Developments in Bank Secrecy Act and Anti-Money Laundering Enforcement and Litigation

Money laundering is a term that is used to refer to financial transactions in which individuals and criminal enterprises attempt to disguise the proceeds and sources of funds obtained through illicit activities by funneling them through banks or other legitimate financial institutions.1 To address concerns that some of the same techniques used to perpetuate criminal activity were also being used to promote terrorism and evasion of government sanctions, The Patriot Act was enacted in 2002. Since then, federal regulators have imposed more than $5.4 billion in civil money penalties, fines, and forfeitures (“monetary penalties”)2 against financial institutions in connection with alleged violations of Bank Secrecy Act (“BSA”)3 and Anti-Money Laundering (“AML”)4 regulations.5 This article traces key recent developments in the US regulatory landscape that have led to the expansion in the scope and size of BSA and AML actions and analyzes recent data released by the Financial Crimes Enforcement Network (“FinCEN”), the federal regulator directly responsible for enforcing BSA/AML compliance. FinCEN regulations require that financial institutions file Suspicious Activity Reports (“SARs”) when their BSA/AML compliance and monitoring programs identify suspicious activity and determine it warrants reporting under BSA/AML regulations and statutes. From 2002 through 2015, increases in regulatory investigations and enforcement actions have accompanied a roughly six-fold increase in the filing of SARs.6 The growth in SAR filings is only partly explained by expansion in the types of financial entities subject to the SAR and AML reporting requirements; SAR filings by banks also grew sharply even though they have been subject to the reporting requirements since 1996. Given regulators’ enhanced scrutiny over BSA/AML compliance, the data suggest that the number of regulatory enforcement actions and private lawsuits will continue to grow, along with the size of fines and penalties. Financial institutions’ expenditures on AML and regulatory compliance have grown apace, and such compliance costs are also expected to continue to grow as enforcement actions propel firms to raise compliance standards to meet stricter regulatory expectations. By Dr. Sharon Brown-Hruska June 2016 Developments in Bank Secrecy Act and Anti-Money Laundering Enforcement and Litigation www.nera.com 2 Recent Developments in BSA/AML Enforcement Action Objectives and Emphases A More Aggressive BSA/AML Enforcement Regime Develops Since the financial crisis of 2007-2008, regulators have emphasized the importance of strict AML law enforcement and have become more aggressive in pursuing enforcement actions against alleged wrongdoers. Reflecting its more deliberate focus on enforcement, FinCEN added a stand-alone Enforcement Division in June 2013.7 In November 2013, FinCEN Director Jennifer Shasky Calvery underscored the agency’s focus on strengthening enforcement practices in a speech before the ABA Money Laundering Enforcement Conference: “…strong enforcement efforts may be needed. Not only do such actions correct the bad behavior of those on the receiving end, they also ensure that financial institutions that have been diligent in their efforts do not lose business to competitors seeking to cut corners with respect to AML.”8 Acceptance of Responsibility and Acknowledgement of the Facts by Financial Institutions In response to criticism that financial regulators were too lenient in settlement agreements with perpetrators of financial crime, FinCEN has stressed individual and corporate responsibility with respect to BSA/AML compliance. FinCEN’s change in approach has paralleled a broader shift in the regulatory approach toward enforcement actions. Historically, financial institutions that were the subject of FinCEN or other regulators’ enforcement actions could typically consent to a penalty without admitting or denying the alleged facts. Beginning in 2011, this practice was challenged by several US District Court judges.9 By 2012, some regulators began to press firms to admit to allegations as part of settlements resolving enforcement actions. For instance, in the mid-December 2012 press release announcing HSBC’s record monetary penalty for BSA/AML compliance failures, the Department of Justice (“DOJ”) stated: “HSBC has waived federal indictment, agreed to the filing of the information, and has accepted responsibility for its criminal conduct and that of its employees.”10 FinCEN Director Shasky Calvery indicated in 2013 that her agency was deliberately changing its practices in order to force more targets of enforcement actions to take responsibility for alleged violations: “As Director, I feel it is imperative that not only should those who violate the BSA be held accountable, but those who violate the BSA must take responsibility… In our most recent actions, the financial institutions have not been permitted to [‘]neither admit nor deny[’] the facts. Acceptance of responsibility and acknowledgment of the facts is a critical component of corporate responsibility.”11 www.nera.com 3 FinCEN has not been alone in forcing financial institutions found non-compliant with BSA/AML regulations to accept responsibility for their shortcomings; the DOJ has done so as well. Thus, in January 2014, when his office announced a deferred prosecution agreement with JPMorgan Chase for BSA/AML compliance failures related to the Bernard Madoff Ponzi scheme and imposed another record-breaking monetary penalty, US Attorney for the Southern District of New York Preet Bharara commented: “With today’s resolution, the bank has accepted responsibility and agreed to continue reforming its anti-money laundering practices.”12 Such admissions of corporate responsibility in future settlements could bolster evidence of liability for third-party plaintiffs in related legal actions. Individual Accountability for Corporate Wrongdoing Self-regulatory organizations and