On March 4, 2020, the Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) issued a consent order assessing a $450,000 civil money penalty against Michael LaFontaine, a former Chief Operational Risk Officer at U.S. Bank NA (“U.S. Bank”), for his alleged failure to prevent Bank Secrecy Act/anti-money laundering (“BSA/AML”) violations that took place during his tenure.[1] This action—which follows U.S. Bank’s 2018 BSA/AML-related resolution with FinCEN, the U.S. Department of Justice (“DOJ”), the Office of the Comptroller of the Currency (“OCC”) and the Federal Reserve for a combined $613 million in financial penalties—marks the first time FinCEN has imposed a penalty on a bank compliance officer for his role in failing to prevent BSA/AML compliance program failures.[2]

This action follows closely on the heels of several recent OCC enforcement actions against financial institution executives (all of which involved prior resolutions and significant penalties paid by their employers).[3] These include the OCC’s January 2020 consent orders against John Stumpf, the former Wells Fargo CEO and Chairman, and two other former executives and enforcement actions against five other former Wells Fargo executives—including the former head of the Community Bank, group risk officer, general counsel, chief auditor and executive audit director—as well as the July 2019 consent order against Daniel Weiss, the former General Counsel of Rabobank, N.A.[4]

FinCEN’s last notable enforcement action against a compliance officer was its much-watched action against Thomas Haider, the former Chief Compliance Officer (“CCO”) of MoneyGram International, Inc. (“MoneyGram”), in which the agency initially sought a $1 million penalty, but ultimately reached a settlement for a $250,000 penalty in 2017.[5] In the consent order against LaFontaine, he was required to represent that he had not served in a compliance management function for any financial institution since he left U.S. Bank in June 2014.[6] Notably, however, LaFontaine is not subject to an industry bar, which was imposed on Stumpf by the OCC, and on Haider by FinCEN.[7]

When combined with the recent OCC actions, FinCEN’s action against LaFontaine signals a trend in more aggressive efforts by federal regulators to hold individuals responsible for compliance deficiencies at the financial institutions they serve.

The Assessment of the Civil Money Penalty

LaFontaine had held senior positions within U.S. Bank’s AML hierarchy from 2005 until 2014, acting at various times as CCO, Deputy Risk Officer and Chief Operational Risk Officer. As Chief Operational Risk Officer, LaFontaine oversaw U.S. Bank’s AML compliance department, reported directly to U.S. Bank’s CEO and communicated regularly with its Board of Directors. As detailed by FinCEN, during LaFontaine’s tenure, U.S. Bank adopted AML policies that it knew would cause it to fail to investigate and report potentially illegal activity, despite the fact that these shortcomings were repeatedly brought to LaFontaine’s attention by U.S. Bank’s AML staff.

In levying a civil money penalty against LaFontaine, FinCEN determined that he had (i) failed to take sufficient steps to ensure that U.S. Bank’s compliance division was appropriately staffed to meet regulatory expectations; and (ii) failed to take sufficient action when presented with significant BSA/AML program deficiencies. FinCEN alleges that LaFontaine had received concerns from U.S. Bank AML staff, but that he failed to adequately address them. LaFontaine admitted to his role in U.S. Bank’s BSA/AML violations, which included: (i) failure to implement an adequate transaction monitoring system to spot potentially suspicious activity; (ii) failure to devote adequate resources to U.S. Bank’s AML program; and, as a result, (iii) failure to timely file thousands of suspicious activity reports (“SARs”), including for transactions that potentially laundered the proceeds of crimes.

