Last week the Department of Justice (DOJ) announced criminal charges against U.S. Bancorp “consisting of two felony violations of the Bank Secrecy Act (‘BSA’) by its subsidiary, U.S. Bank National Association (the ‘Bank’), the fifth largest bank in the United States, for willfully failing to have an adequate anti-money laundering program (‘AML’) and willfully failing to file a suspicious activity report (‘SAR’).” The DOJ entered into a Deferred Prosecution Agreement (DPA) with the Bank and was joined by the OCC, FinCEN, and the Federal Reserve who also came to agreements to resolve related issues with the Bank stemming from similar activities.
Anyone serving in a senior management role, providing legal and compliance support or charged with overseeing BSA/AML operations within a regulated entity should consider both the DOJ’s complaint and DPA required reading. The complaint alleges the Bank violated the BSA by:
- FAILURE TO IMPLEMENT RISK-DRIVEN COMPLIANCE: Failing to implement and maintain an adequate AML program. Specifically, in violation of the BSA requirement to implement adequate internal policies, procedures and controls, the Bank adopted AML policies, procedures, and controls that were deficient and not commensurate with its respective BSA/AML risk profile, which caused the Bank to fail to investigate and report suspicious activity.
- UNTIMELY SAR FILING: Failing to timely file thousands of SARs with FinCEN.
- INACCURATE CTRS: Filling more than 5,000 materially inaccurate CTRs with FinCEN. The CTR form prescribed by FinCEN during the relevant period required the Bank to identify not only the party conducting the transaction, but also the person or entity on whose behalf the transaction was conducted.
In one of the largest settlements of this type, the monetary and regulatory ‘costs’ are then outlined in the DPA, which requires the Bank to:
- To pay $528,000,000 to the United States, less the amount of any civil money penalty paid by USB to the Office of the Comptroller of the Currency ("OCC") in connection with its concurrent settlement of the related regulatory action brought by the OCC.
- Continue its ongoing effort to implement and maintain an adequate BSA/AML compliance program in accordance with the BSA, and the directives and orders of any US regulator of the Bank, including without limitation the OCC, as set forth in the OCC's Consent Order dated October 23, 2015.
- Provide the DOJ with semiannual reports describing the status of the Bank's implementation of the remedial changes to its BSA/AML compliance program required by the Consent Order for the duration of the BSA.
- Allow the DOJ: (a) access to any and all non-privileged books, records, accounts, correspondence, files, and any and all other documents or other electronic records, including e-mails, of the Bank and its representatives, agents, affiliates, and employees, relating to any matters described or identified in the Semi-Annual Reports; and (b) the right to interview any officer, employee, agent, consultant, or representative of USB concerning any non-privileged matter described or identified in the Semi-Annual Reports, for the duration of the agreement.
- Promptly notify the DOJ of: (a) any deficiencies, failings, or matters requiring attention with respect to the Bank's BSA/AML compliance program identified by any United States regulatory authority within thirty business days of any such regulatory notice; and (b) any steps taken or planned to be taken by USB to address the identified deficiency, failing, or matter requiring attention.
According to U.S. Attorney Geoffrey Berman, the heart of the matter stems from allegations that USB “operated the program ‘on the cheap’ by restricting headcount and other compliance resources, and then imposed hard caps on the number of transactions subject to AML review in order to create the appearance that the program was operating properly.” Berman went on to note that the “[b]ank also concealed its wrongful approach from the OCC.” These allegations, on top of both internal memos that detailed staff concerns relating to the sufficiency of the BSA/AML program and prior written concerns of regulators appear to have driven the significant penalties assessed.
While a postmortem review of this matter provides an excellent overview of the application of the BSA to depositories, the one thing that any supervised entity should take away from the actions taken by the DOJ, OCC, FRB, and FinCEN is that the reputational, regulatory and monetary costs associated with BSA violations can be enormous and your compliance and controls should be thought of as mandatory, which are to be reviewed frequently for adequacy and overall performance.
- BSA/AML programs must be driven by the risk in the institution not by financial resources or staffing concerns.
- SAR and CTR activity must be driven by identified risk and legal requirements, in all cases.
- An institution should never ignore BSA/AML concerns raised by a regulator or its staff.
- An institution should always respond to internal concerns raised regarding the propriety of BSA/AML programs.
- Deficiencies identified in Below Threshold Testing (BTT) should always be addressed within a global BSA/AML program.
- Chief Compliance Officers and institution boards should be careful when setting budgets and staffing for BSA/AML so that these decisions are defensible and sufficient to respond to the risks presented by the institution’s offerings:
- What are the risks associated with the institution’s clients?
- What are the risks associated with the institution’s products?
- What are the geographic risks associated with the institution’s products?
- What are the industry risks associated with the institution’s clients?
- BSA/AML staff should be aware of red flags and investigate all red flags for potential money laundering. These must be fully investigated and cleared.