The latest FinCEN actions are instructive to financial institutions regarding the extent and importance of filing so-called “defensive SARs.”
FinCEN Sharpens Teeth with New Enforcement Division – Practical Considerations for Avoiding FinCEN’s Bite
BY V. GERARD COMIZIO, KEVIN L. PETRASIC, LAWRENCE D. KAPLAN & HELEN Y. LEE
On September 23, 2013, the Financial Crimes Enforcement Network (“FinCEN”) announced the assessment of a $37.5 million civil money penalty (“CMP”) against TD Bank, N.A. for failure to file suspicious activity reports (“SARs”) related to a “massive Ponzi scheme” orchestrated by a Florida attorney.1 The FinCEN enforcement action was conducted in coordination with the bank’s primary banking regulator, the Office of the Comptroller of the Currency (“OCC”), and the U.S. Securities and Exchange Commission (“SEC”).2 On the following day, FinCEN coordinated with the OCC and the U.S. Attorney’s Office for New Jersey in announcing the assessment of a $4.1 million CMP against a small New Jersey-based savings association, Saddle River Valley Bank. In that case, the bank was accused of, among other things, “lacking an effective [AML] program reasonably designed to manage the risks of money laundering and other illicit activity, failing to conduct adequate due diligence on foreign correspondent accounts, and failing to detect and adequately report in a timely manner suspicious activities in the accounts of foreign money exchange houses.3 The CMPs represent the first civil money penalties assessed by FinCEN’s new Enforcement Division resulting from FinCEN’s recent internal reorganization completed in June 2013.4
FinCEN’s latest enforcement actions, its new Enforcement Division, and other similar enforcement actions announced by federal and state regulators in recent months,5 highlight the heightened regulatory scrutiny and program risks imposed on financial institutions in complying with Bank Secrecy Act (“BSA”) and anti-money laundering (“AML”) laws and regulations.6 The recent actions are a reminder for institutions to review their BSA/AML and Office of Foreign Assets Control (“OFAC”) compliance programs and enhance such programs, as necessary, to ensure adequate staffing, training, and resources allocated to compliance and business staff to monitor suspicious activities and timely file SARs relating to the types of operations the entity engages in and volume of transactions the entity handles. Among other things, the latest FinCEN and other agency actions are instructive to financial institutions in considering the extent and importance of filing so-called “defensive SARs,” which traditionally have been discouraged by regulators.
This client alert addresses: (i) BSA suspicious activity reporting requirements and FinCEN’s enforcement authority; (ii) the basis for FinCEN’s recent enforcement actions; and (iii) practical considerations for institutions to enhance their BSA/AML programs to meet supervisory expectations for the filing of SARs, including considerations with the extent and renewed importance of a robust SARs filing compliance program.
SARs Reporting Requirements and FinCEN’s Enforcement Authority
The BSA and its implementing regulations impose an obligation on banks to report transactions involving (or aggregating) at least $5,000 that are conducted by, at or through the bank, and that the bank “knows, suspects, or has reason to suspect” are suspicious.7 A transaction is “suspicious” if the transaction: (1) involves funds derived from illegal activities, or is conducted to disguise funds derived from illegal activities; (2) is designed to evade the reporting or recordkeeping requirements of the BSA or implementing regulations; or (3) has no business or apparent lawful purpose or is one in which the customer would not normally be expected to engage, and the bank knows of no reasonable explanation for the transaction after examining the available facts, including background and possible purpose of the transaction.8
Created in 1990 as a bureau of the U.S. Department of the Treasury, FinCEN collects and analyzes information about financial transactions required under the BSA in order to combat money laundering, terrorist financing and other financial crimes.9 It is authorized to investigate banks and other financial institutions for compliance with and violation of the BSA pursuant to 31 C.F.R. § 1010.810, which grants FinCEN “overall authority for enforcement and compliance, including coordination and direction of procedures and activities of all other agencies” under the BSA.