LaFontaine’s Supervision of U.S. Bank’s Transaction Monitoring System

Among the key BSA/AML deficiencies highlighted by FinCEN were U.S. Bank’s policy of “capping” the number of alerts that U.S. Bank’s automated transaction monitoring system would generate for review. From 2004 to 2014, U.S. Bank used automated transaction monitoring software to monitor transactions for potential money laundering and other illicit conduct.[8] Rather than allow the software to generate alerts based on whether a transaction exceeded set risk thresholds, U.S. Bank capped the number of alerts that the transaction monitoring software could generate for review, such that suspicious transactions would be suppressed, thereby preventing suspicious activity from being investigated and reported.[9] FinCEN noted that, in February 2010, it and the OCC announced a regulatory action against Wachovia Bank for improperly capping the alerts generated by its automated transaction monitoring system, that LaFontaine should have known of the Wachovia regulatory action based on his position and that he should have conducted further diligence to determine the applicability of that action to U.S. Bank’s conduct.[10]

As early as 2009, U.S. Bank’s AML staff and its AML Officer (“AMLO”) cautioned LaFontaine that the existing transaction monitoring alert threshold system was inadequate because of the policy of capping the number of alerts generated each month. U.S. Bank’s BSA/AML compliance staff informed LaFontaine that “below threshold” testing—reviewing samples of alerts occurring immediately below the risk threshold—revealed a failure to detect a substantial number of suspicious transactions.[11] Rather than lifting the cap on alerts, in 2012, U.S. Bank opted to cease performing “below threshold” tests, thus limiting U.S. Bank’s and the OCC’s ability to observe that there was a significant problem with the alert caps policy.[12] The policy of capping alerts remained in place until 2014.[13]

In mid-2012, U.S. Bank hired a new CCO and AMLO, both of whom quickly flagged that the system of capping alerts raised serious risks.[14] Nonetheless, LaFontaine did not take sufficient steps to address the program’s deficiencies when presented with these concerns. In 2013, U.S. Bank’s CEO requested a meeting so that the new CCO and AMLO could update the CEO on U.S. Bank’s AML program. In advance of that meeting, the CCO and AMLO prepared a PowerPoint presentation that highlighted the alert caps issue as one of U.S. Bank’s most significant AML problems. Despite reviewing the presentation in advance of the meeting, LaFontaine failed to raise the issue with the CEO.[15]

LaFontaine’s Failure to Allocate Sufficient BSA/AML Resources

In addition to his failure to ensure that deficiencies in U.S. Bank’s AML transaction monitoring system were corrected, FinCEN determined that LaFontaine repeatedly failed to respond to internal warnings that U.S. Bank’s BSA/AML compliance department was understaffed. In December 2009, U.S. Bank’s then-AMLO sent LaFontaine a memo observing that U.S. Bank projected a substantial rise in SAR volume, law enforcement enquiries and closure recommendations, but that these projections had not been met with a commensurate increase in staffing.[16] The AMLO cautioned that AML staff was “stretched dangerously thin.”[17] LaFontaine received another similar memo in 2010. Even though U.S. Bank had more than $340 billion in assets, it employed only approximately 30 AML investigators, which FinCEN determined was “woefully inadequate.”[18]

U.S. Bank did not begin to address its deficient AML program until May 2014, when the AMLO bypassed LaFontaine and voiced his concerns directly to U.S. Bank’s then-Chief Risk Officer. Shortly thereafter, questions from the OCC and reports from an internal complainant caused the Chief Risk Officer to retain outside counsel to investigate U.S. Bank’s practices.[19] Subsequent analysis of U.S. Bank’s transactions revealed that it had failed to timely file thousands of SARs.[20]

Implications

The penalty imposed on LaFontaine marks the third significant action against individuals by federal financial regulators in the past eight months, signaling a continued willingness to levy substantial penalties on individuals charged with overseeing bank compliance operations.

The LaFontaine action reinforces the importance of meeting regulatory expectations for those who oversee BSA/AML compliance programs, including attempting to ensure that (i) sufficient resources are devoted to BSA/AML compliance and (ii) transaction monitoring systems are appropriately calibrated to monitor potentially suspicious transactions based on risk, not volume. Further, compliance officers would be wise to expeditiously escalate significant concerns that are raised to them about the adequacy of existing BSA/AML programs, and to ensure that any significant issues are promptly corrected, as necessary and reasonable under the circumstances.