Venerable and storied, Riggs Bank was a Washington, D.C. fixture dating back to 1836. It was the bank of presidents: Abraham Lincoln, Theodore Roosevelt, Dwight Eisenhower and at least 20 others. It was the bank of generals: William Sherman, John J. Pershing and Douglas MacArthur. It was the bank of other notables in American history, politics, philanthropy and the arts, including frontiersman and congressman Davy Crockett, orator and statesman Daniel Webster, founder of the American Red Cross Clara Barton and composer of “The Star-Spangled Banner” Francis Scott Key. It was Riggs Bank that organized the financing for the Mexican-American War, the purchase of Alaska and the first expedition of Robert Peary to the North Pole.

But when a report surfaced shortly after September 11, indicating that an account held at the bank had ties to two of the 9/11 hijackers, it triggered a series of criminal, regulatory and federal investigations into money laundering, and not even the bank’s lofty reputation was able to save it from ruin. Riggs was forced to endure four years of investigations, tens of millions of dollars in fines and a Justice Department-imposed corporate suspension stemming from its “don’t ask, don’t tell” approach to transactions involving multiple accounts held at the bank by former Chilean dictator Augusto Pinochet and by president of Equatorial Guinea Teodoro Obiang Nguema, who originally came to power following a military coup. In 2005, the bank was finally acquired by the PNC Financial Services Group. The Riggs name, which had once commanded considerable goodwill and respect, was dropped from its 51 Washington-area branches. The bank was no more.

The lesson to be learned from the demise of Riggs Bank is that financial institutions that fail to comply with money laundering and terrorist-financing laws, or that fail to implement and adhere to effective systems of governance, internal control and audit in these areas, expose themselves to significant regulatory, legal and reputational risks. Riggs may be the poster child of what can happen to a financial institution that is unable or unwilling to sufficiently mitigate such risks, but any financial institution that fails to take adequate steps to confront these risks can set itself up for a major loss.

Regulatory Risk

Regulatory risk, or what could more aptly be termed legislative and regulatory risk, is created when an organization fails to comply with laws or regulatory requirements. There are a variety of adverse consequences that may result from a breach of existing anti-money laundering (“AML”) laws or regulatory requirements.

Formal Enforcement Actions/Monetary Penalties

If AML laws are thought to have been breached, regulators and prosecutors can bring formal enforcement proceedings. The consequences of a successful enforcement action can include, among other things, a monetary penalty. In the United States, this means a civil money penalty levied by a regulator, a fine or forfeiture imposed in the case of a criminal prosecution, or both. These penalties can total hundreds of millions of dollars.

On the civil side, and in the U.S. banking sector, formal enforcement actions may also include: a cease-and-desist or consent order either prohibiting a particular business practice or requiring that certain steps be taken to remedy conditions resulting from the particular practice or legal violation; an order suspending or removing a director, officer, employee or other party from office, or barring such party from further participation in the affairs of any insured depository institution; or the termination of deposit insurance coverage (basically, a death sentence), if applicable.

In the United States, cease-and-desist and consent orders range from the less intrusive (such as imposing an obligation on an organization to take steps to improve its compliance program) to the more invasive. As an example of this latter category, the federal branch of Arab Bank was the subject of a consent order issued in 2005 by the Office of the Comptroller of the Currency (the foreign bank regulating body in the United States), when its U.S. international funds transfer business came under scrutiny for alleged violations of the Bank Secrecy Act.

The far-reaching order required that the branch increase its capital equivalency deposit, maintain a certain quality of total assets, cease engaging in funds transfer activities and close down its correspondent accounts. And the order did not stop there. The bank also had to refrain from opening any new deposit accounts (or renewing any existing ones), wind down and convert the branch into a federal agency with limited banking powers, and pay off all depositors, creditors and holders of other third-party liabilities.

Regulatory Approvals

If a financial institution is in breach of AML laws, it will likely affect regulators’ decisions to approve or deny pending applications, especially where there is some relevance to the matter under consideration. Apart from this human tendency, the regulator may be required by statute to consider “any other relevant matter” in connection with an application before it. In the United States, the Bank Holding Company Act and the Federal Deposit Insurance Act each stipulate that the applicable regulator must consider the effectiveness of a financial institution in combating money laundering prior to approving its application for an acquisition, merger, consolidation or other prescribed transaction.

The former AmSouth Bank is a case in point. Two of the bank’s customers ran a Ponzi scheme in which the investment was a promissory note held in an AmSouth account that had been established for each victim. Some of the notes promised interest of up to 25% per month, and prosecutors and regulators believed that the bank had a duty to flag the transactions and file suspicious activity reports (SARs) in response.

The Ponzi investigation triggered a wider review of AmSouth’s AML practices by the Financial Crimes Enforcement Network (FinCEN), the Federal Reserve and the Alabama Department of Banking. In the end, not only were severe monetary penalties levied on the bank ($50 million in aggregate), but AmSouth’s ambitious expansion plan to open 64 new branches had to be delayed for approximately one year because the Federal Reserve restricted the bank’s expansion activities until AmSouth complied with AML laws.

Legal Risk

Legal risk is not only the result of litigation, but can also stem from agreements previously reached by the organization being rendered unenforceable. Legal risk and the possibility of significant losses exist regardless of whether or not a claim is successfully defended. Even a successful defense will incur substantial legal costs. An unsuccessful defense compounds the problem, however, because not only does it expose a company to a potentially significant judgment award, but it can create reputational damage as well.

If a claim, whether a derivative action, class action or ordinary lawsuit, is brought against a financial institution or its directors alleging that a deficient AML program caused damage to one or more plaintiffs, then management’s time and attention are directed away from running the business and earning profits. In addition, the out-of-pocket costs associated with the defense of the claim (the fees of attorneys, expert witnesses, public relations firms and other consultants) can be staggering, easily reaching into the millions. In extreme cases, share prices can be affected. Such lawsuits are not just theoretical.

