
FinCEN Hits Chief Risk Officer with $450k Penalty

Mar 18, 2020

You may remember a story we published back in July 2018 about how U.S. Bank was forced to pay $613 million in forfeitures and civil money penalties for “willfully violating the BSA’s requirements to implement and maintain an effective anti-money laundering (AML) program and to file Suspicious Activity Reports (SARs) in a timely manner.”

Long story short, U.S. Bank put a cap on the number of suspicious activity alerts its automated transaction monitoring software generated so it wouldn’t have to spend money on investigating them, according to FinCEN, the OCC, and the Justice Department. Just as bad, the bank didn’t even have enough people on staff to review the alerts that it did get.

This went on for years, preventing the bank from filing thousands of SARs. In just a six-month period from 2013 to 2014, the bank failed to report 1,528 SARs covering $318 million in suspicious activity. Some transactions were over six figures.

And now the former chief operational risk officer is dealing with another six-figure sum: a $450,000 civil money penalty.

What Went Wrong?

Michael LaFontaine got nailed because he was responsible for overseeing U.S. Bank’s compliance programs.  FinCEN and other regulatory agencies said that he failed to take “sufficient steps to ensure that the bank’s compliance division was appropriately staffed to meet regulatory expectations.”

Let’s take a closer look at his mistakes:

Poor due diligence. Wachovia got in trouble for a similar BSA violation in 2010, and LaFontaine should have recognized the parallels between Wachovia and U.S. Bank’s program or conducted further diligence to make an appropriate determination, the assessment of penalty says.

Employees told him there was a problem. Two anti-money laundering officers told him the system was flawed. Later LaFontaine recruited a new AMLO and chief compliance officer who also raised the alarm. They even put it at the top of a presentation they prepared for the CEO but LaFontaine skipped over that part.

The OCC warned him to stop. The OCC had repeatedly told the bank to stop putting a cap on alerts. It knew the caps existed because the bank had run below-threshold testing on the alert cap for years, finding that 30 percent to 80 percent of reviewed transactions would have required filing a SAR. Instead of ending the alert caps, LaFontaine ended below-threshold testing.

He didn’t hire enough staff. A 2009 memo to LaFontaine reported AML staff was “stretched dangerously thin.”

His employees felt the need to go above him. When he wouldn’t take action, the CCO and AMLO decided to go above LaFontaine’s head to the chief risk officer (who also moved slowly).

“Mr. LaFontaine was warned by his subordinates and by regulators that capping the number of alerts was dangerous and ill-advised.  His actions prevented the proper filing of many, many SARs, which hindered law enforcement’s ability to fully combat crimes and protect people,” said FinCEN Director Kenneth A. Blanco.

Why Did the Buck Stop with Him?

It’s common for an FI to get in trouble for major BSA violations, but it’s not every day you see a C-level employee get hit with such a huge fine.

Why did FinCEN think LaFontaine was responsible?

He had a long history with AML. He’d overseen AML from 2008 through April 2011 and from October 2012 through June 2014. He was the CCO from 2005 to 2010 before being promoted to senior vice president and deputy risk officer, and then received his final promotion to executive vice president and chief operational risk officer in 2012.

The AML officer reported to him. He oversaw the AML compliance program and the AML officer reported either directly to him or his direct subordinate.

He had the ear of the board and C-suite. LaFontaine reported to the CRO and had direct communications with the board. He was in a position to end the problem or choose to let it go.

As FinCEN put it, “LaFontaine failed to take sufficient action when presented with significant AML program deficiencies in the Bank’s SAR-monitoring system and the number of staff to fulfill the AML compliance role.  The Bank had maintained inappropriate alert caps for at least five years.”

The Takeaways

Bankers are professionally and personally responsible for following the law. It’s a commitment they need to take seriously for the sake of their institution, their career, and their wallet.

Avoiding this kind of problem is easy with three simple steps:

Make sure compliance and risk management have sufficient resources. LaFontaine gave BSA/AML woefully inadequate resources, and there is nothing in the assessment of a civil money penalty to suggest he did anything to seek out more resources. His staff told him AML was stretched too thin. They even prioritized it as the top concern in a presentation to the CEO on the bank’s BSA program—but LaFontaine chose not to talk about those slides.

Ask for resources if you need them and document a case for why they are needed.  It’s one thing to ask for more resources and be turned down. It’s another thing to not even try to get them or tell the CEO there is a major compliance issue.

Take compliance responsibilities seriously. Board members and bankers can be financially liable for compliance violations. Recognize the risk this poses and have a compliance management system (CMS) in place to mitigate it.  That includes three key components:

  • Board & management oversight
  • A compliance program
  • Violation of law and consumer harm

A CMS should be tailored to fit the size, complexity, and level of risk of the FI. It should also take into account the unique products, services, and profile of your institution.

If you see something, say something—and document it. There was a long trail of reports, memos, and even OCC warnings pointing out the problem. Having documentation prevented LaFontaine from trying to foist the blame on an employee who was trying to protect the institution by raising the issue.


Don’t neglect the basics of compliance and risk management. Make sure you have good systems and sufficient resources—and that you use them.

