Compliance Lessons from Bela Lugosi’s Dracula

As many of my readers know, I am a huge fan of the Classic Universal Picture Movie Monsters, focusing on the period from 1931 to the mid-1950s. In October, I traditionally use our Halloween-ending month to explore the Classic Universal Movie Monsters, along with other films from the Hammer Studio, those produced by Val Lewton, and those starring Vincent Price. This year, I wanted to go back to basics by looking at the Classic Universal Movie Monsters, starting with Dracula and Frankenstein in 1931, followed by The Invisible Man in 1933, The Mummy in 1936, and ending with The Wolf Man in 1940.

Over the next five weeks, I will examine each of these movies through the lens of compliance and extract compliance lessons from each one. Today, I continue with the Classic Universal Movie Monster, Bela Lugosi’s version of Dracula. If you want to take a deeper dive into this movie in the podcast format, check out the special series on Popcorn and Compliance, hosted by my friends Fiona and Timothy. These podcasts will be posted alongside the blog post each Friday during October.

When Bela Lugosi first spoke the words, “I am Dracula,” in Tod Browning’s 1931 classic, audiences were mesmerized. His piercing stare, deliberate speech, and aristocratic charm redefined horror cinema. But beneath the gothic atmosphere lies something compliance professionals know all too well: the dangers of deception, unchecked power, and the failure to recognize risk until it’s too late.

The Lugosi Dracula is not just a horror film; instead, think of it as a parable of compliance. The Count operates as a smooth-talking third party who gains access, conceals his true motives, and ultimately causes destruction when left unmonitored. For the corporate compliance professional, there are striking lessons in risk management, due diligence, and the importance of cultural awareness.

We continue our look at the Classic Universal Monster Movies by reviewing five key compliance lessons from the Lugosi Dracula.

1. Third Parties Are Your Greatest Risk

Dracula does not walk into London as a monster. He enters as an exotic nobleman, charming, well-spoken, and seemingly trustworthy. The people around him take him at face value. Only too late do they discover the truth: he is feeding off their lifeblood. This is the archetype of third-party risk. Business partners, agents, or distributors may present themselves as polished and reputable, but without thorough due diligence, they can bring immense legal and reputational risk.

Compliance takeaway: Treat every third-party relationship as a potential source of risk. Conduct due diligence, monitor relationships, and never rely solely on surface-level reputation. A charming exterior may conceal dangerous intentions.

2. Beware the Power of Influence

One of Lugosi’s most memorable traits is his hypnotic gaze. With it, he bends others to his will: Renfield, Mina, and Lucy each fall victim not by force, but by subtle manipulation. In the compliance world, influence is often exerted by powerful executives, dominant cultures, or high-performing employees. When individuals exercise undue influence, they can pressure others to bend the rules, ignore red flags, or accept unethical behavior as usual.

Compliance takeaway: Compliance officers must watch for undue influence in corporate cultures. Strong tone from the top matters, but so does tone in the middle. Employees must feel empowered to resist pressure, report concerns, and recognize when influence becomes coercion.

3. Risk Hides in the Shadows

Much of the horror in Dracula comes not from what is seen, but from what lurks in the shadows. The Count moves by night, unseen, exploiting darkness to conceal his actions. By the time victims realize what has happened, the damage is already done. This resonates with how misconduct often operates in organizations. Corruption, fraud, and abuse typically occur out of sight, through falsified invoices, shell companies, or hidden payments. By the time regulators or auditors arrive, the harm is already inflicted.

Compliance takeaway: Continuous monitoring and data analytics are the compliance professional’s tools for shining light into the shadows. Proactive detection through real-time alerts, AI-driven monitoring, and transactional reviews helps catch misconduct before it metastasizes.

4. Cultural Blindness Increases Vulnerability

One of the early warnings comes from the locals in Transylvania, who beg Jonathan Harker not to go to Dracula’s castle. They know the legends, they understand the risks, and they offer charms for protection. Yet he dismisses them as superstition. This is a classic case of ignoring cultural risk signals. In multinational operations, compliance failures often occur when the headquarters dismisses local knowledge, customs, or warnings. By failing to respect the insights of those closest to the risk, organizations make themselves vulnerable.

Compliance takeaway: Listen to local voices. Local compliance officers, employees, and partners often see risks first. A compliance program that ignores or downplays its input is doomed to fail. Respecting cultural context is essential for effective risk management.

5. Complacency Enables Catastrophe

Finally, one of the key reasons Dracula thrives in London is that no one believes such evil could exist among them. Van Helsing recognizes the threat, but others mock him or rationalize the strange events. Denial and complacency give Dracula the space to flourish. In corporate compliance, complacency is equally dangerous. When companies assume “it can’t happen here,” they let their guard down. When managers dismiss warning signs as anomalies, they enable misconduct to spread. Complacency is the enemy of effective compliance.

