It is, by now, common practice for financial institutions (and other businesses as well) to adopt and maintain comprehensive and costly Anti-Money Laundering (AML) and Office of Foreign Assets Control (OFAC) compliance programs, to train their employees on AML/OFAC compliance generally and those in-house programs in particular, and periodically to update all of these. In recent remarks delivered at Columbia Law School, New York Superintendent of Financial Services Benjamin Lawsky decried what he considers to be pervasive compliance shortcomings in this area. Mr. Lawsky proposed that senior executives attest to the adequacy of their institutions’ compliance systems in a manner analogous to Sarbanes-Oxley verifications about the correctness of a public company’s financial statements and the effectiveness of its internal controls. Mr. Lawsky’s proposal, if instituted, would hold individual bank executives personally responsible for their employers’ AML/OFAC compliance system shortcomings.
One can see where Mr. Lawsky is coming from. Recent years have witnessed federal and state fines and civil penalties in the hundreds of millions – and even in some cases billions – for widespread violations of AML and OFAC requirements by financial institutions, predominantly foreign banks. Many of those fines and penalties, as we have previously noted here and here, have been levied by Mr. Lawsky’s own agency, the New York Department of Financial Services (DFS).
Mr. Lawsky does not regard these enormous penalties levied solely against institutions as adequate deterrence, telling the audience at Columbia, “A whack-a-mole approach – simply bringing enforcement actions when we find problems – is not, by itself, enough. Particularly because we believe there are likely widespread problems with transaction monitoring and filtering systems throughout the [financial services] industry.”
As evidence of these “problems,” he pointed to an independent monitor’s finding that a bank had failed to flag literally millions of suspicious transactions. “We basically ran the company’s transactions through our own filtering system and compared the results. This was a new approach. In the past, regulators have largely relied on self-reporting by firms that discover… that banned transactions occurred for some reason. What regulators have not done is actively tested the effectiveness of the filtering systems banks are using. That needs to change.” Thus DFS may also initiate random audits of companies’ AML systems to test whether they are successfully flagging suspicious transactions.