Categories
Compliance Tip of the Day

Compliance Tip of the Day – Lessons Learned From Telefónica Venezolana

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, we aim to provide bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we consider 3 key takeaways from the Telefónica Venezolana FCPA enforcement action announced last week.

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.

Check out the full 3-book series, The Compliance Kids, on Amazon.com.

Categories
Blog

10 Compliance Lessons Learned from the Telefónica Venezolana FCPA Enforcement Action

Last week, the Department of Justice (DOJ) announced a resolution of a Foreign Corrupt Practices Act (FCPA) enforcement action involving Telefónica Venezolana, the Venezuelan subsidiary of Telefónica S.A. (Telefónica) involving significant compliance failures. Telefónica agreed to a $85.2 million penalty and Deferred Prosecution Agreement (DPA). Tom Fox will review the Top 10 Lessons for Compliance Professionals in this blog post.

  • Understanding the FCPA Risks in High-Risk Jurisdictions

Telefónica confirms the compliance risks inherent in high-risk jurisdictions where government intervention and currency restrictions are common. If you had any question that Venezuela was not high risk, this matter confirms it once again. Currency access is tightly controlled, creating opportunities for corruption in currency auctions that companies might exploit to obtain preferential treatment. Telefónica’s bribery of Venezuelan officials for U.S. dollar access exemplifies how companies in such markets might resort to unethical tactics to stay competitive.

Lesson Learned. High-Risk. High-Risk. High-Risk. Businesses operating in high-risk regions must be vigilant in identifying regulatory challenges that could prompt employees or agents to seek shortcuts, including bribery or fraud. Implementing strong local compliance measures, training employees on anti-bribery practices, and emphasizing adherence to legal processes—no matter the regulatory hurdles—are essential to maintaining compliance integrity.

  • The Role of Third Parties in Concealing Corrupt Practices

In the scheme, the Company indirectly engaged suppliers to pay bribes, concealing these payments as inflated prices on equipment purchases. Third-party risks remain one of the most challenging aspects of compliance, as intermediaries are often used to circumvent direct involvement in corrupt activities, thereby masking unethical practices from internal oversight.

Lesson Learned. For the past 25 years, corrupt third parties have had the highest risk in FCPA compliance. This makes comprehensive third-party due diligence as crucial as any other part of your compliance program. Every relationship with suppliers, contractors, or intermediaries should undergo rigorous vetting, including checks for conflicts of interest, bribery risks, and financial irregularities. Companies should employ contract clauses requiring third parties to comply with anti-corruption laws and establish transparent compliance reporting and monitoring mechanisms. However, the key is managing the relationship after the contract is signed.

  • Internal Controls and Transaction Monitoring: The First Line of Defense

The bribery scheme involved purchasing equipment from two suppliers at inflated prices and funneling bribes through manipulated invoices. A robust internal control system might have flagged these irregularities, potentially preventing or detecting the misconduct earlier. The case illustrates the importance of scrutinizing financial transactions, especially those that deviate from standard pricing practices.

Lesson Learned. This case demonstrates that strengthening internal controls is vital, particularly in financial transaction monitoring. Implementing controls such as approval hierarchies, independent review of non-standard transactions, and regular financial audits by third parties can reduce opportunities for corrupt practices. Compliance professionals should also integrate forensic accounting expertise into their monitoring and investigative functions to analyze suspicious transactions and identify potential compliance breaches.

  • A Proactive Approach to Third-Party Payment Oversight

Telefónica used inflated equipment purchase prices to conceal bribes, showing how intermediaries and indirect payments can mask corrupt practices. The company has since improved its compliance framework, including enhanced oversight of third-party payments through proprietary software.

Lesson Learned. For Compliance Professions, the lesson is that companies must develop and enforce rigorous third-party payment controls. Companies can detect unusual payment patterns that may signal compliance risks by implementing technology solutions to monitor payment flows. Finally, compliance teams must collaborate with finance departments to establish alerts for atypical payment activities, thus fostering cross-departmental vigilance against corruption.

  • Building a Robust and Independent Compliance Function

In response to its FCPA violations, Telefónica strengthened its compliance function, appointing a Chief Compliance Officer (CCO) with direct access to the Audit Committee and investing in compliance resources. This demonstrates the need for compliance independence and empowerment to address corporate misconduct effectively.

Lesson Learned. For a compliance program to be effective, it must be both empowered and independent. The CCO should report directly to the Board of Directors or the Audit Committee to ensure unfiltered communication of compliance concerns directly to the company’s top. Companies should also continually assess their compliance structures and allocate sufficient resources to compliance functions, ensuring the team has the tools and authority to address risks proactively.

  • The Importance of Timely and Transparent Cooperation in Government Investigations

Telefónica’s delayed cooperation with the DOJ affected the investigation’s efficiency and ultimately impacted the company’s cooperation credit. It also no doubt frustrated the DOJ lawyers handling the matter. While the Company later assisted DOJ investigators, this case reinforces that delays in providing relevant information can result in increased penalties or reduced credit in FCPA investigations.