Compliance takeaway: Compliance professionals must cultivate vigilance. Risk assessments should be ongoing, investigations must be taken seriously, and whistleblower reports must never be ignored. The moment an organization believes it is immune, it becomes most vulnerable.

Conclusion: Dracula in the Boardroom

Bela Lugosi’s Dracula is remembered for its elegance and terror. But for compliance officers, it offers something more: a reminder that risk often comes disguised as opportunity, that influence can corrupt, that danger thrives in shadows, that cultural insights matter, and that complacency kills.

Just as Van Helsing armed himself with crucifixes, garlic, and sunlight, compliance professionals must arm their organizations with due diligence, monitoring, cultural awareness, and vigilance. The Lugosi Dracula teaches us that evil is not always obvious; rather, it often comes in a tuxedo, with a charming smile and a foreign accent, promising value while draining the lifeblood of those who trust too easily.

The compliance professional’s mission is clear: don’t let Dracula through the door without asking the hard questions, shining the light into dark places, and ensuring that your organization is prepared for what lurks in the night.

Join us next Friday as we jump to 1940 and consider compliance lessons from Lon Chaney Jr.’s The Wolf Man.

Compliance Tip of the Day – Compliance Lessons from The Invisible Man

Welcome to “Compliance Tip of the Day,” the podcast that brings you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our goal is to provide you with bite-sized, actionable tips to help you stay ahead in your compliance efforts. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

This week concludes a 5-part series on compliance lessons from Classic Universal Movie Monsters, focusing on Claude Rains’ portrayal of Jack Griffin in The Invisible Man.

For more information on this topic, refer to The Compliance Handbook: A Guide to Operationalizing Your Compliance Program, 6th edition, recently released by LexisNexis. It is available here.

#Risk New York Speaker Series – Upping Your Game with Tom Fox

Join me and hundreds of other GRC professionals in the city that never sleeps, New York City, on July 9 & 10 for one of the top conferences around, #Risk New York. The current US landscape – shaped by evolving policies, rapid AI advancements, and shifting global dynamics – demands adaptive strategies and cross-functional collaboration.

At #RISK New York you will master the New Regulatory Reality by getting ahead of US regulatory shifts and their impact. Conquer AI & Tech Risk by safeguarding your organization in an AI-driven world and understanding the implications of major tech investments. Navigate Financial & Crypto Volatility by protecting assets and exploring solutions in a dynamic market. Strengthen Your GRC Framework by leveraging governance, risk, and compliance for strategic advantage. Protect Digital Trust by addressing challenges in cybersecurity, data privacy, and combating misinformation. All while meeting

In this episode of the Risk New York podcast series, Tom Fox introduces the upcoming Risk New York Conference, scheduled for July 9-10 at Fordham Law School. The conference, hosted by GRC World Forums, will focus on various aspects of risk management, including AI, tech risk, financial and crypto risk, and GRC frameworks. Tom discusses his keynote based on his book ‘Upping the Game’ and highlights key speakers and exhibitors, including Robert Clark from Howard University, Bill Coffin and Erica Alburn from Ecosphere, and Michael Rasmussen, known as the father of GRC. The episode emphasizes the significance of the conference and provides information on discounted tickets and other details available in the show notes.

Resources

#Risk Conference Series

#RiskNYC-Tickets and Information

Compliance in a Time Warp: Lessons from Star Trek’s Tomorrow Is Yesterday

Show Summary

In the ever-expanding universe of Star Trek: The Original Series, the episode “Tomorrow Is Yesterday” offers an unexpected bounty of compliance insights. On its surface, the story is a classic time-travel romp: the USS Enterprise is accidentally flung back to 1960s Earth, intercepted by a U.S. Air Force jet, and must find a way to return to the 23rd century without altering the course of history. But below the sci-fi action lies a deeper commentary on responsibility, decision-making, and the unforeseen consequences of even well-intentioned actions, making it a surprising compliance masterclass in disguise.

As compliance professionals, we often deal with risks not just of what is known but of what could happen: the unknown impact of an overlooked third-party relationship, a lack of controls in an emerging market, or a cultural blind spot that results in reputational fallout. In “Tomorrow Is Yesterday,” the crew must tread carefully to avoid disrupting the timeline, and in doing so, they offer lessons on ethics, documentation, information handling, and more. Let’s break it down: each lesson begins with a scene from the episode, followed by a compliance insight that today’s professionals can apply.

Lesson 1: Every Action Has Ripple Effects

Illustrated By: When the Enterprise accidentally ends up in the Earth’s atmosphere in the 1960s, it is detected by U.S. military radar. An Air Force pilot, Captain Christopher, is scrambled to intercept. The crew beams him aboard to save his life when his aircraft is destroyed—but now, they’ve interfered with the timeline.