federal regulators have also stepped up enforcement actions against the executives and directors of financial institutions, making it clear that AML compliance failures can result in personal liability. In February 2014, the securities industry self-regulatory organization FINRA fined Brown Brothers Harriman & Co.’s former Global AML Compliance Officer Harold Crawford $25,000 and suspended him for one month for AML compliance program failures.13 This relatively small personal penalty was soon followed by much more aggressive action by federal regulators. In December 2014, FinCEN filed a complaint via the US Attorney for the Southern District of New York against Thomas Haider, the former Chief Compliance Officer for MoneyGram, for “willful failure” to ensure compliance with BSA/AML statutes and regulations.14 The enforcement action aimed to secure a $1 million personal penalty and enjoin the defendant from participating in the management of any financial institution for “a term of years—to be determined at trial.”15 In January 2016, a federal judge upheld FinCEN’s authority by denying Haider’s motion to dismiss, finding that the BSA statutes “demonstrate[d] Congress’ intent to subject individuals to liability in connection with a violation of any provision of the BSA or its regulations, excluding the specifically excepted provisions.”16 While FinCEN and other regulators had occasionally pursued personal liability claims against customer-facing financial institution employees for compliance violations,17 the Haider case is the first FinCEN enforcement action against a nationwide financial institution executive for “willful failure” to ensure compliance with BSA/AML statutes and regulations.18 The January 2016 ruling raised the specter of personal liability for chief compliance officers and designated BSA/AML compliance officers going forward. In September 2015, the Department of Justice made FinCEN’s personal accountability enforcement action approach federal government policy by issuing the so-called “Yates Memo.” Circulated to all federal prosecutors under the subject “Individual Accountability for Corporate Wrongdoing,”19 this widely-reported document articulates DOJ’s position that “one of the most effective ways to combat corporate misconduct is by seeking accountability from the individuals who perpetrated the wrongdoing.”20 Declaring that “civil enforcement efforts are designed […] to hold the wrongdoers accountable and to deter future wrongdoing,” the Yates Memo leaves little doubt about the government’s intention to focus on “individual misconduct.”21 www.nera.com 4 Taken together, these initiatives suggest an expanded scope for individual prosecution regarding corporate AML compliance, with important implications. If individual directors, officers, and executives of financial institutions admit to regulator allegations in future settlements, as it appears financial institutions and corporations already are, such settlements’ Statements of Facts could become central exhibits in related third-party plaintiffs’ legal actions, including in director and officer liability cases and class action lawsuits. Trends in the Nature of Recent Cases From 2002 through 2015, at least 156 enforcement actions resulting in a court order were brought against financial institutions and their employees, directors and officers for BSA/AML violations. Figure 1 presents the breakdown of targeted institutions by type. The vast majority (119 actions, or 76%) are banks, even though Title III of the Patriot Act also classifies at least four other types of entities as “financial institutions” for BSA/AML purposes. Figure 1: Types of Institutions Targeted by Enforcement Actions January 2002 to December 2015 0.6% 5.1% 3.8% 14.1% 76.3% Casinos and Card Clubs Precious Metals/Jewelry Firms Securities and Futures Industry Firms Money Services Businesses Banks and Depository Institutions Notes and Sources: NERA analysis of data from FinCEN enforcement actions and BankersOnline.com BSA/AML penalties list. The six largest monetary penalties in connection with BSA/AML violations were assessed in the last six years of this 14-year period (i.e., 2010 through 2015). Four of these required the financial institution to admit the accuracy of government claims and accept responsibility for the actions of its officers, agents, and employees who violated BSA/AML regulations. www.nera.com 5 The Six Largest BSA/AML Settlements Institutional Defendant Main Allegations Monetary Penalties JPMorgan Chase Bank, N.A. (“JPMC”)22,23 January 2014 JPMC admitted and accepted responsibility for violations of the BSA during the period between 1996 and 2008, including failure to file SARs and failure to maintain an effective AML program, in connection with its relationship with Bernard Madoff and his Ponzi scheme. $2.05 billion: • $1.7 billion asset forfeiture to victims of Madoff’s Ponzi scheme to satisfy FinCEN and the US Attorney for the Southern District of New York. • $350 million civil money penalty assessed by the Office of the Comptroller of the Currency (“OCC”). HSBC Holdings plc24,25,26 December 2012 HSBC accepted and acknowledged responsibility for violating the BSA from 2006 through 2010 by failing to adequately enhance and implement an effective AML compliance program, failing to maintain due diligence information on HSBC Group Affiliates, and ignoring money laundering risks associated with doing business with high-risk foreign customers, resulting in at least $881 million in drug trafficking proceeds being laundered through HSBC Bank USA. $1.9 billion: • $1.256 billion asset forfeiture to US Department of Justice. • $665 million civil money penalty assessed by the OCC, the Federal Reserve, and the US Treasury Department. ABN AMRO Bank N.V.27 May 2010 ABN AMRO accepted and acknowledged responsibility for violating the BSA by knowingly and willingly engaging in transactions with entities associated with state sponsors of terrorism and Cuba and willfully failing to establish an adequate AML program after