On February 15, 2018, the U.S. Department of Justice (“DOJ”),[1] the Financial Crimes Enforcement Network (“FinCEN”),[2] the Office of the Comptroller of the Currency (“OCC”),[3] and the Federal Reserve[4] announced $613 million in penalties against U.S. Bancorp and its subsidiary, U.S. Bank N.A. (the “Bank”), for willful violations of the Bank Secrecy Act (“BSA”). Among other deficiencies cited by the government, the Bank (i) failed to devote sufficient resources to its BSA/AML compliance program; (ii) artificially capped the number of alerts generated by its transaction monitoring system based on staffing levels and resources, and made efforts to avoid disclosing this practice to the OCC, its primary regulator; (iii) failed to conduct any transaction monitoring of non-customer Western Union transactions at its branches; (iv) failed to file suspicious activity reports (“SARs”) as a result of deficient customer due diligence, transaction monitoring and investigation procedures; and (v) failed to timely report suspicious banking activities of a significant customer who used the Bank to launder more than $2 billion of proceeds from an illegal payday lending scheme.

The DPA and Accompanying Statement of Facts

According to the Statement of Facts, to which U.S. Bancorp stipulated as part of its deferred prosecution agreement (“DPA”),[5] the Bank willfully failed to establish, implement and maintain an adequate BSA/AML compliance program from at least 2009 through 2014.[6] According to the U.S. Attorney for the Southern District of New York, Geoffrey S. Berman, the Bank operated its BSA/AML compliance program “on the cheap” and “concealed its wrongful approach from the OCC” resulting in a failure to identify and report on “large numbers” of suspicious transactions.

Capping of Alerts in Transaction Monitoring System and Deficient AML Resources

Chief among the concerns raised by prosecutors was the Bank’s practice of capping suspicious activity alerts. Since April 2004, the Bank had configured its AML transaction monitoring system, SearchSpace, so that it would generate a fixed number of “security blanket” alerts per month rather than setting a risk-based threshold that would have generated alerts naturally occurring for set levels of risk.[7] The effect of these caps was to prevent suspicious activity from being alerted and investigated.[8] In addition, when the Bank conducted “below threshold” testing (designed to test the adequacy of its alert settings) the Bank concluded it was failing to detect a large number of potentially suspicious transactions.[9] However, rather than lower the thresholds to include this activity, the Bank stopped the testing because the Bank lacked resources to investigate additional alerts.[10] Indeed, for most of the relevant period, the Bank employed just 25-30 employees to investigate AML transaction monitoring alerts, despite the AML Officer’s (“AMLO’s”) concern in 2009 and 2010 that staff were “stretched dangerously thin.”[11] Moreover, the Bank knowingly underpaid its investigators and filled key AML positions with individuals with no prior AML experience.[12]

According to the Statement of Facts, the Bank’s then Chief Compliance Officer (“CCO”) took steps to avoid disclosing the Bank’s alert capping practices to the OCC by, among other things, removing references to the alert caps from presentation materials prepared for the Bank’s CEO, which ultimately would be shared with the OCC.[13] Others at the Bank also consistently did not volunteer relevant information to the OCC.[14] In 2013, the Bank’s AMLO told a senior manager that the Bank’s BSA/AML compliance program “was an effort to use ‘smoke and mirrors’ to ‘pull the wool over the eyes’ of the OCC.”[15]

Failure to Monitor Western Union Transactions

Starting in May 2009, U.S. Bank began offering both customers and non-customers the ability to conduct Western Union transactions at its branches.[16] The Bank recognized that this service was one of the highest risk products the Bank offered,[17] but never performed an initial risk assessment of Western Union, and failed to conduct transaction monitoring of any non-customer Western Union transactions.[18]

Failure to File SARs

In 2014, the Bank retained outside counsel to conduct an internal review of the Bank’s transaction monitoring practices and monitoring of Western Union transactions due to concerns raised by the newly-appointed Chief Risk Officer.[19] The OCC was informed of the results of the review, and in October 2015, the Bank entered into a consent order with the OCC largely related to this conduct.[20] Pursuant to the consent order, the Bank performed a look-back analysis, which resulted in the generation of an additional 24,179 alerts and the filing of 2,121 SARs involving over $719 million in transactions.[21] Since 2015, the Bank has spent more than $200 million to enhance its BSA/AML compliance program, including implementing a new transaction monitoring program and strategy, and increasing its AML and related compliance staff by 156% to 540 fulltime employees, including 228 individuals whose responsibilities include investigating suspicious activity alerts.[22]

