Stout and Taylor English Duma co-hosted a panel in Atlanta discussing several recent AML-related enforcement actions and associated shareholder litigation. The event featured the following panelists (all of whom have worked with numerous financial institutions on AML-related issues):

  • Jesse Morton, Stout, Dispute Consulting Director & Southeast Forensic Services Leader
  • Harry Dixon, Taylor English Duma, Attorney
  • Alan Faircloth, Federal Reserve Bank of Atlanta, Assistant General Counsel in the Legal Department
  • Terri Sands, Secura Risk Management, Founder

The panel addressed the following topics during the hour-long discussion:

  • Why AML is an enforcement priority for regulators
  • Selected recent AML enforcement actions
  • The major lessons learned from the enforcement actions
  • How to apply the major lessons learned

The Bank Secrecy Act (BSA) and anti-money laundering laws (AML) are rules requiring financial institutions, such as banks and credit unions, to perform checks on and keep specific records of events that may signal the occurrence of money laundering, tax evasion, or other criminal activities. The panel addressed the importance of AML compliance, instances of noncompliance, and how to avoid similar types of mistakes.

Jesse Morton kicked off the panel by noting that AML is consistently named as one of the top enforcement priorities for a slew of regulatory agencies and that some of these agencies have recently made changes to their AML compliance frameworks. Morton noted, as a specific example, the beneficial ownership requirement from FinCEN, which he described as "now considered to be the 'fifth pillar' of an effective AML program."

Furthermore, Morton stated that there has been myriad recent enforcement actions related to AML violations, many of which include fines in the hundreds of millions of dollars. Thus, AML compliance continues to be a high priority for all financial institutions, and these institutions should scrutinize AML regulatory enforcement actions for lessons that can be learned and incorporated into their own AML programs.

AML as a Priority for Regulators

Morton started by asking Alan Faircloth to provide some insight into why AML continues to be a priority for regulators. Faircloth responded by noting that there are several risks associated with AML that regulators are highly concerned about. One risk is the consumer risk associated with AML noncompliance. Every regulatory agency is concerned about protecting consumers from fraud, and when AML infractions are caught, there is a sense that the offending institution has failed to protect consumers. Another risk is reputation risk, which can affect both financial institutions and regulatory agencies. For financial institutions, when AML infractions are made public, there is a reputation risk of appearing untrustworthy to customers and shareholders. For federal agencies, there is a reputation risk that the regulator was not "minding the farm" or doing its job correctly.

Morton then opened the question up to the larger panel. Harry Dixon spoke to the idea of an enhanced individual focus. The theory, Dixon stated, is that when there is AML noncompliance or failures, someone at the financial institution is responsible. Questions are then raised about who is responsible for the problem, what should be done to hold the individual accountable, and how the financial institution will try to ensure that the problem does not happen again.

Terri Sands added that she felt the interaction between individuals and systems plays a role. Sands stated that she finds many banks have an issue where AML staff do not have proper training on their reporting system and/or do not want to use the technology. This causes the AML staff to work outside of the proper AML reporting system. When an examiner performs an audit, they find the staff's personal reporting system to be inadequate and without proper controls. This may result in censure of the bank.

Dixon noted that he has seen an increase in the trend of shareholder class-action lawsuits. Dixon stated that each suit tends to follow these three steps:

  1. The financial institution becomes the target of an enforcement action due to a faulty BSA/AML compliance program.
  2. The enforcement action has either a to-do list for the financial institution or an assessed monetary fine.
  3. The financial institution then discloses the enforcement action, which usually causes the stock price to drop. Disgruntled investors respond by filing a class-action lawsuit that claims securities fraud occurred because, by failing to disclose that they were under investigation, the financial institution artificially inflated the stock price. Faircloth added that this is a tricky situation for a financial institution because legally, if a regulator identifies BSA/AML issues, the financial institution cannot disclose the issue.

The panel then transitioned into discussing recent AML enforcement actions and the lessons that can be learned from each of these cases.  

Recent AML Enforcement Actions and Lessons Learned

BancorpSouth

Dixon presented first, citing a recent class action lawsuit against BancorpSouth. BancorpSouth is a regional bank headquartered in Tupelo, MS. In January 2014, the bank announced that they were acquiring two banks, Ouachita Bancshares Corp. and Central Community Corp. In July 2014, however, BancorpSouth announced that federal regulators had identified concerns with the bank's BSA/AML controls. This announcement caused BancorpSouth's share price to drop by 8%, and, as a response, purchasers of securities filed a class action lawsuit. The shareholders alleged that the bank misrepresented their compliance with BSA/AML laws and the closing of two mergers, which artificially inflated the price of the bank's stock. In March 2018, BancorpSouth reached a $13 million settlement with this group of shareholders over these allegations.

Dixon stated that there are several lessons that can be learned from this case. First, bank management must be candid with shareholders and investors during instances where regulators express serious concern about the bank's BSA/AML program. Second, BSA/AML program deficiencies have implications that go beyond a government enforcement action. These deficiencies may trigger allegations of private securities fraud, class-action lawsuits, delays in acquisitions, and the like.

Sands added that this is one reason why banks should place a high importance on periodically conducting a non-regulatory mandated lookback, which is when a bank reviews the past few years of customer activity to ensure that they didn't 'miss' any potentially suspicious activity that should have resulted with the filing of Suspicious Activity Reports (SARs). Conducting lookbacks can allow a bank to catch and correct mistakes before the regulator finds these errors.

