On January 19, the Federal Reserve Board (FRB) and New York Department of Financial Services (NYDFS) each issued orders settling an action against a large global bank for alleged BSA/AML violations and other compliance failures. The FRB issued a cease and desist order with a $2.4 million civil money penalty, while the NYDFS issued a consent order with a $30 million civil money penalty.

The bank had been under a 2018 cease and desist order for “significant deficiencies” in its compliance with BSA/AML and OFAC regulations. After a recent examination, the NYDFS and FRB found that while BSA/AML compliance had significantly improved in 2023, the bank had persistent BSA/AML deficiencies through prior examination cycles. 

In addition to the BSA/AML compliance failures, the NYDFS found that the bank failed to self-report instances of fraud. The examination revealed that a former employee backdated several compliance documents at the direction of a then-current branch employee, and the bank failed to report this misconduct to the NYDFS in a timely fashion. The FRB and the NYDFS also both found that the bank unlawfully disclosed confidential supervisory information (CSI) to an overseas regulator without prior approval.

Putting it into Practice: While the BSA/AML allegations dominate the headlines, the enforcement actions also highlight how seriously regulators take the safeguarding of CSI. The FRB’s action was predicated solely on the bank’s unauthorized dissemination of CSI and its lack of internal controls preventing such dissemination. Financial institutions should ensure they have strong policies, procedures, and internal controls in place governing the identification, receipt, and management of CSI. Institutions may also want to identify a CSI officer who can serve as a resource to bank employees on those issues.