For many years the government has encouraged directors and officers of corporations to ensure that they have robust compliance programs to detect and prevent violations of law. This is especially important in regulated industries including defense, healthcare and banking. The U.S. Sentencing Guidelines and the U.S. Department of Justice’s Principles of Federal Prosecution of Business Organizations contain significant incentives for corporations to join in the government’s law enforcement efforts by implementing and maintaining effective compliance programs.2
In addition, with the easing of the financial crisis, there is an enhanced regulatory focus on the importance of strict and robust compliance by banks and other financial institutions with the provisions of the Bank Secrecy Act (BSA)3 to ensure that the institution’s anti-money laundering (AML) program is strong. This focus relies on the examination process, follow-on visitations and, if necessary, regulatory enforcement, cease and desist and civil money penalty orders to ensure that these institutions are complying with the BSA and ensuring that their customer accounts and other facilities are not being used to engage in money laundering, drug and terrorist financing, and other criminal conduct.
Recently, however, the government has increasingly used another weapon against banks and other financial institutions, and their directors and officers – criminal charges for willfully failing to maintain an adequate compliance program as required by the BSA. While the government has used this statute against several financial institutions over the last ten years, it was the formation of the Bank Integrity Unit at the U.S. Department of Justice – announced by the Assistant Attorney General in charge of the Criminal Division, Lanny Breuer, in an October 2010 speech4 – that signaled the government’s new willingness to turn this powerful prosecutorial weapon on financial institutions themselves, especially those which have “abdicated their roles as responsible gatekeepers to the American banking system.”
The mission of the Bank Integrity Unit is to focus not only on financial institutions themselves, but also their directors and officers, to the extent that they ignore their obligations to implement and maintain BSA/AML compliance and allow their institutions to be used for criminal purposes. A willful violation of this or any other requirement of the BSA could result in criminal penalties for the financial institution and its directors and officers, including enhanced penalties where the violation occurs in connection with another violation of law or as part a pattern of illegal activity.5
The BSA requires, at a minimum, the four pillars of anti-money laundering (AML) compliance:
- The development of internal policies, procedures, and controls;
- The designation of a compliance officer;
- An ongoing employee training program; and
- An independent audit function to test the BSA/AML compliance program.6
A “willful” failure to maintain an adequate BSA/AML program that meets these four basic requirements means not only that the financial institution failed to comply with these requirements, but also that the financial institution knew that its failure to do so was unlawful.7
In a recent case prosecuted in Los Angeles, the Bank Integrity Unit obtained plea agreements from a check cashing business and its manager and compliance officer for failing to maintain an adequate AML program and conspiring to fail to file required CTRs on customer transactions.8 The manager was sentenced to five years in prison and the manager to eight months, and the check cashing business itself was ordered to pay a fine of nearly $1 million and to forfeit approximately $250,000 in profits for unreported cash transactions.
The government has signaled a willingness to prosecute larger financial institutions as well. Various Deferred Prosecution Agreements (DPAs) against financial institutions over the last several years – the most recent and high-profile of which was entered into with HSBC in December 2012 – contain important lessons for financial institutions and their directors and officers.9 For example, the crimes that occurred as a result of the banks’ willful failure to implement and maintain adequate BSA/AML compliance programs ranged from the laundering of illegal drug sale proceeds (e.g., BankAtlantic, American Express Bank International, Union Bank of California, Wachovia Bank, Ocean Bank) to evasion of OFAC restrictions on transactions with sanctioned entities such as Cuba, Libya, Iran, and the Sudan (ABN AMRO Bank). Other cases in which the particular crime of willful failure to maintain an adequate BSA/AML compliance program was not charged – but where the compliance failure was clear and strengthened compliance was an integral part of the DPA – also involved violations of OFAC regulations and sanctions regimes (Standard Chartered, ING, Barclays, Lloyds).10
As is reflected in these DPAs the government focuses on the following factors to show knowledge of money laundering risks in connection with a financial institution’s business:
- Any relevant publicly available information, such as government-issued warnings, news articles and press releases highlighting money laundering risks;
- The location of the bank in a federally designated “High Intensity Money Laundering and Related Financial Crime Area”; and
- Internal documents evidencing knowledge of money laundering risks within the bank’s business activities.
Moreover, based on these DPAs, the government will cite these and other factors to establish the lack of an adequate BSA/AML compliance program:
- Failure to adequately monitor high-risk accounts, and particularly the failure to maintain an adequate automated monitoring system designed to detect suspicious activity;
- Failure to perform adequate customer due diligence, and particularly the failure to gather the recommended “Know Your Customer” information regarding the customer’s true identity, source of funds, and typical and expected transactions;
- Failure to provide adequate resources and training to the bank’s compliance department;
- Failure to adequately self-audit;
- Failure to conduct risk assessments on accounts;
- Filing an extremely low number of Suspicious Activity Reports (as required by the BSA) in relation to other comparably-sized institutions;
- Failure to have policies and procedures for handling suspicious activity;
- Failure to terminate accounts with known suspicious activity; and
- Failure to provide ways for members of lower-level management to communicate suspicious activity to each other.
In short, the government is flexing its muscles and invoking new tools in an effort to prevent the financial system from being used for criminal activity. Historically, the government has sought to enlist financial institutions in this effort. Now, enlistment is no longer a choice – a failure to do so could subject a financial institution – along with its directors and officers – not only to regulatory sanctions, but also to criminal fines and imprisonment.