by Thomas C. Baxter Jr., Michael M. Wiseman, and Jordan M.H. Wish

Court Defers to the FDIC and the Bank Secrecy Act/Anti-Money Laundering Examination Manual in Rejecting a Rare Challenge by a Bank to an Agency-Imposed Cease-and-Desist Order

Summary

On March 12, in California Pacific Bank v. FDIC, the U.S. Court of Appeals for the Ninth Circuit refused to set aside a cease-and-desist order imposed by the Federal Deposit Insurance Corporation (the “FDIC”) on California Pacific Bank (“California Pacific”).[1]  The order requires the bank to comply with, and correct identified violations of, the Bank Secrecy Act (the “BSA”) by improving the bank’s BSA compliance program and Suspicious Activity Report (“SAR”) filing procedures.  In reaching its decision, the court deferred to the Bank Secrecy Act/Anti-Money Laundering Examination Manual, which is published by the Federal Financial Institutions Examination Council (the “FFIEC Manual”),[2] as a definitive statement of the regulatory requirements for satisfying BSA program obligations.  This deference along with an agency-friendly standard of review confirm the broad discretion that the FDIC and other federal banking agencies have in determining violations of the BSA and requiring related remedial actions.

Background

California Pacific is an insured state nonmember bank with two offices in California, fewer than 15 employees and approximately 200 customers.

In July 2010, an FDIC examination deemed California Pacific’s BSA compliance program satisfactory, but required changes in certain areas, such as training, account activity review and risk assessments.

In December 2012, the FDIC again examined California Pacific.  This examination found that the bank’s BSA compliance program violated the BSA by not incorporating all changes required by the 2010 examination and by failing to satisfy any of the four “pillars” set forth in the relevant FDIC regulation:   (1) a system of internal controls; (2) independent testing; (3) designation of an individual responsible for BSA compliance; and (4) appropriate training.[3]  The examination also concluded that the bank violated the BSA by not filing a SAR with respect to customers for which the bank received a grand jury subpoena and in light of evidence of a “layering scheme” involving the customers.[4]

The bank refused the FDIC’s request to consent to a cease-and-desist order.  Following issuance of a notice of charges, a hearing was held before an Administrative Law Judge (the “ALJ”) who ruled against California Pacific and agreed with the examiner’s conclusions that the bank’s BSA compliance program did not satisfy any of the four required pillars and that the bank failed to file a SAR when required to do so.  In determining whether the bank satisfied the four pillars, the ALJ relied in part on relevant guidance in the FFIEC Manual.  The board of directors of the FDIC (the “FDIC Board”) adopted the ALJ’s recommended decision and issued a cease-and-desist order.[5]

California Pacific sought review of the FDIC Board’s decision in the Ninth Circuit, challenging it on both constitutional grounds and under the Administrative Procedure Act (the “APA”).[6]

The Ninth Circuit’s Decision

In a unanimous decision, the Ninth Circuit rejected all of California Pacific’s challenges.

A. Constitutional claims

California Pacific contended that the BSA is unconstitutionally vague, with neither the BSA nor the implementing regulations providing sufficient clarity of what was required by the bank.  Pointing to the economic nature of the BSA, the statute’s lack of any threat to constitutionally protected rights and the ability of banks to be on notice of expected conduct, including by means of the FFIEC Manual, the court held that the BSA is not impermissibly vague.  The court also rejected the bank’s argument that the FDIC’s examiners and the ALJ were unconstitutionally biased.

B. Administrative PROCEDURE ACT claims

California Pacific raised two arguments that the Ninth Circuit interpreted as arising under the APA:  first, that the FDIC inappropriately relied on the FFIEC Manual—which is not legally binding—in determining that the bank’s compliance program did not satisfy the BSA and implementing regulations.  And second, that there was insufficient evidence to support the conclusions that the bank’s compliance program failed to satisfy any of the four “pillars” then required for a compliant BSA program[7] and that the bank should have filed a SAR.  Before addressing either argument, the Ninth Circuit stressed the limits of its review.  The APA’s standard of review, the court explained, is “highly deferential” to the agency.[8] 

Reliance on the FFIEC Manual

The Ninth Circuit looked to the “Auer deference” doctrine in holding that the FDIC permissibly relied on the FFIEC Manual in determining what was required of California Pacific’s compliance program under each of the four pillars.  That doctrine obliges courts to treat as authoritative an agency’s interpretation of its own ambiguous regulation.[9]  Citing the complexity of BSA compliance, the need for FDIC examinations and the fact that different banks take different approaches in their BSA compliance programs, the Ninth Circuit determined that the FDIC’s regulation laying out the four pillars is ambiguous.  As a result, because the FDIC has advised banks that it considers the FFIEC Manual to reflect the agency’s supervisory expectations,[10] the Ninth Circuit concluded that Auer deference was required:  “The FDIC Board,” the court held, “acted in accordance with the law in referencing the FFIEC Manual to clarify the four pillars analysis for determining violations of the BSA.”[11]

