On April 20, 2020, Industrial Bank of Korea (the “Bank”) and its New York branch (the “New York Branch”) reached settlements with the U.S. Attorney’s Office for the Southern District of New York (“USAO”) and the New York State Department of Financial Services (“NYDFS”), agreeing to pay a combined $86 million to resolve investigations into the Bank’s anti-money laundering compliance program, which the USAO and NYDFS claimed led to the Bank processing over $1 billion worth of transactions in violation of U.S. sanctions against Iran. Specifically, the Bank entered into a deferred prosecution agreement (“DPA”) with the USAO, agreeing to pay $51 million to settle charges that it willfully failed to maintain an adequate anti-money laundering program at its New York Branch in violation of the Bank Secrecy Act (“BSA”). And both the Bank and the New York Branch entered into a consent order (“Consent Order” and, together with the DPA, the “settlement agreements”) with the NYDFS, agreeing to pay a $35 million fine for violating New York state law.

According to the settlement agreements, the Bank failed to establish, implement, and maintain an adequate AML program at the New York Branch from 2011 to 2019. Specifically, the USAO and NYDFS claimed that the Bank and the New York Branch failed to implement a properly functioning automated transaction review program; failed to properly staff, train, and provide resources to the New York Branch’s compliance program; and failed to institute required Know-Your-Customer policies and procedures—all despite admonitions from New York state regulators and warnings from the New York Branch’s employees. For example, the USAO and NYDFS highlighted the fact that until 2014, the New York Branch employed just one compliance officer who had to manually review financial transactions for suspicious activities and made multiple requests for resources, including additional staff and an automated transaction screening tool, that were ignored by bank management. Understaffed and working without automated screening tools, the New York Branch fell behind on transaction reviews required under the BSA and failed to notice deviant patterns.

As a result of the New York Branch’s allegedly deficient compliance program, a Bank client was reportedly able to conduct nearly $1 billion worth of transactions that violated U.S. sanctions against Iran in a six-month period in 2011. The New York Branch’s compliance officer detected approximately $10 million of the improper transactions that had been processed through the New York Branch, and the New York Branch reported them to U.S. authorities, but the remaining $990 million went undetected.

The USAO and NYDFS appeared to stress that the New York Branch was on notice of its deficient AML program not only from internal warnings but also from regulator admonitions before the improper transactions went undetected. After conducting an examination of the New York Branch in 2010, New York state banking regulators had alerted the New York Branch to its deficient transaction monitoring system, identifying its program as requiring immediate attention, and directing the New York Branch to dedicate the resources required to timely detect and report suspicious activities. And in 2016, the Bank entered into a Written Agreement with NYDFS and the Federal Reserve Bank of New York to address the continuing deficiencies of its compliance program. But according to NYDFS, the Bank did not come into compliance with the terms of the Written Agreement until its most recent examination in 2019.

Despite the Bank having finally achieved a compliant AML program, the USAO and NYDFS apparently determined that further enforcement action was necessary. The NYDFS stated it concluded that it was “necessary at this time to confirm the Bank’s continued commitment to build towards full implementation of an effective and sustainable BSA/AML compliance program.” And the DPA, with federal authorities, also cited the Bank’s continued failures to implement an effective AML compliance program, while acknowledging the Bank’s remediation progress.

The case highlights not only the key considerations financial institutions should keep in mind when designing a compliance program, including proper staffing, a risk-based approach, and adequate screening tools to detect and flag suspicious transactions, but also the critical need to address any regulator concerns once they are raised.