already being assessed an $80 million civil money penalty for BSA/AML violations in 2005.28 $500 million: • $500 million asset forfeiture to US Department of Justice. Wachovia Bank, N.A.29 March 2010 Wachovia consented to pay a civil money penalty without admitting or denying allegations that it violated the BSA by failing to properly report $8 billion dollars in suspicious transactions via SARs and to timely file over 11 thousand Currency Transaction Reports (“CTRs”).30 $160 million: • $110 million asset forfeiture to US Department of Justice, also satisfying civil money penalty assessed by FinCEN. • $50 million civil money penalty assessed by the OCC. Banamex USA31 July 2015 Banamex USA consented to a civil money penalty without admitting or denying allegations that it failed to retain a qualified and knowledgeable BSA officer and sufficient staff, maintain adequate internal controls, provide sufficient BSA training, or conduct effective independent testing and auditing of its controls. $140 million: • $100 million civil money penalty assessed by the FDIC. • $40 million civil money penalty assessed by Commissioner of the California Department of Business Oversight. MoneyGram International Inc.32 November 2012 MoneyGram admitted to violating the BSA by criminally aiding and abetting wire fraud and by failing to conduct AML audits, to conduct due diligence on MoneyGram agents, and to file SARs on/terminate agents MoneyGram knew to be involved in scams. $100 million: • $100 million asset forfeiture to victims of fraud schemes through the US Department of Justice Victim Asset Recovery Program. www.nera.com 6 Historical Trends Enforcement Trends Since the Financial Crisis BSA/AML enforcement patterns changed dramatically during the Financial Crisis (2007-2009) and again thereafter.33 This can be seen in Figures 2 through 4, which depict BSA/AML enforcement activity from 2002 through 2015. Figure 2 charts annual enforcement actions34 and their composition by penalty status. Actions with a monetary penalty are shown in blue and those without are shown in green. From 2002 through 2006, total actions climbed from two per year to 11. The count exploded in 2007 and 2008 to 32 and 28 respectively, and then fell back to an annual average of ten from 2009 through 2015. Monetary penalties were assessed in connection with each enforcement action from 2002 through 2006. From 2007 through 2009, a period when regulators may have been worried about financial institution stability and capitalization, most enforcement actions entailed a cease and desist order with no monetary component. From 2010 onward, monetary penalties were again the norm. Figure 2: Number of BSA/AML Enforcement Actions with and without Monetary Penalties, 2002 through 2015 Enforcement Actions without Monetary Penalties Enforcement Actions with Monetary Penalties 0 5 10 15 20 25 30 35 Number of Enforcement Actions 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 Notes and Sources: Data from FinCEN enforcement actions and BankersOnline.com BSA/AML penalties list. Enforcement actions are dated according to the date of the court order (e.g., cease and desist order, consent agreement, assessment of civil money penalty) in the matter. Figure 3, limited to banks, shows the size of monetary penalties. Each enforcement action is represented by its own circle whose area indicates the penalty amount, height indicates the entity’s assets, horizontal location indicates date, and color indicates the entity’s primary “prudential” regulator. A three-stage pattern emerges: low-to-midsize penalties against mostly smaller institutions before 2007; numerous zero-penalty enforcement actions from 2007 through mid-2009, also targeted primarily at smaller institutions; and a number of large enforcement actions against large institutions from late 2009 through the present. These trends www.nera.com 7 appear to be fairly consistent regardless of which supervisory agency was a bank’s primary federal regulator: the Federal Deposit Insurance Corporation (“FDIC”), the Federal Reserve Board (“FRB”), the OCC, the Office of Thrift Supervision (“OTS”), or the National Credit Union Administration (“NCUA”). That may be because many enforcement actions involve agencies other than a bank’s primary regulator, such as FinCEN, other prudential regulators, and the Department of Justice, which may lead all regulators to use similar benchmarks in targeting high-risk institutions and assessing penalties. Figure 3: BSA/AML Enforcement Actions against Banks, 2002 through 2015 0 -100,000 100,000 200,000 300,000 400,000 500,000 600,000 700,000 9/27/2004 6/21/2007 3/20/2010 12/14/2012 9/10/2015 Asset Size ($ in millions) 1/1/2002 JPMorgan Chase Bank, N.A.1 $2.5 Trillion (A) $2.1 Billion (P) HSBC Bank USA, N.A. Citibank, N.A.1 $1.3 Trillion (A) ABN AMRO Bank NV Banamex USA TD Bank, N.A. Wachovia Bank FDIC FRB OCC OTS NCUA Notes and Sources: Bubble size indicates penalty size. Bubble colors indicate primary federal regulators. The non-shaded bubbles represent institutions that received cease and desist orders or written agreements with the regulatory agencies; no financial penalty was assessed in these cases. From NERA analysis of data from FinCEN enforcement actions and BankersOnline.com BSA/AML penalties list. Asset data come from FFIEC Call Reports for the quarter-end prior to the enforcement action dates. Where bank`s assets are not available, parent company`s assets are used. Moneygram is excluded, as it is a moneyservices business (MSB). 