Hot on the heels of FinCEN’s advisory on risks associated with third-party payment processors (see Government Update, issue 18), FinCEN and the FDIC assessed concurrent $15 million civil money penalties against First Bank of Delaware for violations of BSA/AML laws and regulations. Among other things, FinCEN and the FDIC found that the bank “failed to adequately oversee third-party payment processor relationships and related products and services commensurate with associated risks.”
The bank also settled related civil claims with the DOJ, which alleged it “established direct relationships with several fraudulent merchants and third-party payment processors working in cahoots with a large number of additional fraudulent merchants.” On behalf of those entities, the DOJ alleged, the bank originated hundreds of thousands of debit transactions against consumers’ bank accounts, many of which originated via remotely created checks (RCCs). The DOJ also alleged that the bank was aware of “significant red flags warning the bank that the debit transactions were tainted by fraud.” The DOJ’s $15 million penalty is concurrent with those of FinCEN and the FDIC. The bank also is required to maintain an account with $500,000 to pay consumer claims arising from its alleged conduct. First Bank of Delaware’s BSA/AML Failings
FinCEN’s order details a litany of the bank’s BSA/AML failings, most of which are related to the bank’s lack of an effective system of internal controls to ensure ongoing compliance. FinCEN found that the bank did not “effectively assess and implement policies and procedures to mitigate potential money laundering risks, given its high-risk products and clients and failed to detect and timely report suspicious activity to FinCEN.” These are FinCEN’s key findings:
- Regarding third-party payment processors, FinCEN found the bank failed to adequately assess AML risks associated with the provision of banking services to processors; consistently ignored red flags associated with particular processors; and failed to collect sufficient information to anticipate those processors’ normal range of transactions and activities, resulting in a failure to take into account heightened risk factors in its transaction monitoring. In addition, FinCEN found the bank failed to detect and act upon “significant risk indicators” regarding its third-party payment processor customers, including those offering RCC services or servicing merchants paid through the ACH network. For example, merchants utilizing the bank’s third party payment processor customers’ RCC services “were responsible for total return rates of over 60%, which vastly exceeded any reasonably expected rate for such activity.”
- Regarding MSB customers, FinCEN found the bank did not effectively perform individual risk assessments for its high-risk MSB customers, and the risk analyses that were prepared were not provided to appropriate bank personnel. In contravention of its own policy, the bank did not conduct on-site visits for out-of-state, high risk MSBs and other potentially high risk MSB customers.
- Regarding an MSB customer that offered prepaid cards to foreign persons, FinCEN found that the bank relied on the MSB to perform BSA/AML functions related to this product but failed to collect adequate information from the MSB about the foreign cardholders. The FDIC directed the bank to update its policies and procedures related to MSB’s activities, enhance its risk assessment, perform an independent review of the MSB’s AML program and conduct a suspicious activity look back review.
FinCEN’s order also discusses deficiencies related to transaction monitoring, independent testing, day-to-day management of the bank’s AML program, training for appropriate personnel and suspicious activity reporting.
In the joint press release announcing the action, FinCEN Director Jennifer Shasky Calvery stated: “To make money, First Bank of Delaware entered into risky lines of business and chose to disregard its Bank Secrecy Act responsibilities. … As a result of its failure to implement systems and controls to identify and report suspicious activities, as required by the BSA, financial predators were able to victimize consumers.”
This is not the first time First Bank of Delaware has run afoul of the FDIC, having been the subject of a number of orders over the last several years on a variety of issues, including BSA/AML and third party oversight.
Several weeks prior to the public announcement of the FinCEN/FDIC orders and the DOJ settlement, First Bank of Delaware shareholders voted to dissolve the bank.
FinCEN’s press release is available here, FinCEN’s civil money penalty order is available here and the FDIC’s order is available at here. The DOJ’s press release regarding its settlement is available here.