FinCEN’s Latest Enforcement Action: What Can We Learn From It?
Regulatory violations result in costly fines and civil penalties. Financial Institutions, as well as Individual financial institution employees (including credit union employees) can be subject to these penalties. Last year, I wrote about the most common reasons banks and credit unions over the years have faced civil money penalties assessed by the Financial Crimes Enforcement Network (FinCEN) and other regulators. Today, we will go over FinCEN’s most recent enforcement action.
In a Nutshell. On March 4, 2020, FinCEN assessed a $450,000 civil money penalty against Michael LaFontaine. LaFontaine is the former Chief Operational Risk Officer at U.S. Bank National Association (U.S. Bank). Before that, LaFontaine also serve as Deputy Risk Officer and Chief Compliance Officer for U.S. Bank. Among other things, LaFontaine failed to prevent violations of the Bank Secrecy Act (BSA) and regulations issued pursuant to that Act which occurred during his tenure, and to take sufficient steps to ensure that U.S. Bank’s compliance division was appropriately staffed to meet regulatory expectations.
Does the Name “U.S. Bank” Ring a Bell? It should! If you were thinking this institution sounded familiar you were absolutely right. In 2018, FinCEN determined U.S. Bank willfully violated the BSA’s program and reporting requirements from 2011 to 2015. According to FinCEN, both prior to and during Mr. LaFontaine’s tenure, the bank capped the number of alerts its automated transaction monitoring system would generate for investigation, causing the bank to fail to investigate and report large numbers of suspicious transactions. It allowed noncustomers to conduct currency transfers at its branches through a large money transmitter and failed to include such transfers in its automated transaction monitoring system. It also employed inadequate procedures to identify and address high-risk customers that caused it to fail to effectively analyze and report the transactions of such customers.
At the time, FinCEN determined the bank failed to timely file over 2,000 Suspicious Activity Reports (SARs) on transactions worth more than $700 million and filed thousands of Currency Transaction Reports (CTRs) that provided materially inaccurate information. FinCEN assessed a civil money penalty of $185 million, while the Office of the Comptroller of the Currency (OCC), U.S. Bank’s primary regulator, assessed a $75 million civil money penalty against the bank.
What can we learn from the recent enforcement action against LaFontaine?
- You can be personally liable. Between January 2005 and June 2014, LaFontaine “held senior positions within the Bank’s AML hierarchy, involving oversight of the Bank’s AML compliance functions. As Chief Operational Risk Officer, LaFontaine oversaw the Bank’s AML compliance department and he supervised the Bank’s Chief Compliance Officer (CCO), AML Officer (AMLO), and AML staff”. According to FinCEN, since LaFontaine at various times had responsibility for overseeing U.S. Bank’s compliance program, he shares responsibility for the Bank’s violations of the requirements to implement and maintain an effective AML program and file SARs in a timely manner. Several memos were sent by the AMLO to LaFontaine, who failed to take sufficient action when presented with significant AML program deficiencies.
- Having and implementing an adequate AML program is vital to prevent violations. During the course of LaFontaine’s employment, U.S. Bank failed to establish and implement an adequate AML program and to report suspicious activity. According to FinCEN, “U.S. Bank adopted AML policies, procedures, and controls that it knew would cause it to fail to investigate and report suspicious and potentially illegal activity… and employed a woefully inadequate number of AML investigators, thus violating the BSA’s requirement that it designate a compliance officer and provide that officer with the resources necessary to fulfill his/her responsibilities.” An analysis of the bank’s transactions revealed that “it failed to timely file thousands of SARs, including on transactions that potentially laundered the proceeds from crimes,” FinCEN explained.
- Use technology but use it wisely. The enforcement action explains that U.S. Bank’s alert practices were noncompliant for years. U.S. Bank imposed caps on the number of alerts the transaction monitoring system would generate, which meant that certain accounts or customers with high-risk scores would not generate alerts simply because U.S. Bank had a large number of accounts or customers with even higher risk scores. Likewise, U.S. Bank set numerical caps on alerts until 2014. As a result, the transaction monitoring system did not generate alerts for many of the transactions that a risk-based approach would have flagged as potentially suspicious. An alarming number of alerts were suppressed which prevented suspicious activity from being investigated and reported. Rather than addressing their thresholds and caps, U.S. Bank decided to stop conducting below-threshold testing in April 2012. FinCEN explains U.S. Bank maintained inappropriate alert caps for no less than five years.
- Staffing is an investment: Staff the compliance division/department based on the credit union’s needs. According to FinCEN, the AMLO verbally told LaFontaine that the Bank did not have enough AML staff to work all of the alerts that it should be working and LaFontaine failed to take sufficient action in regards to the number of staff members necessary to fulfill the AML compliance role by his AMLO.
- Listen to your staff and don’t ignore the warnings of other/previous enforcement actions. LaFontaine received internal memos from staff informing him of significant increases in SAR volumes and law enforcement inquiries. He also received account closure recommendations. According to the staff these issues created a situation where AML staff was “stretched dangerously thin.” According to FinCEN, LaFontaine failed to act when presented with significant AML program deficiencies. In 2010, FinCEN and the OCC announced regulatory action against Wachovia Bank over the same misconduct underlying U.S. Bank’s violations, which were already underway at that time. Such misconduct included “improperly capping the number of alerts generated by its automated transaction monitoring system based on the number of compliance personnel that it had available to review transactions” and failing to adequately staff its BSA compliance function. U.S. Bank was not proactive in identifying its BSA deficiencies and learning from its peers' mistakes.
BSA/AML compliance programs should be structured to adequately address a credit union’s risk profile, as identified by its risk assessment. It is always a good time to dust off your credit union’s compliance program and self-assess the overall BSA compliance of your credit union. Don’t let history repeat itself at your institution!
Here is a picture of my new coworker (my child-cat "Ash"), in case you needed something to brighten up your day during these difficult times.