The Financial Crimes Enforcement Network (FinCEN) and Office of the Comptroller of the Currency (OCC) yesterday announced the assessment of a $7 million civil money penalty against Merchants Bank of California of Carson, California, for willful violations of several provisions of the Bank Secrecy Act (BSA). (The FinCEN press release is here and assessment is here; the OCC press release is here and consent order is here.) FinCEN and the OCC found that the bank failed to (a) establish and implement an adequate anti-money laundering (AML) program, (b) conduct required due diligence on its foreign correspondent accounts, and (c) detect and report suspicious activity. FinCEN found that “Merchants’ failures allowed billions of dollars to flow through the U.S. financial system without effective monitoring to adequately detect and report suspicious activity. Many of these transactions were conducted on behalf of money services businesses (MSBs) that were owned or managed by Bank insiders who encouraged staff to process these transactions without question or face potential dismissal or retaliation.” In addition, FinCEN determined that bank insiders directly interfered with the BSA staff’s attempts to investigate suspicious activity related to these insider-owned accounts.
The OCC (Merchants’ federal functional regulator) previously identified deficiencies in Merchants’ BSA/AML compliance program which resulted in the issuance of consent orders in June 2010 and June 2014. Those consent orders required the bank to correct deficiencies in all four pillars of its BSA program (the system of internal controls, independent testing, a designated individual or individuals responsible for coordinating and monitoring BSA/AML compliance, and training for appropriate personnel). OCC concluded that Merchants violated numerous provisions of those consent orders, which no doubt contributed to the decision by FinCEN and the OCC to impose such a significant civil money penalty against the bank.
Merchants specialized in providing banking services for check-cashers and money transmitters (commonly referred to as “money services businesses” or MSBs). However, FinCEN found that it provided those services without adequately assessing the money laundering risks and without designing an effective AML program. Merchants also provided its high-risk customers with remote deposit capture services without adequate procedures for monitoring their use.
FinCEN’s assessment disclosed that one of Merchants’ MSB customers was the subject of a federal criminal investigation into its anti-money laundering compliance program. That customer, a Los Angeles-based check cashing store, its head manager, and its designated anti-money laundering compliance officer eventually pleaded guilty to criminal charges including conspiracy to fail to file currency transactions reports (CTRs) and failing to maintain an effective anti-money laundering program in connection with over $8 million in transactions. The head manager was sentenced to 5 years in prison, and the AML compliance officer was sentenced to 8 months in prison. FinCEN concluded that even after learning that this customer was under criminal investigation in February 2012, Merchants failed to report the customer and its activity on a Suspicious Activity Report (SAR).
According to FinCEN, Merchants also failed to provide the necessary level of authority, independence, and responsibility to its BSA officer to ensure compliance with the BSA as required, and compliance staff was not empowered with sufficient authority to implement the Bank’s AML program. Merchants’ leadership impeded BSA analysts and other employees from investigating activity on transactions associated with accounts that were affiliated with Bank executives, and the activity in these accounts went unreported for many years. FinCEN found that Merchants’ interest in revenue compromised efforts to effectively manage and mitigate its deficiencies and risks.
In addition, Merchants banked customers located in several jurisdictions considered to be high-risk but did not identify these customers as foreign correspondent customers and therefore did not implement the required customer due diligence program. In a three-month period, Merchants processed a combined $192 million in high-risk wire transfers through some of these accounts.
Merchants consented to imposition of the $7 million civil money penalty and accepted the findings of FinCEN that the bank had willfully violated the BSA’s program, recordkeeping, and reporting requirements. Merchants also consented to imposition of another OCC consent order. Notably, FinCEN’s settlement with Merchants does not preclude consideration of separate enforcement actions that may be warranted with respect to any financial institution or any partner, director, officer, or employee of a financial institution, suggesting the possibility that future criminal or civil enforcement actions may be forthcoming.
The specific findings made by FinCEN and accepted by the bank are outlined in more detail below.
