In February, the US Department of Justice (DOJ) and federal financial regulators announced major public enforcement actions against two large banks with significant international business dealings, resulting in a guilty plea, a deferred prosecution agreement (DPA), and near-record fines and penalties. Both financial institutions failed to comply with Bank Secrecy Act/Anti-Money Laundering (BSA/AML) requirements. They failed, and in some instances willfully failed, to maintain procedures reasonably designed to assure and monitor compliance with the requirements of the BSA, including detecting suspicious activity indicative of money laundering, terrorist financing, and other crimes, and reporting suspicious transactions to the Department of the Treasury (Treasury) by filing suspicious activity reports (SARs). In some instances, these deficiencies, coupled with inadequate controls and lack of strong management and reporting structures, also led to fraudulent reporting to bank regulators regarding money laundering activity.

On February 8, Rabobank National Association (Rabobank), a California subsidiary of the Netherlands-based Rabobank U.A., pleaded guilty to conspiracy to obstruct the examination of a financial institution, in violation of 18 U.S.C. § 1517 and 18 U.S.C. § 371, by obstructing Treasury’s Office of the Comptroller of the Currency (OCC) in its examination of Rabobank’s BSA/AML compliance program. In the plea agreement announced by the DOJ, the bank admitted it processed funds without adequate AML review. Due to its deficient AML program, Rabobank allowed hundreds of millions of dollars in untraceable cash – allegedly money connected to drugs and illegal activities – to be deposited into bank branches in Imperial County, California and transferred via wire transfers, checks, and cash transactions, without notifying US federal authorities, as required. Rabobank then defrauded the OCC by suppressing the results of later BSA/AML examinations and review findings. Rabobank agreed to forfeit $368,701,259 to the US government as a result of its AML program failures. In addition, the OCC announced the imposition of a $50 million civil penalty against Rabobank due to its finding that the bank’s AML program was deficient. The OCC penalty will be credited toward satisfaction of the penalty assessed by the DOJ.

On February 15, U.S. Bancorp, entered into a DPA with the DOJ for two felony violations resulting from deficiencies in the BSA/AML compliance program of its subsidiary, U.S. Bank National Association (U.S. Bank). The DOJ found that U.S. Bank willfully failed to implement an adequate AML program and willfully failed to file SARs. In addition, the DPA states the bank concealed information from the OCC. In conjunction with the DPA, U.S. Bank stipulated to the government’s factual account of the alleged misconduct, agreed to pay a $528 million penalty, and agreed to reform its BSA/AML compliance program. As a result of the same misconduct, the US Department of Treasury’s Financial Crimes Enforcement Network (FinCEN) also imposed a $185 million penalty, $115 million of which will be credited towards satisfaction of the DOJ penalty. The OCC similarly imposed a $75 million penalty against U.S. Bank, to be credited against the DOJ forfeiture amount. Finally, in a separate action, the Board of Governors of the Federal Reserve System, the bank’s other financial regulator, issued a Cease and Desist Order against U.S. Bancorp for AML violations and ordered the bank to pay a $15 million fine. In total, the bank must pay $613 million to the US government.

The Rabobank Case

Rabobank admitted to a number of BSA/AML program failures between 2009 and 2012. First, it did not adequately monitor or conduct investigations into transactions by “high-risk” customers or through accounts deemed to be “high-risk,” and second, it did not submit SARs when required or advisable. Many of these suspicious transactions involved cash deposits close to the Mexico border. The Calexico branch of Rabobank, for instance, which is located two blocks from the US-Mexico border, was the highest performing branch in Imperial Valley due to these cash deposits. Rabobank failed to conduct proper investigations into these transactions.

In addition, Rabobank implemented several policies that had the effect of preventing adequate investigation into suspicious transactions. Of note is a policy that allowed employees to ignore a suspicious transaction when a customer was on its “verified list” – even where the transaction generated an internal alert or the customer’s activities had changed dramatically from when the customer was first “verified.”

George Martin, a former vice president at the bank, entered into a DPA with the DOJ in 2017 for his role in aiding and abetting Rabobank’s failure to maintain an AML program that met BSA requirements.[1]

When the OCC began an examination of Rabobank’s AML program in 2012 – eventually leading to a 2013 Consent Order between the OCC and Rabobank – three of the bank’s executives allegedly obstructed the examination. The plea agreement includes detailed information about attempts by these executives to respond to the OCC’s examination questions and an initial report with misleading information about Rabobank’s AML program. The plea agreement also explains how Rabobank demoted or terminated two of its employees who raised questions about the adequacy of Rabobank’s AML program.

