On January 15, 2021, the Financial Crimes Enforcement Network (FinCEN) announced that Capital One, National Association (CONA) agreed to pay a $390,000,000 civil money penalty for AML violations under the Bank Secrecy Act (BSA), largely relating to financial institutions that CONA acquired in 2005 and 2006. The settlement represents an eye-popping number for FinCEN and underscores the importance of AML compliance.
The resolution also shows the risks that can stem from M&A and the need to address compliance risks in the context of deals. This continues to be an issue of focus for DOJ, FinCEN and other regulators, as we have discussed elsewhere. We suggest addressing these risks through a combination of pre-signing diligence and post-closing risk assessments.
Our key takeaways from the CONA enforcement action are below.
(1) Deal-related AML risks
FinCEN’s enforcement action focuses on conduct by CONA’s then newly acquired businesses. According to the FinCEN Assessment of Civil Money Penalty, CONA built its retail and commercial bank businesses primarily through a series of acquisitions of regional banks, including Hibernia Bank in 2005 and North Fork Bank (NFB) in December 2006.[i]
Prior to CONA’s acquisitions of Hibernia and NFB, federal and state bank regulators reportedly identified deficiencies in the AML programs at both Hibernia and NFB, including asserted weaknesses in transaction monitoring, suspicious activity identification, and CTR filings. According to FinCEN, CONA’s controls were not sufficient to address these AML risks.[ii]
We recommend that clients undertake a reasonable review of AML and other compliance risks, both before entering into a transaction where feasible and after the transaction has closed. Such a review should enable acquirors to identify and mitigate risks by implementing risk-based policies, procedures, and controls. This review often will assist acquirors in developing a more nuanced understanding of the risk profile and personnel at a newly acquired business, which may help avoid silos or staffing issues down the line.
Furthermore, this review is important not only because an acquired entity’s compliance issues can introduce significant risks into the acquiror’s business and reduce the value of the acquired entity, but also because such compliance issues can also result in a regulatory settlement involving the parent-company acquiror, as happened here.
(2) AML enforcement priorities
The enforcement action also shows that FinCEN is continuing to focus on SAR-filing requirements, despite recent criticism about the burden of these requirements and questions about their effectiveness.
Recent leaks of FinCEN files, including thousands of SARs, have raised questions about whether the number of SARs filed by financial institutions far exceeds FinCEN’s ability to review them. According to Dan Stipano, former deputy chief counsel for the OCC, the number of SARs FinCEN receives overwhelms its current staffing levels.[iii]
In light of this recent criticism, Congress and regulators have focused on simplifying, clarifying, and modernizing SAR-filing requirements. FinCEN recently issued new FAQs to further clarify SAR requirements, including where SARs are not necessary. Additionally, the comments submitted in response to FinCEN’s call for input in its September 2020 Advanced Notice of Proposed Rulemaking suggest that any new regulations may relax SAR standards. For example, a number of comments echoed a desire for FinCEN to raise the monetary threshold that would trigger a potential SAR filing. The OCC also appears to be interested in reducing the burden imposed on financial institutions by SAR-filing requirements—it has recently proposed a new rule that would allow it to issue exemptions to financial institutions from the SAR requirements in situations where the institution has developed “innovative solutions” intended to meet BSA requirement more efficiently and effectively.
While all these efforts may be aimed at reducing the burden on financial institutions, the CONA enforcement action demonstrates that FinCEN will continue to hold financial institutions accountable for compliance with currently applicable standards.
(3) What is the right level of interaction between the business and compliance?
Many compliance programs are based on the three-lines-of-defense model, in which the business plays an important role in risk management. Here, FinCEN alleged that CONA’s compliance group gave “too much credence” to “dubious” explanations provided by CONA’s business personnel.[iv] While it is generally a good idea for those in control functions to gather information from those in the business, this set of allegations shows that compliance departments may be well served in considering when to test explanations they receive from the business and documenting how they have done so.
(4) Technology challenges
Technology can pose a substantial challenge for AML compliance, particularly when multiple legacy systems are in use. Here, FinCEN alleged that CONA’s AML controls and processes were “plagued” by technical failures that were not promptly addressed, even after purported issues were flagged by AML analysts.[v] The enforcement action against CONA is among the many actions regulators have taken against financial institutions in connection with their AML technology and serves as another reminder that these tools may require upgrading and attention over time. This is often more easily said than done. To address the risk posed by complicated technology projects, we suggest that companies take a holistic approach to evaluating technology needs, put in place appropriate governance around technology investment decisions, and take into account input from multiple stakeholders, including those in legal and compliance roles.
The CONA resolution provides useful practice points for BSA / AML compliance. In particular, the resolution demonstrates the importance of conducting due diligence in connection with M&A deals, integrating newly acquired businesses in the institution’s compliance program, and identifying and addressing AML risks in a robust manner.
[i] Assessment, Statement of Facts, p. 5.
[ii] Id. at 6.
[iv] Assessment, Statement of Facts, p. 6, 9.
[v] Id. at 6.