Failure to Monitor and Report Activities of Scott Tucker

On October 13, 2017, Scott Tucker and his attorney, Timothy Muir, were convicted in the United District Court for the Southern District of New York of racketeering, wire fraud and money laundering for their roles in perpetrating a massive payday lending scheme.[23] According to the Statement of Facts, the Bank willfully failed to timely report suspicious banking activities of Tucker, its longtime customer, despite being on notice of facts giving rise to suspicion that Tucker had used and was using the Bank to launder more than $2 billion of proceeds from an illegal payday lending scheme.[24] The Bank made little effort to conduct meaningful due diligence on Tucker or his payday lending business.[25] This included failing to investigate Tucker or to file SARs when the Bank received subpoenas relating to Tucker and his business from regulators, or after learning that regulators had taken or were contemplating taking enforcement actions against Tucker businesses.[26]

The Penalties

The DOJ’s $528 million penalty will be collected through U.S. Bancorp’s payment of a $453 million civil forfeiture to the DOJ, with the remaining $75 million satisfied by the payment of a civil money penalty assessed by the OCC. FinCEN has also assessed a $185 million civil money penalty against the Bank. The DOJ has indicated that it plans to recommend that amounts forfeited by U.S. Bancorp be distributed to victims of Tucker’s scheme. Lastly, the Federal Reserve has imposed a $15 million penalty. Consistent with prior practices resolving parallel investigations by multiple regulators, part of the Bank’s penalties were credited against the largest penalty. Here, the DOJ agreed to credit the $75 million paid to the OCC against the $528 million forfeiture amount, and $115 million of FinCEN’s $185 million penalty was deemed satisfied by the DOJ forfeiture.[27]

Implications of the Resolution

This resolution marks the second major BSA/AML resolution this month (the other being the Rabobank N.A. guilty plea and $369 million penalty, announced on February 7, 2018). In contrast, the DOJ announced only two significant BSA/AML resolutions in all of 2017 (the Western Union DPA in January 2017 and the Banamex USA non-prosecution agreement in May 2017).[28]

Significantly, like the Rabobank resolution, this resolution involved deliberate conduct by a financial institution to prevent its primary regulator, the OCC, from obtaining full information about the Bank’s BSA/AML compliance program. Although the conduct cited in this resolution did not approach that of Rabobank, which pled guilty to a charge of obstructing the OCC’s supervision, both banks were cited for attempting to conceal BSA/AML compliance program deficiencies from the OCC.[29] While financial institutions should ensure that they timely report pertinent information about their BSA/AML programs to their regulators, these resolutions serve as a reminder that it is also critically important that employees do not take actions which could be viewed as attempting to withhold or conceal relevant information from regulators.

Also, as we have discussed previously in connection with the Rabobank resolution, this resolution reinforces the expectation that financial institutions will appropriately invest resources to ensure a robust BSA/AML compliance function. Not only are regulated entities expected to employ sufficient numbers of qualified personnel, they also are expected to routinely upgrade, test, and invest in transaction monitoring and other AML-related systems to ensure they are up-to-date and appropriately monitoring AML risk.

Finally, this resolution highlights the focus of prosecutors and regulators on appropriate due diligence and transaction monitoring of money services business (“MSB”) activity. Recent enforcement actions involving MSBs, including Western Union,[30] demonstrate that regulators are focused on ensuring that MSBs appropriately observe BSA/AML requirements related to due diligence, transaction monitoring, and suspicious activity reporting. This scrutiny extends to financial institutions that conduct business with MSBs, like the Bank. In 2017, both Merchants Bank[31] and Banamex USA resolved enforcement actions that in part alleged insufficient monitoring and detection of suspicious activity for transactions involving MSBs. Financial institutions with MSBs as customers or partners should adopt appropriate AML processes and procedures to address the AML risks associated with these companies.

Associates Jacobus J. Schutte and Anand Sithian contributed to this Client Memorandum.