When it comes to BSA/AML compliance programs, success has a hundred fathers, but failure is, apparently, an orphan

“FinCEN Penalizes U.S. Bank Official for Corporate Anti-Money Laundering Failures”

In 1961 President John F. Kennedy commented on the failed Bay of Pigs invasion: “victory has a hundred fathers and defeat is an orphan”. This statement came to mind as I read the Treasury Department’s March 4, 2020 assessment of a $450,000 penalty against the former Chief Operational Risk Officer of US Bank for the bank’s failures to implement and maintain an effective anti-money laundering (AML) program. And although the bank itself, and its holding company US Bancorp, were sanctioned and paid hundreds of millions of dollars in penalties, it appears that no other officers or directors of US Bank were personally sanctioned.

I have previously written that running an AML program in an American financial institution is like Winston Churchill’s description of Russia in 1939: a riddle, wrapped in a mystery, inside an enigma. The riddle is how to meet your obligations to provide law enforcement with actionable, effective intelligence (the stated purpose of the US AML laws set out in Title 31 of the US Code). That riddle is wrapped in the mystery of how to satisfy the multiple regulatory agencies’ “safety and soundness” requirements set out in Title 12 of the US Code. And the enigma is the personal liability you face for failing to satisfy either or both of those things.

And that enigma of personal liability was recently brought front and center with the March 4, 2020, announcement from FinCEN that the former Chief Operational Risk Officer of US Bank, Michael LaFontaine, was hit with a $450,000 penalty for his failure to prevent BSA/AML violations during his seven to ten year tenure.

Before going further, keep this in mind: it is inconceivable that a single person could run an AML program in one of the largest banks in the United States. They would need hundreds if not thousands of others to help design, implement, modify, test, audit, oversee, and examine that program. Everyone from a first-year analyst to the Board of Directors. But it is equally inconceivable – with all the checks and balances built into the US financial sector regulatory regime, with the three lines of defense, and all the auditors, examiners, and directors – that a single person could single-handedly screw up that same AML program over a period of five years. Yet that is the conclusion that seems to have been made: no matter how many people were responsible for US Bank’s AML program over a five year period, only one was held accountable for it.

“FinCEN Penalizes U.S. Bank Official for Corporate Anti-Money Laundering Failures” – FinCEN Press Release

March 04, 2020

WASHINGTON—The Financial Crimes Enforcement Network (FinCEN) has assessed a $450,000 civil money penalty against Michael LaFontaine, former Chief Operational Risk Officer at U.S. Bank National Association (U.S. Bank), for his failure to prevent violations of the Bank Secrecy Act (BSA) during his tenure.  U.S. Bank used automated transaction monitoring software to spot potentially suspicious activity, but it improperly capped the number of alerts generated, limiting the ability of law enforcement to target criminal activity.  In addition, the bank failed to staff the BSA compliance function with enough people to review even the reduced number of alerts enabling criminals to escape detection.

“Mr. LaFontaine was warned by his subordinates and by regulators that capping the number of alerts was dangerous and ill-advised.  His actions prevented the proper filing of many, many SARs, which hindered law enforcement’s ability to fully combat crimes and protect people,” said FinCEN Director Kenneth A. Blanco.  “FinCEN encourages technological innovations to help fight money laundering, but technology must be used properly.”

In February 2018, FinCEN, in coordination with the Office of the Comptroller of the Currency (OCC) and the U.S. Department of Justice, issued a $185 million civil money penalty against U.S. Bank for, among other things, willfully violating the BSA’s requirements to implement and maintain an effective anti-money laundering (AML) program and to file Suspicious Activity Reports (SARs) in a timely manner.

Mr. LaFontaine was advised by two subordinates that they believed the existing automated system was inadequate because caps were set to limit the number of alerts.  The OCC warned U.S. Bank on several occasions that using numerical caps to limit the Bank’s monitoring programs based on the size of its staff and available resources could result in a potential enforcement action, and FinCEN had taken previous public actions against banks for the same activity.

Mr. LaFontaine received internal memos from staff claiming that significant increases in SAR volumes, law enforcement inquiries, and closure recommendations, created a situation where the AML staff “is stretched dangerously thin.”  Mr. LaFontaine failed to take sufficient action when presented with significant AML program deficiencies in the Bank’s SAR-monitoring system and the number of staff to fulfill the AML compliance role.  The Bank had maintained inappropriate alert caps for at least five years.