Evidentiary challenges

Under the APA’s deferential standard of review, the Ninth Circuit also held that there was sufficient evidence for the FDIC Board to conclude that (1) deficiencies in the bank’s BSA compliance program meant that it did not satisfy any of the four pillars, and (2) the bank had failed to file a SAR.  The following summarizes the court’s analysis for each of the four pillars and for the SAR filing obligation:

• Pillar 1 (system of internal controls). The FDIC Board found that the bank did not conduct adequate customer due diligence, apply proper risk ratings to certain customers, conduct adequate site visits or sufficiently monitor accounts for suspicious activity.  The court agreed with these findings, citing, for example, the failure to properly document BSA site visits by purportedly relying on the memory of the bank’s BSA officer.
• Pillar 2 (independent testing). The FDIC Board determined that the bank’s third-party auditor performed inadequate independent testing because, among other things, the auditor failed to include an overall assessment of California Pacific’s BSA program and did not address several deficiencies noted by the FDIC.  This evidence, the Ninth Circuit held, was sufficient to support the FDIC Board’s determinations with respect to this pillar.  As further support, the court indicated that the independent auditor may have had a conflict of interest based on (1) providing positive testimony before the ALJ that contradicted concerns the auditor had previously raised, and (2) the auditor’s role as a “consultant” to the bank with respect to the design and operation of its BSA program.  The court’s partial reliance on the “suggest[ion]”[12] of a conflict of interest is in contrast to the FDIC Board’s observation that it found “the evidence in this regard to be thin.”[13]
• Pillar 3 (designation of individuals responsible for BSA compliance). The FDIC Board determined that California Pacific’s BSA officer lacked “the experience, training, and time to adequately perform” that role.[14]  The court, in finding there was sufficient evidence for this determination, cited the BSA officer’s lack of training in BSA compliance prior to his appointment and insufficient subsequent training; the bank’s appointment of the officer without interviewing him or anyone else; and insufficient time and conflicting obligations, because the BSA officer also acted as the bank’s senior credit officer, chief financial officer, internal auditor and operations compliance officer.
• Pillar 4 (appropriate training). The FDIC Board determined that the bank’s training was insufficient as it was not tailored to the roles of individual employees and was generally inadequate.  The court credited the FDIC examiner’s conclusions that the undifferentiated training provided to employees—consisting of presentations and quizzes about the bank’s BSA Policy Manual—was inadequate and not tailored to employee roles.  The court used the FFIEC Manual to reject the bank’s argument that tailoring was unnecessary given that the bank’s small workforce had overlapping responsibilities.  That manual, the court highlighted, provides that BSA “training should be tailored to the person’s specific responsibilities”;[15] accordingly, because the bank acknowledged its staff performed different tasks, it “could have, but did not, conduct both group and role-based BSA compliance training.”[16]
• Required SAR filing. During 2011 and 2012, California Pacific received grand jury subpoenas regarding certain transactions of particular customers who were later indicted for economic espionage and theft of trade secrets.  The bank did not file a SAR related to this activity, purportedly because the BSA officer believed that each subpoena directed the bank to maintain “the utmost secrecy” regarding its contents, and that this admonition precluded the filing of a SAR.  The FDIC Board determined that the bank was required to file a SAR based on the transactional activity.  The Ninth Circuit held that there was sufficient evidence to support the FDIC Board’s determination, pointing out that an FBI agent who spoke with the bank’s BSA officer, as well as the FFIEC Manual, instructed that a SAR may be filed even after receiving a subpoena (although the SAR generally should not mention the subpoena).  Further, the court noted that relevant examination staff concluded that although “an indictment alone was insufficient to support filing a SAR,” red flags such as large transactions that lacked pertinent information provided evidence of a layering scheme and warranted a filing.[17]

The Ninth Circuit also noted with apparent approval the directive in the Federal Deposit Insurance Act that the FDIC was required to issue a cease-and-desist order in these circumstances because California Pacific had failed to correct a problem with BSA compliance that the FDIC previously, in connection with the 2010 examination, had brought to the bank’s attention.[18]

Implications

Deference to the Federal Banking Agencies and Their Examiners

California Pacific appears to be the only published decision by a federal appeals court that addresses a bank’s challenge to a BSA-related cease-and-desist order.  The Ninth Circuit’s deference to the FDIC in this case may help explain why banks rarely litigate supervisory determinations by federal banking agencies.  Auer deference allowed the FDIC to use the (not legally binding) FFIEC Manual in determining what banks must do to comply with the admittedly ambiguous (but legally binding) regulation that requires a four-pillared BSA compliance program.  This deference to the FFIEC Manual is significant, because the court treated nonconformance with its standards as violations of the underlying regulation, even though the FFIEC Manual was not subject to notice and comment rulemaking procedures or submitted to Congress under the Congressional Review Act.[19]   A “highly deferential” standard of review also allowed the agency to prevail if it could point to sufficient evidence to support its conclusions, without needing to show the conclusions were the best readings of the evidence as a whole.  At least with respect to the BSA, the Ninth Circuit thus supports a broad view of the discretion that the federal banking agencies have in applying ambiguous requirements like those under the BSA and its implementing regulations.

