Individual Liability: FinCEN Issues Personal Penalty to Former Chief Compliance Officer

Last week, FinCEN assessed a $450,000 penalty against an attorney and former Chief Compliance Officer (CCO) at a major financial institution for a number of asserted failures related to the financial institution’s anti-money laundering (AML) program. This action follows an earlier Deferred Prosecution Agreement (DPA) entered into by the financial institution involving the Department of Justice and related civil actions by the Financial Crimes Enforcement Network (FinCEN) and the Office of the Comptroller of the Currency (OCC).

As a reminder of the risk landscape for companies and individuals related to AML program requirements, under 31 U.S.C. § 5321 and other civil provisions, corporations and individuals can face civil monetary penalties and industry debarment if financial regulatory agencies determine that they recklessly disregarded their obligations under the law. Under 31 U.S.C. § 5322, corporations and individuals can be held criminally liable and face criminal fines, civil forfeiture, and even prison if prosecutors establish that they had specific intent and sufficient control to cause the violation.

In the earlier DPA, the government found the financial institution maintained an alert management process to cap alerts generated by its suspicious activity alert systems, and internal communications reviewed by the government indicated that these caps were based on the financial institution’s relatively low number of AML staff rather than a substantive rationale. Regulators charged the financial institution with failing to address the alert capping when below-threshold testing revealed that the financial institution was missing a significant number of required Suspicious Activity Report (SAR) filings.

Two years after the DPA, FinCEN has now resolved an individual action against the Chief Compliance Officer for related conduct. FinCEN’s assessment focused on what it determined to be the person’s willful participation in Bank Secrecy Act violations by failing to respond to subordinate complaints about the alert capping process and failing to sufficiently inform the Board of Directors and the financial institution’s regulator about these limitations and their impacts.

The negotiated language in FinCEN’s assessment provides little direct insight into the facts resulting in the Chief Compliance Officer’s personal penalty. However, a close reading of FinCEN’s assessment laid against the facts in the DPA shows that the Chief Compliance Officer’s actions and inaction inhibited the financial institution’s ability to address deficiencies in its program. We expect that the following facts identified in these actions contributed to the personal penalty against the Chief Compliance Officer and to the government’s view that the person’s violations were willful.

• The financial institution’s AML Officer and several other employees raised concerns regarding the insufficient staffing, alert capping, and resulting missed suspicious activity with the Chief Compliance Officer as early as 2009. In each instance, the government found that the Chief Compliance Officer did not sufficiently respond to requests for more resources, failed to remove the improper alert capping, and, in 2012, was involved in the decision to discontinue the testing that was continually showing reporting failures.
• The Chief Compliance Officer is described as having personally misled the financial institution’s regulator about the financial institution’s alert capping process, including by providing non-responsive answers to the regulator’s inquiries, delaying responses to the regulator, and fostering an environment that inhibited subordinates from discussing the issues with the regulator.
• The Chief Compliance Officer is also said to have intentionally prevented information about AML program concerns from reaching the CEO, to whom the person reported, as well as the Board of Directors. The DPA indicates that the Chief Compliance Officer repeatedly dismissed, and failed to sufficiently raise, concerns with the Board and the CEO. The DPA includes the following specific assertion with respect to a PowerPoint presentation that had been prepared for the CEO by other AML managers in 2013:

 “The CCO reviewed the draft and removed references to alert caps from the presentation, added positive information about the [financial institution]’s AML program, and otherwise altered the deck to present a more favorable image of the [financial institution’s] AML program.”

• Eventually, the government found a newly-hired AML Officer went around the Chief Compliance Officer to raise concerns about the AML program to senior managers of the financial institution. The regulator’s examiners, after being frustrated by what they considered unresponsiveness, including from the Chief Compliance Officer, also went around the person to the financial institution’s more senior managers to raise their concerns about the AML program. After the new AML Officer and the regulator raised these concerns, the financial institution immediately began addressing the issues concerning alert capping and insufficient staffing.

Corporations, their directors, officers, and managers, as well as those with AML program responsibility, can take proactive steps to limit their exposure to personal as well as corporate liability.

Place and keep the right people in your compliance roles – The Chief Compliance Officer had no prior AML experience before assuming the compliance role, but AML is a specialized practice area in which experience matters especially for large, multi-service institutions. Review the qualifications of your hires relative to the size and complexity of your institution, conduct skills gap assessments of current employees, and provide targeted training to enhance employee capabilities.

Show your company prioritizes AML compliance – The financial institution had high turnover from losing AML investigators to their competitors due to below-market salaries. Regulators look to evidence that a company has dedicated appropriate resources to the AML program relative to its size and complexity, and this includes hiring enough qualified people to do the job, documenting staffing size decisions, and paying staff salaries at market rate reflecting the importance of their role.

Know what matters to your regulator – FinCEN specifically highlighted that the Chief Compliance Officer failed to implement lessons from a 2010 action against a different financial institution brought by FinCEN and the regulator for similar conduct. Track examiner inquiries from exam to exam, stay attuned to their yearly examination priorities, and read and internalize prior enforcement actions taken across the financial industry.

Document your decision-making – One employee of the financial institution reported that he or she specifically refrained from documenting a decision because of fear the regulator would find it to be unsupportable. Use written processes to drive intentional decisions and well-supported rationales for AML policies and procedures, including monitoring limits and caps. Make sure these decisions are something you could comfortably share with a regulator and use the exercise to test decision-making.

Provide avenues for employee concerns – The government found that multiple attempts made by new and existing financial institution AML staff to raise issues were ignored and disregarded by the Chief Compliance Officer. Create policies that demonstrate employees are welcome to raise questions about the AML program, provide avenues for anonymous or direct employee engagement, and positively recognize employees that identify compliance concerns. Document the outcomes of decisions where concerns are raised, whether the concerns are validated or not.

In sum, the FinCEN’s action is a sobering reminder that individuals in compliance roles may face personal liability related to the government’s determination that program failures have occurred at their institutions. However, such action is rare and not undertaken lightly by the government, and efforts towards the steps outlined as our Key Takeaways above will make a positive difference.

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Laurel Loomis Rimon, an O’Melveny partner licensed to practice law in the District of Columbia and California, Braddock Stevenson, an O'Melveny counsel licensed to practice law in New York and New Jersey, and Vivaan Nehru, an O'Melveny associate licensed to practice law in Maryland, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2020 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.