Perspective on Risk - Oct. 16, 2024 (More on TD Bank)
Fincen Consent Order; Crypto Finds A Way In; Karen Petrou Comments
Sorry for the spam, but I missed a report in the last post.
Fincen Consent Order
So there is another document that I missed in my last post: TD’s CONSENT ORDER IMPOSING CIVIL MONEY PENALTY with FINCEN. It’s a doozy - much more salacious detail.
In September 2013, FinCEN issued a Civil Money Penalty and the OCC brought a parallel enforcement action to TD Bank for failures to file suspicious activity reports (SARs) associated with its involvement in the Scott Rothstein Ponzi scheme, which occurred from April 2008 through October 2009.
TD Bank vastly underinvested in its AML compliance efforts, with TD Bank knowingly spending an order of magnitude less than its peers. … when a host of significant AML compliance issues arose … the Bank consistently chose to address them in the least costly way possible, even if it meant ignoring failures and refusing to meaningfully remediate issues and prevent recurrences.
TD Bank’s BSA Program was non-compliant for the following reasons:
(i) its BSA Officer and AML management failed to seek, and TD Bank otherwise failed to allocate, sufficient resources across budget, personnel, and technology;
(ii) it had a siloed governance structure that resulted in the designated BSA Officer lacking sufficient control or accountability for the Bank’s AML program; and
(iii) there was a lack of oversight over the Bank’s high-risk operations and gaps described below for which the BSA Officer failed to take accountability, including the BSA Officer’s awareness of material gaps in the Bank’s transaction monitoring system that went unabated for many years.
Board & Senior Management Oversight
The U.S. Parent Board was informed about the issue, but did not act in a timely manner, despite mounting evidence that the issues were not resolving over the years.
… failures by the Bank’s Board to provide adequate resources for the BSA Officer to discharge their duty of assuring the Bank’s compliance with the BSA
… reporting by the BSA Officer to the Boards and the AML Oversight Committee consistently showed the AIU Detection and Further Investigations teams in “red” status, indicating significant backlogs.
In sum, for several years, the BSA Officer presented overly optimistic expectations to other AML senior management and to the U.S. Parent Board that the backlogs would be alleviated, even as the Bank continued to miss internal deadlines and failed to make meaningful investments in resources to address them. The U.S. Parent Board was informed about the issue, but did not act in a timely manner, despite mounting evidence that the issues were not resolving over the years.
FinCEN’s investigation identified instances in which TD Bank’s BSA Officer, and other AML senior management, presented unrealistically optimistic forecasts to Bank executives and the Boards.
AML management did not timely escalate requests for additional resources to executive management or the Boards, although the U.S. Parent Board was made aware that “inadequate staffing levels” were a root cause of issues that persisted
Appointing multiple AML managers without any prior experience in AML also hindered the BSA Officer’s ability to effectively monitor the Bank’s day-to-day compliance with the BSA. In particular, the heads of the AIU and AML Operations … oversaw critical AML processes without any previous AML experience.
Structural Governance Issues
With respect to the U.S. subsidiary banks, the BSA/AML obligations were managed by the BSA Officer, who reported to both the Chief Risk Officer of the Bank in the U.S. and the Global Head of AML in Canada. This reporting structure led to complications; many AML senior managers with BSA responsibilities, most notably an AML Technology head and head of AML Operations, only reported to the BSA officer via a “dotted line” and reported directly to the Global Head of AML at the Canadian parent. Furthermore, the BSA Officer delegated management and oversight of critical functions within the Bank’s AML program (e.g., transaction monitoring) to these individuals.
Incentives
TD Bank’s compensation system reflected the apparent disincentive for the BSA Officer to incur costs needed to assure the Bank’s compliance with the BSA. At times during the Relevant Time Period, both the Global Head of AML and the BSA Officer’s annual self-assessments noted as an “accomplishment” their respective abilities to “develop [the AML] program within a flat cost paradigm without compromising risk appetite.”
Escalation
TD Bank also failed to properly monitor checks, even though AML senior management knew of this gap and the risks these transactions posed. … There is no evidence the BSA Officer escalated the issue to other AML management or the Boards.
Policies, Procedures & Limits
AML personnel identified customers engaged in funnel account activity in the spring of 2019. AML investigators were also aware that, with respect to funnel accounts, “bad actors target TD [Bank],” including because the Bank maintained different policies than other peer financial institutions.
The Bank’s CDD policies and procedures were deficient, as information obtained about customers at account opening and the Bank’s analysis of such information was inadequate to properly assess the customers’ risk and support the Bank’s effective suspicious activity monitoring.
Internal Controls
The Bank’s cash operations also suffered from deficient monitoring of high-risk transactions. Compared to peers, TD Bank engaged in cash processes that created higher risk for the Bank to be used as a vehicle to facilitate illicit activity. … limitations in the transaction monitoring scenarios applicable to this activity led to ineffective monitoring for potentially suspicious activity. The Bank produced internal reports highlighting which customers … generated the greatest amount of cash activity in a given period. These manual reports were not reviewed and were not designed to mitigate AML risks, and therefore did not serve as an effective control.