Compliance Lesson:

This scene serves as a powerful reminder that even minor actions can have significant consequences when not carefully considered. In compliance, well-meaning decisions made under pressure, such as rushing a vendor through onboarding or bypassing standard procedures to hit a deadline, can trigger cascading problems. A missing due diligence step today might become tomorrow’s enforcement action.

The key takeaway is that compliance must always be mindful of unintended consequences. Strong controls and decision-making frameworks help teams slow down just enough to assess risks before acting. Preventing compliance failures often comes down to building in that pause, the moment of reflection before action.

Lesson 2: Do Not Underestimate the Importance of Containment

Illustrated By: Captain Christopher now knows too much. He’s seen a starship, spoken with its crew, and witnessed 23rd-century technology. Spock warns that releasing him could change the course of Earth’s future. The crew must now decide whether to detain him, erase his memory, or seek an alternative solution.

Compliance Lesson:

When sensitive information is accidentally exposed, whether it is confidential business data, personal employee details, or insider information, containment becomes the first and most crucial response step. Like the Enterprise crew managing the fallout of their accidental encounter, compliance professionals must act quickly and decisively to limit exposure.

This lesson is especially critical in the era of data privacy regulations, such as GDPR and CCPA. Companies must have protocols in place to isolate breaches, report them within the required timeframes, and prevent further spread. Your compliance team should conduct tabletop exercises that simulate this kind of scenario, where exposure has already occurred, and now it is about mitigating the damage.

Lesson 3: Documentation and Traceability Are Critical

Illustrated By: As the crew works to reverse their time jump, they must carefully reconstruct a plan to erase all evidence of their presence in the past. They go so far as to recover physical recordings and tamper with computer logs to restore the timeline to its original state.

Compliance Lesson:

This scene underscores the importance of meticulous recordkeeping. While the Enterprise crew is in a rare situation of removing data for the good of the universe, in the corporate world, proper documentation is essential to ensure traceability, accountability, and auditability. Without documentation, there is no proof of process, no evidence of decisions, and no way to defend against accusations or demonstrate compliance.

Whether you are conducting due diligence, implementing a policy, or investigating a report, thorough documentation serves as the foundation of defensible compliance. Ensure that every step is captured, from the decision to engage a third party to the delivery and recording of employee training.

Lesson 4: Ethics Must Guide Decision-Making Under Uncertainty

Illustrated By: Faced with conflicting outcomes (if they return Captain Christopher to Earth, he may reveal classified knowledge; if they don’t, they alter his family line), Kirk and Spock must weigh ethical considerations against practical risks. Ultimately, they learn that Christopher’s unborn son will become pivotal to Earth’s future space exploration, so they must return him.

Compliance Lesson:

When policies do not offer a clear answer, ethical judgment must guide your decision-making. In many situations, especially those involving gray areas or new technologies, compliance teams are left to interpret principles rather than rules. That’s where a well-structured code of ethics becomes essential.

Training should teach employees not only what the law says but also how to apply ethical reasoning when there is no perfect option. Ethical leadership, modeled by those at the top, also reinforces that it’s not just about staying within bounds but rather about doing the right thing even when the stakes are high.

Lesson 5: Cross-Functional Collaboration Enhances Compliance Outcomes

Illustrated By: To return to their time and restore the timeline, the crew must coordinate multiple systems across engineering, science, navigation, and command. Mr. Scott recalibrates the engines, Spock calculates gravitational trajectories, and Sulu pilots the ship at precisely the right moment.

Compliance Lesson:

Compliance cannot operate in a silo. Like the crew of the Enterprise, compliance teams must work across various departments—such as legal, IT, HR, operations, and more—to execute effective risk mitigation. Whether you’re launching a third-party review process, addressing a whistleblower complaint, or updating privacy policies, your success depends on collaboration.

This involves building trust, facilitating effective communication, and aligning incentives across various functions. Consider forming cross-functional compliance working groups to stay informed about emerging risks and ensure shared ownership of compliance outcomes.

Lesson 6: Time Is of the Essence

Illustrated By: As the Earth’s gravitational pull begins to reassert itself, the Enterprise must execute its time-warp escape with split-second precision. A single delay could strand them in the 20th century or, worse, destroy the ship.

Compliance Lesson:

Timing can be the difference between a manageable issue and a full-blown crisis. Regulatory deadlines, investigation windows, and breach notification requirements all operate on strict timelines. Compliance professionals must be equipped to respond swiftly and decisively, particularly in crises.

Establishing a rapid-response protocol with clearly defined roles and pre-approved escalation paths is critical. Regularly review these protocols through simulated drills and update them based on lessons learned from real-world experiences. Like the crew navigating their return through time, your team must be prepared to act quickly when risk strikes.

