What happens, then, when the CCO and the MLRO is personally accused of wrongdoing?
By Bachir El Nakib, CAMS
Founder, Senior Consultant, Compliance Alert (LLC)
The Chief Compliance Officer (COO) primary role is primarily responsible for overseeing and managing compliance within an organisation, ensuring that the company and its employees are complying (1) with regulatory requirements, (2) with internal policies and procedures, and ensure that the Board of Directors, management and employees comply with the rules and regulations of regulatory bodies and the financial institutions own policies and procedures, must also inform the Board of Directors about important issues and material violations.
The CCO typically reports to the Chief Executive Officer. The Chief compliance officers (CCOs) now operate in a dynamic legal, regulatory, social, and economic environment that is often characterized by complex and sometimes conflicting rules and regulations. Regulatory expectations have risen globally, placing tremendous pressure on organizations, particularly those with international operations, designing programs that help ensure compliance with all of these regulations and guidelines falls squarely on the shoulders of CCOs, to architect & steward of enterprise compliance strategy, structure and processes, a leader and subject matter expert, is responsible for establishing standards and implementing procedures to ensure that the compliance programs throughout the organization are effective and efficient in identifying, preventing, detecting and correcting noncompliance with applicable rules and regulations.
While the AML Compliance Officer/MLRO Manager has the responsibility of managing and maintaining the organization’s obligations as it relates to the supervision and reporting of money laundering activities, will be responsible for designing, evaluating, supporting, and influencing a culture of compliance throughout the organization, as well as assisting in the management and execution of an efficient compliance monitoring and due diligence program.
The CDD information comprises the facts about a customer that should enable an organisation to assess the extent to which the customer exposes it to a range of risks. These risks include money laundering and terrorist financing. Organisations need to ‘know their customers’ for a number of reasons:
- to comply with the requirements of relevant legislation and regulation
- to help the firm, at the time the due diligence is carried out, to be reasonably certain that the customers are who they say they are, and that it is appropriate
- to provide them with the products or services requested
- to guard against fraud, including impersonation and identity fraud
- to help the organisation to identify, during the course of a continuing relationship, what is unusual and to enable the unusual to be examined;
- if unusual events do not have a commercial or otherwise straightforward rationale they may involve money laundering, fraud, or handling criminal or terrorist property
- to enable the organisation to assist law enforcement, by providing available
- information on customers being investigated following the making of a suspicion report to the FIU.
Consequently a prohibition on setting up anonymous accounts or relationships is the baseline for the international standards, the CDD measures should be applied on a risk-sensitive basis, depending on the type of customer, business relationship or nature of the transaction or activity. Firms must however ‘be able to demonstrate to the supervising authorities that the extent of the measures is appropriate to the risks of money laundering and terrorist financing‘. In line with the FATF requirements the Directive outlines the four parts of customer due diligence, including an explicit requirement for ongoing monitoring. There is a specific requirement to identify the beneficial owners of legal entities and structures and to undertake enhanced due diligence on higher risk customers.
Who is the customer and what is meant by the identification of beneficial owners?
The application of CDD is required when a firm covered by money laundering regulations, ‘enters into a business relationship’ with a customer or a potential customer. This will include occasional ‘one off’ transactions even though this may not constitute an actual business relationship as it is defined below. A customer/business relationship is defined as being formed when two or more parties engage for the purposes of conducting regular business or to perform a ‘one off’ transaction. The term ’business relationship’ applies where a professional, commercial relationship will exist with an expectation by the firm that it will have an element of duration.
The risk-based approach to CDD
International standards require that a risk-based approach is applied to CDD.
Consequently, the measures should be applied on a risk-sensitive basis depending on the type of customer, business relationship or nature of the transactions or activity. Higher risk categories should be subject to enhanced due diligence.
The risk assessment will determine how much of the information collected needs to be independently verified, as the following examples indicate.
- Only simplified or basic account opening information may need to be collected for a low-balance, low-turnover deposit account. The extent of information that is verified can be restricted to the identification evidence and information concerning source of the funds and the expected frequency of deposits and withdrawals.
- For standard-risk customers, i.e. those who are permanently resident in the country, with a salaried job or other transparent source of income, only the standard information provided may need to be verified.
- Enhanced due diligence should be applied to higher-risk customers/clients. Enhanced due diligence must also be applied to the beneficial owners or controllers of higher-risk companies or structures.
- Quoted companies and their wholly-owned subsidiaries are considered to be lower-risk, requiring only simplified due diligence.
Privately owned companies and other entities, e.g. trusts, are generally assessed as higher risk than quoted companies because they are exposed to a lower level of external scrutiny than those that are publicly owned. For such relationships, the identities of the beneficial owners and controllers must also be verified in addition to verifying the identity of the corporate entity. Beneficial owners may also be executive directors or the settlors of trusts.
