Mike Volkov often told the story of watching the Watergate Hearings as a teenager and being a seminal influence on his later professional life in the legal profession and government service. It was my first exposure to long-term Congressional hearings, at least when they were not the claptrap theater we have in place today. Perhaps the single thing I remember the most clearly was Tennessee Senator Howard Baker’s question, “What did the President know, and when did he know it?” The answer that we learned during the Watergate hearings was that President Nixon had known all along that the crimes of Watergate originated in the White House. Today, I want to use that question to explore what TD Bank knew, when they knew, and what that tells us about the culture of the world’s 30th-largest bank and 10th-largest bank in the US.
Prior OCC, FinCEN, and DOJ Enforcement Actions
In September 2013, the OCC and FinCEN levied a $37.5 million civil monetary penalty against the Bank for violating the Bank Secrecy Act (BSA) related to a Ponzi scheme run by a Florida attorney. Despite the numerous AML alerts triggered by its transaction monitoring system, the Bank failed to identify and report approximately $900 million in suspicious activity. This failure stemmed, in part, from inadequate anti-money laundering (AML) training for both AML and retail personnel. FinCEN emphasized that poorly resourced and trained staff managing critical compliance functions is unacceptable, underscoring the importance of adequate training and resources in compliance programs.
Following these enforcement actions, the Bank needed to adapt its transaction monitoring system to address its deficiencies substantively. The OCC had directed the bank to establish policies and procedures that could respond systematically and promptly to environmental or market changes, such as developing new monitoring scenarios. However, the bank’s failure to implement these recommendations meant it could not effectively mitigate emerging risks. This oversight revealed significant gaps in the Bank’s AML compliance efforts, particularly its ability to adjust its program to evolving threats.
In 2015, the OCC instructed the Bank to enhance its transaction monitoring program for high-risk customers, who were subject to the exact scenarios and thresholds as the rest of the Bank’s customers despite their higher risk profile. In 2016, the AML function and the Bank technology teams began to develop new high-risk customer scenarios. That effort was put on hold in October 2016 by AML executives due to a lack of resources. After being briefly revived in early 2017, this project was again put on hold, this time by the head of AML at the Bank partly due to “cost.” Although US-AML leadership informed the OCC during its 2017, 2018, and 2019 examinations that these scenarios were in development, the Bank never implemented the required enhanced transaction monitoring of high-risk customers. By 2018, the OCC determined that the Bank’s planning and execution of its AML technology systems remained insufficient. The Bank had delayed implementing key AML technology projects, which directly contributed to its failures around AML compliance.
The Bank even misrepresented itself to the Department of Justice (DOJ). In February 2018, the Bank entered a settlement over its failure to file Suspicious Activity Reports (SARs). The Bank’s issues were partly due to its cessation of transaction monitoring scenario threshold testing. The Bank’s US-AML executives were aware of this resolution and acknowledged the importance of monitoring transactions for suspicious activity. One key AML leader at THE BANK emphasized that their AML team reviewed similar enforcement actions to ensure their compliance programs aligned with regulatory expectations, particularly around scenario threshold testing.
He explained to the AML Oversight Committee that the Bank conducted a detailed analysis below scenario thresholds to determine if SARs should have been filed, adjusting thresholds accordingly. This approach was intended to avoid the failures that led to the other bank’s settlement. However, despite these assurances, by early 2018, THE BANK’s AML team and its technology partners effectively halted its threshold testing due to competing priorities and resource limitations.
As a result, between 2018 and 2022, the Bank conducted threshold testing, or “quantitative tuning,” on only one out of approximately 40 U.S. transaction monitoring scenarios. This significant reduction in testing left gaps in the Bank’s AML compliance program, potentially exposing the bank to similar risks and regulatory scrutiny that had affected other institutions in the industry.
Where Was Internal Audit?
The question in these massive enforcement actions is often, ‘Where was the internal audit?’ Regarding the Bank, the answer is simple: Right Here, Doing Our Job. In 2018, the Bank’s Internal Audit function uncovered a critical issue within the bank’s AML program: the high-risk jurisdiction transaction monitoring scenarios were based on an outdated list, meaning the bank was not flagging transactions from jurisdictions currently deemed high-risk. This oversight severely impacted the bank’s ability to monitor and address risks associated with these regions. The findings revealed a gap in how the bank’s transaction monitoring system adapted to evolving regulatory expectations and global risk landscapes, compromising the effectiveness of its AML efforts.