Conclusion: Compliance for the Future—Rooted in Responsibility

“Tomorrow Is Yesterday” reminds us that ethical conduct isn’t just about navigating today’s rules but also about understanding the impact of our actions on tomorrow. For the crew of the Enterprise, that meant carefully extracting themselves from history without doing damage. For compliance professionals, it means building systems and cultures that consider not only legal obligations but also ethical consequences, unintended impacts, and the interconnectedness of our global environment.

In an era of accelerating technology, geopolitical shifts, and complex regulatory changes, these lessons are more relevant than ever. Whether it’s responding to a data breach, managing an FCPA risk, or updating your training protocols, ask yourself, “What ripple effects could this create? Are we prepared? Are we acting with integrity?”

To boldly go where no compliance program has gone before, we must learn from the past, act responsibly in the present, and remain ever-mindful of the future. So, let’s not just manage compliance—let’s lead it ethically, collaboratively, and with a focus on the future.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha

Compliance Tip of the Day – Implementing Internal Controls

Welcome to “Compliance Tip of the Day,” the podcast that brings you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our goal is to provide you with bite-sized, actionable tips to help you stay ahead in your compliance efforts. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

How to implement an internal controls regime in your organization.

For more information on this topic, refer to The Compliance Handbook: A Guide to Operationalizing Your Compliance Program, 6th edition, recently released by LexisNexis. It is available here.

Compliance Lessons Learned: Building Meaningful Workplace Connections

In today’s business environment, compliance professionals are often praised for their pivotal role in fostering ethical, sustainable, and resilient corporate cultures. A recent HBR article, What Employers Get Wrong About How People Connect at Work, provides a compelling framework that compliance officers can integrate into their strategies to strengthen organizational integrity and trust.

The authors believe that connections in the workplace are commonly thought of as a single dimension that prioritizes interpersonal relationships with co-workers. However, the authors have identified that connections in the workplace are made up of four interrelated and essential elements: employee connections with their colleagues, leader, employer, and role. This more accurate and nuanced view of workplace connections has implications for how organizations can design intentional talent strategies to create workplaces where employees are committed, engaged, and performing. They introduce the CLEAR framework to help facilitate transformative workplace lessons. I have adapted their ideas for the compliance professional.

  • Colleague Connection: Compliance as a Collaborative Endeavor

In compliance, collaboration is non-negotiable. The CLEAR framework emphasizes the importance of trust and mutual support among colleagues, a principle that extends seamlessly into compliance programs. When employees feel connected to their peers, they are more likely to share insights and raise concerns, a cornerstone of effective whistleblowing mechanisms. For compliance professionals, this means building platforms and safe spaces for employees to collaborate. Initiatives like ethics roundtables or cross-departmental compliance champions can foster peer-to-peer connections, encouraging the open exchange of ideas and concerns about compliance issues.

  • Leader Connection: Ethical Leadership in Action

The article identifies leader connection as a key factor, noting that 70% of the variance in team engagement is attributed to managerial quality. For compliance professionals, this underscores the need for leadership at all levels to embody ethical conduct. Leaders who communicate, provide constructive feedback, and model ethical behavior are indispensable in embedding compliance into an organization’s DNA. You should work to train your business leaders to be compliance ambassadors. This means both senior managers and middle managers as well. Equip them with tools to integrate compliance into their everyday leadership practices, from reinforcing training to discussing real-world ethical dilemmas with their teams.

  • Employer Connection: Aligning Compliance with Corporate Values

A strong employer connection, where employees see their work as meaningful and aligned with organizational goals, is critical. Compliance professionals are central in shaping this narrative by linking ethical practices to the company’s mission. When employees view compliance as an enabler of corporate success rather than a hindrance, their engagement deepens. Positioning compliance as a competitive business advantage and using internal communications to highlight how ethical practices contribute to the organization’s reputation, financial health, and long-term success will further align your employees with your overall goal of doing business ethically and in compliance.

  • Role Connection: Engaging Through Purpose

Role connection thrives when employees find satisfaction in their work and see clear pathways for growth. Compliance means integrating ethical considerations into individual roles and responsibilities. Employees who understand how their job contributes to the company’s compliance goals are likelier to take ownership of ethical behavior. Here, your compliance team should work to tailor compliance training to individual roles. Move beyond generic programs to create targeted, role-specific training that shows employees how compliance intersects with their day-to-day responsibilities.

  • CLEAR Connections and the Return-to-Office Debate

The authors critique a narrow focus on colleague connections in return-to-office mandates, warning that neglecting other CLEAR elements can undermine employee engagement. For compliance teams, this presents a nuanced challenge. Remote work can dilute compliance oversight, but rigid in-office policies may harm trust and morale. This will allow your compliance function to adopt flexible compliance monitoring strategies. Use technology to maintain oversight while respecting diverse work arrangements and ensure employees feel trusted and supported regardless of where they work. 

