Office of the Comptroller of the Currency (OCC)

OCC Identifies AML/BSA and Cyber Threats as Elevated Risks Facing Banks

Last week, the Office of the Comptroller of the Currency (“OCC”) published the Spring 2018 Semiannual Risk Perspective (the “Report”), which uses up-to-date data to identify risks to U.S. banks and measure their compliance with applicable laws and regulations.  The Report concluded that some of the OCC’s primary concerns are with banks’ abilities to comply with the anti‑money laundering (“AML”) laws and regulations, as well as to manage risks associated with cybersecurity threats.

Many of the OCC’s observations and recommendations remained the same from its Fall 2017 report, about which we previously blogged, begging readers to wonder what will spur less conversation and potentially more action among OCC-supervised banks or concrete guidance by the OCC.  Regardless, a common thread running throughout both reports is the potential risk presented to financial institutions by emerging technologies, which carry the simultaneous blessing and curse of business opportunities and compliance risks. Continue Reading OCC Report: Same Threats, Different Season

Incorporation Solidifies Customer Due Diligence as “Fifth Pillar” to BSA/AML Compliance Program

May 11, 2018 was the much anticipated effective date for the Customer Due Diligence (“CDD”) Requirements for Financial Institutions Rule (the “Beneficial Ownership Rule”) issued by the Department of Treasury’s Financial Crimes Enforcement Network (“FinCEN”). On the same day, the Federal Financial Institutions Examination Council (“FFIEC”) released two updates to the Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) examination manual that incorporate and clarify the CDD Requirements and Beneficial Ownership Rule.  The FFIEC is an interagency body that is “empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions.”  The FFIEC examination manual drives the principles and obligations of covered financial institutions in creating BSA/AML compliance programs.  The new updates further clarify the FinCEN rules and solidify CDD as the fifth pillar of the BSA/AML compliance regime.

As we previously blogged here, when FinCEN announced its final rule on CDD requirements it established two important requirements for covered financial institutions.  First, the covered financial institutions were required to establish procedures to identify and verify the beneficial owners of all legal entity customers. Second, the rule required covered financial institutions to adopt ongoing risk-based CDD procedures as part of their AML compliance programs – including developing and updating customer risk profiles and conducting ongoing AML monitoring.  We previously provided practical guidance to aid covered financial institutions in preparing for implementation of these two requirements.  Now we will highlight the key considerations of the FFIEC examination manual addressing these topics.  Of particular interest, the new FFIEC examination manual provisions state in part that regulatory examiners are not supposed to engage in second-guessing specific decisions; rather, during an examination “the bank should not be criticized for individual customer decisions unless it impacts the effectiveness of the overall CDD program, or is accompanied by evidence of bad faith or other aggravating factors.” Continue Reading FFIEC Manual Incorporates Beneficial Ownership Rule and CDD Requirements

Last week, the Office of the Comptroller of the Currency (“OCC”) released its semiannual risk report (“Report”) highlighting credit, operational, and compliance risks to the federal banking system.  The Report focuses on issues that pose threats to those financial institutions regulated by the OCC and is intended to be used as a resource by those financial institutions to address the key concerns identified by the OCC.  Specifically, the OCC places cybersecurity and Anti-Money Laundering (“AML”) among the top concerns highlighted in the Report.  The Report further observes that the total number of enforcement actions by the OCC against banks — instituted for any kind of alleged violations — has declined steadily after peaking in 2009. Continue Reading OCC Report: Cybersecurity and Money Laundering Threats are the Key Risks Facing Banks

FinCEN recently announced entry of a $2 million assessment against Lone Star National Bank, a private bank operating out of Texas, for the bank’s allegedly willful violations of the Bank Secrecy Act (“BSA”) and inadequate Anti-Money Laundering (“AML”) monitoring programs.  The primary violations relate to Lone Star’s alleged failure to comply with due diligence requirements imposed by Section 312 of the USA PATRIOT Act in establishing and conducting its correspondent banking relationship with a Mexican bank.  As a result of Lone Star’s insufficient due diligence and AML program, the Mexican bank was “allowed to move hundreds of millions of U.S. dollars in suspicious cash shipments through the U.S. financial system in less than two years.”  FinCEN’s announcement warns that this “action underscores the dangers that institutions face when taking on international correspondence activities without properly equipping themselves” to manage the enhanced obligations that arise with such relationships.