1. JPMorgan Chase, N.A. and Citibank, N.A. exceed the scale of the chart. (A) refers to total assets, (P) refers to penalty. As can be seen in Exhibit 3, the FDIC is the prudential regulator associated with the most BSA/ AML enforcement actions we identified, 59. However, 46 of those imposed no monetary penalty. The OCC is the prudential regulator associated with enforcement actions carrying the largest BSA/AML penalties: approximately $4 billion total through 2015 for actions in which the OCC took part. Most of that total is from just two enforcement actions, both also involving other federal regulators such as FinCEN.35 BSA/AML enforcement action penalties have been rising not just in dollars, as seen in Figure 3, but as a percent of capital. As Figure 4 demonstrates, before 2007, no penalty exceeded 9% of the defendant institution’s total capital and less than one-quarter exceeded 5%. Since October 2009, nearly one-third of penalties have exceeded 10% of capital and more than 1-in-7 has been greater than 35%.36 The growing incidence of penalties that comprise a substantial portion of capital has not been limited to banks with a particular primary federal regulator, but rather has occurred across the regulatory spectrum. www.nera.com 8 Figure 4: BSA/AML Penalties against Banks as Percent of Equity Capital, 2002 through 2015 0% 10% 5% 15% 20% 25% 30% 35% 40% 70% 75% Jan 2002 Jan 2003 Jan 2004 Jan 2005 Jan 2006 Jan 2007 Jan 2008 Jan 2009 Jan 2010 Jan 2011 Jan 2012 Jan 2013 Jan 2014 Jan 2015 Jan 2016 Penalty as Percentage of Total Equity Capital Bank of Mingo1 , ~73% Banamex USA1 , ~66% First Bank of Delaware Pacific National Bank Family Bank and Trust Co. Pamrapo Savings Bank HSBC Bank USA Ocean Bank Beach Bank Liberty Bank of New York JPMorgan Chase Bank FDIC FRB OCC OTS Notes and Sources: NERA analysis of data from FinCEN enforcement actions, BankersOnline.com BSA/AML penalties list, and FFIEC Call and TFR reports. Institutions with zero or near-zero monetary penalty are not included. 1. Data points above the y-axis break. What the data do not indicate is why, as the Financial Crisis receded, BSA/AML penalties rose so sharply, both absolutely and as a percentage of equity capital. More egregious behavior by certain financial actors is of course one possibility. But another is that regulators may have been less concerned by late 2009 that relatively large penalties might pose destabilizing risks of their own, given the improved market conditions. In addition to the potential deterrence value, these penalties also demonstrate to the public the importance of punishing failures by financial institutions to self-police financial crime in their midst. Suspicious Activity Reporting by Financial Institutions Since 1996, suspicious activity reporting using a standardized SAR form has been a central tenet of BSA/AML regulations.37 Financial institutions are required to report a transaction using a SAR if it involves at least $5,000 and the financial institution has reason to suspect that: (1) the transaction involves funds derived from illegal activities or is intended or conducted in order to hide or disguise funds or assets derived from illegal activities; (2) the transaction is designed to evade any federal requirements; or (3) the transaction has no apparent business or lawful purpose.38 Detailed reports describing the activity must be filed with FinCEN no later than 30 calendar days after the date of initial detection. A 30-day extension is given to identify a suspect if he or she is unknown.39 In addition, an immediate telephone notification of law enforcement is required in addition to filing a SAR if the violation is ongoing and warrants immediate attention, “such as, for example, ongoing money laundering schemes.”40 www.nera.com 9 There are two ways to quantify suspicious activity reporting—the number of SAR forms filed with FinCEN, and the number of suspicious activities reported. Each SAR form can list several distinct suspicious activities regarding the same person or persons, and financial institutions historically have been free to decide whether to report multiple distinct instances of suspicious activities on a single SAR or to report each suspicious instance on a separate SAR.41 As a result of this discretionary approach, neither measure is necessarily more precise than the other in quantifying financial institution compliance with suspicious activity reporting requirements under BSA/AML regulations. The number of SARs filed with FinCEN has grown nearly thirty-fold since 1996, when the SAR was introduced, and nearly five-fold since 2002, when the Patriot Act’s Title III expansion of BSA/AML requirements to certain non-banks took effect. Since 2003, banks have originated only half of SAR filings, money services businesses (“MSBs”) have reported nearly as many SARs as banks, and casinos and the securities and futures industries have reported a small but growing proportion of SARs. Figure 5 charts SAR filings by year and institution type. Note that intertemporal comparisons of SAR reporting should take into account several changes to that reporting in 2012 and 2013. On 29 March 2012, FinCEN introduced the new standardized SAR Form 111, while continuing to accept legacy SAR forms until 31 March 2013; the legacy and new Form 111 statistics are reported separately by FinCEN because certain fields on the legacy forms do not analogize discretely onto particular fields in new Form 111. In addition, on 1 July 2012, FinCEN mandated that all SARs be filed electronically. FinCEN expected that “the adoption of the new unified SAR form and the implementation of e-Filing [would] enable the financial industry to report suspicious activity more swiftly and with more specificity.”42 While the publicly available data does not allow analysis of changes in the swiftness of SAR reporting, expectations of increased specificity are borne out by the substantial increase in SARs filed in 2014, the first full year with both e-filing and mandatory use of the new Form 111. The increase in SAR filings reflects a combination of increased regulatory requirements, a broader range of institutions subject to BSA/AML regulations, and stronger compliance programs at financial institutions. The role of stricter compliance programs per se can be seen in the tripling, from 2002 through 2014, of SAR filings by banks, which were required to file not just in that period but previously.43 www.nera.com 10 It is worth noting that increases in SAR filings by financial institutions are not always welcomed by