  • The Patchwork Principle: Balancing Connection Needs

The authors propose the “patchwork principle,” urging leaders to adopt a portfolio of policies that reflect employees’ diverse connection preferences. Compliance teams can take inspiration from this approach to design policies that address various needs while ensuring alignment with regulatory requirements. The DOJ has long clarified that your compliance program should be based on your company’s compliance risks. This means you should customize your compliance program. Consider employee demographics, cultural nuances, and risk profiles when designing policies and procedures, ensuring they resonate across the organization.

Final Thoughts: CLEAR Insights for Compliance Success

The CLEAR framework challenges compliance professionals to think beyond policies and procedures, emphasizing the human connections that underpin ethical behavior. By fostering meaningful relationships across these four pillars, compliance leaders can build a culture that adheres to regulations and thrives on trust, engagement, and integrity.

Incorporating these lessons is not simply about compliance but redefining how organizations connect, collaborate, and succeed. By adopting these principles, compliance professionals can lead the way in creating workplaces that are not only compliant but also connected and committed to excellence.

FCPA Compliance Report: Unlocking Financial Gains Through Proactive Compliance: Insights with Nicolas Tollet

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this edition of the FCPA Compliance Report, Tom Fox cross-posts the first episode of a new podcast series from Nicolas Tollet, partner at Hughes Hubbard & Reed.

In this episode, Tollet delves into the substantial financial benefits stemming from robust compliance measures. Tollet recounts a company’s journey through two deferred prosecution agreements (DPAs) related to bribery and corruption allegations in Africa and Brazil, detailing how proactive compliance actions saved the company approximately $100 million. He emphasizes the crucial role of an independent monitor and in-depth compliance reviews in identifying and mitigating misconduct. Tollet explores the implementation of compliance policies and training programs, drawing comparisons with high-profile cases like Walmart’s FCPA settlement, to illustrate the long-term financial stability and operational integrity gained through early compliance investment.

Highlights in this Episode:

  • The First Deferred Prosecution Agreement (DPA)
  • The Second DPA and Lava Jato Investigation
  • Compliance as a Competitive Advantage
  • Detecting and Addressing Misconduct
  • Remediation and Strengthening Compliance
  • Financial Benefits of Compliance
  • Comparing with Walmart FCPA Case

Resources:

Nicolas Tollet at Hughes Hubbard & Reed

For an audio/video version of the Compliance Kids book, Speaking Up is AWESOME, contact Tom Fox.

TD Bank: Part 3 – Lessons Learned for Compliance

We continue our exploration of the resolution of the AML/BSA enforcement action involving TD Bank US (the Bank), wholly owned by the TD Bank Group, a publicly traded (NYSE: TD) international banking and financial services corporation headquartered in Toronto, Canada. Today, we explore some key lessons learned for the AML compliance professional. We begin with what Attorney General Merrick Garland noted: “Three money laundering networks took advantage of TD Bank’s failed anti-money laundering system.”

The 3 Money-Laundering Schemes

The David Scheme

Da Ying Sze, also known as David, used the Bank in a money laundering and unlicensed money transmitting scheme, for which he pled guilty in 2022. David conspired to launder and transmit over $653 million, with more than $470 million laundered through TDBNA. He bribed bank employees with over $57,000 in gift cards to facilitate the scheme. David laundered money by depositing large amounts of cash, sometimes exceeding $1 million in a single day, into accounts opened by other individuals. He also instructed bank employees to send wires and issue official checks. The Bank failed to correctly identify David as the person conducting the transactions in over 500 CTRs, which covered more than $400 million in transaction value, despite David directly depositing large cash sums into accounts he allegedly did not control.

Bank Insiders

Five Bank employees provided material assistance to a second money laundering scheme, which laundered millions of dollars from the United States to Colombia. The five individuals, referred to as “TDBNA Insiders,” held various positions within the bank, including Financial Service Representative, Retail Banker, Assistant Store Manager, and Store Supervisor at TDBNA stores in New Jersey and Florida. These insiders helped the money laundering networks by opening accounts and providing dozens of ATM cards used to launder funds through high-volume ATM withdrawals. They also assisted in maintaining these accounts by issuing new ATM cards and overcoming internal controls and freezes on account activity. Through these actions, approximately $39 million was laundered through the bank. Despite significant internal red flags, TDBNA did not identify the insiders’ involvement in the money laundering scheme until law enforcement arrested Insider-1 in October 2023.

Shell Company Scammers

From March 2021 through March 2023, a money laundering organization known as “MLO-1,” which claimed to be involved in the wholesale diamond, gold, and jewelry business, maintained accounts for at least five shell companies at the Bank. These accounts moved approximately $123 million in illicit funds through the bank. The Bank knew these shell companies were connected, sharing the same account signatories. Despite these red flags, the Bank did not file a Suspicious Activity Report (SAR) on MLO-1 until law enforcement notified the bank in April 2022. By then, MLO-1’s accounts had been open for over 13 months and had transferred nearly $120 million through TDBNA.