Lesson Learned. When under investigation, timely, transparent cooperation with government authorities is essential. Delaying the disclosure of relevant information hinders the investigation and may also increase penalties or other sanctions. Companies should have protocols for efficiently gathering and disclosing information to authorities, especially when compliance breaches are suspected.

  • Remedial Actions as a Key to Reducing Penalties

Telefónica implemented significant remedial measures to address its compliance failings, including employee terminations, third-party vetting improvements, and transaction review process overhauls. These actions likely contributed to the DOJ’s decision to reduce the penalty by 20%, reflecting the importance of remedial actions in mitigating penalties.

Lesson Learned. Remediation is critical when responding to compliance failures. Swift and decisive action—such as disciplining or terminating employees involved in misconduct, overhauling control processes, and enhancing compliance programs—demonstrates a genuine commitment to addressing and preventing future issues. These actions can positively influence regulators’ decisions, potentially reducing fines or penalties.

  • Lessons on the Impact of Prior Compliance Failures

Telefónica’s parent company, Telefónica S.A., has a history of compliance failures, including a prior FCPA enforcement action involving a subsidiary, Telefónica Brasil. The enforcement action involving the Venezuelan subsidiary shows how previous infractions can impact a company’s current settlement terms, as regulators consider a company’s past compliance record when determining penalties.

Lesson Learned. Companies should be mindful that a history of compliance breaches can affect regulatory leniency in future cases. Ensuring that corrective actions are implemented following any past compliance issues—and documented as part of a continuous improvement process—is critical for maintaining regulatory goodwill and potentially reducing penalties in subsequent cases.

  • Global Cooperation in Compliance Investigations

In Telefónica’s case, the DOJ coordinated with international authorities in Panama, Switzerland, and Luxembourg to gather evidence and move the investigation forward. The international cooperation underscores the global nature of anti-corruption enforcement and the heightened risk of detection and prosecution across jurisdictions.

Lesson Learned. Compliance officers should understand that global regulatory cooperation makes it harder for companies to evade accountability. With enforcement agencies increasingly sharing information and resources, companies must adopt a global approach to compliance, ensuring their practices align with international regulations and anti-bribery standards.

  • Long FCPA Tail

The underlying facts of this matter occurred in 2012-2013. This demonstrates the lengthy (some say forever) tail of FCPA enforcement. Writing in Law360, Dorothy Martin noted, “But prosecutors allege in 2014, Telefónica Venezolana participated in a corrupt currency auction that allowed the telecom giant to exchange its local currency for more than $110 million in U.S. dollars. According to court documents, during the auction, Telefónica  allegedly won more than 65% of the $172 million that the local government awarded to 16 telecom companies.”

Lesson Learned. The lesson for compliance professionals is that actions from a subsidiary from many years can come back and bite you in your collective corporate backside. It was clear that Telefónica did not self-disclose, nor did it initially cooperate with the DOJ. These actions and positions taken by the Company may have been because the distance of time between the illegal actions and investigation may have made the Company perform an investigation and even dig out documents. This involves data and access to data by the compliance function.

The Telefónica Venezolana FCPA enforcement is a stark reminder of the consequences of FCPA violations, particularly in high-risk markets where bribery and corruption risks are prevalent. This case highlights the critical need for strong internal controls, rigorous third-party oversight, and a proactive approach to compliance culture. By learning from these lessons, compliance professionals can better equip their companies to navigate complex regulatory environments and avoid the costly consequences of corruption.

Categories
10 For 10

10 For 10: Top Compliance Stories For the Week Ending November 9, 2024

Welcome to 10 For 10, the podcast that brings you the week’s Top 10 compliance stories in one podcast each week. Tom Fox, the Voice of Compliance, brings you the compliance professional and the compliance stories you need to know to end your busy week. Sit back, and in 10 minutes, hear the stories every compliance professional should know from the prior week. Every Saturday, 10 For 10 highlights the most important news, insights, and analysis for the compliance professional, all curated by the Voice of Compliance, Tom Fox. Get your weekly filling of compliance stories with 10 for 10, a podcast produced by the Compliance Podcast Network.

  • Canada shuts down TikTok. (NYT)
  • US backs Argentina in fight of YPF. (FT)
  • FinTechs need to be more proactive around regulatory compliance. (American Banker)
  • French soccer corruption investigations expand. (Bloomberg)
  • The cost of flouting corruption. (Forbes)
  • Fat Leonard was sentenced. (USNI)
  • How corruption facilitates organized crime. (UN)
  • SEC needs to prepare for more regulatory challenges.  (WSJ)
  • It turns out audit reports do matter.    (WSJ)
  • Warren rebukes DOJ over TD Bank settlement.    (WSJ)

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.

You can check out the Daily Compliance News for four curated compliance and ethics-related stories each day, here.

