How Not to Use Test Results: A $613 Million Enforcement Action Story
Financial institutions rely on caps and limits. There are minimum deposits and credit scores and limits on ATM withdrawals and overdraft fees. But there are some places caps don’t belong, U.S. Bank learned earlier this year as the result of $613 million in civil money penalties and fines from the Federal Reserve, the Office of the Comptroller of the Currency (OCC), the Financial Crimes Enforcement Network (FinCEN), and the Justice Department.
According to the bevy of enforcement action, from 2011 to 2014, the $452 billion-asset bank put a cap on the alerts generated by its automated transaction monitoring system for Bank Secrecy Act (BSA) compliance. If an account generated an alert within the last 90 days, no new alert would be generated regardless of how potentially suspicious the activity was.
This prevented the bank from reporting $318 million in suspicious activity and 1,528 SARs during a six-month period from 2013 to 2014. These and other SARs that were filed late included some transactions over six figures.
This was no accident, regulators say. The bank’s own internal testing revealed there were serious oversights. In November 2011, it conducted “below-threshold” testing on sample alerts that were just below limits. The results showed 50 percent of those transactions would have needed an SAR to be filed.
Rather than follow the recommendations of employees who suggested thresholds be lowered to catch these SARs, the bank instead chose to eliminate testing in April 2012. It took the issue one step further by encouraging employees not to mention it to the OCC. One anti-money laundering officer described “U.S. Bank’s AML program as an effort to use ‘smoke and mirrors’ to ‘pull the wool over the eyes’ of the OCC.”
That wasn’t the only problem with the bank’s BSA program, according to the enforcement actions. It didn’t conduct risk-based monitoring of its customers’ accounts, had a deficient system of internal controls, and failed to provide independent validation of its automated transaction monitoring system despite regulators’ recommendations. From July 2014 to May 2015 it filed thousands of materially inaccurate currency transaction reports (CTRs), leaving out the name of the money service businesses that benefitted from the transactions.
Why was U.S. Bank dangerously slacking in its BSA efforts? It was to save money on staffing costs, regulators say.
“Nonetheless, the Bank failed to address the numerical caps because those fixed caps permitted the Bank to hire fewer employees and investigators in its AML department,” FinCEN’s EA says.
The bank employed just 30 anti-money laundering investigators, regularly losing experienced investigators to other institutions because of its below-market pay. The internal notes of one employee stated: “The number of query alerts that we work are increasingly [sic] based solely on staffing levels. This is a risk item.”
Now U.S. Bank is paying the price in civil money penalties totaling $613 million including $70 million to FinCEN, $75 million to the OCC, $15 million to the Federal Reserve and $453 million to the Justice Department.
While many institutions dedicate resources to uncovering hidden problems so they can correct them before regulators find them, U.S. Bank took the opposite approach: discontinuing testing that revealed a problem rather than solving the problem.
Make sure your institution is making the most of test results, using them to find and correct weaknesses. Deficiencies have a way of announcing themselves whether you want them to or not. And as these fines remind us, the cover up is often worse than the crime.