As announced on Friday, the Industrial and Commercial Bank of China (ICBC) and its New York branch will pay $32.4m in fines to the Federal Reserve Board (FRB) and the New York Department of Financial Services (NYDFS) for what the regulators called numerous Bank Secrecy Act/Anti-Money Laundering (BSA/AML) and sanctions violations.
The FRB and NYDFS said, in separate charges, that the ICBC had also backdated certain books and records and disclosed some confidential supervisory information (CSI).
The NYDFS fined the bank $30m, and the Fed fined the bank $2.4m; the order also requires ICBC to create a written plan to enhance compliance policies and other oversight and reporting requirements as discussed below.
BSA/AML and OFAC screening compliance
After a routine examination of the bank, the FRB entered a cease and desist order in March 2018 with ICBC and the New York Branch, ordering ICBC to address significant deficiencies in the New York Branch’s compliance with BSA/AML requirements and OFAC regulations.
That order cited areas needing improvement, including the bank’s corporate governance and management oversight, customer due diligence, and suspicious activity monitoring and reporting.
Following the C&D Order, the deficiencies identified in the New York Branch’s BSA/AML and OFAC compliance programs persisted for several more years and through repeated examination cycles, the NYDFS said.
In 2022, the NYDFS and the FRBNY conducted a joint examination that included a targeted review of the New York Branch’s BSA/AML and OFAC compliance programs. The examination found that although the New York Branch’s OFAC compliance program was adequate, its BSA/AML compliance program continued to exhibit deficiencies and required additional enhancements.
In 2023, improvements were noted, but the agencies both said additional improvements were needed.
The most recent examination (later in 2023) showed the bank had remediated all prior examination findings in the areas under scrutiny.
Backdating claims
In a tip from an ICBC New York branch employee, the NYDFS learned that a senior employee of the New York Branch took certain liberties to satisfy an internal Know Your Customer (KYC) program policy. (The policy was one applicable to the bank and not one premised on any regulation or law.)
The policy required the New York Branch to periodically obtain documents from banking clients relating to those banks’ own KYC programs, including a USA PATRIOT Act certification by which the banking client would certify that it complied with the Act.
Upon receipt, this certification was to be acknowledged and counter-signed by a member of the New York Branch’s staff — typically, the banking client’s relationship manager.
In 2015, when the senior employee learned that certain clients’ certifications had not been counter-signed by a member of the bank’s staff, the senior employee reached out to the staff member who had been the relationship manager for the account at the time the signed certifications were due.
That person had left the bank to pursue other employment, but the senior employee still made the former employee sign and backdate the certification forms, NYDFS said.
“Although the Bank asserts that the backdated Certifications ultimately were not included in the banking clients’ KYC files, the conduct by the senior employee constituted a violation of the New York Branch’s obligation to maintain appropriate books and records pursuant to New York Banking Law,” the order states.
An internal investigation at the New York branch of the bank revealed the backdating and signing had occurred – but the bank took eight months to report the discovery to the NYDFS, the regulator said.
Disclosing confidential information
When a foreign regulator requested information about any NYDFS/FRB investigation of ICBC, the New York Branch counsel sent an email to the senior staff member advising that responses about the ongoing investigations would amount to the disclosure of CSI, and the New York Branch’s regulators would need to approve the release of such information as a result.
In early November 2021, the bank’s counsel approached the Department, the FRB, and the FRBNY and provided the background as well as proposed language to send to the overseas regulator to respond to that regulator’s request. In the same month, and prior to receiving proper authorization, the original proposed language and additional documents were sent to an overseas affiliate, which then forwarded the information to its local regulator thereby sharing the confidential information in contravention of regulations.
The New York branch of the bank discovered the information breach and disclosed it to the NYDFS and FRB two weeks after learning of it.
NYDFS
The Bank has been ordered to submit, within 60 days of the execution of the consent order, a status report to the NYDFS with updates on any changes to the New York Branch’s BSA/AML compliance program that are planned and/or underway or have been implemented since the 2021 examination. The status report must include updates on the following (among others):
- A system of internal controls reasonably designed to ensure compliance with BSA/AML requirements and relevant state laws and regulations;
- Controls reasonably designed to ensure compliance with all requirements relating to correspondent accounts for foreign financial institutions;
- A comprehensive BSA/AML risk assessment that identifies and considers all products and services of the New York Branch, customer types, geographic locations, and transaction volumes;
- Management of the New York Branch’s BSA/AML compliance program by a qualified compliance officer, who is given full autonomy, independence, and responsibility for implementing and maintaining an effective BSA/AML compliance program that is commensurate with the branch’s size and risk profile, and is supported by adequate staffing levels and resources;
- Comprehensive and timely independent testing for the New York Branch’s compliance with applicable BSA/AML requirements and relevant state laws and regulations; and
- Effective training for all appropriate New York Branch personnel and appropriate ICBC personnel that perform BSA/AML compliance-related functions.
In addition, within 60 days of the execution of the consent order, the bank must submit a status report that is acceptable to the NYDFS on enhancements to the Bank’s handling of confidential information.
FRB
The FRB also requires a written plan from the bank within the same time period – but its order focuses on the identification, monitoring, and control of CSI.
This plan must include the following four items:
- Enhanced policies, procedures, internal controls, and training thereon, governing the identification, receipt, management, and proper use of CSI;
- Designation of a CSI officer who is a voting member of the Branch’s Risk Management Committee with the appropriate qualifications, experience, and stature to serve as a resource to the Bank and Branch employees on issues related to CSI;
- Procedures to promptly escalate to the designated CSI officer any instance of unauthorized CSI disclosure, including procedures related to the timely disclosure to the Board of the unauthorized CSI disclosure; and
- Measures to ensure management’s effective oversight of the Branch’s personnel’s compliance with policies, procedures, and internal controls designed to deter and detect potential employee misconduct in connection with the use or dissemination of CSI.
Compliance oversight
It’s worth writing it all out in the subhead here, as the NYDFS and FRB both spell out in detail what they expect in terms of policies, procedures, internal controls, and training, plus the quality and qualifications of persons like the compliance officer and CSI officer.
Both agencies speak about the actions that the board must take to maintain effective oversight over compliance with relevant laws and regulations – and the expertise required to do so.
NYDFS’s order in particular stresses the adequacy of resources that must be provided to the compliance department so it can perform its duties. And it notes that clearly defined roles, responsibilities and accountability regarding compliance with BSA/AML requirements must be allocated among the bank’s management, compliance and internal audit personnel.
To be sure, effectiveness within the compliance function at any institution depends on those persons occupying it possessing sufficient authority, stature, independence, resources, and access to the board to do their job well.
Management, in turn, must respect the independent duties of the compliance function, and not interfere with them.
The areas of special focus by the compliance function include those that could create reputational risk for the bank, including those at issue in this case – money laundering, country sanctions, and practices involving confidential data.
Handling CSI
Periodic reviews and training are highlighted in both orders, and both regulators state that a designated “subject matter expert should handle employee inquiries and requests regarding the handling and disclosure of CSI”.
Despite their somewhat different approaches, the Fed’s, FDIC’s, and OCC’s regulations make clear the seriousness with which each agency regards the proper protections for CSI, and businesses might want to remind themselves of the rule (12 CFR § 261.20(b)(1)) and guidance on the topic provided by the Consumer Financial Protection Bureau.