FinCEN has coordinated this action with the OCC and appreciates the assistance it provided.

FinCEN’s March 2020 action against Mr. LaFontaine was the third of a series of actions in the last five years against US Bank, its parent US Bancorp, and now, one of its former officers.

The US Bank Cases – 2015, 2018, and 2020

In October 2015 the OCC and US Bank entered into a Cease & Desist Order (on consent) for longstanding and extensive BSA/AML program failures and failures relating to suspicious activity monitoring and reporting. US Bank was compelled to perform a lengthy list of remedial actions, including a “look-back” of activity. Apparently, US Bank eventually satisfied the OCC, and in November 2018 that Order was lifted or terminated. But no individuals were singled out.

In February 2018 US Bank was hit with a series of orders and actions relating to (1) those aforementioned BSA/AML program and SAR failures, and (2) a multi-billion dollar, multi-year payday lending fraud that was effectuated, in part, through the fraudster’s accounts at US Bank (the so-called “Scott Tucker” fraud). Among other orders and penalties, US Bank and/or its parent US Bancorp paid a $75 million fine to the OCC, a $70 million fine to FinCEN, a $15 million fine to the Federal Reserve, and forfeited $453 million to the Department of Justice (and those forfeited funds were later distributed to the victims of the Scott Tucker fraud) in a federal civil case filed in the Southern District of New York (civil case no. 18CV01357). US Bank also consented to a one-count criminal charge and entered into a two-year Deferred Prosecution Agreement (DPA) with the US Attorney for the Southern District of New York. Finally, the Treasury Department brought a civil case against US Bank, also in the Southern District, to “reduce” the FinCEN $70 million penalty to a civil judgment: that was civil case no. 18CV01358. Again, no individuals were singled out.

The (former) Chief Operational Risk Officer was held personally accountable: but who is actually responsible for a bank’s BSA/AML compliance program?

US Bank – the 5th Largest Bank in the United States

Based on all the orders and civil and criminal complaints, it appears that the core period of time the government was concerned about were the years 2010 through 2014. Based on the Annual Reports of US Bank, during that period the bank had:

  • Between thirteen and fifteen directors each year. Eleven of those directors served from at least 2009 through 2014
  • A Managing Committee made up of:
    • 1 Chairman and CEO (the same person for the entire period);
    • Eight to ten Vice-Chairmen each year, one of which was the Chief Risk Officer in 2014; and
    • Four to six Executive Vice-Presidents each year, one of which was the Chief Risk Officer from 2005 through 2013, and one of which was Michael LaFontaine as Chief Operational Risk Officer in the 2012 and 2013 annual report

It’s fair to say that since US Bank listed these people – the Board of Directors and the Managing Committee – in its Annual Reports, these people were seen as being collectively responsible for overseeing and managing the affairs of US Bank.

OCC’s Regulations for BSA/AML Compliance – Title 12 of the Code of Federal Regulations

US Bank’s primary regulator is the OCC. The OCC’s regulations for a BSA/AML compliance program are set out at 12 CFR § 21.21. Subsection (a) describes the “purpose” for the section: “to assure that all national banks and savings associations establish and maintain procedures reasonably designed to assure and monitor their compliance with the requirements of subchapter II of chapter 53 of title 31, United States Code, and the implementing regulations promulgated thereunder by the Department of the Treasury at 31 CFR Chapter X.” So the purpose of the OCC’s BSA/AML program requirement is to assure that banks meet their requirements under FinCEN’s legislation and regulations.

12 CFR § 21.21 continues. Subsection (c) goes beyond mere procedures and compels banks to “develop and provide for the continued administration of a program reasonably designed to assure and monitor compliance with the recordkeeping and reporting requirements set forth in subchapter II of chapter 53 of title 31, United States Code and the implementing regulations issued by the Department of the Treasury at 31 CFR Chapter X. The compliance program must be written, approved by the national bank’s or savings association’s board of directors, and reflected in the minutes of the national bank or savings association.”

