Adequate compliance policies and procedures are key to safeguarding against enforcement actions
As regulatory enforcement actions continue to proliferate and as the regulatory landscape evolves, the importance of having adequate compliance policies and procedures in place cannot be overstated. Policies and procedures tailored to a firm’s business, combined with continuous oversight and modifications in conjunction with regulatory changes, and constant vigilance in ensuring that firm practices match compliance goals, play a leading role in safeguarding against violations of the AML laws and Foreign Corrupt Practices Act (FCPA). Inadequate compliance programs were at the root of two AML enforcement orders this year, are central to the burgeoning liability of Chief Compliance Officers (CCOs), and were significant factors in negative findings under the FCPA.
In February, Miami-based brokerage firm E.S. Financial Services (now Brickell Global Markets) settled with the SEC for $1 million for breaking AML protocols. The SEC order found that E.S. Financial committed a willful violation of AML rules in allowing foreign entities to buy and sell securities without verifying the identities of their non-citizen beneficial owners, and by failing to provide the required books and records of the foreign customers upon request. Importantly, there was no finding of fraud here. Instead, liability rested on the finding that their Customer Identification Program (CIP) was deficient, with “significant holes” that left it susceptible to illegality. Furthermore, in neglecting to satisfy the requirements for their existing foreign customers, they failed to comply with their CIP altogether. In addition to their $1 million penalty, E.S. Financial agreed to hire an independent monitor to review its CIP/AML program for two years.
In an enforcement action by the Financial Crimes Enforcement Network (FinCEN) at the end of February, a $4 million civil money penalty was assessed against Gibraltar Private Bank and Trust Company for willfully violating AML laws due to substantial deficiencies in their AML program. Deficiencies included a failure to implement and maintain a suitable AML/CIP program and adequately report suspicious transactions, ultimately leading to Gibraltar’s failure to monitor and detect suspicious activity despite numerous red flags, including transactions surrounding Scott Rothstein’s $1.2 billion Ponzi scheme. The shortcomings in Gibraltar’s compliance programs included a defective Transaction Monitoring System, which contained incomplete and inaccurate account information and customer risk profiles, and ineffective procedures for monitoring, detecting, and reporting suspicious activities. Notably, the bank was informed of and warned of their deficiencies years in advance, but failed to take appropriate remedial measures until much later.
FinCEN determined that the lack of internal controls that could ensure BSA compliance, inadequate staff training, and inappropriate CIP constituted a violation of AML laws. This resulted in Gibraltar servicing high-risk customers without effectively monitoring those accounts and filing late SARs.
Findings of liability against CCOs based on compliance program deficiencies are becoming a trend, even where no harm occurred to clients or where the compliance officer had no involvement in misconduct, as illustrated by the SEC action against SFX Financial Advisory Management Enterprises. In SFX, the SEC used a negligence standard in finding the CCO liable for compliance failures and not adequately supervising the former president, who misappropriated $670,000 from client accounts. Furthermore, FinCEN’s proposed AML Rule for Registered Investment Advisers, expected to be finalized this summer, will expand the scope of CCO liability by ensuring that SEC-registered investment advisers are subjected to current AML rules, such as requiring the establishment of an AML program and designation of a compliance officer.
In New York, the Department of Financial Services (DFS) has added another layer of scrutiny with new regulations, accompanied by the possibility of criminal prosecution, that add greater specificity to existing compliance programs by requiring ongoing risk assessments and removing the ability to limit alerts generated by monitoring programs. Part 504 of the Superintendent’s Regulations would require the CCO of a DFS-regulated institution to personally certify on an annual basis that the financial institution has maintained a transaction monitoring program to detect AML violations, instituted a watch list filtering program to identify prohibited transactions, and enacted measures to ensure the integrity of those two programs.
Enforcement of the FCPA continues to be a high priority for the SEC, which has already brought six FCPA enforcement actions this year. In 2015, nine FCPA enforcement actions were brought, compared to eight in both 2013 and 2014. According to the SEC’s 2015 Annual Report on the Dodd-Frank Whistleblower Program, tips concerning FCPA violations were the highest yet in the history of the program, with a total of 186 tips.
The FCPA cases brought this year illustrate the need for companies to include and maintain strong internal procedures and controls, especially in high-risk markets or industries. In their order against software manufacturer SAP SE, the SEC found that insufficient internal controls enabled a former SAP executive to bribe Panamanian government officials, disguising the bribes as discounts. In the orders against SciClone Pharmaceuticals and PTC, the SEC found that various sales practices were in violation of the anti-bribery provisions of the FCPA, underscoring the SEC’s emphasis on maintaining vigorous internal controls and the need for sound policies relating to business entertainment.