regulators. FinCEN has previously expressed concern about low-quality “defensive” SAR filings. In these cases, banks file brief SARs on wide-ranging categories of potentially suspicious activities in order to avoid potential liability for failing to report wrongdoing, without reporting sufficient context to allow regulatory or law enforcement personnel to use the SAR effectively in an investigation. FinCEN has responded to concerns about defensive filing by reviewing, on a sample basis, the quality of SARs to ensure that they “articulate […] the basic who, what, when, where, why, and how questions,” and by discussing concerns with smaller banks who may feel that “smaller banks can either file SARs defensively or run the risk of regulatory enforcement actions over cases that fall in the ‘grey area’ of whether to file.”44 FinCEN generally welcomes “a more cautious approach to the subjective question of what is suspicious,” provided that the SARs being filed are of a high enough quality that they are useful to regulators and law enforcement.45 Figure 6 shows that the growth in bank SAR filings overwhelmingly involves transactions that break customers’ established statistical patterns or have unclear sources of funds (see the “BSA/Structuring/Money Laundering” data series in Figure 6). Detection of such suspicious transactions relies largely upon the coordination of banks’ internal statistical monitoring programs and the judgment of compliance personnel. The recent substantial rise in reporting suggests increased bank attention to identifying deviations from expected transaction sizes and frequencies for particular customer types, likely in response to FinCEN guidance46 and the new, more specific SAR Form 111. Banks Money Services Businesses March 29, 2012 – FinCEN begins to accept new SAR Form 111. July 1, 2012 – FinCEN mandates electronic filing of SAR forms. April 1, 2013 – FinCEN ceases accepting legacy SAR forms; only Form 111 valid thereafter. Casinos and Card Clubs Securities and Futures Industry Firms Other 0 200,000 400,000 600,000 800,000 1,000,000 1,200,000 1,400,000 1,600,000 1,800,000 2,000,000 Number of SARs Filed 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 Notes and Sources: Data from FinCEN`s “SAR Activity Review – By the Numbers,” October 2003 and May 2013, Issues 1 and 18; and “SAR Stats,” October 2015. Money Services Businesses did not have to file SARs until 2002, and the Securities and Futures Industries did not have to file SARs until 2003. Other institution types were separately reported in 2013 and 2014, such as Loan or Finance Companies, Insurance Companies, and Housing GSEs. Figure 5: Annual SAR Filings by Institution Type, 1996 through 2014 www.nera.com 11 Figure 6: Characterizations of Suspicious Activities Reported in Bank SARs, 1996 through 2014 As indicated by Figure 7 below, SARs filings trended up substantially and fairly steadily for both banks and non-banks over the review period. Enforcement actions have not followed this pattern. Annual enforcement actions against banks rose but remained relatively low before 2007, shot up in 2007, remained very high in 2008, and fell back thereafter. Annual enforcement actions against non-banks did not follow a clear trend. This suggests that different factors are driving suspicious activity reporting, enforcement actions against banks, and enforcement actions against non-banks. As noted above, the decline in total enforcement actions after 2008 or early 2009 was accompanied by a shift from zero-penalty cease and desist orders toward actions with substantial monetary penalties. It is possible that enforcement actions assessing sizable monetary penalties require more resources to complete, which may result in a tradeoff between quantity of enforcement actions and magnitude of enforcement actions, assuming regulatory BSA/AML enforcement resources are roughly constant. Suggestive patterns also emerge in more granular data—for instance, in the wake of large enforcement actions against banks, monthly SAR filings by banks often temporarily spike.47 March 29, 2012 – FinCEN begins to accept new SAR Form 111. July 1, 2012 – FinCEN mandates electronic filing of SAR forms. April 1, 2013 – FinCEN ceases accepting legacy SAR forms; only Form 111 valid thereafter. Identity Theft Mortgage Loan Fraud Credit Card Fraud Check Fraud Consumer Loan Fraud BSA/Structuring/Money Laundering All Other 0 500,000 1,000,000 1,500,000 2,000,000 2,500,000 3,000,000 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 Number of SARs Filed by Characterization of Suspicious Activity Notes and Sources: Note that each SAR can indicate more than one suspicious activity type. 1996–2012 data from “legacy” SAR forms; 2013–2014 data from new Form 111. Data from FinCEN`s “SAR Activity Review – By the Numbers,” October 2003 and May 2013, Issues 1 and 18; and “SAR Stats,” October 2015. “All Other” category includes false statement, counterfeit check, wire transfer fraud, check kiting, debit card fraud, counterfeit debit/credit card, defalcation, mysterious disappearance, misuse of position, commercial loan fraud, computer intrusion, counterfeit instrument, terrorist financing, unknown, bribery, and others. www.nera.com 12 Figure 7: SAR Filings versus Enforcement Actions by Institution Type, 2000 through 2014 Bank SAR Filings Non-Bank SAR Filings Bank Enforcement Actions Non-Bank Enforcement Actions 0 0 5 10 15 20 25 30 35 100,000 200,000 300,000 400,000 500,000 600,000 700,000 800,000 900,000 1,000,000 SAR Filings Enforcement Actions 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 Notes and Sources: SAR data from FinCEN`s “SAR Activity Review – By the Numbers,” October 2003 and May 2013, Issues 1 and 18; and “SAR Stats,” October 2015. Enforcement action and monetary penalty data from NERA analysis of FinCEN enforcement actions and BankersOnline.com BSA/AML penalties list. Before 2002, only banks needed to file SARs in large numbers. Conclusion In recent years, there have been notable increases in the number of BSA/AML