It is, by now, common practice for financial institutions (and other businesses as well) to adopt and maintain comprehensive and costly Anti-Money Laundering (AML) and Office of Foreign Assets Control (OFAC) compliance programs, to train their employees on AML/OFAC compliance generally and those in-house programs in particular, and periodically to update all of these. In recent remarks delivered at Columbia Law School, New York Superintendent of Financial Services Benjamin Lawsky decried what he considers to be pervasive compliance shortcomings in this area. Mr. Lawsky proposed that senior executives attest to the adequacy of their institutions’ compliance systems in a manner analogous to Sarbanes-Oxley verifications about the correctness of a public company’s financial statements and the effectiveness of its internal controls. Mr. Lawsky’s proposal, if instituted, would hold individual bank executives personally responsible for their employers’ AML/OFAC compliance system shortcomings.
One can see where Mr. Lawsky is coming from. Recent years have witnessed federal and state fines and civil penalties in the hundreds of millions – and even in some cases billions – for widespread violations of AML and OFAC requirements by financial institutions, predominantly foreign banks. Many of those fines and penalties, as we have previously noted here and here, have been levied by Mr. Lawsky’s own agency, the New York Department of Financial Services (DFS).
Mr. Lawsky does not regard these enormous penalties levied solely against institutions as adequate deterrence, telling the audience at Columbia, “A whack-a-mole approach – simply bringing enforcement actions when we find problems – is not, by itself, enough. Particularly because we believe there are likely widespread problems with transaction monitoring and filtering systems throughout the [financial services] industry.”
As evidence of these “problems,” he pointed to an independent monitor’s finding that a bank had failed to flag literally millions of suspicious transactions. “We basically ran the company’s transactions through our own filtering system and compared the results. This was a new approach. In the past, regulators have largely relied on self-reporting by firms that discover... that banned transactions occurred for some reason. What regulators have not done is actively tested the effectiveness of the filtering systems banks are using. That needs to change.” Thus DFS may also initiate random audits of companies’ AML systems to test whether they are successfully flagging suspicious transactions.
Placing bank executives in DFS’s cross-hairs should come as no surprise. It is a natural outgrowth of Mr. Lawsky’s call for more accountability by, and aggressive investigation and pursuit of, individual corporate officers during a speech last year to the Exchequer Club in Washington, D.C. that we reported here.
Mr. Lawsky calls his initiative “financial federalism” and invokes Justice Louis Brandeis’s famous dictum about states as laboratories for policy experiments. Yet the Brandeis quote seems inapposite, as New York does not have its own AML or anti-terrorism laws. Moreover, Mr. Lawsky has been subject to criticism for getting out in front of the federal bank regulators, the Financial Crimes Enforcement Network (FinCEN), OFAC, and the Department of Justice, with respect to purely federal regulatory regimes, especially when doing so might lead to inconsistent regulatory requirements. Mr. Lawsky has, however, anticipated this criticism and asserts that regulatory harmony or consistency is not the only important principle at issue and that both of these “are often subtle instruments that some on Wall Street use to try and weaken key financial reforms” and to “try and play one regulator off another” in order to get all the “regulators – in the interest of ‘consensus’ – to settle for watered-down rules... until they succeed in producing Swiss-cheese regulations riddled with loopholes.”
Assuming, as seems likely, that Mr. Lawsky will move forward with this program, the stakes for AML/OFAC compliance will be raised, and, on top of enterprise liability for noncompliance, individual CEOs or CFOs may face personal liability if their attestations prove incorrect. Thus, financial institutions subject to DFS supervision, or to supervision by other state regulators who choose to follow Mr. Lawsky’s lead, will be well-advised to have their compliance policies, procedures, and systems vetted on at least an annual basis by lawyers and consultants expert in the field.
