On December 16, 2021, the Office of the Comptroller of the Currency (“OCC”) and the Financial Crimes Enforcement Network (“FinCEN”) issued civil monetary penalties against a Texas community bank for violations of the Bank Secrecy Act (“BSA”). The consent orders read like a veritable “how not to” for reviewing anti-money laundering alerts.
According to the OCC’s consent order imposing a $1 million civil monetary penalty, between June 2016 and June 2021, the bank failed to implement a system of internal controls to assure the Bank’s BSA compliance program was functioning as intended, in violation of 12 C.F.R. § 21.21(d)(1). As a result, the bank failed to investigate and disposition alerts of suspicious activities, in violation of suspicious activity reporting requirements under 12 C.F.R. § 21.11. Under these requirements, covered institutions must notify FinCEN of any activity involving insiders or transactions over specific monetary thresholds that the institution reasonably believes may have been made in furtherance of a crime. During this five-year period, the OCC alleged that the bank failed to timely file complete suspicious activity reports on approximately $100 million of suspicious activity.
On the same day, FinCEN imposed an $8 million civil monetary penalty for similar violations, albeit for the period 2015 through 2019. The FinCEN consent order provides significantly more detail around the violations, which cumulatively caused the bank to “willfully” fail to file at least 17 suspicious activity reports (“SAR”). These missed SARs included at least three groups of the bank’s customers who were charged with crimes based in part on transactions through their accounts at the bank.
According to the FinCEN order, these failures were caused by an understaffed AML department that failed to properly utilize the bank’s automated monitoring system and systematically failed to investigate alerts. Specifically, the order alleges:
- The bank’s AML compliance office, consisting of six to eight staff, including a BSA officer and multiple analysts, was not adequate to review the 300 alerts the bank received on average each day, particularly because the BSA analysts did not review supporting documents for the alerts, including cash deposit slips, wire transcripts, or check images, among others.
- The bank failed to update customer due diligence (“CDD”) questionnaires when circumstances warranted (e.g., when the questionnaire was updated). When CDD was updated, the bank’s AML staff obtained the additional information from customer account officers rather than from the customers themselves, in violation of the bank’s policies and procedures.
- The bank failed to consistently evaluate its customers’ first 90 days of account activity for illicit activity, because its automated monitoring system was only programmed to compare activity day over day, and lacked a meaningful assessment of whether this activity was consistent with activity one would expect from the customer based on its business model.
- The bank did not fully utilize the functionality of the automated monitoring systems. For example, AML staff did not generate available monthly reports, such as “High Risk Reports.”
- In order to reduce alert volume, the bank’s BSA Officer applied exemptions for customers whose activity was thought to be “well-known,” including individuals later arrested for or convicted of financial crimes. The bank did not retain work papers or other appropriate documentation supporting these exemptions.
- The bank’s BSA analysts closed alerts without investigation by selecting a reason from a pre-set list of possible reasons a case alert could be closed without further elevation. As a result, the bank failed to file SARs for new activity by customers for whom a SAR had previously been filed.
- When SARs were filed, it was often without any further investigation into the activity or the subject.
In determining the penalty, FinCEN cited the seriousness and impact of the violations as exacerbating factors, but credited the bank’s prompt and efficient response to the investigation, including the fact that its entire AML office, including the BSA officer, resigned.
Putting it Into Practice: While the bank’s case is extreme, the lessons taken from it are straightforward. Covered financial institutions have to adequately staff their AML departments to ensure all alerts are reasonably investigated. Investigations have to include a review of supporting documents. CDD information must be obtained from customers, not account managers or other third parties. Alerts have to be reasonably set to flag suspicious activity based on an accurate customer profile. Every step of an investigation, including any exceptions applied, must be documented according to the institution’s written procedures. Covered institutions can always do more, but should at a minimum ensure these critical BSA-AML program components are in place and working as intended.