- Failure to Establish and Implement an Adequate AML Program
The OCC requires each bank under its supervision to develop and provide for the continued administration of a program reasonably designed to assure and monitor compliance with the BSA’s recordkeeping and reporting requirements. At a minimum, a bank’s AML compliance program must: (a) provide for a system of internal controls to assure ongoing compliance; (b) provide for independent testing for compliance to be conducted by bank personnel or by an outside party; (c) designate an individual or individuals responsible for coordinating and monitoring day-to-day compliance; and (d) provide training for appropriate personnel. FinCEN found that Merchants failed to establish and maintain adequate internal controls to assure ongoing compliance. In particular, Merchants did not conduct a sufficient independent audit commensurate with the institution’s complexity and risk profile; it failed to provide the necessary level of authority, independence, and responsibility to its BSA Officer to ensure day-to-day compliance; and it did not provide adequate training for appropriate personnel.
Merchants provided banking services for as many as 165 check-cashing customers and 44 money transmitters, many of which were located hundreds of miles away from the bank. According to the assessment, Merchants did so without adequately assessing the money laundering risk of these customers and designing an effective AML program to address those risks. Specifically, it did not implement adequate due diligence programs and provided its high-risk customers with remote deposit capture services (RDC) without adequate procedures for monitoring their use. In addition, in several instances, bank insiders directly interfered with the BSA staff’s attempts to investigate suspicious activity related to insider-owned accounts. Insiders owned or managed MSBs, which had accounts at Merchants, and from 2007 to September 2016 certain of these accounts demonstrated highly suspicious transaction patterns including possible layering schemes, transactions not commensurate with the business’s purpose, and commingling of funds between two independent check cashing entities. Merchants’s leadership impeded BSA analysts and other employees investigating activity on transactions associated with accounts that were affiliated with Bank executives, and the activity in these accounts went unreported for many years. Employees who attempted to report suspicious activity in these accounts were threatened with possible dismissal or retaliation. Merchants’s executives weakened the Bank’s AML program by creating a culture that did not sufficiently detect or report on suspicious activity involving the accounts of insiders.
Until 2015, Merchants failed to conduct an independent audit that was commensurate with the Bank’s customer complexity and risk profile. Merchants is required to conduct independent compliance testing commensurate with the BSA/AML risk profile of the Bank to monitor and maintain an adequate program. By not conducting the required independent review, Merchants was unable to identify vulnerabilities in its compliance program and properly monitor the account activity of its customers to detect suspicious activity going through the Bank.
Merchants failed to have proper requirements within the Bank’s AML program to ensure that the audit firm conducted a comprehensive independent audit of its program. Specifically, Merchants failed to adequately review the engagement proposal of the audit firm to confirm it was sufficient in scope to identify weaknesses in the Bank’s program.
Merchants’ independent audit was not commensurate to the risk and complexity of the types of customers Merchants served, including its high-risk MSB customers. Therefore the 2012 independent audit failed to identify internal control deficiencies in Merchants’s AML program. The audit’s scope, procedures, and transaction review of Merchants’s independent testing were inadequate, given the bank’s high-risk customer base. In 2014, a new independent consultant conducted an audit but failed to identify significant gaps in Merchants’s overall BSA compliance program. In 2015, Merchants hired a different independent consultant only to conduct a required SAR look-back review of the bank’s MSB account activity. During this review, the consultant identified a number of AML compliance issues that Merchants’s former auditors failed to identify. The consultant identified issues that were consistent with Merchants’s internal controls violations related to providing banking services to high-risk MSBs without implementing the appropriate risk-based controls required by the BSA or creating an appropriate due diligence program.
2. Due Diligence Program for Correspondent Accounts
From 2008 to 2014, Merchants failed to maintain a due diligence program for foreign correspondent accounts, which FinCEN refers to as “gateways to the U.S. financial system.” In particular, FinCEN concluded that the bank did not have policies and procedures to elevate foreign correspondent bank customers for enhanced due diligence, as required by the USA PATRIOT Act. For example, Merchants had four banking customers located in several jurisdictions considered to be high-risk including Honduras, Mexico, Colombia, and Romania but did not identify these customers as foreign correspondent customers, and therefore did not implement the required customer due diligence program. These four customers sent and received a combined $192 million in high-risk wire transfers during the period of August 2014 through October 2014. Merchants failed to establish adequate alert parameters for these accounts, resulting in the exclusion of this wire activity from monthly transactional monitoring because the bank failed to establish appropriate alert parameters on the accounts. Merchants also failed to identify suspicious wires and report that activity to FinCEN during this time.