And then subsection (d) sets out the minimum contents that the program shall have. It shall:

(1) Provide for a system of internal controls to assure ongoing compliance;

(2) Provide for independent testing for compliance to be conducted by national bank or savings association personnel or by an outside party;

(3) Designate an individual or individuals responsible for coordinating and monitoring day-to-day compliance; and

(4) Provide training for appropriate personnel.

So the OCC’s regulations tell us how a bank’s program is documented, who approves it (the board of directors), and what it must contain (at a minimum, the four “pillars” from subsection (d) – internal controls, independent testing, a BSA compliance officer, and training). Those OCC regulations don’t specifically set out who is responsible for the program. But they do refer to subchapter II of chapter 53 of title 31, United States Code and the implementing regulations issued by the Department of the Treasury at 31 CFR Chapter X. What do those provide? Do those laws and regulations set out who is responsible for a bank’s BSA/AML program?

FinCEN’s Regulations for BSA/AML Compliance – Title 31 of the Code of Federal Regulations

31 CFR Part X, specifically § 1010.210, provides that “each financial institution (as defined in 31 U.S.C. 5312(a)(2) or (c)(1)) should refer to subpart B of its chapter X part for any additional anti-money laundering program requirements.” The subpart B for national banks, like US Bank, provides as follows:

31 CFR § 1020.210

Anti-money laundering program requirements for financial institutions regulated only by a Federal functional regulator, including banks, savings associations, and credit unions. A financial institution regulated by a Federal functional regulator that is not subject to the regulations of a self-regulatory organization shall be deemed to satisfy the requirements of 31 U.S.C. 5318(h)(1) if the financial institution implements and maintains an anti-money laundering program that:

(a) Complies with the requirements of §§1010.610 and 1010.620 of this chapter;

(b) Includes, at a minimum:

(1) A system of internal controls to assure ongoing compliance;

(2) Independent testing for compliance to be conducted by bank personnel or by an outside party;

(3) Designation of an individual or individuals responsible for coordinating and monitoring day-to-day compliance;

(4) Training for appropriate personnel; and

(5) Appropriate risk-based procedures for conducting ongoing customer due diligence, to include, but not be limited to:

(i) Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and

(ii) Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information. For purposes of this paragraph (b)(5)(ii), customer information shall include information regarding the beneficial owners of legal entity customers (as defined in §1010.230 of this chapter); and

(c) Complies with the regulation of its Federal functional regulator governing such programs.

So, other than the OCC regulation having only four pillars while the FinCEN regulation has five, neither the OCC nor the FinCEN BSA/AML program regulations specifically describe who, if anyone, in a bank, is actually responsible for the BSA/AML program. But we know from the Michael LaFontaine case that the Chief Operational Risk Officer was found personally accountable for the failures of the program.

Regulatory Guidance – the FFIEC BSA/AML Examination Manual

So if the answer isn’t in the regulation, perhaps it can be found in regulatory guidance. For BSA/AML purposes, the golden source for regulatory guidance is set out in the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual. All five editions of the Manual (from 2005 through 2014) provide: “The board of directors, acting through senior management, is ultimately responsible for ensuring that the bank maintains an effective BSA/AML internal control structure, including suspicious activity monitoring and reporting.” (At page 29 of the most recent (2014) edition).

Hmmm … that appears to indicate that the board of directors is ultimately responsible, but the “acting through senior management” interjection is confusing. But the details that follow (again, the same language since 2005) provide clarity:

BSA Compliance Officer

The bank’s board of directors must designate a qualified individual to serve as the BSA compliance officer.[1] The BSA compliance officer is responsible for coordinating and monitoring day-to-day BSA/AML compliance. The BSA compliance officer is also charged with managing all aspects of the BSA/AML compliance program and with managing the bank’s adherence to the BSA and its implementing regulations; however, the board of directors is ultimately responsible for the bank’s BSA/AML compliance.

While the title of the individual responsible for overall BSA/AML compliance is not important, his or her level of authority and responsibility within the bank is critical. The BSA compliance officer may delegate BSA/AML duties to other employees, but the officer should be responsible for overall BSA/AML compliance.  The board of directors is responsible for ensuring that the BSA compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective BSA/AML compliance program based on the bank’s risk profile.

This seems pretty clear: the board of directors is ultimately responsible for the bank’s BSA/AML compliance program, and for ensuring that the BSA compliance officer has the tools to do their job.