Check out the full 3-book series, The Compliance Kids, on Amazon.com.

Connect with Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Daily Compliance News

Daily Compliance News: November 4, 2024 – The Shame of it All Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News—all from the Compliance Podcast Network. Each day, we consider four business world stories: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

  • Warren rebukes DOJ over TD Bank settlement.   (WSJ)
  • The Bank of Israel uses shaming to fight money laundering. (TheJerusalemPost)
  • BDO is in hot water for failure to pay an arbitration award for wrongful termination. (FT)
  • Fat Leonard is to be sentenced. (SanDiegoPost)

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.

Check out the full 3-book series, The Compliance Kids, on Amazon.com.

Categories
Blog

Navigating Compliance in Interesting Times

I once had a boss whose catchphrase was, ‘May you live in interesting times.’ That applied back in the first decade of this century and is even more appropriate now. In a world that often feels like it is constantly shifting beneath our feet, the role of the corporate compliance professional has never been more crucial or challenging. In recent New York City Bar Association Compliance Institute remarks, Principal Associate Deputy Attorney General Marshall Miller offered timely insights on the Department of Justice’s (DOJ) evolving approach to corporate criminal enforcement. His message was that compliance professionals are essential to organizational success, national security, and the broader rule of law.

  • Individual Accountability as the Cornerstone of Corporate Compliance

Miller emphasized that individual accountability remains a primary focus of the DOJ’s corporate criminal enforcement. According to Miller, they are prosecuting individuals at the top or throughout the corporate hierarchy, as it sends a strong message that misconduct is not tolerated and reinforces deterrence across the board.

For compliance officers, this focus on individual accountability reinforces the importance of training and awareness programs that help employees understand the personal stakes of unethical behavior. Compliance programs must communicate that misconduct has consequences for the organization and those directly involved.

This means compliance professionals should regularly update training modules to reinforce the personal consequences of non-compliance. Consider scenarios that show employees how individual misconduct can lead to legal repercussions, strengthening the deterrence message.

  • Transparency and Consistency in Enforcement Policies

One of the most significant updates shared by Miller is the DOJ’s emphasis on clarity, consistency, and predictability across its corporate enforcement policies. In past years, self-reporting or cooperating with investigations was often perceived as a gamble. Today, under new DOJ guidelines, a clear framework outlines expectations, rewards cooperation, and even encourages voluntary self-disclosure of misconduct.

This transparency is a game-changer for compliance professionals, who often need concrete examples and assurances to secure buy-in from executives and board members. Compliance leaders can now present a more straightforward business case for ethical behavior, outlining the risks of non-compliance and the potential benefits of self-disclosure.

Every corporate compliance function should leverage the DOJ’s published guidelines to develop a compliance strategy that aligns with the DOJ’s expectations. Create resources for your leadership team that show the tangible benefits of voluntary self-disclosure, including reduced penalties and favorable resolutions.

  • Empowering Whistleblowers and Enhancing Self-Disclosure Programs

Miller announced the launch of a new two-part DOJ whistleblower program that provides different rules and incentives based on whether the whistleblower was involved in criminal conduct. For those not involved, a DOJ awards program now provides a percentage of forfeited funds to the whistleblower. For those involved, whistleblower non-prosecution agreements are available.

This change holds significant implications for compliance programs. Whistleblower protection and incentive structures must be communicated and properly managed, ensuring employees know their rights and the benefits of reporting unethical behavior. With DOJ’s strong support, compliance leaders can strengthen whistleblower protections and encourage a culture of transparency.

Expanding whistleblower training and reporting channels to reflect the DOJ’s updated stance would be best. Emphasize protection and incentivization and ensure employees understand how these policies can benefit them if they report wrongdoing.

  • The Role of Incentives and Compensation Clawbacks in Compliance

The DOJ’s updated compliance approach emphasizes the role of compensation structures in promoting compliance or enabling unethical behavior. DOJ now evaluates incentive structures as part of every criminal resolution, rewarding companies that utilize clawbacks when executives are involved in misconduct.

For compliance professionals, this focus on compensation is an opportunity to align reward structures with ethical performance. Compliance officers can work with human resources to design and implement compensation plans that deter risky behavior by incorporating elements such as escrow accounts for bonuses and clawback provisions for executives involved in wrongdoing.

This means every corporate compliance function and personnel should collaborate with HR to develop compensation structures that support compliance goals, such as incorporating ethical behavior as a performance metric or establishing escrow accounts that hold bonuses contingent on compliance-related performance.

  • Strengthening Governance Structures for Accountability

Miller’s remarks also underscore the need for solid governance frameworks that prevent misconduct from slipping through the cracks. Accountability measures, from board oversight to compliance committee functions, ensure corporate misconduct is detected early and handled appropriately. He noted that companies with rigorous internal governance structures and compliance frameworks are more likely to avoid criminal charges.