enforcement actions and the size of penalties. Nearly 90% of BSA/AML enforcement actions from 2012 through 2015 included monetary penalties, compared to less than half from 2002 through 2011.48 Penalties have grown substantially in both absolute terms and as a proportion of firm capital.49 Nearly $4.4 billion, more than 80% of the total monetary penalties imposed since 2002, have been levied since 2012.50 Recent enforcement trends suggest that financial institutions will continue to face more intense regulatory scrutiny for broader categories of BSA/AML violations. Our analysis indicates that FinCEN and other financial institution regulatory bodies recently have pursued larger penalties against alleged BSA/AML violators, even when such penalties equal a substantial fraction of a firm’s total capital, and regulators have not announced plans to change tack. Moreover, the addition of FinCEN’s stand-alone Enforcement Division in June 2013 is expected to increase FinCEN’s capacity to pursue larger numbers of regulatory investigations each year. www.nera.com 13 Since dissemination of the Yates Memo, regulators have indicated their intent to force both financial institutions and their directors, officers, and executives to admit wrongdoing in future settlements; if they succeed in doing so, it may provide third-party plaintiffs with acknowledgments relevant to their own lawsuits. Thus, regulators are pursuing enforcement regimes increasingly aimed at deterring misconduct by holding individual financial institution directors, officers, and employees accountable for BSA/AML compliance. Financial institutions have responded to enforcement actions and evolving guidance regarding suspicious activity reporting by substantially increasing both the number of SAR filings and number of suspicious activities reported across time. Regulators have ramped up enforcement efforts in recent years concomitant with the rise in SAR filings. As a result, financial institutions should be prepared for enforcement actions targeting a broader scope of violations going forward. About The Author: Sharon Brown-Hruska, PhD Dr. Brown-Hruska is a Vice President in NERA’s Global Securities and Finance and White Collar, Investigations, and Enforcement Practices. She is a leading expert in regulatory compliance, corporate governance, and risk management. Dr. Brown-Hruska has provided expert opinions on AML-related issues in connection with alleged Ponzi schemes, fraudulent transfers, and damages in commercial litigation and bankruptcy matters. Prior to joining NERA, she served as Commissioner (2002-2006) and Acting Chairman (2004-2005) of the US Commodity Futures Trading Commission (CFTC), leading the nation’s primary derivatives regulator during the period when the CFTC adopted many of its BSA/AML regulations pursuant to the PATRIOT Act. She has extensive expertise in anti-money laundering regulation, supervision, and compliance, and has presented on the economics of fraud and manipulative schemes for workshops hosted by the CFTC Division of Enforcement, the CFTC Office of International Affairs, the European Commission, the Securities and Exchange Commission, and other financial, legal, and government organizations, and attended by international enforcement attorneys, market practitioners, and regulators. 1 US Department of the Treasury Resource Center, “Money Laundering,” available at http://www.treasury.gov/resource-center/terrorist-illicitfinance/Pages/Money-Laundering.aspx, accessed February 17, 2015. 2 NERA analysis of reported enforcement actions from FinCEN and the Bankers Online BSA/AML Penalties List. See http://www.fincen.gov/ news_room/ea/. See also http://www.bankersonline.com/security/ bsapenaltylist.html. 3 The Bank Secrecy Act is the name given to the Currency and Foreign Transactions Reporting Act of 1970 and successive amendments to the framework thereof. The BSA requires US financial institutions to assist US government agencies to detect and prevent money laundering. See Financial Crimes Enforcement Network, “FinCEN’s Mandate from Congress: Bank Secrecy Act,” available at http://www.fincen.gov/statutes_regs/bsa/index.html, accessed January 4, 2016. 4 Anti-Money Laundering compliance refers to financial institution practices designed to identify, report, and ultimately prevent money laundering, defined as “the process of making illegally-gained proceeds (i.e. ‘dirty money’) appear legal (i.e. ‘clean’).” Several statutes are considered AML laws; all are connected to the BSA legislative framework that was created by the 1970 law. See Financial Crimes Enforcement Network, “History of Anti-Money Laundering Laws,” available at http://www.fincen.gov/news_room/aml_history.html, accessed January 4, 2016. 5 Government Printing Office, “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001,” 115 Stat. 272, Public Law 107-56, October 26, 2001, available at http://www.gpo.gov/fdsys/pkg/PLAW-107publ56/ pdf/PLAW-107publ56.pdf, accessed January 4, 2016. 6 1,726,971 SARs were filed in 2014, and 916,709 were filed in the first half of 2015, for an annualized 2015 rate of 1,833,418 SARs, compared to 306,101 SARs filed in 2002. From NERA analysis of FinCEN’s SAR Stats and SAR Activity Review – By the Numbers reports. See Financial Crimes Enforcement Network, SAR Stats, Issue 2 (October 2015) and SAR Activity Review – By the Numbers, Issue 1 (October 2003), available at http://www.fincen.gov/news_room/rp/ sar_by_number.html, accessed January 18, 2016. 7 FinCEN, “FinCEN Reorganization Announced,” June 24, 2013, available at http://www.fincen.gov/news_room/nr/pdf/20130624.pdf, accessed February 3, 2016. 8 Director Jennifer Shasky Calvery, “Money Laundering Enforcement Conference Speech,” FinCEN, November 19, 2013, available at http://www.fincen.gov/news_room/speech/pdf/20131119_ABA_ABA. pdf, accessed February 4, 2016 (emphasis added). 