Anti-Money Laundering Expectations in 2017
Recent agency guidance, rulemakings, and enforcement actions—all issued prior to the change in administrations—demonstrate the financial regulatory agencies' commitment to enforcing the Bank Secrecy Act and its implementing regulations (BSA), and, in particular, their willingness to hold lead compliance professionals personally accountable. Add to that the new administration's rhetoric of fighting terrorism and bolstering national security, and financial institutions should expect an upsurge of anti-money laundering (AML) supervision and enforcement in the coming years.
I. Recent Actions Imposing Personal Liability
Two recent enforcement actions against financial institutions and their AML officers support this expectation and should serve as stark warnings to individuals charged with ensuring compliance with the BSA.
SEC Order Instituting Administrative and Cease-and-Desist Proceedings. In January 2017, the Securities and Exchange Commission (SEC) filed an order instituting administrative and cease-and-desist proceedings against a New York-headquartered broker-dealer and its Chief Compliance Officer and AML Officer for alleged violations of the BSA and other securities laws.[1] The order alleged that the company facilitated the unregistered sale of hundreds of millions of penny stock shares—including those occurring in accounts controlled by microcap stock financiers who were separately charged by the SEC with conducting a pump-and-dump scheme—without performing adequate due diligence. Regarding those transactions and others, the order alleged that the company and its AML Officer failed to file required suspicious activity reports (SARs) for $24.8 million in suspicious penny stock sale transactions, which earned the company at least $493,000 in commissions.
The order alleged that the AML Officer was personally responsible for monitoring customer transactions for suspicious activity and ensuring the firm's compliance with SAR reporting requirements, citing the company's AML program, which required all identifications of red flags or suspicious behavior to be elevated to the AML Officer, who would then determine whether or not and how to further investigate the matter and whether to file a SAR.
In reaching its findings, the order also cited to agency guidance and the AML Officer's apparent failure to adhere to it. Specifically, the order identified written guidance relating to microcap stocks issued by the Financial Industry Regulatory Authority (FINRA) and the SEC's Office of Compliance Inspections and Examinations (OCIE), both of which identified several red flags indicative of potential money laundering. Notwithstanding agency guidance and the company's AML program, it was alleged that the company repeatedly violated the BSA, and that the AML Officer caused and aided and abetted those violations, by failing to file required SARs concerning dozens of potentially illegal stock sale transactions by its customers.
The order also is an example of the SEC's aggressive use of AML program and SAR filing requirements to require securities firms and their supervisory and compliance teams to monitor for and report potential violations of federal securities laws by customers and counterparties.
FDIC Cease and Desist Order and Civil Money Penalty. In December 2016, the Federal Deposit Insurance Corporation (FDIC) brought an enforcement action against the President and Chief Executive Officer of an Arkansas state-chartered non-member bank with $37 million in assets for alleged violations of the BSA.[2] The individual also served as the bank's BSA Officer for a period of time. Based on allegations that he failed to file timely SARs, he consented to a cease and desist order that imposed ongoing compliance requirements, including periodic training requirements and a requirement to "[f]amiliarize himself with and adhere to the FDIC Guidance on Payment Processor Relationships, as set forth in FDIC Financial Institution Letter 127-2008 as revised by FDIC Financial Institution Letter 41-2014[.]" In addition, the individual consented to a civil money penalty (CMP) in the amount of $35,000, for which he was prohibited from seeking or accepting indemnification from the bank.
II. Personal Liability Takeaways
The SEC and FDIC orders serve as warnings to the financial services industry that personal liability arising out of BSA/AML violations continues to be an enforcement objective of the federal bank and securities regulatory agencies under certain circumstances. To protect themselves and the institutions they serve, AML officers and compliance divisions should ensure that their policies, procedures, and practices reflect relevant regulatory expectations and should request allocations of additional resources if necessary to meet regulators' expectations.
In particular, the FDIC order suggests that individuals at smaller institutions may be more susceptible to individual liability than peers in similar positions at larger institutions, as they may have a greater degree of influence over the institution's AML controls. This concept has been corroborated by government officials. In October 2016, a former chief of the Asset Forfeiture and Money Laundering Section at the Department of Justice stated, "[i]n order to hold an individual responsible for breaking [the BSA], you would have to say, essentially, this person caused the institution to be criminally deficient in its [AML] program. So, we have used that occasionally, but it tends to be with smaller institutions where you can really attribute all the decision-making to one person or one small group of people."[3]
In addition, common to both orders are the allegations that the AML officers failed to heed the warnings contained in agency-issued guidance relating to the risks of certain customers and products. Such criticisms highlight the importance for AML officers of ensuring that their institution takes a risk-based approach to compliance, properly devoting enhanced diligence and monitoring to higher-risk customers—such as third-party payment processors—and their transactions. Bank compliance personnel, and especially AML officers, should diligently review industry developments, including new regulations, guidance, and enforcement actions, to ensure they are equipped to identify and detect the risks most concerning to the regulators.
