Shinhan Bank America ("Shinhan"), a New York-based subsidiary of a Korean bank, faced coordinated enforcement actions on September 29 from the Financial Crimes Enforcement Network ("FinCEN"), Federal Deposit Insurance Corporation ("FDIC"), and the New York Department of Financial Services ("NYDFS"). These concurrent actions resulted in a total of $25 million in civil penalties for failing to develop and implement an effective AML program in accordance with the Bank Secrecy Act ("BSA") and New York law, based on ongoing, unremedied compliance failures that the agencies allege were apparent dating back to at least 2015.
The consent orders provide valuable insight into current areas of regulatory oversight and focus, applicable not just to traditional financial institutions, but to Fintechs and virtual asset companies as well. In fact, although it took more than six years of alleged failures to meet AML requirements outlined in formal agreements between Shinhan and regulators before the bank faced civil penalties, we know that Fintechs and virtual asset entities are likely to face a much shorter grace period from federal and state regulatory agencies who feel the Fintech risk environment demands faster action.
Key Takeaways:
- This coordinated action between FinCEN, NYDFS, and FDIC reflects increased coordination and cooperation among federal and state financial regulators.
- New York's Part 504.3 certification requirement sets up a complicated risk analysis for certifying annual transaction monitoring compliance.
- Compliance governance, change management, and appropriate staffing are key elements to a defensible AML compliance program.
- Regulators expect AML compliance data systems to provide a 360-degree view of customers, meaning systems that are integrated, flag shared customer attributes, and are properly tuned for alerting.
Not surprisingly, recurring AML deficiencies and repeated failures to remediate create a high risk of penalty action and regulators with overlapping jurisdiction share information among themselves. An enforcement action of one regulator can generate a related enforcement action by another. Here, Shinhan was the subject of two earlier FDIC consent orders in 2017 and 2022, along with a NYDFS Memorandum of Understanding in 2020, all of which detailed the compliance shortcomings that became the subject of the most recent actions now taken in a coordinated fashion by FinCEN, NYDFS, and FDIC.
NYDFS Certification Requirements
Under Part 504.3 of New York's Codes, Rules, and Regulations, companies must attest that their transaction monitoring programs meet New York's requirements (Part 500.17(b), which contains a certification requirement related to a firm's cybersecurity program). New York's transaction monitoring regulations are both more specific and expansive than related federal requirements, and require regular risk-based internal audits, improvements, and data management and integration. Part 504 certifications must also be authorized by a company's Board of Directors or Senior Officer. Here, NYDFS points to Shinhan's inability to complete the action plans developed as part of the 2020 MOU as evidence that the bank certified Part 504 compliance even though it still had several outstanding compliance gaps. This shouldn't come as a surprise to financial institutions licensed in New York -- Past Consent Orders have similarly reflected the Department's expectation that annual Part 504 certifications adhere to the proscriptive requirements of Part 504.3.
Compliance Resources and Board Management
Understaffed or underqualified compliance teams are low hanging fruit for regulators looking to measure the adequacy of an institution's BSA program. Corporate governance and sufficient oversight and involvement of boards of directors and compliance committees is also crucial, especially for New York-regulated entities who have specific corporate governance requirements under 3 NYCRR § 116.2 and Part 200.15, for virtual asset Bitlicensees. In these actions, the regulators highlight that the bank's AML department was "chronically understaff[ed]" which contributed to a sizable backlog of transaction monitoring alerts and the inability to timely file SARs. The FinCEN Action also highlights Shinhan's "difficulty ensuring continuity in leadership, particularly in the BSA compliance officer role," and failure to establish clear lines of communication between employees and board.
In its consent order, FinCEN calls out Shinhan's board of director's failure to adequately bring the bank into compliance. Directors and officers can be personally liable for AML violations and, in some situations, may be barred from reimbursement through their organization's directors and officers' liability insurance. For example, in its Financial Institution Letter, "Director and Officer Liability Insurance Policies, Exclusions, and Indemnification for Civil Money Penalties," the FDIC reminded covered depository institutions (FDIC-supervised banks and savings associations, including community institutions with total assets under $1 billion) that a depository institution and its holding company are prohibited from purchasing an insurance policy that "would indemnify institution-affiliated parties (IAPs) for civil money penalties (CMPs) assessed against them [in an administrative proceeding or civil action commenced by any federal banking agency]... [even] if the IAP agrees to reimburse the depository institution for the cost of such coverage."
AML Data and Systems Management
Shinhan was also faulted for failures related to its compliance with FinCEN's 2018 CDD rule in risk rating of customers during its know your customer ("KYC") onboarding process. Specifically, the bank allegedly collected information from its customers about their anticipated activity, but then failed to use or validate that information, instead relying solely on the customer's early actual transaction activity to establish a risk baseline. Further, the bank's automated and "rigid" risk rating calculations used factors not tailored to the bank's cash-intensive customer base, which had a high volume of wire transfers.
FinCEN also flagged Shinhan's failure to identify common elements across customer accounts (e.g., customers acting as signatories or owners of related accounts) that should have triggered transaction monitoring alerts for multiple accounts belonging to the same customer relationship. FinCEN noted the bank's transaction monitoring tools were unable to holistically analyze related accounts and aggregate transaction activity to identify patterns of potentially suspicious activity. Because these processes did not adequately address and investigate potentially suspicious activity, the bank was unable to file SARs within the 90-day timeline stipulated by the BSA.
The Bottom Line
In addition to the risks of continued non-compliance and the unique risk posed by NYDFS' certification requirement, the Shinhan consent orders reveal regulators' expectation that financial institutions utilize the KYC information collected for customers--across all related accounts--to inform customer and risk profile systems. Data integration of transaction monitoring, onboarding, and other backend systems should, in an ideal world, allow processes to "speak to each other" and identify related accounts and suspicious activity patterns across customer populations. At the same time, regulators assess a financial institution's compliance profile by evaluating the urgency and comprehensiveness of its remediation efforts and the adequacy and investment of its directors and officers in necessary compliance programs.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.