FDIC Seeks Significant Fine from Small Kansas Bank
Allegations center on BSA/AML issues
In a court filing last Friday, the FDIC acknowledged publicly for the first time that it is seeking an approximately $20.4 million civil money penalty from Weir, Kansas-based CBW Bank. A penalty of this magnitude would likely rank among the highest levied by the FDIC in the past 40+ years,1 but the proposed fine is really made notable by the size of its target: CBW reported approximately $73.6 million in total assets (and approximately $23 million in equity capital) as of September 30.
The FDIC’s filing comes in response to a challenge by CBW to the FDIC’s authority to seek this fine via in-house proceeding. In a preliminary injunction motion last month, CBW argued that under the logic of the Supreme Court’s decision earlier this year in Jarkesy banks charged with offenses like these have the right to have their cases tried, if at all, before a jury in federal court.
The FDIC’s response to CBW’s motion contends that (1) 12 USC 1818(i) prohibits a court from interfering in the FDIC’s enforcement action by issuing the injunction CBW has requested and (2) even if 12 USC 1818(i) does not categorically prohibit the court from granting CBW an injunction, CBW is not entitled to an injunction here because this sort of FDIC enforcement action falls within the public rights exception described in Jarkesy.
Don’t worry, this isn’t going to be another post about Jarkesy. The point of including the two paragraphs above is just to say that though the FDIC’s proposed fine was what spurred CBW to bring its case to court, the court case — for now — is not about the merits of the FDIC’s allegations. It is about where those allegations may be heard.
Assuming a factfinder somewhere someday eventually will reach the merits, this post looks at the FDIC’s allegations and what factors might be driving the size of the fine the FDIC is seeking.
The FDIC’s Allegations
Unless otherwise noted, the allegations and quotations below come from the FDIC’s notice of assessment of civil money penalty, which was made public last Friday for the first time as an exhibit to the FDIC’s response to CBW’s preliminary injunction motion. The usual disclaimer applies: this notice presents only the FDIC’s side of the story, and CBW may one day have the chance to set out a different version of the facts.
CBW’s International Money Transfer Business
The FDIC’s notice states that though CBW Bank operated as a community bank serving a “mainly rural, retail customer base” in southeastern Kansas, CBW also “operated a multi-billion-dollar international money transfer business.”2 Through this business, CBW “generated the bulk of its earnings from fee-based correspondent banking services for foreign financial institutions (FFIs).”
The FDIC throughout the notice offers additional context on the nature and size of CBW’s business, as relevant to the alleged failings at issue. (The “Review Period” here is December 2018 to August 2020.)
During the Review Period, Respondent provided international banking services for more than 30 FFIs, at least six money services businesses (MSBs), and several other businesses providing financial services to individuals and entities in Central and South America, Europe, Africa, and the Middle East.
During the Review Period, Respondent’s internal controls were deficient in its major business lines: U.S. dollar repatriation, international wire, and [Remote Deposit Capture (RDC)].
Respondent provided U.S. dollar repatriation services during the Review Period, including millions of dollars in bulk cash shipments from Mexico for five Mexico-chartered banks and an MSB.
Respondent processed over $27 billion in wire transactions for FFIs in 2018 alone, and billions in other years as well. . . . Many wires processed by Respondent through Context Engine were for FFIs in Mexico that participated in that country’s SPID program, a U.S. dollar settlement program for Mexican banks run through Mexico’s central bank. Respondent processed more than $13 billion in SPID transactions in 2018 and continued the activity throughout the duration of the Review Period.
Respondent processed approximately $461 million in RDC transactions in 2018 with additional transactions continuing through the Review Period. In the first quarter of 2019, Respondent processed more than 39,000 checks totaling over $134 million for a mix of institutional clients including FFIs and MSBs.
An Escalating Series of Actions
The lines of business described above, which CBW later exited,3 are services that are legal for banks to offer. But because these services are regarded by U.S. regulators as presenting elevated risks for money laundering and terrorist financing, banks that offer them are expected to have robust BSA/AML compliance programs commensurate with these risks.
The FDIC alleges that CBW’s compliance program failed to meet this standard, and that CBW failed repeatedly to correct issues after they were identified by the agency.
The notice states that the FDIC as early as 2017 identified “several deficiencies” in CBW’s BSA/AML compliance program, “including in the areas of customer due diligence; BSA policies and procedures; BSA risk assessment; and independent testing.”
After a 2019 BSA exam conducted by the FDIC identified further BSA/AML issues, the agency ultimately in August 2020 issued a public consent order. The consent order required CBW to undertake a series of corrective actions intended to enhance the bank’s BSA/AML controls. It also required CBW to “cease all activity pertaining to foreign financial institution customers . . . and all activity pertaining to domestic MSB transfers” until the bank had “made sufficient progress with the requirements of” the consent order such that the FDIC would permit it to “resume some or all of the ceased subject activities.”
