Subject to Inquiry: White Collar, Congressional, SEC, Energy Enforcement & Other Government Inquiries

On April 27, 2011, the U.S. Department of Justice announced that it had entered into a deferred prosecution agreement with CommunityONE Bank, N.A., which is based in Asheboro, North Carolina.  The Justice Department’s announcement is the latest development in the area of AML enforcement since Assistant Attorney General Lanny Breuer’s creation of the Money Laundering and Bank Integrity Unit within the Criminal Division’s Asset Forfeiture and Money Laundering Section.

The Bank Integrity Unit, as Mr. Breuer called it for short in a speech before a joint conference of the American Bankers’ Association and the American Bar Association, was established to focus criminal investigation and prosecution efforts on three types of money laundering violators: (1) financial institutions, including officers and other employees; (2) professional money launderers who service criminal organizations; and (3) persons engaged in money laundering using sophisticated techniques, such as virtual currency and mobile payment systems.  Mr. Breuer acknowledged that effective compliance programs are costly, but he stated that, considering the Justice Department’s record of going after banks – big and small – for inadequate AML compliance programs, it makes business sense for banks to get into compliance.

In light of the Justice Department’s deferred prosecution agreement with Wachovia Bank, N.A., in which Wachovia was required to pay $160 million in forfeited funds and civil monetary penalties in March 2010 for lapses in AML compliance, it is understandable that the Department would take every opportunity to remind financial institutions of their Bank Secrecy Act obligations.  However, no less an AML compliance authority than John Byrne, who, since 2010, has served as Executive Vice President of the Association of Certified Anti-Money Laundering Specialists (ACAMS), was taken aback by a warning of sorts issued by Mr. Breuer to the conference attendees.  Mr. Breuer stated that if there was one message he could leave with the audience, it would be that “financial institutions simply cannot cut corners on compliance [because] having a compliance program that works is worth it. . . . [and] failing to adopt and maintain a real compliance structure will have serious consequences.”  Mr. Byrne, who works closely with all types of financial institutions, wonders what prompted Mr. Breuer to fire such a “shot across the bows” at an industry that is so committed to AML compliance. 

Committed or not, financial institutions must acknowledge that the compliance obligation is a continuous one.  It requires, at a minimum, periodic risk assessments, training, recordkeeping, reporting, and audits, as well as necessary adjustments in order to keep pace with the criminals who would use the financial institution to commit crime and to conceal the origin of illicit funds.  The failure of CommunityONE Bank to take these steps led to criminal prosecution, culminating with an agreement deferring prosecution in the Western District of North Carolina.  In its deferred prosecution agreement, the bank agreed to pay restitution to victims of an investment fraud scheme run through the bank by an individual who was convicted of fraud in December 2010.

It is abundantly clear that the Justice Department is increasing its enforcement of Bank Secrecy Act requirements against financial institutions of all sizes.  As a result, banks and other financial institutions covered by the Bank Secrecy Act can no longer claim to be the victims of fraud under circumstances in which the underlying misconduct could have been detected, and perhaps even prevented, with a robust AML compliance program.

In the words of Anne Tompkins, the U.S. Attorney for the Western District of North Carolina, “Banks asleep at the switch need to wake up. . . .  [T]he Bank Secrecy Act applies to more than just drug and terrorist financing.”

Now that’s a warning.

Recent statements from the federal government’s top anti-money laundering (AML) official make clear that the government views AML and anti-fraud as necessarily intertwined.  Banks and other financial institutions ignore this fact at their own peril.  John Byrne and Chris Swecker hit the nail on the head when they wrote earlier this year that banks should waste no time in integrating their AML and anti-fraud capabilities. 

Money laundering is, generally speaking, conduct that involves transporting, concealing, or avoiding reporting requirements in connection with the proceeds of a Specified Unlawful Activity (SUA) or property used to facilitate an SUA.  By definition, then, money laundering requires the existence of an underlying SUA, such as fraud.  So where there is fraud, there may be money laundering.  Financial institutions risk the non-detection of money laundering whenever they withhold information about potential fraud from AML analysts.  Failing to detect money laundering exposes them to further financial losses and regulatory scrutiny. 

