Why it matters

A $6.5 million civil money penalty imposed against a $1.57 billion Florida bank for persistent anti-money laundering (AML) and Bank Secrecy Act (BSA) deficiencies provided an appropriate back drop for two enforcement-related announcements by the Office of the Comptroller of the Currency (OCC). On February 26, the OCC announced a revised policy and matrices for calculating civil money penalties against national banks, legacy federal thrifts and institution affiliated parties. Three days later, the OCC followed with a bulletin addressing the consequences of noncompliance with the BSA and repeat or uncorrected BSA compliance problems.

Detailed discussion

The civil money penalties (CMP) imposed on Gibraltar Bank capped a saga of repeat and "substantial" AML program deficiencies that began more than six years ago and was related to transactional activity tied to a $1.2 billion Ponzi scheme. In 2010, the Office of Thrift Supervision (OTS), the regulatory predecessor of Office of the Comptroller of the Currency, warned Coral Gables, Florida-based Gibraltar Private Bank and Trust about deficiencies in the institution's anti-money laundering and Bank Secrecy Act program. Despite the warning, the bank persisted in violating applicable laws, failed four reviews by the OCC, and was ultimately subjected by a consent order with the OCC in 2014, replacing an earlier order with the OTS.

The Financial Crimes Enforcement Network (FinCEN)'s order against the bank cited a number of deficiencies in the bank's AML/BSA program. It found violations of the requirements to implement an effective AML compliance program, to develop and implement an adequate customer identification program and to report suspicious transactions.

With respect to AML program violations, FinCEN noted the bank did not adequately monitor, detect or report suspicious activity or assess its money laundering risks. Gibraltar's transaction monitoring system contained incomplete and inaccurate account opening information and customer risk profiles, anticipated account activity did not match actual activity and an unmanageable number of alerts were generated. This "hindered its compliance staff from adequately spotting unusual account activity," FinCEN said. The bank could not "timely or adequately review or investigate all of the alerts."

The bank's training was inadequate. It failed to provide appropriate training for "specific positions, departments, board members and other personnel." It also failed to address the needs of its BSA/AML compliance personnel for "significant training in order to adequately implement its BSA/AML compliance program." It did not develop and implement an adequate customer identification program, and it did not sufficiently address a number of problems with its automated monitoring system, which system generated an "unmanageable" number of alerts—including large numbers of false positives—and resulted in significant delays in Gibraltar's review, FinCEN said.

"Although Gibraltar used a software system to monitor its accounts for unusual activity going through the bank, the system and procedures were so flawed that Gibraltar systematically failed to identify and timely report transactions through numerous accounts that exhibited indicia of money laundering or other suspicious activity," according to FinCEN's Assessment of Civil Money Penalty.

For example, from the period from August 2013 to July 2014, 60 percent of the bank's alerts had not been reviewed despite an internal policy requiring all BSA alerts to be checked within 30 days. Even when the alerts were reviewed, they were sometimes closed despite being suspicious or delayed, FinCEN alleged. "And, in those instances where alerts were escalated to investigations for potential SAR filings, 16 alerts, or 64 percent of the escalated reviews, took over 60 days to escalate for further investigation," the regulator said. "Eleven of these reviews resulted in SAR filings."

These compliance failures came at a cost, the regulator said. Gibraltar failed to timely file at least 120 suspicious activity reports (SARs) involving about $558 million over a four-year period. The program deficiencies also delayed the bank from detecting and reporting transactions related to a $1.2 billion Ponzi scheme led by a Florida attorney who was convicted in 2010 and sentenced to 50 years in federal prison.

"We may never know how that scheme might have been disrupted had Gibraltar more rigorously complied with its obligations under the law," FinCEN Director Jennifer Shasky Calvery said in a statement. "This bank's failure to implement and maintain an effective AML program exposed its customers, its banking peers, and our financial system to significant abuse."

One day after the Gibraltar orders were issued, the OCC released its revised civil money penalty policy. First issued in 1993 with a matrix that could be used to calculate the size of CMPs based on a number of factors, the revised policy now provides two matrices. One matrix sets out the factors considered with imposing CMPs on the institutions and the other addresses institution-affiliated parties (IAPs). The weights applied have increased for a number of factors including "continuation of violations after notifications." Its new policy on Process for Administrative Enforcement Actions Based on Noncompliance With BSA Compliance Program Requirements or Repeat or Uncorrected BSA Compliance Problems can be viewed here.

To read the OCC's Assessment of Civil Money Penalty in In the Matter of Gibraltar Private Bank and Trust Company, click here.

To read FinCEN's Assessment of Civil Money Penalty, click here.

To read the OCC's Revised Civil Money Penalty Policy, click here.