The Financial Crimes Enforcement Network, or FinCEN, announced in January 2021 that Capital One would be required to pay a hefty $390 million penalty for AML violations under the Bank Secrecy Act (BSA).

The bank admitted to wilfully failing to implement and maintain effective AML procedures to guard against money laundering, also failing to file thousands of Suspicious Activity Reports (SARs) and Currency Transactions Reports (CTRs) with respect to its Cash Checking Group business unit.

The violations occurred from (at least) 2008 – 2014, seeing millions of dollars in suspicious transactions go unreported and therefore laundered through the bank into the US financial system. FinCEN states these proceeds were connected to organised crime, tax evasion, fraud and other financial crimes.

Beyond the eye-watering fine and regrettable criminal interaction, the findings underscore a number of inherent challenges that exist within AML regulations such as the technology required to meet onerous requirements and the true efficacy of current monitoring procedures.

Are suspicious activity reports really the most effective AML tool?

While the negligence Capital One’s AML processes are clear, the role of SARs and their effectiveness is becoming less obvious. Under the Banking Secrecy Act in the US, banks are required to report transaction that involved or aggregate to at least $5,000.00 are conducted by, at, or through the bank, and that the bank ‘knows, suspects or has reason to suspect’ they are suspicious.

A transaction is ‘suspicious’ if it:

(a) involves funds derived from illegal activities, or is conducted to disguise funds derived from illegal activities;

(b) is designed to evade the reporting or recordkeeping requirements of the BSA or regulations under the Act; or

(c) has no business or apparent lawful purpose or is not the sort in which the customer normally would be expected to engage, and the bank knows of no reasonable explanation for the transaction after examining the available facts, including background and possible purpose of the transaction.

Regulators including FinCEN rely on FI’s accurate and timely filing of SARs, but this is not where the query ends. A 2019 report by the US Government Accountability Office founds that even if banks are lodging SARs efficiently and effectively, the supervisory body which is to expected to review these alerts (in this case FinCEN) may lack the tools and resources to respond to these reports effectively.

Further, and as seen within the bigger FinCEN Files scandal in 2020, US banks may continue to lodge significant volumes of SARs but continue to do business with the individual or business as the matter was not investigated nor the suspicion confirmed by the regulatory body. Some argue that this means FIs will use the SAR tool as something of a defensive or ‘get out of jail free card’ to continue servicing the account and/or negate future responsibility.

FI’s ability to do this was discussed in a guidance document published by FinCEN in January this year. The document also reinforces that the onus to determine the bank’s future activity with the suspicious account on the FI, stating that FIs “have the flexibility to develop risk-based procedures and monitoring processes for the purpose of updating the customer risk profile and determining when to maintain or close accounts.”

Former deputy chief counsel of the Office of the Comptroller of the Currency Dan Stipano said delays could well stem from the Office’s relatively small overworked staff. Currently receiving around 3 million SARs each year, the ability to effectively review these volumes is highly unlikely. Also incredibly high, the UK Financial Intelligence Unit (UKFIU) received just under 500,000 in the year ending March 2019.

Stipano added: “The result, however, is that FinCEN sometimes assesses penalties not only years after the violations were committed, but also after they were remediated.”

Investment in technology cannot be avoided

In its findings FinCEN argued that Capital One’s AML controls and processes were “plagued by a number of technical failures that were not promptly addressed, and gave too much credence to dubious explanations from the business line” around its activity.

A spokesperson for the bank recently made clear that it is actively working to address its structural weaknesses and that “Capital One takes its anti-money laundering obligations very seriously.”

The spokesperson added that the bank has invested heavily in the enhancement of its Anti-money laundering (AML) program over the past several years under new AML leadership, and has worked closely with regulators and law enforcement to ensure our compliance processes and protocols are robust and thorough.

Law firm Freshfield Bruckhaus Deringer LLC argued that the enforcement action by FinCEN is among many actions regulators have taken against FIs in relation to their AML technology “and serves as another reminder that these tools may require upgrading and attention over time. This is often more easily said than done.

“To address the risk posed by complicated technology projects, we suggest that companies take a holistic approach to technology needs, put in place appropriate governance around technology investment decisions, and take into account input from multiple stakeholders, including those in legal and compliance roles.”

Further, this push for reliance on improved technology has been addressed by the OCC, which in January released a proposal that would see FIs allowed exemptions to certain Banking Secrecy Act requirements – such as SARs – provided that these banks develop innovative solutions intended to meet BSA requirements more efficiently and effectively. That is, the OCC would be willing to allow banks to bypass the headache of lodging SARs if their technology and processes are deemed more efficient (or clear) than the existing SAR requirements. The Fed and the FDIC have published similar notices.

Capital One is in (not so) good company

The $900 million (AUD) fine borne by the Australian bank Westpac was a record for the nation, which broke AML and terror financing laws over 23 million times.

Notably, in its internal investigation into the scandal the bank stated the failures came down to a combination of technology and human error. The bank consequently pledged to double its compliance staff and revamp AML tools and systems and in June 2020 appointed a new head of IT, Scott Collary, to oversee 7,000 staff in the bank’s new technology and operations unit.

At the time of Collary’s appointment the bank’s CEO said that the merger of technology and operations “will help us continue to drive our technology transformation agenda and accelerate work on simplifying processes,”

Similarly, after a report in 2020 found €36.7 billion in transactions with high money-laundering risk had been processed by Swedbank over a five-year period, the Nordic bank has undertaken an AML rebuild to rectify procedural shortcomings.

The report by Clifford Chance had been commissioned by the bank and uncovered significant inadequacies in the banks technology-led AML processes. So weak in fact, that it was deemed unfit for purpose. In addition to internal upgrades, the bank is also participating in the Nordic KYC collaboration project, with partner (and some similarly scrutinised) banks such as DNB, Danske Bank, Nordea, SEB and Handelsbanken, in order to develop a joint platform for standardised KYC processes.

By December 2020 Fenergo found that global penalties for FIs topped $10 billion during that year, the majority of which being connected to non-compliance with AML rules and standards.

Only increasing in size and frequency, could these AML failures (and consequent fines) be growing into something of a trend led by large FIs across the globe?

It seems the trudge toward digital transformation remains a common thread. With multiple core banking platforms and legacy systems to juggle, incumbent institutions have their transaction monitoring work cut out for them and it is more likely than not that we will see more penalties handed down before FIs are able to consolidate and reinforce their AML processes.