The recent $450,000 fine of U.S. Bank’s former Chief Operational Risk Officer reminds financial institution executives and Bank Secrecy Act (BSA) professionals of the personal liability they face in implementing and maintaining effective anti-money laundering (AML) programs.
Ensuring AML/CFT programs minimize personal liability
- The recent case where a former top risk officer was fined reminds financial institution executives and BSA professionals of the personal liability tied to implementing and maintaining effective AML programs.
- The former Chief Operational Risk Officer was fined for insufficient action on AML program deficiencies and staffing issues.
- Adequately staffed and risk-focused AML resources with good documentation are critical.
Former exec fined for insufficient action on AML/CFT deficiencies
Many priorities compete for budgetary dollars at banks and credit unions. In the middle of a recession, there can be additional pressure to tighten expenses on cost centers like AML programs. That makes it especially important to heed a few takeaways from the situation involving former U.S. Bank CRO Michael LaFontaine. LaFontaine consented to the civil fine as part of an agreement with the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) admitting to his role in violations of the BSA by U.S. Bank. Specifically, according to the consent agreement filed March 4, regulators held LaFontaine responsible for his role in:
- The bank’s AML policies, procedures, and controls that caused it to fail to investigate and report suspicious and potentially illegal activity, including maintaining inappropriate caps on the number of alerts its automated transaction monitoring system generated for review for at least five years,
- The bank’s employing “a woefully inadequate number of AML investigators,” and
- The bank’s failing to file thousands of Suspicious Activity Reports (SARs) in a timely manner.
“Mr. LaFontaine failed to take sufficient action when presented with significant AML program deficiencies in the Bank’s SAR-monitoring system and the number of staff to fulfill the AML compliance role by his AMLO [AML Officer],” the document said. The bank’s Chief Compliance Officer also raised concerns, and in May 2014, the AML Officer ultimately bypassed LaFontaine and sent an email to the then-Chief Risk Officer regarding the cap on alerts, according to the enforcement action.
“The Bank did not begin to address its deficient policies and procedures for monitoring transactions and generating alerts until June 2014, when questions from the OCC and reports from an internal complainant caused the Bank’s Chief Risk Officer to retain outside counsel to investigate the Bank’s practices,” it said.
Adequate, risk-focused AML resources are critical
Abrigo Compliance & Engagement Director Terri Luttrell, CAMS-Audit, says that fines against individual BSA professionals are rare.
“It’s everybody’s worst nightmare, and the personal liability is one of the reasons it’s hard to find strong BSA professionals,” she notes. The U.S. Bank case illustrates several important ways to minimize personal liability within a BSA program.
Get adequate resources. “The regulators don’t care what your budget is,” Luttrell says. “You must find a way to get the resources, and I think that message is coming around loud and clear these days.”
Certainly, meeting the staffing requirements of a strong BSA program can be costly. But inadequate staffing appears in regulatory consent orders more often than many people would expect, and regulators are not sympathetic to violations that result from understaffing in compliance. Consider outsourcing AML/CFT work as one option to remain compliant and meet short-term needs for alert or case monitoring, whether to address seasonal issues, such as tax season, or employee issues, such as a leave of absence. Or, if the financial institution is facing extended challenges with BSA/AML staffing, consider outsourcing the basic AML/CFT tasks of filing SARs and managing alerts so that staff can focus on case escalation and implementing AML policies and procedures.
Focus BSA/AML resources on risk. Especially considering the limited resources that all banks and credit unions have, another way to ensure personal liability is minimized is to focus resources on the financial institution’s risks, especially when using BSA/AML software, Luttrell says. “That means that if the financial institution uses an automated transaction monitoring system, staff should regularly ensure it is ‘tuned’ correctly – not to limit your alerts, but to make sure the parameters are set right for the risk for your institution,” says Luttrell. If staff don’t know how to adjust the parameters themselves, take advantage of suspicious activity system optimization offered by the solutions provider, she adds.
“FinCEN encourages technological innovations to help fight money laundering, but technology must be used properly,” the regulator said in a news release announcing the fine against LaFontaine.
Ensure good documentation. Make sure that the financial institution’s BSA/AML software documents every step of the SAR process so that a strong trail of documentation exists – not only for regulators but also to minimize the personal liability of staff. A good SAR tracking system will also monitor how long a SAR has been in the system and will generate reminders to keep BSA staff from filing untimely SARs.
Documentation is always an important part of the job for BSA staff, and most personnel minimize personal liability simply by doing their job. In the U.S. Bank case, lower-level employees documented their concerns with the bank’s policies and procedures, and Luttrell says that was an especially smart move from a liability protection standpoint. “If you don’t have compliance from the top down, document it, and look for another job,” she says.
FinCEN in coordination with the Office of the Comptroller of the Currency (OCC) in February 2018 issued a $185 million civil penalty against U.S. Bank for, among other things, willfully violating the BSA’s requirements to implement and maintain an effective AML program and to file SARs in a timely manner. U.S. Bank’s parent, U.S. Bancorp, agreed to forfeit $528 million as part of a deferred prosecution agreement with the U.S. Attorney’s Office for the Southern District of New York.
When the OCC terminated a consent order related to the AML program in December 2018, U.S. Bancorp said it had made “significant investments since 2014 to improve and strengthen its AML and BSA controls, including a new AML and BSA leadership team as well as improved and enhanced processes and systems.”