The FDIC in examinations after the consent order was issued determined that CBW had “failed to correct many” BSA/AML issues previously identified,4 and the agency ultimately concluded that a money penalty was warranted.
An Underequipped BSA/AML Compliance Function
Part of the story in the FDIC’s notice is a pretty standard one, not uncommon to recent BSA/AML consent orders against smaller banks, including in the BaaS space. This is a story of a bank compliance function that was, at best, poorly prepared to deal with the new and in some cases innovative businesses that the bank had jumped into.
For example, the notice relates a series of anecdotes about a tool called “Context Engine,” “an affiliate-developed AML/CFT monitoring software” that CBW used as its “primary AML/CFT tool to identify suspicious activity.” Context Engine is portrayed in the notice as a pretty underwhelming tool,5 and in any case one that produced outputs CBW couldn’t really explain.
After collecting information on a transaction, Context Engine generated a score for each transaction. If the score was 75 or above, Context Engine was intended to flag the transaction for review by an analyst. Respondent maintained no rationale or support for Context Engine’s rules and their assigned risk weights; no identification or support for model changes, like removing or adding rules; and no explanation to address Context Engine’s text search function and how it scored matches.
Furthermore, according to the notice, Context Engine often erred in both directions. On the one hand, “[i]n many instances, Context Engine failed to detect suspicious transactions.” On the other, Context Engine did flag “thousands of transactions” based on scenarios developed by CBW, but “[d]espite the volume of flagged transactions, most scenarios did not directly relate to ML/TF risks.” This meant that flagged transactions had to be manually reviewed to identify suspicious activity, and responsibility for this review fell to an overwhelmed small team of reviewers.
At the human review level, Respondent tasked only four analysts to review thousands of daily wires that Context Engine flagged. Respondent repeatedly failed to detect or report suspicious activity in wires flagged for manual review.
These and other failings allegedly led to some potentially egregious AML/CFT misses, including in the context of international wire services provided to a customer that maybe had ties to a terror group.6
Keeping the Customers’ Interests in Mind
While the allegations described above and elsewhere in the notice are enough to make you wince, the really serious allegations in the notice, and what seems to be driving the size of the proposed fine, is that the FDIC does not think this is actually a story about a bank trying its best to comply with supervisory expectations for a high risk line of business and falling short. Instead, the FDIC seems to see this, fairly or unfairly, as a story about a bank that simply did not try very hard in the first place.
In particular, the FDIC alleges that CBW chose not to “expend the resources necessary to achieve a compliant AML/CFT compliance program.” The FDIC further alleges that this choice earned CBW “millions in fee income that it otherwise would not have earned if it had maintained an adequate AML/CFT compliance program,” and allowed CBW to “exaggerat[e] increases in net income through reduced overhead.”7
According to the FDIC:
The President of the Bank told FDIC examiners that Respondent needed to keep its customers’ interests in mind when considering whether to file SARs.
CBW’s BSA Officer from August 2018 to February 2020, who according to the notice “admitted to the FDIC he was not qualified for the role when hired,” also had this to share:
BSA Officer A told the FDIC that he was as concerned with losing a customer as he was with identifying and reporting suspicious activity.
Though the notice does not always make this connection explicitly, the implied allegation is that the mindset reflected in the statements above led to underinvestment in several areas. For example, although CBW engaged an outside auditor to conduct independent testing, the testing that was conducted “severely lacked depth and breadth of review.”
The auditor only sampled 10 wires for review despite Respondent processing in excess of 60,000 wires in 2018. Further, the auditor did not test any RDC transactions. The auditor also limited its suspicious activity review to ten cases where Respondent filed a SAR and three where Respondent decided not to file after review. In addition, the auditor only assessed transactions that Respondent itself elevated for a SAR filing review.
As another example, the notice says that CBW failed to “grant its BSA Officers the authority, independence, and access to resources” commensurate with the risks present in CBW’s business. For instance, CBW did not give its BSA Officer the unilateral authority to decide whether to file Suspicious Activity Reports. Instead, SAR filing decisions were made by a committee made up of the BSA Officer, the VP/Cashier, the VP of Correspondent Banking, and the President of the Bank. There were predictable results:
BSA Officer A told the FDIC while he should have retained the ultimate authority to file SARs, the committee made SAR filing decisions collectively, and the committee members would often rely on the Bank’s VP of Correspondent Banking’s explanations for why a transaction did not require a SAR.
