
CARES Act and PPP Loans – Has the SBA Actually “Approved” Any PPP Loans? Or Are Its Deputies Doin’ All the Approvin’?

The Small Business Administration (SBA) has announced that as of April 15th it had “approved” about 1,300,000 Paycheck Protection Program (PPP) loans for about $289 billion (that’s just over $220,000 per loan, on average). The program kicked off on April 3rd: so that’s 1,300,000 approvals in 13 days, or 100,000 approvals every day, including weekends.

That’s a marked improvement over the SBA’s 2019 daily approval rate of about 160 loan approvals every day.

In 2019 the SBA approved a total of just under 59,000 loans totaling about $30 billion. In 2020, through March 20th, the SBA approved 24,745 loans for ~$12.5 billion. The SBA’s last congressional report (Fiscal 2021 Congressional Justification & Fiscal 2019 Performance Report) noted that “The time to process a 7(a) non-delegated loan greater than $350,000 decreased from 15 days to 9 days (40 percent efficiency gain) [from FY 2017] and for loans under $350,000, from 6 to 2 days (67 percent efficiency gain).” So in fiscal 2019, the SBA approved about 46,100 7(a) loans totaling $23.2 billion. Each of those took between 2 and 9 days. And based on SBA’s data, about 20% of its 7(a) loans are under $350,000, and 80% are over $350,000.

So when faced with a volume of 59,000 loans in a year, it takes the SBA about two days to process the smaller loans, and nine days to approve the bigger loans.

So how did the SBA go from approving 160 7(a) loans per day in 2019 to approving 100,000 PPP loans per day in 2020? They deputized the lenders!

The CARES Act Has Deputized PPP Lenders – They Get to Approve the Loans They Make!

Section 1102 of the CARES Act creates the PPP and sets out the “what” that needs to be done (the “how” is reserved to the regulations). Section 1102(a) amends the existing section 7(a) of the Small Business Act (15 U.S.C. 636(a)) to add the PPP provisions in subsection 36 of section 7(a). The key is paragraph (F), titled “Delegated Authority”. It provides:

“(ii) DELEGATED AUTHORITY. (I) IN GENERAL.—For purposes of making covered loans for the purposes described in clause (i), a lender approved to make loans under this subsection shall be deemed to have been delegated authority by the Administrator to make and approve covered loans, subject to the provisions of this paragraph.”

That seems pretty clear: the SBA has deputized the lenders, and it’s the lenders that will make AND approve PPP loans, not the SBA. Is there anything different in the Interim Final Rule, or regulations? No. In fact, the Interim Final Rule refers to lenders making PPP loans, but is silent on lenders approving loans – even though the law now gives lenders delegated authority to make and approve PPP loans. The phrase “make and approve” or “making and approving” doesn’t appear in the final rule.

So when the SBA announces that it has approved 1.3 million PPP loans in the first thirteen days of the PPP, what it really means is that its deputies – the roughly 5,000 banks, credit unions, and other lenders that have signed up for the PPP – have made 1.3 million PPP loans and, through the delegation powers in the statute, approved them. But one needs to question whether those 5,000 lenders have actually approved that many PPP loans, or whether they have simply submitted the electronic paperwork to the SBA’s E-Tran system and the SBA has returned 1.3 million PPP Loan Numbers back to those lenders, and are slowly working through the underwriting requirements and approving PPP loans methodically and carefully. It’s likely the latter.

5 + 4 = 6 … Treasury’s New PPP Math Is Creating Unnecessary Confusion, & Here’s a Proposed Solution

I’ve written two articles on the CARES Act’s Paycheck Protection Program (PPP) – the $350 billion, or $350,000,000,000, pot of federal money available for the lucky few hundred thousand or so of the roughly thirty million American small businesses that can navigate the labyrinth of regulatory requirements to apply for and be approved to get a loan that is intended to cover their payroll for 8 weeks or so. See The CARES Act and the PPP – We Know A Surge of Fraud is Coming

On April 13th the Treasury Department issued some guidance intended to clarify how the PPP lenders – mostly banks and credit unions – can satisfy some of their regulatory requirements around identifying the beneficial owners of the small businesses they’ll be lending to. In some of the more creative math I’ve seen in a while, they were somehow able to take the 5 things required under one set of regulations, combine them with the 4 things required under another set of regulations, and come up with 6 things. Instead of speeding up the delivery of the much-needed assistance to small businesses across America, their math may have the opposite effect.

Title 15 Small Business Administration (SBA) requirements

On April 2nd the SBA rolled out its requirements. Among other things, the two-page Borrower Form requires the “authorized representative” of the small business to certify a number of things, notably (for purposes of this labyrinth) five pieces of information – name, SSN/TIN, Address, Title, and Ownership Percentage – of up to five people that own 20 percent or more of the small business. And, according to the Interim Final Rule published on April 2nd, the lender (bank or credit union) can rely on that certification. And the authorized representative has to provide their name, title, and a signature.

So to summarize – for Title 15 SBA purposes, the borrower’s authorized representative needs to certify five pieces of information on as many as five legal owners of the borrower, and the bank lender can rely on that certification.

Title 31 Bank Secrecy Act (BSA) requirements

In May 2018 the federal anti-money laundering regulations were changed to add a requirement that financial institutions collect and verify “beneficial ownership” information of legal entity customers. Beneficial ownership was made up of what is called the “ownership prong” – a natural person owning twenty-five percent or more of the legal entity – and the “control prong” – one person who controlled the legal entity. The regulation also provided a Beneficial Ownership Certification form. The result was that the person opening the account had to certify a number of things, notably (for purposes of this labyrinth) four pieces of information – name, SSN/TIN, address, and Date of Birth (DOB) – of up to five people: up to four that own twenty-five percent or more of the legal entity and the single “control” person. According to the regulation, the bank can rely on that certification “provided that it has no knowledge of facts that would reasonably call into question the reliability of such information.” And the account opener has to provide their name, title, and a signature. And the bank is required to verify that beneficial ownership information: not that the persons are the beneficial owners, because that can’t reasonably be done, but that the persons are … persons. And that verification needs to be done within a reasonable time after the account is opened.

And there are some complications in the BSA rule around existing customers opening new accounts, and whether the bank can rely on existing beneficial ownership information or not. Essentially, a bank needs to document whether, when, and how it can rely on existing information, and that documentation is part of what is known as its “risk-based BSA compliance program”.

So to summarize – for Title 31 BSA purposes, the legal entity’s account opener needs to certify four pieces of information on as many as four legal owners and one control person, and the bank can rely on that certification unless it knows of something that calls into question the reliability of the information, and the bank needs to verify that the persons are, in fact, persons.

Title 31 BSA requirements for Title 15 SBA PPP Loans

On April 13 Treasury and the SBA revised previously published FAQs to add a question and answer relating to how the Title 31 BSA requirements relating to collection (and verification) of beneficial ownership information would be applied to the Title 15 SBA PPP loans. And FinCEN issued, for the first time, the same question and answer. These are summarized below:

Treasury FAQ:  Does the information lenders are required to collect from PPP applicants regarding every owner who has a 20% or greater ownership stake in the applicant business (i.e., owner name, title, ownership %, TIN, and address) satisfy a lender’s obligation to collect beneficial ownership information (which has a 25% ownership threshold) under the BSA?

Existing customers:  if the PPP loan is being made to an existing customer and the lender previously verified the necessary information, the lender does not need to re-verify the information.  Furthermore, if federally insured banks and credit unions have not yet collected such beneficial ownership information on existing customers, such institutions do not need to collect and verify beneficial ownership information for those customers applying for new PPP loans, unless otherwise indicated by the lender’s risk-based approach to BSA compliance.

New customers: the lender’s collection of SIX THINGS – owner name, title, ownership %, TIN, address, and date of birth – from as many as 5 natural persons with a 20% or greater ownership stake in the applicant business will be deemed to satisfy applicable BSA requirements and FinCEN regulations governing the collection of beneficial ownership information. Decisions regarding further verification of beneficial ownership information collected from new customers should be made pursuant to the lender’s risk-based approach to BSA compliance.

Leaving aside (for the moment) the vexing issue of what a bank’s risk-based BSA compliance program requires it to do for existing high risk customers applying for PPP loans, the most elaborate labyrinth the government has created is for new customers. For these new-to-the-lender customers, there appears to be a trade-off. Purely for SBA purposes, PPP lenders need to collect but perhaps not verify SIX things – the name, TIN, DOB, address, title, and ownership percentage – one of which (DOB) isn’t on the PPP Form, for up to 5 natural persons as legal owners. The April 13th guidance doesn’t say anything about the BSA “control” person – nor does it say whether the SBA Authorized Representative can be that control person. And because a lender’s risk-based BSA compliance program requires it to verify beneficial owners, the PPP lender still needs to verify that the Beneficial Owners are, in fact, human beings … not that they are, in fact, the Beneficial Owners of the Applicant Borrower. Also, for both the BSA’s “person opening the account” and the SBA’s “Authorized Representative”, the financial institution must collect the person’s name, title, and signature.

A Possible Solution to Treasury’s Math Problem

The likelihood of rampant money laundering through PPP loans is pretty slim. The likelihood of fraud, though, is 100%. How much fraud is dependent on a lot of factors, but banks are adept at lending money and keeping fraud rates down. In normal times. These are not normal times. But everyone involved in this effort wants to get the $350,000,000,000 into the hands of deserving American small businesses as soon as possible, knowing that there will be some abuses, frauds, mistakes, corruption, laziness, willful blindness, etc., etc. in the process.

But making the lenders collect six pieces of information on the owners of small businesses when neither of the applicable regulatory regimes require them to collect more than five seems to add a layer of unnecessary complexity and can only slow down the lending process.

Having to collect 5 pieces of information (but not DOB) from as many as five legal owners for SBA purposes, and to collect four pieces of information (including DOB) from as many as four legal owners AND one control person for BSA purposes, and now to have to collect SIX pieces of information (including DOB) from five persons for SBA/BSA purposes creates confusion. Treasury needs to take its own risk-based approach: satisfy SBA requirements today, BSA requirements before you forgive the loan.

So here’s my suggestion to Treasury (and the regulatory agencies): PPP lenders can rely on the certifications in the Form 2483 PPP Borrower form. Those lenders can satisfy their BSA-related beneficial ownership requirements by the earlier of (i) September 30, 2020, or (ii) before the PPP loan is forgiven. In other words, focus on the PPP borrowers and requirements today, and worry about the BSA requirements later this summer. Full stop.

CARES Act PPP Loans – Is There A Loan “Dead Zone”?

The Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law by the President on March 27, 2020. It is a stunning piece of legislation meant to support our first responders and medical personnel treating those that are stricken, and to provide emergency economic relief to individuals, small businesses, and even large corporations that have been so adversely impacted by the pandemic.

The ink was barely dry on the CARES Act (enacted March 27th), which created the $349 billion Small Business Administration’s Paycheck Protection Program loan program, when the Interim Final Rules were published (April 3rd). Those PPP loans will be doled out by qualified lenders to qualified Applicants, in increments of up to $10 million per Applicant (limit of one per Applicant). Those loans will bear interest at 1% per year, with interest and principal payments deferred for six months and – here’s the best part – the Government will forgive “qualifying” loans.

As of 7:00 am PST on April 7th, there were about 1,800 lenders that had previously been approved, and another 600 or so that have only recently been approved, to act as SBA PPP lenders. How will they be compensated?

According to the Treasury Department’s Treasury PPP Fact Sheet there is a simple fee schedule:

The SBA – not the small business borrower – will pay the lender a processing fee based on the balance of the financing outstanding at the time of final disbursement in the following amounts:

  • five percent for loans of not more than $350,000;
  • three percent for loans of more than $350,000 and less than $2,000,000; and
  • one percent for loans of at least $2,000,000

(see 15 USC s. 636(a)(36)(P)).

And the SBA Interim Final Rule has similar language to the Treasury Fact Sheet. At page 24 of the Interim Final Rule is this:

What fees will lenders be paid? SBA will pay lenders fees for processing PPP loans in the following amounts:

i. Five (5) percent for loans of not more than $350,000;

ii. Three (3) percent for loans of more than $350,000 and less than $2,000,000; and

iii. One (1) percent for loans of at least $2,000,000.

So this appears to be pretty simple: a loan up to $350,000 gets the lender a fee of 5% of the amount of the loan. A loan of more than $350,000 and less than $2,000,000 gets the lender a fee of 3%. And a loan of $2,000,000 or more gets the lender a fee of 1%.

Was that the intent?

So a PPP loan of, say, $350,000 gets the lender a fee of $17,500 (at 5%) and a loan of, say, $400,000 gets the lender a fee of $12,000 (at 3%)? Or did Treasury intend that a loan of, say, $500,000, would get the lender a fee of 5% on the first $350,000 and 3% on the next $150,000? Or for loans of, say, $4,000,000, the lender would get a fee of 5% on the first $350,000, 3% on the next $1,650,000, and 1% on the balance? If that was the intent, why didn’t Treasury write something like it had in 13 CFR §120.220, but for PPP loans:

  • for loans up to $350,000, five percent of the loan amount;
  • for loans from $350,000 up to $2,000,000, $17,500 on the first $350,000 and 3% on the balance of the loan amount; and
  • for loans of $2,000,000 up to $10,000,000 (the maximum PPP loan), $60,000 on the first $2,000,000 and 1% on the balance of the loan amount

I did some calculations, and something interesting occurs. We get a range of loans where a lender will make less in fees even when lending out more money. Here’s what it looks like: for loan amounts up to $350,000, the lender gets a fee that goes up to $17,500. But for a loan just over $350,000 – and in this example I went up $25,000 – the lender makes over $6,000 less in fees. As can be seen, there is a “Dead Zone” of PPP loans between $350,000 and $600,000 where the lender makes less in fees than if it loaned $350,000 or less. And the PPP Loan Dead Zone is even broader for Agents: that zone extends from $350,000 to $700,000.

(there is also an Agent fee that follows the same ranges as the lender fee, only in amounts of 1%, 0.5%, and 0.25%).

And a similar PPP Loan Dead Zone occurs at the next step-drop in fees – for loans of $2,000,000 or more, the lender fee is 1%. So a lender will make less on a $6,000,000 PPP loan than it would make on a $1,950,000 loan. The high dollar PPP Loan Dead Zone for Agents is $2,000,000 to $4,000,000.
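The flat schedule and its dead zones, worked through as an added example (not code from the original article). The function names and the $25,000 grid (the same increment used in the calculation above) are assumptions for illustration; `marginal_fee` implements the per-band reading the article asks about (5% on the first $350,000, 3% on the next $1,650,000, 1% on the balance).

```python
from fractions import Fraction

# Tier boundaries and rates (in basis points) from the fee schedule quoted above.
T1 = 350_000
T2 = 2_000_000
MAX_LOAN = 10_000_000
LENDER_BPS = (500, 300, 100)   # 5%, 3%, 1%
AGENT_BPS = (100, 50, 25)      # 1%, 0.5%, 0.25%


def flat_fee(amount, bps=LENDER_BPS):
    """Fee as published: one rate applied to the whole loan amount."""
    if amount <= T1:
        rate = bps[0]
    elif amount < T2:
        rate = bps[1]
    else:
        rate = bps[2]
    return Fraction(amount * rate, 10_000)


def marginal_fee(amount, bps=LENDER_BPS):
    """Per-band reading: each rate applies only to the slice inside its band."""
    fee = Fraction(min(amount, T1) * bps[0], 10_000)
    if amount > T1:
        fee += Fraction((min(amount, T2) - T1) * bps[1], 10_000)
    if amount > T2:
        fee += Fraction((amount - T2) * bps[2], 10_000)
    return fee


def break_even_points(bps=LENDER_BPS):
    """For each rate drop, the loan amount at which the flat fee climbs
    back to the fee earned at the tier boundary (the end of the dead zone)."""
    return [
        (T1, Fraction(T1 * bps[0], bps[1])),
        (T2, Fraction(T2 * bps[1], bps[2])),
    ]


def fee_drops(fee_fn, bps=LENDER_BPS, step=25_000):
    """Grid amounts where a larger loan pays less than some smaller loan."""
    drops, best = [], Fraction(0)
    for amount in range(step, MAX_LOAN + 1, step):
        fee = fee_fn(amount, bps)
        if fee < best:
            drops.append(amount)
        best = max(best, fee)
    return drops


if __name__ == "__main__":
    for label, bps in (("lender", LENDER_BPS), ("agent", AGENT_BPS)):
        for start, end in break_even_points(bps):
            print(f"{label}: fee dips above ${start:,} until ${float(end):,.2f}")
    print("flat schedule, first dips:", fee_drops(flat_fee)[:3])
    print("per-band schedule dips:", fee_drops(marginal_fee))
```
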

Could this fee structure create some misaligned incentives for lenders? Could a lender somehow “encourage” those $575,000 loans to become $650,000 loans, even if the borrower has only applied for $575,000? Could a lender process a $350,000 loan – with a $17,500 fee – before it processes a $400,000 loan – with a $12,000 fee?

So where does that leave us? As I wrote in my last article, nobody knows. As Yogi Berra once said,

It’s tough to make predictions, especially about the future.

So how can Treasury eliminate the PPP Loan Dead Zone?

Treasury can change the fee structure to something like this:

  • for loans up to $350,000, five percent of the loan amount;
  • for loans from $350,000 up to $2,000,000, $17,500 on the first $350,000 and 3% on the balance of the loan amount; and
  • for loans of $2,000,000 up to $10,000,000 (the maximum PPP loan), $60,000 on the first $2,000,000 and 1% on the balance of the loan amount

With that, there are no PPP Loan Dead Zones … the larger the loan, the greater the fee. Fair enough, let’s get these loans processed!

The CARES Act and the Paycheck Protection Program – We Know A Surge of Fraud is Coming, Let’s Prevent it Now

SBA’s disaster loan programs suffer increased vulnerability to fraud and unnecessary losses when loan transactions are expedited to provide quick relief and sufficient controls are not in place. The expected increase in loan volume and amounts, and expedited processing timeframes will place additional stress on existing controls. – SBA Inspector General White Paper, “Risk Awareness and Lessons Learned from Audits and Inspections of Economic Injury Disaster Loans and Other Disaster Lending”. April 3, 2020

This article has been updated from its original publication date of April 6, 2020.

The Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law by the President on March 27, 2020. It is a stunning piece of legislation meant to support our first responders and medical personnel treating those that are stricken, and to provide emergency economic relief to individuals, small businesses, and even large corporations that have been so adversely impacted by the pandemic.

The ink was barely dry on the CARES Act (enacted March 27th), which created the $349 billion Small Business Administration’s Paycheck Protection Program loan program, when the Interim Final Rules were published on various government websites (April 3rd, with publication in the Federal Register scheduled for April 15th). Those PPP loans will be doled out by qualified lenders to qualified Applicants, in increments of up to $10 million per Applicant based on the Applicant’s monthly payroll (essentially 2.5 times the monthly payroll, with some exceptions and limitations), with a limit of one PPP loan per Applicant. Those loans will bear interest at 1% per year, with interest and principal payments deferred for six months and – here’s the best part – the Government will forgive “qualifying” loans.

As soon as the program launched, two things happened. First, thousands of new lenders applied to be PPP lenders – from a pre-PPP of about 1,800 qualified lenders to over 4,000 qualified lenders in a matter of days. Second, many of the qualified lenders were inundated with applications. One of the lenders, Wells Fargo, publicly stated that it had max’ed out its funding capacity ($10 billion) to lend under this new PPP loan program: Wells Fargo was only able to extend its participation after the Federal Reserve relaxed some terms of an asset cap order it had imposed back in February 2020. Bank of America reported that it received 177,000 applications in the first two days seeking $32.6 billion in PPP loans. One week into the program, the SBA apparently had “approved” (more on that later) over 660,000 applications from 4,300 qualified lenders for loans of more than $168 billion. And yet the rules are not yet fully understood, and new guidance is coming out daily.

In 2006 I wrote about the dilemma facing BSA/AML programs:

We’ll be judged tomorrow on what we’re doing today, under standards and expectations that haven’t yet been set, based on best practices that haven’t been shared.

This lament has never been more applicable than it is today with these SBA PPP loans and the BSA obligations that follow.

As I read the Interim Final Rules – the 13 CFR Part 120 IFRs around eligibility generally as well as the 13 CFR Part 121 IFRs around affiliates and the common management standard – it LOOKS like lenders can rely on the documents submitted and certifications given by the borrower and its authorized representative in order to determine eligibility of the borrower, use of the loan proceeds, loan amount, and eligibility for forgiveness … but lenders “must comply with the applicable lender obligations set forth in this interim final rule”.

Here is some of the guidance set out in the Interim Final Rule:

At page 5: “SBA will allow lenders to rely on certifications of the borrower in order to determine eligibility of the borrower and use of loan proceeds and to rely on specified documents provided by the borrower to determine qualifying loan amount and eligibility for loan forgiveness. Lenders must comply with the applicable lender obligations set forth in this interim final rule, but will be held harmless for borrowers’ failure to comply with program criteria; remedies for borrower violations or fraud are separately addressed in this interim final rule.”

That is positive. The Interim Final Rule then poses a question, “What do lenders need to know and do?” then answers it in three sections, each posing a question:

a. Who is eligible to make PPP loans?

b. What do lenders have to do in terms of loan underwriting?

c. Can lenders rely on borrower’s documentation for loan forgiveness?

In response to the second question – what do lenders have to do in terms of loan underwriting – the SBA provides the following answer (at pages 21-23 of the Interim Final Rule):

“Each lender shall:

i. Confirm receipt of borrower certifications contained in Paycheck Protection Program Application form issued by the Administration;

ii. Confirm receipt of information demonstrating that a borrower had employees for whom the borrower paid salaries and payroll taxes on or around February 15, 2020;

iii. Confirm the dollar amount of average monthly payroll costs for the preceding calendar year by reviewing the payroll documentation submitted with the borrower’s application; and

iv. Follow applicable BSA requirements:

I. Federally insured depository institutions and federally insured credit unions should continue to follow their existing BSA protocols when making PPP loans to either new or existing customers who are eligible borrowers under the PPP. PPP loans for existing customers will not require reverification under applicable BSA requirements, unless otherwise indicated by the institution’s risk-based approach to BSA compliance.

II. Entities that are not presently subject to the requirements of the BSA, should, prior to engaging in PPP lending activities, including making PPP loans to either new or existing customers who are eligible borrowers under the PPP, establish an anti-money laundering (AML) compliance program equivalent to that of a comparable federally regulated institution. Depending upon the comparable federally regulated institution, such a program may include a customer identification program (CIP), which includes identifying and verifying their PPP borrowers’ identities (including e.g., date of birth, address, and taxpayer identification number), and, if that PPP borrower is a company, following any applicable beneficial ownership information collection requirements. Alternatively, if available, entities may rely on the CIP of a federally insured depository institution or federally insured credit union with an established CIP as part of its AML program. In either instance, entities should also understand the nature and purpose of their PPP customer relationships to develop customer risk profiles. Such entities will also generally have to identify and report certain suspicious activity to the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN). If such entities have questions with regard to meeting these requirements, they should contact the FinCEN Regulatory Support Section at FRC@fincen.gov. In addition, FinCEN has created a COVID-19-specific contact channel, via a specific drop-down category, for entities to communicate to FinCEN COVID-19-related concerns while adhering to their BSA obligations. Entities that wish to communicate such COVID-19-related concerns to FinCEN should go to www.FinCEN.gov, click on “Need Assistance,” and select “COVID19” in the subject drop-down list.

Each lender’s underwriting obligation under the PPP is limited to the items above and reviewing the “Paycheck Protection Application Form.” Borrowers must submit such documentation as is necessary to establish eligibility such as payroll processor records, payroll tax filings, or Form 1099-MISC, or income and expenses from a sole proprietorship. For borrowers that do not have any such documentation, the borrower must provide other supporting documentation, such as bank records, sufficient to demonstrate the qualifying payroll amount.

So it looks like the obligations include some detailed BSA-related customer due diligence requirements, citing an April 3rd FinCEN press release on risk-based approaches to BSA.

The new (as of April 2nd) Form 2483 PPP Borrower Application has a lot of detail on 20% or more owners as well as whether entities are “Affiliates” based on the Common Management Standard … so can lenders rely on the borrowers’ certifications contained in these forms absolutely, no matter how patently false or incomplete? Probably not. There must be an implied level of due diligence, as there is with beneficial ownership information.

So it looks like risk-based BSA/AML customer due diligence will trump otherwise willfully blind reliance on patently false certifications, and when the PPP lending storm is over and the tide is out two years from now, the SBA will be holding lenders to account for fraudulent applications, dubious certifications, and sloppy underwriting.

The opportunities for PPP-related fraud are off-the-charts.

Every fraudster on the planet knows that the US Government just created a $350 billion pot of money that needs to be lent out in the next 90 days based on eligibility determined by the “certifications” the borrowers will submit. Even if deliberate fraud (fraudulent or fake borrowers created by professional fraudsters) and opportunity fraud (legitimate small businesses that deliberately “fudge” a few facts in order to qualify for a loan or even inadvertently misstate a few facts) amounts to only 1% of this pot of money, that is $3.5 billion, or enough to pay the promised $1,200 to 3 million Americans.[1]

Even if banks can process hundreds of thousands of PPP loans, can the SBA approve them?

This is a trick question, written to make a point. And that point is that it doesn’t look like the SBA will be “approving” these PPP loans like they did (and continue to do) for “regular” 7(a) loans. In 2019 the Small Business Administration approved a total of just under 59,000 loans totaling about $30 billion. In 2020, through March 20th, the SBA approved 24,745 loans for ~$12.5 billion. The SBA’s last congressional report (Fiscal 2021 Congressional Justification & Fiscal 2019 Performance Report) noted that “The time to process a 7(a) non-delegated loan greater than $350,000 decreased from 15 days to 9 days (40 percent efficiency gain) [from FY 2017] and for loans under $350,000, from 6 to 2 days (67 percent efficiency gain).” So in fiscal 2019, the SBA approved about 46,100 7(a) loans totaling $23.2 billion. Each of those took between 2 and 9 days.

There will be hundreds of thousands of SBA PPP loans written in the next 90 days for as much as $349 billion – over 660,000 loans in the first week for almost $170 billion. But the SBA isn’t approving these; it is simply acknowledging that it received the necessary borrower and lender forms and sending the lender back a Loan Number. With that, the lender then processes, underwrites, and disburses the loan proceeds.

SBA’s E-Tran System Has Been Glitchy … and according to the SBA’s most recent report to Congress, it had 4,191 employees in 2019 but only 3,274 in 2020.

The SBA’s E-Tran system is its electronic loan processing system that allows approved lenders to submit loan information and documentation. Lenders upload the information and documentation and provide a certification (more on that later) and the SBA returns a loan number. With that, the lender has the delegated authority to fund the loan.

And my guess is that the first PPP loans to go to the SBA will be from existing (experienced) lenders lending to their current (experienced) borrowers … to be followed by experienced lenders lending to new (inexperienced) borrowers … to be followed by those new (inexperienced) lenders the SBA is currently approving who will likely lend to new (inexperienced) borrowers. Inexperience + Inexperience = Opportunities for Fraud. So expect the fraudsters to migrate to the inexperienced borrowers.

What will the bank lenders need to do to meet their BSA obligations?

It’s too early to know. The SBA requirements for beneficial owners seem to require 20% or more legal ownership (so up to five persons with legal ownership) and a stunningly complex “control” disclosure requirement set out in 13 CFR Part 121. But, it looks like the SBA is going to allow lenders to rely on the certifications of their borrowers. For SBA purposes. Those lenders still must comply with their BSA requirements.

So the SBA lenders will have information on up to five owners and, perhaps, on some affiliated persons under the SBA’s “common management standard”. The BSA requirements for beneficial owners seem simple in comparison: 25% or more legal ownership (so up to four persons with legal ownership) and a simple “control prong” of one person set out in 31 CFR Part X.

And where SBA expectations or guidance is still to be provided, BSA regulatory expectations have been set with FinCEN’s Ruling (in FIN-2018-R004). That Ruling carves out an exemption from the beneficial ownership rule so that banks – in this case lenders – do not need to re-verify beneficial ownership information for extensions of loans that do not require underwriting review and approval. Based on that Ruling, the exemption does not appear to apply to these PPP loans, as they are, by definition, underwritten. So even though FinCEN’s unofficial press release from April 2nd – it wasn’t formal Guidance or a Ruling – says that PPP loans for existing customers will not require re-verification under applicable BSA requirements, that is qualified by “unless otherwise indicated by the institution’s risk-based approach to BSA compliance.” That risk-based approach should have followed the FIN-2018-R004 Ruling that exempted renewals of loans that didn’t require underwriting.

So where does that leave us? Nobody knows. As Yogi Berra once said,

It’s tough to make predictions, especially about the future.

Three things I will predict with certainty, though. First, we will get new guidance, advisories, press releases, and rulings from the SBA and from the multiple agencies that oversee the BSA, probably on a daily basis (as I was writing this, the Federal Reserve issued a press release that it will establish a facility to facilitate lending to small businesses via the Small Business Administration’s Paycheck Protection Program (PPP) by providing term financing backed by PPP loans). Second, fraudsters are going to exploit the Paycheck Protection Program. And third, we’ll manage through this and come out stronger and better for it.

Back in January and early February, we failed to recognize that the then-nascent COVID-19 epidemic raging through Asia would, by mid-February, become a full-blown pandemic that would ravage the planet. Comparing the inevitable fraud that will emerge from the Paycheck Protection Program to the coronavirus pandemic is ridiculous, but we can learn from our pandemic planning and take the steps now to prevent, detect, and mitigate the fraud that will accompany the PPP.

Late Tuesday evening, April 6, the Treasury Department published FAQs on the PPP program (Treasury PPP FAQs, April 6, 2020). The 18th and last Q/A was the following:

18. Question: Are PPP loans for existing customers considered new accounts for FinCEN Rule CDD purposes? Are lenders required to collect, certify, or verify beneficial ownership information in accordance with the rule requirements for existing customers?

Answer: If the PPP loan is being made to an existing customer and the necessary information was previously verified, you do not need to re-verify the information. Furthermore, if federally insured depository institutions and federally insured credit unions eligible to participate in the PPP program have not yet collected beneficial ownership information on  existing customers, such institutions do not need to collect and verify beneficial ownership information for those customers applying for new PPP loans, unless otherwise indicated by the lender’s risk-based approach to BSA compliance.

Parsing this answer out, Treasury is giving guidance only on PPP loans for existing customers: existing customers with verified beneficial ownership information, and existing customers without verified beneficial ownership information … unless otherwise indicated by the lender’s BSA policies and procedures. There is nothing about PPP loans for new customers.

What has FinCEN said about the PPP loans? In an April 3rd press release, FinCEN wrote:

Compliance with BSA Obligations – Compliance with the Bank Secrecy Act (BSA) remains crucial to protecting our national security by combating money laundering and related crimes, including terrorism and its financing.  FinCEN expects financial institutions to continue following a risk-based approach, and to diligently adhere to their BSA obligations.  FinCEN also appreciates that financial institutions are taking actions to protect employees, their families, and others in response to the COVID-19 pandemic, which has created challenges in meeting certain BSA obligations, including the timing requirements for certain BSA report filings.  FinCEN will continue outreach to regulatory partners and financial institutions to ensure risk-based compliance with the BSA, and FinCEN will issue additional new information as appropriate.

Beneficial Ownership Information Collection Requirements for Existing Customers – One of the primary components of the CARES Act is the Paycheck Protection Program (PPP).  For eligible federally insured depository institutions and federally insured credit unions, PPP loans for existing customers will not require re-verification under applicable BSA requirements, unless otherwise indicated by the institution’s risk-based approach to BSA compliance.

For non-PPP loans, FinCEN reminds financial institutions of FinCEN’s September 7, 2018 ruling (FIN-2018-R004) offering certain exceptive relief to beneficial ownership requirements.  To the extent that renewal, modification, restructuring, or extension for existing legal entity customers falls outside of the scope of that ruling, FinCEN recognizes that a risk-based approach taken by financial institutions may result in reasonable delays in compliance.

FinCEN will continue to assess reasonable risk-based approaches to BSA obligations and will issue further information, as appropriate, particularly as the CARES Act is implemented.

April 13 FAQs Provide More Guidance

The 25th and last question in the April 13 FAQs provides some clearer guidance on the beneficial ownership issue:

25. Question: Does the information lenders are required to collect from PPP applicants regarding every owner who has a 20% or greater ownership stake in the applicant business (i.e., owner name, title, ownership %, TIN, and address) satisfy a lender’s obligation to collect beneficial ownership information (which has a 25% ownership threshold) under the Bank Secrecy Act?

Answer: For lenders with existing customers: With respect to collecting beneficial ownership information for owners holding a 20% or greater ownership interest, if the PPP loan is being made to an existing customer and the lender previously verified the necessary information, the lender does not need to re-verify the information. Furthermore, if federally insured depository institutions and federally insured credit unions eligible to participate in the PPP program have not yet collected such beneficial ownership information on existing customers, such institutions do not need to collect and verify beneficial ownership information for those customers applying for new PPP loans, unless otherwise indicated by the lender’s risk-based approach to Bank Secrecy Act (BSA) compliance.

For lenders with new customers: For new customers, the lender’s collection of the following information from all natural persons with a 20% or greater ownership stake in the applicant business will be deemed to satisfy applicable BSA requirements and FinCEN regulations governing the collection of beneficial ownership information: owner name, title, ownership %, TIN, address, and date of birth. If any ownership interest of 20% or greater in the applicant business belongs to a business or other legal entity, lenders will need to collect appropriate beneficial ownership information for that entity. If you have questions about requirements related to beneficial ownership, go to FinCEN Resources Link. Decisions regarding further verification of beneficial ownership information collected from new customers should be made pursuant to the lender’s risk-based approach to BSA compliance.

So where does that leave us?

According to the SBA’s March 20th weekly update, roughly 13% of the 21,106 7(a) loans it has approved in 2020 are categorized as “change of ownership”. So beneficial ownership is a dynamic attribute that needs to be managed. Below are my thoughts on where we are at 8:20 a.m. PST on April 7, 2020:

  1. Compliance with the Bank Secrecy Act (BSA) remains crucial. FinCEN expects financial institutions to diligently adhere to their BSA obligations. Not merely to adhere to BSA obligations, but to diligently adhere.
  2. PPP loans for existing customers will not require re-verification (if you’ve already verified them) or verification (if you haven’t previously verified beneficial ownership), unless otherwise indicated by your risk-based approach to BSA compliance. So for your higher- and high-risk customers applying for PPP loans, whether previously verified or not, re-verify beneficial ownership. Be diligent about those “cash intensive” businesses that you likely have characterized as higher- or high-risk.
  3. As to new customers, there appears to be a trade-off of sorts. For Title 31 BSA purposes, non-PPP lenders need to collect and verify the name, TIN, address, and DOB of up to four legal owners and one control person. For Title 13 SBA purposes, PPP lenders need to collect but perhaps not verify the name, TIN, address, DOB, title, and ownership percentage of up to four legal owners. The April 13th guidance doesn’t say anything about the BSA control person and whether the SBA Authorized Representative would or could be that control person.
  4. In answering the question “can lenders rely on borrower’s documentation for loan forgiveness?” the Interim Final Rule – again, published by the SBA and Treasury – provides, “Yes. The lender does not need to conduct any verification … the Administrator [of the SBA] will hold harmless any lender that relies on such borrower’s documents and attestation … section 1106(h) [of the CARES Act] prohibits the Administrator from taking any enforcement action …”. So in two places the rule provides that the SBA Administrator will not and cannot take any action against a lender. That is pretty specific. It doesn’t provide that the Federal Government will not and cannot take any action against a lender … does that mean that the lender’s functional regulator (e.g., the OCC) can bring a “safety and soundness” action against a sloppy PPP lender under Title 12? Can FinCEN bring a Title 31 action? Can the Department of Justice bring a Title 18 action? The answer to those three questions is “probably, maybe, perhaps.”

My advice? As FinCEN reminded us, compliance with the BSA remains crucial. Be diligent and confirm – in writing – whatever you decide to do in your policies and procedures and with your regulators. Remember, you will be judged tomorrow on what you’re doing today, under standards and expectations that haven’t yet been set, based on best practices that haven’t been shared.

[1] This paper deals only with the PPP. There are other COVID-19 related disaster loan programs, such as the emergency Economic Injury Disaster Loan (EIDL) program. The SBA Inspector General issued a White Paper on April 3, 2020 titled “Risk Awareness and Lessons Learned from Audits and Inspections of Economic Injury Disaster Loans and Other Disaster Lending”. In that paper, the IG noted that “SBA’s disaster loan programs suffer increased vulnerability to fraud and unnecessary losses when loan transactions are expedited to provide quick relief and sufficient controls are not in place. The expected increase in loan volume and amounts, and expedited processing timeframes will place additional stress on existing controls.” See https://www.sba.gov/sites/default/files/2020-04/SBA_OIG_WhitePaper_20-12_508_0.pdf

Marijuana $475,000,000 in Tax Revenue? IRS Says “No Thanks, We Have Other Priorities”

On March 30, 2020 the Treasury Inspector General released an OIG Report titled “The Growth of the Marijuana Industry Warrants Increased Tax Compliance Efforts and Additional Guidance”. It is, in large part, a stinging rebuke of the way the IRS has handled – or has avoided handling – federal income tax payments made, and tax returns filed, by marijuana related businesses, or MRBs.

To the extent that Government laws and regulations discourage banking for marijuana businesses (and to the extent they encourage cash only transactions), they also may be indirectly and unintentionally encouraging tax noncompliance. – Report, page 5

From a federal tax perspective, MRBs face a number of hurdles.

Limited Access to Banking and the Impact on Paying Taxes

“Marijuana businesses have limited access to banking because marijuana is classified as a Schedule I controlled substance, and banks and credit unions who service marijuana businesses can potentially be charged with money laundering. Many financial institutions are not willing to risk potential civil or criminal liability associated with their obligations under the Bank Secrecy Act (BSA).” – Report, page 4.

And the entirety of page 5 of the Report is important:

“One of the main barriers for banks and credit unions is the information reporting requirements when providing banking services to marijuana businesses. For example, BSA regulations require the filing of a Suspicious Activity Report (SAR) when a financial institution knows, suspects, or has reason to suspect that a transaction of $5,000 or more involves funds derived from an illegal activity or is an attempt to disguise funds derived from an illegal activity.

The SAR filing requirement is both costly and risky as the reporting of all transactions the financial institution has with the respective marijuana business can be extensive, and if the activity is incorrectly reported, fines to the financial institution could result. Banks and credit unions that service marijuana businesses may charge large fees to compensate for the extensive reporting requirements and risk for providing services to these businesses. One credit union in California stated it was charging banking fees to marijuana businesses of up to $10,000 as an upfront fee and $5,000 a month for producers and $7,500 a month for dispensaries. Another small credit union in Oregon that serves marijuana businesses stated the credit union filed more than 13,500 individual reports over the past two years (2017 and 2018) for approximately 500 cannabis clients.

We have also identified recent trends with banks and credit unions providing banking services to marijuana businesses. According to the U.S. Treasury Financial Crimes Enforcement Network, the number of financial institutions actively banking marijuana-related businesses increased from 401 in October 2017 to 715 in June 2019. However, the lack of banking access continues to be an issue in the marijuana industry with most banks or credit unions across the United States not willing to accept marijuana business customers. Marijuana businesses without bank account access are also unable to set up merchant accounts for accepting credit or debit cards. This results in most marijuana businesses conducting business transactions in cash only. Marijuana businesses may have automated teller machines on the premises for customers to facilitate cash only transactions.

The main tax-related concern about cash intensive businesses is that cash transactions are more difficult to track and are therefore more likely to go unreported to the IRS. Unlike checks and credit card receipts, cash transactions do not generally result in third-party information capable of being reported to the IRS. To the extent that Government laws and regulations discourage banking for marijuana businesses (and to the extent they encourage cash only transactions), they also may be indirectly and unintentionally encouraging tax noncompliance.”

(citations omitted)

There are at least three issues stemming from the difficulties that cash intensive businesses, such as MRBs, have in obtaining and keeping banking relationships. First is that they may not file tax returns at all: the OIG observed a filing rate of active MRBs of between 60% and 70%. Second, they may under-report income that is not flowing through a bank relationship or is not otherwise being tracked and monitored: the OIG observed an under-reporting rate of about 25%. And third is the penalty that filers must pay for not paying federal taxes electronically. These are known as Failure To Deposit, or FTD, penalties for not making tax payments by ACH, and the OIG found that almost half the MRBs that were potentially unbanked, based on FTD data, paid penalties. The OIG recommended, at page 22 of the Report:

“Taxpayers including marijuana businesses should not be penalized because they cannot satisfy their respective employment tax obligations via the required electronic transmission process. The current conflict between Federal and State law regarding marijuana business activity is well established regarding banking access. The IRS needs to increase awareness of the current FTD penalty relief policies for unbanked taxpayers such as marijuana businesses.”

This was one of the few (of six) recommendations that the IRS agreed to.

I.R.C. §280E from 1982

In 1982, section 280E was added to the Internal Revenue Code to prohibit businesses engaged in illegal activity from deducting business expenses such as payroll, employee benefits, and rent from gross income for purposes of determining federal income tax. Section 280E was the legislative response to a number of court decisions that allowed illegal businesses to deduct certain expenses incurred in operating those illegal businesses. Since the Controlled Substances Act makes it federally illegal to manufacture or distribute marijuana, §280E then prohibits the deduction of expenses incurred in trafficking controlled substances. The only expense allowed by §280E is cost of goods sold, so businesses that sell marijuana can reduce gross receipts by the cost of goods sold but cannot deduct other business expenses.

The Report included a hypothetical example of the impact of §280E to a marijuana related business. As seen from Figure 2, the effective tax rate is about 80% – $80,750 on net income of $100,000.

The OIG found that about 60% of the MRBs in their sample that filed federal tax returns improperly applied §280E adjustments, yet “the IRS lacks guidance to taxpayers and tax professional in the marijuana industry” and that “no references to marijuana businesses can be found in IRS publications.” The OIG estimated that the 5-year impact on federal tax collected in the three states (California, Oregon, and Washington) was almost $250 million.

I.R.C. §471(c) from 2017

The Tax Cuts and Jobs Act of 2017 added section 471(c) to the Internal Revenue Code to provide some relief to small businesses in whether and how they could track and account for their cost of goods sold. The OIG noted:

“Under this new provision, marijuana businesses could argue they are entitled to use a method of accounting that includes all expenses in cost of goods sold to potentially avoid the impact of I.R.C. § 280E. According to IRS Chief Counsel, at least two practitioners have identified this issue and have questioned IRS personnel on how the IRS plans to handle I.R.C. § 471(c) as applied to marijuana industry taxpayers. These practitioners have identified the potential unintended consequence of I.R.C. § 471(c) that appears to allow small marijuana businesses to include non-cost of goods sold expenses in their cost of goods sold and potentially avoid the application of I.R.C. § 280E. IRS Chief Counsel noted that practitioners assert that the new law may provide small business taxpayers wide latitude to characterize all expenditures as cost of goods sold. The effect of the law is still uncertain.” – Report, page 15.

The OIG’s fourth recommendation was that the IRS should publish guidance on the impact of § 471(c) on § 280E. The IRS response was, essentially, that it was too busy:

Recommendation: that the IRS “develop and distribute, internally and externally, specific guidance on the application of I.R.C. § 471(c) in conjunction with I.R.C. § 280E for taxpayers that report Schedule I related activities on Federal tax returns.”

IRS Response: “IRS Chief Counsel disagreed with this recommendation because the Department of the Treasury and Chief Counsel resources at present are focused on priority guidance in response to the Tax Cuts and Jobs Act and identifying and reducing regulatory burdens in response to Executive Order 13789.” – Report, page 22.

Marijuana Businesses – “High Impact” for IRS Attention

The IRS has acknowledged that the marijuana industry is a “high impact compliance area” because of its unique tax compliance risks due to I.R.C. § 280E, cash intensive sales, and potential lost tax revenue. In fact, the OIG report estimated a five-year impact of approximately $475 million. The OIG had two recommendations for the IRS: that the IRS develop a comprehensive compliance approach for the marijuana industry (recommendation 1 on page 13); and that the IRS use more state information (which it was reluctant to use) to identify non-filers (recommendation 5 at page 20). The IRS response to both recommendations was the same:

Recommendation 1 –  IRS should develop a comprehensive compliance approach for the marijuana industry and leverage state marijuana business lists to identify non-compliant taxpayers. IRS Response: “whether it pursues taxpayers in the marijuana industry depends on priorities and available resources … it will use data analytics to identify the size and scope of non-compliant taxpayers and prioritize the compliance activities based on resources available.” – Report, page 13

Recommendation 5 – IRS should leverage publicly available state tax information and expand use of Fed/State agreements to identify non-filers and unreported income in the marijuana industry. IRS Response: “whether it pursues taxpayers in the marijuana industry depends on priorities and available resources … it will review the publicly available State tax information and Fed/State agreements to determine whether and how they could be legally, systemically, effectively, and efficiently used in compliance activities.” – Report, page 20

Conclusion

It’s unfortunate that this report was published in the midst of the Great Pandemic of 2020: but for the pandemic, it would have garnered more attention from the public and Congress. Tax compliance should be encouraged and tax enforcement should be consistently and fairly applied. The Treasury Inspector General has reported that neither is happening with respect to the marijuana industry, and the IRS response to its Inspector General seems to be “we’ll think about it, but we’ve got other things to worry about”. The IRS doesn’t seem too interested in an industry made up of thousands of marijuana related businesses employing hundreds of thousands of people that is apparently under-reporting hundreds of millions of dollars – perhaps billions of dollars – of federal taxes. After the coronavirus pandemic eases, perhaps somebody in Congress can ask the Commissioner of the IRS what would get his attention.

“Descriptive & Memorable” – The Fed’s soon-to-be-published Pandemic Response Accountability Committee Website

The CARES Act, section 15010(g)(1)(A), requires that: “Not later than 30 days after the date of enactment of this Act, the [Pandemic Response Accountability] Committee shall establish and maintain a user-friendly, public-facing website to foster greater accountability and transparency in the use of covered funds and the Coronavirus response, which shall have a uniform resource locator that is descriptive and memorable.”

Subsection (3) provides that the Committee shall ensure that the website provides “materials and information explaining the Coronavirus response and how covered funds are being used. The materials shall be easy to understand and regularly updated”.

There follow thirteen explicit requirements, including … any progress reports, audits, inspections, or other reports … user-friendly visual presentations to enhance public awareness of the use of covered funds and the Coronavirus response … detailed data on any Federal Government awards over $150,000 … by month to each State and congressional district, where applicable … a means for the public to give feedback on the performance of any covered funds and of the Coronavirus response, including confidential feedback … a link to estimates of the jobs sustained or created by this Act to the extent practicable … a plan from each Federal agency for using covered funds.

Stay tuned – April 26th is the due date for this new descriptive, memorable, and critically important website. Congress and, more importantly, the public, need to keep a watchful eye over how the hundreds of billions of dollars are being allocated and spent. Bookmark your calendar … and stay safe.

Update April 27, 2020 – the website went online at https://pandemic.oversight.gov

The CARES Act of 2020: “Tall, Dark, or Handsome” and “Tall, Dark, and Handsome” in one bill

There is a big difference between someone who is tall, dark, and handsome – he is all three of those things – and a guy who is tall, dark, or handsome – he is one of those things. Unfortunately, the new Special Inspector General for Pandemic Recovery is the Congressional version of tall, dark, or handsome, and their peers – the Executive Director and Deputy Executive Director of the Pandemic Response Accountability Committee – are the Congressional versions of tall, dark, and handsome. Although Congress didn’t take my pre-passage advice to spruce up the SIGPR (there wasn’t time, apparently), we can still hope that they are as polished as their PRAC peers.

In an article I wrote in August 2019 titled “Lessons Learned as a BSA Officer – 1998 to 2018” I covered nine topics:

  1. All the Cooks in the AML Kitchen aka Stakeholders
  2. All the Resources Available to You
  3. The 5 Dimensions of Risk – Up, Down, Across, Out, and Within
  4. FinTech versus Humans
  5. The 7 Cs – What Makes a Good Analyst/Investigator
  6. Tall, Dark and Handsome – Words and Punctuation Matter!
  7. SMEs v SMEs – Subject Matter Experts vs Subject Matter Enthusiasts
  8. Is Transaction Monitoring a Thing of the Past?
  9. The Importance of Courage

I thought of topic 6 – Tall, Dark and Handsome – the morning I read the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) bill that the Senate and House were then negotiating. Back in 2019 I wrote the following:

Tall, Dark, and Handsome – Words (especially adjectives and adverbs) and punctuation matter!

    1. Write simply and clearly

“We know all too well that drugs are killing record numbers of Americans – and almost all of them come from overseas.” – Former AG Jeff Sessions, August 2018 speech

This is a good example of a poorly written sentence that is begging for clarity. The phrase “almost all” means very little: at least 51% and less than 100%. Second, do “almost all” drugs come from overseas, or do almost all Americans come from overseas? And finally, Mexico is the source country for 90% – 94% of heroin entering the US, and the final transit country for 90% of the cocaine entering the US. Mexico isn’t actually overseas from the US.

    2. Use Adjectives and Adverbs Sparingly, if at all

Most modifiers are unnecessary. Whether necessary or not, as a risk professional you should be very aware of both your use of adjectives and adverbs, and when reading others’ use of adjectives and adverbs. When confronted with any modifier, ask yourself (i) why is that modifier being used? (ii) is it being used correctly? (iii) does it change the meaning of the sentence in a way that is unintended? (iv) is it being used consistently with other modifiers? And (v) could it limit or prevent us in the future?

    3. Watch out for Red Flag Words and Phrases

Intended, Primarily, Pilot, Agile Development, shall versus may, Artificial Intelligence, Machine Learning

Special Inspector General for Pandemic Recovery

Section 4018 of the CARES Act calls for the appointment of a new Special Inspector General for Pandemic Recovery. This appears to be a position similar to the TARP (Troubled Assets Relief Program) Inspector General position created after the 2007-2009 economic crisis to manage the TARP monies distributed to banks, the auto companies, and other businesses.

(I’ll point out that, just as the DMV’s vanity license department checks that proposed vanity license plates aren’t offensive, I’m sure someone in the Congressional Research Acronym Program Office checked the title for possible embarrassments. In this case, SIGPaR is much preferable to, say, Pandemic Inspector General.)

What is the federal government looking for in its new Special Inspector General for Pandemic Recovery? As seen from the screen shot of the section in the bill, “the nomination of the Special Inspector General shall be made on the basis of integrity and demonstrated ability in accounting, auditing, financial analysis, law, management analysis, public administration, or investigations.”

To put it another way, the nomination shall be made on the basis of two things: (i) integrity, and (ii) demonstrated ability in either accounting or auditing or financial analysis or law or management analysis or public administration or investigations.

Prior to the passage of the Act, I suggested that Congress change “or” to “and” on line 8 of section 4018(b). As I wrote in my original article (published March 26th, the day before the bill was signed into law), “It would be great if we had a Special Inspector General for Pandemic Recovery who exhibited integrity and demonstrated ability in accounting, auditing, financial analysis, law, management analysis, public administration, and investigations. She’ll need all of those attributes to do her job, I expect.”

Unfortunately, Congress didn’t take up my suggestion.

And oddly enough, pursuant to section 15010(c)(3)(B)(ii) of the CARES Act, two other critical oversight positions created by the Act – the Executive Director and Deputy Executive Director of the Pandemic Response Accountability Committee – shall:

“(I) have demonstrated ability in accounting, auditing, and financial analysis;

(II) have experience managing oversight of large organizations and expenditures; and

(III) be full-time employees of the Committee.”

There you have it: the legislative equivalent of “tall, dark, or handsome” (the Special Inspector General) and “tall, dark, and handsome” (the Executive Director and Deputy Executive Director of the Pandemic Response Accountability Committee) in one Bill. Yikes!

The Perfect Storm: More Alerts, Fewer Investigators, & More False Positives

The Focus Has Always Been On the Increase in Fraud

Natural disasters bring out the best in some people and the worst in others. Almost fifteen years ago, in the wake of Hurricane Katrina, the Department of Justice formed the National Center for Disaster Fraud[1] to coordinate the investigations and prosecutions of benefits, charities, and cyber-related frauds that sprang up when billions of dollars in federal disaster relief poured into the Gulf Coast region. In October 2017, after a series of hurricanes in the southeast US and Caribbean (Harvey, Irma, and Maria), and California wildfires, the Financial Crimes Enforcement Network (FinCEN) issued an “Advisory to Financial Institutions Regarding Disaster-Related Fraud” that described some of the same fraud scams and instructed firms how to identify and report that activity.

FinCEN Recognizes The Strain on Resources

On March 16, 2020, three days after the President declared a National Emergency in response to COVID-19, FinCEN issued a press release (not an Advisory) encouraging financial institutions to (1) communicate concerns related to the “coronavirus disease 2019 (COVID-19)”, and (2) to remain alert to related illicit financial activity.[2]

Specifically, FinCEN requested that financial institutions contact FinCEN and their functional regulator as soon as practicable if it “has concern about any potential delays in its ability to file required Bank Secrecy Act (BSA) reports.”

This is an important acknowledgment by FinCEN. The previous Advisory focused on the increase in fraud as a result of natural disasters. This press release adds another element: at the same time fraud is increasing, the ability of financial institutions to manage that increase is impacted because of the “shelter in place” or work from home requirements. To put it in simple terms, where a bank may have had 1,000 fraud alerts handled by 50 investigators prior to the pandemic, it may now have 2,000 alerts being handled by only 20 investigators.

The Third Issue – Your Existing Fraud Alerting Logic May Produce More False Positives

Not only will the alerting “numerator” be going up (that is, the transactions that a financial institution’s rules flag as anomalous), but the denominator, or the volume and types of transactions, is also changing. Very simply, people transact differently because of the pandemic. There will be more cash withdrawals (both numbers and amounts), and more activity (transactions and interactions) will shift from in-person to mobile, online, and telephone.

Elder fraud is a good example of the impact of the pandemic. The older population is most at risk from COVID-19, and most at risk of various fraud schemes. The alerting logic a bank had programmed was based on historical data relating to, say, changes in elderly customers’ use of online and mobile channels. With the pandemic, elderly customers are using those channels more often, and those alerts will now be hitting on anomalous but now-expected activity. This new current activity will be different than the historical activity on which the bank based its alerting logic.

And all of this at a time when banks have fewer investigators able to handle the output: they’re at home and either unable to access bank systems or less efficient in doing so.
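The drift described in this section can be made concrete with a short added example (it is not code from FinCEN or from any bank's monitoring system). It calibrates a per-customer threshold on pre-pandemic channel usage, scores post-shift activity against that stale threshold and against a recalibrated one, and then applies the illustrative 1,000-alert and 2,000-alert staffing figures from above. The customer data, the mean-plus-three-standard-deviations rule, the 20-cases-per-investigator capacity, and all function names are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed sample data (not real customers): weekly online/mobile
# sessions per elderly customer in three periods.
HISTORY = {  # pre-pandemic weeks the alerting rule was originally tuned on
    "cust_a": [1, 2, 1, 0, 2, 1, 1, 2],
    "cust_b": [0, 1, 0, 0, 1, 0, 1, 0],
    "cust_c": [5, 6, 4, 5, 6, 5, 4, 6],
    "cust_d": [2, 3, 2, 2, 3, 2, 3, 2],
}
SHIFT = {  # first weeks after customers moved to online/mobile channels
    "cust_a": [6, 7, 6, 8],
    "cust_b": [4, 5, 4, 5],
    "cust_c": [7, 8, 7, 8],
    "cust_d": [7, 8, 7, 8],
}
LIVE = {  # weeks being scored now
    "cust_a": [7, 6],
    "cust_b": [5, 4],
    "cust_c": [8, 7],
    "cust_d": [8, 30],
}
# Constructed ground truth: (customer, week index in LIVE) that is real fraud.
KNOWN_FRAUD = {("cust_d", 1)}


def calibrate(window, k=3.0, sd_floor=0.5):
    """Per-customer threshold: mean + k * stddev of the calibration window.

    sd_floor keeps very quiet customers from getting a near-zero tolerance.
    """
    return {
        cust: mean(values) + k * max(pstdev(values), sd_floor)
        for cust, values in window.items()
    }


def score(thresholds, live):
    """Return (customer, week_index, value) for each observation above threshold."""
    alerts = []
    for cust, values in live.items():
        for week, value in enumerate(values):
            if value > thresholds[cust]:
                alerts.append((cust, week, value))
    return alerts


def summarize(alerts, known_fraud):
    """Split alerts into true and false positives using the constructed labels."""
    hits = [a for a in alerts if (a[0], a[1]) in known_fraud]
    return {
        "alerts": len(alerts),
        "true_positives": len(hits),
        "false_positives": len(alerts) - len(hits),
    }


def backlog(alerts, investigators, cases_per_investigator):
    """Alerts left unworked in a period once investigator capacity is used up."""
    return max(0, alerts - investigators * cases_per_investigator)


def compare():
    """Score the same LIVE weeks with the stale and the recalibrated baseline."""
    stale = summarize(score(calibrate(HISTORY), LIVE), KNOWN_FRAUD)
    fresh = summarize(score(calibrate(SHIFT), LIVE), KNOWN_FRAUD)
    return stale, fresh


if __name__ == "__main__":
    stale, fresh = compare()
    print("stale baseline:       ", stale)
    print("recalibrated baseline:", fresh)
    # Staffing figures from the text; 20 cases per investigator is an
    # assumption derived from 1,000 alerts / 50 investigators.
    print("backlog before:", backlog(1000, 50, 20))
    print("backlog during:", backlog(2000, 20, 20))
```

Both baselines catch the one constructed fraud event; the difference is how much expected activity investigators must clear to find it. Recalibrating on a post-shift window only helps if that window has itself been reviewed, since fraud inside it would raise the threshold.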

Communication is the Key

As FinCEN points out, financial institutions need to communicate with their regulators if they’re finding that their investigations teams cannot keep up with the increase in fraud cases. One aspect a bank needs to consider is whether it should – and can – move analysts and investigators from AML over to fraud and sanctions screening. Sanctions screening and fraud monitoring require real-time or near-real-time screening and monitoring to prevent transactions from occurring – whether those are transactions with sanctioned entities, possible Business E-mail Compromise (BEC) frauds, or other frauds. Sanctions and fraud analysts and investigators need to be able to prevent certain transactions and investigate others in real time or near-real time. AML analysts and investigators do not operate in the same time-sensitive environment: as a general rule, an AML alert generated in March will involve activity that occurred in February, it will be investigated in April in order to determine whether it was “suspicious”, then a SAR will be filed in May. So part of the external and internal communications a bank will need to have will involve shifting its AML resources over to sanctions and fraud monitoring and investigations.

But more important are the communications banks need to have with their clients and customers to warn them about common disaster-related frauds, and the communications within the bank to adapt to the changes in overall customer activity. How will the changes in customer activity impact the sanctions and fraud monitoring, detection, and alerting systems?

It’s the perfect storm: more alerts, more false positives, fewer investigators.

[1] https://www.justice.gov/disaster-fraud

[2] https://www.fincen.gov/news/news-releases/financial-crimes-enforcement-network-fincen-encourages-financial-institutions

When it comes to BSA/AML compliance programs, success has a hundred fathers, but failure is, apparently, an orphan

“FinCEN Penalizes U.S. Bank Official for Corporate Anti-Money Laundering Failures”

In 1961 President John F. Kennedy commented on the failed Bay of Pigs invasion: “victory has a hundred fathers and defeat is an orphan”. This statement came to mind as I read the Treasury Department’s March 4, 2020 assessment of a $450,000 penalty against the former Chief Operational Risk Officer of US Bank for the bank’s failures to implement and maintain an effective anti-money laundering (AML) program. And although the bank itself, and its holding company US Bancorp, were sanctioned and paid hundreds of millions of dollars in penalties, it appears that no other officers or directors of US Bank were personally sanctioned.

I have previously written that running an AML program in an American financial institution is like Winston Churchill’s description of Russia in 1939: a riddle, wrapped in a mystery, inside an enigma. The riddle is how to meet your obligations to provide law enforcement with actionable, effective intelligence (the stated purpose of the US AML laws set out in Title 31 of the US Code). That riddle is wrapped in the mystery of how to satisfy the multiple regulatory agencies’ “safety and soundness” requirements set out in Title 12 of the US Code. And the enigma is the personal liability you face for failing to satisfy either or both of those things.

And that enigma of personal liability was recently brought front and center with the March 4, 2020, announcement from FinCEN that the former Chief Operational Risk Officer of US Bank, Michael LaFontaine, was hit with a $450,000 penalty for his failure to prevent BSA/AML violations during his seven to ten year tenure.

Before going further, keep this in mind: it is inconceivable that a single person could run an AML program in one of the largest banks in the United States. They would need hundreds if not thousands of others to help design, implement, modify, test, audit, oversee, and examine that program. Everyone from a first-year analyst to the Board of Directors. But it is equally inconceivable – with all the checks and balances built into the US financial sector regulatory regime, with the three lines of defense, and all the auditors, examiners, and directors – that a single person could single-handedly screw up that same AML program over a period of five years. Yet that is the conclusion that seems to have been made: no matter how many people were responsible for US Bank’s AML program over a five year period, only one was held accountable for it.

“FinCEN Penalizes U.S. Bank Official for Corporate Anti-Money Laundering Failures” – FinCEN Press Release

March 04, 2020

WASHINGTON—The Financial Crimes Enforcement Network (FinCEN) has assessed a $450,000 civil money penalty against Michael LaFontaine, former Chief Operational Risk Officer at U.S. Bank National Association (U.S. Bank), for his failure to prevent violations of the Bank Secrecy Act (BSA) during his tenure.  U.S. Bank used automated transaction monitoring software to spot potentially suspicious activity, but it improperly capped the number of alerts generated, limiting the ability of law enforcement to target criminal activity.  In addition, the bank failed to staff the BSA compliance function with enough people to review even the reduced number of alerts enabling criminals to escape detection.

“Mr. LaFontaine was warned by his subordinates and by regulators that capping the number of alerts was dangerous and ill-advised.  His actions prevented the proper filing of many, many SARs, which hindered law enforcement’s ability to fully combat crimes and protect people,” said FinCEN Director Kenneth A. Blanco.  “FinCEN encourages technological innovations to help fight money laundering, but technology must be used properly.”

In February 2018, FinCEN, in coordination with the Office of the Comptroller of the Currency (OCC) and the U.S. Department of Justice, issued a $185 million civil money penalty against U.S. Bank for, among other things, willfully violating the BSA’s requirements to implement and maintain an effective anti-money laundering (AML) program and to file Suspicious Activity Reports (SARs) in a timely manner.

Mr. LaFontaine was advised by two subordinates that they believed the existing automated system was inadequate because caps were set to limit the number of alerts.  The OCC warned U.S. Bank on several occasions that using numerical caps to limit the Bank’s monitoring programs based on the size of its staff and available resources could result in a potential enforcement action, and FinCEN had taken previous public actions against banks for the same activity.

Mr. LaFontaine received internal memos from staff claiming that significant increases in SAR volumes, law enforcement inquiries, and closure recommendations, created a situation where the AML staff “is stretched dangerously thin.”  Mr. LaFontaine failed to take sufficient action when presented with significant AML program deficiencies in the Bank’s SAR-monitoring system and the number of staff to fulfill the AML compliance role.  The Bank had maintained inappropriate alert caps for at least five years.

FinCEN has coordinated this action with the OCC and appreciates the assistance it provided.

FinCEN’s March 2020 action against Mr. LaFontaine was the third of a series of actions in the last five years against US Bank, its parent US Bancorp, and now, one of its former officers.

The US Bank Cases – 2015, 2018, and 2020

In October 2015 the OCC and US Bank entered into a Cease & Desist Order (on consent) for longstanding and extensive BSA/AML program failures and failures relating to suspicious activity monitoring and reporting. US Bank was compelled to perform a lengthy list of remedial actions, including a “look-back” of activity. Apparently, US Bank eventually satisfied the OCC, and in November 2018 that Order was lifted or terminated. But no individuals were singled out.

In February 2018 US Bank was hit with a series of orders and actions relating to (1) those aforementioned BSA/AML program and SAR failures, and (2) a multi-billion dollar, multi-year payday lending fraud that was effectuated, in part, through the fraudster’s accounts at US Bank (the so-called “Scott Tucker” fraud). Among other orders and penalties, US Bank and/or its parent US Bancorp paid a $75 million fine to the OCC, a $70 million fine to FinCEN, a $15 million fine to the Federal Reserve, and forfeited $453 million to the Department of Justice (and those forfeited funds were later distributed to the victims of the Scott Tucker fraud) in a federal civil case filed in the Southern District of New York (civil case no. 18CV01357). US Bank also consented to a one-count criminal charge and entered into a two-year Deferred Prosecution Agreement (DPA) with the US Attorney for the Southern District of New York. Finally, the Treasury Department brought a civil case against US Bank, also in the Southern District, to “reduce” the FinCEN $70 million penalty to a civil judgment: that was civil case no. 18CV01358. Again, no individuals were singled out.

The (former) Chief Operational Risk Officer was held personally accountable: but who is actually responsible for a bank’s BSA/AML compliance program?

US Bank – the 5th Largest Bank in the United States

Based on all the orders and civil and criminal complaints, it appears that the core period of time the government was concerned about was the years 2010 through 2014. Based on the Annual Reports of US Bank, during that period the bank had:

  • Between thirteen and fifteen directors each year. Eleven of those directors served from at least 2009 through 2014
  • A Managing Committee made up of:
    • 1 Chairman and CEO (the same person for the entire period);
    • Eight to ten Vice-Chairmen each year, one of which was the Chief Risk Officer in 2014; and
    • Four to six Executive Vice-Presidents each year, one of which was the Chief Risk Officer from 2005 through 2013, and one of which was Michael LaFontaine as Chief Operational Risk Officer in the 2012 and 2013 annual report

It’s fair to say that since US Bank listed these people – the Board of Directors and the Managing Committee – in its Annual Reports, these people were seen as being collectively responsible for overseeing and managing the affairs of US Bank.

OCC’s Regulations for BSA/AML Compliance – Title 12 of the Code of Federal Regulations

US Bank’s primary regulator is the OCC. The OCC’s regulations for a BSA/AML compliance program are set out at 12 CFR § 21.21. Subsection (a) describes the “purpose” for the section: “to assure that all national banks and savings associations establish and maintain procedures reasonably designed to assure and monitor their compliance with the requirements of subchapter II of chapter 53 of title 31, United States Code, and the implementing regulations promulgated thereunder by the Department of the Treasury at 31 CFR Chapter X.” So the purpose of the OCC’s BSA/AML program requirement is to assure that banks meet their requirements under FinCEN’s legislation and regulations.

12 CFR § 21.21 continues. Subsection (c) goes beyond mere procedures and compels banks to “develop and provide for the continued administration of a program reasonably designed to assure and monitor compliance with the recordkeeping and reporting requirements set forth in subchapter II of chapter 53 of title 31, United States Code and the implementing regulations issued by the Department of the Treasury at 31 CFR Chapter X. The compliance program must be written, approved by the national bank’s or savings association’s board of directors, and reflected in the minutes of the national bank or savings association.”

And then subsection (d) sets out the minimum contents that the program shall have. It shall:

(1) Provide for a system of internal controls to assure ongoing compliance;

(2) Provide for independent testing for compliance to be conducted by national bank or savings association personnel or by an outside party;

(3) Designate an individual or individuals responsible for coordinating and monitoring day-to-day compliance; and

(4) Provide training for appropriate personnel.

So the OCC’s regulations tell us how a bank’s program is documented, who approves it (the board of directors), and what it must contain (at a minimum, the four “pillars” from subsection (d) – internal controls, independent testing, a BSA compliance officer, and training). Those OCC regulations don’t specifically set out who is responsible for the program. But they do refer to subchapter II of chapter 53 of title 31, United States Code and the implementing regulations issued by the Department of the Treasury at 31 CFR Chapter X. What do those provide? Do those laws and regulations set out who is responsible for a bank’s BSA/AML program?

FinCEN’s Regulations for BSA/AML Compliance – Title 31 of the Code of Federal Regulations

31 CFR Part X, specifically § 1010.210, provides that “each financial institution (as defined in 31 U.S.C. 5312(a)(2) or (c)(1)) should refer to subpart B of its chapter X part for any additional anti-money laundering program requirements.” The subpart B for national banks, like US Bank, provides as follows:

31 CFR § 1020.210

Anti-money laundering program requirements for financial institutions regulated only by a Federal functional regulator, including banks, savings associations, and credit unions. A financial institution regulated by a Federal functional regulator that is not subject to the regulations of a self-regulatory organization shall be deemed to satisfy the requirements of 31 U.S.C. 5318(h)(1) if the financial institution implements and maintains an anti-money laundering program that:

(a) Complies with the requirements of §§1010.610 and 1010.620 of this chapter;

(b) Includes, at a minimum:

(1) A system of internal controls to assure ongoing compliance;

(2) Independent testing for compliance to be conducted by bank personnel or by an outside party;

(3) Designation of an individual or individuals responsible for coordinating and monitoring day-to-day compliance;

(4) Training for appropriate personnel; and

(5) Appropriate risk-based procedures for conducting ongoing customer due diligence, to include, but not be limited to:

(i) Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and

(ii) Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information. For purposes of this paragraph (b)(5)(ii), customer information shall include information regarding the beneficial owners of legal entity customers (as defined in §1010.230 of this chapter); and

(c) Complies with the regulation of its Federal functional regulator governing such programs.

So, other than the OCC regulation having only four pillars while the FinCEN regulation has five, neither the OCC nor the FinCEN BSA/AML program regulations specifically describe who, if anyone, in a bank, is actually responsible for the BSA/AML program. But we know from the Michael LaFontaine case that the Chief Operational Risk Officer was found personally accountable for the failures of the program.

Regulatory Guidance – the FFIEC BSA/AML Examination Manual

So if the answer isn’t in the regulation, perhaps it can be found in regulatory guidance. For BSA/AML purposes, the golden source for regulatory guidance is set out in the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual. All five editions of the Manual (from 2005 through 2014) provide: “The board of directors, acting through senior management, is ultimately responsible for ensuring that the bank maintains an effective BSA/AML internal control structure, including suspicious activity monitoring and reporting.” (At page 29 of the most recent (2014) edition).

Hmmm … that appears to indicate that the board of directors is ultimately responsible, but the “acting through senior management” interjection is confusing. But the details that follow (again, the same language since 2005) provide clarity:

BSA Compliance Officer

The bank’s board of directors must designate a qualified individual to serve as the BSA compliance officer.[1] The BSA compliance officer is responsible for coordinating and monitoring day-to-day BSA/AML compliance. The BSA compliance officer is also charged with managing all aspects of the BSA/AML compliance program and with managing the bank’s adherence to the BSA and its implementing regulations; however, the board of directors is ultimately responsible for the bank’s BSA/AML compliance.

While the title of the individual responsible for overall BSA/AML compliance is not important, his or her level of authority and responsibility within the bank is critical. The BSA compliance officer may delegate BSA/AML duties to other employees, but the officer should be responsible for overall BSA/AML compliance.  The board of directors is responsible for ensuring that the BSA compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective BSA/AML compliance program based on the bank’s risk profile.

This seems pretty clear: the board of directors is ultimately responsible for the bank’s BSA/AML compliance program, and for ensuring that the BSA compliance officer has the tools to do their job.

In addition, the Manual makes it clear that the BSA Officer cannot be “layered”: the BSA Officer must directly report to and take direction from the Board. The Manual provides:

“The line of communication should allow the BSA compliance officer to regularly apprise the board of directors and senior management of ongoing compliance with the BSA.  Pertinent BSA-related information, including the reporting of SARs filed with FinCEN, should be reported to the board of directors or an appropriate board committee so that these individuals can make informed decisions about overall BSA/AML compliance.  The BSA compliance officer is responsible for carrying out the direction of the board and ensuring that employees adhere to the bank’s BSA/AML policies, procedures, and processes.”

Although banking and financial crimes regulations don’t specifically spell out who is responsible for a bank’s BSA/AML program, written guidance makes it clear that the Board of Directors is responsible for ensuring that a bank implements and maintains an effective BSA/AML program.

But that isn’t what has happened in this case. The former Chief Operational Risk Officer – not the Board of Directors, nor the BSA compliance officer(s) that should have reported directly to the Board, nor anyone on the Managing Committee of the bank – was held accountable. Why was that? The answer may lie in FinCEN’s assessment against Mr. LaFontaine.

The March 4, 2020 FinCEN Assessment of Civil Money Penalty

What were the allegations against Mr. LaFontaine?

Page 2 – “Mr. LaFontaine at various times had responsibility for overseeing U.S. Bank’s compliance program and therefore shares responsibility for the Bank’s violations of the requirements to implement and maintain an effective AML program and file SARs in a timely manner.”

So it appears from this that Mr. LaFontaine shared responsibility for the program violations. Who did he share that responsibility with? Some detail is provided on page 3:

Page 3 – “Beginning in or about January 2005, and continuing through his separation from U.S. Bank in or about June 2014, Mr. LaFontaine held senior positions within the Bank’s AML hierarchy, involving oversight of the Bank’s AML compliance functions, from approximately 2008 through April 2011, and then from October 2012 through June 2014. He was the Chief Compliance Officer (CCO) of the Bank from 2005 through 2010, at which time he was promoted to Senior Vice President and Deputy Risk Officer. Thereafter, in October 2012, Mr. LaFontaine was promoted again to Executive Vice President and Chief Operational Risk Officer. In this latter position, which Mr. LaFontaine held throughout the remainder of his employment at the Bank, he reported directly to the Bank’s Chief Executive Officer (CEO) [Footnote: From early 2014 to the end of his tenure, Mr. LaFontaine reported to the Bank’s new Chief Risk Officer and had direct communications with the Bank’s Board of Directors.] As Chief Operational Risk Officer, Mr. LaFontaine oversaw the Bank’s AML compliance department (which was referred to internally as Corporate AML), and he supervised the Bank’s CCO, AML Officer (AMLO), [Footnote: The AMLO did not report directly to Mr. LaFontaine following the hiring of new Chief AML and BSA officers in the spring and summer of 2012. After these hirings, the AMLO reported to the Bank’s CCO, who reported to Mr. LaFontaine] and AML staff.”

We don’t know why the Board of Directors, any one or more of the directors (and there were at least eleven of them that were directors during the entire period in question), or any other senior officers of US Bank (and there were about a dozen of them every year), weren’t held accountable. And in this case, in at least six (6) regulatory, civil, and criminal orders running to hundreds of pages filed over a five (5) year period, we didn’t find out who the government felt was responsible for this bank’s BSA/AML compliance program. Other than Mr. LaFontaine, who was held accountable.

But one of those documents had an interesting take on responsibility. Paragraph 18 of the Treasury Department’s civil complaint against US Bank (Case No 18CV01357, filed February 15, 2018) referenced the FFIEC BSA/AML Manual. The paragraph provided:

“18. Under the BSA/AML Manual, a bank’s risk profile informs the steps it must take to comply with each of the BSA’s requirements. To develop appropriate policies and controls, banks must identify “banking operations . . . more vulnerable to abuse by money launderers and criminals . . . and provide for a BSA/AML compliance program tailored to manage risks. Similarly, while banks must designate an individual officer responsible for ensuring compliance with the BSA, such designation is not alone sufficient. Instead, the BSA/AML Manual notes that banks are responsible for ensuring that their compliance functions have ‘resources (monetary, physical, and personnel) [necessary] to administer an effective BSA/AML compliance program based on the bank’s risk profile.’”

In fact, as set out above, that is not what the Manual provides: according to the Manual, published by the OCC and FinCEN, among many other FFIEC agencies, the board of directors is responsible for ensuring that the bank implements and maintains an effective AML program. Not the “bank”, nor, in this case, the Chief Operational Risk Officer.

Paragraph 31 of the February 15, 2018 civil complaint provided that “US Bank delegated the responsibility for ensuring that it met its obligations under the BSA to its AML compliance department, which it referred to internally as Corporate AML.”

It would have been more accurate to write “US Bank attempted to delegate the responsibility for ensuring that it met its obligations under the BSA to its AML compliance department, which it referred to internally as Corporate AML; but the Board of Directors retained ultimate responsibility.” As the Manual provides, the board of directors maintains ultimate responsibility for the bank’s BSA/AML compliance, with their board-appointed BSA compliance officer “charged with managing all aspects of the BSA/AML compliance program and with managing the bank’s adherence to the BSA and its implementing regulations.”

Based on everything that is in the various pleadings, orders, and press releases, it appears that Mr. LaFontaine didn’t do that part of his job that involved managing Corporate AML. As one of the senior officers in the chain of command of US Bank’s risk organization, and as a member of the Managing Committee in 2012 and 2013, he had some responsibility and accountability: he appears to have organizationally been positioned somewhere between the BSA officers and the Board, and apparently thwarted or ignored the warnings of the AML Officer and/or BSA Officer(s) – who should have been reporting to the Board.

There is much we don’t know about this case. No one person – not even a CEO or Chairman of the Board – has the ability to run an AML program, let alone screw up that program. But apparently the Government has concluded that one person alone can be found accountable for the failures of a mega-bank’s AML program. Which begs a few questions …

Question 1 – Did the OCC inform the Board of Directors that BSA/AML risks weren’t being managed?

Paragraph 58 of the February 2018 civil complaint provided that “… despite recommendations and warnings from the OCC dating back to 2008, the Bank failed to have [the transaction monitoring system] independently validated.”

The phrase “warnings from the OCC dating back to 2008” could be explored. In the section in the Manual titled “Examiner Determination of the Bank’s BSA/AML Aggregate Risk Profile” is the following: “when the risks are not appropriately controlled, examiners must communicate to management and the board of directors the need to mitigate BSA/AML risk.” At this point, we don’t know what the OCC told the board, or when. We do know that the OCC issued a public Cease & Desist Order (on consent) in 2015.

Question 2 – Where was Internal Audit?

Independent testing, or internal audit, is one of the four (Title 12) or five (Title 31) required (minimum) pillars of a BSA/AML compliance program. And the Exam Manual provides that “the persons conducting the BSA/AML testing should report directly to the board of directors or to a designated board committee comprised primarily or completely of outside directors.” (see page 30 of the 2006 Manual, page 12 of the 2014 Manual). Which begs the question: where was US Bank’s audit team during the six+ years that there was capping of alerts and staffing issues? Shouldn’t the audit function have reported to the Board that there were long-standing issues with the transaction monitoring system and AML staffing, and that the OCC had made recommendations and warnings that went unheeded?

Question 3 – Where were the BSA Officers?

As a former BSA Officer, this was the question that was most on my mind as I read the March 4, 2020 FinCEN Assessment, and re-read the 2015 OCC order and the orders and complaints from February 2018. Indeed, I was relieved when the March Assessment came out and it was not against any of the former BSA Officers. The 2015 and 2018 documents showed an organization that appeared to organizationally bury its BSA officers, didn’t empower them, didn’t give them the required access to the Board, and certainly didn’t provide sufficient resources to allow for an effective program (all of which has been corrected with US Bank’s current BSA Officer and organization). And the March 2020 FinCEN Assessment describes two AML Officers and one Chief Compliance Officer, all reporting directly or indirectly into Mr. LaFontaine, who raised serious concerns over a number of years. At page 10 of the Assessment is this:

“In or about November 2013, a meeting was scheduled, at the request of the Bank’s CEO, so that the AMLO and CCO could update the CEO on the Bank’s AML program. In advance of that meeting, the AMLO and CCO prepared a PowerPoint presentation that began with an “Overview of Significant AML Issues,” the first of which was “Alert volumes capped for both [Security Blanket] and [Q]uery detection methods.” The AMLO and CCO put the alert caps issue first because, from their perspective, it was the most pressing of the Bank’s AML issues.  The PowerPoint identified the alert caps as a “[c]overage gap” that “could potentially result in missed Suspicious Activity Reports.” It also said that the “[s]ystem configuration and use could be deemed a program weakness, with potential formal actions including fines, orders, and historical review of transactions.” Prior to the meeting with the CEO, Mr. LaFontaine reviewed the PowerPoint, yet failed to raise the issue of the alert caps with the CEO during the meeting, choosing instead to prioritize other compliance-related issues.”

This suggests that the CEO wanted to meet with the AMLO and CCO, yet eventually met only with their boss, Mr. LaFontaine. Who took the opportunity to bury the primary message that his BSA Officer wanted the CEO to hear: that they were capping the number of alerts coming from the transaction monitoring system.

A financial institution must not organizationally “bury” its BSA Officer (AML officer): their organizational reporting line must be no more than “two-down” from the CEO and within an independent risk organization (e.g., the BSA Officer reports to the Chief Risk Officer, who reports to the CEO) and – critically – the BSA Officer must personally and directly report to the Board.[2]

It appears from the US Bank documents that neither the organizational structure nor the lines of communication allowed the BSA Officer(s) to “apprise the board of directors and senior management of ongoing compliance with the BSA … so that these individuals can make informed decisions about overall BSA/AML compliance”, as the Exam Manual requires. And it wasn’t the Chief Operational Risk Officer that was “responsible for carrying out the direction of the board and ensuring that employees adhere to the bank’s BSA/AML policies, procedures, and processes” … it was the BSA Officer(s). But it appears those BSA Officer(s) were organizationally and/or culturally stymied from directly communicating to the Board. In fact, the paragraph immediately after the description of the CEO meeting provides that “[t]he above-described conduct by Mr. LaFontaine continued until May 2014 when the AMLO bypassed Mr. LaFontaine and sent an email to the Bank’s then-Chief Risk Officer referencing the alert caps issue.” A BSA officer must not be forced to bypass or do end-runs around a blocking boss in order to raise issues.

But whose responsibility is it to ensure that the BSA officer has the organizational stature and resources to do their job, and to ensure that the BSA officer has direct access to senior management and the board? It is the responsibility of the Board of Directors. The Manual is clear: “The board of directors is responsible for ensuring that the BSA compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective BSA/AML compliance program based on the bank’s risk profile.” It shouldn’t take the regulators and, perhaps, a whistle blower to get the bank to act (page 11 of the 2020 Assessment includes: “The Bank did not begin to address its deficient policies and procedures for monitoring transactions and generating alerts until June 2014, when questions from the OCC and reports from an internal complainant caused the Bank’s Chief Risk Officer to retain outside counsel to investigate the Bank’s practices.”).

But maybe the directors weren’t aware that they were responsible for ensuring that the bank implemented and maintained an effective AML program. Which then begs the question …

Question 4 – Where was the Law Department?

Boards rely heavily on in-house counsel. Among other duties, in-house counsel must ensure that the directors understand their legal and regulatory obligations. In the case of BSA/AML, as the Exam Manual clearly sets out, the BSA program must be in writing and approved by the Board. The Board must designate a qualified individual to serve as the BSA compliance officer. The Board is responsible for ensuring that the BSA compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective BSA/AML compliance program.

The first and last thing in-house counsel should leave the Board with when they are conducting their annual board training and awareness is this: “folks, if you remember one thing, remember this: as directors, you are ultimately responsible for the bank’s BSA/AML compliance.”

Question 5 – Where were the other senior managers of the bank?

The most vexing thing about this is not what is written in the FinCEN assessment or accompanying press release, but what is not written. Anyone who has spent any time in AML compliance in a mid-size to large financial institution knows that there are hundreds to thousands of people involved in designing, implementing, testing, maintaining, auditing, overseeing, and examining an AML program. Nothing happens – or doesn’t happen – without the involvement of modelers, testers, auditors, examiners, and committees; without endless finance meetings, HR meetings, “credible challenge” meetings; without senior management buy-in and support; and without the monthly or quarterly meetings with the board of directors (or a committee of the board) and the annual review and approval of the program and appointment, or re-appointment, of the BSA compliance officer.

The Government has singled out one senior manager in the 5th largest bank in the country for failures in a critical risk program that occurred over a five or six year period: where were the other senior managers?

Which takes us back full circle to the Board of Directors …

Question 6 – If the Board of Directors is responsible for a BSA compliance program, how come the Directors were not held accountable for its failures?

We simply don’t know what the US Bank board of directors knew or didn’t know when it came to the five or six years that the bank’s AML program was, apparently, not meeting regulatory requirements. We don’t know what they approved (or didn’t approve) annually. We don’t know what management, or audit, was reporting (or not reporting) to them. We don’t know whether they understood their responsibilities under the BSA regulations and regulatory guidance. We don’t know whether their annual approval of the AML program and appointment of the BSA Officer was a rubber-stamp or a fair and credible challenge of the program, the BSA Officer, and whether the BSA Officer had the monetary, physical, and personnel resources necessary to administer an effective BSA/AML compliance program based on the bank’s risk profile (paraphrasing the Manual). But it’s fair to assume that the Government found it difficult to find anyone liable where they simply failed to do their appointed task well. “We didn’t know the AML transaction monitoring system had been capped”, or “no one told us that the AML investigations team was grossly under-staffed”, or “none of the audit reports that came to the board indicated there were any problems with the AML program” become reasonably solid defenses when someone is looking to assign blame. It is much easier to find someone liable when they were presented with a problem and failed to address it, or even worse, took actions to hide it.  That said, it may simply go back to this:

“Success has many fathers; failure is an orphan”

Michael LaFontaine was considered a rising star in the banking world. The Minneapolis/St. Paul Business Journal included him in its “40 under 40 – 2014” class. In a March 21, 2014 video clip for the “40 Under 40” program he said “success doesn’t happen alone”. Unfortunately, it appears that the opposite is true: he appears to have been singled out and left alone when it comes to finding one person responsible for something that many were accountable for. As President Kennedy said, “victory has a hundred fathers and defeat is an orphan”. More than a dozen directors had responsibility for US Bank’s AML program; eleven served from 2009-2014; and four of those are still directors. But none were held accountable.

Conclusion

The point of this article is not to encourage the Government to impose fines on all the directors, senior management, auditors, and BSA Officers involved in a program that has failures and regulatory violations. Rather, it is to point out to all the Boards of Directors out there that they are responsible for their bank’s AML program, and with that responsibility comes accountability. Knowing that, those Boards will push the management of those banks to implement and maintain effective AML programs … and hopefully spare another individual the horrors of personal liability.

[1] Footnote 34 in 2014 Manual: “The bank must designate one or more persons to coordinate and monitor day-to-day compliance.  This requirement is detailed in the federal banking agencies’ BSA compliance program regulations: 12 CFR 208.63, 12 CFR 211.5(m), and 12 CFR 211.24(j) (Federal Reserve); 12 CFR 326.8 (FDIC); 12 CFR 748.2 (NCUA); 12 CFR 21.21 (OCC).”

[2] There is a third question. It doesn’t involve responsibility and accountability for a BSA program, but is important nonetheless. And that is … how do you get SAR filing rates of 30% to 80% from below-the-line testing? Both the 2018 civil complaint and March 2020 FinCEN Assessment describe the results of a look-back conducted in 2011. Paragraph 41 of the February 2018 civil complaint provides, in part: “… in November 2011, the Bank’s AML staff concluded that, during the past year, the SAR filing rates for below threshold testing averaged between 30% and 80%. In other words, between 30% and 80% of the transactions that were reviewed during the below-threshold testing resulted in the filing of a SAR.” The most efficient transaction monitoring systems have alert-to-SAR rates of 20% – 30%. In fact, the industry laments that the “false positive” rate for most transaction monitoring systems is 95% or more, for a true positive rate of 5% or less. So having a false negative rate (which is a below-the-line testing rate) of 30% to 80% makes no sense at all. Particularly since paragraph 64 of the complaint provides that 2,121 SARs were filed as a result of a six-month look-back of 24,179 alerts: an alert-to-SAR rate of about 9%. [NOTE: the average value of these “look-back” SARs was over $339,000].

The Roger Stone Case – The Shenanigans Continue

Federal Court concludes that Roger Stone’s lawyers’ motion to disqualify Judge Amy Berman-Jackson is “nothing more than an attempt to use the Court’s docket to disseminate a statement for public consumption that has the words ‘judge’ and ‘biased’ in it”


Shenanigan (www.merriam-webster.com): 1: a devious trick used especially for an underhand purpose. 2a: tricky or questionable practices or conduct (usually used in plural). 2b: high-spirited or mischievous activity (usually used in plural).

This is the second article I’ve written on the Roger Stone case. The first from February 12th, “The Roger Stone Case: Whether Outraged or Relieved, At Least Be Informed”, can be found here.

Roger Stone’s five lawyers are continuing their high-spirited activity. They filed a motion seeking to disqualify Federal District Court Judge Amy Berman-Jackson. The factual underpinning of their argument was that they had filed a motion for a new trial, alleging that one of the twelve jurors lied on their juror questionnaire and during their questioning by the Court, and that those lies related to their bias against Roger Stone and Donald Trump. That motion was pending during the sentencing hearing on February 20, 2020. Stone’s lawyers argue that during that hearing, Judge Berman-Jackson made statements that give rise to a reason to question her impartiality in connection with that pending motion for new trial based on alleged juror misconduct. They relied on section 455(a) of title 28 of the United States Code (title 28 governs the federal judiciary and judicial procedure). Section 455(a) states: “any justice, judge, or magistrate judge of the United States shall disqualify himself in any proceeding in which his impartiality might reasonably be questioned.” The purpose of section 455(a) is to promote public confidence in the judiciary by avoiding even the appearance of impropriety whenever possible, and in the District of Columbia, where this court sits, recusal is required when “a reasonable and informed observer would question the judge’s impartiality.”

What did Roger Stone’s lawyers argue? They point to this section of Judge Berman-Jackson’s sentencing:

“Sure, the defense is free to say: So what? Who cares? But, I’ll say this: Congress cared. The United States Department of Justice and the United States Attorney’s Office for the District of Columbia that prosecuted the case and is still prosecuting the case cared. The jurors who served with integrity under difficult circumstances cared. The American people cared. And I care.”

Stone’s lawyers argued that the Judge’s use of the words “jurors” and “with integrity” (which Judge Berman-Jackson noted were “three words on the 88th page of the 96-page transcript of a two-and-a-half-hour hearing”) are disqualifying because there is a pending motion for new trial with respect to a single juror, and the hearing has not yet taken place. They wrote:

“The Court’s ardent conclusion of ‘integrity’ indicates an inability to reserve judgment on an issue which has not yet been heard. Moreover, the categorical finding of integrity made before hearing the facts is likely to lead a reasonably informed observer to question the District Judge’s impartiality … The premature statement blessing ‘the integrity of the jury’ undermines the appearance of impartiality and presents a strong bias for recusal.”

How did Judge Berman-Jackson rule? Writing in the third person (“the Court”, “it”, and “its”), the Judge wrote the following:

“Its characterization of the jurors’ service was voiced on the record, and it was entirely and fairly based on the Court’s observations of the jurors in the courthouse; through the nine days of voir dire and trial, when they were uniformly punctual and attentive, and through their thoughtful communications with the Court during deliberation … and the delivery of the verdict … Moreover, the record dating back to January of 2019 reflects that the Court took each issue raised by this defendant seriously; that on each occasion, it ruled with care and impartiality, laying out its reasoning in detail; and that it was scrupulous about ensuring his right to a fair trial. It granted important evidentiary motions in his favor; it proposed utilizing a written questionnaire to ensure that the parties could receive more information than is usually available for jury selection; it struck 58 potential jurors for cause based on the defendant’s motions or on its own motion; and it repeatedly resolved bond issues in his favor, even after he took to social media to intimidate the Court, after he violated conditions imposed by the Court, after he was convicted at trial, and after he was sentenced to a term of incarceration. Moreover, at the sentencing hearing that forms the sole basis for the defendant’s motion, the Court concluded, based in part on many considerations put forth by the defendant, that it was appropriate to vary from the applicable Advisory Sentencing Guideline Range.”

And finally the conclusion:

“At bottom, given the absence of any factual or legal support for the motion for disqualification, the pleading appears to be nothing more than an attempt to use the Court’s docket to disseminate a statement for public consumption that has the words ‘judge’ and ‘biased’ in it. For these reasons, defendant’s motion is hereby DENIED. SO ORDERED. AMY BERMAN JACKSON, United States District Judge. DATE: February 23, 2020”

The five lawyers who filed the motion to disqualify Judge Berman-Jackson are, no doubt, fine attorneys. This has been, and continues to be, a grueling legal case (indeed, with 343 documents having been docketed, that is more than 1 each business day since the indictment was filed on January 24, 2019). I trust they’re sleeping well at night … high-spirited activity can be tiring.