Introduction

On Aug. 6, 2007, the Department of Justice ("DOJ"), the Financial Crimes Enforcement Network (“FinCEN”), a bureau of the U.S. Department of Treasury, and the Board of Governors of the Federal Reserve System ("Federal Reserve") simultaneously entered into separate agreements with American Express Bank International ("AEBI " or the "Bank"), an Edge Act corporation organized under section 25A of the Federal Reserve Act, resolving allegations that AEBI failed to maintain an effective antimoney laundering ("AML") program.1 Miami-based AEBI offers traditional private banking services to a target customer base of high net-worth individuals and businesses in South America.

AEBI entered into a Deferred Prosecution Agreement with the DOJ,2 which filed a one-count information in the U.S. District Court for the Southern District of Florida, charging the Bank with failure to maintain an effective AML program from April 2002 to April 2004, in violation of the Bank Secrecy Act ("BSA") and the regulations implemented thereunder.3 AEBI acknowledged its responsibility for its employees' behavior in a factual statement filed with the Deferred Prosecution Agreement.4 In light of AEBI's willingness to accept responsibility for its actions and its remedial actions to date, the DOJ indicated that it would recommend dismissal of the charge in 12 months so long as AEBI fully implements the remedial actions required under the agreement. AEBI also agreed to pay $55 million to settle criminal and civil forfeiture claims asserted by the government relating to certain accounts through which funds were laundered.5

AEBI also agreed to pay a $25 million civil penalty to FinCEN, $15 million of which will be satisfied by the forfeiture sum of $55 million paid to the government, and a $20 million civil penalty assessed by the Federal Reserve Board, which will also be deemed satisfied by the forfeiture sum.6 Of the $25 million penalty assessed by FinCEN, $5 million was assessed against American Express Travel Related Services Company, Inc. ("Amex Travel"), a money services business located in Salt Lake City, Utah, for its violations of the BSA.7 In sum, AEBI paid $65 million in resolution of its AML violations, the secondhighest combined penalty assessed against a financial institution under the BSA.8 The Federal Reserve Board also issued a cease-and-desist order requiring AEBI to take certain corrective measures.9

The DOJ alleged in the Deferred Prosecution Agreement that from December 199910 to April 2004, AEBI willfully violated the BSA in that the Bank allowed millions of dollars of financial transactions involving the proceeds from the sale of illegal narcotics to be conducted by others through AEBI bank accounts.11 Ultimately, the investigation determined that the primary cause of AEBI's failure to identify, prevent and report the activity in issue was, at least through April 2004, the fact that AEBI's AML program contained serious systemic deficiencies in critical areas required by the BSA.12 The settlement followed an investigation in which it was determined that AEBI had failed to do the following: exercise sufficient control over accounts held in the names of offshore bearer share corporations; conduct a risk assessment of its operations until 2002; develop and maintain an account monitoring program designed to monitor suspicious activities; adequately monitor the source of funds sent to customer accounts; independently verify information on clients provided by private bank relationship managers; and maintain an audit program reasonably designed to ensure compliance with BSA/AML laws and regulations.13

Background

In 1994, AEBI entered into a civil settlement agreement with the DOJ following a 1993 Federal Reserve cease-and-desist order and civil penalty14 The settlement also grew out of a related indictment and conviction of two AEBI employees who failed to follow "Know Your Customer" ("KYC") procedures with respect to drug cartel leader Juan Garcia Abrego 15 As a result of the settlement, the DOJ dismissed its civil money laundering complaint and did not file criminal charges. In turn, AEBI also agreed to withdraw its claim to a $30 million client account that had served as collateral for $19 million in loans, forfeited $7 million, paid a $7 million civil penalty and agreed to spend at least $3 million on AML compliance.16