For compliance leaders, this means assessing and strengthening their organization’s governance structures to support effective oversight. It also means advocating for periodic audits, third-party evaluations, and regular reviews of compliance policies to keep governance on track. Conduct a governance review to identify potential gaps in oversight and ensure that compliance officers have the authority to raise concerns without interference. Advocate for regular compliance audits and policy updates to keep pace with regulatory developments.

  • Preparing for Emerging Risks Related to National Security and Technology

Miller highlighted increasing corporate criminal investigations involving national security, particularly in the construction, agriculture, telecommunications, and technology sectors. Fueled by sanctions evasion and emerging technologies like artificial intelligence, national security risks are now a major focal point for the DOJ.

Compliance programs need to reflect this shift. Compliance professionals must prioritize emerging risks, especially cybersecurity, AI, and national security. Integrating these areas into the broader compliance program ensures that companies are prepared for the expanding scope of corporate crime.

You should update risk assessments to include national security risks and develop response plans for data security, sanctions compliance, and AI ethics. Equip your compliance team to monitor these evolving threats through specialized training and cross-functional collaboration.

  • A Call to Compliance Professionals: The Business Case for Compliance

Miller concluded with a direct call to compliance professionals, emphasizing the DOJ’s commitment to empowering compliance leaders to advance corporate ethics and compliance. He stressed the importance of making a compelling business case for compliance, using DOJ’s guidelines to advocate for investment in robust compliance programs.

In today’s regulatory environment, compliance is a strategic advantage, not a cost center. Compliance officers must seize this moment to champion the business case for ethics, highlighting the DOJ’s transparent policies and the tangible benefits of voluntary self-disclosure, cooperation, and strong compliance frameworks.

Position your compliance program as an essential part of your business strategy. Use DOJ’s new approach as a lever to secure greater resources and authority, demonstrating that investing in compliance can directly impact organizational resilience and profitability.

  • Final Thoughts

Principal Associate Deputy Attorney General Marshall Miller’s remarks signal a turning point for compliance professionals, who are no longer seen as gatekeepers but as strategic partners in risk management and national security. With the DOJ’s commitment to transparent enforcement policies, expanded whistleblower incentives, and a stronger emphasis on accountability, compliance officers have a clear mandate to champion ethical business practices.

These changes offer a roadmap for compliance leaders to build stronger programs that protect their organizations and reinforce their role as trusted advisors in corporate governance. By adopting the DOJ’s updated principles, compliance professionals can safeguard their organizations, enhance their credibility, and make a compelling case for a proactive approach to corporate ethics.

In our “interesting times,” compliance is no longer just about rules and regulations. It is about building an integrity culture that benefits the organization and the broader community.

Categories
Compliance Into the Weeds

Compliance into the Weeds: Unveiling RTX’s Costly Compliance Failures and Corporate Misconduct

The award-winning Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom Fox and Matt Kelly take a deep dive into the RTX Foreign Corrupt Practices Act enforcement action.

Their discussion unveils complex bribery schemes involving millions paid to Qatari agents and the family of the Emir to secure defense contracts. Despite strict regulatory oversight, Raytheon’s (now RTX) compliance missteps spanned from 2012 into the 2020s, resulting in massive fines. Matt and Tom scrutinize these failures, detailing the SEC and DOJ’s mandates for dual monitorships due to violations of the False Claims Act and FCPA and the Board’s critical role in addressing these issues. Additionally, a comparative look at other significant FCPA cases, including Moog’s penalties for bribery in India, highlights persistent corporate misconduct and the ongoing challenges in achieving effective corporate compliance.

Key Highlights:

  •  Overview of Raytheon’s Violations
  •  Qatari Agent and Further Corruption
  •  Raytheon’s Compliance Failures
  • Management and Compliance Failures
  • Board Oversight and Responsibilities
  •  Reflections on Compliance and Enforcement

Resources

1.    Blogs

Matt in Radical Compliance

2.     Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
10 For 10

10 For 10: Top Compliance Stories For The Week Ending October 19, 2024

Welcome to 10 For 10, the podcast which brings you the week’s Top 10 compliance stories in one podcast each week. Tom Fox, the Voice of Compliance, brings to you, the compliance professional, the compliance stories you need to be aware of to end your busy week. Sit back, and in 10 minutes hear about the stories every compliance professional should be aware of from the prior week.

Every Saturday, 10 For 10 highlights the most important news, insights, and analysis for the compliance professional, all curated by the Voice of Compliance, Tom Fox. Get your weekly filling of compliance stories with 10 for 10, a podcast produced by the Compliance Podcast Network.

