FinCEN Penalizes Former Risk Executive for Bank Secrecy Act Violations

A former chief operational risk officer of U.S. Bank, the principal subsidiary of Minneapolis-based U.S. Bancorp, has been assessed a $450,000 civil money penalty for shortfalls in Bank Secrecy Act (BSA) and anti-money-laundering (AML) compliance.

Michael LaFontaine, the former executive, during a nine-year period through 2014, had also served as chief compliance officer and deputy risk officer and reported to the bank's chief risk officer and chief executive officer. The U.S. Treasury Department's Financial Crimes Enforcement Network announced LaFontaine's consent to the penalty on March 4.

The agency, known as FinCEN, has an active compliance-focused enforcement program. In common with similar actions of other financial regulators, when individuals are held accountable, they tend to be compliance officers rather than risk managers. A case in point was a Commodity Futures Trading Commission $150,000 settlement last September of fraud allegations against Rafael Marconato, who was chief compliance officer of a registered commodity pool operator and commodity trading advisor.

In the decade since the post-financial-crisis reforms, some members of Congress and other critics have decried the prevalence of civil actions, as opposed to more aggressive prosecutions reaching up to the C-level if not to CEOs. However, the Office of the Comptroller of the Currency (OCC) cast a wide and pricey net of charges and settlements in January with Wells Fargo Bank leadership - including a civil money penalty of $17.5 million for John Stumpf, who was chairman and CEO during the consumer bank account-opening scandal. Among others ensnared were former community bank head Carrie Tolstedt ($25 million) and two ex-CROs: Claudia Russ Anderson of the community bank ($5 million), and Michael Loughlin ($1.25 million).

Deficient Reporting and Staffing

LaFontaine was held responsible for overseeing U.S. Bank's compliance program and “shar[ing] responsibility for the bank's violations of the requirements to implement and maintain an effective AML program and file SARs [Suspicious Activity Reports] in a timely manner,” FinCEN said in its 14-page enforcement document.

“Among other things,” FinCEN said, “Mr. LaFontaine failed to take sufficient steps to ensure that the bank's compliance division was appropriately staffed to meet regulatory expectations.”

“Both prior to and during Mr. LaFontaine's tenure,” the agency added, “the bank improperly capped the number of alerts generated by its automated transaction monitoring system and failed to adequately staff the BSA compliance function.”

Indeed, the LaFontaine action is the latest in a series involving U.S. Bank over several years. In its March 4 announcement, FinCEN referred to a February 2018, $185 million civil money penalty “in coordination with the Office of the Comptroller of the Currency and the U.S. Department of Justice . . . against U.S. Bank for, among other things, willfully violating the BSA's requirements to implement and maintain an effective anti-money-laundering program and to file Suspicious Activity Reports in a timely manner.”

According to an OCC statement back then, U.S. Bank was cited in a 2015 consent order “for the failure to adopt and implement a compliance program that adequately covered the required BSA/AML program elements . . . because of an inadequate system of internal controls, ineffective independent testing and inadequate training. The bank had systemic deficiencies in its transaction monitoring systems, which resulted in monitoring gaps and a significant amount of unreported suspicious activity.”

Rising in Risk Management

FinCEN detailed LaFontaine's roles in U.S. Bank's “AML hierarchy,” starting in 2005 as chief compliance officer. He was promoted to senior vice president and deputy risk officer in 2010, and to executive vice president and chief operational risk officer in 2012. From 2008 through April 2011, and again from October 2012 through June 2014, he had oversight of AML compliance functions and personnel.

LaFontaine's LinkedIn profile indicates that he went on to be co-founder of KnectIQ, a cybersecurity start-up, and managing director of Redpoint Advisors, a risk, strategy and M&A advisory firm.

Also covered in FinCEN's enforcement action was U.S. Bank's reliance on commercially available SearchSpace software from 2004 through 2014. Because of limits placed on the system's alerts, “an alarming number” of them “were suppressed, preventing suspicious activity from being investigated and reported,” FinCEN said. “U.S. Bank's alert practices were noncompliant for years,” and warnings from the OCC to rectify the practice went unheeded.

The bank maintained inappropriate alert caps for at least five years, said FinCEN, which again coordinated its action with the OCC.

“Mr. LaFontaine was warned by his subordinates and by regulators that capping the number of alerts was dangerous and ill-advised,” said a statement by FinCEN director Kenneth Blanco. “His actions prevented the proper filing of many, many SARs, which hindered law enforcement's ability to fully combat crimes and protect people.

“FinCEN encourages technological innovations to help fight money laundering, but technology must be used properly,” Blanco added.

Accountability of “Gatekeepers”

The facts of the U.S. Bank case “demonstrate that willful violations of the BSA will be severely punished,” said Ross Marrazzo, managing partner of consulting firm Treliant.

Jodi Avergun, partner, white collar litigation, Cadwalader, Wickersham & Taft, commented in the law firm's Cadwalader Cabinet that the FinCEN action is “notable” for holding an individual responsible. The case is “another in a line in which compliance officers and other gatekeepers are increasingly being held individually responsible for system failures,” Avergun wrote, also noting that “the charges are not surprising. The compliance officer was warned not just by internal employees but by regulators as well that an artificial limit on suspicious transaction alerts violated the BSA, and that the bank employed too few AML compliance officers.

“Finally,” the Cadwalader note continued, “as the assessment noted, FinCEN brought a similar case several years earlier against another bank [Wachovia Bank]. Gatekeepers will continue to be a focus of enforcement and regulatory agencies - but they can withstand scrutiny by insuring adequate resourcing in their compliance departments and designing their transaction monitoring systems based on objective risk assessments given the financial institution's customer base and risk profile.”