Compliance professionals face extraordinary risks – not just for the enterprise but personal risks.  CCOs should not panic or overreact when the government brings an enforcement action against a compliance officer for a company’s compliance failure.

The lesson for compliance officers who work in regulated industries is fairly straightforward – when faced with real compliance problems, compliance professionals have to document efforts to address the deficiencies.  If a compliance professional fails to act in the face of clear and communicated deficiencies, the compliance professional faces risks of civil enforcement by regulatory agencies. 

This unfortunate scenario was underscored by the recent settlement announced by FinCEN and Michael LaFontaine, the former Chief Operational Risk Officer (and prior to that, Deputy Risk Officer and Chief Compliance Officer) at U.S. Bank for his failure to prevent violations of the Bank Secrecy Act (“BSA”).

In  February 2018, U.S. Bank (“USB”) entered into a two-year deferred prosecution agreement (“DPA”) and paid $163 million to settle AML violations.  USB was cited for AML deficiencies and for failing to file suspicious activity reports (“SARs”).  USB paid $458 million in a forfeiture action, a $75 million penalty to the Office of the Comptroller of the Currency, and a $70 million penalty to FInCEN.

FinCEN’s settlement with LaFontaine outlines his involvement in the oversight and operation of USB’s AML program.

At its core, LaFontaine was made aware of two significant deficiencies in USB’s AML program:

First, USB placed an arbitrary cap on the number of transactions flagged by its automatic transaction monitoring program for investigation as “suspicious” because of the limited number of investigators available to follow up on the transactions; and

Second, USB’s AML program was staffed by an inadequate number of personnel in light of its risk profile.

LaFontaine was cited for his failure to act over a nine-year period, 2005 to 2014, in response to clear information concerning USB’s long-standing AML compliance deficiencies.  In particular, USB’s arbitrary cap on suspicious transaction alerts excluded a number of transactions, a significant percentage of which would have required a SARs filing. 

LaFontaine was warned by two AML officers of the arbitrary caps, and the OCC repeatedly warned USB to eliminate these arbitrary caps on transaction alerts but LaFontaine and others at USB failed to act.

In 2009 and 2010, the AML officer wrote memos to LaFontaine alerting him to USB’s AML program deficiencies, which resulted in a failure to file SARs for a number of transactions excluded by the arbitrary cap.  USB personnel wanted to expand the number of transactions flagged for follow up but over the next three years, nothing changed and by 2012, USB decided to discontinue sampling and testing of excluded transactions.

In 2012, USB hired a new CCO and a new AML officer.  The new AML officer raised similar objections concerning USB’s AML program.  The new CCO also raised the issue with LaFontaine, who again failed to act.

In November 2013, USB’s CEO conducted a meeting with the AML officer and CCO to review USB’s AML program.  The PowerPoint presentation highlighted in the beginning the significant deficiencies noted by the AML officer and the CCO.  LaFontaine reviewed the presentation and failed to raise with the CEO the issue of the arbitrary caps and other AML program deficiencies.