US and UK regulators continue to focus on enforcement actions against institutions and individuals for violations of anti-money laundering (AML) laws and regulations, and the trend is intensifying. A review of recent US and UK enforcement cases reveals common themes financial institutions might consider when establishing or assessing the effectiveness of AML programs. Specifically, regulators continue to direct their attention to internal controls, the identification and timely reporting of potential suspicious activity, and conduct that may give rise to the individual liability of employees.
Over the past 15 months, US regulators[1] have brought more than 40 enforcement cases and imposed penalties totaling more than $1 billion,[2] primarily against financial institutions such as banks, credit unions, broker-dealers, and money services businesses. Many cases involved missing or ineffective AML programs, which led to other deficiencies, such as failure to file Suspicious Activity Reports (SARs) and Currency Transaction Reports. Likewise, in recent years, UK regulators[3] have fined nine banks for AML breaches. The majority of the cases involve a bank breaching Principle 3 of the Financial Conduct Authority’s Principles for Businesses, i.e., failing to “take reasonable care to organize and control its affairs responsibly and effectively, with adequate risk management systems.”[4] The most recent penalty, issued on January 31, 2017, amounted to more than £160 million ($195 million) and was the largest fine ever imposed by that UK authority for AML breaches.
Internal Controls: The Key to Successful AML Programs
In the US, the rules of the Department of Treasury’s Financial Crimes Enforcement Network (FinCEN)[5] require financial institutions to establish systems, policies, and procedures to comply with the Bank Secrecy Act, including: (1) a system of internal controls to assure ongoing compliance; (2) independent testing of the program; (3) the designation of a qualified individual for coordinating and monitoring day-to-day compliance; (4) training of appropriate personnel; and (5) appropriate risk-based procedures for conducting ongoing customer due diligence.[6]
In the UK, financial institutions must look to the Money Laundering Regulations 2007 (MLR), which set minimum standards using a proportionate and risk-based approach to combatting money laundering risks. The Financial Conduct Authority also expects financial institutions to maintain effective systems and controls to counter the risk of systems being used to further financial crime[7] and to enable those systems to “identify, assess, monitor and manage money laundering risk.” The systems should be “comprehensive and proportionate to the nature, scale and complexity of its activities.”[8] The Financial Conduct Authority has published extensive guidance on this topic: its Financial Crime Guide contains examples of poor AML controls[9] and consolidated examples of good and poor practices under themes which include private banking, high-risk situations, and automatic monitoring.[10]
In recent years, US and UK regulators have charged financial institutions with failure to establish sufficient internal controls in the following areas:
• Policies and Procedures. Regulators charged financial institutions with failing to establish and implement adequate procedures and with failing to follow established procedures. Examples in the US include: a US financial institution failed to provide meaningful guidance for monitoring, detecting, and investigating potential suspicious activity in its procedures; another institution’s procedures, which called for a manual review of activity, were deemed unreasonable given the volume of relevant transactions; and another failed to conduct a documented risk assessment and review of its customers despite a requirement to do so in its written supervisory procedures. In one UK case, the Financial Conduct Authority emphasized a board of directors’ failure to act cohesively and effectively due to lack of experience and expertise in relation to regulatory and compliance matters that led to manifest differences in opinion about how to approach and comply with regulatory requirements.
• Failure to Tailor the AML Program. In multiple instances, US regulators found that financial institutions failed to tailor their AML supervisory systems to their business models. In December 2015, two financial institutions were cited for failing to establish an AML program tailored to cover their high volume of low-priced securities. In another instance, a financial institution failed to adequately tailor the parameters and thresholds of the alerts generated by the system to review transactions executed by its high net worth private banking clients. In a 2015 case, the UK’s Financial Conduct Authority highlighted a similar failure to tailor thresholds in an automatic transaction monitoring system to the type of activity expected on the accounts; there was no alternate manual monitoring, which meant a number of large transactions passed through the system unnoticed.
• Due Diligence Requirements. Financial institutions were also cited for failing to conduct adequate due diligence at account opening and on an ongoing basis. Examples include failing to conduct appropriate due diligence of a correspondent account established for a foreign financial institution and failing to take adequate steps to learn whether certain customers had “criminal histories and/or negative regulatory backgrounds.” In a recent US case, a money services business consented to a finding that it failed to conduct adequate due diligence on its agents, which resulted in a failure to identify the agents’ fraudulent transactions. Similarly, in a UK case decided in October 2016, remittance thresholds for obtaining source of funds information were set at inappropriate levels, and there was inadequate screening of customers to identify politically exposed persons.
