2014 Year-End Review of BSA/AML and Sanctions Developments

This post highlights what we believe to be the most significant developments during 2014 for financial institutions with respect to U.S. Bank Secrecy Act/anti-money laundering (“BSA/AML”) and U.S. sanctions programs, including sanctions administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”), and identifies significant trends. The overarching trend that is likely to continue for the foreseeable future is an intense focus on BSA/AML and sanctions compliance by multiple government agencies, combined with increasing regulatory expectations and significant enforcement actions and penalties.

Executive Summary

The year 2014 was marked by record-setting fines and precedent-setting criminal prosecutions and enforcement actions against financial institutions for violations of BSA/AML and sanctions laws. In addition, individuals faced personal liability and public accountability for their actions and for compliance-related deficiencies within their areas of responsibility. In light of the increased risk environment, and new and heightened expectations of regulators and enforcement agencies, compliance and risk management must be a focus of boards of directors and senior management of financial institutions.

We discuss in Part I of the complete publication the new and heightened expectations with regard to compliance risk management and the culture of compliance. Risk management-related weaknesses associated with BSA/AML and OFAC compliance are at the core of several of the most high-profile and costly enforcement actions taken by regulators and law enforcement in 2014, and the banking regulators have repeatedly cited them as among the issues driving Matters Requiring Attention (“MRAs”), Matters Requiring Immediate Attention, and enforcement actions.

These developments leave no room for doubt that BSA/AML and OFAC sanctions compliance are of critical importance in structuring a risk-governance framework that is consistent with regulatory expectations. In 2014, the Board of Governors of the Federal Reserve System (the “Federal Reserve”) and the Office of the Comptroller of the Currency (the “OCC”) both established formal heightened risk management expectations for certain large financial institutions. Although those expectations do not specifically reference BSA/AML and OFAC compliance risks, it is imperative that financial institutions properly account for those risks in developing, maintaining, and updating their risk-management frameworks. The regulatory emphasis on BSA/AML and OFAC compliance risk-management seems unlikely to abate in the near term.

At the same time, regulators and law enforcement expressed concern in 2014 that some institutions are “de-risking,” or exiting whole business lines that carry increased risk, instead of improving risk management and controls and evaluating customers individually. In 2014, regulators placed particular emphasis on relationships with money services businesses (“MSBs”) and third-party payment processors (“TPPPs”). Concerns were also voiced by foreign businesses and countries that believe themselves excluded from the U.S. banking system. The concerns regarding “de-risking”—when juxtaposed with the intense regulatory scrutiny risk management practices are now receiving and the potentially severe consequences institutions and individuals face for BSA/AML and OFAC compliance-related lapses—present financial institutions with a dilemma. It is costly to maintain BSA/AML and OFAC compliance systems and controls sufficient to properly manage risks associated with these businesses (which typically are not significant revenue generators for banks), and, as mentioned, there are potentially severe consequences for mismanaging those risks. Weighing the costs and benefits, a financial institution could reasonably conclude that the potential down-sides of maintaining MSBs, TPPPs, or other potentially high-risk businesses as customers outweigh the possible rewards. Until benefits come to better align with costs, “de-risking” will continue to be an issue.

For these and other reasons, including protestations from businesses and even countries that believe themselves excluded from the U.S. banking system, we believe regulatory interest in the “de-risking” phenomenon with respect to MSBs and TPPPs will likely continue for the foreseeable future. Further, as the social and technological landscapes in the United States continue to evolve, this interest will almost certainly expand to other business lines and customers that may carry increased risk. In this regard, we see digital wallet services, mobile and other alternative payment systems, virtual currencies, and newly legal (at the state or local level) marijuana businesses as possible targets in 2015 for, simultaneously, risk-related regulatory focus and regulatory “de-risking” concerns. In 2015, financial institutions will almost certainly be presented with novel challenges related to properly identifying and managing the risks associated with these and other advancements, requiring institutions to make complex, but important, risk-related decisions. Although regulators have in the past shown a willingness to address risk management-related issues presented by advancements when they arise, including by issuing several pieces of guidance in 2014 pertaining to MSBs, TPPPs, and virtual currency, it seems doubtful that guidance will be able to keep pace—all the more reason for financial institutions to have in place a robust risk-management framework.

