The Office of the Comptroller of the Currency (“OCC”) recently released new guidance on the process it uses when considering enforcement actions against banking institutions and individuals for potential non-compliance with Bank Secrecy Act (“BSA”) compliance program requirements and anti-money laundering (“AML”) rules.  At the same time, the OCC also issued a revised policy for assessing civil monetary penalties against both institutions and individuals for compliance violations. The revised policy makes clear that the OCC intends to use the threat of monetary penalties to hold individuals – compliance officers, managers, executives, directors, or any employee of a banking institution – accountable for compliance violations. Compliance with BSA/AML programs is not simply an institutional or bank-only issue; responsibility for ensuring compliance with these programs rests with Boards of Directors, management and individual compliance personnel. Additionally, compliance is not merely a regulatory concern; the recent OCC guidance also makes clear that the OCC will notify criminal law enforcement authorities (including FinCEN, the Financial Crimes Enforcement Network) of “all formal and informal enforcement actions” pursued by the regulators.

The OCC has a statutory mandate to issue a cease-and-desist order when problems or weaknesses in a bank’s compliance systems and controls rise to the level of noncompliance with BSA requirements or result in repeat or uncorrected compliance issues. In addition to a mandatory cease-and-desist order, the OCC may also pursue civil monetary penalties (“CMP”).  The OCC’s process generally allows notice and an opportunity to respond within 15 days of written notice of noncompliance to either an institution or individual. The OCC’s new guidance sets forth the process by which a bank or an individual may respond to a notice of noncompliance.

The OCC’s new CMP policy – known as PPM 5000-7 (REV), which supersedes in its entirely the OCC’s long-standing CMP policy published 23 years ago – includes a complex matrix and three-tier system of penalties which are designed to “quantify the degree of severity of violations, unsafe or unsound practices, and breaches of fiduciary duty” which the OCC elects to pursue. CMPs are generally designed to serve as a deterrent to future compliance violations, and to encourage correction of existing violations.  The revised policy states specifically that the OCC “may use its CMP authority as deemed appropriate to achieve these objectives,” and that a CMP against an “institution-affiliated party” (or “IAP”) emphasizes “the accountability of individuals.” By law, an IAP can be any director, officer, employee, or agent of an insured depository institution. As recent guidance makes clear, an institution’s tone of compliance is set at the top, at the Board and management level, and FinCEN in particular has noted that it is the responsibility of bank leadership to establish a culture of compliance.

When determining CMP amounts, the OCC is required to consider four statutory factors: (1) the size of financial resources and good faith of the institution charged; (2) the gravity of the violation; (3) the history of previous violations; and (4) such other matters as justice may require. The OCC’s CMP matrix reflects the progressive levels of severity associated with potential compliance violations. An individual may be held liable for the most severe penalties (Tier 3) not only when he or she knowingly violates a law or regulation, but also when he or she knowingly engages in any “unsafe or unsound practices,” or knowingly commits a breach of fiduciary duty, which results in a substantial loss to the institution or substantial gain to the individual.  Less severe penalties (Tier 1 and Tier 2) may be imposed for a non-willful violation of a law or regulation or breach of fiduciary duty, or when the individual engages in “reckless unsafe or unsound practices.”

Relatedly, the New York State Department of Financial Services recently issued a proposal that would allow the state to hold compliance officers accountable for AML compliance violations. Although that proposal has not passed, these measures, taken together, signal a new willingness by federal and state regulators to hold managers, directors, compliance officers, and other bank employees accountable for compliance violations.

To view the OCC’s guidance on enforcement actions, please click here.

To view the PPM 5000-7 (REV) and the CMP matrix, please click here.