We’re fairly accustomed now to seeing firms of various stripes fined for AML failings, but for all the talk of personal accountability and statements of responsibility it is still rare for individuals to be held liable for poor AML behaviour. This is why my eye was caught last week by the FinCEN announcement of the US$450,000 “civil money penalty” that it had levied on Michael LaFontaine, former Chief Operational Risk Officer at US Bank National Association. The fifth largest bank in the US, his employer is perhaps better known by the name of its parent company US Bancorp, which has held a banking licence since 1863 and now has 74,000 employees. Like many banks, it relies on software to monitor transactions for unusual activity and then spit out alerts for further enquiry. However, on Mr LaFontaine’s instruction, the bank’s IT elves capped the number of alerts that the system would generate. A risky decision for a risk officer, you might think, and so did FinCEN: “Mr LaFontaine was warned by his subordinates and by regulators that capping the number of alerts was dangerous and ill-advised. His actions prevented the proper filing of many, many SARs, which hindered law enforcement’s ability to fully combat crimes and protect people. FinCEN encourages technological innovations to help fight money laundering, but technology must be used properly.” As Ella Fitzgerald could have told Mr LaFontaine, ’tain’t what you do, it’s the way that you do it, and that’s what gets results.
Before you start to feel professional sympathy with Mr LaFontaine – there but for the grace of God, we’re doing our best here in the compliance department, etc. – let’s fill in the background. In February 2018, US Bancorp was fined $185 million for “wilfully [wilfully!] violating the BSA’s requirements to implement and maintain an effective AML program and to file SARs in a timely manner”. Moreover: “Mr LaFontaine was advised by two subordinates that they believed the existing automated system was inadequate because caps were set to limit the number of alerts. The Office of the Comptroller of Currency warned the bank on several occasions that using numerical caps to limit the bank’s monitoring programs based on the size of its staff and available resources could result in a potential enforcement action, and FinCEN had taken previous public actions against banks for the same activity. Mr LaFontaine received internal memos from staff claiming that significant increases in SAR volumes, law enforcement inquiries, and closure recommendations, created a situation where the AML staff ‘is stretched dangerously thin’. Mr LaFontaine failed to take sufficient action when presented with significant AML program deficiencies in the bank’s SAR-monitoring system and the number of staff to fulfil the AML compliance role. The Bank had maintained inappropriate alert caps for at least five years.”
Now I’ve done a bit of (very amateur) sleuthing to find out how much that $450,000 penalty might hurt Mr LaFontaine. Bill Parker was the bank’s chief risk officer until autumn 2018, and his remuneration in 2016 was a salary of $625,000 as part of a total compensation package of $3.9 million – we know that because it was reported here. Mr Parker was succeeded by Jodi Richard, and she moved into the role – and presumably the remuneration – from her previous job as the bank’s chief operational risk officer (reported here). My logic is that people generally get a maximum 20% salary increase on promotion, so the CORO is probably on about $500,000 a year. Which means that the penalty for at least five years’ poor work for Mr LaFontaine was a year’s salary.