This year also focused institutions on the importance of maintaining a “culture” of compliance and risk management. Regulators sent a strong signal that a robust risk-management framework that is consistent with regulatory expectations will not be enough by itself; rather, to be truly effective, the framework must be reinforced by the proper “tone at the top.” In 2014, regulators placed the responsibility squarely on the shoulders of management (and, to a meaningful extent, boards of directors) to build and maintain (and in the case of boards, to oversee) a strong risk culture that promotes responsible business practices and safety and soundness. On a similar note, throughout 2014, various factions within the U.S. government and members of the media called repeatedly—and vocally—for accountability for BSA/AML and OFAC compliance failures, up to and including potential criminal liability. Further, 2014 continued to demonstrate that the consequences of BSA/AML weaknesses, even where there are less serious enforcement actions, are likely to lead to supervisory ratings downgrades, which can preclude expansion and other activities.

We see one additional BSA/AML-related development in 2014 as presenting particular challenges to financial institutions. In July, the Financial Crimes Enforcement Network (“FinCEN”) proposed amendments to existing BSA regulations that would impose explicit customer due diligence (“CDD”) requirements, including a new beneficial ownership requirement (the “Proposed CDD Rule”). The Federal Financial Institutions Examination Council BSA/AML (“FFIEC BSA”) Examination Manual and other guidance identify CDD as the cornerstone of a strong BSA/AML compliance program, but FinCEN regulations currently do not include explicit CDD requirements. The codification of CDD suggests that CDD will be an area of continued regulatory interest and a prospective enforcement focus. The new beneficial ownership requirements, in particular, would pose challenges to financial institutions, particularly where legal entity customers have complex or opaque ownership and control structures or are domiciled in secrecy jurisdictions. These and other significant BSA/AML-specific developments during 2014 are discussed in Part II of the complete publication.

In Part III of the complete publication, we discuss U.S. sanctions developments. The year 2014 was active in this regard. Of perhaps most significance, the United States, in response to the Russian intervention in Ukraine, established several sanctions programs targeting various persons and entities—generally in Russia—with the goal of stabilizing the situation in Ukraine and of influencing the policy of the Russian Federation towards the situation in Ukraine. Although these programs generally continued the recent trend in sanctions administered by OFAC towards the use of targeted and list-based sanctions, in December 2014, the United States imposed a broad and comprehensive ban on trade and investment in the Crimea region of Ukraine.

The targeted sanctions under the Ukraine-related sanctions programs, and questions thereunder, appeared to lead OFAC to revisit prior guidance issued in 2008 regarding the approach that U.S. persons must take when dealing with entities that are owned or controlled by one or more sanctions-targeted persons or entities. The new guidance had the effect of making dealings with such entities more likely to be problematic, and also heightened the importance of due diligence by financial institutions and others as to matters of beneficial ownership.

After several years of seemingly constant change, most particularly as a result of legislative initiatives, Iran-related sanctions stayed relatively constant in 2014 while the U.S. and the other P5+1 nations continue a dialogue with Iran over its nuclear ambitions. However, in December 2014, President Obama announced a major change in U.S. policy towards Cuba, announcing that the United States and Cuba would move to normalize diplomatic and economic relations and the United States would implement significant changes to its sanctions policies and regulations with respect to Cuba. These changes were implemented in January 2015.

Although Congress did not enact material new Iran-related sanctions, Congress remained active in the sanctions area. Congress passed additional Ukraine-related sanctions, in the Ukraine Freedom and Support Act, and adopted for the first time legislation that requires the President of the United States to impose sanctions on officials of the Government of Venezuela or their proxies if the President determines they have engaged in human rights abuses in response to anti-government protests that began in February 2014.

Finally, this year has also been groundbreaking in the area of sanctions and BSA/AML enforcement. We have now seen the first guilty pleas in federal and New York state courts with respect to violations of OFAC sanctions regimes by a large, globally important financial institution, BNP Paribas S.A. (“BNP Paribas”), and the imposition of money penalties—roughly $8.9 billion—that were exponentially larger than amounts previously imposed. BNP Paribas was also subject to the first suspension imposed on U.S. dollar clearing services in connection with settling sanctions violations. There was also increased sanctions enforcement activity against entities providing custody and other financial intermediary services, in particular a multi-million settlement between OFAC and Clearstream Banking S.A. (“Clearstream”). In the BSA/AML sphere, JPMorgan Chase Bank, N.A. (“JPMC”), entered into a deferred prosecution agreement and was assessed over $2 billion in penalties in an action that gave rise to concerns that the government could impose severe sanctions for failure to file a single suspicious activity report (“SAR”) in the absence of broader BSA/AML program failures. In both the BSA/AML and sanctions areas, enforcement actions increasingly focused on publicly identifying individuals involved in wrongdoing and holding those individuals, including compliance officers, accountable.

In summary, 2014 saw increasing compliance burdens coupled with increasingly stringent enforcement measures in an environment where regulatory expectations remain both increasing and not clearly articulated. Taken together, it appears that compliance-related risk has increased substantially when measured against periods prior to 2014.

The complete publication is available here.