On Aug. 18, 2020, the Financial Crimes Enforcement Network (“FinCEN”) issued a statement describing its approach to enforcing the Bank Secrecy Act (“BSA”) and its implementing regulations (“FinCEN Statement”),[1] marking the first time that FinCEN, which administers the BSA, has issued such a statement. The FinCEN Statement is notable because it provides regulated financial institutions with a better understanding of how FinCEN exercises its enforcement authority and the key factors that FinCEN weighs when deciding how to resolve an enforcement action.

The FinCEN Statement follows an Aug. 13, 2020 joint statement by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration and the Office of the Comptroller of the Currency (collectively, the “Agencies”) setting forth the Agencies’ policy on the issuance of mandatory cease-and-desist orders to depository institutions to address noncompliance with Bank Secrecy Act/anti-money laundering (“BSA/AML”) compliance obligations (“Joint Statement”).[2] though the Joint Statement does not formally apply more broadly to other enforcement actions that the Agencies may take, such as the issuance of civil money penalties, it is nonetheless notable because it, too, provides depository institutions with additional guidance related to the issues the Agencies consider in resolving BSA/AML-related enforcement actions.[3]

FinCEN Statement

The FinCEN Statement provides valuable insight and guidance into FinCEN’s enforcement approach — it explains some background information on BSA compliance, generally; identifies the actions FinCEN may take to resolve actual or possible violations of the BSA or its implementing regulations; and details the factors that FinCEN considers when evaluating an appropriate disposition of an enforcement action.

The FinCEN Statement makes clear that FinCEN may take enforcement action, including imposing civil money penalties, against any “financial institution” as covered by the BSA and its implementing regulations, nonfinancial trades or businesses and any other persons that violate the BSA, including partners, directors, officers or employees of such financial institutions or businesses that participate in BSA violations. It states that “[r]egulated parties will be afforded an opportunity to respond to and contest factual findings or legal conclusions underlying any FinCEN enforcement action.” Importantly, the FinCEN Statement also confirms that FinCEN’s enforcement actions “seek to establish a violation of law based on applicable statutes and regulations,” and that FinCEN will not consider noncompliance with standards set forth solely “in a guidance document as itself a violation of law.”[4]

The FinCEN Statement identifies the following actions that FinCEN may take in resolving an enforcement action:

  • No Action. FinCEN may close a matter with no additional action. FinCEN may reopen the matter if FinCEN obtains new material information concerning the matter or becomes aware of additional or subsequent violations.
  • Warning Letter. FinCEN may issue a warning through a supervisory letter or similar communication.
  • Equitable Remedies. FinCEN may seek an injunction or equitable relief to enforce compliance when FinCEN believes an entity or individual has violated, is violating or will violate the BSA or any BSA regulation or order.
  • Settlements. As part of a settlement, FinCEN may require both remedial undertakings and civil money penalties.
  • Civil Money Penalties. FinCEN may assess a civil money penalty.
  • Criminal Referral. If circumstances warrant, FinCEN may refer a matter to appropriate law enforcement agencies for criminal investigation and/or criminal prosecution.

FinCEN will also consider whether to impose “compliance commitments” to ensure full compliance with BSA obligations.

Finally, the FinCEN Statement enumerates the following, non-exhaustive list of the factors that it considers when evaluating how to resolve an enforcement action:

  • Nature and seriousness of the violations, including the extent of possible harm to the public and the amounts involved.
  • Impact or harm of the violations on FinCEN’s mission to safeguard the financial system from illicit use, combat money laundering and promote national security.
  • Pervasiveness of wrongdoing within an entity, including management’s complicity in, condoning or enabling of, or knowledge of the conduct underlying the violations.
  • History of similar violations, or misconduct in general, including prior criminal, civil and regulatory enforcement actions.
  • Financial gain or other benefit resulting from, or attributable to, the violations.
  • Presence or absence of prompt, effective action to terminate the violations upon discovery, including self-initiated remedial measures.
  • Timely and voluntary disclosure of the violations to FinCEN.
  • Quality and extent of cooperation with FinCEN and other relevant agencies, including as to potential wrongdoing by its directors, officers, employees, agents and counterparties.
  • Systemic nature of violations. Considerations include, but are not limited to, the number and extent of violations, failure rates (g., the number of violations out of total number of transactions) and duration of violations.
  • Whether another agency took enforcement action for related activity. FinCEN will consider the amount of any fine, penalty, forfeiture and/or remedial action ordered.

The FinCEN Statement provides that FinCEN “strives for proportionality, consistency, and effectiveness” and “[t]he weight given to any factor” depends on “the relevant facts and circumstances of a case.”

Unlike enforcement guidelines issued by some other agencies, such as the Office of Foreign Assets Control (“OFAC”),[5] the FinCEN Statement does not ascribe any numerical significance to these various factors. Nevertheless, although none of the factors should come as a surprise, FinCEN’s delineation of the factors provides a useful framework for institutions and individuals under threat of an enforcement action to assess their potential exposure and engage in a dialogue with enforcement officials.

