The Audit Impact of United States Department of Justice Prosecution of Bank Secrecy Act Violations -1 of 35-

The Audit Impact of the U.S. Department of Justice Prosecution of Bank Secrecy Act Violations

By: Jason C. Honeycutt

The author is a Texas licensed attorney who is a board-certified criminal law specialist. He is a Certified Anti-Money Laundering Specialist by ACAMS. He is the current chair of the Texas Bar Association’s Minimum Continuing Legal Education Committee. His legal experience includes State prosecutor, Federal prosecutor (United States Department of Justice, United States Attorney’s Office for the Southern District of Texas), and private practice of law in civil litigation and criminal defense work. His trial experience as a State prosecutor ranges up to murder, including numerous white collar criminal matters and drug cases. His federal prosecutorial experience on the U.S.-Mexico border includes public corruption, drug trafficking, and money laundering. He was involved in thousands of criminal cases while acting as a prosecutor.

TABLE OF CONTENTS

I. INTRODUCTION

A. WHAT IS AN “APPROPRIATE” BSA/AML PROGRAM? AND HOW IS THAT ASSESSED?
B. ACCORDING TO THE DEPARTMENT OF JUSTICE, WHAT IS “INEFFECTIVE”?
C. THE TEN GENERAL LESSONS

II. LEGAL BACKGROUND

A. UNITED STATES CODE TITLE 31, CHAPTER 53 COMMONLY REFERRED TO AS THE “BANK SECRECY ACT”
B. 31 U.S.C. § 5318: DELEGATION OF AUTHORITY TO TREASURY DEPARTMENT
C. 31 U.S.C § 5321: CIVIL PENALTIES
D. 31 U.S.C § 5322: CRIMINAL PENALTIES

III. CIVIL ACTIONS

A. PREVIEW
B. LESSON #1: VALIDATE THE BSA/AML OFFICER, THE OFFICER IS INDIVIDUALLY LIABLE
C. LESSON #2: USE QUANTITATIVE TESTING, SUCH AS PUBLISHED INDUSTRY STANDARDS
D. LESSON #3: USE QUALITATIVE TESTING, SUCH AS THE BSA/AML PROGRAM’S USE OF ALL READILY AVAILABLE RESOURCES
E. LESSON #4: REVIEW THIRD PARTY PAYMENT PROCESSOR DUE DILIGENCE

IV. CRIMINAL CASES

A. PREVIEW
B. LESSON #5: FOR HIGHER RISK CUSTOMERS OR PRODUCTS, VALIDATE STAFFING ANALYSIS
C. LESSON #6: FOR NEGATIVE NEWS, VALIDATE THE DUE DILIGENCE BEFORE THE DATE OF THE NEGATIVE NEWS
D. LESSON #7: VALIDATE THE “TONE AT THE TOP” REGARDING BSA/AML
E. LESSON #8: VALIDATE THE “REQUEST FOR INFORMATION” ESCALATION PROCESS
F. LESSON #9: VALIDATE THE CORRESPONDENT BANKING DUE DILIGENCE
G. LESSON #10: VALIDATE THE BSA/AML FUNCTION’S INDEPENDENCE AND AUTHORITY
H. LESSON #11: VALIDATE THE WIRE RISK ASSESSMENT AND WIRE MONITORING PROCESS
I. LESSON #12: VALIDATE REMEDIATION AND GAP ASSESSMENT PROCESSES
J. LESSON #13: VALIDATE THE BSA/AML PROGRAM COMPONENTS
K. LESSON #11: VALIDATE THE BSA/AML STAFFING & RESOURCES
L. LESSON #14: VALIDATE ACCOUNT PROCEDURES POST SAR FILING
M. LESSON #15: VALIDATE HORIZONTAL INFORMATION SHARING OR “INTERNAL REFERRAL” SYSTEM
N. LESSON #15, PART 2: VALIDATE THE HORIZONTAL INFORMATION SHARING OR “INTERNAL REFERRAL” SYSTEM
O. LESSON #16: COMPARE THE ACTUAL VERSUS EXPECTED USE OF THE ACCOUNT
P. LESSON #17: REVIEW THE QUALITY AND QUANTITY OF READILY AVAILABLE INFORMATION TO THE FINANCIAL INVESTIGATIONS UNIT
Q. LESSON #18: VALIDATE CHECK KITING & OTHER FRAUD DETECTION PROCESSES
R. LESSON #19: VALIDATE THE MSB DUE DILIGENCE & PROCESSES
S. LESSON #20: IDENTIFY THE HIGHER RISK CUSTOMERS IN HIGHER RISK GEOGRAPHIES WITH HIGHER RISK PRODUCTS AND VALIDATE THOSE BSA/AML PROCESSES
T. LESSON #21: VALIDATE THE RED FLAG DETECTION PROCEDURES AND ACTUAL RESULTS
U. LESSON #20, PART 2: DETERMINE THE HIGHER RISK CUSTOMERS IN HIGHER RISK GEOGRAPHIES WITH HIGHER RISK PRODUCTS AND VALIDATE THOSE BSA/AML PROCESSES
V. LESSON #23: EFFECTIVE BSA/AML PROGRAM ESSENTIALS
W. LESSON #24: VALIDATE THE WIRE TRANSACTION MONITORING PROCESS
X. LESSON #25: VALIDATE THE BULK CASH AND OTHER CASH RELATED MONITORING PROCESS
Y. LESSON #26: VALIDATE THE POUCH AND REMOTE DEPOSIT CAPTURE REVIEW PROCESS
Z. LESSON #12, PART 2: VALIDATE REMEDIATION TRACKING AND EFFORTS AFTER ISSUE IDENTIFICATION
AA. LESSON #4, PART 2: REVIEW THIRD PARTY PAYMENT PROCESSOR DUE DILIGENCE
BB. LESSON #29: VALIDATE THE BEARER SHARE DUE DILIGENCE
CC. LESSON #30: VALIDATE THE RISK ASSESSMENT
DD. LESSON #31: VALIDATE THE SOURCE OF FUNDS
EE. LESSON #32: “TRUST, BUT VERIFY” INFORMATION
FF. LESSON #10, PART 2: VALIDATE THE BSA/AML FUNCTION’S INDEPENDENCE & AUTHORITY
GG. LESSON #33: VALIDATE THE AUDIT PLAN

V. DISCUSSION

A. 5+ YEARS OF SIGNIFICANT FEDERAL LEGAL ACTION
B. INDIVIDUAL RESPONSIBILITY & COMPETENCE
C. HIGHER RISK CUSTOMERS
D. RED FLAG DETECTION PROCESSES
E. MEASURABLE VALIDATION, BOTH QUALITATIVE AND QUANTITATIVE
F. REVIEW TRENDS
G. ACT PROACTIVELY, VALIDATE RETROSPECTIVELY, BUT NOT IN A VACUUM
H. ISSUE REMEDIATION
I. BSA/AML PROGRAM ESSENTIALS
J. REGULAR RISK ASSESSMENTS
K. VALIDATE THE AUDIT PLAN

VI. CONCLUSION

I. Introduction

A. What is an “appropriate” BSA/AML program? And how is that assessed?

If you are reading this, then you have heard or read about the terms found in discussions about anti-money laundering (AML) programs of today’s U.S. financial institutions: “deficiencies,”1 “adequately,”2 “ineffective,”3 “violations of law,”4 “commensurate,”5 “timely,”6 “standards,”7 “proactive,”8 “qualified,”9 and “competent.”10 What exactly does all of this mean? You probably also have questions about what are the right tools and background to examine and assess an AML program. Most industry and AML audit professionals start with the FFIEC Manual and can recite its provisions almost religiously. So let us start there.

What you will find is an overarching theme of “Assess the adequacy of the bank’s BSA/AML compliance program. Determine whether the bank has developed, administered, and maintained an effective program for compliance with the BSA and all of its implementing regulations.”11 On occasion, the FFIEC Manual will give you a concrete item: “[t]he BSA/AML compliance program must be written, approved by the board of directors, and noted in the board minutes.”12 But usually the Manual gives you more of the same: “[a] bank must have a BSA/AML compliance program commensurate with its respective BSA/AML risk profile.”13

The right AML tools and assessment can be difficult unless more specific factual scenarios are available to learn from and apply. This has led to subjective, challengeable assessments of what exactly is an effective AML program based on who is reviewing the material and what exactly is being looked at. This is frequently executed as a subjective standard based on an examiner’s or auditor’s “opinion” of what is “adequate” and “effective.” However, money laundering and AML programs are matters of federal law, and the law is an objective standard. That objective standard is ultimately measured by those in the federal court system. The federal court system provides a public record of what the “inadequate” or “ineffective” AML program has done. Short of the federal court system are the administrative decisions of the supervising agencies (frequently referred to as “Consent Orders”), and of course those private and confidential exam findings (such as a “Matter Requiring Attention”). An advantage of federal court filings over Consent Orders is the far more specific factual and publicly available information in the federal court filings.

1 In the Matter of JP Morgan Chase Bank, et al., (O.C.C. January 14, 2013).
2 Id.
3 Id.
4 In the Matter of Cadence Bank, N.A., (O.C.C. February 9, 2015).
5 In the Matter of Citigroup, Inc., (Fed. Reserve March 21, 2013).
6 Id.
7 Id.
8 In the Matter of JP Morgan Chase & Co., (Fed. Reserve January 14, 2013).
9 “Written Agreement by and between” Discover Financial Services and Federal Reserve Bank of Chicago (Fed. Reserve March 26, 2015).
10 In the Matter of Banamex USA (F.D.I.C. August 2, 2012).
11 Federal Financial Institutions Examination Council, Bank Secrecy Act Anti-Money Laundering Examination Manual, at 28 (2014) (emphasis in original).
12 Federal Financial Institutions Examination Council, Bank Secrecy Act Anti-Money Laundering Examination Manual, at 28 (2014).
13 Federal Financial Institutions Examination Council, Bank Secrecy Act Anti-Money Laundering Examination Manual, at 28 (2014).

The federal court system, of course, has its drawbacks as well. Much research and attention has been devoted to how small a percentage of filed matters actually go to trial in a federal criminal case, but with such a large number of criminal indictments generally each year, a sufficient number of cases proceed to trial and through the appellate court process so the case law develops sufficiently for the public to be informed on how to objectively interpret the federal criminal laws. Generally, the same is true for civil cases (so few as a percentage go to trial, but as a nation sufficient total numbers go to trial and are appealed for the case law to develop for effective notice).

However, for civil and criminal actions of AML program violations, the relevant pool of criminal indictments and civil actions was virtually nonexistent for decades. When the climate began to change and federal criminal indictments and federal civil cases by the U.S. appeared more regularly for AML program violations, banks and auditors needed to wait for sufficient factually specific cases to arise and then form an articulable objective standard.

Although there are still insufficient appellate cases to meaningfully analyze and grade an “effective AML program,” we can use the factual allegations in the trial court level pleadings to shed light on what the U.S. Department of Justice Civil Attorneys and Criminal Prosecutors have determined to be “objectively insufficient.” This is the best source of factually specific “case studies” until adequate federal appellate case law develops. A review of the available trial court level proceedings has revealed that all are Deferred Prosecution Agreements, which means there will not be any federal appellate case law developing in the near future.

B. According to the Department of Justice, what is “ineffective?”

As an institution required to have an “effective AML program,” you must take a two-pronged approach to “effectiveness:” (1) test yourself internally and (2) test yourself by use of an independent auditor. This white paper is designed to assist you to determine what not to do and what to test for based on prior “ineffective” BSA/AML programs, according to public record of civil and criminal cases brought under federal law by the U.S. Department of Justice. This white paper also gives guidance on what the scope of audit of an AML program should include at a minimum, both as a financial institution and as the auditor of a financial institution’s AML program.

C. The 10 General Lessons

This paper highlights relevant BSA lessons immediately before the legal quote or citation. In reviewing the lessons as a whole there are some broader categories of lessons learned.

Individual responsibility and competence are the cornerstone of BSA/AML program effectiveness: the board of directors, senior/executive level management, the business line, the BSA/AML officer, and the BSA/AML investigators. Senior/executive level management should support the BSA/AML component or risk their line of business being “de-risked.” BSA/AML investigators should have all readily available information and systems at their disposal and should have sufficient education, experience and intellect to perform proper analysis and document that analysis. The BSA/AML program should be flexible and proactive. As new or unique risk situations develop, the BSA/AML program should analyze, adapt and modify detection processes as appropriate. The transaction monitoring process should cover all banking transactions. The BSA/AML officer should be of senior or executive status and maintain direct lines of communication with the board of directors and other senior/executive level management.

Higher risk customers pose unique challenges and must be monitored with unique tools and by using unique skillsets.

Red flag detection processes utilize an unlimited array of incoming information, from computer systems, to commercial negative news databases, to manual monitoring, to human intelligence. All of these processes should function in a way that effectively flows the information and produces useable results.

Qualitative and quantitative testing coupled together produces the most reliable results. This also allows for testing of potential future red flag detection methods for effectiveness before actual implementation.

Reviewing trends, both of customers and the industry, in light of the BSA/AML program’s current resources will tell you whether the BSA/AML program has sufficient staffing and resources to be an effective BSA/AML program.

Acting proactively in preventing money laundering and financial crime will not prevent all criminal acts. However, it can increase the odds of detection and assist in protecting the U.S. financial system and the general public of the U.S. as mandated by federal law.

Gap assessment and remediation are mission critical. Unanticipated scenarios are certain to arise; how your BSA/AML program deals with new information and uncharted territory will determine whether your BSA/AML program remains dynamically effective or becomes formerly effective.

BSA/AML program essentials include customer identification (beneficial ownership), source of funds analysis, expected transactions of the account, transaction monitoring, out-of-pattern transaction identification, due diligence on out-of-pattern transactions, and filing on unusual or suspicious transactions. Failure on any of these matters risks civil and criminal liability, both by the bank and the individuals involved.

Risk assessments of the overall BSA/AML function and of the major components of the function will act as a guide to determine if your program is effective.

Review and comment on the audit plan is an effective way to ensure you obtain adequate independent audit coverage. Cover all lessons learned from this research, plus all FFIEC examination topics.

II. Legal Background

A. United States Code Title 31, Chapter 53 Commonly Referred to as the “Bank Secrecy Act”

The Bank Secrecy Act and its implementing regulations, which Congress enacted to address an increase in criminal money laundering activities utilizing financial institutions, require domestic banks, insured banks and other financial institutions to maintain programs designed to detect and report suspicious activity that might be indicative of money laundering and other financial crimes, and to maintain certain records and file reports related thereto that are especially useful in criminal, tax, or regulatory proceedings.14

B. 31 U.S.C. § 5318: Delegation of Authority to Treasury Department

The “Bank Secrecy Act” provides the Treasury Department with the ability to implement many of the anti-money laundering standards. 31 U.S.C. § 5318(h), titled “Compliance, Exemptions, and Summons Authority,” subtitled “Anti-Money Laundering Programs,” and sub-subtitled “Regulations,” states: “The Secretary of the Treasury . . . may prescribe minimum standards for [AML] programs.”15

C. 31 U.S.C § 5321: Civil Penalties

The “Bank Secrecy Act” provides for civil penalties. 31 U.S.C. § 5321, titled “Civil Penalties,” subsection (a)(1) states: “A domestic financial institution . . . partner, director, officer, or employee . . . willfully violating [the AML program legal and regulatory provisions] is liable to the United States Government for a civil penalty.”16

Subsection (a)(5)(C), titled “Willful Violations”, states: “In the case of any person willfully violating, or willfully causing any violation of any provision of section 5314 [the maximum penalty shall be . . . ]”17

Subsection (a)(6), titled “Negligence,” states: “Treasury may impose a civil money penalty . . . on any financial institution . . . which negligently violates any provision.”18 In addition, a “financial institution . . . [may] engage in a pattern of negligent violations.”19

D. 31 U.S.C § 5322: Criminal Penalties

The Bank Secrecy Act provides for criminal penalties. 31 U.S.C § 5322, titled “Criminal Penalties,” provides that a person who commits a willful violation can be sentenced to up to five years in prison.20 Violating the Bank Secrecy Act while committing another federal crime can result in up to 10 years in prison.21 In addition, the criminal fine can be up to two times the amount of the transaction, up to $1 million.22

14 United States v. Wachovia, Criminal Information P. 1.
15 Id.
16 31 U.S.C § 5321.
17 Id.
18 Id.
19 Id.
20 31 U.S.C § 5322.
21 Id.
22 Id.

III. Civil Actions

A. Preview

The federal civil lawsuits available to support this paper were extremely limited. Of the two covered, one included a parallel criminal proceeding, leaving only a single dedicated civil action for analysis. The differences between the civil and criminal system can be very important. For instance, the civil system has “two-way discovery,” or discovery processes that allow opponents to request documentation from each other and take the testimony of witnesses and opposing parties before the trial actually occurs. In addition, the usual civil remedies involve money or forcing or preventing a future action. A criminal charge, by contrast, generally has one-way discovery, where the criminal defendant gets information from the government, and the primary remedy of a criminal charge is punishment, either by prison time or by fine. A significant second punishment of a criminal charge is the stigma associated with the allegation or conviction. The likely reasons the criminal process is heavily favored over the civil process are the reduced cost to the U.S. (civil discovery can be very expensive and time consuming) and the threat of criminal conviction.

B. Lesson #1: Validate the BSA/AML Officer, the Officer Is Individually Liable

United States v. Haider, 2014. In 2014, the U.S. filed a civil suit against Haider in connection with his duties as chief compliance officer of MoneyGram.23 The U.S. alleged the following failures:

i. Failure to implement a policy to discipline agents and outlets known or suspected to be involved in fraud and/or money laundering.24

ii. Failure to terminate agents and outlets understood to be involved in fraud and/or money laundering.25

iii. Failure to file SARs because Haider did not provide fraud department information to the AML program.26

iv. Failure to conduct effective audits of agents/outlets, including ones suspected to be involved in fraud and/or money laundering.27

v. Failure to conduct adequate due diligence on agents/outlets by (1) granting outlets to agents previously terminated by other money transmission companies and (2) granting additional outlets to agents suspected to be involved in fraud and/or money laundering.28

These AML failures resulted in known or suspected fraud and/or money laundering outlets continuing to use MoneyGram’s money transfer system to facilitate their fraudulent schemes.29 Haider’s AML failures were willful within the meaning of the civil enforcement provisions of the “Bank Secrecy Act.”30

23 United States v. Haider, 14-cv-0987 (S.D.N.Y. 2014) (unreported) (available at http://www.justice.gov/sites/default/files/usao-sdny/legacy/2015/03/25/Haider%2C%20Thomas%20Complaint.pdf, last accessed January 29, 2016).
24 Id. P. 3.
25 Id. P. 3.
26 Id. P. 3.
27 Id. P. 3.
28 Id. P. 3.

United States v. CommerceWest Bank, 2015 (civil). In 2015, the U.S. filed a civil complaint against CommerceWest Bank alleging the bank, knowingly or with deliberate ignorance, allowed the theft of tens of millions of dollars from customers’ bank accounts.31 The U.S. alleged the following failures: For over a year, the bank ignored red flags of return rates over 50 percent, thousands of consumer complaints, and multiple complaints from other banks whose customers had been victims of the fraud scheme. Ultimately, the bank permitted hundreds of thousands of unauthorized charges from consumer bank accounts.32

The civil suit then goes on to detail BSA/AML program requirements:

vi. An effective BSA/AML program requires knowing the identity of its customer and understanding the customer’s business.33 This Customer Identification Program is designed to prevent access to the banking system by entities engaged in illegal activity.34

C. Lesson #2: Use Quantitative Testing, Such as Published Industry Standards

The civil suit also gives great weight to banking regulators’ published guidance on risks associated with payment processor customers. Years before this suit, “bank regulators . . . urged banks to take particular precautions when dealing with payment processor customers. These steps have included:

i. Monitoring all transaction returns (unauthorized returns and total returns);

ii. Reviewing the third-party payment processor’s promotional materials to determine its target clientele;

iii. Determining whether the third-party payment processor re-sells its services to other entities;

iv. Reviewing the third-party payment processor’s policies and procedures to determine the adequacy of merchant due diligence;

v. Reviewing main lines of business and return volumes for the third-party payment processor’s merchants; and

vi. Requiring . . . the third-party payment processor provide the bank with information about its merchants to enable the bank to assure that the merchants are operating lawful businesses.”35

29 Id. P. 3.
30 Id. P. 4.
31 United States v. CommerceWest Bank, CV 15-00379 (C.D.CA 2015) (unreported) (available at http://www.justice.gov/opa/pr/commercewest-bank-admits-bank-secrecy-act-violation-and-reaches-49-million-settlement-justice, last accessed January 29, 2016).
32 Id. P. 2.
33 Id. P. 4.
34 Id. P. 4.
35 Id. P. 6.

vii. A “bank accepting large volumes of demand drafts for deposit must analyze rates of return transactions for the demand drafts it submits into the national banking system.”36

D. Lesson #3: Use Qualitative Testing, Such as the BSA/AML Program’s Use of All Readily Available Resources

After conducting due diligence of the third-party payment processor, the customer was categorized as high risk.37 The due diligence revealed that the third-party payment processor specialized in demand drafts for merchants that had been prohibited from accepting other forms of payments,38 including obtaining information of a special “Terminated Merchant File” for merchants that had been banned from processing credit card payments.39 However, the bank did not conduct separate due diligence on this special “Terminated Merchant File” product.40 In contrast to performing additional due diligence and mitigating or eliminating risks, the bank’s account officer for the third-party payment processor reported to the bank’s CEO “that ‘[w]e have hit gold with this relationship, it will expanding. The [payment processor] founder . . . would like to meet you and take you flying in his Russian fighter jet.’”41

Additional red flags appeared early in the banking relationship as many merchants stopped processing payments through the third-party payment processor.42 Of particular importance are the reasons for stopping the business and the bank’s actual knowledge of the reasons. The reasons included claims of fraudulent charges by the third-party payment processor.43 The bank’s due diligence file contained copies of the complaints, including for fraudulent charges.44 Very shortly after the relationship creation and expansion (about six months), nearly all transactions were on behalf of three merchants.45 Each of these three merchants was engaged in a multimillion dollar consumer fraud scheme.46

Merchant #1: YR Benefits. More than half of YR Benefits’ demand drafts were returned.47 About a month into the YR Benefits relationship, the bank “received explicit notice from another bank that it suspected YR benefits was engaged in a fraud scheme targeting the elderly. [The other bank referenced] 100 unauthorized drafts presented to . . . and drawn on the accounts of elderly customers.”48 The warning to the bank was very explicit: “100% of the customers . . . indicated . . . the draft was not authorized . . . the vast majority of the victims . . . are elderly persons, prompting numerous elder abuse investigations…. I also trust that [your bank] will be filing a [suspicious activity report] based on the high level of return items.” The bank then terminated the YR Benefits relationship a week later.49 After terminating the YR Benefits relationship, the bank permitted other merchants with “strikingly similar red flags” to continue to withdraw funds from bank accounts.50

36 Id. P. 10.
37 Id. P. 10.
38 Id. P. 10-11.
39 Id. P. 11.
40 Id. P. 11.
41 Id. P. 11.
42 Id. P. 11.
43 Id. P. 11-12.
44 Id. P. 11-12.
45 Id. P. 12.
46 Id. P. 12.
47 Id. P. 12.
48 Id. P. 14.

Merchant #2: Loan Assistance. Approximately 50 percent of the transactions were returned by consumers’ banks.51 The third-party payment processor did not provide any due diligence on this merchant.52 The bank’s basic due diligence revealed “information indicating that Loan Assistance was committing fraud.”53 This included “483 complaints [in just over] two months.”54 The “Better Business Bureau issued a nationwide alert about Loan Assistance . . . warning consumers about unauthorized charges . . . Loan Assistance . . . had an ‘F’ rating with the Better Business Bureau.”55 “Despite . . . [the] red flags, [the bank] continued processing [transactions] every day [for several months].”56 The bank “never terminated Loan Assistance. Instead, [the third party payment processor took over] Loan Assistance. [The bank] knowingly let the Loan Assistance scheme continue, but under a different name and with a different owner.”57

Merchant #3: The Payment Processor Took Over Merchant #2. The third-party payment processor was now its own sole merchant and processed more than 750,000 demand drafts with an approximate 50 percent return rate.58 The bank then increased the third-party payment processor’s daily deposit and transactions cap.59 “When [the bank] terminated YR Benefits, the Bank cited the high return rates as the primary reason it could not continue . . . however, over the next 12 months, the Loan Assistance scheme . . . generated similar return rates.”60 “Because [the bank] did not terminate [the relationship] despite consistently high return rates . . . instead, the fees generated millions of dollars for the Bank’s bottom line.”61

The bank continued processing the fraudulent transactions even after two separate individuals from the third-party payment processor notified it that the payment processor’s owner had intentionally re-submitted demand drafts, resulting in more than $500,000 of fraudulent attempted charges.62 The bank had notice not only from consumers’ fraud complaints, but from other banks as well.63 Simple research of the bank’s own systems would have revealed the complaints and high return rates.64

49 Id. P. 14. 50 Id. P. 14. 51 Id. P. 16. 52 Id. P. 16. 53 Id. P. 16. 54 Id. P. 16. 55 Id. P. 16. 56 Id. P. 17. 57 Id. P. 17. 58 Id. P. 17. 59 Id. P. 17. 60 Id. P. 19. 61 Id. P. 22. 62 Id. P. 24. 63 Id. P. 24. 64 Id. P. 29.

Eventually the bank did conduct the research and concluded that all transactions appeared to be fraudulent.65 Yet the bank processed the demand drafts for six more weeks.66 The U.S. then claimed the bank became a party to the fraud scheme by participating in the scheme for profit,67 and sought an injunction to permanently stop all future fraudulent conduct.68 The bank agreed to a permanent injunction, which mandated several due diligence procedures.69

Return Thresholds. For example, the bank and the U.S. agreed that for any merchant with more than 50 debit transactions in a calendar month, certain “Return Rate Thresholds” apply.70 Those are as follows:

i. 0.5 percent for Unauthorized returns (NACHA Reason Codes R05, R07, R10, R29, R37, and R51);

ii. 3 percent for Account Data Quality Returns (NACHA Reason Codes R03, R04, or R20);

iii. 15 percent for returns for any reason (excluding RCK entries).”71

For any merchant of a third-party payment processor with returns exceeding these thresholds, several critical steps were required: (1) Stop all debits from consumer accounts by that merchant within three business days; (2) Terminate banking services to that merchant within 45 days, with the exception of withholding funds to cover returned items;72 (3) For any merchant who exceeds these thresholds, the bank should sample at least 25 merchant customers and contact them directly to determine whether the debits were authorized and whether the consumer believes they were the victim of fraud or abusive practices by the merchant;73 and (4) Notify the bank’s board of directors of the name of the merchant, the due diligence results, return history information, and results of the consumer sampling.74
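The return-rate test above can be run as a monthly check per merchant. The following Python code is an added example, not part of the consent decree or the original paper; the record layout, merchant names and sample data are constructed. It assumes each rate is measured against the merchant's debit entries for the month, and that RCK entries are left out of both sides of the "any reason" rate.

```python
from collections import defaultdict
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional

# Reason-code groups and thresholds as listed in the consent decree excerpt.
UNAUTHORIZED = {"R05", "R07", "R10", "R29", "R37", "R51"}
DATA_QUALITY = {"R03", "R04", "R20"}
THRESHOLDS = {
    "unauthorized": Fraction(5, 1000),   # 0.5 percent
    "data_quality": Fraction(3, 100),    # 3 percent
    "overall": Fraction(15, 100),        # 15 percent, RCK entries excluded
}
MIN_MONTHLY_DEBITS = 50  # thresholds apply only above this monthly volume

# Follow-up steps the page lists for a merchant that exceeds a threshold.
REQUIRED_ACTIONS = (
    "stop consumer debits within three business days",
    "terminate banking services within 45 days",
    "sample at least 25 of the merchant's customers",
    "notify the board of directors",
)


@dataclass(frozen=True)
class Debit:
    """One debit entry (hypothetical record layout)."""
    merchant: str
    month: str                         # calendar month, "YYYY-MM"
    sec_code: str                      # entry class, e.g. "PPD" or "RCK"
    return_code: Optional[str] = None  # NACHA reason code if returned


def return_rates(items):
    """Compute the three rates for one merchant-month as exact fractions."""
    total = len(items)
    non_rck = [d for d in items if d.sec_code != "RCK"]
    unauthorized = sum(d.return_code in UNAUTHORIZED for d in items)
    data_quality = sum(d.return_code in DATA_QUALITY for d in items)
    any_reason = sum(d.return_code is not None for d in non_rck)
    return {
        "unauthorized": Fraction(unauthorized, total),
        "data_quality": Fraction(data_quality, total),
        # Assumption: RCK entries dropped from numerator and denominator.
        "overall": Fraction(any_reason, len(non_rck)) if non_rck else Fraction(0),
    }


def monthly_findings(debits):
    """Map (merchant, month) -> names of thresholds exceeded.

    Merchant-months with 50 or fewer debits are not evaluated and are
    absent from the result. "Exceeding" is a strict comparison, so a rate
    exactly at a threshold is not a breach.
    """
    groups = defaultdict(list)
    for d in debits:
        groups[(d.merchant, d.month)].append(d)
    findings = {}
    for key, items in sorted(groups.items()):
        if len(items) <= MIN_MONTHLY_DEBITS:
            continue
        rates = return_rates(items)
        findings[key] = [n for n, limit in THRESHOLDS.items() if rates[n] > limit]
    return findings


def _make(merchant, n, returns, sec_code="PPD", month="2015-01"):
    """Build n constructed debits; the first len(returns) carry return codes."""
    return [
        Debit(merchant, month, sec_code, returns[i] if i < len(returns) else None)
        for i in range(n)
    ]


# Constructed sample data, not taken from the case.
SAMPLE = (
    _make("merchant-a", 200, ["R10"] * 2 + ["R03"] * 4 + ["R01"] * 4)
    + _make("merchant-b", 40, ["R10"] * 20)            # below volume floor
    + _make("merchant-c", 100, ["R01"] * 10)
    + _make("merchant-c", 20, ["R01"] * 20, sec_code="RCK")
    + _make("merchant-d", 200, ["R07"])                # exactly 0.5 percent
    + _make("merchant-e", 100, ["R04"] * 4 + ["R01"] * 16)
)

if __name__ == "__main__":
    for (merchant, month), breached in monthly_findings(SAMPLE).items():
        if breached:
            print(merchant, month, "exceeds:", ", ".join(breached))
            for action in REQUIRED_ACTIONS:
                print("   ->", action)
```

Exact fractions keep the boundary case honest: merchant-d sits at exactly 0.5 percent unauthorized returns and is not flagged, and merchant-c stays under 15 percent only because its returned RCK entries are excluded.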

E. Lesson #4: Review Third Party Payment Processor Due Diligence

Third-Party Payment Processor Due Diligence. The permanent injunction places due diligence requirements on the bank and provides a roadmap for how to conduct due diligence on any third-party payment processor.75 These items include:

i. Certify before the start of banking activity76 and then every six months,77 licensure status as a money transmitter in each state of business and registration with FinCEN, or documentation provided to the bank stating that no registration is required.78

65 Id. P. 29. 66 Id. P. 30. 67 Id. P. 31. 68 Id. P. 31. 69 U.S. v. CommerceWest Bank, Consent Decree for Permanent Injunction and Civil Money Penalty (available at http://www.justice.gov/file/347431/download, last accessed January 30, 2016). 70 Id. P. 4. 71 Id. P. 4. 72 Id. P. 8. 73 Id. P. 7. 74 Id. P. 8. 75 Id. P. 5-8. 76 Id. P. 5. 77 Id. P. 8.

ii. The bank should conduct due diligence on the third-party payment processor’s merchants and not delegate that responsibility to the third-party payment processor.79

iii. The bank should monitor the merchants as if they were direct customers of the bank itself.80

iv. Conduct reasonable, good faith due diligence, to the best of the bank’s ability and knowledge, regarding a merchant’s business practices for fraudulent, unfair, deceptive, or abusive business practices against consumers, both in the federal sphere and in each state where the business or consumers are located.81

v. Conduct reasonable, good faith due diligence, to the best of the bank’s ability and knowledge, of the merchant’s licensing requirements, registration requirements, and legal standards in both the federal sphere and in each state where the business or consumers are located.82

vi. All of the due diligence should be documented and maintained for inspection.83

IV. Criminal Cases

A. Preview

Each of the criminal cases researched for this paper resulted in a Deferred Prosecution Agreement. A Deferred Prosecution Agreement typically gives a criminal defendant an opportunity to comply with certain conditions which will result in the dismissal of the criminal charges. In each of the cases reviewed, the U.S. obtained an agreement to increase the quality of the BSA/AML program’s effectiveness in very specific and measurable ways. This research will review some of the failures and how the U.S. may determine if a BSA/AML program is “effective” going forward.

B. Lesson #5: For Higher Risk Customers or Products, Validate Staffing Analysis

United States v. CommerceWest (2015) (criminal). Parallel with the CommerceWest civil suit, the U.S. pursued a criminal case by filing a criminal information against CommerceWest Bank.84 The criminal case states the bank willfully failed to report suspicious transactions.85 The criminal case uses a regulatory guidance letter as a basis for establishing the bank’s knowledge of red flags of merchant fraud.86 The criminal allegations also cite the bank’s need to hire temporary workers to process the large volume of returned transactions, coupled with repeated warnings, letters and phone calls warning of fraud.87 Even after the bank “attempted, but was unable, to obtain evidence that the processor processed legitimate transactions,” no SAR was filed.88

78 Id. P. 5-6. 79 Id. P. 6. 80 Id. P. 6. 81 Id. P. 6. 82 Id. P. 6-7. 83 Id. P. 7. 84 United States v. CommerceWest Bank, 8:15-cr-00025-CJC (C.D. CA.) (unpublished) (available at: http://www.justice.gov/opa/pr/commercewest-bank-admits-bank-secrecy-act-violation-and-reaches-49-million-settlement-justice, last accessed January 30, 2016).

C. Lesson #6: For Negative News, Validate the Due Diligence Before the Date of the Negative News

United States v. Commerzbank AG, 2015. In 2015, the U.S. filed a criminal information against Commerzbank AG alleging a violation by failure to maintain an adequate BSA program.89 This revolved around a multibillion dollar securities fraud scheme operated through the bank.90

D. Lesson #7: Validate the “Tone at the Top” Regarding BSA/AML

Red Flags. An international affiliate of Commerzbank declined to provide false documents to a bank customer, but then provided options on how to refuse to disclose information critical to an audit.91 Later, senior and executive-level individuals at the bank discussed suspicions, fraud, asset stripping, market manipulation, tax offenses, lack of reasonable explanation, and bank executives turning a “blind eye” or intentionally remaining ignorant of concerning information.92

Wires. When two wires of $455 million and $67 million were processed by the bank, the bank’s AML system alerted and triggered due diligence requests to the bank’s international affiliate.93 The international affiliate responded and did not convey any of the concerns about the structures and transactions.94 Ultimately, the bank did not file a SAR until more than two years after the fraud was revealed.95

E. Lesson #8: Validate the “Request for Information” Escalation Process

BSA/AML Program Deficiencies. The bank’s BSA/AML program had difficulty obtaining responses to requests for information; many of these investigations were closed without obtaining information and based on limited publicly available information.96 This led to the conclusion that the bank’s BSA/AML program was inadequate with regard to know-your-customer information from its own foreign branches and affiliates.97 The exact language of the criminal offense charged is as follows:

85 Id., Criminal Information P. 5. 86 Id. P. 3. 87 Id. P. 4. 88 P. 4. 89 United States v. CommerzBank AG, _____ (D. Columbia) (unpublished) (available at http://www.justice.gov/opa/pr/commerzbank-ag-admits-sanctions-and-bank-secrecy-violations-agrees-forfeit-563-million-and, last accessed January 30, 2016). 90 Id., Criminal Information P. 11. 91 Id. P. 12. 92 Id. P. 12-13. 93 Id. P. 13-14. 94 Id. P. 14. 95 Id. P. 14. 96 Id. P. 14-15.

i. Willfully “failed to adequately conduct investigations of transactions that were deemed potentially suspicious or that ‘alerted’ in [the bank’s] automated AML software, instead of closing investigations of potentially suspicious transactions based on no or insufficient information received in response to requests for information;”98

ii. Willfully “failed to support suspicious activity including wire transfers through [the bank] that ultimately furthered the [securities fraud scheme of a bank customer];”99

iii. Willfully “failed to adequately monitor billions of dollars in correspondent banking transactions, including by failing to conduct any due diligence on [the bank’s] branches and inadequate due diligence on [the bank’s] affiliates.”100

F. Lesson #9: Validate the Correspondent Banking Due Diligence

Correspondent Banking. “Correspondent accounts are generally considered to be higher risk than other banking accounts, because the bank does not have a direct relationship with, and therefore has no [due] diligence information on the correspondent financial institution’s customers who initiated the wire transfers. To mitigate this risk…U.S. law requires financial institution to conduct due diligence on all non-U.S. entities…for which it maintains correspondent accounts. There is no exception for foreign financial institutions within the same parent company,…branches and affiliates of the same bank.”101 This due diligence includes:

i. Transaction monitoring;102

ii. Identity of the ultimate sender of funds;103

iii. Identity of the ultimate recipient of funds;104 and

iv. Risk assessment of the foreign correspondent account, including market served, type, purpose and the activity of the account, the nature and duration of relationship, AML and supervision regime of the banking jurisdiction of the accountholder, and information readily available about the account holder’s AML record. There is no exception for foreign branches or affiliates.105

G. Lesson #10: Validate the BSA/AML Function’s Independence and Authority

97 Id. P. 15-16. 98 Id. P. 16. 99 Id. P. 16. 100 Id. P. 16. 101 Id., Deferred Prosecution Agreement P. 59, BSA/AML Statement of Facts P. 2. 102 Id. P. 61. 103 Id. P. 61. 104 Id. P. 61. 105 Id. P. 61-62.

BSA/AML Independence. The bank’s foreign business unit “did not permit the U.S. AML compliance program to act independent from [the bank’s business line], by, for example, insisting on the restoration of correspondent accounts that had been blocked for AML reasons by U.S. AML compliance personnel.”106

United States v. HSBC Bank USA, 2012. In 2012, the U.S. filed criminal charges against HSBC Bank USA for Bank Secrecy Act violations.107 The criminal acts alleged were:

i. Ineffective due diligence or “know your customer” information on bank affiliates;108

H. Lesson #11: Validate the Wire Risk Assessment and Wire Monitoring Process

i. Failure to monitor international wire transfers from countries not labeled as higher risk;109

ii. Failure to monitor bulk cash purchases;110

iii. Failure to provide adequate AML staffing and resources;111 and

iv. Failure to conduct due diligence on foreign correspondent accounts.112

I. Lesson #12: Validate Remediation and Gap Assessment Processes

Remediation. The Deferred Prosecution Agreement extensively lays out the bank’s remediation efforts:

i. Acceptance of Responsibility;113

ii. A “new leadership team, including [CEO], General Counsel, Chief Compliance Officer, AML Directors, Deputy Chief Compliance Officer, and Deputy Director of its Global Sanctions Program”;114

iii. The bank “‘clawed back’ deferred compensation (bonuses) for a number of their most senior AML and compliance officers, to include the Chief Compliance Officer, AML Directors, and [CEO]”;115

iv. The bank “spent…approximately nine times more” on its AML program;116

106 Id. P. 64. 107 United States v. HSBC Bank USA, Cr. No. 12-763 (E.D.N.Y.) (available at http://www.justice.gov/sites/default/files/usao-edny/legacy/2015/04/06/HSBC%20Memorandum%20and%20Order%207.1.13.pdf, last accessed January 30, 2016). 108 Id. P. 12. 109 Id. P. 12. 110 Id. P. 12. 111 Id. P. 12. 112 Id. P. 13. 113 Deferred Prosecution Agreement P. 4. 114 Id. P. 5. 115 Id. P. 5. 116 Id. P. 5.

v. The bank “increased its AML staffing from 92 full time employees and 25 consultants…to approximately 880 full time employees and 267 consultants;”117

vi. The bank “reorganized its AML department to strengthen its reporting lines and elevate its status within the institution…providing…the AML Director report directly to the Board and senior management about [the bank’s] Bank Secrecy Act (‘BSA’) and anti-money laundering (AML) program;”118

vii. The bank “revamped its KYC program and now treats…[a]ffiliates as third parties that are subject to the same due diligence as all other customers”;119

viii. The bank “implemented a new customer risk-rating methodology based on a multifaceted approach that weighs the following factors: 1) the country where the customer is located, 2) the products and services utilized by the customer, 3) the customer’s legal entity structure, and 4) the customer and business type;”120

ix. The bank “exited 109 correspondent relationships for risk reasons;”121

x. The bank “has a new automated monitoring system. The new system monitors every wire transaction that moves through [the bank]. The system also tracks the originator, sender and beneficiary of a wire transfer, allowing [the bank] to look at its customer’s customer;”122

xi. The bank “made significant progress in remediating all customer KYC files in order to ensure they adhere to the new AML policies;”123

xii. The bank “exited the Banknotes business;”124

xiii. The bank “spent over $290 million on remedial measures”;125

xiv. The bank is implementing a “single global standard shaped by the highest or most effective anti-money laundering standards available in any location where [the bank] operates. This new policy will require that all [bank] Affiliates will, at a minimum, adhere to U.S. anti-money laundering standards;”126

xv. The bank “elevated” the compliance position to “one of the…most senior employees at [the bank] globally;”127

117 Id. P. 5. 118 Id. P. 6. 119 Id. P. 6. 120 Id. P. 6. 121 Id. P. 6. 122 Id. P. 6. 123 Id. P. 6. 124 Id. P. 6. 125 Id. P. 6. 126 Id. P. 7. 127 Id. P. 7.

xvi. The compliance position “has been given direct oversight over every compliance officer globally, so that both accountability and escalation now flow directly to and from…Compliance”;128

xvii. “Material or systemic AML control weaknesses at any affiliate…are reported with all other [line of business] heads facilitating horizontal information sharing;”129

xviii. The bank “restructured its senior executive bonus system so that the extent to which the senior executive meets compliance standards and values has a significant impact on the amount of the senior executive’s bonus, and failure to meet those compliance standards and values could result in voiding of the senior executive’s entire year-end bonus;”130

xix. The bank “commenced a review of all customer KYC files across the entire [bank]. The first phase of this remediation will cost an estimated $700 million to complete over five years”;131

xx. The bank “will defer a portion of the bonus compensation for its most senior officers…during the deferred prosecution agreement;”132

xxi. The bank “adopted a set of guidelines to be taken into account when considering whether [the bank] should do business in countries posing a particularly high corruption/rule of law risk as well as limiting business in those countries that pose a high financial crime risk;”133

xxii. The bank’s “new global sanctions policy…will be utilizing key Office of Foreign Assets Control (OFAC) and other sanctions lists to conduct screening in all jurisdictions, in all currencies.”134

J. Lesson #13: Validate the BSA/AML Program Components

Compliance Monitor.135 The Deferred Prosecution Agreement specifically requires an “independent compliance monitor.”136 The program “shall have, at a minimum, the following qualifications:

i. Demonstrated expertise with respect to the BSA and other applicable U.S. and U.K. anti-money laundering laws;

ii. Experience designing and/or reviewing corporate compliance policies, procedures and internal controls, including BSA and anti-money laundering policies, procedures and internal controls;

128 Id. P. 7. 129 Id. P. 7-8. 130 Id. P. 8. 131 Id. P. 8. 132 Id. P. 8. 133 Id. P. 8-9. 134 Id. P. 9. 135 Simply replacing “the Monitor” with the “AML Program” is a way to determine what the United States Department of Justice expects from an “effective” AML program. 136 Id. P. 15.

iii. The ability to access and deploy resources as necessary to discharge the program’s duties as described in the Agreement;

iv. Sufficient independence from [the bank] to ensure effective and impartial performance of the program’s duties.”137

v. The Department of Justice may reject any proposed monitor and may propose its own.138

As part of the corporate anti-money laundering program, the bank shall:

vi. Cooperate fully with the program;

vii. Facilitate the program’s access to the bank’s documents and resources;

viii. Provide the program with access to all information, documents, records, facilities and/or employees, as reasonably requested by the program, that fall within the scope of the Mandate of the program;

ix. Not form an attorney client privilege with the program;

x. Adopt, within 90 calendar days after receiving the program’s report, the program’s recommendations, except for items the bank objects to in writing as unduly burdensome, inconsistent with law or regulation, impractical, costly, or otherwise inadvisable;

xi. Report to the bank’s chief legal officer any questionable, improper, or illegal practices with respect to anti-money laundering discovered;

xii. Meet at least annually with the Department of Justice for comments or anti-money laundering improvements the bank may wish to discuss or propose.139

In addition, the program:

xiii. Shall have the authority to take such reasonable steps as may be necessary to be fully informed about the bank’s compliance program;

xiv. Shall conduct an initial review, followed by at least four follow-up reviews;

xv. Shall prepare a written work plan 60 days prior to each review;

xvi. Shall coordinate with bank personnel;

xvii. Shall, to the extent the monitor deems appropriate, rely on the results of studies, reviews, audits and analyses conducted by the bank;

xviii. Shall not be expected to conduct a comprehensive review of all business lines, activities, or markets;

xix. Shall make an assessment of the AML program;

137 Id. P. 15-16. 138 Id. P. 16. 139 Id. B-1 to B-11.

xx. Shall make recommendations reasonably designed to improve the AML program effectiveness;

xxi. Shall consult with the bank on an ongoing basis concerning his/her findings and recommendations;

xxii. Shall consider the bank’s comments and input to the extent the Monitor deems appropriate;

xxiii. May focus on those areas with respect to which the Monitor wishes to make recommendations for improvement or which the Monitor determines particular attention is needed; and

xxiv. Shall provide the report to the Board of Directors and the Department of Justice.140

K. Lesson #11: Validate the BSA/AML Staffing and Resources

Staffing. “In the face of known AML deficiencies and high risk lines of business, [the bank] further reduced the resources available to its AML program in order to cut costs and increase its profits.”141 “[A] year after the written agreement had been lifted, [the bank] had fewer AML employees than required by its own internal plans. Moreover…senior business executives instructed the AML department to ‘freeze’ staffing levels as part of a bank-wide initiative to cut costs and increase the bank’s return on equity. This goal was accomplished by not replacing departing employees, combining the functions of multiple positions into one, and not creating new positions.”142 “Even senior compliance officers were not replaced after they left [the bank].”143 Bank senior level employees “confirmed . . . the desire to save costs was the primary justification for merging the two roles.”144 The bank’s “Chief Operating Officer for Compliance conducted an internal review of the Bank’s AML program---[and] found …the AML program…was ‘behind the times’ and needed to be fundamentally changed to meet regulators’ expectations and to achieve parity with other banks.”145 “Specifically, the…AML review noted that AML monitoring…was significantly under-resourced. At the time, only four employees reviewed the 13,000 to 15,000 suspicious wire alerts generated per month. In contrast, following remedial measures undertaken by [the bank], [the bank] currently has approximately 430 employees reviewing suspicious wire alerts.”146 “Despite the findings of the… AML Review, [the bank] failed to address the lack of AML resources.”147

L. Lesson #14: Validate Account Procedures Post SAR Filing

140 Id. P. B-1 to B-11. 141 Id. P. 10. 142 Id. P. 10. 143 Id. P. 10. 144 Id. P. 10. 145 Id. P. 10. 146 Id. P. 10-11. 147 Id. P. 11.

Failure to Terminate Suspicious Accounts. “When suspicious activity was identified, [the Mexico affiliate] repeatedly failed to take action to close the accounts.”148 “Senior business executives at [the bank’s Mexico affiliate] repeatedly overruled recommendations from its own AML committee to close accounts with documented suspicious activity.”149 A “senior compliance officer told [the bank’s Mexico affiliate’s] Chief Compliance Officer that ‘the AML committee just can’t keep rubber-stamping unacceptable risks merely because someone on the business side writes a nice letter.’”150 “Even when [the Mexico affiliate] determined a relationship should be terminated, it often took years for the account to actually be closed.”151

Red Flags. The bank’s Mexico affiliate met with the Central Bank of Mexico and was informed by the Central Bank that Mexico and U.S. law enforcement were seriously concerned that U.S. dollars being deposited at the Mexico affiliate might represent drug trafficking proceeds.152 The Mexico affiliate “CEO was also told that Mexican law enforcement possessed a recording of a Mexican drug lord saying that [the bank’s Mexico affiliate] was the place to launder money.”153 An internal investigation following this meeting revealed that a very small number of customers accounted for a large percentage of the physical U.S. dollar deposits.154

M. Lesson #15: Validate Horizontal Information Sharing or “Internal Referral” System

Ineffective Information Sharing. The bank “failed to have a formal mechanism for sharing information horizontally among . . . Affiliates.”155 The bank’s Mexico affiliate’s AML problems were not discussed in detail at the meetings attended by the Bank’s U.S. CEO “and did not indicate . . . the problems [that] affected [the U.S. bank’s AML program] or involved the potential laundering of U.S. dollar drug trafficking proceeds.”156 The bank’s global holding company “failed to adequately inform the [U.S. bank] about the problems at [the bank’s Mexico affiliate].”157 “Senior [global holding company] executives, including the CEO, Head of Compliance, Head of Audit, and Head of Legal, were all aware . . . the problems at [the Mexico affiliate] involved U.S. dollars and U.S. dollar accounts, but did not contact their counterparts at [the U.S. bank] to explain the significance of the problems or the potential effect on [the U.S. bank’s] business.”158 The U.S. bank’s AML program director did not learn of the Mexico affiliate problems until years later.159

“The investigation [of the money laundering at the Mexico affiliate] further revealed that drug traffickers were depositing hundreds of thousands of dollars in bulk U.S. currency each day into HSBC Mexico accounts. In order to efficiently move this volume of cash through the teller windows at HSBC Mexico branches, drug traffickers designed specially shaped boxes that fit the precise dimensions of the teller windows. The drug traffickers would send numerous boxes filled with cash through the teller windows for deposit into HSBC Mexico accounts.”160

148 Id. P. 13. 149 Id. P. 13. 150 Id. P. 13. 151 Id. P. 13. 152 Id. P. 13. 153 Id. P. 13. 154 Id. P. 14. 155 Id. P. 14. 156 Id. P. 15. 157 Id. P. 15. 158 Id. P. 15. 159 Id. P. 15.

“The investigation [of the money laundering at the Mexico affiliate] further revealed that, because of its lax AML controls, [the Mexico affiliate] was the preferred financial institution for drug cartels and money launderers. The drug trafficking proceeds (in physical U.S. dollars) deposited at [the Mexico affiliate] [passed] through [the] Banknotes [line of business]. In addition, many of the . . . wire transfers to exporters in the United States passed through [the Mexico affiliate’s] correspondent account with [the U.S. bank]. As discussed above, [for years the U.S. bank] did not monitor [the] Banknotes transactions or wire transfers from [the Mexico affiliate] and did not detect the drug trafficking proceeds as they flowed into the United States.”161

United States v. JPMorgan Chase, 2014. In 2014, the U.S. filed criminal charges against JPMorgan Chase Bank for failure to maintain an adequate anti-money laundering program and failing to file a SAR.162 The bank failed to have effective information sharing for anti-money laundering personnel.163 This case predominantly revolves around the Madoff Ponzi scheme; the relevant items are as follows:

i. The bank failed “to ensure that information about the Bank’s clients obtained outside the United States was shared with United States compliance and anti-money laundering personnel.”164

ii. The bank “failed to file a Suspicious Activity Report in the United States with respect to transactions in bank accounts maintained by Madoff Securities.”165

iii. The bank maintained the primary Madoff Ponzi scheme accounts from 1986 to 2008 without filing a SAR.166

N. Lesson #15, Part 2: Validate the Horizontal Information Sharing or “Internal Referral” System

i. The bank knew of several serious red flags well before the Ponzi scheme allegations became public. For example, an analyst from the bank’s Equity Exotics Desk wrote an email/memo on October 16, 2008 about: the “inability to validate Madoff’s trading activity or even custody of assets;” “questioned Madoff’s ‘odd choice’ of a small, unknown accounting firm;” the bank “‘seemed to be relying on Madoff’s integrity’ with little to verify that such reliance was well-placed;” “‘there are various elements in the story that could make us nervous,’ including the ‘feeder’ funds manager’s ‘apparent fear of Madoff.’”167

160 Id. P. 17. 161 Id. P. 17. 162 United States v. JPMorgan Chase Bank, 1:14-cr-00007-PKC-1 (S.D.N.Y. 2014) (unpublished) Information P. 7 (Deferred Prosecution Agreement available at: http://www.justice.gov/usao-sdny/pr/supporting-documents-deferred-prosecution-agreement-us-v-jpmorgan-chase-bank-na, last accessed January 30, 2016). 163 Id. P. 16, Information P. 4. 164 Information P. 6. 165 Information P. 7. 166 Information P. 3-5.

ii. “[A]t various times between the late 1990s and 2008, employees of various divisions of [the bank] raised questions about Madoff . . . , including questions about the validity of Madoff’s . . . investment returns. At no time during the period did [the bank’s] personnel communicate their concerns about Madoff . . . to [anti-money laundering compliance] personnel in the United States responsible for [the bank’s] banking relationship with Madoff . . . . Nor did [the bank] file any [suspicious activity report] in the United States relating to Madoff . . . until after Madoff’s arrest.”168

iii. The bank “served as Madoff’s primary banker for more than 20 years, and continued to do business with Madoff even as individuals within various segments of the Bank developed serious and well-articulated suspicions that Madoff was perpetrating a fraud.”169

iv. The bank filed a SAR in the United Kingdom, but failed to do so in the United States.170

v. As a result of the suspicions, the bank withdrew more than $300 million of its own funds from Madoff-related funds.171

vi. In the 1990s, two different bank lines of business attempted to perform due diligence into Madoff’s investments because of red flags and improbably, highly consistent returns. Neither line of business was able to get its questions answered, yet none of the bank’s AML personnel were informed.172

O. Lesson #16: Compare the Actual versus Expected Use of the Account

i. From 1986 to 2008, the Madoff related accounts received deposits and transfers of approximately $150 billion, yet the funds were not used for the purchase and sale of stocks, corporate bonds, or options, as Madoff had promised his customers he would invest their money.173 Nor were the funds deposited into the [deposit and related] account transferred to other broker-dealers for the purchase and sale of securities.174

ii. The account manager originally assigned to the Madoff account did not understand the nature of the account (tens of millions versus billions, small operations expense account versus primary broker-dealer account).175

167 Information P. 4. 168 Deferred Prosecution Agreement P. 24, Statement of Facts P. 3. 169 Document 4, P. 1. 170 Id. P. 4. 171 Information P. 4-5. 172 Deferred Prosecution Agreement P. 29, Statement of Facts P. 8. 173 Deferred Prosecution Agreement P. 23-24, Statement of Facts P. 2-3. 174 Deferred Prosecution Agreement P. 23-24, Statement of Facts P. 2-3.

P. Lesson #17: Review the Quality and Quantity of Readily Available Information to the Financial Investigations Unit

i. “The Madoff . . . banking relationship with [the bank] was handled by [the bank’s] Investment Bank’s Broker-Dealer Banking Group.” [However,] “[f]ollowing a restructuring, …client financial statements, regulatory filings, credit reviews, and other documents that had been reviewed by the relationship manager were no longer regularly reviewed.”176

ii. The bank’s “AML investigations team . . . did not have immediate access to computerized information providing the identity of the relationship manager in the event . . . the AML officer deemed it appropriate to contact the relationship manager.”177

iii. The bank’s “efforts to electronically store KYC materials were behind schedule and . . . on some occasions AML investigations teams . . . were unable to access the computerized KYC material.”178

iv. “On two occasions . . . [the computerized AML] system generated ‘alerts’ . . . [for activity amounting to] 27 times the average daily [activity] over the prior 90 days of activity. . . . In both cases, the AML investigators, closed the alerts with a notation . . . the transactions did not appear to be unusual, . . . but in both cases, the investigators attempted to review the KYC file for Madoff . . . [received] error messages [when trying to review the KYC documents] that no file was available, and did not conduct further investigation.”179

Q. Lesson #18: Validate Check Kiting and Other Fraud Detection Processes

i. “Beginning in the mid-1990s, . . . [bank employees] identified a series of transactions . . . which consisted of ‘round trip’ [check] transactions . . . [and] because of the delay between when the transactions were credited and when they were cleared (referred to as the ‘float’), . . . these transactions [made] Madoff’s balances at [the bank] appear larger than they [were].”180 About 1994, a bank employee drafted a memo in which the employee informed Madoff, the bank, and the third party in the transaction of the “float.”181 Then about 1996, another bank investigated the round-trip “float” transactions.182 That other bank’s 1996 investigation “concluded that there was not legitimate business purpose for these transactions, which appeared to be a ‘check kiting’ scheme, and terminated its banking relationship with Madoff.”183 Further, the bank was notified of the other bank’s closure of the Madoff relationship.184 Unknown to the bank, the other bank filed a suspicious activity report for transactions with no apparent business purpose.185 Following this series of events, the bank neither filed a suspicious activity report nor exited the Madoff relationship.186

175 Deferred Prosecution Agreement P. 25, Statement of Facts P. 4. 176 Deferred Prosecution Agreement P. 24, Statement of Facts P. 3. 177 Deferred Prosecution Agreement P. 25, Statement of Facts P. 4. 178 Deferred Prosecution Agreement P. 25, Statement of Facts P. 4. 179 Deferred Prosecution Agreement P. 25, Statement of Facts P. 5. 180 Deferred Prosecution Agreement P. 25-26, Statement of Facts P. 5-6. 181 Deferred Prosecution Agreement P. 26, Statement of Facts P. 6. 182 Deferred Prosecution Agreement P. 26, Statement of Facts P. 6.

ii. After Madoff’s 2008 arrest, the bank’s AML personnel reviewed the round-trip “float” transactions and filed a SAR.187

R. Lesson #19: Validate the MSB Due Diligence & Processes

United States v. Miller, 2013. In 2013, the U.S. filed a criminal information against H. Jack Miller for failure to develop, implement and maintain an effective AML program at the bank, alleging that, as the chief executive officer of the bank, he failed to report suspicious transactions related to an unlicensed money transmitting business.188

S. Lesson #20: Identify the Higher Risk Customers in Higher Risk Geographies with Higher Risk Products and Validate those BSA/AML Processes

United States v. Wachovia Bank, 2010. In 2010, the U.S. filed criminal charges against Wachovia Bank for willful failure to maintain an anti-money laundering program.189 The prosecution revolved around Mexican Casa de Cambio correspondent accounts and their use of bulk cash transfers, pouch deposits and remote deposit capture. In 2005, federal investigations discovered wire transfers from the U.S. to Mexico to purchase planes used to fly illegal narcotics into the U.S.190 These wires were from Mexican Casa de Cambios (similar to a money service business) transferring through correspondent bank accounts at the bank.191 These wires totaled nearly $13 million U.S. dollars and involved over 20,000 kilograms of seized cocaine.192

During the relevant time period, correspondent banking for Mexican Casa de Cambios was a high-risk banking business.193 U.S. agencies and other organizations were publicizing the increased money laundering risks presented by Mexican Casa de Cambios,194 including a FinCEN warning regarding Mexican Casa de Cambios.195 The bank was aware other large U.S. banks were exiting the Mexican Casa de Cambio business based on anti-money laundering concerns.196 Undeterred, the bank continued to offer the high-risk correspondent banking to Mexican Casa de Cambios.

183 Deferred Prosecution Agreement P. 26, Statement of Facts P. 6. 184 Deferred Prosecution Agreement P. 26, Statement of Facts P. 6. 185 Deferred Prosecution Agreement P. 26, Statement of Facts P. 6. 186 Deferred Prosecution Agreement P. 26, Statement of Facts P. 6. 187 Deferred Prosecution Agreement P. 26, Statement of Facts P. 6. 188 United States v. H. Jack Miller, 2:13-cr-00445-TJS-1 (E.D. Penn 2014) (unpublished), Indictment P. 2-4. (available at: http://www.justice.gov/usao-edpa/pr/bank-president-charged-failure-comply-requirements-bank-secrecy-act, last accessed January 31, 2016). 189 United States v. Wachovia Bank, NA, Criminal Action No. 1:10-cr-20165 (S.D. Fla. 2010) (unreported) (available at: http://www.justice.gov/archive/usao/fls/PressReleases/2010/100317-02.html, last accessed January 31, 2016), Information p. 4. 190 Deferred Prosecution Agreement P. 2. 191 Deferred Prosecution Agreement P. 2. 192 Deferred Prosecution Agreement P. 3. 193 Deferred Prosecution Agreement P. 3. 194 Deferred Prosecution Agreement P. 4. 195 Id.

The bank offered three primary banking services to the Mexican Casa de Cambios that allowed for severing of personal identification from the transactions: 1) bulk cash transfers to the bank via armored car, 2) pouch deposits where checks would be aggregated and forwarded to the bank for deposit, and 3) remote deposit capture where checks were remotely deposited.197 Thus, the transactions were high risk and essentially anonymous. During the relevant time period of about three years, the bank conducted over $373 billion of wire transfers on behalf of Mexican Casa de Cambios and processed approximately $47 billion of remote deposits for correspondent bank accounts.198

T. Lesson #21: Validate the Red Flag Detection Procedures and Actual Results

During the investigation of the bank, federal law enforcement found readily identifiable evidence and red flags of large-scale drug money laundering.199 Some examples provided include:

i. “Structured Wire Transactions: . . . multiple round-number wires to be made on the same day or in close succession by the same wire senders, for the benefit of the same account.”200

ii. “Sequentially Numbered Traveler’s Checks that Contained Unusual Markings.”201

iii. “Significant Bulk Cash Transactions in Great Excess of a Customer’s Self-Identified Expectations.”202 “Many of the [Mexican Casa de Cambios] exceeded their expected monthly activity by at least 50 percent.”203
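The three red flags quoted above map onto monitoring rules that an auditor can re-run against transaction data to validate what the production system reports. The following Python is an added example, not code from the paper or from any bank's system: the record layouts, the wire thresholds (three wires, $1,000 rounding, one-day gap) and all sample data are constructed assumptions, while the 50 percent overage figure and the $10,500 traveler's check limit are the values the paper cites.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Wire:
    day: date
    sender: str
    beneficiary: str
    amount: Decimal


@dataclass(frozen=True)
class TravelersCheck:
    serial: int
    amount: Decimal


def structured_wire_clusters(wires, round_unit=Decimal("1000"), min_count=3, max_gap_days=1):
    """Round-number wires from one sender to one beneficiary account, sent on the
    same day or in close succession (gap between wires <= max_gap_days)."""
    by_pair = defaultdict(list)
    for w in wires:
        if w.amount % round_unit == 0:          # keep only round-number wires
            by_pair[(w.sender, w.beneficiary)].append(w)
    hits = []
    for (sender, beneficiary), group in sorted(by_pair.items()):
        group.sort(key=lambda w: w.day)
        cluster = [group[0]]
        for w in group[1:] + [None]:            # None is a sentinel that flushes the last cluster
            if w is not None and (w.day - cluster[-1].day).days <= max_gap_days:
                cluster.append(w)
                continue
            if len(cluster) >= min_count:
                hits.append((sender, beneficiary, len(cluster), sum(c.amount for c in cluster)))
            cluster = [w]
    return hits


def sequential_check_runs(checks, policy_limit=Decimal("10500")):
    """Runs of consecutively numbered checks whose combined value exceeds policy_limit."""
    ordered = sorted(checks, key=lambda c: c.serial)
    hits, run = [], ordered[:1]
    for c in ordered[1:] + [None]:
        if c is not None and c.serial == run[-1].serial + 1:
            run.append(c)
            continue
        total = sum(x.amount for x in run)
        if len(run) > 1 and total > policy_limit:
            hits.append((run[0].serial, run[-1].serial, total))
        run = [c]
    return hits


def activity_overages(expected, actual, threshold=Decimal("0.50")):
    """Customers whose actual monthly activity exceeds their self-identified
    expectation by at least `threshold`. A customer with no recorded expectation
    maps to None: the comparison cannot be made, which is itself a finding."""
    hits = {}
    for customer, amount in actual.items():
        baseline = expected.get(customer)
        if not baseline:
            hits[customer] = None
            continue
        overage = (amount - baseline) / baseline
        if overage >= threshold:
            hits[customer] = overage
    return hits


# Constructed sample data (not taken from any case record).
WIRES = [
    Wire(date(2024, 3, 4), "SENDER-A", "ACCT-100", Decimal("20000")),
    Wire(date(2024, 3, 4), "SENDER-A", "ACCT-100", Decimal("30000")),
    Wire(date(2024, 3, 5), "SENDER-A", "ACCT-100", Decimal("25000")),
    Wire(date(2024, 3, 20), "SENDER-A", "ACCT-100", Decimal("10000")),   # isolated, not in the cluster
    Wire(date(2024, 3, 4), "SENDER-B", "ACCT-100", Decimal("9850.75")),  # not a round number
    Wire(date(2024, 3, 4), "SENDER-B", "ACCT-100", Decimal("40000")),
    Wire(date(2024, 3, 1), "SENDER-C", "ACCT-200", Decimal("5000")),     # round, but spread out
    Wire(date(2024, 3, 10), "SENDER-C", "ACCT-200", Decimal("5000")),
    Wire(date(2024, 3, 20), "SENDER-C", "ACCT-200", Decimal("5000")),
]
CHECKS = (
    [TravelersCheck(500101 + i, Decimal("1000")) for i in range(12)]     # 12 sequential, $12,000
    + [TravelersCheck(734001, Decimal("500")), TravelersCheck(734002, Decimal("500"))]
    + [TravelersCheck(910555, Decimal("20000"))]                         # large but not sequential
)
EXPECTED = {"CDC-1": Decimal("1000000"), "CDC-2": Decimal("2000000")}
ACTUAL = {"CDC-1": Decimal("1500000"), "CDC-2": Decimal("2400000"), "CDC-3": Decimal("750000")}

if __name__ == "__main__":
    print(structured_wire_clusters(WIRES))
    print(sequential_check_runs(CHECKS))
    print(activity_overages(EXPECTED, ACTUAL))
```

Comparing the output of independent rules like these with the alerts the production system actually raised for the same period is one way to test both the procedures and their actual results.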

U. Lesson #20, Part 2: Determine the Higher Risk Customers in Higher Risk Geographies with Higher Risk Products and Validate those BSA/AML Processes

The bank “failed to appreciate and address the risks associated with its Mexican [Casa de Cambio] customer base and failed to recognize that its BSA/AML program was inadequate for the task of monitoring suspicious transactions from the [Mexican Casa de Cambios].”204 The investigation identified “seven significant failures in [the bank’s] AML and compliance programs:”205

196 Id. 197 Id. P. 5. 198 Id. P. 5. 199 Id. P. 5. 200 Id. P. 5. 201 Id. P. 6. 202 Id. P. 6. 203 Id. P. 6.

i. “Lack of policies, procedures, or monitoring controls governing the repatriation of nearly $14 billion of United States dollars in bulk cash for high-risk [Mexican Casa de Cambios] and other foreign correspondent bulk cash customers;”206

ii. “Failure to conduct monitoring of over $40 billion in monetary instruments flowing through international foreign correspondent accounts in the form of RDC for a two year period;”207

iii. “Failure to conduct adequate levels of due diligence of high-risk [Mexican Casa de Cambio] customers;”208

iv. “Failure to adequately monitor [Mexican Casa de Cambios] and other high-risk foreign correspondent banking accounts in order to fulfill suspicious activity reporting obligations.”209

v. “Failure to implement monitoring controls or limits for sequentially numbered traveler’s checks for high-risk [Mexican Casa de Cambio] customers in contravention of [the bank’s] policy.”210

vi. “Failure to detect and report suspicious activity in a timely manner on the $373 billion in wire transfers that were processed by [the bank] for [Mexican Casa de Cambios];”211 and

vii. “Failure to implement effective BSA/AML audit coverage.”212

V. Lesson #23: Effective BSA/AML Program Essentials

“Federal banking regulators have advised banks . . . that an effective AML program should be risk-based and incorporate the following principles into their business practices:

i. Determine the true identity of all customers requesting services;

ii. Determine the particular customer’s source(s) of funds for transactions;

iii. Determine the particular customer’s normal and expected transactions;

iv. Monitor customer transactions to determine if they are consistent with the normal and expected transactions for that customer or for similar categories or classes of customers;

204 Id. P. 7. 205 Id. P. 7. 206 Id. P. 7. 207 Id. P. 7. 208 Id. P. 7. 209 Id. P. 7. 210 Id. P. 7. 211 Id. P. 7. 212 Id. P. 7.


v. Identify customer transactions that do not appear to be consistent with normal and expected transactions for that particular customer or for customers in similar categories or classes; and

vi. Determine if transactions are unusual or suspicious and, if so, report those transactions.”213

The bank collected information on the identities of the Mexican Casa de Cambios, the expected source of funds, and the normal or expected transactions, but the information was not sent to or available to the bank’s AML employees, nor was there any critical analysis of actual account activity against the expected activity.214

W. Lesson #24: Validate the Wire Transaction Monitoring Process

“The bulk of the correspondent and [Mexican Casa de Cambio] activity involved wire activity. This wire activity was principally monitored through the use of a computer system. The computer system would generate monthly alerts. . . . The level of scrutiny imposed on the wire transactions was significantly limited by personnel and budgetary concerns. The actual number of alerts . . . the system was designed to generate per month was pre-set, based in part, on the number of investigators available to review the alerts. . . The net result was . . . the understaffed AML unit . . . could not keep up with the volume of wires. The suspicious activity went effectively unmonitored. The $373 billion in [Mexican Casa de Cambio] wire transfers were monitored in this inadequate manner.”215

X. Lesson #25: Validate the Bulk Cash and Other Cash Related Monitoring Process

The bank “had no written formal AML policy or procedure for the monitoring of bulk cash to ensure that suspicious activity was reported. AML and compliance personnel did not examine or review the denominations or the regional sources of the bulk cash to compare it against known trends and customer expectations. [The bank] did not compare the monthly total amount of repatriated bulk currently money against customer expectations. [Although the bank] recorded expected activity . . . no AML or compliance personnel ensured . . . the actual customer activity matched the customer expectations. As a result at least [$4.7 billion U.S. dollars] in bulk cash from Mexican Casa de Cambios went through [the bank over approximately three years] with essentially no AML monitoring.”216

Y. Lesson #26: Validate the Pouch and Remote Deposit Capture Review Process

The bank “never reviewed” the remote deposits made over the first two years of the product’s existence.217 This was approximately $47 billion U.S. dollars of transactions.218

213 Id. P. 7-8. 214 Id. P. 8. 215 Id. P. 8. 216 Id. P. 8-9. 217 Id. P. 9. 218 Id. P. 9.


The bank had an internal policy to not accept sequentially numbered traveler’s checks exceeding $10,500, but did not provide a monitoring procedure to enforce this rule.219 This resulted in more than 1,000 pouch deposits with thousands of sequentially numbered traveler’s checks.220

Over an approximately two year period, more than $20 million U.S. dollars of sequentially numbered traveler’s checks were processed.221 “The majority of those traveler’s checks contained no legible names. Approximately 64 percent of those traveler’s checks contained unusual markings, that is, markings that were either handwritten or stamped and included numbers, letters, or a combination of both. Such markings, lack of signatures, and the sequential numbering of checks are readily identifiable patterns of money laundering activity.”222

Z. Lesson #12, Part 2: Validate Remediation Tracking and Efforts After Issue Identification

The bank’s “Considerable Cooperation and Remedial Actions. [The bank] retained an outside law firm to assist in investigating the facts relevant to the United States’ investigation. With the assistance of outside counsel, [the bank] made numerous detailed periodic reports to the United States concerning those facts.”223 The bank also:

i. Hired a new chief compliance officer;

ii. Hired a new BSA/AML officer;

iii. Undertook a substantial remediation;

iv. Enhanced its manual transaction party monitoring, with focuses on high-risk countries and financial institution risk; and

v. Developed and provided enhanced AML training for employees and AML staff, including topics such as, regulatory responsibility, red flag detection, black market peso exchange, large cash transactions, wires to high-risk countries, and activity inconsistent with an account’s stated purpose.224

The bank conducted a voluntary lookback covering the Mexican Casa de Cambio account transactions.225

AA. Lesson #4, Part 2: Review Third-Party Payment Processor Due Diligence

The bank maintained third-party payment processors who had high return rates, in some cases over 40 percent returns, such as for “unauthorized” reasons.226 This was approximately $418 million of deposits.227

219 Id. P. 9. 220 Id. P. 9. 221 Id. P. 9. 222 Id. P. 9. 223 Id. P. 9. 224 Id. P. 10. 225 Id. P. 10. 226 Id. P. 10. 227 Deferred Prosecution Agreement, Factual Statement P. 11.


For third-party payment processing, the bank failed to:

i. “Request detailed information about payment processors’ merchant base and major customers;

ii. Have a detailed understanding of the processors’ charge-back history;

iii. Sufficiently scrutinize the processors’ due diligence programs.”228

Had the bank properly monitored return rates and reasons for returns, the monitoring would have resulted in multiple red flags.229

In 2007, the U.S. filed criminal charges against American Express Bank for failing to establish an effective anti-money laundering program.230 The allegations revolve around $55 million of drug proceeds being laundered through the “Black Market Peso Exchange.”231 The bank “knowingly allowed South American customers to use accounts at the bank to process parallel currency exchange market transactions, many of which turned out to be [Black Market Peso Exchange] transactions. [These] accounts were characterized by . . . suspicious incoming funds transfers: dozens, sometimes hundreds, of sources of incoming funds (typically wire transfers) from persons and entities completely unrelated to the accountholder. In many cases, the financial transactions were inconsistent with the nature of the accountholder’s business as understood by bank personnel.”232

“The following summarizes the serious and systemic deficiencies uncovered through this investigation:

BB. Lesson #29: Validate the Bearer Share Due Diligence

i. [The bank] failed to exercise sufficient control over accounts held in the names of offshore bearer share corporations, and . . . had no policy or procedure requiring beneficial owners of such accounts to certify in writing their continued ownership of the bearer shares.

CC. Lesson #30: Validate the Risk Assessment

i. [The bank] failed to conduct a risk assessment of its operations . . . and consequently was unable to and did not identify and monitor its highest-risk banking products and transactions.

DD. Lesson #31: Validate the Source of Funds

i. [The bank] failed to monitor adequately the source of funds sent to customer accounts to identify suspicious activities.

EE. Lesson #32: “Trust, but Verify” Information

228 Deferred Prosecution Agreement, Factual Statement P. 12. 229 Deferred Prosecution Agreement, Factual Statement P. 12. 230 USA v. American Express Bank International, 1:07-cr-20602-WJZ (S.D. FL. 2007) (unpublished) (available at: http://lib.law.virginia.edu/Garrett/prosecution_agreements/sites/default/files/pdf/americanexpress.pdf, last accessed January 31, 2016), Criminal Information P. 2. 231 Deferred Prosecution Agreement P. 10-11, Factual Statement P. 1-2. 232 Deferred Prosecution Agreement P. 14-15, Factual Statement P. 6-7.


i. [The bank] failed to independently verify information on clients provided by private bank relationship managers.

FF. Lesson #10, Part 2: Validate the BSA/AML Function’s Independence and Authority

i. [The bank] failed to provide compliance personnel with authority to identify and prevent suspicious and high-risk banking activities.

GG. Lesson #33: Validate the Audit Plan

i. [The bank] failed to maintain an audit program reasonably designed to ensure the bank’s compliance with BSA/AML laws and regulations.”233

V. Discussion

A. 5+ Years of Significant Federal Legal Action

While the “Bank Secrecy Act,” or varying parts of it, has been in effect since 1970, the real teeth of the federal legal remedies came into effect with the USA PATRIOT Act of 2001. Even after 2001, the U.S. used the federal courthouse very few times to force U.S. financial institutions to comply, until the law had been in effect for about 10 years. Since 2010, federal civil and criminal cases for “BSA violations” have been filed on a regular basis. With five years of significant BSA civil actions and criminal prosecutions, we do have concrete examples beyond the general guidance provided by the FFIEC BSA/AML Exam Manual and the various agency general guidance publications. Here are some of the lessons that should be learned…

B. Individual Responsibility & Competence

Business Line. Individual responsibility, competence, qualifications, background, education, and continuing education are the starting point for all anti-money laundering program effectiveness measures. The business line should be responsible for customer contact, knowing their customer’s line of business and expected banking activities, ensuring information is available to AML personnel, identifying specifically relevant information for AML personnel to review (internal referrals), and for terminating banking relationships with a significant risk of financial crime, fraud, or other money laundering risks.

Senior/Executive Management. The senior and executive level management should support an effective AML program, ensure the AML program functions independent of income or profit concerns, ensure the quantity and quality of information available is everything that is readily available, provide for escalation of AML program concerns (such as unanswered documentation requests, staffing needs, resource needs, education needs), and ensure the AML program has senior or executive level authority.

AML Investigators. The AML program investigators should have readily available know your customer information, process all transaction alerts timely, document the analysis of the alert and cite to the information obtained, escalate for further attention unanswered requests for documentation, and be of sufficient education, experience, and intellect to enable proper financial crime, fraud, and anti-money laundering and financial due diligence analysis.

233 Deferred Prosecution Agreement P. 18, Factual Statement P. 9.

AML Program. The AML program function should review readily available due diligence and seek further information as the situation requires, perform additional due diligence on higher risk customers, markets, and products (often called enhanced due diligence), conduct ongoing periodic due diligence as risk dictates, conduct appropriate risk assessments, and perform adequate due diligence investigations covering beneficial ownership, customer documentation, public source information, licensing documentation, red flag analysis, and verification that information is correct.

Transaction Monitoring. The transaction monitoring function should cover all banking transactions, be appropriately risk based (more attention to higher risk areas, but not ignore those less than higher risk), be tuned to alert for unusual activity, not be tuned based on the amount of available staff or time resources, and should be supplemented by human intelligence (such as horizontal information sharing or “Internal Referral” processes).

BSA/AML Officer. The BSA/AML officer should hold a senior or executive position, maintain a direct line of reporting to the board of directors, senior/executive management, lines of business, and AML investigators, maintain independence to terminate customers, markets, and products that pose unacceptable risks of financial crime, fraud, and money laundering, and be acutely aware of his/her personal accountability for the entire AML program’s function.

C. Higher Risk Customers

Foreign correspondent banking has unique elevated risks. Products should not be offered that allow essentially anonymous transactions to occur. All transactions flowing through a financial institution should have identified parties and counterparties. Coupling a higher risk customer in a higher risk market with a higher risk product is either unacceptable requiring termination or of such significance that specialized, enhanced, and ongoing due diligence should occur. Money service businesses and Mexican Casa de Cambios with high transaction and dollar volumes are higher risk requiring ongoing, additional due diligence. Certain higher risk customers or products may require a certain level of know your customer’s customer.

D. Red Flag Detection Processes

The AML program function should utilize all readily available sources of red flag identification, such as automated transaction monitoring, manual monitoring, government guidance, law enforcement investigations, public news sources, industry concerns, internal referral of concerning information, actual versus expected account usage, ACH debit transaction return percentages, fraud detection methods, cash monitoring, bearer share due diligence and geographic risk analysis.

E. Measurable Validation, both Qualitative and Quantitative

Not all testing is created equal, so multiple testing methods are needed. An AML program should test itself versus known or published industry standards as a quantitative testing measure. In addition, an AML program should test itself versus “what could be done” as a qualitative testing measure. Both methods should be applied in internal testing and in independent audit testing.

F. Review Trends

The BSA/AML officer, senior/executive management, and board of directors should review staffing and resource trends. If a particular customer, product, or transaction type increases, the AML program should be assessed for ability to effectively review that increase. If the business trend is down, then those AML program resources can be reviewed for re-assignment to the other significant customers, products, or transactions. Be acutely aware of declining trends in AML staffing and resources and ensure they correspond to a trend of reduced risk. Increasing business volumes and numbers of customers, markets, and products require a corresponding analysis of AML program staffing and resources and mitigation of the increased risk.

G. Act Proactively, Validate Retrospectively, but Not in a Vacuum

The AML program function is designed to prevent money laundering, a crime. Thus it is a proactive measure against crime. This means the program cannot be stable or unchanged. The AML program must remain dynamic and continuously educated about new money laundering methods and indicators. However, rarely can a proactive crime prevention program ever document the crimes it prevented. So the only thing left to do is to review past situations and see how the proactive AML program can best attempt to prevent that crime in the future. Remember, a crime free utopia only exists in fiction.

H. Issue Remediation

When issues are identified, be proactive. Make a list of the issues, brainstorm resolutions, pick a straightforward and effective solution, implement the solution, and maintain the solution going forward. Do not make the same mistake again. If possible, automate the proactive monitoring for the issue that arose. If automation is not possible, schedule the review and testing on a calendar.

I. BSA/AML Program Essentials

An effective AML program should have risk-based approaches to obtain true customer identification, the customer’s source of funds, and normal and expected transactions; monitor customer transactions; identify out-of-pattern transactions; perform due diligence on those out-of-pattern transactions; and file unusual or suspicious transactions.

J. Regular Risk Assessments

Effective AML and OFAC functions each have regular and ongoing risk assessments. This means an overall risk assessment for the financial institution, but also individualized risk assessments within the financial institution (such as transactions, customers, products, geography, etc.).

K. Validate the Audit Plan

Grading your own work is a good start and it is necessary to improve the quality of your work and to learn from your mistakes. So an effective audit plan involves some aspects of quality control or self-auditing. However, a financial institution needs an independent auditor to examine your work. This means having appropriately timed and scoped audits. Generally, each AML program function should be checked periodically by this independent auditor and more frequently by means of quality control or self-auditing. Each of these self and independent audits should cover the lessons learned from the federal civil and criminal actions regarding effective BSA/AML programs. In other words, the process should flow as follows: Red Flag BSA/AML Analyst Performs Work BSA/AML Quality Control Review Performed Work Product Finalized Work Product Self Audit Sample Selected and Reviewed Issue Remediation Independent Audit Sample Selected and Reviewed Issue Remediation.

VI. Conclusion

A financial institution should have the education, experience, knowledge, and resources to review the four separate sources of information (FFIEC BSA/AML Exam Manual, various federal agency guidance, Consent Orders, and the civil and criminal legal actions) and use that information to determine the effectiveness of the AML program as a whole and the effectiveness or ineffectiveness of each individual AML program process. After this, the financial institution should implement ongoing quality control or self-audit processes and ongoing independent audits, both of which should cover all the lessons listed above.