Risk Monitoring, Information Systems & Reporting
… internal reporting to AML senior management neither highlighted emerging patterns and trends of concern nor conveyed the significance of an insider’s involvement in suspicious activity. This contributed to the Bank’s failure to timely detect related and, in several cases, ongoing employee misconduct. In some cases, the Bank only looked into such activity after law enforcement arrested or charged the relevant employees.
the Bank also experienced challenges with reporting information to AML senior management. In one instance, the AIU reported that it temporarily could not provide accurate volumes and reporting due its ongoing technology issues.
During the transaction monitoring system’s initial implementation in 2008, TD Bank applied certain “off-the-shelf” scenarios provided by its vendor without consideration as to whether such scenarios needed to be tailored for the products and services TD Bank offered or whether they were sufficient to the specific risks the Bank faced. Ultimately, the system’s coverage excluded large swaths of the Bank’s transactions: in 2023 alone, the coverage gaps applied to several trillion dollars of transactions that were not screened by the Bank’s transaction monitoring system.
… the Bank’s Internal Audit department found that not all jurisdictions TD Bank identified as high-risk were subject to monitoring by relevant scenarios in the Bank’s transaction monitoring system. Not only did TD Bank fail to timely address this finding, but also at a subsequent meeting to discuss potential updates to the high-risk jurisdiction scenarios, AML senior management, including the BSA Officer, concluded that only proposed changes that “would have no impact or lower the volume of false positives have been approved to proceed.” This meant the AIU could only remove those jurisdictions from monitoring that were no longer high-risk; the AIU was not allowed to add new jurisdictions, because doing so would increase the volume of alerts.
Of Course Crypto Found A Way In
Of the missed and improperly reported suspicious transactions identified by FinCEN, roughly 2,000 transactions were processed for Customer Group C, primarily during a nine-month period, from July 2023 to April 2024, with an aggregate value of over $250 million. Customer Group C, purportedly operating in the sales finance and real estate industries, had informed TD Bank, as part of the Bank’s CDD processes, that their intended wire activity would be minimal and would not exceed $25,000. Additionally, Customer Group C estimated their annual sales would not exceed $1 million; in fact, Customer Group C conducted over $1 billion in transactions through TD Bank during the relevant period, with over 90% of the incoming funds from a UK-based cryptocurrency exchange and more than 60% of outgoing transactions sent as wires to a Colombian financial institution that also offers virtual asset-related services.
Despite the high volume of suspicious transactions and “red flags” associated with high-risk jurisdictions and rapid movement of funds within a short timeframe, TD Bank failed to proactively report this suspicious activity until it received multiple law enforcement inquiries about Customer Group C.
Karen Petrou weighs in
Why Didn’t Supervisors Stop TD Before Trillions Escaped AML Surveillance?
Karen is funded by the industry clients and has a habit of taking the regulatory authorities to task, but that doesn’t necessarily mean she’s wrong.
… what’s missing from the recounting of TD’s sins is any accountability for why banking-agency supervisors failed to catch violations dating back to 2012 that transgress every compliance, risk-management, and governance norm. Yes, throw the book at TD, but let’s also call the banking agencies on the carpet for why TD was allowed to grow so big even though it was clearly also so bad.
Did the banking agencies ever wonder why? … What of the supervisors? Did supervisors spot problems and fail to escalate as they failed to do in SVB, Signature, First Republic and so many other troubled banks? Did supervisors tolerate managerial backtalk or worse, accept assurances of better to come without evidence of any effort at remediation? Could no one have spotted the sometimes phenomenal acts of egregious risk-taking going on at the bank and done anything about them?
What if the banking agencies had spotted TD’s problems and threatened the death sentence years ago? Could TD have grown to be the tenth largest U.S. bank the agencies doubtless now fear closing if supervisors had brought a quick end to the company’s evident belief that it could grow as large as it wanted without investing anything in compliance that cut into profits and incentive compensation? A smaller bank with TD’s obvious impunity could have been closed, making charter revocation a meaningful threat. The OCC is getting praise now for its stringent cap on TD’s asset growth, but would TD have become “too big to manage” if the OCC had demanded management from the bank’s managers? We’ll never know, but we should.
As I said in my review, it’s not clear what the supervisors knew and when they knew it. The OCC was clearly involved in the initial 2013 review, and were engaged in the 2020 timeframe, but it’s not clear how they followed up on their 2013 enforcement action. She’s not wrong in wanting clarity hear.
I agree with Karen completely. I find it inexcusable for a supervisory agency to take almost 14 years to issue a C&D. A poor control environment, lax governance and conflicts of interest were evident back in 2009....so what happened? Why didn't regulators escalate this issue the first time the remediation plan was insufficient or fell off track. At some point, if you just sit back and watch the car accident your are part of the problem.