Joint Statement by Banking Agencies

The Joint Statement focuses on the issuance of mandatory cease-and-desist orders to address noncompliance with certain BSA/AML obligations. As the Joint Statement explains, the Agencies are required by statute to issue cease-and-desist orders when a depository institution either (1) fails to establish and maintain a compliance program designed to meet the requirements of the BSA (“BSA/AML Compliance Program”) or (2) fails to correct a problem with their BSA/AML Compliance Program that was previously reported to the institution by their regulator.[6]

Although the previously issued Agencies’ 2007 statement focused on cease-and-desist orders for failures related to the four pillars required to establish an effective BSA/AML Compliance Program — internal controls; independent testing; a BSA compliance officer; and training (each, a “Pillar”) — the Joint Statement now also addresses failures by a financial institution relating to the recent “fifth” Pillar regarding risk-based procedures for conducting ongoing customer due diligence.[7]

The Joint Statement provides that the Agencies evaluate the fifth Pillar and other BSA reporting and recordkeeping obligations as part of the “internal controls” component of the BSA/AML Compliance Program.

Failure to Establish and Maintain a BSA/AML Compliance Program

The instances where the Agencies will issue mandatory cease-and-desist orders for BSA/AML compliance program failures include when a depository institution:

  • Fails to have a written BSA/AML Compliance Program, including a customer identification program, that adequately covers the Pillars;
  • Fails to implement its BSA/AML Compliance Program to adequately address the Pillars;[8] or
  • Has defects in one or more Pillars of its BSA/AML Compliance Program that indicate that either the written program or its implementation is ineffective.[9]

In clarifying the first instance, the Agencies write that an institution may be subject to a cease-and-desist order if its internal controls, such as suspicious activity monitoring, fail with respect to a high-risk area or multiple lines of business that impact the BSA/AML Compliance Program. An institution may also be subject to a cease-and-desist order if it has deficiencies in required testing or another Pillar, coupled with evidence of highly suspicious activity, creating a potential for significant money laundering or other illicit transactions.

Next, the Agencies describe when an institution may fail to implement its BSA/AML Compliance Program. Such failures include, for example, when an institution rapidly expands its business relationships through its foreign affiliates or businesses without identifying its money laundering risks, without an appropriate system of internal controls to verify customers’ identities, without providing sufficient resources to the BSA/AML Compliance Program, with deficiencies in independent testing, and without adequate training for relevant personnel.

Third, the Agencies write that other types of deficiencies in a BSA/AML Compliance Program, or in implementing one or more of the Pillars, will result in an issuance of a cease-and-desist order when the deficiencies are so severe or significant as to render the BSA/AML Compliance Program ineffective as a whole.

Finally, the Agencies clarify that they will consider the application of the institution’s BSA/AML Compliance Program across its business lines and activities when making their evaluations. For example, if a deficiency only affects some of its business lines, then the deficiency may not be so severe or significant as to mean the institution does not have an effective overall BSA/AML Compliance Program.

Failure to Correct a Previously Reported Problem with a BSA/AML Compliance Program

Beyond the above, the Agencies may also issue cease-and-desist orders for a failure to correct a previously reported problem with a BSA/AML Compliance Program. To warrant a cease-and-desist order, the previously reported problem (1) must be substantially the same as that previously reported to the depository institution; (2) must have been communicated in a report of examination or other supervisory communication (e.g., supervisory letter) to the depository institution’s board of directors or senior management as a violation of law or regulation or matter that must be corrected (e.g., MRA/MRIA); and (3) will typically involve substantive deficiencies in any of the BSA/AML Compliance Program Pillars.

The Joint Statement clarifies that a cease-and-desist order will not be issued in situations where certain problems are not correctable before the next examination, or within planned timeframes due to unanticipated or other issues.

Other Enforcement Actions

The Joint Statement further addresses how the Agencies evaluate violations of individual Pillar requirements. The Agencies may pursue enforcement actions based on individual Pillar violations or unsafe or unsound practices that may impact individual Pillars. The structure of such an enforcement action will depend on the severity of the concern or deficiency, the capability and cooperation of the depository institution’s management and the Agency’s confidence that the depository institution’s management will take appropriate and timely corrective action.

Finally, the Joint Statement notes that the Agencies may take formal or informal enforcement actions to address violations of BSA/AML requirements that relate to problems other than the institution’s BSA/AML Compliance Program or Pillar requirements. These enforcement actions may investigate, among others, violations of customer due diligence, beneficial ownership, foreign correspondent banking, suspicious activity reporting and currency transaction reporting. Notably, violations of any of these requirements that are determined by an Agency to be isolated or technical will generally not result in an enforcement action.

Takeaways

The FinCEN Statement and the Joint Statement collectively provide financial institutions with valuable guidance concerning federal regulators’ authority to pursue enforcement actions for BSA/AML violations, as well as the factors that play into enforcement decision-making. They may also signal an increased focus on enforcement in the BSA/AML area.[10]