Community banks can learn from TD Bank’s $3 billion BSA/AML penalty

An increasing volume of enforcement actions shows that community banks are vulnerable to a regulatory crackdown on compliance.

While the recent $3 billion penalty against the tenth largest bank in the U.S. may have been an outlier, experts say community banks have heightened risks in the area of Bank Secrecy Act and anti-money laundering compliance.

Earlier this month, the U.S. Department of Justice said TD Bank became the first bank to plead guilty to conspiracy to commit money laundering and the largest bank to plead guilty to BSA program failures. At the heart of the allegations, authorities say TD Bank and TD Bank U.S. Holding Company, subsidiaries of Toronto, Canada’s $1.9 trillion Toronto-Dominion Bank, failed to file accurate currency transaction reports or update its anti-money laundering program in compliance with the BSA, and ultimately allowed criminals and drug traffickers to launder hundreds of millions of dollars through its networks. TD Bank agreed to pay more than $3 billion in combined criminal and civil money penalties.

TD Bank and TD Bank USA are also restricted from growing beyond their combined $434 billion in assets, similar to the growth cap imposed upon Wells Fargo & Co. following its fake accounts scandal in 2019. “Crime doesn’t pay — and neither does flouting compliance,” Deputy Attorney General Lisa Monaco said in a Department of Justice press release about TD Bank’s guilty plea. “Every bank compliance official in America should be reviewing today’s charges as a case study of what not to do. And every bank CEO and board member should be doing the same. Because if the business case for compliance wasn’t clear before — it should be now.”

In a statement outlining the investigation’s resolution and the company’s next steps, TD Bank said it was complying with federal investigators. The bank said it was in the process of overhauling its AML program leadership and talent, introducing stronger bank-wide training and new data analytics capabilities, among other steps.

Group President and CEO Bharat Masrani also apologized to stakeholders, saying, “We have taken full responsibility for the failures of our U.S. AML program and are making the investments, changes and enhancements required to deliver on our commitments. This is a difficult chapter in our bank’s history.”

The scale of the charges levied against TD Bank is extraordinary. But while the Justice Department rarely gets involved, regulators have recently issued more consent orders against smaller banks over BSA/AML compliance, indicating heightened regulatory scrutiny, says Carleton Goss, a partner at Hunton Andrews Kurth.

“When you see a lot of banks get in trouble in the same area, to me, it suggests that maybe it’s because expectations are changing,” Goss says.

Though few banks are on the scale of TD Bank, the consent order does provide some clues as to specific targets for examiners’ attention. For example, TD Bank was accused of ineffective oversight of its BSA program and failing to provide that function with adequate resources to carry out its work, even though federal regulators and its own internal audit had flagged the matter for years.

Board oversight is also a common theme across enforcement orders at smaller banks, particularly when they’re partnering with fintechs or offering banking as a service, says Jason Chorlins, financial services practice leader at Kaufman Rossin CPAs and Advisors.

“There’s been more of an emphasis on designating specific committees that have responsibility for oversight of the higher risk areas of the bank,” he says. Regulators want to know that those board members are getting transparency into the bank’s BSA/AML program and that they understand the possible risks, trends and practices for mitigating risks.

Ideally, more banks would elevate the top AML officer to a C-level role with a direct line of reporting to the board, says Sarah Beth Felix, founder and president of Palmera Consulting. But whether or not it’s a C-level role, the board should hear directly from that person, and not the chief risk officer, about matters like suspicious activity reporting and technology and staffing in the AML function, she says.

“Regardless of whether or not the bank is a BaaS bank or a traditional bank, we’re seeing the AML compliance function is still not taken seriously,” she says.

Directors should break suspicious activity reports out from other key performance indicators. In addition to asking how many SARs the bank has filed over a given period, they should also ask how many requests the bank has received from law enforcement for SAR backup documentation, Felix says.

Additionally, directors should familiarize themselves with money laundering typologies for drug trafficking and human trafficking. If the bank isn’t filing any SARs related to either of those, don’t assume that it isn’t happening, but instead ask what it could be missing, she says. Felix adds that boards might also consider taking advantage of free training offered by the Department of Homeland Security or the Internal Revenue Service’s criminal investigation division.

The board should also consider strategic planning around the BSA/AML function, says Chorlins. That could include planning around staffing of that function. Directors may want to consider succession planning in the BSA/AML function, what certifications those staff have and whether the bank has any cross-trained individuals who are able to meet those key functions if needed.

When it comes to independent testing of the BSA/AML function, directors should understand the qualifications of both the audit firm and the individuals performing the testing, Chorlins adds.

A key best practice is to pay attention to what the bank’s independent audit has flagged, Goss says. That audit will usually give an indication of what kinds of issues might be raised in a BSA examination and gives the bank an opportunity to be proactive. He also recommends periodically switching up the audit firm the bank uses.

“If you’ve been doing an audit with the same group for 10 years, and you are low risk and haven’t had any concerns, it’s probably fine to do them for the 11th year,” he says. “If you’re going to be involved in a new product line, then it might make sense to bring in a fresh pair of eyes.”

Read the full article at BankDirector.


Jason Chorlins, CPA, CFE, CAMS, CITP, is a Risk Advisory Services Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.