2015 Review of BSA/AML and Sanctions Developments

This post highlights what we believe to be the most significant developments and trends during 2015 for financial institutions with respect to U.S. Bank Secrecy Act/anti-money-laundering (“BSA/AML”) and U.S. sanctions programs, including sanctions administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”). In 2015, the overarching trend continued to be an intense focus on BSA/AML and sanctions compliance by multiple government agencies, combined with increasing regulatory expectations and significant enforcement actions and penalties, and an increased focus on individuals. Government agencies continued to emphasize money-laundering and terrorist-financing risks, threats and vulnerabilities seen in prior years, as well as the emergence of certain new threats associated with advances in technology. We do not see these trends abating in the near term.

Executive Summary

In 2015, we continued to see record-setting fines and significant criminal prosecutions and enforcement actions against financial institutions for violations of BSA/AML and sanctions laws. As of year-end 2015, four of the five largest banks by asset size were subject to public enforcement actions addressing BSA/AML or sanctions compliance concerns. Of the 151 public enforcement actions issued by the federal banking agencies against financial institutions in 2015, 34 (approximately 22 percent) addressed primarily BSA/AML compliance concerns, while nine (approximately six percent) addressed both BSA/AML and OFAC or only OFAC sanctions compliance concerns. Accordingly, more than 28 percent of public enforcement actions issued by federal banking agencies against financial institutions in 2015 addressed BSA/AML and/or OFAC sanctions concerns. These statistics leave no doubt that BSA/AML and OFAC compliance risk management must remain a focus of boards of directors and senior management of financial institutions.

Importantly, in 2015 we saw a continued focus on holding individuals accountable in corporate cases. This emphasis was apparent in a new policy from the U.S. Department of Justice (the “DOJ”) addressing individual liability in matters of corporate wrongdoing, new proposed regulations from the New York Department of Financial Services (“DFS”), public enforcement actions, and the public remarks of high-level agency officials. For example, Mary Jo White, Chair of the Securities and Exchange Commission (“SEC”) stated that “in the enforcement arena, the most effective deterrent is strong enforcement against responsible individuals, especially senior executives,” while Stanley Fischer, Vice Chairman of the Federal Reserve, observed that individuals responsible for some of the “worst aspects of bank behavior” have not been punished severely and that this may have resulted in misaligned incentives and ineffective risk management, and Benjamin M. Lawsky, then-Superintendent of the DFS, highlighted the DFS’s “actions to expose and penalize misconduct by individual senior executives—including all the way up to the C-Suite, when appropriate.”

We anticipate this focus will continue in 2016, with regulators and law enforcement increasingly seeking to hold individual directors, officers and employees accountable in cases arising from corporate investigations.

At the same time, we also saw an emphasis on traditional money-laundering and terrorist-financing risks, threats and vulnerabilities, both in the banking agencies’ enforcement actions and in the publication of the National Money Laundering Risk Assessment (“NMLRA”) and the National Terrorist Financing Risk Assessment (“NTFRA”). In 2015, regulators and law enforcement focused heavily on customer-based risk and, in particular, risks presented by third-party payment processors and correspondent banking customers. This is not a new emphasis, and it has almost certainly contributed to the “de-risking” we discuss later in this memorandum. Indeed, the NMLRA and NTFRA warn of the particular vulnerabilities associated with correspondent banking (and, in the case of the NMLRA, third-party payment processing).

The long-awaited assessments—the last NMLRA was published 10 years ago and this is the first NTFRA—provided insights into these and other familiar risks, threats and vulnerabilities facing the U.S. financial system, including: widespread use of cash (e.g., bulk cash smuggling), use of funnel accounts and trade-based money-laundering (“TBML”) schemes, use of structured transactions to avoid reporting requirements, unregistered money service businesses (“MSBs”), concealment of the nature, purpose, ownership and control of accounts (e.g., master/sub accounts, omnibus accounts and intermediated relationships), AML compliance deficiencies, and complicit merchants and violators within financial institutions. The assessments also highlighted several risks, threats and vulnerabilities associated with advancements in technology, including virtual currency and cybercrime. In particular, according to the NMLRA, “the rapid evolution of the market, the development of new business models and entry of new virtual currency payments developers and providers—many from a non-financial services environment (e.g., the technology sector), where industry is not as highly regulated as in the financial sector—together with the potential to operate without a domestic presence, is leading to service providers entering the market that do not comply with BSA obligations.” As a result, virtual currencies and other new payment technologies are vulnerable to exploitation by cybercriminals for money-laundering purposes. The NTFRA similarly identified virtual currency and cybercrime as potential emerging terrorist-financing threats and vulnerabilities.

The NMLRA and NTFRA findings highlight a final trend we observed in 2015: the increasing convergence of cybersecurity and virtual currency, on the one hand, with BSA/AML and sanctions compliance, on the other hand. It is unclear what the practical implications of convergence will be. With respect to cybersecurity, regulators focused on cyber-preparedness and the incorporation of cybersecurity considerations into the BSA/AML frameworks of individual institutions. At the same time, there was a recognition that the response to cyber threats needs to be broad-based. Indeed, in the Cybersecurity Act of 2015, Congress acknowledged the need for a broad-based response, empowering institutions to share cybersecurity information with one another—information that may be key to thwarting money-laundering and terrorist financing.

With respect to virtual currencies, in 2015, the Conference of State Bank Supervisors issued a model regulatory framework, and at least one state issued final rules for regulating virtual currency firms, each of which includes provisions related to BSA/AML compliance, and the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) highlighted virtual currency as an ongoing priority, including through its first enforcement action against a virtual currency exchange.

In sum, the clear trend continues to be an intense focus on BSA/AML and sanctions compliance by multiple government agencies, combined with increasing regulatory expectations and significant enforcement actions and penalties, and an increasing focus on individuals. Institutions remain potentially vulnerable to all of the money-laundering and terrorist-financing risks, threats and vulnerabilities seen in the past, plus an expanding list of new threats stemming from advances in technology. We do not see these trends abating soon. Accordingly, BSA/AML and OFAC compliance risk management must remain a focus of boards of directors and senior management of financial institutions, and financial institutions must remain aware of their vulnerabilities, assess the risk of their activities and client base, and take appropriate measures to mitigate those risks and remediate any deficiencies.

The complete publication, including footnotes, is available here.