On November, 1, 2017, the US Department of the Treasury, Financial Crimes Enforcement Network (FinCEN), announced that Lone Star National Bank (Lone Star), operating in Texas, entered into a civil money penalty consent for alleged willful violations of the Bank Secrecy Act (BSA) and 31 C.F.R. Chapter X regulations involving inadequate anti-money laundering (AML) compliance program systems. This action primarily related to requirements for high-risk foreign correspondent account banking services. Lone Star, a privately held depository institution, agreed to pay a $2 million civil money penalty to resolve the matter. FinCEN’s action follows a Consent Order for a Civil Money Penalty in 2015 for $1 million imposed by the Office of the Comptroller of the Currency against Lone Star for alleged programmatic AML deficiencies.
FinCEN asserted that, from 2010-2014, Lone Star failed (i.e., with reckless disregard or willful blindness) to: (1) establish and implement an adequate AML compliance program; (2) conduct required due diligence on a foreign correspondent account; and (3) report suspicious activity. As a result of these failures, Lone Star’s conduct permitted a foreign financial institution (apparently located in Mexico) to transfer hundreds of millions of US dollars in suspicious bulk cash shipments through the US financial system. Most notably, Lone Star allegedly had insufficient internal controls and staff inexperienced with the BSA’s obligations. Consequently, Lone Star did not undertake appropriate due diligence, transaction monitoring, and reporting of suspicious activity, when engaging in high-risk foreign correspondent banking services.
The Assessment of Civil Monetary Penalty provides a factual overview of what a depository institution, particularly one engaged in international banking, must not do. For example, FinCEN alleged that Lone Star consistently failed to:
- Follow Section 312 of the USA PATRIOT Act requiring financial institutions to undertake heightened obligations to establish, maintain, administer, or manage correspondent accounts in the United States for foreign financial institutions;
- Determine whether a correspondent account is subject to enhanced due diligence;
- Assess the money laundering risk presented by the correspondent account;
- Apply risk-based procedures and controls reasonably designed to detect and report known or suspected money laundering activity, including a periodic review of activity sufficient to determine consistency with information obtained about type, purpose, and anticipated activity of the correspondent account.
More generally, FinCEN asserted that Lone Star also did not sufficiently:
- Collect and analyze information necessary to assess each customer’s risk, some of which was available by open, public source information;
- Develop and implement specific customer risk profiles;
- Identify basic features of the customer’s account, such as the intended purpose, the anticipated transactional activity, the nature of the business, the types of bank products and services used by the customer, and geographic indicators of risk;
- Risk-rate certain of its customers during the account opening process, which was necessary for proper monitoring of transactions conducted through the accounts;
- Identify correctly or monitor new and existing high-risk accounts that posed an elevated risk for money laundering;
- Assess operations with foreign financial institutions, including transactions in US bulk currency from extensive foreign exchange operations in the United States/Mexico border regions and US dollar bulk cash deposits;
- Investigate transactions after red flags should have been detected; or
- Report suspicious transactions as required.
This enforcement matter underscores the importance that, if a US depository institution engages in international correspondent banking services, it must be prepared to undertake enhanced AML compliance obligations with respect to these services to comply with applicable laws and regulations. A failure to do so, particularly if systematic deficiencies are identified over time, may contribute to substantial liability for the institution and responsible individuals.