Lessons Learned

This enforcement action is a sobering reminder of compliance’s critical role in preventing and detecting financial crimes like money laundering. With over $470 million laundered in one scheme, $39 million moved through insiders, and $123 million transferred via shell companies, significant compliance failures occurred. Of course, these are only a part of the $18.3 trillion in transactions that the Bank did not monitor due to its conscious compliance failures. These incidents underscore the importance of maintaining robust internal controls, employee oversight, and proper reporting mechanisms.

Failing to Detect Obvious Red Flags

In this case, one of the most glaring issues is the bank’s failure to identify the obvious red flags associated with laundering large sums of money. In the case of David, the Bank failed to file accurate CTRs for over $400 million in transactions. David regularly deposited enormous amounts of cash, over $1 million in a single day, into accounts opened by others, yet the bank failed to link him to these transactions.

The key takeaway for compliance professionals is to ensure that their systems are calibrated to flag suspicious activities, especially when transactions exceed certain thresholds. Large cash deposits, frequent activity involving multiple accounts, and nominee account holders should always trigger enhanced due diligence and review. Automated systems must be updated and combined with human oversight to catch these patterns.

The Role of Corrupt Employees in Facilitating Money Laundering

The involvement of the Bank Insiders in the second laundering scheme is a textbook example of how internal corruption can undermine even the most sophisticated compliance programs. These employees assisted money laundering networks by opening accounts, providing ATM cards, and circumventing internal controls and account freezes. In exchange, they received bribes, showing the vulnerability of staff in critical roles.

This scenario shows why employees must undergo regular anti-bribery and anti-corruption training to reinforce the consequences of accepting bribes and engaging in unethical behavior. In addition, a strong compliance culture should include mechanisms for detecting internal misconduct, such as anonymous reporting systems and independent audits to identify corrupt employees early. Creating ethical guardrails within your organization, alongside frequent checks and balances, can protect against insider threats.

CTRs and SARs Must be a Priority

A key regulatory requirement under the Bank Secrecy Act (BSA) is the filing of Currency Transaction Reports (CTRs) and Suspicious Activity Reports (SARs). The Bank’s failure to file accurate CTRs in David’s case and its delayed filing of SARs in the Shell Company Scammers scheme underscore how devastating the consequences can be when compliance teams do not take their regulatory obligations seriously. Even after identifying that shell companies were linked to each other by shared account signatories, the Bank failed to act quickly, allowing nearly $120 million to be laundered through its systems.

The timely filing of CTRs and SARs is not just a best practice; it is a regulatory requirement. Compliance officers must ensure that processes for flagging suspicious activity are effective and swift. Training staff to recognize when CTRs and SARs are needed and implementing systems that automatically flag transactions for review will help ensure compliance with reporting obligations.

Third-Party Risk and Shell Companies: Know Your Customer (KYC) Failures

The shell companies used to launder $123 million demonstrate a significant lapse in the bank’s Know Your Customer (KYC) protocols. The Bank knew the shell companies were linked by the same account signatories yet failed to act for over a year. This gap in KYC enforcement allowed significant funds to pass through without appropriate scrutiny or action.

KYC processes should be foundational to every compliance program. Regular reviews and enhanced due diligence are required when dealing with high-risk entities like shell companies. Compliance professionals should prioritize the identification of ultimate beneficial ownership (UBO) and remain vigilant when patterns suggest potential fraud, even if account openings appear legitimate at first glance. Your KYC protocols must also integrate ongoing monitoring, not just one-time checks.

The Consequences of Ignoring Red Flags

Across all three schemes, the Bank ignored significant internal red flags, whether it was employees directly depositing large sums of cash, insiders actively assisting in laundering activities, or shell companies linked by shared signatories. Compliance must be more than just a checkbox exercise. Red flags must be taken seriously and escalated quickly to prevent further damage.

Compliance teams must be empowered to act decisively when red flags are raised. This includes having the authority to freeze accounts, file reports, and escalate issues to senior management and regulatory authorities when needed. Additionally, a strong culture of compliance, backed by leadership, should encourage immediate action when suspicious activity is detected.

Monitoring and Auditing: Preventing Future Failures

Finally, this case reveals the importance of ongoing monitoring and regular auditing. In all three schemes, the Bank failed to sufficiently monitor account activities and employees, which allowed the laundering schemes to continue for extended periods. Regular audits and automated transaction monitoring systems are essential to detect and prevent similar issues.

Auditing and monitoring systems should be built into your compliance framework, focusing on high-risk accounts, employees, and geographies. By continuously reviewing and auditing compliance processes, teams can identify gaps early and prevent further exploitation. Technology can be key in monitoring, but human oversight is critical to analyzing more complex behavior patterns.