By 2020, Internal Audit highlighted even more deficiencies in the bank’s AML compliance, specifically related to the governance and review of transaction monitoring scenarios. Among the key issues were a need for formal timelines for completing scenario reviews, some of which had been outstanding since 2017, and the failure to implement proposed changes from the previous year. Moreover, there needed to be a formal process or documentation to guide the promotion of new monitoring scenarios, a governance gap mirroring issues identified by the OCC seven years earlier. These systemic failures indicated a troubling lack of progress in strengthening the bank’s AML compliance framework.
Despite the findings from 2018 and 2020, Internal Audits reviewed in the following years revealed that these issues remained unresolved. The Bank’s Board of Directors was informed of these ongoing deficiencies and remediation plans, yet the persistent gaps in governance and scenario management continued to hinder the bank’s ability to respond to AML risks effectively. For those keeping score at home, that means Actual Knowledge at the Board.
Three Clarion Calls
Are you beginning to see a pattern here? The Bank engaged third-party consultants who identified significant weaknesses in its AML program and reported these issues to the Bank’s AML leadership. In 2018, one consultant noted that increasing regulatory requirements and transaction volumes would pressure AML operations, making it difficult to meet demands and deadlines. Additionally, the consultant found that The Bank’s testing of its transaction monitoring scenarios took less than the industry average, highlighting inefficiencies in its ability to assess and capture suspicious activity.
In 2019, another consultant flagged sub-optimal transaction monitoring scenarios based on outdated parameters. These outdated scenarios generated many alerts, overwhelming the AML team and limiting their ability to focus on truly high-risk customers and transactions. This finding pointed to a broader issue in the bank’s ability to adapt its monitoring systems to changing regulatory and risk environments, significantly undermining the effectiveness of its AML compliance efforts.
In 2021, a third consultant identified additional limitations within the Bank’s transaction monitoring program, particularly its technology infrastructure. The consultant found that the bank faced technological barriers that restricted its ability to develop new scenarios or adjust existing parameters, further hampering its AML efforts. These ongoing challenges reflect a broader need for the Bank to modernize its systems and ensure its AML program is agile enough to meet regulatory expectations and address emerging risks effectively.
The AML Leadership Team
During the relevant period, the Bank’s AML leadership consisted of key individuals whose responsibilities significantly shaped the Bank’s approach to AML compliance, and, more importantly, all knew of the Bank’s AML deficiencies. They were identified as Individual-1, Individual-2, and Individual-3 in the Information. Individual-1 was hired in 2013 as VP of AML Operations and rose to become the sole Chief AML Officer by 2019, overseeing the bank’s global AML program. His role included setting the annual AML budget, developing strategic priorities, and regularly reporting to the board of directors. Individual-1’s oversight extended to AML technology services and the U.S. Financial Intelligence Unit (FIU), reflecting his pivotal role in the U.S. and global AML operations.
Individual 2 joined THE BANK in 2014 as Head of the U.S. FIU and was critical in overseeing the investigative teams responsible for reporting suspicious activities and managing high-risk customers. By 2019, Individual-2 had assumed the role of BSA Officer and Deputy Global Head of AML Compliance, where they were responsible for managing the U.S. AML program. However, despite these responsibilities, Individual 2 faced limitations due to the Chief AML Officer’s direct control over AML technology, a crucial aspect of the bank’s AML operations, which created challenges in overseeing technology-related AML issues.
Individual-3, a vice president within AML Operations, took on significant responsibilities within the U.S. FIU, especially between 2017 and 2018. In this role, Individual-3 managed the initial review of transaction monitoring alerts and the handling of Unusual Transaction Referrals (UTRs) and reports of suspicious activity submitted by employees. Together, these key figures shaped THE BANK’s AML efforts, though the division of responsibilities and challenges with AML technology governance highlighted areas of vulnerability within the bank’s compliance framework.
What did the Bank know, and when did they know it? As the Information rather dryly noted, “US-AML, including senior leadership, were aware of the lack of domestic ACH and check monitoring.” More importantly, like President Nixon, they knew about their AML failures and consciously chose not to do anything about them.
Resources
Join us tomorrow when I will consider the reckoning for the Bank.
Resources
OCC
DOJ
TD Bank US Holding Company Information
TD Bank US Holding Company Plea Agreement and Attachments