In addition, the Manual makes it clear that the BSA Officer cannot be “layered”: the BSA Officer must directly report to and take direction from the Board. The Manual provides:

“The line of communication should allow the BSA compliance officer to regularly apprise the board of directors and senior management of ongoing compliance with the BSA.  Pertinent BSA-related information, including the reporting of SARs filed with FinCEN, should be reported to the board of directors or an appropriate board committee so that these individuals can make informed decisions about overall BSA/AML compliance.  The BSA compliance officer is responsible for carrying out the direction of the board and ensuring that employees adhere to the bank’s BSA/AML policies, procedures, and processes.”

Although banking and financial crimes regulations don’t specifically spell out who is responsible for a bank’s BSA/AML program, written guidance makes it clear that the Board of Directors is responsible for ensuring that a bank implements and maintains an effective BSA/AML program.

But that isn’t what has happened in this case. The former Chief Operational Risk Officer – not the Board of Directors, nor the BSA compliance officer(s) that should have reported directly to the Board, nor anyone on the Managing Committee of the bank – was held accountable. Why was that? The answer may lie in FinCEN’s assessment against Mr. LaFontaine.

The March 4, 2020 FinCEN Assessment of Civil Money Penalty

What were the allegations against Mr. LaFontaine?

Page 2 – “Mr. LaFontaine at various times had responsibility for overseeing U.S. Bank’s compliance program and therefore shares responsibility for the Bank’s violations of the requirements to implement and maintain an effective AML program and file SARs in a timely manner.”

So it appears from this that Mr. LaFontaine shared responsibility for the program violations. Who did he share that responsibility with? Some detail is provided on page 3:

Page 3 – “Beginning in or about January 2005, and continuing through his separation from U.S. Bank in or about June 2014, Mr. LaFontaine held senior positions within the Bank’s AML hierarchy, involving oversight of the Bank’s AML compliance functions, from approximately 2008 through April 2011, and then from October 2012 through June 2014. He was the Chief Compliance Officer (CCO) of the Bank from 2005 through 2010, at which time he was promoted to Senior Vice President and Deputy Risk Officer. Thereafter, in October 2012, Mr. LaFontaine was promoted again to Executive Vice President and Chief Operational Risk Officer. In this latter position, which Mr. LaFontaine held throughout the remainder of his employment at the Bank, he reported directly to the Bank’s Chief Executive Officer (CEO) [Footnote: From early 2014 to the end of his tenure, Mr. LaFontaine reported to the Bank’s new Chief Risk Officer and had direct communications with the Bank’s Board of Directors.] As Chief Operational Risk Officer, Mr. LaFontaine oversaw the Bank’s AML compliance department (which was referred to internally as Corporate AML), and he supervised the Bank’s CCO, AML Officer (AMLO), [Footnote: The AMLO did not report directly to Mr. LaFontaine following the hiring of new Chief AML and BSA officers in the spring and summer of 2012. After these hirings, the AMLO reported to the Bank’s CCO, who reported to Mr. LaFontaine] and AML staff.”

We don’t know why the Board of Directors, any one or more of the directors (and there were at least eleven of them that were directors during the entire period in question), or any other senior officers of US Bank (and there were about a dozen of them every year), weren’t held accountable. And in this case, in at least six (6) regulatory, civil, and criminal orders running to hundreds of pages filed over a five (5) year period, we didn’t find out who the government felt was responsible for this bank’s BSA/AML compliance program. Other than Mr. LaFontaine, who was held accountable.

But one of those documents had an interesting take on responsibility. Paragraph 18 of the Treasury Department’s civil complaint against US Bank (Case No 18CV01357, filed February 15, 2018) referenced the FFIEC BSA/AML Manual. The paragraph provided:

“18. Under the BSA/AML Manual, a bank’s risk profile informs the steps it must take to comply with each of the BSA’s requirements. To develop appropriate policies and controls, banks must identify “banking operations . . . more vulnerable to abuse by money launderers and criminals . . . and provide for a BSA/AML compliance program tailored to manage risks. Similarly, while banks must designate an individual officer responsible for ensuring compliance with the BSA, such designation is not alone sufficient. Instead, the BSA/AML Manual notes that banks are responsible for ensuring that their compliance functions have ‘resources (monetary, physical, and personnel) [necessary] to administer an effective BSA/AML compliance program based on the bank’s risk profile.’”