This enforcement action is a stark reminder of the consequences of weak compliance controls, employee corruption, and failure to act on red flags. For compliance professionals, the lessons from this case are clear: robust internal controls, continuous training, effective KYC procedures, and timely reporting are essential to preventing and detecting money laundering. By learning from these failures, compliance officers can strengthen their programs and ensure their organizations remain vigilant in the fight against financial crime.

I will explore this matter in depth over the next several blog posts. Tomorrow, I will consider the Bank’s culture and flat cost paradigm.

Resources

OCC

OCC Press Release

Consent Order 

Civil Money Penalty 

DOJ

TD Bank US Holding Company Information

TD Bank N.A. Information

TD Bank US Holding Company Plea Agreement and Attachments

TD Bank N.A. Plea Agreement and Attachments

Merrick Garland Remarks

Nicole Argentieri Remarks


Compliance into the Weeds: Adventures in Squeezing Out Compliance – TD Bank’s Flat Cost Paradigm

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom Fox and Matt Kelly take a deep dive into the TD Bank BSA and AML enforcement action, which led to $3 billion in fines and penalties.

Tom and Matt discuss TD Bank’s conscious strategy of not raising the budget, known as the Flat Cost Paradigm or Zero Expense Growth Paradigm, and how this strategy severely restricted the Bank’s compliance and AML functions. This tactic aimed to increase profits by keeping expenditures flat year after year. The impact of this strategy is particularly evident in the global AML team’s expenditures on the U.S. anti-money laundering program, which decreased in 2021 compared to 2018. Despite significantly growing U.S. assets and net income, the bank refrained from increasing its budget for essential programs, a fact highlighted in the Justice Department indictment. The Bank’s strategy serves as a clear warning about the dangers of prioritizing profits over compliance.

Key Highlights:

  • Introduction to the Flat Cost Paradigm
  • Details of the Budget Strategy
  • Impact on Anti-Money Laundering Efforts
  • Financial Growth Amidst Budget Constraints

Resources:

  1. Blogs

Matt in Radical Compliance

Tom in the FCPA Compliance and Ethics Blog

  1. Enforcement Related Material

OCC

OCC Press Release

Consent Order 

Civil Money Penalty 

DOJ

TD Bank US Holding Company Information

TD Bank N.A. Information

TD Bank US Holding Company Plea Agreement and Attachments

TD Bank N.A. Plea Agreement and Attachments

Merrick Garland Remarks

Nicole Argentieri Remarks


TD Bank: Part 2 – When Profits Trump Compliance: A Recipe for Corporate Disaster

We continue our exploration of the resolution of the AML/BSA enforcement action involving TD Bank US (the Bank), which is wholly owned by TD Bank Group, a publicly traded (NYSE: TD) international banking and financial services corporation headquartered in Toronto, Canada. TD Bank Group is one of the thirty largest banks in the world and the second-largest bank in Canada.

The enforcement action came in with a $3 billion penalty against the Bank, which has pled guilty to charges relating to the Bank Secrecy Act (BSA), which requires financial institutions to maintain programs to detect and report suspicious activity by their customers. The Bank also settled a series of civil investigations by the Treasury Department’s Financial Crimes Enforcement Network (FinCEN), the Federal Reserve, and the Office of the Comptroller of the Currency (OCC), which mandated a Monitor to oversee the building out of the Bank’s compliance program and imposed an asset cap limiting the growth of the Bank’s U.S. retail business as a result of the breakdown of its controls.

This TD Bank case is right up there with Siemens, Petrobras, Odebrecht, Goldman Sachs, and Volkswagen as some of the most basic violations of corporate law we have ever seen. All of the above cases involved bribery and fraud, and the Bank case involved a violation of the most basic requirement of the BSA and the most basic tenets of an anti-money laundering compliance program. Moreover, the Bank’s conduct did not occur 20 years ago or even 10 years ago; it began in 2018 and continued right up to this past year. What led to these failures?

Failures at the Top

For the Bank, it all started at the top, where the very senior executives at the Bank decreed that no additional funds would be made available for compliance, compliance updates, or new technological solutions designed to make fulfillment of compliance obligations more efficient. This funding strangulation was termed the “flat cost paradigm” across the Bank’s operations. As a result, the Bank “willfully failed to remediate persistent, pervasive, and known deficiencies in its AML program, including (a) failing to substantively update its transaction monitoring system, which is used to detect illicit and suspicious transactions through the Bank, between 2014 and 2022 despite rapid growth in the volume and risks of the Bank’s business and repeated warnings about the outdated system.”

According to the TD Bank US Holding Company Information, this policy was pursued by the Bank Audit Committee and by the Bank’s Chief Anti-Money Laundering Officer during the relevant period, and the Bank’s BSA Officer both knew there were long-term, pervasive, and systemic deficiencies in the Defendants’ U.S. AML policies, procedures, and controls. This led to the Bank monitoring only approximately 8% of the volume of transactions because it omitted all domestic automated clearinghouse transactions, most check activity, and numerous other transaction types from its automated transaction monitoring system. Due to this failure, the Bank did not monitor approximately $18.3 trillion of transactions between January 1, 2018, and April 12, 2024.