Rabobank

Morton then presented on an enforcement action against Rabobank. Rabobank, N.A., a subsidiary of Rabobank Group, is a regional bank operating in California. Several of the bank's branches were located near the Mexican border and they had a concentration of customers that were in higher risk businesses such as agriculture, trucking/transportation, and jewelry, among others. Among the many issues identified by the regulators in this action, one of the primary ones related to Rabobank hiring an independent consultant to conduct a review of their BSA/AML program, and the consultant identified several recommendations to enhance their BSA/AML program. Several members of the BSA/AML team disagreed with some of the consultant's findings, so when the examiners asked for a copy of the report some of them attempted to obscure the report. The regulators alleged that the obscuring of the report amounted to the Bank providing false and misleading statements to federal regulators. Accordingly, Rabobank was charged, fined, and placed on a two-year probation.

Morton highlighted that another key lesson that could be learned from this case is that financial institutions should be more judicious on filing SARs when transactions look suspicious or are potentially indicative of illegal behavior. He noted that this seems to be both a moral and a legal obligation. Sands pointed out that regulators hold banks responsible for illegal activities conducted by customers, even if the monetary transaction is small.

Undisclosed Community Banks

Finally, Sands presented trends she has found while working with community banks. Sometimes, she noted, whether a bank is determined to have proper AML controls depends on the individual regulator. One regulator may find that the bank has adequate controls, but another may find deficiencies in the same system. Sands stated that this usually comes down to the amount of experience a regulator has in the AML field.

On a related note, she has noticed a trend where specialized AML regulators are starting to conduct examinations in multiple states. This has led to an increased expectation in uniform controls, i.e., an examiner will expect the same controls from a bank in NYC and a bank in rural Georgia. Some banks, especially those in smaller markets, are finding this standard difficult to achieve. Morton noted that a consistent issue at many community banks is finding qualified and experienced AML staff. This, however, is not an acceptable excuse to regulators, and smaller banks may find themselves in significant trouble if they do not make AML staffing and succession a priority. Sands added that she understands that executives tend to not focus on the AML department because it is not a revenue generator but rather a cost; however, she stressed that a strong AML department will help to ensure that the bank does not face major noncompliance consequences including a potentially very large fine. Faircloth observed that banks have a responsibility to educate the board so that they can speak to and understand basic AML risk.

Audience Question

An audience member asked a question on racial profiling and AML mechanisms. The question was: How do banks ensure AML enforcement and compliance without falling into the trap of racially profiling? Morton responded that the AML risk assessments are racially neutral, rules-based, and formulaic. This formula depends on a number of factors including, but not limited to, geographies, products, services, and transactions. When financial institutions conduct an assessment with this formula, certain customers may end up being scrutinized more heavily, but that is because certain businesses, such as money services businesses, cash intensive businesses, and other types, have a higher risk profile. Sands stressed the importance of banks having strong AML structures; two banks can have the same system but use the information very differently. Faircloth noted that it is important not to engage in "pure box checking." He stated that banks must look at each risk assessment analytically to make fair and accurate determinations.

How to Apply Lessons Learned

The panel ended the session by discussing the larger lessons learned and how banks can apply them to their own AML programs. Dixon kicked off this section by emphasizing that AML is not going to go away and will stay as a priority for regulators.

Faircloth gave four pieces of advice. First, he stressed the importance of tracking consumer complaints. Banks need to know what consumers are complaining about and critically look at these complaints to see if they indicate issues with AML controls. An example of this occurred in the Western Union and MoneyGram enforcement actions where the financial institutions were receiving large numbers of complaints about certain branches that indicated various types of fraud and money laundering, yet the institution did not adequately investigate or respond to those complaints.

Second, any substantive allegations of AML noncompliance need to be communicated between the legal group and the AML group. When these two groups work together, they can usually resolve most AML issues before they become a concern for regulators. Third, Faircloth stressed the importance of thinking about SARs operationally. He stated that banks should look at their SARs and critically assess whether they indicate a lack of internal controls. Finally, Faircloth stated that banks should drive the conversation with the regulators. Regulators, he explained, are usually open and receptive to questions and feedback that banks may have. It is better for banks to be proactive and identify corrections that need to be made before they become an issue with a regulator.

Sands had several observations. First, she noted that there is a communication gap between the first line of defense and the board. Sands stated that banks need to educate their boards on the basics of AML compliance. Second, bank executives need to continuously examine and evaluate their AML programs. Third, she noted the importance of training staff being more alert at identifying signs of money laundering and other illegal activity. As examples, she identified the importance of training staff to spot indicia that may indicate elder abuse or human trafficking. Training, she stressed, is not only one of the required pillars of an effective BSA/AML program but should be a key control every bank.

Morton and Dixon ended the panel discussion with observations on two emerging themes that may have an impact on future AML regulatory guidance. The first is related to frauds operated through financial institutions. Morton explained that when an individual or business operates a fraud, like a Ponzi scheme, through a financial institution and the fraud is discovered, oftentimes the victims of the fraud file a lawsuit against the financial institution. The rationale is that the financial institution either 'knew or should have known' about the fraudulent activity since their BSA/AML program requires detection of suspicious activity, or the financial institution's program was deficient in not detecting the suspicious activity — either way, therefore, the financial institution should be held liable. The second theme is the migration of criminal activity from systematically important financial institutions (SIFIs) to much smaller regional and community banks. As SIFIs have increased the size and sophistication of their AML departments, many as a result of massive fines and penalties (e.g., HSBC fined $1.9 billion for inadequate BSA/AML controls), criminals have begun to migrate their illegal activity to banks that do not have commensurate budgets for compliance, compliance departments that are not nearly as large, or BSA/AML systems that are as sophisticated. Therefore, there is a shift occurring where many criminals are moving to bank with smaller regional and community banks, so regulators are subsequently scrutinizing the controls at these smaller banks.