9 Judge Rakoff refused to approve a proposed consent agreement between the SEC and Citigroup because Citigroup was not required to either admit or deny the allegations against it. US—Securities and Exchange Commission v. Citigroup Global Markets Inc., 827 F. Supp. 2d 328 (S.D.N.Y. 2011). Judge Rakoff’s order was vacated by the Second Circuit Court of Appeals, USSEC v. Citigroup Global Markets, Inc., 752 F.3d 285 (2d Cir. 2014). 10 Department of Justice, “HSBC Holdings Plc. and HSBC Bank USA N.A. Admit to Anti-Money Laundering and Sanctions Violations, Forfeit $1.256 Billion in Deferred Prosecution Agreement,” December 11, 2012, available at http://www.justice.gov/opa/pr/2012/ December/12-crm-1478.html, accessed March 4, 2016 (emphasis added). 11 Director Jennifer Shasky Calvery, “Money Laundering Enforcement Conference Speech,” FinCEN, November 19, 2013, available at http:// www.fincen.gov/news_room/speech/pdf/20131119_ABA_ABA.pdf, accessed February 4, 2016 (emphasis added). 12 Preet Bharara, “Manhattan US Attorney And FBI Assistant DirectorIn-Charge Announce Filing Of Criminal Charges Against And Deferred Prosecution Agreement With JPMorgan Chase Bank, N.A., In Connection With Bernard L. Madoff’s Multi-Billion Dollar Ponzi Scheme,” US Attorney for the Southern District of New York, January 7, 2014, available at http://www.justice.gov/usao/nys/pressreleases/ January14/JPMCDPAPR.php, accessed March 4, 2016 (emphasis added). 13 FINRA, “FINRA Fines Brown Brothers Harriman a Record $8 Million for Substantial Anti-Money Laundering Compliance Failures: Highest Fine Levied by FINRA for AML-Related Violations; AML Compliance Officer Also Fined and Suspended,” February 5, 2014, available at https:// www.finra.org/newsroom/2014/finra-fines-brown-brothers-harrimanrecord-8-million-substantial-anti-money-laundering, accessed January 23, 2016. 14 United States District Court Southern District of New York, “The United States Department of the Treasury v. Thomas E. Haider, Complaint,” December 18, 2014, available at https://www.fincen.gov/news_room/ ea/files/USAO_SDNY_Complaint.pdf, accessed February 3, 2016. 15 United States District Court Southern District of New York, “The United States Department of the Treasury v. Thomas E. Haider, Complaint,” December 18, 2014, available at https://www.fincen.gov/news_room/ ea/files/USAO_SDNY_Complaint.pdf, accessed February 3, 2016. 16 The January 2016 order did not rule on the merits of Haider. That case continues to be litigated. “The United States Department of the Treasury v. Thomas E. Haider, Order on Motion to Dismiss,” January 8, 2016, available at http://www.buckleysandler.com/uploads/1082/ doc/Treasury_v_Haider_Motion_to_Dismiss_January_8.pdf, accessed February 3, 2016. 17 For example, FinCEN imposed a civil money penalty against the VIP Services Manager at a casino in the Northern Mariana Islands for willfully causing the casino to fail to file CTRs and SARs. In the Matter of: George Que, Northern Mariana Islands, Assessment of Civil Money Penalty, August 20, 2014, available at https://www.fincen.gov/news_room/ea/files/GeorgeQue_ Assessment_20140820.pdf. 18 “The United States Department of the Treasury v. Thomas E. Haider, Order on Motion to Dismiss,” January 8, 2016, available at http:// www.buckleysandler.com/uploads/1082/doc/Treasury_v_Haider_ Motion_to_Dismiss_January_8.pdf, accessed February 3, 2016. 19 US Department of Justice, “Individual Accountability for Corporate Wrongdoing,” September 9, 2015, available at http://www.justice.gov/ dag/file/769036/download, accessed January 16, 2016. 20 US Department of Justice, “Individual Accountability for Corporate Wrongdoing,” September 9, 2015, available at http://www.justice.gov/ dag/file/769036/download, accessed January 16, 2016. 21 US Department of Justice, “Individual Accountability for Corporate Wrongdoing,” September 9, 2015, available at http://www.justice.gov/ dag/file/769036/download, accessed January 16, 2016. 22 FinCEN, “JPMorgan Admits Violation of the Bank Secrecy Act for Failed Madoff Oversight; Fined $461 Million by FinCEN,” January 7, 2014, available at http://www.fincen.gov/news_room/nr/html/20140107. html, accessed January 21, 2016. 23 US Department of Justice, “JPMC DPA Packet (Fully executed w Exhibits),” January 6, 2014, available at http://www.justice.gov/usao/ nys/pressreleases/January14/JPMCDPASupportingDocs/JPMC%20 DPA%20Packet%20%28Fully%20Executed%20w%20Exhibits%29.pdf, accessed January 21, 2016. Notes 24 US Department of the Treasury, “Treasury Department Reaches Landmark Settlement with HSBC,” December 11, 2012, available at http://www.treasury.gov/press-center/press-releases/Pages/tg1799. aspx, accessed January 21, 2016. 25 US Department of Justice, “HSBC Deferred Prosecution Agreement,” December 11, 2012, available at http://www.justice.gov/opa/hsbc-pcdocs.html, accessed January 21, 2016. 26 US Department of Justice, “HSBC Deferred Prosecution Agreement Attachment A: Statement of Facts,” December 11, 2012, available at http://www.justice.gov/opa/documents/hsbc/dpa-attachment-a.pdf, accessed January 21, 2016. 27 Gibson Dunn, “ABN AMRO Deferred Prosecution Agreement,” May 10, 2010, available at http://www.gibsondunn.com/publications/ Documents/ABNAmroDPA.pdf, accessed January 21, 2016. 28 Federal Reserve Board, “Joint Press Release,” December 19, 2005, available at http://www.federalreserve.gov/BoardDocs/Press/ enforcement/2005/20051219/default.htm, accessed January 21, 2016. 29 FinCEN, “Assessment of Civil Money Penalty in the Matter of Wachovia Bank, N.A.,” March 12, 2010, available at http://www.fincen.gov/ news_room/ea/files/100316095447.pdf, accessed January 21, 2016. 30 A bank must file currency transaction reports for each currency transaction of more than $10,000 by, through, or to the bank. Multiple currency transactions totalling more than $10,000 during any one business day are treated as a single transaction if the bank has knowledge that they are by or on behalf of the same person. See https://www.ffiec.gov/bsa_aml_infobase/pages_manual/OLM_017.htm 31 Federal Deposit Insurance Corporation, “In the Matter of Banamex USA,” July 22, 2015, available at https://www.fdic.gov/news/news/ press/2015/pr15061.pdf, accessed January 18, 2016. 