It is not as if the Board of the Bank and its Canadian overlords were unaware of these deficiencies. As far back as 2013, FinCEN and the OCC brought enforcement actions against the Bank for its failures in its AML program. The Bank’s Board of Directors specifically signed off on the resolution of this enforcement action. In 2018, the OCC characterized the Bank’s “planning, delivery, and execution of AML technology systems and solutions as insufficient. Specifically, the OCC highlighted the delays in implementing multiple AML technology projects and found those delays to be directly linked to nearly all of TDBNA’s outstanding AML program issues.”

Internal Audits at the bank also identified specific deficiencies in the bank’s AML and BSA compliance programs. In 2018, Internal Audit determined that the Bank’s high-risk jurisdiction transaction monitoring scenarios were using an outdated list of high-risk jurisdictions, meaning the bank’s scenarios were not designed to generate alerts on the jurisdictions currently deemed to be high-risk. Again, in 2020, Internal Audit identified AML compliance deficiencies related to the governance and review of transaction monitoring scenarios.

External third-party consultants also identified deficiencies in the Bank’s AML/BSA programs. One consultant “commented that ‘increased volumes and regulatory requirements’ would pressure AML operations to meet demands and deadlines. The same consultant concluded that the Bank’s required testing of its transaction monitoring scenarios—which assessed whether scenarios were adequately capturing suspicious activity—took twice as long as the industry average.” A second consultant noted the Bank had “sub-optimal [transaction monitoring] scenarios” due, in part, to “outdated parameters” that generated a large volume of alerts that limited the Bank’s ability to focus on high-risk customers and transactions. Finally, a third consultant “identified numerous limitations in the Bank’s transaction monitoring program, including technology barriers to developing new scenarios or adding new parameters to existing scenarios.”

Knowledge at the Bottom

Perhaps the craziest thing about the Bank’s failures in AML/BSA was that everyone was in on the joke: the Board, senior management, Bank employees, and ‘the bad guys.’ One conversation went like this:

AML Technologist: what do the bad guys have to say about us Lol

AML Manager: Easy target

AML Technologist:  damnit

AML Manager: Old scenarios; old CRR; tech agility is poor to react to changes

AML Manager: Bottomline: we have not had a single new scenario added since we first implemented the SAS

Another example cited in the Information was the following: “Other employees, both in AML and retail, consistently commented on the Bank’s instant messaging platform about the Bank’s motto, ‘America’s Most Convenient Bank,’ and directly linked it to the Bank’s approach to AML. For example, a US-AML employee noted that a reason the Bank had not stopped one of the below-referenced money laundering typologies was because ‘we r the most convenient bank lol.’”

Finally, this example from the Information states that “employees at multiple levels understood and acknowledged the likely illegality of David’s activity. In August 2020, one TDBNA store manager emailed another store manager and remarked, ‘You guys need to shut this down, LOL.’ In late 2020, another store manager implored his supervisors (several TDBNA regional managers) to act, noting that ‘[i]t is getting out of hand, and my tellers are at the point that they don’t feel comfortable handling these transactions.’ In February 2021, one TDBNA store employee saw that David’s Network had purchased more than $1 million in official bank checks with cash in a single day and asked, ‘How is that not money laundering,’ to which a back-office employee responded, ‘oh it 100% is.’”

In his remarks, Attorney General Merrick Garland cited three examples where Bank employees knew money laundering was ongoing.

  1. In February 2021, one TD Bank store employee saw that David’s network had purchased over $1 million in official bank checks with cash in a single day. The employee asked, “How is that not money laundering?” A back-office employee responded, “Oh, it 100% is.”
  2. In a second, separate money laundering scheme, five TD Bank employees conspired with criminal organizations to open and maintain accounts at the bank that were used to launder $39 million to Colombia, including drug proceeds.
  3. In yet a third scheme, a money laundering network maintained accounts at TD Bank for at least five shell companies. It used those accounts to move over $100 million in illicit funds through the bank.

The bottom line is that everyone knows that the Bank facilitated money laundering and BSA violations. Why? The Bank consciously decided not to fund the compliance function or pay for any upgrades or updates, all in the name of its ‘flat cost paradigm.’

I will explore this matter in some depth over the next several blog posts. Tomorrow, I will consider money-laundering schemes.

Resources

OCC

OCC Press Release

Consent Order 

Civil Money Penalty 

DOJ

TD Bank US Holding Company Information

TD Bank N.A. Information

TD Bank US Holding Company Plea Agreement and Attachments

TD Bank N.A. Plea Agreement and Attachments

Merrick Garland Remarks

Nicole Argentieri Remarks