  • Kenya impeaches deputy President.  (Al Jazeera)
  • McKinsey is close to settling its part in the opioid crisis.  (Reuters)
  • A Boeing judge wants additional information on Monitor and selection. (Law360)
  • RTX settles FCPA and fraud cases. (WSJ)
  • Meta fires staff who abused $25 meal credits. (FT)
  • Is routine legal advice risky? If you advise paying a bribe. (Law.com)
  • Grewal moves to Wall Street. (WSJ)
  • Which EU country is the most corrupt? (EuroNews)
  • Moog settles FCPA claim. (WSJ)
  • Canada’s reputation for clean banking is gone in 40 minutes. (The Globe and Mail)

Connect with Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Blog

TD Bank: Part 5 – The Reckoning

Today, I want to review the OCC Consent Order to see the bank’s requirements. This is separate from the DOJ requirements under the Bank’s Plea Agreement(s) and the FinCEN Consent. Further, the DOJ and OCC have mandated separate monitors under their attendant settlement agreements. FinCEN’s Order imposes a four-year independent monitorship, and the DOJ Plea Agreement a 3-year Monitorship. As Matt Kelly noted in Radical Compliance, the remediation steps include:

  • Establishing a dedicated compliance committee at the board level;
  • Drafting a plan within 120 days to overhaul its AML compliance program;
  • Hiring an independent compliance consultant within 60 days to conduct their review of TD’s compliance program;
  • Hiring a senior-level AML compliance officer;
  • Staffing up a more robust AML compliance function; and
  • Implementing new policies, procedures, training, and all the other usual requirements we’ve seen from similar banking settlements.

In this blog post, we will consider some of the highlights above and beyond these remediation steps that the Bank must perform.

The Action Plan

The enforcement order mandates that within 120 days, TDBNA must submit a comprehensive BSA/AML Action Plan to the Examiner-in-Charge for approval. This plan must address the bank’s deficiencies in adhering to the Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) regulations. The action plan must include detailed corrective actions, reasonable timelines for implementation, and clear accountability for executing these measures. The board of directors is responsible for overseeing the implementation, ensuring adherence, and monitoring progress, with formal reviews required at least annually.

The Action Plan must be subject to continuous updates and modifications as necessary, particularly if directed by the Examiner-in-Charge or if the bank identifies further areas of improvement. The Examiner-in-Charge must approve any significant deviations or material changes to the plan. TDBNA must also submit quarterly progress reports detailing corrective actions, outstanding issues, and timelines for resolving compliance deficiencies, ensuring transparency in the bank’s efforts to remediate its AML program.

In the event of ongoing issues or independent assessments highlighting further weaknesses, the bank must provide written documentation to the Examiner-in-Charge. The board’s review and response to these assessments will drive accountability and ensure the continuous improvement of TDBNA’s BSA/AML compliance program.

AML Program Assessment and Remediation

TDBNA’s response to its enforcement action underlines the critical role of independent third-party assessments in fortifying a bank’s BSA/AML program. The bank must engage an independent consultant, approved by the OCC, to conduct an exhaustive end-to-end review of its entire BSA/AML framework. This process begins within 60 days of the enforcement order, where TDBNA must submit the proposed consultant’s qualifications, along with a detailed scope of work and timeline, for the OCC’s review. The consultant’s expertise in BSA/AML compliance is a key requirement to ensure the assessment is thorough and capable of addressing the bank’s regulatory obligations.

The independent consultant’s primary objective is to assess the bank’s BSA/AML program against its risk profile, identifying any gaps or weaknesses in its structure and operations. This review will examine whether the bank’s transaction monitoring, suspicious activity reporting, and overall governance are robust enough to meet the demands of U.S. regulatory requirements and the bank’s evolving risk landscape. The consultant’s findings will be critical in determining how effectively TDBNA’s AML framework functions and where improvements are necessary.

Upon completing the review, the consultant will deliver a comprehensive report to TDBNA’s board of directors detailing any deficiencies in the bank’s BSA/AML program. The report will also include recommendations for remediation, ensuring the bank addresses areas of concern in a structured and strategic manner. To ensure transparency and accountability, the board will document its review of the report in official meeting minutes, which must be submitted to the OCC. Additionally, the independent consultant will provide a copy of the report directly to the Examiner-in-Charge, ensuring that regulators have a clear view of the findings and the bank’s planned corrective actions.

Beyond simply identifying deficiencies, the bank must ensure it takes prompt and effective action to remediate the issues raised by the independent consultant. TDBNA must incorporate the necessary remediation efforts into its existing BSA/AML Action Plan, ensuring that all gaps are addressed promptly and comprehensively. This integration is crucial, as failure to properly implement corrective measures could lead to further regulatory actions and potentially severe penalties. The OCC will continue to monitor the bank’s progress by submitting updated action plans and progress reports.

Ultimately, this process highlights the importance of maintaining a dynamic and adaptable BSA/AML program that can respond to emerging risks and regulatory expectations. TDBNA’s engagement with an independent consultant reminds all financial institutions that complacency in AML compliance is not an option. By continually assessing and improving their compliance frameworks, banks can better mitigate risk, avoid regulatory scrutiny, and ensure their AML programs remain strong, effective, and compliant with the law.