What happens, then, when the CCO is personally accused of wrongdoing?
Recent regulatory developments have compliance officers nationwide very concerned about their jobs and the possible consequences of actions (or inactions) taken while employed for financial institutions. Even when the hiring market for compliance professionals has been very active in recent years, the risks that come with the job cannot be overlooked.
A review of the recent enforcement actions published by federal regulatory agencies found several actions against “institution-affiliated parties” for engaging in reckless unsafe or unsound practices. According to the enforcement actions examined these violations or practices were part of a pattern of misconduct that caused more than a minimal loss to the institutions involved. The misconduct noted in these cases resulted in financial and reputational losses to the institutions involved; demonstrated willful or continuing disregard for the safety and soundness of the institutions involved, and involved reckless disregard for the applicable laws or regulations.
Those stakes make compliance a high-pressure job. According to a study from the British Bankers’ Association and LexisNexis Risk Solutions, fifty four percent of those surveyed said they would leave the financial industry if an opportunity arose. In an already hot recruitment situation, this could be devastating for banks and other financial institutions trying to stay on top of the current regulatory environment.
Intensa Bank Case, 16 Dec 2016
New York's state banking regulator on Thursday announced the latest action in its push against banks that fail to properly employ transaction-monitoring systems to combat money laundering, stating it has fined the New York branch of Italian bank Intesa Sanpaolo $235 million.
Among other lapses, during 2014, Intesa's New York branch failed to properly review at least 17,000 alerts generated by its monitoring system, transactions that totaled more than $16 billion, the New York Department of Financial Services said in a consent order.
The alleged misdeeds occurred despite the presence of an independent consultant DFS had installed in 2013 due to previously documented anti-money laundering compliance lapses linked to shady shell company account holders, Iran-linked transactions and other matters that dated back to the mid-2000s.
In a statement, Intesa Sanpaolo said the penalty related to "certain weaknesses and deficiencies in the anti-money laundering controls, policies and procedures of the bank's New York branch."
The bank said the enforcement action began in 2007 and noted that a criminal probe by U.S. authorities ended in 2012 with no charges. The criminal probe was over how the bank cleared U.S. dollars for countries subject to U.S. sanctions, the bank said. The bank did pay $2.9 million to the U.S. Treasury Department in 2013 over apparent sanctions violations.
In fact, the consultant unearthed the transaction monitoring failures – which along with other AML lapses constituted "significant" violations of New York anti-money laundering law and the federal Bank Secrecy Act – earlier this year, the consent order states.
"Effective and responsible transaction monitoring systems are an essential tool in the battle against illicit transactions and terrorist financing in this age of risk. There is little doubt that the negligent conduct of this bank is the type of conduct that can fuel international criminal activity," said Superintendent Maria Vullo.
"If you miss one, you miss one": compliance officer
Intesa's compliance staff "utterly mismanaged" the bank's transaction monitoring system and repeatedly failed to properly identify suspicious transactions until they were discovered by the consultant, DFS said.
DFS added that when one Intesa compliance officer was questioned regarding unauthorized clearing of alerts – activity flagged by the transaction monitoring system for further review and possible escalation – he said written procedures were not being followed because it was "more efficient." The bank's automated system had generated a large number of "false positives," the compliance officer reportedly said.
"The unauthorized process being used was acceptable, he said, because a risk-based policy meant (at least to him) that 'if you miss one, you miss one,'" DFS quoted the compliance officer as having said.
During 2014, about 41 percent of the alerts "improperly closed through the unauthorized and ad hoc clearing process" were not false positives but alerts requiring further investigation, DFS said.
It added that the anti-money laundering compliance officer in the New York branch gave alert reviewers discretion "to decide for themselves how to review transactions based on what 'works best' for them – against the bank's written guidelines and contrary to established industry practices."
The problematic clearing of alerts was flagged by a compliance manager conducting a quality control review in 2014, but while the findings were mentioned in a quarterly report, the matter was never "escalated for higher-level review," DFS said. It added, though, that it is problematic that the bank's head office in Milan did not take note of the issue raised in the report.
The consent order requires the bank to take a number steps to improve its anti-money laundering compliance program and enhance oversight, including bolstering its customer due diligence, internal audit and oversight functions.
Money Gram Case, 13 Nov 2012
Former Chief Compliance Officer Can Be Held Personally Liable for AML Violations
Mar.07.2016
On January 8, the United States District Court for the District of Minnesota denied a motion by Thomas Haider, MoneyGram’s former chief compliance officer, to dismiss a government complaint seeking to hold him personally liable for a $1 million civil penalty for MoneyGram’s violations of the Bank Secrecy Act (BSA).