From 2003 to 2005, AEBI underwent multiple regulatory examinations, with increasingly adverse findings. Regulators found that review parameters for customer account activity were not risk-focused and that review parameters for transaction activity in a number of customer accounts were set too high to capture potential suspicious activity. They further found that certain accounts were exempted from transaction monitoring reviews without any written justification, that measures to fully identify account relationships involving offshore personal investment companies ("PICs") and bearer share accounts were not effectively implemented, and that periodic reviews of high-risk accounts were ineffective in detecting and reporting suspicious activity.17 They also found that the periodic reviews were conducted on an individual account level and did not aggregate customer activity through multiple accounts, thus preventing the Bank from obtaining a comprehensive picture of potential money laundering activity.18

Allegations Underlying 2007 Enforcement Actions

The DOJ alleged, among other things, that AEBI, which operates in a High Intensity Drug Trafficking Area, failed to monitor its provision of private banking services to high net-worth individuals living in South America, allowing many of these customers to process transactions through the Black Market Peso Exchange ("BMPE"), often through accounts held in the names of bearer share corporations incorporated in offshore jurisdictions, such as the British Virgin Islands ("BVI").19

For example, investigators found numerous private banking accounts, possibly involving flight capital, that were controlled by apparently legitimate South American businesses, but held in the names of offshore shell corporations, many controlled through bearer shares. 20 These accounts engaged in parallel currency exchange market transactions originating from South America that are typically used to avoid excise taxes, among other reasons.21 According to the Factual Statement, these parallel currency exchange markets represent a high risk of money laundering for U.S. financial institutions, yet AEBI processed the transactions without the means to monitor them for BSA purposes. AEBI is alleged to have maintained these accounts, despite its knowledge of the risks and minimal ability to monitor or control the transactions in these accounts.22

According to the DOJ, some of the accounts had dozens, sometimes hundreds, of sources of incoming funds, typically wire transfers from persons and entities completely unrelated to an accountholder.23 The financial transactions were often inconsistent with an accountholder's business as reported to the Bank, and funds transfers were often transacted in ways suggestive of drug proceeds.24 Drug Enforcement agents working undercover as Colombian money brokers and drug traffickers were able to transfer hundreds of thousands of dollars of drug proceeds into AEBI accounts.25 The DOJ also identified client accounts that it claimed were used to launder $55 million through the use of the BMPE.26

The DOJ alleged that, prior to May 2002, AEBI did not conduct a risk assessment of its operations and products and therefore failed to identify areas of high-risk in need of enhanced monitoring. Moreover, because of deficiencies in the Bank's monitoring software, AEBI could only identify accounts that breached preset parameters rather than identify transaction patterns that might be suspicious. The system did not consider the country of origin or destination of funds flowing in and out of the accounts and its reports provided scant detail, including no information on the source of funds.27 The allegations also included AEBI's failure to have sufficient KYC mechanisms in place to determine the actual owners of these accounts. The Bank failed to follow its written KYC policies and procedures, which required employees to compare the transactions of their clients to the nature of their businesses.28

Further, although AEBI had relationship managers who were supposed to conduct monthly activity reviews, law enforcement found many examples of red flags or suspicious activity that either were not detected or not questioned, particularly regarding questionable sources of funds from South American parallel currency exchange market activity, largely because AEBI's account monitoring system and its reports failed to identify the country of origin or the source of incoming funds.29 According to the DOJ, even where accounts breached the parameters set by the software program, the Bank failed to investigate the account activity because the relationship managers were not given reports containing sufficient information to effectively review the activity in the account.30

Further exacerbating the insufficient monitoring tools were the failures of AEBI's independent review system. While its compliance personnel were required to perform spot checks or independent reviews of accounts that had breached parameters, its compliance officer was permitted to exempt accounts from activity-monitoring based solely on his own judgment. Often he did so by justifying the activity as commercial in nature, even though these were held in offshore corporate names. Also, the independent reviews were not actually being conducted by compliance personnel as required, but rather, compliance personnel based their reviews on uncorroborated information provided by the relationship manager.31