Three is Not Always a Crowd

Are you beginning to see a pattern here? The Bank engaged third-party consultants who identified significant weaknesses in its AML program and reported these issues to the Bank’s AML leadership. In 2018, one consultant noted that increasing regulatory requirements and transaction volumes would pressure AML operations, making it difficult to meet demands and deadlines. Additionally, the consultant found that The Bank’s testing of its transaction monitoring scenarios took less than the industry average, highlighting inefficiencies in its ability to assess and capture suspicious activity.

In 2019, another consultant flagged sub-optimal transaction monitoring scenarios based on outdated parameters. These outdated scenarios generated many alerts, overwhelming the AML team and limiting their ability to focus on truly high-risk customers and transactions. This finding pointed to a broader issue in the bank’s ability to adapt its monitoring systems to changing regulatory and risk environments, significantly undermining the effectiveness of its AML compliance efforts.

In 2021, a third consultant identified additional limitations within the Bank’s transaction monitoring program, particularly its technology infrastructure. The consultant found that the bank faced technological barriers that restricted its ability to develop new scenarios or adjust existing parameters, further hampering its AML efforts. These ongoing challenges reflect a broader need for the Bank to modernize its systems and ensure its AML program is agile enough to meet regulatory expectations and address emerging risks effectively.

Restriction on Growth

The Consent Order also required the Bank to maintain its total consolidated assets at or below the level reported on September 30, 2024. This mandate prevents the banks from increasing their average total consolidated assets beyond this threshold until they achieve compliance with all actionable articles of the order. The total consolidated assets will be measured using the banks’ respective Consolidated Reports of Condition and Income.

The asset restrictions will remain in place until the banks meet all compliance obligations outlined in the order. However, the Deputy Comptroller can temporarily suspend the asset cap in unusual circumstances. If the banks fail to meet compliance deadlines, the Deputy Comptroller may require a reduction of up to 7% of their total consolidated assets, as reported in the most recent calendar quarter.

If the Bank is notified that a reduction is necessary, it must submit a plan within 30 days for the Comptroller’s approval and have 60 days to implement the asset reduction. If non-compliance continues beyond the first year, the Deputy Comptroller may impose an additional reduction of up to 7% annually, with the same plan submission and implementation requirements applying each successive year until full compliance is achieved.

Jon Hill wrote in Law360 that this is only the second time “that a federal banking agency has slapped such handcuffs on a financial institution’s overall growth.” The first was Wells Fargo, slapped for its fraudulent accounts scandal. Moreover, while the Wells Fargo “cap has remained in place much longer than many observers originally expected, the OCC has designed its cap for TD Bank with more of a need for remedial speed in mind. In particular, the OCC order establishing the cap includes express provisions that allow the agency to reduce the size limit — that is, tighten the cuffs — by up to 7% annually if the bank does not meet certain deadlines for strengthening its U.S. anti-money laundering compliance.” The article quoted Julie A. Hill, a banking law professor and dean at the University of Wyoming College of Law, for the following, “where the asset cap has gone on for years and years as the bank has tried to get compliant.”

Put Money Where Their Mouth Is

Even more than the commitment to do business ethically and in compliance with its AML/BSA requirements, the Bank must also financially commit to compliance. The Order requires that before the Bank can declare or pay dividends, engage in share repurchases, or make any other capital distributions, the Board of Directors must certify in writing to the Examiner-in-Charge that adequate resources and staffing have been allocated to the remediation efforts required by the OCC’s order. This certification must be submitted at least 30 days before any proposed capital action. It must include a detailed description of the Bank’s current allocation of compliance resources, its progress in remediation, any anticipated changes in resource allocation, and the funding source for the proposed payment or distribution. The goal is to ensure that remediation efforts take priority over capital distributions.

Join us next time, where I will consider TD Bank and the Caremark Doctrine.

Resources

OCC

OCC Press Release

Consent Order 

Civil Money Penalty 

DOJ

TD Bank US Holding Company Information

TD Bank N.A. Information

TD Bank US Holding Company Plea Agreement and Attachments

TD Bank N.A. Plea Agreement and Attachments

Merrick Garland Remarks

Nicole Argentieri Remarks

FinCEN

Press Release

Consent Order

Categories
Compliance and AI

Compliance and AI: Navigating AI Compliance: The EC Gang Reviews The 2024 ECCP

What is the role of Artificial Intelligence in compliance? What about Machine Learning? Are you using ChatGPT? These questions are but three of the many questions we will explore in this cutting-edge podcast series, Compliance and AI, hosted by Tom Fox, the award-winning Voice of Compliance.

In this episode, Matt Kelly leads the Everything Compliance quartet of Susan Divers, Jonathan Marks, Karen Moore and Tom Fox through a look at Compliance and AI from the prism of the 2024 Evaluation of Corporate Compliance Programs (ECCP).

Kelly examines the complexities of integrating artificial intelligence into corporate compliance frameworks, highlighting the DOJ’s recent guidance on managing AI risks as laid out in the 2024 ECCP. In Deputy Attorney General Nicole Argentieri’s SCCE speech, she noted the overlooked AI risks and compliance requirements and emphasized the need for businesses to assess both internal AI applications and external threats from malicious uses by scammers or fraudsters.

