In the past year, a number of major financial institutions have been hit not just once, but twice by federal and state regulators for follow-on regulatory violations, including financial sanctions issues. Other institutions have suffered record breaking fines for Foreign Corrupt Practices Act (FCPA) and economic sanctions violations. In this environment, the Superintendent of the New York Department of Financial Services (DFS) Benjamin Lawsky announced just last week that his agency is about to propose a requirement that senior banking executives personally "sign off" on the "adequacy and robustness" of the anti-money laundering (AML) compliance programs that their firms use to spot suspicious customer financial transactions. This requirement would represent a major escalation of pressure on firms to prevent the types of serious financial crimes and abuses that have recently received significant attention. 

The DFS proposal arises after a string of recent breaches that have included cases against chief compliance officers and actions against major institutions as repeat offenders. Just a few months ago, for example, the U.S. Department of Justice (DOJ) fined MoneyGram's chief compliance officer $1 million for failing to maintain adequate controls and address significant money laundering activity that occurred on the officer's watch. Further, last summer, Britain's Standard Charter PLC was hit with a second $300 million penalty after it allegedly failed to meet the requirements set in an earlier agreement that included a $340 million penalty for failing to adhere to Iran sanctions. Similarly, last fall, Bank of Tokyo-Mitsubishi received a $315 million penalty on top of a previous $250 million fine by DFS for allegedly misleading regulators about its transactions with Iran, Sudan and other countries placed under U.S. sanctions. And these amounts, while very large, pale in comparison to the landmark case of a financial institution in France, which paid nearly $8.9 billion to settle charges that it willfully continued to do business with countries and entities on U.S. Sanctions Lists, including Iran, Sudan and Cuba. It was the largest sanctions fine in U.S. history, more than four times larger than the next highest penalty.

In December 2012, HSBC paid nearly $1.3 billion as part of a deferred prosecution agreement, as well as $665 million in civil penalties after the institution was accused of conducting transactions on behalf of customers in Cuba, Iran, Libya, Sudan and Burma, all of which were, at the time, on U.S. Sanctions Lists. U.S. federal authorities claimed that HSBC helped launder $880 million in drug proceeds through the U.S. financial system. Also in 2012, ING was assessed with a $619 million penalty for moving $2 billion on behalf of Cuban and Iranian entities.

Still other prominent institutions have paid large fines, in earlier periods. In December 2009, Credit Suisse paid $536 million for customer transactions from Iran and Sudan. Law enforcement authorities claimed that Credit Suisse trained Iranian clients to falsify wire transfer orders so the messages would not be picked up by U.S. financial institution filters. Following resolution of this issue, Credit Suisse agreed to pay another $2.6 billion over tax fraud charges. Similarly, in January 2009, Lloyd's was charged with a $350 million fine related to transactions with Iranian customers. U.S. officials asserted that the transactions allowed for more than $350 million to be processed by U.S. correspondent banks that otherwise would have been rejected. In August 2010, Barclays paid $298 million for stripping wire transfer records of references to sanctioned countries in order to pass filters. 

More recently, the fines and penalties have reached beyond U.S. federal and state government action. Indeed, just last month, a $67 million civil judgment against a Canadian-based bank was upheld on appeal. The case was brought by shareholders alleging that the bank allowed proceeds of money laundering to flow through client accounts. Now, it appears that HSBC is heading towards a possible second penalty assessment by the Swiss, after Swiss authorities raided HSBC's offices in Geneva, Switzerland a few weeks ago.

In addition to these high profile sanctions issues, other regulators also have been aggressive in pursuing financial institutions for other financial regulatory transgressions. In 2014, the Financial Industry Regulatory Authority (FINRA) imposed $134 million in sanctions for industry rules violations, including against some major financial institutions. These included substantial fines against several individual institutions, such as Brown Brothers Harriman, which received an $8 million fine for AML rules violations over its alleged failure to detect and investigate suspicious penny stock transactions, and a larger $43.5 million settlement with ten investment banks over their alleged promise to provide research tips in exchange for a portion of the Toys"R"Us initial public offering. 

Notwithstanding the penalties already imposed, money laundering in particular remains challenging for institutions to address and prevent, given the myriad of obligations imposed through the Financial Recordkeeping and Reporting Currency and Foreign Transactions Act, the Bank Secrecy Act of 1970 (BSA), the Money Laundering Control Act of 1986 (MLCA), and the Patriot Act of 2001, enacted in the wake of the September 11 attacks, which strengthened the provisions of both the BSA and the MCLA.

These and other laws, rules and regulations already, among many other things, require financial institutions to establish sufficient AML programs; compel the Treasury to adopt regulations requiring financial institutions to establish customer identification programs; and allow the Treasury to institute special measures for financial institutions, foreign jurisdictions and "primary money laundering concerns." These requirements mean that financial institutions must keep abreast of the latest laundering techniques, vehicles and methods. 

Mr. Lawsky's proposal will add more requirements for financial institutions and another significant hurdle for bank executives to meet. One significant difference in the proposal is that it will seek to hold executives personally liable in the event further major breaches come to light. It is now axiomatic that a financial institution adopt, employ and enforce a sophisticated and timely AML program as part of a sound sanctions compliance program. Institutions that engage in foreign acquisitions and mergers must also undertake stringent FCPA due diligence efforts. 

The penalty leveled by the Securities And Exchange Commission (SEC) against Goodyear Tire & Rubber Company, although not a financial institution, illustrates the risks a company runs when it acquires subsidiaries or merges with companies in developing regions. The issue Goodyear faced, its subsidiaries in Kenya and Angola paying bribes to government officials to obtain lucrative contracts, is not confined to these locations or unique to Goodyear. Many companies have faced significant FCPA penalties for the acts and transgressions of subsidiaries and agents, including Avon, Alcoa, Hewlett-Packard, and Alstom. Financial institutions that seek to acquire foreign assets face similar risks and must take similar preventive and due diligence efforts.

In addition, other recent pronouncements by senior U.S. Department of Justice, SEC and UK officials clearly also reflect the need for institutions to adopt advanced, sound and comprehensive compliance and due diligence programs that are routinely tested and upgraded. Even if not completely successful, it is clear that a good faith and meaningful effort will substantially reduce any penalty that might be assessed in the event a violation does occur. Training key staff, especially in offices abroad and in merger or acquisition targets, is essential. Many of the significant violations can be traced to individuals in subsidiaries that were not aware of the rules and regulations or the potential gravity of the penalties. Now, DFS's proposal will likely require that added efforts be applied. Notably, in a speech last week at Columbia Law School, Mr. Lawsky said that his office is looking to increase its use of random audits of the automatic transaction monitoring and filtering systems at the thousands of firms it regulates.

In light of these comments, as well as the increased scrutiny from other regulatory bodies, it is time for institutions to re-examine the quality of their programs and ensure, among other things, not only that their AML and compliance systems are state of the art, but also that their key personnel understand the importance of AML compliance. Now, it is also personal.