— Dixie K. Hieb, Partner, Davenport Evans Law Firm
In recent years there have been a number of high-dollar penalties imposed by regulators in connection with the Bank Secrecy Act and anti-money laundering enforcement actions. While the related consent orders generally lay out a list of required actions, as opposed to a list of the specific shortcomings, the regulators sometimes offer background details in cases of particularly egregious actions. Such was the case with the recent cease and desist orders and related penalties against TD Bank, N.A. and TD Bank USA, N.A. (“TD Bank”). In October 2024, TD Bank was subject to enforcement actions involving the Department of Justice, FinCEN, the OCC, and the Federal Reserve, and was ordered to pay $3.1 billion in penalties.
When looking for lessons to be learned from the TD Bank enforcement actions, a financial institution should keep in mind the required components of a compliant BSA/AML program: adoption of policies, procedures, and controls; designation of a BSA/AML compliance officer; ongoing, job-specific employee training; independent testing; and customer due diligence. As the DOJ and various regulators noted, TD Bank placed an emphasis on profitability to such an extent that the components of an effective BSA/AML compliance program were almost completely overlooked.
The orders and press releases issued in connection with the TD Bank enforcement actions describe activities that could come straight from crime fiction. The DOJ’s press release cited TD’s failure to monitor trillions of dollars of transactions – including those involving ACH transactions, checks, high-risk countries, and peer-to-peer transactions – which allowed hundreds of millions of dollars from money laundering networks to flow through the bank, including for international drug traffickers. Per the DOJ press release, TD Bank was aware of these risks and failed to take steps to protect against them, including for two networks prosecuted for money laundering – one that dumped piles of cash on TD Bank’s counters and another that allegedly withdrew amounts from ATMs 40 to 50 times higher than the daily limit for personal accounts. FinCEN’s press release regarding its enforcement action noted that TD Bank’s chronic failures in BSA/AML enforcement provided fertile ground for illicit activity, from fentanyl and narcotics trafficking, to terrorist financing and human trafficking.
Specifically cited AML violations in the various orders included:
- When branch staff made suspicious activity referrals based on a customer group’s large volume of cash deposits, management’s response was to set the customer up with armored car service so branch staff would not receive the cash.
- No risk profile was created for any customer despite high-risk activity.
- The monitoring system omitted 1.6 million customers from the automated risk rating.
- A SAR was filed for the first time on a terrorist organization four years after the activity began.
- High-risk reviews were conducted only every two years.
The regulators and the DOJ decried the criminal activity underlying the enforcement actions. The FinCEN release quoted a Treasury official who stated: “The vast majority of financial institutions have partnered with FinCEN to protect the integrity of the U.S. financial system. TD Bank did the opposite.” FinCEN’s Director stated that for over a decade, TD Bank allowed its AML program to languish, making TD Bank a target for illicit actors—including its own employees. The DOJ press release quoted various DOJ officials, noting that TD Bank, by making its services convenient for criminals, became one, and in doing so earned the distinction of being the largest bank to plead guilty to BSA program failures and the first U.S. bank to plead guilty to conspiracy to commit money laundering.
How did TD Bank reach that point? In part because, in apparent flat-out disregard for BSA/AML compliance, TD Bank enforced a budget mandate, referred to internally as a “flat cost paradigm,” requiring that the budget not increase despite increases in profits and changes in its BSA/AML risk profile. Management also consistently emphasized the “customer experience” over required customer due diligence.
Certainly, the overall size of TD Bank and its aggressive growth model factored into its failure to establish even a basic BSA/AML compliance program, but the TD Bank enforcement actions offer important takeaways for smaller financial institutions. No matter the size of the bank, the following should be lessons learned from the TD Bank enforcement actions for your bank’s BSA/AML program:
- Incorporate BSA/AML risk analysis into the development of any new product or service.
- Ensure that an accurate BSA/AML risk rating is completed for any new customer.
- Establish frequent updates of the bank’s overall BSA/AML risk assessment.
- Establish frequent reviews of the BSA/AML program.
- Confirm that reported suspicious activity is being investigated and SARs are being filed when appropriate.
- Emphasize the importance of job-specific employee BSA/AML training; and
- Use the results of independent testing to improve your BSA/AML compliance program.
“Take steps now to ensure your bank’s BSA/AML program meets regulatory expectations — no bank should be the the subject of a “lesson learned the hard way” BSA/AML enforcement action.”