U.S. Bancorp pays $613-million for deficient AML measures

On February 12, 2018, U.S. Bancorp (“USB”) – the parent company of U.S. Bank and the fifth largest bank in the United States – entered into a deferred prosecution agreement (the “DPA”) with the U.S. Department of Justice in which it agreed to penalties of $613 million for failing to maintain adequate anti-money laundering (“AML”) measures.

In the DPA, USB accepted responsibility for “wilfully failing to maintain an adequate anti-money laundering program” and “wilfully failing to file a Suspicious Activity Report” in contravention of the Bank Secrecy Act. The charges arose from USB’s failure to identify and report suspicious transactions that should have raised money laundering alerts as early as 2009. In particular, USB failed to report the suspicious banking activities of its long-time customer Scott Tucker, convicted of using several USB accounts to launder over $2-billion in fraudulent payday lending proceeds.

Prosecutors attributed this and other USB systemic oversights to a combination of inadequate AML staffing – the bank, which has over $340-billion in assets, had only 25-30 AML investigators, many paid below-market salaries and some with little or no AML experience –  and the bank’s practise of “capping” the number of suspicious transactions that were reported.

USB admitted to capping the number of alerts generated by its transaction monitoring systems according to the bank’s staffing levels and resources, leading to glaring oversight – for example, in June of 2013 over 57,000 alerts were generated but just 100 were investigated. USB’s Chief Compliance Officer then concealed this practise from the Office of the Comptroller of the Currency, the bank’s primary regulator. USB also failed to conduct adequate below-threshold testing (“BTT”), used to determine how much suspicious activity occurs below alert thresholds. USB’s BTT results indicated high levels of suspicious activity which should have resulted in it lowering its threshold; instead, USB terminated its BTT testing altogether, citing resource limitations.

Under the terms of its two-year DPA, USB will be required to pay approximately $613-million in penalties and settlements, reform its AML compliance and monitoring programs, cooperate in the investigation against it, and more. (Note that unlike in the United States, DPAs are currently not available in Canada to corporate accused or where businesses are regularly audited. For further detail, see Osler’s previous article on Anti-Corruption and Bribery in Canada.)

AML and compliance programs in Canada

Canadian anti-money laundering law is legislated under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and associated regulations (“Canadian AML Law”) and predominantly enforced by the Financial Transactions and Reports Analysis Centre of Canada (“FINTRAC”). Businesses and individuals subject to the Act are required to establish and implement a comprehensive and effective compliance program to meet various reporting, record keeping, client identification and know-your-client requirements.

In particular, FINTRAC requires compliance programs to have five elements, as enumerated in guidance issued December 2017:

  1. Compliance officer: Companies are required to appoint a person who will be responsible for the implementation of the compliance program.
  2. Compliance policies and procedures: Companies are required to develop and apply written compliance policies and procedures that need to be kept up to date and include enhanced measures to mitigate high risks.
  3. Risk assessment: Companies are required to conduct a risk assessment of your business activities and relationships.
  4. Compliance training: Companies are required to develop and maintain a written ongoing compliance training program for employees, agents and others authorized to act on your behalf.
  5. Effectiveness review: Companies are required to institute and document an effectiveness review of your compliance program (policies and procedures, risk assessment and training program) every two years (minimum) for the purpose of testing its overall effectiveness.

In addition to having satisfactory compliance programs, entities subject to Canadian AML Law must navigate a host of other complicated requirements including reporting, record-keeping, client identification, and more. The complex suite of Canadian AML Laws apply to a wide variety of entities including banks, accountancies, money services firm, notaries, insurers, casinos, real estate brokerages, and more. Although regulators recognize that the sophistication of a compliance program varies with an entity’s size, complexity, structure, and risk profile, the failure to abide by Canadian AML laws may have severe civil and criminal consequences.