As a result of these monitoring and reporting deficiencies, AEBI filed only three Suspicious Activity Reports ("SARs") from 1996 through 2004, described by the DOJ as a nominal number given the highrisk business that AEBI was conducting.32 The DOJ noted that AEBI personnel were aware of the BMPE through FinEN advisories and BSA/AML training materials, but considered the parallel currency exchange markets a fact of life in South America—rather than something to be prevented or reported— that financial institutions serving South American clients would have to accommodate in the ordinary course of business.33

Separately, FinCEN's review of Amex Travel revealed failures to file timely, accurate and complete SARs. In assessing its $5 million penalty, FinCEN determined that Amex Travel failed to file over 1,000 SARs between May 7, 2006 and May 7, 2007, totaling over $500 million in suspect transactions. Also, 1,639 SARs filed during that period were found to contain over 2,000 errors, including sections that were left blank, or that contained incorrect data, or references to other sections that did not contain the data.34

In addition to the allegations contained in the Deferred Prosecution Agreement with the DOJ, the Federal Reserve indicated in its Cease-and-Desist Order that in 2004 and 2005, AEBI had represented that it was implementing improved transaction and account monitoring, and improving controls involving offshore bearer share PICs.35 However, when the Federal Reserve conducted an examination in September 2006, it found that AEBI had significant breakdowns with respect to BSA compliance.

FinCEN 's review also identified similar deficiencies. Together, these included:

  •  Failure to adopt and implement comprehensive customer due diligence and enhanced due diligence; ineffective control measures for bearer share and other PICs and failure to adhere to AEBI's own written policies, including the periodic review of high-risk accounts;
  • Inadequate transaction monitoring system, including a system that was severely compromised by data integrity problems and other deficiencies, and a failure to establish adequate management controls regarding the resolution of identified potentially suspicious activity. 36 FinCEN also noted that at one time, these deficiencies created a backlog of hundreds of suspicious activity alerts awaiting review, in which one individual had authority to unilaterally clear the alerts without adequate oversight or controls.37 
  • Failure to perform satisfactory independent testing of its BSA/AML compliance program, including inadequate internal audit function review of AEBI's new automated transaction monitoring system.38 Additionally, FinCEN indicated that Internal Audit failed to assist management with tracking and following up on previously identified regulatory examination deficiencies, and that the auditors lacked sufficient training and knowledge to facilitate compliance with the BSA.39
  • Failure of management to provide adequate oversight and accountability of the BSA/AML compliance program after undertaking to do so.40 FinCEN also indicated that management failed to (i) designate enough personnel to ensure day-to day compliance with the BSA; (ii) adequately define and implement compliance roles with respect to validating customer records; (iii) reconcile data involving high-risk customers with customer profile documentation; (iv) escalate or share identified negative customer information among appropriate personnel at the Bank; and (v) ensure that compliance personnel were independently confirming the customer information provided by the account relationship managers, and were conducting reviews of the entire customer relationship, rather than in the context of a single account basis.41

Required Remedial Actions

In addition to the $65 million in civil penalties and forfeiture, pursuant to the Deferred Prosecution Agreement, AEBI has engaged, or is engaging, in additional intensive remedial measures, including:

  • hiring a consultant to conduct a comprehensive review of AEBI's BSA and AML programs; to conduct a "look-back" of high-risk accounts and transactions and file SARs, as appropriate; and to make recommendations for restructuring AEBI's BSA and AML programs, including the development of enhanced AML policies and procedures; 
  • implementing improved policies related to high-risk accounts;
  • enhancing its compliance department to over 12 full-time employees exclusively devoted to AML compliance; 
  • significantly enhancing its transaction monitoring process; and
  • conducting additional training on BMPE and other BSA/AML issues.

In addition, the Federal Reserve cease-and-desist order requires AEBI to undertake similar remedial measures