Even where there is no known or suspected connection between a fraudulent transaction and money laundering, banks and other financial institutions still have a legal obligation to file a Suspicious Activity Report (SAR) relating to the fraud, assuming the transaction meets a minimal threshold.  The legal obligation (as well as the voluntary option) to file a SAR must be addressed in the written AML program and is subject to regulatory oversight by AML examiners.  Thus, it seems clear that financial institutions should integrate their AML and anti-fraud capabilities.

Since September 2008, when he spoke to the Florida Bankers Association, James H. Freis, Jr., Director of the Treasury Department’s Financial Crimes Enforcement Network (FinCEN), has been extolling the virtues of understanding the intersection of AML and anti-fraud efforts and urging financial institutions to take a landscape approach toward compliance.  Director Freis has repeatedly made the point that, especially in this economic downturn where resources are scarce, corporate compliance departments can and should combine their AML and anti-fraud resources.

Recently, in a talk to the Institute of International Bankers, Director Freis stated that a robust AML program can pay for itself through the prevention and detection of fraud.  He explained that a recent study indicated that, in 2008, banks suffered $788 million in card fraud-related losses, $1 billion in check fraud-related losses, and another $100 million in ACH fraud-related losses.  Rather than accept this nearly $2 billion in annual losses as a cost of doing business, Director Freis suggested that banks would increase their detection and prevention of fraud, and therefore significantly cut their losses due to fraud, by more closely aligning their AML and anti-fraud functions.

AML and anti-fraud efforts should also be combined for purposes of taking full advantage of FinCEN’s voluntary information sharing program, which is authorized by section 314(b) of the USA PATRIOT Act of 2001.  Section 314(b) is a program in which financial institutions (and associations of financial institutions) are protected from liability when they share information with other financial institutions that may involve possible money laundering and terrorist financing.  Because money laundering requires an SUA as a predicate, FinCEN issued guidance reminding financial institutions that information may be shared under section 314(b) if financial institutions suspect that a questionable transaction may involve the proceeds of an SUA.  By sharing information under section 314(b), financial institutions can combat money laundering and terrorist financing while saving money on fraud prevention.

Financial institutions should not wait for a significant law enforcement or regulatory action to be taken before they integrate their AML and anti-fraud efforts.  Integration is a win-win proposition and now is the time to do it.

A recent case in Florida provides an excellent reminder of the confidentiality restrictions that govern the release of Suspicious Activity Reports (SARs) (pdf). By way of background, the Bank Secrecy Act (BSA) prohibits banks and other financial institutions from notifying any person involved in a suspicious transaction that the transaction has been reported. When a financial institution receives a subpoena or other request to disclose a SAR from any person (other than a law enforcement or bank supervisory agency), regulations implementing the BSA require the institution to decline to produce the SAR or any information that would disclose that a SAR has been prepared or filed.

FinCEN interprets the SAR confidentiality provisions of the BSA even more broadly than the confidentiality restrictions imposed by the regulations, and, last year, FinCEN issued a proposed rule (pdf) to codify its broad interpretation by requiring banks and other financial institutions to decline to produce to any person a SAR or any information that would reveal the existence of a SAR. The preamble to the proposed rule stated that this broader standard has been upheld by courts and that the BSA created an unqualified and non-waivable privilege in civil litigation. Several federal bank regulators, such as the OCC (pdf), proposed similar regulations contemporaneous with FinCEN’s proposed rule.

That brings us to Regions Bank, et al. v. Scott Allen, et al. (pdf), which was decided by the Fifth District Court of Appeal in Florida on March 12, 2010. Regions Bank sought review of a trial court’s order compelling the bank to produce documents in discovery despite the bank’s assertion of the SAR privilege. The plaintiffs sought “investigatory” material including the bank’s internal emails and communications regarding certain accounts. Following a hearing on the plaintiffs’ motion to compel, the trial court determined that any SAR, to the extent it existed, was privileged and could not be disclosed by the bank to the plaintiffs. However, the court ordered the bank to produce any other requested document. The bank could redact references to a SAR or any language disclosing whether a SAR existed or would be prepared, but the trial court held that the bank’s internal emails and communications could not be withheld in their entirety under the SAR privilege.

