On December 21, 2017, the New York Department of Financial Services (“DFS”) announced a consent order against NongHyup Bank and its New York branch that imposed an $11 million penalty for failing to maintain an adequate anti-money laundering (“AML”) program.[1] NongHyup is a major bank in South Korea with approximately $255 billion in global assets, and its New York branch processes approximately $2 billion worth of U.S. dollar transactions each year. NongHyup Bank was formed in 2012 as a result of a corporate restructuring of South Korea’s National Agricultural Cooperative Federation, and its New York branch began operations in August 2013.

As summarized below, over the course of its three examinations of the New York branch to date, the DFS identified a laundry list of AML deficiencies. These include deficiencies in transaction monitoring (including alleged inadequate rules, manipulation of rule thresholds solely to reduce workload, and failure to timely review alerts for potentially suspicious activity), inadequate customer due diligence (including of the NongHyup Head Office and other foreign correspondent bank accounts), and inadequate compliance personnel expertise.

The DFS’s consent order is notable for the relatively modest size of the penalty—$11 million—compared to the DFS’s other recent AML/sanctions penalties, which have ranged from $180 to $425 million during Superintendent Vullo’s tenure. Additionally, unlike many of its other recent consent orders, this order does not impose a monitor or independent consultant and does not require the Bank to perform a transactional lookback. The DFS’s order also “recognizes and credits the manner in which [the Bank] has cooperated with the Department in its investigation of this matter,” and the remedies imposed reflect the DFS’s “positive consideration” of that cooperation.[2]

DFS’s Findings

While the DFS noted that “a bank’s examination ratings should improve over time,” it found that “the opposite occurred at NongHyup—each successive examination [of the Bank] uncovered an increasing number of deficiencies in connection with the New York Branch.”

The DFS’s first examination of the New York branch took place in 2014 and determined that the branch “maintained substandard internal controls across a number of compliance functions” and had violated New York law due to its inadequate BSA/AML controls. The DFS alleged that the Bank:

  • Failed to maintain adequate transaction monitoring rules;
  • Failed to review all alerts for potentially suspicious activity, conducted many reviews in an untimely manner, and did not keep appropriate records of alert dispositions;
  • Failed to prepare adequate reports to track key risk metrics, which are necessary to “allow management of the Branch and Head Office to undertake adequate oversight of the BSA/AML program”;
  • Failed to conduct the necessary level of “Know Your Customer” (“KYC”) due diligence on the NongHyup Head Office account both in terms of expected account activity and purpose of account, failed to screen the “Head Office account against lists of prohibited persons and entities,” such as the SDN list, and failed to determine whether Head Office members of executive management might be Politically Exposed Persons (“PEPs”) or had “otherwise been cited negatively in publicly available information”;
  • Failed to maintain an appropriate structure for the compliance function due to the fact that the Deputy General Manager and Compliance Officer also served in the additional role of “Audit Liaison,” which created a conflict of interest that could have materially impaired the audit process; and
  • Failed to formalize and document policies regarding the audit function, which could impact the ability to oversee the audit function that was outsourced to a private firm.

The DFS’s second examination, which took place in December 2015, identified a number of new issues as well as “prior deficiencies that went uncorrected.” The DFS downgraded the branch’s compliance rating from “fair” to “marginal.” The DFS found a “critical deficiency” related to the Bank’s transaction monitoring system, which was that the branch’s outside auditor reported that the then-Compliance Officer admitted to “manipulating” transaction monitoring rule thresholds “solely” to reduce the workload of the compliance staff, which did not have sufficient resources. (The changes to thresholds allegedly were not made to “fine tune” the system, such as by eliminating unproductive alerts.) The DFS further noted that the audit report containing this finding was circulated to branch and Head Office management, which took no action.

The 2015 examination also found that the branch:

  • Lacked sufficient compliance resources to execute its assigned tasks and that its existing staff was insufficiently trained or experienced;
  • Replaced its Chief Compliance Officer (who was terminated due to performance issues) with another Compliance Officer who “similarly lacked subject-matter expertise to adequately perform the role”;
  • Failed to maintain an adequate independent testing/audit program, noting that much of the branch’s 2015 Internal Audit report was “simply copied and pasted” from the Branch’s AML policies and procedures and the audit lacked a “targeted scope commensurate with the Branch’s risk profile”; and
  • Repeated, in whole or in part, a number of violations that had previously been identified in the 2014 examination, including deficient foreign correspondent bank due diligence, inadequate BSA/AML and OFAC risk assessments, and failure to conduct adequate transaction monitoring system validation testing.

This examination was conducted jointly with the Federal Reserve Bank of New York (“New York Fed”), and resulted in a January 17, 2017 written agreement between the Bank and the New York Fed.[3]

Finally, the DFS’s third examination was conducted in February 2017 and found that the “trend continue[d] downward” and the branch was unable to complete the necessary “course correction by the next examination cycle.” The DFS again rated the branch’s compliance program as “marginal” due to a “still-seriously deficient BSA/AML program.” Among other things, the DFS found that the branch:

  • Hired additional compliance staff that “once again” lacked proper BSA/AML background and experience (for example, two employees simply had been transferred from the Branch’s trade finance division and a third employee was an external hire who “apparently had no experience in the banking industry, let alone relevant BSA/AML experience”);
  • Continued to “struggle” with transaction monitoring, including by excluding from review certain SWIFT payment messages (MT202s) involving medium- and low-risk countries, and failing to document the rationale for this configuration;
  • Failed to timely review and resolve a substantial number of alerts for potentially suspicious activity; and
  • Failed to perform adequate BSA/AML and OFAC risk assessments, despite the fact that its assessments had been scored as deficient in both prior examinations (the conclusions reached in the assessments lacked necessary support and the methodologies used were inconsistent “both in definition and application”).

Penalty and Remediation

Beyond imposing an $11 million penalty, the DFS’s consent order requires that NongHyup Bank submit plans to enhance its BSA/AML policies and procedures, transaction monitoring and suspicious activity reporting, customer due diligence, internal audit, and corporate governance and management oversight. The Bank is also required to provide quarterly reports on the status of each of these areas for two years. However, the consent order does not require a monitor, an independent consultant, or a lookback review of past transactions.

We will continue to monitor AML/sanctions developments and look forward to providing you with further updates.