by Brad S. Karp, H. Christopher Boehning, Jessica S. Carey, Michael E. Gertzman, Roberto J. Gonzalez, Richard S. Elliott, Rachel Fiorill and Karen R. King
On August 28, 2017, the New York State Department of Financial Services (“DFS”) announced a “Notice of Hearing and Statement of Charges” that seeks to impose a nearly $630 million civil penalty against Habib Bank Limited and its New York Branch (“the Bank”) based on allegations of persistent Bank Secrecy Act/anti-money laundering (“AML”) and sanctions compliance failures.[1] A hearing is scheduled for September 27, 2017 before Cassandra Lentchner, DFS’s Deputy Superintendent for Compliance. The Bank – the largest bank in Pakistan – has contested DFS’s allegations and indicated that it plans to challenge the penalty and surrender its DFS banking license, thus eliminating its only U.S. branch. DFS also issued two related orders, which (1) expanded the scope of a review of prior transactions for AML and sanctions issues that was already underway under the terms of an earlier consent order; and (2) outlined the conditions under which the Bank could surrender its DFS banking license, including the retention of a DFS-selected consultant to ensure the orderly wind down of its New York Branch.
The severity of the language and proposed penalty in DFS’s statement of charges reflects the large number and extent of alleged compliance failures at the Bank, which DFS claims persisted for more than a decade, despite agreements with DFS and the Federal Reserve Board of Governors (“Federal Reserve”). According to DFS, these failures are “serious, persistent and apparently affect the entire [Bank] enterprise” and indicate a “dangerous absence of attention by [the Bank’s] senior management for the state of compliance at the New York Branch.”
This enforcement action illustrates that a DFS-regulated institution’s failure to show steady progress in remedying identified concerns can have significant and franchise-threatening consequences. We describe the enforcement action in more detail below, including the numerous compliance failures alleged by DFS.
History of Compliance Challenges at the Bank’s New York Branch
In 2006, the Bank entered into a written agreement with DFS and the Federal Reserve relating to deficiencies in its AML and sanctions compliance.[2] According to DFS, the Bank has since “struggled to comply” with New York banking laws and has been plagued by “repeated breakdowns” in its AML and sanctions compliance programs, with violations occurring every year since 2006 (other than 2009).
In 2015, the Bank entered into new agreements with DFS and the Federal Reserve and agreed to undertake extensive remedial actions and engage an independent monitor.[3] Despite these commitments, a 2016 examination by DFS again identified “serious deficiencies” in the Bank’s compliance program and concluded that the Bank’s management had failed to establish an “appropriate BSA/AML control environment to manage its high-risk client base[.]”
DFS’s Allegations In Its Statement of Charges
DFS’s statement of charges alleges the following AML/sanctions deficiencies at the Bank’s New York Branch, which were identified during DFS’s 2016 examination and a related investigation:
- Over 13,000 transactions with SWIFT payment messages that omitted essential information, such as the identities of the ultimate originator and beneficiary of each transaction.
- Improper aggregation of SWIFT payment messages, which prevented effective screening for suspicious or prohibited activity.
- Insufficient diligence on high-risk customers.
  - DFS specifically highlighted the Bank’s correspondent banking relationship with Al Rajhi, the largest private bank in Saudi Arabia – an entity which has been the subject of Congressional and media scrutiny for alleged links to Al Qaeda and terrorist financing. Noting that transactions with Al Rajhi represent almost a quarter of the transactions conducted through the Bank’s New York Branch, DFS identified a range of alleged control deficiencies in the documentation and administration of the Bank’s customer due diligence program. For example, the Al Rajhi account at the Bank’s Head Office engaged in downstream correspondent clearing activities for several of Al Rajhi’s own affiliates, including Al Rajhi branches in Malaysia and Jordan. This nested account activity was entirely unknown to New York Branch management, as it was not captured in the relevant customer file or correspondence, and was not caught by the Branch’s transaction monitoring system.
- Insufficient customer risk ratings, including insufficient risk-based foreign correspondent due diligence.
- “Wire-stripping,” which involved the intentional removal of identifying information from payment instructions so as to avoid potential scrutiny.
  - Alleged instances of wire-stripping included a payment involving a Chinese weapons manufacturer that was subject to U.S. non-proliferation sanctions, and an approximately $107,000 payment to an individual included on OFAC’s Specially Designated Nationals and Blocked Persons (“SDN”) List.
- 855 “batch-waived” transaction alerts, a group of alerts that were allegedly disposed of summarily, without appropriate review or rationale for failure to review the alerts.
- Defective “good guys” lists, which contained 154 terms corresponding to identical entries on OFAC’s SDN List, resulting in a failure to screen over 4,000 transactions valued at over $250 million.
- Failure to identify or report nearly 200 additional instances of suspicious activity, such as “(i) payments lacking economic purpose (e.g., a payment to a technology company for leather goods); (ii) instances of structuring; (iii) shell company activity; and (iv) politically exposed person activity.” These cases sometimes involved “negative media associated with the parties and/or their beneficial owners, including allegations of terrorist financing, black market trading, drug trafficking, smuggling, and fraud.”
- Insufficient training.
- Insufficient senior management and head office governance, oversight, and documentation.
- Weaknesses in BSA/AML independent testing and the New York Branch’s audit program, including weaknesses in the internal audit program’s rating methodology.