In fact, as set out above, that is not what the Manual provides: according to the Manual, published by the OCC and FinCEN, among many other FFIEC agencies, the board of directors is responsible for ensuring that the bank implements and maintains an effective AML program. Not the “bank”, nor, in this case, the Chief Operational Risk Officer.

Paragraph 31 of the February 15, 2018 civil complaint provided that “US Bank delegated the responsibility for ensuring that it met its obligations under the BSA to its AML compliance department, which it referred to internally as Corporate AML.”

It would have been more accurate to write “US Bank attempted to delegate the responsibility for ensuring that it met its obligations under the BSA to its AML compliance department, which it referred to internally as Corporate AML; but the Board of Directors retained ultimate responsibility.” As the Manual provides, the board of directors maintains ultimate responsibility for the bank’s BSA/AML compliance, with their board-appointed BSA compliance officer “charged with managing all aspects of the BSA/AML compliance program and with managing the bank’s adherence to the BSA and its implementing regulations.”

Based on everything that is in the various pleadings, orders, and press releases, it appears that Mr. LaFontaine didn’t do that part of his job that involved managing Corporate AML. As one of the senior officers in the chain of command of US Bank’s risk organization, and as a member of the Managing Committee in 2012 and 2013, he had some responsibility and accountability: he appears to have organizationally been positioned somewhere between the BSA officers and the Board, and apparently thwarted or ignored the warnings of the AML Officer and/or BSA Officer(s) – who should have been reporting to the Board.

There is much we don’t know about this case. No one person – not even a CEO or Chairman of the Board – has the ability to run an AML program, let alone screw up that program. But apparently the Government has concluded that one person alone can be found accountable for the failures of a mega-bank’s AML program. Which begs a few questions …

Question 1 – Did the OCC inform the Board of Directors that BSA/AML risks weren’t being managed?

Paragraph 58 of the February 2018 civil complaint provided that “… despite recommendations and warnings from the OCC dating back to 2008, the Bank failed to have [the transaction monitoring system] independently validated.”

The phrase “warnings from the OCC dating back to 2008” could be explored. In the section in the Manual titled “Examiner Determination of the Bank’s BSA/AML Aggregate Risk Profile” is the following: “when the risks are not appropriately controlled, examiners must communicate to management and the board of directors the need to mitigate BSA/AML risk.” At this point, we don’t know what the OCC told the board, or when. We do know that the OCC issued a public Cease & Desist Order (on consent) in 2015.

Question 2 – Where was Internal Audit?

Independent testing, or internal audit, is one of the four (Title 12) or five (Title 31) required (minimum) pillars of a BSA/AML compliance program. And the Exam Manual provides that “the persons conducting the BSA/AML testing should report directly to the board of directors or to a designated board committee comprised primarily or completely of outside directors.” (see page 30 of the 2006 Manual, page 12 of the 2014 Manual). Which begs the question: where was US Bank’s audit team during the six+ years that there was capping of alerts and staffing issues? Shouldn’t the audit function have reported to the Board that there were long-standing issues with the transaction monitoring system and AML staffing, and that the OCC had made recommendations and warnings that went unheeded?

Question 3 – Where were the BSA Officers?

As a former BSA Officer, this was the question that was most on my mind as I read the March 4, 2020 FinCEN Assessment, and re-read the 2015 OCC order and the orders and complaints from February 2018. Indeed, I was relieved when the March Assessment came out and it was not against any of the former BSA Officers. The 2015 and 2018 documents showed an organization that appeared to organizationally bury its BSA officers, didn’t empower them, didn’t give them the required access to the Board, and certainly didn’t provide sufficient resources to allow for an effective program (all of which has been corrected with US Bank’s current BSA Officer and organization). And the March 2020 FinCEN Assessment describes two AML Officers and one Chief Compliance Officer, all reporting directly or indirectly into Mr. LaFontaine, who raised serious concerns over a number of years. At page 10 of the Assessment is this:

