The One with Insufficient Compliance Resources

The Bank Secrecy Act requires broker-dealers to file suspicious activity reports. Under the SAR Rule (31 C.F.R. § 1023.320(a)(2)), every broker-dealer has to file a report for a transaction of at least $5000 that:

  1. Involves funds derived from illegal activity or is intended or conducted in order to hide or disguise funds or assets derived from illegal activity
  2. Is designed to evade any requirements under the Bank Secrecy Act
  3. Has no business or apparent lawful purpose or is not the sort in which the particular customer would normally be expected to engage
  4. Involves use of the broker-dealer to facilitate criminal activity

That’s all a bit vague. So FINRA has produced a list of more actionable items, most recently compiled in FINRA Regulatory Notice 19-18 (May 2019).

There are vendors who sell software that will monitor transactions and flag those that meet the criteria in the FINRA Notice.

OTS Link used one of those automatic surveillance systems. For the first six months of 2021 the system raised over 1800 alerts for transactions to be reviewed. For those 300 alerts a month, the compliance team at OTS Link only devoted 5 hours a month. No surprise, they failed to investigate any or file any SARs.

In the Order, the SEC says that if OTS Link had properly surveilled transactions it would have spotted:

(a) a large volume of thinly-traded, low-priced securities;
(b) a sudden spike in investor demand for, coupled with a rising or decreasing price in, thinly-traded, low-priced securities;
(c) suspicious manipulative, pre-arranged or wash trading activity;
(d) subscribers who were publicly known to be the subject of criminal, civil or regulatory actions for crime, corruption, or misuse of public funds.

In response to the SEC exam, OTS Link added two people to its AML compliance team and hired a third-party compliance consultant to review the program.

The SEC order mandates additional reporting and levies a $1.19 million fine. You either pay for compliance or you PAY for compliance failure.

J.P. Morgan’s Madoff Failure

Yesterday J.P. Morgan agreed to forfeit $1.7 billion for its failure related to the Bernie Madoff fraud, plus several hundred million in fines. As part of its deferred prosecution agreement, the bank agreed that it did not have the proper systems in place to catch Madoff. It’s easy to target the bank for compliance failures but I wanted to dig a little deeper to see what went wrong. The picture is not very clear and I’m not sure why the bank forfeited so much cash.

J.P. Morgan was the main bank for Madoff from 1986 until the fraud collapsed. With money moving in and out of the accounts, J.P. Morgan could presumably have noticed something wrong with the flow of money. But that would likely be difficult. Madoff would have moved money around through several accounts. It would not be a simple task to track the flow of cash and see the fraud. If it were that simple, it would have been spotted much earlier. The agreement notes a few flags on the account and some inadequate diligence by the relationship personnel. None of that data seems to indicate a bigger problem with the flow of cash.

There was a mid-1990s transaction that looked like check kiting between an unnamed private bank client of Chemical Bank (which was eventually consumed by J.P. Morgan), Madoff and a second bank. The second bank ended up terminating the relationship and filing a suspicious activity report. J.P. Morgan did not. The private bank client did not terminate the relationship because Madoff had turned the investment from $183 million to $1.7 billion over 12 years. Madoff’s fake returns bought silence.

In the late 1990s and again in 2007 divisions of J.P. Morgan were considering having its private bank invest in Madoff. But Madoff was unwilling to help with the bank’s diligence efforts and the bank expressed concerns when it was unable to reverse engineer Madoff’s returns.

In 2006 the London office of the bank had set up an exotic derivative that would provide clients with synthetic exposure to a hedge fund without making a direct investment in the fund itself. To cover the other side, J.P. Morgan invested in a Madoff feeder fund. Apparently, the derivative was wildly successful and hit the bank’s $100 million exposure limit. The traders went to an internal committee to get an exposure increase to $1 billion. The committee tabled approval because the bank couldn’t get the diligence it wanted. Madoff refused to allow the bank to conduct due diligence on his fund directly.

That triggered more diligence efforts and an increasing unease at the bank about having exposure to Madoff. J.P. Morgan began redeeming its interests in the Madoff feeder funds. This was 2008 and Lehman had just collapsed and the Madoff fraud would be exposed in a few months. J.P. Morgan also began unwinding those synthetic exposures. It looks like the bank was able to save $250 million before the Madoff collapse.