Basis for Recent FinCEN Enforcement Actions
The primary basis for FinCEN’s assessment of a CMP against TD Bank was that the bank had “willfully violated the [BSA’s] reporting requirements by failing to detect and adequately report suspicious activities in a timely manner.”10 In particular, FinCEN noted, “[a] lack of adequate training for both the business and [BSA/AML] staff contributed to the [bank’s] failure to recognize … suspicious activity.”11 Key assertions made in the agency’s enforcement order included that the bank failed to detect and report suspicious activity, and filed late SARs. In particular, FinCEN indicated that the bank failed to properly identify, monitor, and report suspicious activity in attorney trust accounts known as Interest on Trust Accounts (“IOTAs”) maintained by a Florida attorney, which accounts were used to conduct fraudulent transactions.
FinCEN noted that the bank’s policies, procedures, and training regarding IOTAs had been inadequate and, as a result, while the accounts triggered suspicious activity alerts in the bank’s AML surveillance software between April 2008 and September 2009, the bank’s employees failed to recognize the suspicious activity and file SARs in a timely manner.12 Specifically, FinCEN alleged the bank filed five late SARs, totaling an estimated $900 million in aggregate suspicious transaction activity occurring between April 2008 and October 2009, substantially exceeding the general 30-day timeframe to file required SARs.13
In FinCEN’s action against Saddle River Valley Bank, which ceased operations in 2012, the agency coordinated with the OCC and New Jersey U.S. Attorney’s Office to address numerous willful violations arising from an inadequate and ineffective BSA/AML program “reasonably designed to manage the risks of money laundering and other illicit activity, failing to conduct adequate due diligence on foreign correspondent accounts, and failing to detect and adequately report in a timely manner suspicious
activities in the accounts of foreign money exchange houses, also known as casas de cambio.”14 According to FinCEN, the bank “executed $1.5 billion worth of inadequately monitored transactions on behalf of Mexican and Dominican casas de cambio despite publicly available information, [including] a FinCEN advisory, that provided ample notice of the heightened risks of dealing with these institutions.”15
Avoiding FinCEN’s Bite – Meeting Supervisory Expectations for the Filing of SARs
Financial institutions seeking to manage program risks presented with BSA/AML compliance should perform enterprise-wide reviews and assessments of BSA/AML and OFAC risk, regardless of the size and degree of complexity with respect to the institution’s operations. These reviews should be conducted periodically as well as when an institution launches a significant new product or service that may implicate AML or OFAC obligations. In addition to other Action Plan items noted in Paul Hastings’ earlier publication “BSA/AML and OFAC Compliance – Higher Stakes and Greater Consequences for Banks,”16 practical considerations for financial institutions to meet supervisory expectations for the filing of SARs include:
When in Doubt, File a SAR: The recent enforcement actions by FinCEN and other regulators underscore the importance of avoiding and addressing lax controls for the review and monitoring of suspicious activity. As noted above, a transaction is “suspicious” if the transaction: (1) involves funds derived from illegal activities, or is conducted to disguise funds derived from illegal activities; (2) is designed to evade the reporting or recordkeeping requirements of the BSA or implementing regulations; or (3) has no business or apparent lawful purpose or is not the sort in which the customer would normally be expected to engage, and the bank knows of no reasonable explanation for the transaction after examining the available facts.17 Banking institutions are generally required to report “any suspicious transaction relevant to a possible violation of law or regulation,” and are required to file a SAR for transactions “conducted or attempted by, at, or through the bank involving (or aggregating) at least $5,000 in funds or other assets, and the bank knows, suspects, or has reason to suspect that” the transaction involves suspicious activity.18 Thus, a bank need only have a suspicion of illegal activity, rather than actual knowledge, to trigger a potential SAR filing obligation. Given the trend in recent regulatory enforcement actions citing institutions for failing to file (or timely file) SARs, notwithstanding past guidance discouraging the filing of defensive SARs,19 these new enforcement actions suggest that when in doubt, an entity should file a SAR.