For example, the Bank of New York Company, Inc. (now the Bank of New York Mellon Corporation) was sued in a Moscow court in 2007 by the Russian Federal Customs Service claiming $22.5 billion in damages in connection with certain funds transfer activities to and from Russia from 1996 through 1999. During this period, approximately $7 billion was alleged to have flowed out of Russia in violation of its currency controls through funds transfers involving accounts located at a retail branch of the bank in New York.

The accounts were opened by a Russian émigré with the assistance of his wife, who was also from Russia and a vice president of the bank. Both pleaded guilty in 2000 to several crimes involving the accounts, including conspiring to operate an illegal money transmitting business and laundering money to promote wire fraud.

The lawsuit was based on an “acknowledgement of responsibility” in a nonprosecution agreement between the bank and U.S. prosecutors in which the bank agreed to take extensive remedial steps in connection with its AML program. The claim alleged that the bank, contrary to U.S. law, failed to supervise and monitor certain funds transfer activities, thereby resulting in an underpayment of taxes to Russia for importing certain goods.

The lawsuit was settled in 2009 for $14 million without any admission of liability on the bank’s part. The real problem, however, lay not in this relatively modest amount or even in the defense costs incurred, but rather in the opportunities lost as a result of management having been distracted by the claim and in the downward pressure that the claim had on the bank’s share price.

Reputational Risk

Reputational risk can be defined as the risk of operational disruption or other damage to an organization as a result of loss of its standing or reputation. That loss can be in the eyes of the organization’s customers, investors, market analysts, distribution intermediaries, alliance partners, regulators, the media, the general public or anyone who can have an impact on the organization. There is an obvious relationship between regulatory and legal risk and reputational risk in that a failure to comply with laws and regulations may have a negative impact on an organization’s reputation.

Loss often comes as a result of negative publicity, but it does not have to – it could result from an audit conducted by a regulator whose findings never make the news. But this is somewhat academic. What is more important is the variety of areas that can be adversely affected in an entity whose reputation is besmirched.

Customers: A damaged reputation may make it more difficult to recruit new customers and meet sales and budget targets. There may also be a concurrent flight of existing customers, leading not only to a decrease in revenue, but also to a decline in profitability because fixed costs will not decline or will not decline proportionately with revenue.

Investors, fund sources and market analysts: A private company that is “de-valued” and that is part of a corporate group may find it more difficult to obtain any planned capital infusion from its parent or to compete with other subsidiaries in the group for capital from the parent. It may even be simply sold off. If the business operates in a particular jurisdiction as a branch, its head office may restrict the scope of the branch’s business, sell off its book of business, send it into run-off or close it down.

A public company may find it more difficult to raise funds in the equity markets if its reputation is tarnished, as stock analysts are quick to cut share ratings on negative news. Any contemplated public or private offering of shares may need to be delayed or discounted, thus denying the issuer needed investment capital. If the reputational damage comes to light during the process of an entity’s divestiture, and provided there is a “material adverse change” clause in the sale or merger agreement, the transaction may be delayed, fail to close or need to be renegotiated. If the organization in question is a bank, its ability to access funding through securitization and interbank markets may be curtailed.

Distribution intermediaries: It may be more difficult to recruit new distribution intermediaries (for example, agents and brokers in the case of an insurer or securities brokers for a brokerage firm). There may also be a flight of existing intermediaries, especially the more productive ones, leading to a decline in both revenue and profitability.

Partners: Any ongoing negotiations with a prospective partner may fail when a money laundering or terrorist financing story breaks. Any agreements that are up for renewal with existing partners may not be renewed. Finally, any agreements with current partners may be cancelled according to any early termination provisions in those documents.

Directors and staff: It may be more difficult for an organization with a negative image to recruit skilled and reputable directors, officers and other employees. It may also be more difficult for a firm with a negative image to retain good staff, notably those who have options and particularly during favourable economic times.

Regulators: Reputational damage from an implication in a money laundering or terrorist financing scheme will likely lead to a loss of trust and goodwill with the firm’s financial regulators. This, in turn, can result in additional examinations or audits, during which additional undetected failures may be uncovered. Any implication in a scheme in which there is perceived culpability in the eyes of a regulator will likely make future dealings between the firm and that regulator more difficult.

Media: Once one negative story surfaces, an organization becomes more newsworthy and will be subject to greater scrutiny. This can lead to negative follow-up stories that would not otherwise garner media attention or warrant publication but that serve to reinforce the negative image.

As an example of the effect of reputational damage, Union Bank of California International had a significant international correspondent banking business centered in New York, which included relationships with a large number of Russian banks. After the Federal Reserve Bank of New York raised concern about these relationships and their potential use for money laundering, the Russian relationships were severed, and the bank’s good standing was tarnished. In 2005, its international correspondent banking business was sold to Wachovia Bank and the corporation was liquidated soon after.

Vulnerabilities Remain

Money laundering is not a new problem. So why should we be concerned with AML risks now when it has been some time since the enactment of AML legislation and the documentation of early compliance failures?

The answer is simple. As long as there is systemic vulnerability in an organization arising from compensation practices that favor risk-takers over risk-mitigators, IT infrastructures that inadequately identify and monitor risk exposures on an enterprise-wide basis, governance practices that do not establish and adequately communicate risk tolerances from the top down, and other systemic vulnerabilities, there will be a need to get the message out that a failure to confront AML risks can result in significant, practical loss to an organization. As long as there is staff turnover, as long as calm gives rise to complacency and as long as there are funds that require laundering, it is a lesson worth repeating.