“In or about November 2013, a meeting was scheduled, at the request of the Bank’s CEO, so that the AMLO and CCO could update the CEO on the Bank’s AML program. In advance of that meeting, the AMLO and CCO prepared a PowerPoint presentation that began with an “Overview of Significant AML Issues,” the first of which was “Alert volumes capped for both [Security Blanket] and [Q]uery detection methods.” The AMLO and CCO put the alert caps issue first because, from their perspective, it was the most pressing of the Bank’s AML issues.  The PowerPoint identified the alert caps as a “[c]overage gap” that “could potentially result in missed Suspicious Activity Reports.” It also said that the “[s]ystem configuration and use could be deemed a program weakness, with potential formal actions including fines, orders, and historical review of transactions.” Prior to the meeting with the CEO, Mr. LaFontaine reviewed the PowerPoint, yet failed to raise the issue of the alert caps with the CEO during the meeting, choosing instead to prioritize other compliance-related issues.”

This suggests that the CEO wanted to meet with the AMLO and CCO, yet eventually met only with their boss, Mr. LaFontaine. Who took the opportunity to bury the primary message that his BSA Officer wanted the CEO to hear: that they were capping the number of alerts coming from the transaction monitoring system.

A financial institution must not organizationally “bury” its BSA Officer (AML officer): their organizational reporting line must be no more than “two-down” from the CEO and within an independent risk organization (e.g., the BSA Officer reports to the Chief Risk Officer, who reports to the CEO) and – critically – the BSA Officer must personally and directly report to the Board.[2]

It appears from the US Bank documents that neither the organizational structure nor the lines of communication allowed the BSA Officer(s) to “apprise the board of directors and senior management of ongoing compliance with the BSA … so that these individuals can make informed decisions about overall BSA/AML compliance”, as the Exam Manual requires. And it wasn’t the Chief Operational Risk Officer that was “responsible for carrying out the direction of the board and ensuring that employees adhere to the bank’s BSA/AML policies, procedures, and processes” … it was the BSA Officer(s). But it appears those BSA Officer(s) were organizationally and/or culturally stymied from directly communicating to the Board. In fact, the paragraph immediately after the description of the CEO meeting provides that “[t]he above-described conduct by Mr. LaFontaine continued until May 2014 when the AMLO bypassed Mr. LaFontaine and sent an email to the Bank’s then-Chief Risk Officer referencing the alert caps issue.”] A BSA officer must not be forced to bypass or do end-runs around a blocking boss in order to raise issues.

But whose responsibility is it to ensure that the BSA officer has the organizational stature and resources to do their job, and to ensure that the BSA officer has direct access to senior management and the board? It is the responsibility of the Board of Directors. The Manual is clear: “The board of directors is responsible for ensuring that the BSA compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective BSA/AML compliance program based on the bank’s risk profile.” It shouldn’t take the regulators and, perhaps, a whistle blower to get the bank to act (page 11 of the 2020 Assessment includes: “The Bank did not begin to address its deficient policies and procedures for monitoring transactions and generating alerts until June 2014, when questions from the OCC and reports from an internal complainant caused the Bank’s Chief Risk Officer to retain outside counsel to investigate the Bank’s practices.”).

But maybe the directors weren’t aware that they were responsible for ensuring that the bank implemented and maintained an effective AML program. Which then begs the question …

Question 4 – Where was the Law Department?

Boards rely heavily on in-house counsel. Among other duties, in-house counsel must ensure that the directors understand their legal and regulatory obligations. In the case of BSA/AML, as the Exam Manual clearly sets out, the BSA program must be in writing and approved by the Board. The Board must designate a qualified individual to serve as the BSA compliance officer. The Board is responsible for ensuring that the BSA compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective BSA/AML compliance program.

The first and last thing in-house counsel should leave the Board with when they are conducting their annual board training and awareness is this: “folks, if you remember one thing, remember this: as directors, you are ultimately responsible for the bank’s BSA/AML compliance.”

Question 5 – Where were the other senior managers of the bank?

The most vexing thing about this is not what is written in the FinCEN assessment or accompanying press release, but what is not written. Anyone who has spent any time in AML compliance in a mid-size to large financial institution knows that there are hundreds to thousands of people involved in designing, implementing, testing, maintaining, auditing, overseeing, and examining an AML program. Nothing happens – or doesn’t happen – without the involvement of modelers, testers, auditors, examiners, and committees; without endless finance meetings, HR meetings, “credible challenge” meetings; without senior management buy-in and support; and without the monthly or quarterly meetings with the board of directors (or a committee of the board) and the annual review and approval of the program and appointment, or re-appointment, of the BSA compliance officer.