The key dagger seems to be when the London office of J.P. Morgan filed a report with the U.K. authorities as a result of its diligence. But J.P. Morgan did not file an equivalent report in the US. Under the Bank Secrecy Act, a bank needs to file Suspicious Activity Reports with FinCEN if the bank notes any suspicious transaction relevant to a possible violation of law or regulation.

The second big failure was that the suspicions were not transmitted from the investment side of the bank to the commercial banking side of the bank. The investment side wanted to limit its exposure and minimize its losses for being invested in a fraud. The banking side would have to take steps to prevent funds from leaving for improper purposes.

From the time the report was filed in London, the Madoff bank account at J.P. Morgan had fallen from $3 billion to $234 million. The $1.7 billion paid by J.P. Morgan is supposed to represent a portion of the money that the bank allowed to leave the Madoff account during that period.

What it boils down to is that in the Fall of 2008, just before the collapse of the Madoff fraud, J.P. Morgan took steps to protect its own business interests but failed to notify FinCEN of the same suspicious, potentially fraudulent, activities.

In the end I suspect J.P. Morgan thought it would not win the case if it went to trial. It has some bad facts on its side. One of the diligence emails joked that they should visit Madoff’s accountant’s office to make sure it wasn’t a car wash. The bank would never find a jury that would offer one iota of sympathy or understanding.

Then it was just a matter of how much cash the bank was willing to pay. It sounds like the initial government ask was about $3 billion: the $2.75 billion that left the Madoff bank account, plus the $250 million that the bank managed to avoid losing by redeeming out of the Madoff feeder funds. I assume the bank is looking to end as many of the regulatory actions from the 2008 financial crisis hanging over its head as it can. Another one down.

FinCEN and Address Confidentiality Programs

How do you open a bank account when you are hiding from domestic violence?

The rules implementing the Bank Secrecy Act require a financial institution to implement a Customer Identification Program that includes procedures that enable it to form a reasonable belief that it knows the true identity of its customers. The rules also require that a financial institution obtain a residential or business street address from each customer.

To make it easier for the victims of domestic violence, sexual assault or stalking to stay hidden from their attackers, 31 states have enacted Address Confidentiality Programs to help protect the home address of victims. These programs provide a confidential mail forwarding system. Typically, the Secretary of the State assigns a substitute address to the program participant to be used as their legal mailing address. Staff retrieve the participant’s mail and forward it to the participant’s actual physical location.

That is where the Address Confidentiality Program runs into the Customer Identification Program.

But the Financial Crimes Enforcement Network issued a letter ruling to help financial institutions get out of this pickle. The FinCEN regulations also allow:

“If the individual customer does not have a residential or business street address, then the rules permit the individual customer to provide a ‘residential or business street address of next of kin or of another contact individual.’”

See 31 C.F.R. §103.121(b)(2)(i)(3)(ii), §103.122(b)(2)(i)(A)(3)(ii), §103.123(b)(2)(i)(A)(3)(ii) and §103.131(b)(2)(i)(A)(3)(ii).

In FIN-2009-R003, FinCEN found:

A customer who participates in a state-created ACP shall be treated as not having a residential or business street address and a secretary of state, or other state entity serving as a designated agent of the customer consistent with the terms of the ACP, will act as another contact individual for the purpose of complying with FinCEN’s rules. Therefore, a financial institution should collect the street address of the ACP sponsoring agency for purposes of meeting its CIP address requirement.

Problem solved. At least it will be once knowledge about the ruling is passed along to front line people enforcing the Customer Identification Programs.

James H. Fries, Jr. on The Objectives and Conduct of Bank Secrecy Act Enforcement

James H. Fries, Jr., the Director of Financial Crimes Enforcement Network at the U.S. Department of Treasury, spoke about The Objectives and Conduct of Bank Secrecy Act Enforcement at the ABA/ABA Money Laundering Enforcement Conference in Washington, D.C. on October 20, 2008.

“An essential principle of FinCEN’s enforcement program is to uphold the public policy choice made by the Congress when it enacted the BSA in 1970, and expanded it with the passage of Annunzio-Wylie Anti-Money Laundering Act of 1992, The Money Laundering Suppression Act of 1994, and the USA PATRIOT Act of 2001.”