III. AML Outlook
Although significant regulatory relief is expected in the financial services industry in light of the new administration's stated objectives, we do not anticipate the administration will ease AML enforcement. In fact, given the administration's focus on national security and state and federal regulators' recent rulemakings and guidance, it is more likely that enforcement of the BSA is an area of supervision that will increase in the coming years.
From a policy perspective, there are numerous indications that AML will remain a top priority. Recently, the Office of the Comptroller of the Currency (OCC),[4] the SEC,[5] and FINRA[6] have each identified AML as a supervision or examination priority for 2017. Moreover, in December 2016, the Financial Action Task Force published its Mutual Evaluation Report[7] on the AML/counter-terrorist financing measures in the US, which identified a number of weaknesses and deficiencies. As a remedy, agencies are likely to take a more rigorous approach to AML compliance examinations, which may ultimately result in an uptick in AML enforcement.
The Financial Crimes Enforcement Network's final Customer Due Diligence Rule (CDD Rule) seeks to address one of those identified deficiencies: beneficial ownership. Under the CDD Rule, financial institutions are required to identify and verify the identity of the beneficial owners of most legal entity customers at the time a new account is opened, necessitating significant operational changes to financial institutions' existing AML programs. The CDD Rule, which also formalizes existing expectations of customer due diligence imposed on financial institutions as the "fifth pillar" of AML compliance, became effective on July 11, 2016, and has an "applicability date" of May 11, 2018. Many institutions have already begun implementing changes to their compliance programs to conform to the CDD Rule in advance of the compliance date. In at least one public enforcement action, the OCC has already imposed the CDD Rule's requirements on a bank, including as a provision that the bank should consider the CDD Rule in developing customer due diligence and enhanced due diligence policies and procedures.[8]
Separately, the New York Department of Financial Services' (DFS) new risk-based anti-terrorism and anti-money laundering rule (DFS Rule) became effective on January 1, 2017, requiring New York-regulated institutions to bolster their AML programs and, most significantly, to provide a personal certification to the DFS that those enhanced programs meet the DFS' expectations. Interestingly, in the assessment of public comments accompanying the DFS Rule, the DFS explicitly left the door open to civil and criminal liability resulting from the certification, stating, "if such [an AML] program is not reasonably designed and if the compliance finding is not based on a review of necessary documents and materials, the certifying individual(s) may appropriately be subject to the Superintendent's civil enforcement powers, and if the compliance finding was made with the intent to deceive, to criminal penalties."[9] The implementation of the DFS Rule raises the compliance standard for New York institutions during an already active period of AML enforcement. Since August 2016, the DFS has entered into four public AML enforcement actions with penalties ranging from $180 million to $425 million each.
Finally, despite the administration's promise to limit regulatory burdens on the financial industry, there has been little indication that it desires to pull back on the enforcement of existing regulations, especially those contributing to national security. Indeed, holding financial institutions accountable for perceived deficiencies in controls designed to thwart money laundering and the financing of terrorism aligns with the president's campaign positions. Accordingly, financial institutions would do well to strengthen their commitment to AML compliance. As a first step, financial institutions should assess thoroughly their risk-profiles and consider how much support and resources must be allocated to AML officers and compliance departments to properly mitigate those risks.
[1] Administrative Proceeding, SEC File No. 3-17813.
[2] Consent Order to Cease and Desist and Order to Pay, FDIC-16-0124b, FDIC-16-0125k.
[4] OCC Fiscal Year 2017 Bank Supervision Operating Plan (Sep. 14, 2016).
[5] SEC OCIE Examination Priorities for 2017 (Jan. 12, 2017).
[6] FINRA 2017 Annual Regulatory and Examination Priorities Letter (Jan. 4, 2017).
[7] FATF, Mutual Evaluation of the United States (Dec. 1, 2016).
[8] OCC Consent Order, AA-SO-2016-62 (Jul. 2016).