The Government has singled out one senior manager in the 5th largest bank in the country for failures in a critical risk program that occurred over a five or six year period: where were the other senior managers?

Which takes us back full circle to the Board of Directors …

Question 6 – If the Board of Directors is responsible for a BSA compliance program, how come the Directors were not held accountable for its failures?

We simply don’t know what the US Bank board of directors knew or didn’t know when it came to the five or six years that the bank’s AML program was, apparently, not meeting regulatory requirements. We don’t know what they approved (or didn’t approve) annually. We don’t know what management, or audit, was reporting (or not reporting) to them. We don’t know whether they understood their responsibilities under the BSA regulations and regulatory guidance. We don’t know whether their annual approval of the AML program and appointment of the BSA Officer was a rubber-stamp or a fair and credible challenge of the program, the BSA Officer, and whether the BSA Officer had the monetary, physical, and personnel resources necessary to administer an effective BSA/AML compliance program based on the bank’s risk profile (paraphrasing the Manual). But it’s fair to assume that the Government found it difficult to find anyone liable where they simply failed to do their appointed task well. “We didn’t know the AML transaction monitoring system had been capped”, or “no one told us that the AML investigations team was grossly under-staffed”, or “none of the audit reports that came to the board indicated there were any problems with the AML program” become reasonably solid defenses when someone is looking to assign blame. It is much easier to find someone liable when they were presented with a problem and failed to address it, or even worse, took actions to hide it.  That said, it may simply go back to this:

“Success has many fathers; failure is an orphan”

Michael LaFontaine was considered a rising star in the banking world. The Minneapolis/St. Paul Business Journal included him in its “40 under 40 – 2014” class. In a March 21 2014 Video Clip for the “40 Under 40” program he said “success doesn’t happen alone”. Unfortunately, it appears that the opposite is true: he appears to have been singled out and left alone when it comes to finding one person responsible for something that many were accountable for. As President Kennedy said, “victory has a hundred fathers and defeat is an orphan”. More than a dozen directors had responsibility for US Bank’s AML program; eleven served from 2009-2014; and four of those are still directors. But none were held accountable.

Conclusion

The point of this article is not to encourage the Government to impose fines on all the directors, senior management, auditors, and BSA Officers involved in a program that has failures and regulatory violations. Rather, it is to point out to all the Boards of Directors out there that they are responsible for their bank’s AML program, and with that responsibility comes accountability. Knowing that, those Boards will push the management of those banks to implement and maintain effective AML programs … and hopefully prevent another individual from the horrors of personal liability.

[1] Footnote 34 in 2014 Manual: “The bank must designate one or more persons to coordinate and monitor day-to-day compliance.  This requirement is detailed in the federal banking agencies’ BSA compliance program regulations: 12 CFR 208.63, 12 CFR 211.5(m), and 12 CFR 211.24(j) (Federal Reserve); 12 CFR 326.8 (FDIC); 12 CFR 748.2 (NCUA); 12 CFR 21.21 (OCC).”

[2] There is a third question. It doesn’t involve responsibility and accountability for a BSA program, but is important nonetheless. And that is … how do you get SAR filing rates of 30% to 80% from below-the-Line testing? Both the 2018 civil complaint and March 2020 FinCEN Assessment describe the results of a look-back conducted in 2011. Paragraph 41 of the February 2018 civil complaint provides, in part: “… in November 2011, the Bank’s AML staff concluded that, during the past year, the SAR filing rates for below threshold testing averaged between 30% and 80%. In other words, between 30% and 80% of the transactions that were reviewed during the below-threshold testing resulted in the filing of a SAR.” The most efficient transaction monitoring systems have alert-to-SAR rates of 20% – 30%. In fact, the industry laments that the “false positive” rate for most transaction monitoring systems is 95% or more, for a true positive rate of 5% or less. So having a false negative rate (which is a below-the-line testing rate) of 30% to 80% makes no sense at all. Particularly since paragraph 64 of the complaint provides that 2,121 SARs were filed as a result of a six-month look back of 24,179 alerts: an alert-to-SAR rate of about 9%. [NOTE: the average value of these “look-back” SARs was over $339,000].