• Adequate Risk Assessment of New Accounts. An important part of an AML program is assessing the risks of opening a new account. To illustrate, in February 2016, FinCEN cited a financial institution for failing to prepare adequate risk profiles on clients, finding that the risk profiles were incomplete, out of date, and lacked sufficient analysis and validation. FinCEN also found a violation where a financial institution failed to revise the customer’s risk profile after it detected a deviation from the customer’s anticipated activity as reflected on new account documentation. Similarly, in an October 2016 UK case, a financial institution failed to perform adequate due diligence by neglecting to provide its staff with guidance on what constitutes “sufficient” due diligence before opening a new account and by improperly documenting the purpose and intended nature of new business relationships or anticipated activity.
• Inadequate Resources for AML Program. In a number of cases, financial institutions failed to allocate adequate resources or tools for AML surveillance. This inevitably impacted the regulatory staff’s ability to review and investigate alerts as well as to conduct risk assessments and sufficient due diligence. Regulators also found violations where a financial institution collected data for business development purposes but failed to use the same data to monitor AML compliance.
Identification and Timely Reporting of Potential Violations
In both the US and the UK, financial institutions are subject to reporting obligations and must report any transaction they know, suspect, or have reason to suspect involves funds derived from illegal activities or is being conducted to disguise funds from illegal activities. In addition, a reporting requirement may be triggered if the suspected activity is designed to evade reporting or recordkeeping requirements; has no apparent business or lawful purpose; is outside of the activity expected from the account and the institution; or involves use of the financial institution to facilitate criminal activity.[11] Failure to file a Suspicious Activity Report (SAR) can lead to criminal liability in the UK for individuals. Financial institutions in the UK also must be cognizant of regulatory obligations under the Financial Conduct Authority’s Principle 11 (which requires open cooperation with regulators)[12] and Supervision Manual (SUP) 15 (which sets out procedures for notifications to the Authority).[13]
In many recent cases, financial institutions identified the suspicious activity but failed to timely file a SAR. One US financial institution investigated a Ponzi scheme for two years without filing a SAR and only did so after the scheme was reported in the media; another had a SAR committee that never met to review and discuss possible filings. In a recent UK case, a Money Laundering Reporting Officer (MLRO) noticed low levels of SAR reporting by staff, but the bank did not carry out a proper investigation of why this might be. Following regulatory intervention, more than 200 additional SARs had to be filed.
There also were cases in which financial institutions failed to detect and investigate red flags, meaning the reporting stage was never reached. A number of US cases involved transactions of microcap securities, which the regulators posited were red flags warranting further review. In one instance, a financial institution failed to detect and investigate the sale of more than 73 billion shares of microcap securities over an 18-month period to determine if the sale constituted an illegal unregistered distribution. In another instance, a financial institution failed to collect any identification information from a client who had been the subject of 15 prior SARs and five Currency Transaction Reports.
Individual Liability: A Growing Trend
The US and the UK regulators have brought recent actions against officers charged with AML compliance (for example, Anti-Money Laundering Compliance Officers, Money Laundering Reporting Officers, and Chief Compliance Officers), charging them with failure to establish and implement AML systems reasonably designed to achieve and monitor compliance with regulatory and legal requirements and with failure to establish and implement reasonable procedures to identify and investigate “red flags” indicating suspicious activity.
The Financial Industry Regulatory Authority (FINRA) took the lead in the US against individuals by initiating nine actions, with penalties ranging from $5,000 to $30,000, and suspensions from the industry of up to three months.[14] In all instances, FINRA charged the AML officer for, among other things, failing to implement an adequate AML program or to follow written supervisory procedures requiring the individual to conduct due diligence on clients.
Likewise, the US Securities and Exchange Commission (SEC) brought an action against a president of a broker-dealer that allowed 23 non-US citizens to conduct more than $23 million in securities transactions through the account of one of its affiliates without ever collecting, verifying, or maintaining any identification documents for those individuals. The SEC charged that the president knew of the existence of the affiliate account and the trading in the account but failed to take any action.
In October 2016, the UK’s Financial Conduct Authority imposed a penalty of almost £18,000 ($21,900) on a bank’s AML officer, stating that many of the failings in the bank’s AML function fell within that officer’s area of responsibility. In 2015 and 2016, the Financial Conduct Authority also used its powers to seek restraint orders and investigate potential confiscation of the proceeds of crime against 62 individuals.
US- and UK-regulated financial institutions, as well as their senior management and AML officers, can expect to come under increased scrutiny. FinCEN continues its aggressive enforcement, already bringing two actions for AML violations in 2017, with one of them resulting in a penalty of $184 million. Likewise, FINRA and the Financial Conduct Authority both announced that anti-money laundering is one of their current regulatory priorities, highlighting once again that enforcement in this area will be a regulatory focus in the upcoming year.