The gang then delved into the dual aspect of AI risk—its creation and reception—and underlining the importance of comprehensive risk assessment and control measures in AI deployment, such as developing bug bounty programs and ensuring anti-fraud mechanisms are robust. We explored the role of compliance officers in AI oversight, focusing on the challenges in governing AI-generated decisions compared to human actions. With various insights on the legal and operational aspects of AI compliance, the discussion urges companies to evaluate the implications of AI use, both in risk management and ethical execution.

Key Highlights:

  • Understanding AI Risks
  • Compliance Guidelines for AI
  • AI in Fraud Prevention
  • Challenges in AI Oversight
  • Compliance Officers and AI
  • Model Validation and AI

Resources:

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Blog

TD Bank: Part 4 – Watergate, Actual Knowledge and Conscious Indifference

Mike Volkov often told the story of watching the Watergate Hearings as a teenager and being a seminal influence on his later professional life in the legal profession and government service. It was my first exposure to long-term Congressional hearings, at least when they were not the claptrap theater we have in place today. Perhaps the single thing I remember the most clearly was Tennessee Senator Howard Baker’s question, “What did the President know, and when did he know it?” The answer that we learned during the Watergate hearings was that President Nixon had known all along that the crimes of Watergate originated in the White House. Today, I want to use that question to explore what TD Bank knew, when they knew, and what that tells us about the culture of the world’s 30th-largest bank and 10th-largest bank in the US.

Prior OCC, FinCEN, and DOJ Enforcement Actions

In September 2013, the OCC and FinCEN levied a $37.5 million civil monetary penalty against the Bank for violating the Bank Secrecy Act (BSA) related to a Ponzi scheme run by a Florida attorney. Despite the numerous AML alerts triggered by its transaction monitoring system, the Bank failed to identify and report approximately $900 million in suspicious activity. This failure stemmed, in part, from inadequate anti-money laundering (AML) training for both AML and retail personnel. FinCEN emphasized that poorly resourced and trained staff managing critical compliance functions is unacceptable, underscoring the importance of adequate training and resources in compliance programs.

Following these enforcement actions, the Bank needed to adapt its transaction monitoring system to address its deficiencies substantively. The OCC had directed the bank to establish policies and procedures that could respond systematically and promptly to environmental or market changes, such as developing new monitoring scenarios. However, the bank’s failure to implement these recommendations meant it could not effectively mitigate emerging risks. This oversight revealed significant gaps in the Bank’s AML compliance efforts, particularly its ability to adjust its program to evolving threats.

In 2015, the OCC instructed the Bank to enhance its transaction monitoring program for high-risk customers, who were subject to the exact scenarios and thresholds as the rest of the Bank’s customers despite their higher risk profile. In 2016,  the AML function and the Bank technology teams began to develop new high-risk customer scenarios. That effort was put on hold in October 2016 by AML executives due to a lack of resources. After being briefly revived in early 2017, this project was again put on hold, this time by the head of AML at the Bank partly due to “cost.” Although US-AML leadership informed the OCC during its 2017, 2018, and 2019 examinations that these scenarios were in development, the Bank never implemented the required enhanced transaction monitoring of high-risk customers. By 2018, the OCC determined that the Bank’s planning and execution of its AML technology systems remained insufficient. The Bank had delayed implementing key AML technology projects, which directly contributed to its failures around AML compliance.

The Bank even misrepresented itself to the Department of Justice (DOJ). In February 2018, the Bank entered a settlement over its failure to file Suspicious Activity Reports (SARs). The Bank’s issues were partly due to its cessation of transaction monitoring scenario threshold testing. The Bank’s US-AML executives were aware of this resolution and acknowledged the importance of monitoring transactions for suspicious activity. One key AML leader at THE BANK emphasized that their AML team reviewed similar enforcement actions to ensure their compliance programs aligned with regulatory expectations, particularly around scenario threshold testing.

He explained to the AML Oversight Committee that the Bank conducted a detailed analysis below scenario thresholds to determine if SARs should have been filed, adjusting thresholds accordingly. This approach was intended to avoid the failures that led to the other bank’s settlement. However, despite these assurances, by early 2018, THE BANK’s AML team and its technology partners effectively halted its threshold testing due to competing priorities and resource limitations.

As a result, between 2018 and 2022, the Bank conducted threshold testing, or “quantitative tuning,” on only one out of approximately 40 U.S. transaction monitoring scenarios. This significant reduction in testing left gaps in the Bank’s AML compliance program, potentially exposing the bank to similar risks and regulatory scrutiny that had affected other institutions in the industry.

Where Was Internal Audit?