32 Department of Justice, “MoneyGram International Inc. Admits AntiMoney Laundering and Wire Fraud Violations, Forfeits $100 Million in Deferred Prosecution,” November 9, 2012, available at http:// www.justice.gov/opa/pr/2012/November/12-crm-1336.html, accessed January 21, 2016. 33 See NERA analysis of FinCEN Enforcement actions, available at http:// www.fincen.gov/news_room/ea/; See also BankersOnline.com BSA/ AML Penalties List, available at http://www.bankersonline.com/security/ bsapenaltylist.html, both accessed January 27, 2016. 34 By enforcement action, we refer to enforcement activity resulting in a court order or settlement. For consistency, throughout this paper, enforcement actions are dated according to the court order or settlement (e.g., cease and desist order, consent agreement, assessment of civil money penalty) in the matter. 35 For example, the HSBC enforcement action also involved the Federal Reserve, a separate prudential regulator. 36 Not shown in Figure 4 is Saddle River Valley Bank, which ceased operations in 2012. The $8.3 million in civil money penalties and forfeiture that regulators imposed on this entity in 2013 represented about 750% of total capital. 37 Government Printing Office, “Final Rule,” 61 FR 4326, February 5, 1996, available at http://www.gpo.gov/fdsys/pkg/FR-1996-02-05/ pdf/96-2272.pdf, accessed March 12, 2014. 38 31 CFR (2013) 1020.320(a)(2), available at http://www.gpo.gov/fdsys/ pkg/CFR-2013-title31-vol3/pdf/CFR-2013-title31-vol3.pdf, accessed March 4, 2014. 39 31 CFR (2013) 1020.320(b)(3). 40 Ibid. The telephone notification requirement requires that financial institutions report such violations immediately upon discovery. See FinCEN, “Banco Popular Deferred Prosecution Agreement,” January 16, 2013, available at http://www.fincen.gov/news_room/ea/files/ bancopopular.pdf, accessed March 6, 2014. 41 There are valid reasons for financial institutions to prefer both more detailed filings covering all relevant suspicious activities by a person and prompt filing of brief reports after each suspicious activity observed. While reporting all of the instances of a suspicious activity on one form might make each form individually more useful to regulators or law enforcement, it entails a delay on the part of financial institutions in filing a SAR while they carefully collect all relevant information. The alternative would be to file brief SARs upon observing a suspicious activity, and then file additional SARs as the compliance staff at the financial institution identifies more potentially suspicious activities or additional context relevant to regulators or law enforcement. The latter option may involve a large number of much shorter filings, but will likely get the first report to FinCEN faster than the alternative. 42 Financial Crimes Enforcement Network, “SAR Stats Technical Bulletin July 2014,” July 2014, p. 1, available at https://www.fincen.gov/news_ room/rp/files/SAR01/SAR_Stats_proof_2.pdf. 43 NERA analysis of FinCEN’s SAR Activity Review – By the Numbers and SAR Stats reports. See Financial Crimes Enforcement Network, SAR Activity Review – By the Numbers, Issue 18 and Issue 1, May 2013 and October 2003, and SAR Stats, Issue 2, October 2015, available at http://www.fincen.gov/news_room/rp/sar_by_number.html, accessed January 3, 2016. 44 Financial Crimes Enforcement Network, “Report on Outreach to Depository Institutions with Assets under $5 Billion,” February 2011, pp. 29-30, 64, available at https://www.fincen.gov/news_room/rp/ reports/pdf/Banks_Under_$5B_Report.pdf. 45 Financial Crimes Enforcement Network, “Report on Outreach to Depository Institutions with Assets under $5 Billion,” February 2011, p. 30, available at https://www.fincen.gov/news_room/rp/reports/pdf/ Banks_Under_$5B_Report.pdf. 46 See Financial Crimes Enforcement Network, “Guidance,” available at https://www.fincen.gov/statutes_regs/guidance/. 47 For instance, the Wachovia settlement in March 2010 coincided with a 24% monthly increase in SAR filings by banks, and the HSBC settlement in December 2012 coincided with a 53% monthly increase in SAR filings by banks. 48 NERA analysis of reported enforcement actions from FinCEN and the Bankers Online BSA/AML Penalties List. See http://www.fincen.gov/ news_room/ea/. See also http://www.bankersonline.com/security/ bsapenaltylist.html. 49 Ibid. Firm capital and asset size data are only regularly provided for banks, so analysis of monetary penalties as a proportion of firm capital or assets is only conducted for enforcement actions against banks. 50 Ibid. About NERA NERA Economic Consulting (www.nera.com) is a global firm of experts dedicated to applying economic, finance, and quantitative principles to complex business and legal challenges. For over half a century, NERA’s economists have been creating strategies, studies, reports, expert testimony, and policy recommendations for government authorities and the world’s leading law firms and corporations. We bring academic rigor, objectivity, and real world industry experience to bear on issues arising from competition, regulation, public policy, strategy, finance, and litigation. NERA’s clients value our ability to apply and communicate state-of-the-art approaches clearly and convincingly, our commitment to deliver unbiased findings, and our reputation for quality and independence. Our clients rely on the integrity and skills of our unparalleled team of economists and other experts backed by the resources and reliability of one of the world’s largest economic consultancies. With its main office in New York City, NERA serves clients from more than 25 offices across North America, Europe, and Asia Pacific. Contact For further information and questions, please contact the author: Dr. Sharon Brown-Hruska Vice President +1 202 466 9222 [email protected] The opinions expressed herein do not necessarily represent the views of NERA Economic Consulting or any other NERA consultant. Please do not cite without explicit permission from the author.