It is also notable that this discretion is not necessarily concentrated only at the level of agency leadership.  The FDIC Board noted that it has “repeatedly recognized the great deference due to the opinions and conclusions of FDIC examiners,” including with respect to determining whether a compliance program satisfied the relevant regulation and, if not, what remedial actions were appropriate.[20]  The Ninth Circuit’s deference to the agency, combined with the agency’s deference to its own examiners, demonstrates the breadth of the authority such examiners have with respect to supervised institutions.

Interpretation of the BSA in the Criminal Context

Although California Pacific arose as a challenge to a banking agency’s administrative enforcement of the BSA, violations of the BSA may also be subject to both civil and criminal penalties outside of the banking agency enforcement context.[21]  For example, the BSA provides that a person “willfully violating” certain provisions of the BSA or a regulation promulgated thereunder—including willful violations of BSA compliance program and SAR filing requirements—may be subject to criminal fines and imprisonment.[22]  The Ninth Circuit made no mention that a violation of the BSA could result in criminal liability, and, in fact, despite noting that potential criminal penalties or a scienter requirement could be relevant to the bank’s constitutional arguments, the court declined to address whether or how those factors affected its analysis.  It remains to be seen whether courts applying the BSA in the criminal context would view nonconformance with FFIEC Manual standards as a basis for a criminal prosecution, or provide as much deference to banking agency or examiner findings.

Other Observation

This case illustrates the particularly difficult financial burden that small banks confront in seeking to comply with the BSA.  For example, a fully dedicated BSA officer would have represented over 5% of California Pacific’s employee base.

Footnotes

[1] California Pacific Bank v. FDIC, No. 16-70725, 2018 WL 1247159 (9th Cir. Mar. 12, 2018).

[2] The FFIEC Manual is prepared by the member agencies of the Federal Financial Institutions Examination Council—the Board of Governors of the Federal Reserve System, the Consumer Financial Protection Bureau, the FDIC, the National Credit Union Administration, the Office of the Comptroller of the Currency and a committee of representatives of state financial institution supervisory agencies—in collaboration with the Financial Crimes Enforcement Network (“FinCEN”) and the Office of Foreign Assets Control.

[3] 12 C.F.R. § 326.8(c).

[4] See 12 C.F.R. § 353.3 (the FDIC regulation determining the situations in which a state nonmember bank must file a SAR).  Layering, the second stage of the money laundering process, involves moving funds around the financial system in a complex series of transactions to create confusion and complication.

[5] In re Cal. Pac. Bank, FDIC-13-094b, 2016 WL 2997645 (F.D.I.C. Feb. 17, 2016).

[6] See 5 U.S.C. §§ 701 et seq.

[7] In 2016, FinCEN issued a regulation concerning customer due diligence that it characterized as a “fifth pillar.”  FinCEN “views the fifth pillar as nothing more than an explicit codification of existing expectations” concerning customer due diligence obligations that had been a component of the “system of internal controls” pillar.  81 Fed. Reg. 29398, 29420 (May 11, 2016).  The regulations promulgated by the FDIC and the other federal banking agencies regarding BSA program obligations have not expressly incorporated this fifth pillar.

[8] Cal. Pac. Bank, 2018 WL 1247159, at *7 (quoting Indep. Acceptance Co. v. California, 204 F.3d 1247, 1251 (9th Cir. 2000)).

[9] See Auer v. Robbins, 519 U.S. 452, 461 (1997).

[10] See FDIC Financial Institution Letter FIL-17-2010 (2010 version of the FFIEC Manual); FDIC Financial Institution Letter FIL-60-2014 (2014 version of the FFIEC Manual).

[11] Cal. Pac. Bank, 2018 WL 1247159, at *9.

[12] Id. at *11.

[13] Cal. Pac. Bank, 2016 WL 2997645, at *6 n.20.

[14] Cal. Pac. Bank, 2018 WL 1247159, at *12; see also FFIEC Manual (2010 version), at 36 (noting that a BSA compliance officer without “the expertise, authority, or time to satisfactorily complete the job” does not satisfy the relevant regulatory requirement).

[15] FFIEC Manual (2010 version), at 37.

[16] Cal. Pac. Bank, 2018 WL 1247159, at *13 n.12.

[17] Id. at *14.

[18] See 12 U.S.C. § 1818(s)(3)(B).

[19] See  Letter from GAO to Senator Pat Toomey, October 19, 2017 (PDF: 174 KB).  For further information, see our Client Memorandum, Congressional Review Act:  GAO Determines That Banking Agencies’ Leveraged Lending Guidance is a “Rule” and Therefore Subject to the Requirements of the Congressional Review Act, dated October 20, 2017.

[20] Cal. Pac. Bank, 2016 WL 2997645, at *9.

[21] 31 U.S.C. §§ 5321-5322.

[22] See, e.g., 31 U.S.C. § 5322(a).

Thomas C. Baxter Jr. is Of Counsel, Michael M. Wiseman is a partner, and Jordan M.H. Wish is an associate at Sullivan & Cromwell LLP

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.