The question in these massive enforcement actions is often, ‘Where was the internal audit?’ Regarding the Bank, the answer is simple: Right Here, Doing Our Job. In 2018, the Bank’s Internal Audit function uncovered a critical issue within the bank’s AML program: the high-risk jurisdiction transaction monitoring scenarios were based on an outdated list, meaning the bank was not flagging transactions from jurisdictions currently deemed high-risk. This oversight severely impacted the bank’s ability to monitor and address risks associated with these regions. The findings revealed a gap in how the bank’s transaction monitoring system adapted to evolving regulatory expectations and global risk landscapes, compromising the effectiveness of its AML efforts.

By 2020, Internal Audit highlighted even more deficiencies in the bank’s AML compliance, specifically related to the governance and review of transaction monitoring scenarios. Among the key issues were a need for formal timelines for completing scenario reviews, some of which had been outstanding since 2017, and the failure to implement proposed changes from the previous year. Moreover, there needed to be a formal process or documentation to guide the promotion of new monitoring scenarios, a governance gap mirroring issues identified by the OCC seven years earlier. These systemic failures indicated a troubling lack of progress in strengthening the bank’s AML compliance framework.

Despite the findings from 2018 and 2020, Internal Audits reviewed in the following years revealed that these issues remained unresolved. The Bank’s Board of Directors was informed of these ongoing deficiencies and remediation plans, yet the persistent gaps in governance and scenario management continued to hinder the bank’s ability to respond to AML risks effectively. For those keeping score at home, that means Actual Knowledge at the Board.

Three Clarion Calls

Are you beginning to see a pattern here? The Bank engaged third-party consultants who identified significant weaknesses in its AML program and reported these issues to the Bank’s AML leadership. In 2018, one consultant noted that increasing regulatory requirements and transaction volumes would pressure AML operations, making it difficult to meet demands and deadlines. Additionally, the consultant found that The Bank’s testing of its transaction monitoring scenarios took less than the industry average, highlighting inefficiencies in its ability to assess and capture suspicious activity.

In 2019, another consultant flagged sub-optimal transaction monitoring scenarios based on outdated parameters. These outdated scenarios generated many alerts, overwhelming the AML team and limiting their ability to focus on truly high-risk customers and transactions. This finding pointed to a broader issue in the bank’s ability to adapt its monitoring systems to changing regulatory and risk environments, significantly undermining the effectiveness of its AML compliance efforts.

In 2021, a third consultant identified additional limitations within the Bank’s transaction monitoring program, particularly its technology infrastructure. The consultant found that the bank faced technological barriers that restricted its ability to develop new scenarios or adjust existing parameters, further hampering its AML efforts. These ongoing challenges reflect a broader need for the Bank to modernize its systems and ensure its AML program is agile enough to meet regulatory expectations and address emerging risks effectively.

The AML Leadership Team

During the relevant period, the Bank’s AML leadership consisted of key individuals whose responsibilities significantly shaped the Bank’s approach to AML compliance, and, more importantly, all knew of the Bank’s AML deficiencies. They were identified as Individual-1, Individual-2, and Individual-3 in the Information. Individual-1 was hired in 2013 as VP of AML Operations and rose to become the sole Chief AML Officer by 2019, overseeing the bank’s global AML program. His role included setting the annual AML budget, developing strategic priorities, and regularly reporting to the board of directors. Individual-1’s oversight extended to AML technology services and the U.S. Financial Intelligence Unit (FIU), reflecting his pivotal role in the U.S. and global AML operations.

Individual 2 joined THE BANK in 2014 as Head of the U.S. FIU and was critical in overseeing the investigative teams responsible for reporting suspicious activities and managing high-risk customers. By 2019, Individual-2 had assumed the role of BSA Officer and Deputy Global Head of AML Compliance, where they were responsible for managing the U.S. AML program. However, despite these responsibilities, Individual 2 faced limitations due to the Chief AML Officer’s direct control over AML technology, a crucial aspect of the bank’s AML operations, which created challenges in overseeing technology-related AML issues.

Individual-3, a vice president within AML Operations, took on significant responsibilities within the U.S. FIU, especially between 2017 and 2018. In this role, Individual-3 managed the initial review of transaction monitoring alerts and the handling of Unusual Transaction Referrals (UTRs) and reports of suspicious activity submitted by employees. Together, these key figures shaped THE BANK’s AML efforts, though the division of responsibilities and challenges with AML technology governance highlighted areas of vulnerability within the bank’s compliance framework.

What did the Bank know, and when did they know it? As the Information rather dryly noted, “US-AML, including senior leadership, were aware of the lack of domestic ACH and check monitoring.” More importantly, like President Nixon, they knew about their AML failures and consciously chose not to do anything about them.

Resources

Join us tomorrow when I will consider the reckoning for the Bank.

Resources

 OCC

OCC Press Release

Consent Order 

Civil Money Penalty 

DOJ

TD Bank US Holding Company Information

TD Bank N.A. Information

TD Bank US Holding Company Plea Agreement and Attachments

TD Bank N.A. Plea Agreement and Attachments

Merrick Garland Remarks

Nicole Argentieri Remarks