News & Insights

Client Alert

February 1, 2024

ICBC Settles AML/BSA and CSI Matters with DFS, Fed: Three Take-Aways

AML Developments - What You Need to Know

Earlier this month, the New York State Department of Financial Services (“DFS”) and the Federal Reserve Board of Governors (“FRB”) announced settlements with the Industrial and Commercial Bank of China (“ICBC”) and ICBC’s New York branch (the “Branch”) relating to the alleged unauthorized disclosure of confidential supervisory information (“CSI”), alleged AML/BSA compliance program deficiencies, and the alleged failure to immediately report employee misconduct to DFS. ICBC paid $32.4 million under the two settlements and agreed to extensive reporting and remedial efforts. See Consent Order, In the Matter of Industrial and Commercial Bank of China Ltd. and Industrial and Commercial Bank of China Ltd., New York Branch (DFS Jan. 17, 2024); Order to Cease and Desist and Order of Assessment of a Civil Money Penalty Issued Upon Consent, In the Matter of Industrial and Commercial Bank of China Ltd. and Industrial and Commercial Bank of China Ltd., New York Branch (F.R.B. Jan. 16, 2024). The settlements demonstrate the reach of federal and New York banking regulators and the importance of compliance efforts. We discuss below three key take-aways.

First, ICBC’s settlements illustrate that BSA/AML challenges cast a long shadow. In 2018, ICBC entered into a cease-and-desist order with the FRB relating to BSA/AML requirements and OFAC regulations. DFS Settlement ¶ 7. In 2022, DFS and FRB conducted a joint examination that found that the Bank’s “BSA/AML compliance program continued to have deficiencies and required additional enhancements.” Id. By 2023, ICBC’s AML/BSA and OFAC programs “were in compliance, but additional improvements were still necessary.”  Id. ¶ 8. While the FRB’s settlement addresses CSI only, the DFS, which imposed the vast majority of the penalties at issue, focused on this interim period, stating that ICBC continued to have AML/BSA compliance deficiencies “for several more years [after the 2018 order] and through repeated examination cycles.”  Id. ¶ 6. 

An observer might have concluded that the 2018 settlement and subsequent remediation would resolve matters for ICBC. The DFS settlement shows that alleged compliance failures and related remedial efforts will be scrutinized and may lead to further impacts for the bank, even after a settlement. In addition to its monetary fine, ICBC’s settlement with DFS requires it to provide initial status reports acceptable to DFS that set out detailed assessments of ICBC’s BSA/AML compliance program and governance framework, customer due diligence program, and controls relating to CSI. For two years after the settlement, ICBC agreed to submit annual reports to DFS providing updates on changes to the Branch’s BSA/AML program and ICBC’s governance structure and supervision, including any changes in management and senior compliance personnel at ICBC and the Branch. Id. ¶¶ 33-7. These are onerous requirements that extend beyond the New York Branch and cover the management of the entire bank.

Second, in its settlement, DFS addressed an alleged failure of the bank to immediately report employee misconduct, also relating to the bank’s BSA/AML compliance program.  According to DFS, the bank’s internal policies called for customers to provide a KYC certification, which was to be countersigned by a bank employee. A Branch employee allegedly learned in 2015 that “although valid Certifications had been obtained from the clients, copies of the Certifications counter-signed by a New York Branch staff member were missing from those clients’ KYC files.”  Id. ¶ 14. Following this, a former employee allegedly countersigned and backdated the documents in response to a request from a senior Branch employee. This conduct was reported to DFS by an employee, who had allegedly “raised this issue internally to the Bank by no later than January 2017.” Id. ¶ 16.

DFS alleged that it “only learned about the backdated certifications in January 2018,” id., in violation of the bank’s duty to “to submit a report to the Superintendent immediately upon discovering the occurrence of ‘embezzlement, misapplication, larceny, forgery, fraud, dishonesty, making of false entries and omission of true entries, or other misconduct,’” under 3 NYCRR § 300.1. This charge underscores the importance of responding in a timely manner to internal complaints, including assessing any reporting obligations under section 300.1 and other statutes. In addition, this fact pattern highlights the complexities inherent in implementing AML compliance programs, given the significant operational needs of these programs, and serves as a reminder that employees may benefit from messaging and trainings both on the policies themselves and on the need to consult with legal and compliance personnel when issues arise.

Third, both the DFS and FRB settlements focus on the alleged disclosure of CSI to a foreign affiliate, who then provided the CSI to a local regulator. As defined in the FRB’s regulations, CSI includes “reports of examination and other confidential supervisory communications by the Board or the Federal Reserve Bank of New York ... and any information derived from, related to, or contained in such reports, and any documents prepared by, on behalf of, or for the use of the Board of Governors, a Federal Reserve Bank, or a federal or state financial institution’s supervisory agency.” 12 CFR 261 et seq. Under New York Banking Law, CSI includes “[a]ll reports of examinations and investigations, correspondence and memoranda concerning or arising out of such examination and investigations.” N.Y. Banking Law sec. 36(10). Under Board regulations and New York banking laws, CSI may not be disclosed without prior authorization to any third party.

Here, a foreign regulator asked, as part of an approval process relating to the transfer of an employee, whether the employee had been subject to any regulatory or disciplinary investigations. In connection with this request, ICBC requested authorization from DFS and the FRB to disclose related CSI about ongoing investigations. While this request was pending, the Branch shared the information with its foreign affiliate, which shared it with the foreign regulator. DFS Settlement ¶¶ 19-24. The Branch subsequently reported the disclosure to the FRB and DFS. This fact pattern emphasizes, first, that the definition of CSI is broad. CSI encompasses not just such nonpublic information as the details of examination reports and supervisory assessments but also any information derived therefrom. See 12 CFR § 261.2(b)(1). And the settlements also drive home how critical it is for a licensed entity to assess its policies and procedures relating to the sharing of CSI. As the ICBC settlements show, the disclosure of CSI can be an expensive misstep, leading to enforcement actions and, potentially, scrutiny of other conduct.

As discussed above, the ICBC settlements serve as a reminder of the challenges inherent in implementing and maintaining adequate AML/BSA compliance programs and abiding by CSI requirements. The settlements emphasize the importance of addressing examination findings and internal complaints expeditiously and of building a culture of compliance through implementing reasonable and practical policies. Compliance matters can have a long tail and, as these settlements show, lead to enforcement actions years down the line. Banks are well advised to evaluate whether their programs align with regulatory expectations and to address issues as soon as they arise.

Additional information on King & Spalding’s anti-money laundering capabilities can be found here. In December, King & Spalding presented a wide-ranging webinar with a discussion of 2023 trends in AML enforcement and compliance and an outlook for 2024. A complimentary recording of the webinar can be accessed here.