The court of appeal held that the trial court ruled properly with respect to the non-disclosure of the SARs, but that the trial court’s decision regarding the bank’s other internal documents was too broad. The appellate court found that “redaction will not be adequate to protect the confidentiality of a SAR investigation or the fact of a SAR’s preparation” because “[r]edaction of a document does not change its character.” Instead, the court ordered the trial court to conduct an in camera examination of documents that fell within the “grey area of disclosure.”

The Regions Bank case provides a useful reminder to banks and other financial institutions of the broad scope of SAR confidentiality and their obligation to invoke the SAR privilege in civil litigation.

The filing of a lawsuit on May 21, 2010 by the American Medical Association (AMA) against the Federal Trade Commission (FTC) could signal yet another delay of the enforcement deadline of the Red Flags Rule.

The Red Flags Rule requires many businesses to develop, implement and administer an Identity Theft Prevention Program designed to detect the warning signs (or red flags) of identity theft, as well as to prevent and mitigate them.  Similar to an AML program, the Identity Theft Prevention Program should be tailored to the risks of identity theft and must contain certain core elements.

The FTC’s original enforcement deadline of November 1, 2008 for non-bank entities has been delayed several times already and currently is scheduled to take effect on June 1, 2010.  Federal regulatory banking agencies have already begun enforcing the rule. 

The AMA’s lawsuit (pdf), filed on behalf of physicians, follows on the heels of successful lawsuits brought by the American Bar Association (ABA) on behalf of lawyers and the American Institute of Certified Public Accountants (AICPA) on behalf of accountants.  In those cases, federal courts granted summary judgment for the ABA and enjoined the FTC from enforcing the Red Flags Rule against accountants for 90 days after a decision has been rendered by the court of appeals in the ABA case.

Congress is also considering legislation that would provide exemptions from the Red Flags Rule for certain professions, including lawyers, accountants and physicians.  Despite passing in the House of Representatives by a 400-0 vote on October 20, 2009, H.R. 3763 (pdf) has yet to be considered by the Senate, and no related bills have been introduced in the Senate.

In light of the federal court’s injunction preventing enforcement of the FTC’s Red Flags Rule against accountants, it appears probable that a similar injunction will be entered in the action filed by the AMA.  That is, the court may decide that the interests of justice are best served by enjoining enforcement of the Red Flags Rule against physicians until the FTC’s appeal in the ABA case has been decided. 

In the meantime, hospitals, physicians’ offices, and other businesses that may be subject to the Red Flags Rule should become knowledgeable about the Red Flags Rule’s requirements and prepare to implement an Identity Theft Prevention Program in the event the enforcement deadline is not delayed past June 1, 2010.

On March 23, 2010, a federal jury in the Western District of North Carolina, which encompasses Charlotte and Asheville, convicted a Nigerian citizen on conspiracy and wire fraud charges in connection with an “advance-fee” scheme that involved the use of money services businesses (MSBs) to transfer money.

In its press release, the U.S. Department of Justice described the scam as follows: The defendant and his co-conspirators sent spam e-mails to potential victims that falsely informed them that they had won a foreign lottery or had inherited a large sum of money. If an individual responded to the email, the defendant or his co-conspirators instructed the individual to wire funds to The Netherlands, Spain, or the United Kingdom through Western Union and other money transfer service companies in order to pay the necessary expenses and legal fees required to complete the transaction. According to the testimony during trial, at least 18 United States and international victims lost more than $9.5 million as a result of the scheme.

Putting aside the obvious question of why anyone would fall victim to this type of scheme, the important questions for MSBs and depository institutions concern whether you, too, are being used to “advance” this type of scheme:

• Do you have proper policies and internal controls in place to detect advance-fee scheme transactions?
• Have your associates been adequately trained on the red flags and on the proper responses to those red flags?
• Do your associates know your protocols for filing Suspicious Activity Reports (SARs) on advance-fee schemes and/or contacting law enforcement by telephone?