The FDIC concludes the notice by saying that CBW’s actions or omissions amount to CBW having “recklessly engaged in unsafe or unsound practices” that were part of a pattern of misconduct resulting in financial gain or other benefit to CBW.8
***
It is often difficult to form strong opinions on the merits of certain U.S. banking agency enforcement actions. The confidential nature of supervision can make it tough to tell exactly what happened and whether the agency’s response was justified, even when (a carefully curated portion of) the facts become public. For me this struggle is particularly acute with BSA/AML actions, which on the one hand concern an area where I absolutely believe there often is genuinely bad behavior, but on the other hand can seem at times to be driving toward a system where no amount of SAR filings or other compliance machinery is ever enough to satisfy regulators, sometimes with pretty bad results for vulnerable people.
But regardless of what you think of the FDIC’s claims here, there may be an even more interesting question. Say for the sake of argument that the FDIC has both the facts and the law on its side, and that CBW’s actions or inactions in fact warrant a significant penalty. What should that penalty be, and should it matter if the penalty, according to CBW in its preliminary injunction motion, “could imperil the Bank’s financial viability”?9
A search of Civil Money Penalty orders in the FDIC’s Enforcement Decisions and Orders Search Form returns results dating back to 1981. Larger fines than the one proposed here include a $140 million penalty against Banamex USA (a joint action with the California state banking regulator) and a $65 million penalty against ServiceLink Holdings (jointly with the other federal banking regulators). There are also several other orders where the civil money penalty itself was comparatively low, but the parties agreed to pay restitution in the tens of millions of dollars.
It is not clear if the FDIC’s database is comprehensive, and even if the database is comprehensive the FDIC is of course only one of the federal banking regulators, and the one that as a general rule tends to supervise the smallest banks. If you added in institutions supervised by the Federal Reserve Board or OCC, a proposed $20.4 million fine would pretty quickly slide down the list of largest monetary penalties imposed against a bank or its holding company.
So there are a bunch of caveats you can add to the claim in the main text above. But even with those caveats, the bottom line point that this fine is strikingly large both in terms of the FDIC’s historical practice and relative to the size of the target is on pretty solid footing.
See also CBW’s latest CRA evaluation from December 2022, which notes:
While the bank offers traditional banking products and services, the primary business focus has historically been providing a variety of services to foreign financial institutions, money service businesses, and consumer loan products provided nationwide through multiple financial technology companies.
You should probably read “historically” in the above quote as more in the sense of since 2009 or so, rather than since time immemorial.
CBW’s motion characterizes the FDIC as going after them for “years-old conduct that occurred in the Bank’s since-abandoned correspondent banking and money services businesses.”
The notice specifically refers to findings “documented in the subsequent 2022 and 2023 Reports of Examination.” Note however that CBW’s preliminary injunction motion states that the FDIC as early as November 2022 had indicated to the bank that the FDIC was considering imposing a monetary penalty. If that is so, it is not clear the extent to which these subsequent findings, particularly from the 2023 exam, played a role in the FDIC’s decision to seek a money penalty.
See for example paragraphs 41 and 42 of the notice.
At the automated review level, Context Engine failed to detect many suspicious wire transactions. As an example, Context Engine failed to flag repeated cross-border transactions below the preset $10,001 threshold that Respondent had determined was the proper level for suspicious activity detection. Context Engine scenarios also ran only against individual transactions and did not screen for recurring patterns or aggregation.
Context Engine did not contain a ruleset to identify potential concentration accounts, accounts which combine multiple individual customer transactions into a single account for transaction purposes; this lack of a ruleset potentially disguised the identity of the ultimate originator or the purpose of an individual transaction.
This is paragraphs 92-93 of the notice.
. . . Customer E utilized the Respondent’s international wire services to transmit hundreds of millions of dollars. Respondent’s initial customer due diligence on Customer E, an FFI, acknowledged in 2016 that the former chairman of Customer E “allegedly had connections to Hezbollah,” but went on to state that the individual no longer had “any role in the management or ownership of” Customer E. A 2019 report summarizing ongoing customer due diligence on Customer E prepared by Respondent failed to identify that OFAC added Customer E’s former chairman to OFAC’s Specially Designated Global Terrorist list in 2015, and that the former chairman transferred his ownership interests to one of his children. Under such a transfer, the former chairman was still an “owner” of Customer E.
Respondent also failed to identify negative news related to Customer E. The 2019 report failed to identify a news story on a lawsuit against Customer E over alleged ties to Hezbollah, instead stating, “[t]here were no material negative news stories about Customer E in the past twelve months.”
For what it’s worth, I do not understand the FDIC here to be saying that net income was exaggerated in the sense of being reported inaccurately. Instead, I think this is just the FDIC trying to make the more obvious point that if CBW had spent more on compliance, all else equal it would have had more expenses and less net income.
This tracks the language of 12 USC 1818(i)(2)(B), which describes the conditions under which Tier 2 civil money penalties may be assessed.
Just as the FDIC’s notice represents only its side of the story, it is probably fair to have a bit of skepticism about some of the claims in CBW’s preliminary injunction motion, including this one. But again for the sake of argument, assume it is true here.