The US Financial Crimes Enforcement Network (FinCEN), in tandem with the Office of the Comptroller of the Currency and the Department of Justice, has imposed a $185 million civil money penalty on US Bank - a subsidiary of US Bancorp - for failing to obey the Bank Secrecy Act 1970.

$70 million of the money will go to the Treasury. US Bank, according to the assessment document, willfully violated the BSA’s programme and reporting requirements between 2011 and 2015, failing to establish and implement an adequate anti-money-laundering programme between 2011 and 2014, failing to report suspicious activity between 2011 and 2014, and failing to report currency transactions to an adequate degree in 2014-15. US Bancorp, the parent company, has signed a deferred prosecution agreement with the US Attorney’s Office for the Southern District of New York in which it admits these charges and agrees to forfeit $528 million.

US regulators are always inquiring into the percentage of annual turnover that banks devote to compliance, and then making pronouncements in private about how much they ought to be spending, but FinCEN has an objection to US Bank's resourcing arrangements that goes beyond mere penny-pinching. The assessment document states that the bank capped the number of alerts that its automated transaction monitoring system was able to generate for investigation. Testing indicated that these caps caused the bank to fail to investigate and report large numbers of suspicious transactions. Far from removing the alert caps, however, the bank put a stop to its testing instead. Similarly, between May 2009 and June 2014, US Bank allowed non-customers to conduct currency transfers at its branches through a large money transmitter. Although the bank knew that it was obliged by the Bank Secrecy Act to monitor those transfers for suspicious activity, it failed to include them in its transaction monitoring system. It was also lax in identifying 'highly risky' customers and monitoring their transactions. Thousands of suspicious activity reports (SARs) went unmade as a result; indeed, a 'look-back analysis' covering only a portion of the time-period during which these deficiencies persisted caused the bank to send the US Government more than 2,000 SARs regarding transactions worth more than $700 million. Nobody knows whether any of these SARs related to real criminal activity, but the bank should nonetheless have made them far earlier. In 2014-15 the bank also sent thousands of inaccurate currency transaction reports (CTRs) to the Internal Revenue Service's database in Detroit, to which FinCEN and various other agencies have access. The CTRs failed to provide the names of the money service businesses (MSBs) that were the ultimate beneficiaries of the transactions. MSBs are cheque cashers, money transmitters and bureaux de change.

The four pillars

Every bank’s AML/BSA compliance programme must rest on four so-called pillars. It must:

• provide for a system of internal controls to achieve continual compliance;
• provide for 'independent testing' for compliance, although the rules allow it to choose an external firm or even its own people, so the 'independence' of their findings is suspect;
• make someone responsible for co-ordinating and monitoring day-to-day compliance; and
• train people.

US Bank apparently failed to prop up two of these pillars: the first and the second. On the subject of the second, US Bank failed to provide for an independent validation of its automated transaction monitoring system. Despite recommendations from the OCC dating back to 2008, the bank failed to have Searchspace (a well-known AML software vendor) independently validated. For example, in connection with an OCC review of Searchspace in 2008, the OCC found that “management has not validated Searchspace in accordance with OCC Bulletin 2000-16 Model Validation,” whatever that meant. The regulator discussed the results of this review with, among others, the bank's chief compliance officer and its AML officer.

In connection with another review of Searchspace in 2010, the OCC concluded that although “management [had] validated Searchspace” since the OCC’s 2008 review, “the individual who completed the validation [was not] independent, given his primary responsibilities surrounding the Searchspace system.” The OCC wanted the bank to complete an independent validation of Searchspace and it again discussed the results of its review with (among others) the chief compliance officer and AML officer.

The bank, however, did not have Searchspace validated independently at that time. Instead, it relied on one of its employees to conduct 'validations' of Searchspace that were plainly insufficient. After the OCC’s review in 2010, and continuing into 2013, the bank employee who was responsible for managing Searchspace prepared a “biannual Searchspace model validation” and asked another bank employee to review it and acknowledge having done so, while assuring that other employee that he was “not making any representation that [he was] validating anything.”  For the purposes of these biannual reviews, the other employee merely “read [the Searchspace manager’s] documentation and sign[ed] off that...they ma[d]e sense and that [he] believe[d] they [were] accurate.”
 
While US Bank was engaging in this deficient validation process, the Searchspace manager told the other employee that a regulator “could (and probably will at some point), force us to hire outside auditors to perform a more robust independent validation/review,” but added that “this would cost tens of thousands...minimum.” The Searchspace manager told the other employee that “[u]ntil we are forced to go there...you are sufficient.” Such are the perils of cost-cutting.