Commit Sufficient Resources to Ensure a Strong Compliance Program: An institution must be able to demonstrate to regulators that it has committed the necessary resources – and is willing and able to invest additional resources, as appropriate – to establish and maintain a robust BSA/AML and OFAC compliance program, including investments in technology, staff, training, and monitoring capabilities. While institutions are continually facing pressures to reduce overhead and expenses, particularly as revenue growth slows, BSA/AML and OFAC compliance efforts should not be part of any planned cost-cutting measures. The size of an institution’s BSA/AML and OFAC compliance program should be commensurate with its size and risk profile, and institutions should expect to continue to fund and expand compliance capability where necessary and appropriate to do so. To ensure the efficient allocation of resources, financial institutions should consider applying progressive methods of due diligence and suspicious activity monitoring systems that may be deployed as the risk level
rises, as shown in the following graphic from the BSA/AML Examination Manual of the Federal Financial Institutions Examination Council:
Source: FFIEC BSA/AML Examination Manual, Appendix K: Customer Risk Versus Due Diligence and Suspicious Activity Monitoring
The cost of committing adequate resources up-front will produce benefits in terms of reduced risk exposure and potential remedial costs and fines for failing to take the necessary actions to achieve and maintain BSA/AML and OFAC compliance. At a minimum, employing an experienced and knowledgeable BSA officer and support staff, as appropriate, as well as experienced OFAC compliance staff, is critical.
Maintain the Strength of Information Technology (“IT”) and Monitoring Processes: In addition to maintaining updated IT software and programs, management and the board of directors of an institution should ensure adequately trained staffing to monitor and supervise these processes and programs to, among other things, ensure that suspicious activity can be detected and management alerted in a timely manager. Examiners may probe IT systems and back-end analytical departments to ensure that case management processes for unique or unusual transactions are supported by reasonable financial intelligence.
The expanding focus of U.S. regulators on BSA/AML and OFAC compliance issues highlights the significant operational risks facing financial institutions relating to the adequacy of their BSA/AML and OFAC compliance programs. It also underscores the efforts of regulators to address the challenges for domestic and international regulators to detect and eradicate money laundering and terrorist financing activities across borders in our increasingly globalized and co-dependent financial systems. Financial institutions seeking to manage program risks should perform an enterprise-wide review and assessment of BSA/AML and OFAC compliance to ensure that they are meeting supervisory expectations regarding the monitoring and detection of suspicious activities, the timely filing of SARs, and related program issues.
If you have any questions concerning these developing issues, please do not hesitate to contact any of the following Paul Hastings lawyers:
Chris Daniel 1.404.815.2217 email@example.com
Todd W. Beauchamp 1.404.815.2154 firstname.lastname@example.org
Erica Berg Brennan 1.202.551.1804 email@example.com
Kevin Erwin 1.404.815.2312 firstname.lastname@example.org
Diane Pettit 1.404.815.2326 email@example.com
Cathy S. Beyda 1.650.320.1824 firstname.lastname@example.org
Thomas Brown 1.415.856.7248 email@example.com
Kristin M. Hall 1.415.856.7071 firstname.lastname@example.org
Stanton R. Koppel 1.415.856.7284 email@example.com
Samuel C. Zun 1.415.856.7206 firstname.lastname@example.org
V. Gerard Comizio 1.202.551.1272 email@example.com
Behnam Dayanim 1.202.551.1737 firstname.lastname@example.org
Kevin L. Petrasic 1.202.551.1896 email@example.com
Ryan A. Chiachiere 1.202.551.1767 firstname.lastname@example.org
Michael A. Hertzberg 1.202.551.1797 email@example.com
Lawrence D. Kaplan 1.202.551.1829 firstname.lastname@example.org
Amanda Jabour Kowalski 1.202.551.1976 email@example.com
Helen Y. Lee 1.202.551.1817 firstname.lastname@example.org
Paul Hastings LLP www.paulhastings.com
StayCurrent is published solely for the interests of friends and clients of Paul Hastings LLP and should in no way be relied upon or construed as legal advice. The views expressed in this publication reflect those of the authors and not necessarily the views of Paul Hastings. For specific information on recent developments or particular factual situations, the opinion of legal counsel should be sought. These materials may be considered ATTORNEY ADVERTISING in some jurisdictions. Paul Hastings is a limited liability partnership. Copyright © 2013 Paul Hastings LLP.
