In its Civil Monetary Assessment (the "Assessment"), FinCEN assessed a penalty of $450,000 against Michael LaFontaine, former Chief Operational Risk Officer (and, before that, Deputy Risk Officer and Chief Compliance Officer) at U.S. Bank National Association ("Bank") for his failure to prevent BSA violations which occurred during his tenure.
LaFontaine oversaw the Bank's compliance program and, among other alleged failures, set the Bank's transaction monitoring system to cap the number of alerts on potentially suspicious transactions that should have been identified, investigated and potentially reported to FinCEN.
FinCEN highlighted the fact that employees of the Bank and auditors from the OCC repeatedly warned LaFontaine that the Bank's systems were insufficient. LaFontaine was told that it was impermissible to artificially limit the number of suspicious transaction alerts the system would generate, and that the BSA required a risk-based approach to transaction monitoring. In addition, FinCEN noted that the Bank employed a woefully inadequate number of AML investigators, thus violating the BSA's requirement that it designate a compliance officer and provide that officer with the resources necessary to fulfill his/her responsibilities. According to FinCEN's Assessment, the former officer failed to:
establish an adequate AML program by (i) imposing upper limits on the number of alerts produced by the institution's automated transaction monitoring system, (ii) not including Western Union money transfers in the monitoring system and (iii) insufficiently vetting high-risk customers;
adequately staff AML compliance; and
timely file "thousands" of Suspicious Activity Reports (or "SARs").
FinCEN's action is notable. First, taking a page from the DOJ, FinCEN's director, a former federal prosecutor himself, continues to hold individuals, not just the financial institutions, responsible for violations of the BSA. Second, this case is another in a line in which compliance officers and other gatekeepers are increasingly being held individually responsible for system failures. Here, however, the charges are not surprising. The compliance officer was warned not just by internal employees but by regulators as well that an artificial limit on suspicious transaction alerts violated the BSA and that the bank employed too few AML compliance officers. Finally, as the Assessment noted, FinCEN brought a similar case several years earlier against another bank. Gatekeepers will continue to be a focus of enforcement and regulatory agencies - but they can withstand scrutiny by insuring adequate resourcing in their compliance departments and designing their transaction monitoring systems based on objective risk assessments given the financial institution's customer base and risk profile.