- Weaknesses in data mapping and integrity.
- Allegedly insufficient sanctions screening for several financial products offered at the New York Branch.
- Breakdowns in transaction monitoring, including instances in which screening terms were “wholly insufficient to identify all of the activity the term [was] intended to identify” (e.g., “Embassy of Pakistan” failing to identify payment messages containing the phrase “Pakistan Embassy”).
DFS stated that the Bank’s “compliance function is dangerously weak”; that “Head Office Screening, which the Branch has repeatedly relied on as an excuse for its own lax attitude regarding BSA/AML safeguards, appears to be as weak as that of the Branch itself – if not even more inadequate”; and that the Bank’s “recent misconduct has produced grave risks to itself, to banking institutions in New York State and the U.S., and to the financial system as a whole.” DFS concluded that although the Bank “has been given more than sufficient opportunity to rectify its deficiencies, it has utterly failed to do so – demonstrating a sheer inability to accomplish remediation, a stubborn unwillingness to do so, or both.”
Citing the deficiencies above and other alleged conduct, DFS’s statement of charges lists 53 counts alleging that, from January 1, 2007, the Bank violated a number of New York statutes and regulations and the terms of the Bank’s previous agreements with DFS. Based on these allegations, DFS seeks to impose a monetary payment in an amount up to $629,625,000.
In a rare instance of a bank publicly declining to settle (at least initially) with DFS, the Bank has countered that it has implemented “sincere and extensive remediation measures” and that DFS has failed to recognize its progress. At a press briefing in Islamabad, the Bank’s Chief Executive said: “Yes there are mistakes, but we are saying that the fine for these mistakes is disproportionate.”[4] Nevertheless, the Bank has already decided to wind down its U.S. operations and surrender its DFS banking license, despite the fact that the statement of charges itself does not seek revocation of the Bank’s license.
As noted, in addition to the statement of charges, DFS has issued an order imposing conditions on the surrender of the Bank’s banking license, including a requirement that the Bank “shall immediately engage and pay for an independent consultant of [DFS’s] selection (in its sole discretion) to assist [the Bank] in the safe, sound, and lawful wind down of the affairs of the New York Branch.” DFS has also issued a separate order expanding the scope of a transactional lookback conducted by an independent consultant, which was already underway under the terms of the December 2015 consent order between DFS and the Bank.
Implications
This enforcement action illustrates the severe consequences that a DFS-regulated institution can face when DFS perceives that the institution has been unable or unwilling over the course of years to remedy its AML/sanctions compliance deficiencies. Apparently unable to reach a consensual resolution, DFS has taken the rare step of pursuing an enforcement action and the Bank has publicly stated that it will contest the action and also take steps to withdraw from New York. The Bank’s New York Branch processed approximately $287 billion in correspondent banking transactions in 2015, and it is unclear how the Bank could efficiently continue to clear U.S. dollars without its New York Branch and without resolving these outstanding AML/sanctions concerns.
This enforcement action, if successful, would mark the largest AML/sanctions penalty in Superintendent Vullo’s tenure to date. That tenure has seen a $425 million resolution with Deutsche Bank, a $235 million resolution with Intesa Sanpaolo, a $215 million resolution with Agricultural Bank of China and a $180 million resolution with Mega Bank. As with this latest enforcement action, certain of those actions show DFS’s increasing tendency to impose penalties for a broad range of perceived compliance deficiencies, and not just for specific violative transactions. A previous Paul, Weiss memorandum (PDF: 479 KB) describes these DFS actions in greater detail and outlines recommendations that banks may consider for strengthening AML/sanctions compliance programs.
The full notice of hearing and statement of charges can be found here (PDF: 12,866 KB). The order regarding the surrender of the Branch’s banking license can be found here (PDF: 1,617 KB). And the order regarding the expanded transactional lookback can be found here (PDF: 482 KB).
Footnotes
[1] The August 24, 2017 notice of hearing and statement of charges from DFS (“DFS Order”) is available here (PDF: 12,866 KB). While the document is dated August 24, 2017, DFS did not publish it until August 28, 2017.
[2] The December 19, 2006 agreement among the Bank, the Federal Reserve, and the New York State Banking Department is available here (PDF: 354 KB).
[3] The December 15, 2015 agreement between the Bank and DFS is available here (PDF: 5,121 KB). The December 11, 2015 consent agreement between the Bank and the Federal Reserve is available here (PDF: 55 KB).
[4] See Aug. 28, 2017 Letter from Nausheen Ahmad to the General Manager of the Pakistan Stock Exchange Limited (PDF: 278 KB); see also Syed Raza Hassan, Pakistani bank calls potential $630 million U.S. fine ‘disproportionate,’ Reuters (Aug. 29, 2017).
Brad S. Karp is chairman and partner at Paul, Weiss, Rifkind, Wharton & Garrison LLP. H. Christopher Boehning, Jessica S. Carey, Michael E. Gertzman and Roberto J. Gonzalez are partners in the litigation department at Paul, Weiss, Rifkind, Wharton & Garrison LLP. Richard S. Elliott is International Trade Counsel and Rachel Fiorill and Karen R. King are counsel in the litigation department at Paul, Weiss, Rifkind, Wharton & Garrison LLP.