’s failure to properly handle “red flags.” In particular, FinCEN identified 16 customers who engaged in patterns of suspicious activity in branches in five states, the majority of which exhibited the same two “significant” red flags: (i) the securities were penny stocks for which no registration statement was in effect; and (ii) the customers repeatedly deposited large blocks of the securities, many in paper certificate form, sold them shortly after the deposit and immediately transferred the proceeds out of their account. According to FinCEN, Oppenheimer’s AML program was not adequately designed to detect and report this suspicious activity. Among the flaws in the AML program, according to FinCEN, was a failure to promote sharing of information among compliance groups, creating “information silos” that contributed to Oppenheimer’s lapses. FinCEN also found that Oppenheimer failed to conduct adequate due diligence on a foreign correspondent account, and that its failure to conduct periodic reviews of all foreign financial institution accounts, as required by Oppenheimer’s own policy, contributed to its failure to detect and report suspicious penny stock activity. In addition, FinCEN determined that Oppenheimer failed to comply with “special measures” imposed by FinCEN against three foreign financial institutions deemed by FinCEN to be “of primary money laundering concern,” which required Oppenheimer to notify its foreign correspondent accountholders that their correspondent accounts could not be used by the three financial institutions.7

SEC Action

In its enforcement action, the SEC found, premised largely on the same misconduct, that Oppenheimer willfully violated federal securities laws, including the requirement under Section 17(a) of the Securities Exchange Act of 1934 and Rule 17a-8 thereunder that Oppenheimer file SARs with FinCEN. The SEC, much like FinCEN, emphasized that Oppenheimer had failed to take appropriate action despite several red flags that customers were engaging in illicit activity and that Oppenheimer’s policies and procedures for preventing and detecting violations of the securities laws were inadequate. The SEC referenced, in particular, Regulatory Notice 09-05, in which FINRA reminded firms of their obligation to ensure that they comply with federal securities laws when participating in unregistered resales of restricted securities, and listed several red flags that signal the possibility of illegal activity. As part of the settlement, Oppenheimer undertook to retain an independent compliance consultant to review Oppenheimer’s policies and procedures as they relate to BSA/AML.8 FINRA’s August 2013 action similarly required the company to retain an independent consultant.

The January 27 FinCEN and SEC actions are notable for a number of reasons.

  • First, in both actions, Oppenheimer admitted that its conduct violated the BSA.9 This admission of wrongdoing appears to be characteristic of a trend in FinCEN enforcement actions, beginning in 2014, in which settlements include an admission of the financial institution’s wrongful conduct. For instance, neither of the two civil money penalties assessed by FinCEN in 2013 contain admissions of wrongdoing.10 One of the 2013 FinCEN enforcement actions was paralleled by a SEC enforcement action that similarly did not contain an admission of wrongdoing.11 In 2014, however, only one of eight total FinCEN civil money penalty assessments did not include admissions of FinCEN’s findings of fact and admissions of violations of the BSA. We have observed a similar trend in actions by other regulators.
  • Second, as noted earlier, the recent FinCEN and SEC actions are the latest in a series of actions against Oppenheimer for AML program shortcomings, the most recent being FINRA’s August 2013 action against the company. The SEC does not mention in its action the substantially similar action brought by FINRA 15 months earlier. The cascading, and arguably additive, actions by multiple regulators has been a characteristic of BSA/AML enforcement.
  • Third, the SEC’s action, particularly when coupled with FINRA’s August 2013 action against Oppenheimer and February 5, 2014 action against Brown Brothers Harriman,12 which similarly addressed AML concerns around penny stock transactions, indicates that securities regulators view penny stock surveillance as a matter of significant AML concern.
  • Fourth, the SEC, unlike FINRA, historically has not brought many enforcement actions against broker-dealers for AML violations.

CONCLUSION

These recent developments, although unrelated, highlight the ongoing tension between regulatory expectations regarding “de-risking” and increased enforcement of BSA/AML requirements. Despite regulatory pronouncements on “de-risking,” the enforcement environment continues to put pressure on institutions weighing the risk of particular classes of customers or businesses.