Today, I continue my exploration of the TD Bank AML/BSA enforcement action through two of the most significant cases regarding Boards of Directors and corporate compliance: the Caremark and Stone v. Ritter decisions. The former decision was released in 1996, and the latter, some ten years later, in 2006. The original Caremark decision laid the foundation for the modern obligations of Boards of Directors in oversight of compliance in general and a company’s risk management profile in particular. Stone v. Ritter confirmed the ongoing vitality of the original Caremark decision.
Caremark
In Caremark, the Court noted that director liability for a breach of the duty to exercise appropriate attention can come up in two distinct contexts. In the first, liability can occur from a board decision that results “in a loss because that decision was ill-advised or ‘negligent.’” In the second, board liability for a loss “may be said to arise from an unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss.”
However, it is this second type of liability that boards can run afoul of under Caremark, and it is the one that seems to be the liability under which most boards are found wanting in successful Caremark claims. It is when “director liability for inattention is theoretically possible to entail circumstances in which a loss eventuates not from a decision but from unconsidered inaction.” Board obligations had changed, and the Caremark court noted that boards could not satisfy their “obligation to be reasonably informed concerning the corporation, without assuring themselves that information and reporting systems exist in the organization that is reasonably designed to provide to senior management and to the board itself timely, accurate information sufficient to allow management and the board, each within its scope, to reach informed judgments concerning both the corporation’s compliance with the law and its business performance.”
Stone v. Ritter
This case involved money laundering and a bank’s failure to report suspicious activity, which led to an employee running a Ponzi scheme. The bank in question was fined over $40 million. Once again, the plaintiffs were unsuccessful in their claims. The Stone v. Ritter court approved the Caremark Doctrine and further specified that Caremark required a “lack of good faith as a ‘necessary condition to liability.’” This is because the Court was not focusing simply on the results but on the board’s overall conduct “of the fundamental duty of loyalty.” It follows that because a showing of bad faith conduct “is essential to establish director oversight liability, the fiduciary duty violated by that conduct is the duty of loyalty.”
The Stone v. Ritter court ended by refining the Caremark Doctrine to define the necessary conditions for director liability under Caremark.
They are:
- Directors utterly failed to implement any reporting or information system or controls. This is called a Prong 1 claim or the ‘Information-Systems Theory’; and
- If they have implemented such a system or controls, they have consciously failed to monitor or oversee its operations, thus disabling themselves from being informed of risks or problems requiring their attention. This is called a Prong 2 claim or the ‘Red Flag Theory.’
In either situation, imposition of liability requires a showing that the directors knew they were not discharging their fiduciary obligations. Where directors fail to act in the face of a known duty to act, thereby demonstrating a conscious disregard for their responsibilities, they breach their duty of loyalty by failing to discharge that fiduciary obligation in good faith.
Board AML Obligations
TD Bank’s Board of Directors had a variety of obligations regarding compliance and the bank’s AML program. According to the Information, these duties included:
- Supervision and Strategy. The Board oversaw the Group’s overall operations to ensure the effective execution of major strategies and enterprise risk management.
- Executive Oversight. The Board is responsible for executive hiring and management and provides leadership across the Group’s subsidiaries.
- Internal Controls and Compliance. The Board was mandated to ensure that internal controls were effective and that the Group complied with applicable regulations. It was also mandated to set the tone for corporate integrity and culture and promote a compliance-oriented environment throughout the organization.
- Subsidiary Oversight. For TD Bank’s U.S. operations, the Board of TDBUSH was to oversee and monitor the BSA/AML program. They appointed the BSA Officer, were mandated to ensure the program’s effectiveness, and allegedly received regular updates on its performance. (More on this in a later blog.) The board also challenges information and actively participates in risk briefings to understand the program’s risks and controls adequately.
Overall, the Board was accountable for maintaining a strong compliance culture, particularly around AML policies, and ensuring a top-down commitment to these principles. Which, if any, of the above did TD Bank actually fulfill?
Board Knowledge of AML and Compliance Deficiencies
Over at least eleven years, the Board of Directors at TD Bank Group and its subsidiaries was repeatedly made aware of failures in the Banks’ AML program through several channels. These channels included:
- Regulatory Actions. In 2013, enforcement actions by the OCC and FinCEN resulted in a $37.5 million penalty, with the board of TDBNA signing the agreement. The failure to identify $900 million in suspicious activity highlighted concerns about inadequate AML training.
- Ongoing Audits. Between 2017 and 2020, internal audits identified multiple unresolved AML deficiencies, such as outdated transaction monitoring scenarios and governance issues. The Board was informed of these audit findings and the associated remediation plans.
- Third-Party Consultants. Between 2018 and 2021, external consultants flagged key weaknesses, including delays in AML technology upgrades, outdated parameters, and inefficiencies in testing transaction monitoring scenarios. The Board was informed of these reports.
- Direct Board Briefings. In 2021, the Boards of TD Bank Group, TDGUS, and TDBUSH were directly briefed on the need for a more adaptive AML framework to address evolving risks, which had yet to be adequately implemented over time.
Despite multiple alerts from regulators, auditors, and consultants, the Board of Directors did not take sufficient action to resolve the identified deficiencies in the AML program, which led to significant unmonitored customer activity.
The Board and Caremark
As previously noted, the standard for violation of the Caremark Doctrine is one of two potential claims:
- Directors utterly failed to implement any reporting or information system or controls. This is called a Prong 1 claim or the ‘Information-Systems Theory’; and
- If they have implemented such a system or controls, they have consciously failed to monitor or oversee its operations, thus disabling themselves from being informed of risks or problems requiring their attention. This is called a Prong 2 claim or the ‘Red Flag Theory.’
It appears that the Board of Directors was well aware of its obligations regarding AML reporting and oversight. Yet, for some reason, the Board failed to act on any of the information presented to it.