The U.S. Bancorp Case

The DPA states that from 2009 to 2014, U.S. Bank operated with limited compliance resources, hindering the effectiveness of its AML program. In 2012, for instance, the bank had more than $340 billion in assets and only 32 AML investigators. U.S. Bank also reportedly paid its investigators below-market salaries and did not provide adequate funding for computers and hardware, causing delays in necessary upgrades to their compliance software. Further, the DPA states that U.S. Bank filled oversight positions with individuals who lacked AML experience.

In addition, U.S. Bank imposed a cap on the number of transactions that were subject to AML review. That cap was based on resource constraints rather than any risk-based analyses of transactions. The DPA states that in 2013, U.S. Bank removed the cap on the number of transactions reviewed, but replaced it with a score threshold chosen to indirectly replicate the cap previously in place.

U.S. Bank also failed to monitor Western Union money services business transactions by allowing non-bank customers to make those transactions even though non-customers were not subject to AML review. According to an internal summary of the Western Union transactions, more than 40% of the transactions in 2013 involved countries on U.S. Bank’s primary or secondary high-risk country lists.

Further, the DPA discusses at length the fact that U.S. Bank failed to file SARs related to the banking activity of Scott Tucker, a customer who was later convicted of racketeering, wire fraud, and money laundering for perpetrating a payday lending scheme.

Finally, the DPA states that U.S. Bank concealed the Bank’s deficient AML program from the OCC by failing to disclose that its alert caps were resource-based rather than determined by the transaction’s risk, and by not providing direct answers to the OCC’s inquiries. Much of this behavior was driven by the bank’s chief compliance officer.

In 2015, U.S. Bank entered into a Consent Order with the OCC based on the OCC’s finding that U.S. Bank’s AML program was deficient. Pursuant to that, the bank conducted a limited review (or look-back analysis) to determine the impact of its AML program deficiencies. The look-back revealed that the bank had failed to file SARs when required, which constituted additional BSA violations—leading to the $75 million civil money penalty imposed by the OCC.


The $368,701,259 fine imposed on Rabobank and the $613 million fine imposed on U.S. Bancorp are among the largest penalties financial institutions have incurred as a result of deficient AML programs.[2]

Financial institutions with a history of BSA/AML deficiencies are at risk of greater penalties for failing to correct AML deficiencies. Rabobank’s guilty plea, for instance, follows a 2006 Memorandum of Understanding and a 2008 Formal Agreement between Rabobank and the OCC. In those earlier enforcement actions, the OCC identified AML deficiencies and Rabobank agreed to implement new compliance measures and submit regular progress reports to the OCC. No civil penalties were associated with those sanctions.[3] As a result of an apparent pattern of misconduct and deficiencies under the BSA that were not remediated adequately over time, Rabobank received a substantial penalty in conjunction with its recent guilty plea. This case reinforces the need for US financial institutions to engage with regulators and supervisory authorities concerning AML requirements.

The absence of a DPA related to Rabobank’s BSA/AML program deficiencies is striking and particularly noteworthy. Unlike BSA/AML cases against major financial institutions where DOJ entered into a DPA in relation to BSA/AML program deficiencies – such as the U.S. Bank case – the plea in the Rabobank case is a criminal obstruction charge. In fact, in the plea agreement, the US government recognizes that Rabobank “has made substantial efforts, and expended significant resources, to remediate the criminal conduct and BSA/AML program deficiencies” since 2013. Accordingly, as Rabobank appears to have rectified deficiencies in its program and has engaged in substantial remediation already, the OCC terminated the 2013 consent order and the United States agreed to abstain from recommending additional remedial measures related to the bank’s BSA/AML program.

Both the Rabobank and the U.S. Bancorp enforcement actions once again demonstrate that financial institutions continue to face scrutiny and potentially large monetary sanctions, as well as criminal charges, as a result of deficiencies in their BSA/AML compliance programs. We strongly advise that our financial institution clients regularly evaluate their existing BSA/AML compliance programs, including a review of existing approaches, due diligence monitoring and alert systems, policies, and procedures.

In addition, both cases serve as a stark reminder of the often noted admonition by regulators and prosecutors that managers proceed at their own risk when they fail to value, emphasize, and adequately fund compliance programs. A strong culture of compliance can only be achieved through a strong message from a company’s board and senior management, as well as a strong reporting structure emanating from the very top of the organization.

Finally, these cases demonstrate the importance of cooperating with regulators. In both cases, managers were in contact with relevant regulators and failed to disclose – or even acted to conceal – AML deficiencies. These actions resulted in more severe penalties, and in the case of Rabobank provided the basis for the conspiracy charges to which Rabobank ultimately plead guilty.