This new FinCEN assessment underscores the continued regulatory interest in the AML risks presented by correspondent banking relationships. We therefore first will provide a brief overview of correspondent banking relationships and the enhanced regulatory attention often paid to them. Armed with this context, we then will analyze the findings and lessons learned from the Lone Star assessment, including the value touted by FinCEN of Lone Star’s efforts to cooperate with its own investigation. Further, this new assessment suggests that the U.S. government does not always present a consistent voice regarding correspondent banking relationships: although the U.S. Treasury has tried to encourage financial institutions in general to not “de-risk” and thereby terminate correspondent banking relationships, we see that enforcement agencies continue to penalize institutions in individual cases for not mitigating sufficiently the risks of correspondent banking. Continue Reading FinCEN Fines Texas Bank $2M for Alleged Failure to Vet and Monitor Mexican Correspondent Banking Relationship – But Touts Bank’s Cooperation

As widely reported, Spanish police last year raided the Madrid offices of the Chinese state-run Industrial and Commercial Bank of China (“ICBC”), the world’s biggest bank by assets. In the nearly 18 months following that raid and the numerous arrests made at that time, very little information about this money laundering investigation became known publicly. That is, until Reuters recently published a lengthy article resulting from its review of “thousands of pages of confidential case submissions” and its “interviews with investigators and former ICBC employees.” The article raises numerous questions regarding the enforcement of European money laundering laws against Chinese banks operating abroad, as well as certain unique political and diplomatic considerations that may exist in those enforcement efforts. Below, we will compare these efforts with similar U.S. enforcement efforts, which are potentially gaining steam. Continue Reading High-Profile Spanish Money Laundering Investigation of Chinese Bank Raises Questions About Future of Similar U.S. Enforcement

The Supreme Court granted certiorari on April 3 to decide whether Jordan-based Arab Bank may be liable for claims including allegations that its New York branch processed transactions for known terrorists. While the central issue before the Court will be the scope of the Alien Tort Statute (“ATS”) – namely whether it permits corporate liability for violations of international law – Jesner v. Arab Bank also illustrates how alleged AML/BSA failures can lead to yet another avenue for secondary legal liability for financial institutions, as we previously have noted in other contexts. Depending on the outcome of the Court’s opinion in Jesner, such U.S. exposures may extend to foreign financial institutions even when the alleged conduct occurs primarily abroad. Continue Reading Weighing Corporate Liability under the Alien Tort Statute: What it Means for AML/CFT Controls

Employers increasingly face the difficult scenario of employees who misappropriate company data in the pursuit of whistleblower claims alleging misconduct by the employer. Such cases can present a complex mix of regulatory, cybersecurity, and employment issues. These issues were front and center in a recent whistleblower case pitting a bank against its former internal auditor, who engaged in computer-facilitated misappropriation of the bank’s confidential information allegedly to support whistleblower conduct.

The U.S. District Court for the Southern District of California recently declined to summarily adjudicate whether the employee’s confidentiality agreement precluded any whistleblower affirmative defense based on the employee’s alleged violation of computer fraud, contract, and tort laws. The whistleblower laws in question included the Bank Secrecy Act, Sarbanes-Oxley, Dodd-Frank, and the California Labor Code.

In Erhart v. Bofi Holding, plaintiff Charles Matthew Erhart filed a whistleblower complaint against his employer, Bank of the Internet (BofI), alleging BofI retaliated against him for reporting unlawful conduct to the government. BofI, in turn, filed a complaint, alleging that Erhart breached his employee confidentiality agreement by misappropriating confidential data relating to his employer and its clients and disseminating that data to the government, family members, and the national press.

Erhart illustrates the complex and practical problems faced by employers dealing with employees who engage in conduct that would otherwise constitute computer fraud, intellectual property theft, breaches of employment-related agreements and policies, and related tort claims under the mantle of “whistleblower.” A key issue in the case was whether Erhart would be entitled to pursue his retaliation claims before a jury or would be precluded from doing so as a matter of law given his computer-facilitated theft of confidential information. Continue Reading Bank Whistleblower Suits Highlight Limits of Employee Confidentiality Agreements