IRS Circular 230 Disclosure: As required by U.S. Treasury Regulations governing tax practice, you are hereby advised that any written tax advice contained herein or attached was not written or intended to be used (and cannot be used) by any taxpayer for the purpose of avoiding penalties that may be imposed under the U.S. Internal Revenue Code.
1 See FinCEN Press Release dated Sept. 23, 2013, available at http://www.fincen.gov/news_room/nr/pdf/20130923.pdf.
2 The bank’s primary federal banking regulator, the OCC also announced the assessment of a concurrent penalty for the same amount against the bank for related violations. See OCC Press Release dated Sept. 23, 2013, available at http://www.occ.treas.gov/news-issuances/news-releases/2013/nr-occ-2013-145.html. Additionally, the SEC assessed a separate $15 million penalty against the Bank for related securities violations. See SEC Press Release dated Sept. 23, 2013, available at http://www.sec.gov/News/PressRelease/Detail/PressRelease/1370539827946.
3 See FinCEN Press Release dated Sept. 24, 2013, available at http://www.fincen.gov/news_room/nr/html/20130924.html. In making such findings against the bank, FinCEN worked with the OCC and the U.S. Attorney’s Office for the District of New Jersey.
4 See FinCEN Press Release dated Sept. 23, 2013, at p. 2. Pursuant to the FinCEN Press Release, “[t]he Enforcement Division was created under FinCEN’s June 2013 reorganization and is comprised of an elite group of personnel who target the exploitation of the financial system by illicit actors. Its efforts are focused on: compromised financial institutions and their officers, managers, and employees; compromised jurisdictions; and third party money launderers who facilitate financial crime. The division has a broad array of enforcement authorities to target both domestic and foreign actors affecting the U.S. financial system.” See FinCEN’s Press Release dated June 24, 2013 regarding the reorganization, available at http://www.fincen.gov/news_room/nr/html/20130624.html.
5 For a discussion of recent enforcement actions taken by regulators to address BSA/anti-money laundering and Office of Foreign Assets Control compliance issues, see Kevin L. Petrasic, Michael A. Hertzberg, and Carla Laroche, BSA/AML and OFAC Compliance – Higher Stakes and Greater Consequences for Banks (Mar. 25, 2013), available at http://www.paulhastings.com/publications-items/details/?id=a5b32f26-8aa5-6986-8b86-ff00008cffc3.
6 The Bank Secrecy Act is codified at 12 U.S.C. §§ 1829b, 1951-1959 and 31 U.S.C. §§ 5311-5314, 5316-5332. Regulations implementing the Bank Secrecy Act appear at 31 C.F.R. Chapter X.
7 31 U.S.C. § 5318(g) and 31 C.F.R. § 1020.320.
8 31 C.F.R. §§ 1020.320(a)(2)(i) - (iii).
9 See generally “About FinCEN, What We Do,” available at http://www.fincen.gov/about_fincen/wwd/.
10 FinCEN Order 2013-1 (Sept. 23, 2013), referencing 31 U.S.C. § 5318(g) and 31 C.F.R. § 1020.320.
11 Id. at 4.
13 Pursuant to FinCEN regulations, a bank is required to file a SAR no later than 30 calendar days after the date of initial detection by the bank of facts that may constitute a basis for filing a SAR. If no suspect was identified on the date of the detection of the incident requiring the filing, a bank may delay filing a SAR for an additional 30 calendar days to identify a suspect. In no case shall reporting be delayed more than 60 calendar days after the date of initial detection of a reportable transaction. In situations involving violations that require immediate attention, such as, for example, ongoing money laundering schemes, the bank is required to immediately notify, by telephone, an appropriate law enforcement authority in addition to filing timely a SAR. 31 C.F.R. § 1020.320(b)(3).
14 See supra, note 3.
16 Available at http://www.paulhastings.com/publications-items/details/?id=a5b32f26-8aa5-6986-8b86-ff00008cffc3.
17 31 C.F.R. § 1020.320(a).
19 See, e.g., Remarks of FinCEN Director Fox, October 25, 2004, available at http://www.fincen.gov/news_room/speech/html/20041025.html.