3. Failure to Report Suspicious Transactions
The BSA and its implementing regulations impose an obligation on banks to report transactions that involve or aggregate to at least $5,000, are conducted by, at, or through the bank, and that the bank “knows, suspects, or has reason to suspect” are suspicious. A transaction is “suspicious” if the transaction: (a) involves funds derived from illegal activities, or is conducted to disguise funds derived from illegal activities; (b) is designed to evade the reporting or recordkeeping requirements of the BSA or regulations under the Act; or (c) has no business or apparent lawful purpose or is not the sort in which the customer normally would be expected to engage, and the bank knows of no reasonable explanation for the transaction after examining the available facts, including background and possible purpose of the transaction. From 2012 to 2016, Merchants failed to adequately monitor billions of dollars of transactions for suspicious activity. Because of this failure, Merchants failed to file or file timely on hundreds of millions of dollars of suspicious activity including millions of dollars of transactions of 57 of its customers later identified as part of an independent look-back review.
FinCEN determined that many of Merchants’ failures to file or file timely SARs were related to its higher-risk MSB customers’ activities, which were inconsistent with the anticipated behavior, stated business purpose, or customer profile information of these MSBs. FinCEN’s assessment set forth the following examples:
- One of the MSB customers was a money transmitter located in the basement of the owner’s private residence in New York. Despite several red flags resulting from Merchants’s account review, including the fact that this MSB was the subject of multiple information requests from law enforcement, had significant increases in its account activity, and its wire transfers were, in two instances, rejected by another bank, Merchants determined that its activities were not suspicious and failed to timely file a SAR.
- Merchants failed to file a SAR on another MSB customer engaging in suspicious activity. In a six-month period between 2011 and 2012, the MSB conducted approximately $500,000 and $700,000 in deposits and withdrawals, respectively, and received over $1.3 million in wire transfers. Within two to three days of receiving the funds, the MSB wrote large checks, cashing them out at other financial institutions. In January 2012, Merchants conducted a due diligence analysis on the same MSB’s activity and did not consider it suspicious. In February 2012, after learning of a criminal investigation involving the MSB, Merchants again conducted a due diligence analysis and again failed to report the customer and its activity in a SAR. As noted above, on September 19, 2012, the MSB, its manager, and its compliance officer pleaded guilty to eight counts of failing to file currency transaction reports and one count of failing to maintain an effective AML program.
- Merchants failed to file a SAR on another licensed money transmitter and seller of money orders with physical locations in Nevada and California. This MSB’s customer base was located in Russia, Armenia, the United Kingdom, and Germany, and the MSB sent most of its money transmissions to these regions. Merchants rated this account as high-risk and conducted an account review, which indicated that for several months, the volume of account activity had significantly exceeded the anticipated activity established by the MSB during the account application process. Although the review indicated that Merchants asked the MSB for an explanation of its unexpected account behavior, the customer never provided the requested information and the Bank failed to investigate further. Merchants also failed to identify evidence of structuring flowing through the account.
In 2015, an independent consultant completed a look-back review of a sample of 100 of Merchants’s high-risk MSB accounts for the period of July 1, 2012 through June 30, 2014. The look-back review identified 57 customer accounts with activity that was deemed potentially suspicious and required escalation to management level along with an additional 11 customer accounts requiring further review due to a lack of documentation or a lack of transparency in the customer transactions. As a result of the look-back review, Merchants filed SARs on the activity and transactions identified through the review. The late SAR filings included reports covering structured transactions that were conducted through Merchants for two consecutive years totaling over $400 million. The subjects of one of the SARs engaged in a suspicious pattern of cashing multiple structured checks made to the order of the same individuals in Mexico without providing information concerning source of funds. Also, these subjects engaged in several suspicious wire transfers to the Office of Foreign Assets Control sanctioned countries. These same subjects were under a U.S. federal law enforcement investigation for fraudulent tax returns. This activity started in 2014 and was reported on a SAR two years later only after Merchants was required to conduct a look-back review. Another late SAR covered transactions worth over $395 million related to customers conducting large wire transfers between multiple foreign financial institutions without validating the source of funds or identifying the ultimate beneficiary. This activity resulted in large payouts to unknown entities in Colombia.