By Sven Stumbauer, Director in the Financial Crimes Compliance Practice at AlixPartners, LLP
With the US Department of Justice’s recent announcement that it plans to step up enforcement actions, financial institutions’ board members and senior managers may face increased scrutiny. A spate of recent cases related to the Bank Secrecy Act (BSA), anti-money laundering (AML) compliance and Office of Foreign Assets Control (OFAC) compliance reflects a growing sense that individual accountability may play a greater role in prosecutions of alleged compliance failures. As this approach gains traction, the emphasis on individual accountability in top managerial ranks may warrant greater attention in the boardroom.
Effective, enterprise-wide compliance programs that address BSA/AML/OFAC regulations fare best with strong board support. Several recent regulatory enforcement actions have spurred the creation of compliance committees composed of outside directors. Cases in which board members were held personally accountable for financial institutions’ lack of compliance, and which in some cases resulted in exposure to shareholder litigation risk, should provide further impetus to action. Further, federal scrutiny is being buttressed by state-level action by the New York State Department of Financial Services, which seeks to have leaders of financial institutions it regulates demonstrate compliance through a commitment to a “tone at the top”.
Effective compliance starts in the boardroom and the C-suite. When adherence to BSA/AML/OFAC regulations is a priority of corporate governance, that message permeates the entire organization. The board of directors and senior management play a key role in establishing a financial institution’s strategic vision. Under current regulations of both the Bank Secrecy Act and the USA PATRIOT Act of 2001, the board of directors of a financial institution is required to approve an enterprise-wide, anti-money laundering compliance program that includes:
- Policies, procedures and controls that mitigate the institution’s money laundering risks;
- A designated compliance officer with sufficient board-conferred authority across the institution to implement mitigating policies, procedures and controls to meet Bank Secrecy Act and anti-money laundering requirements;
- Ongoing adequate employee training; and
- Ongoing independent testing and auditing.
However, to go beyond technical regulatory requirements, a board should recognize that regulators or others may view it as ultimately responsible for its financial institution’s compliance efforts. Similarly, the board should help establish a culture of compliance that serves to reduce the risk of potential regulatory action based on lack of board oversight and minimizes potential litigation risk.
US Department of Justice to focus on individual wrongdoing
A memorandum from Deputy Attorney General Sally Yates, delivered September 9, 2015, marks another instance of the US Department of Justice (DOJ) emphasizing personal accountability and its own focus on targeting individuals. Many of the concepts in the Yates Memorandum are familiar, and were addressed previously by senior DOJ figures, but one new theme is the agency’s emphasis on the use of both criminal and civil tools—not just criminal indictments, but lawsuits against individuals believed to be responsible for corporate misdeeds.
Yates wrote, “One of the most effective ways to combat corporate misconduct is by seeking accountability from the individuals who perpetrated the wrongdoing.”
Six recommendations she made follow:
- In order to obtain credit for cooperating in a criminal case, a corporation must provide to the department all relevant facts relating to the individuals responsible for the misconduct;
- DOJ’s criminal and civil corporate investigations should focus on individuals from the inception of the investigation;
- DOJ’s criminal and civil attorneys handling corporate investigations should be in routine communication with one another;
- Absent extraordinary circumstances or approved departmental policy, DOJ will not release culpable individuals from civil or criminal liability when resolving a matter with a corporation;
- DOJ attorneys should not resolve matters with a corporation without a clear plan to resolve related individual cases and should memorialize any declinations as to individuals in such cases; and
- DOJ civil attorneys should consistently focus on individuals as well as the company and evaluate whether to bring suit against an individual based on considerations beyond that individual’s ability to pay.
As targeting individuals in corporate criminal cases becomes a greater priority, employees who violate anti-money laundering and other statutes now must be mindful of potential indictments or civil actions as well.
New York’s Department of Financial Services requires individual certification
The New York State Department of Financial Services is also focusing on individual accountability. In a press release issued on December 1, 2015, Governor Andrew M. Cuomo announced that his administration “is proposing a new antiterrorism and anti-money laundering regulation that includes—among other important provisions—a requirement modeled on Sarbanes-Oxley that senior financial executives certify that their institutions have ‘sufficient systems in place to detect, weed out, and prevent illicit transactions’”.
Governor Cuomo said the department conducted a series of investigations into terrorist financing, sanctions violations and anti-money laundering compliance at financial institutions over the past years and has “uncovered (among other issues) serious shortcomings in the transaction monitoring and filtering programs of these institutions and that a lack of robust governance, oversight, and accountability at senior levels of these institutions has contributed to these shortcomings”.
Based on these findings, the department proposed a new antiterrorism and anti-money laundering regulation, which requires any institution it regulates to maintain a “transaction monitoring” program and a “watch list filtering” program. While these requirements do not especially differ from federal regulations, what is of particular interest is that the proposed rule requires a senior executive to annually deliver an unqualified attestation to the state department that his or her institution has met its regulatory requirements.
FinCEN’s advisory to US financial institutions on promoting a culture of compliance
An August 2014 advisory notice from the US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN), which predates these departmental cautions, urges senior managers and board members at financial institutions of all sizes to maintain strong cultures of compliance.
Financial executives and boards may draw some important points from the advisory, which pinpoints several deficiencies identified in recent enforcement actions. A financial institution can improve its Bank Secrecy Act and anti-money laundering compliance culture by ensuring the following elements exist:
- Leadership is engaged;
- Compliance is not compromised by revenue interests;
- Information is shared throughout the organization;
- Leadership provides adequate human and technological resources;
- The compliance program is effective and has been tested by an independent and competent party; and
- Both leadership and staff understand how their Bank Secrecy Act reports are used.
The Department of Justice and various regulatory bodies are sending a strong message to financial institutions—namely, that an entire organization, from staff to board members, may be held accountable for Bank Secrecy Act, anti–money laundering and Office of Foreign Assets Control compliance. Perhaps more important, given New York’s proposed rule and the DOJ focus on individual wrongdoing, senior management and the board of directors of a financial institution should reevaluate whether their current compliance efforts are sufficient to shield the institution, and in particular senior management and the board, from regulatory actions, including assessing individual liability in the event that wrongdoing is detected.