In particular, the court upheld the government’s theory that the BSA allows individual liability for willful violations of the Act’s requirement to maintain an effective anti-money laundering (AML) program, and that such violations can occur when a compliance officer fails to prevent willful AML program violations by his financial institution.
This represents only the second time that the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) has sued to enforce a civil penalty (the last was in 1994), and this decision appears to be the first to interpret FinCEN’s authority to impose individual liability for AML program violations. It will add fuel to a broader effort by FinCEN and other regulators to hold individuals accountable for AML related failures at their institutions.
MoneyGram entered into a deferred prosecution agreement in 2012 with the Department of Justice in which it admitted to willfully violating the BSA by failing to maintain an effective AML program in relation to repeated incidents of fraud conducted through MoneyGram agents.
FinCEN then assessed a $1 million individual civil penalty against Haider in December 2014, alleging that he violated the BSA’s AML program and suspicious activity reporting provisions by willfully failing to ensure that MoneyGram complied with its BSA obligations on the same facts. The United States Attorney for the Southern District of New York simultaneously brought suit on FinCEN’s behalf to obtain a judgment enforcing the assessed penalty, and also sought to bar Haider from participating in the affairs of a financial institution for a period of years to be determined at trial, the first time FinCEN has sought such an injunction.
Haider argued that he could not be held liable for violations of 31 U.S.C. § 5318(h) because it refers only to the obligation of “financial institutions” to maintain AML programs and does not specify any obligation for individuals, in contrast to other requirements that do. The court rejected this argument, reasoning that the statute’s general civil penalties provision at 31 U.S.C. § 5321(a), establishing penalties for any “domestic financial institution” or “partner, director, officer, or employee” thereof that willfully violates any provision of the BSA except for two excepted provisions, implied the availability of individual liability in non-excepted sections like § 5318(h).
The court also rejected Haider’s argument that the government’s assessment of a civil penalty against him without a prior administrative hearing before a neutral arbiter denied him due process. The court agreed with the government that the assessment itself did not deprive Haider of any property interest because the government was required under the structure of the BSA to file a civil action to enforce it, with factual issues of liability to be determined at trial on a de novo standard of review after full discovery. This holding is consistent with previous BSA actions, but represents a significant difference between enforcement under the BSA and enforcement by other financial regulators, where administrative proceedings before the assessment of a penalty result in a deferential standard of review by federal courts on a record compiled by the agency.
RBS Qatar Case, 20 Jul 2014
The QFC Regulatory Authority has decided to issue a public censure against H. R. Deane, a former employee of the QFC branch of an RBS and to prohibit her from performing any controlled function. This action was taken because Ms Deane provided false and misleading information to the QFC Regulatory Authority. As the person approved to perform the Compliance Oversight and Money Laundering Reporting Officer (MLRO) controlled functions for her employer, Ms Deane was required to have certain regulatory qualifications. Ms Deane misled the QFC Regulatory Authority by representing that she had successfully met those requirements when in fact she had not and when asked to provide evidence that she had obtained the qualifications, Ms Deane provided false and misleading information.
The QFC Regulatory Authority censures Ms Deane under Article 58 of the Financial Services Regulations because she deliberately:
· provided false and misleading information to the Regulatory Authority; and
· concealed information which misled or deceived the Regulatory Authority.
Further, as an approved individual who was subject to the Principles of Conduct for Approved Individuals, Ms Deane committed contraventions in that she:
· failed to act with integrity; and
· failed to deal with the QFC Regulatory Authority to provide information of which the QFC Regulatory Authority would reasonably expect notice. Mr Michael Ryan, CEO of the QFC Regulatory Authority said: “The action taken by the QFC Regulatory Authority reinforces the high professional standards required of employees in the QFC, who must act with integrity and honesty at all times.”
Al MAL Bank Case, 9 May 2012
Disciplinary actions taken by the QFC Regulatory Authority (the “Regulatory Authority”) against Mr K. Chaudhry have been upheld by the QFC Regulatory Tribunal (the “Tribunal”).
These appeals were the first to be heard by the Tribunal. The disciplinary actions relate to failings by the former officer of Al Mal Bank LLC (“Al Mal”), in the performance of the duties while serving as officer of Al Mal.
The Regulatory Authority previously took action to impose a fine on Al Mal and withdraw its authorisation. Al Mal was placed in liquidation in June 2010. Mr Chaudhry was its First Vice President, Compliance. The Regulatory Authority found that he committed serious contraventions of the Regulatory Authority’s rules and regulations and provisions of the Financial Services Regulations. Mr Chaudhry recklessly prepared and submitted Board minutes of Al Mal to the Regulatory Authority which were false or misleading. In relation to Mr Chaudhry, the Regulatory Authority imposed a financial penalty of US$20,000 and a prohibition from performing the Compliance Oversight Function for any authorised firm in the QFC for a period of 12 months.