AML Compliance Concerns Continue to Swell as New York Fines Mega Bank US$180 Million

On August 19, 2016, the New York Department of Financial Services (DFS) entered into a consent order with Mega International Commercial Bank Co., Ltd. New York Branch (Mega Bank-New York) and its parent, Mega International Commercial Bank Co., Ltd. (together, Mega Bank), fining Mega Bank US$180 million for violating New York's anti-money laundering (AML) laws and regulations. The consent order further evidences an environment of enhanced AML enforcement risk that, combined with the recent imposition of new federal and state AML rules, should prompt all financial institutions to thoughtfully re-evaluate their approach to AML compliance.

The enforcement action follows the DFS' 2015 examination of Mega Bank-New York, where the DFS found myriad deficiencies in the branch's AML compliance program, including a flawed compliance structure, inadequate expertise in both the AML officer and chief compliance officer positions, deficient transaction monitoring and filtering systems and policies, and failures to perform adequate reviews of Mega Bank's affiliates' correspondent banking activities at Mega Bank-New York. The DFS stated in the consent order that these compliance failures indicated "a lack of understanding ... of the need for a vigorous compliance structure."

The DFS also identified serious deficiencies relating to high-risk customers and transactions. Noting that Mega Bank conducts significant financial activities in and through Panama—facilitated by the operation of branch offices in Panama City and Colón, Panama—the DFS stated that Mega Bank-New York failed to perform enhanced due diligence on high-risk customers, and did not heed warnings that, in the DFS' view, indicated that Panama was a high-risk money laundering jurisdiction (citing the publication of the Panama Papers as one indication). Finally, the DFS found that Mega Bank's head office lacked diligent oversight of the New York branch and criticized the branch for seeking to refute the 2015 examination findings rather than acting quickly to remedy the deficiencies.

Based on these findings, the DFS concluded that Mega Bank failed to maintain an effective and compliant AML program and Office of Foreign Assets Control (OFAC) compliance program in violation of 3 N.Y.C.R.R. § 116.2, failed to maintain and make available at its New York branch true and accurate books, accounts, and records reflecting all transactions and actions in violation of N.Y.B.L. § 200-c, and failed to submit a report to the Superintendent immediately upon discovering fraud, dishonesty, making of false entries and omission of true entries, and other misconduct, in violation of 3 N.Y.C.R.R. § 300.1.

To settle these violations, Mega Bank agreed to pay a penalty to the DFS in an amount of US$180 million and commit to several remedial measures:

• Develop and submit to the DFS AML compliance program policies and procedures that ensure robust corporate governance and management oversight, internal controls, employee training, monitoring and reporting, and customer due diligence.
• Develop written policies and procedures that govern the conduct of Mega Bank-New York's personnel in all supervisory and regulatory matters, including interaction with DFS examiners.
• Engage a compliance consultant for up to six months to consult, oversee, and address deficiencies in Mega Bank-New York's compliance function.
• Retain an independent monitor for a minimum of two years to conduct: (i) a review of Mega Bank-New York's AML compliance program; and (ii) a look-back review of Mega Bank-New York's U.S. dollar clearing transaction activity from January 1, 2012 to December 31, 2014 to determine whether Mega Bank-New York properly identified and reported all transactions occurring at, by, or through the branch in accordance with the applicable AML and OFAC laws and regulations. The independent monitor must report to the DFS all findings of each review.

Importantly, although the DFS acknowledged that no further action will be taken against Mega Bank for the conduct detailed in the consent order, the DFS preserved the right to penalize Mega Bank for activities or transactions found to be in contravention with OFAC sanctions regulations or suspicious activity reporting regulations. Specifically, the DFS carved out issues that come to light as a result of the look-back review, stating that it "may undertake additional action against Mega Bank for transactions or conduct that comes to the attention of the [DFS], either as a result of the Transaction and OFAC Sanctions Review, or in some other manner."

In addition to the Mega Bank enforcement action, there have been a number of other recent regulatory developments aimed at ensuring financial institutions are equipped to combat money laundering and terrorist financing, and collectively create an enhanced set of regulatory expectations for financial institutions.               

• FinCEN's Customer Due Diligence Rule. In May 2016, the Financial Crimes Enforcement Network (FinCEN) adopted its long-awaited customer due diligence rule (CDD Rule), which established requirements for financial institutions to identify and verify the identity of the beneficial owners of all legal entity customers at the time a new account is opened. The CDD Rule also formalized existing expectations of customer due diligence imposed on financial institutions as the "fifth pillar" of AML compliance. Specifically, the CDD Rule amends the federal AML program regulations explicitly to include risk-based procedures for conducting ongoing customer due diligence, which includes understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile. Covered financial institutions must comply with the new CDD Rule by May 11, 2018.

• Other DFS Enforcement Actions. Although the Mega Bank action imposes the heaviest monetary penalty, it is just the latest in a series of DFS enforcement actions against foreign banks operating in New York since December of 2015. The DFS also brought actions against the National Bank of Pakistan, Industrial Bank of Korea, and Habib Bank Limited¹ for deficiencies in the banks' AML compliance programs. All four enforcement actions closely followed DFS examinations of the branches and required the banks to develop written plans to enhance corporate governance and management oversight of branch AML operations, develop and enhance written AML and OFAC compliance programs, and commit to ongoing compliance reporting to the DFS.

• New DFS AML Rule. On June 30, 2016, the DFS adopted a final rule requiring New York-regulated financial institutions to bolster their AML programs and, most significantly, personally certify to the DFS that those enhanced programs meet the DFS' expectations. Specifically, the new Part 504, Banking Division Transaction Monitoring and Filtering Program Requirements and Certifications, requires regulated institutions to establish and maintain a transaction monitoring and filtering program with particularized attributes aimed at curing potential shortcomings in existing AML programs. On an annual basis, either the board of directors as a governing body or a senior officer personally will be required to certify that the new program is compliant and that the governing body or individual certifying has undertaken all necessary steps to make such certification. Covered financial institutions must comply with the new DFS rule by January 1, 2017 and submit their first AML certifications on April 15, 2018.

Given the increasing number of significant AML-related regulatory developments, senior management and compliance professionals should thoughtfully evaluate their financial institutions' approach to AML compliance, including corporate governance and resource allocations necessary to meet state and federal regulators' rising expectations and new AML rules. Moreover, as the Mega Bank enforcement action demonstrates, financial institutions should continue to monitor important regulatory developments and, on a proactive basis, refine their compliance operations accordingly.

* * * *

Arnold & Porter's financial services team handles some of the most significant matters affecting the financial services industry and is active in a variety of AML matters for our financial services clients, including internal investigations, defense of enforcement actions and civil and criminal litigation, development and documentation of compliance programs, public policy issues, and regulatory counseling. Our AML team includes former federal prosecutors as well as former senior officials from the intelligence agencies, the US Department of State, and the US federal banking agencies.

On September 8, Arnold & Porter will host a New York Regulatory Roundtable with industry participants, external AML consultants, and attorneys from Arnold & Porter's financial services team to discuss AML developments impacting the banking industry, focusing on the impact of the New DFS AML Rule, best practices for development and implementation of the Rule's requirements, and various strategic considerations and alternatives, including the eight critical questions your institution should be asking to determine whether to remain subject to the DFS' jurisdiction.

Visit our event page to register.