FinCEN fines Gibraltar Private Bank $4 million
Chris Hamblin, Editor, London, 4 March 2016
The Financial Crimes Enforcement Network (“FinCEN”) has assessed a civil money penalty against Gibraltar Private Bank and Trust Company under the Bank Secrecy Act 1970, which it accuses the bank of breaking on purpose. The Office of the Comptroller of the Currency has also fined it $2½ million.
The inert OCC is the bank's primary regulator. It originally expressed doubts about deficiencies in the bank's AML programme that stopped the bank from monitoring and detecting suspicious activity despite the appearance of several 'red flags.' In typical OCC style, it was not until 2014, after three years of heel-dragging on the part of the bank, that the regulator placed it under a consent order. The now-defunct Office of Thrift Supervision subjected the bank to a 'cease and desist' order in 2010. This required Gibraltar to take remedial steps with respect to its BSA compliance programme - its failure to do so forms the backdrop to the present fine.
Because of its bad programme, Gibraltar failed to make at least 120 suspicious activity reports (SARs) involving nearly $558 million in transactions that occurred between 2009 and 2013. It also dallied over the reporting of accounts related to a $1.2 billion Ponzi scheme led by Florida attorney Scott Rothstein. Its record-keeping was also deficient. It admits to all these things as part of its settlement.
Every American bank’s anti-money laundering compliance programme must:
- provide for a system of internal controls to ensure that it is complying;
- provide for "independent testing for compliance to be conducted by bank personnel or by an outside party" (some might think that "independent testing by bank personnel" was impossible);
- designate an individual or individuals responsible for co-ordinating and monitoring day-to-day compliance; and
- provide training for appropriate people.
The regulator found the bank to be especially deficient in the first and last of these things and also thought that its customer identification programme was not appropriate for its size and type of business. It served highly risky customers without monitoring their accounts properly, with disastrous consequences for its detection and reporting capacity. Although it used a software system to monitor its accounts for unusual activity going through the bank, the system and procedures were so flawed that it systematically failed to identify transactions through numerous accounts that showed tell-tale signs of money laundering. The system contained incomplete and inaccurate account-opening information and customer risk profiles and lacked analysis and 'validation,' a word by which the regulator presumably means verification. The anticipated account activity for some customers often failed to match the actual transactional activity. When the automated transaction monitoring system generated alerts on certain customers, analysts in the BSA department were unable to change their risk ratings at the right times, or at all.
The regulator also pinpointed "an unmanageable number of alerts that included large numbers of false positives." This, however, is hardly a testament to its powers of observation - the OTS noticed the same thing in 2010. The bank, obviously unimpressed by this, did not overhaul the system until the middle of 2014. Before 2013, and despite regulatory prompting, it did not even test it. Between early August 2013 and late July 2014, Gibraltar failed to review and close or escalate nearly 60% of its 'monthly alerts' (the regulator does not explain what it means by this odd phrase) in the 30 days prescribed by its own BSA/AML policy. Its BSA analysts, moreover, were overwhelmed by the large volumes of alerts that came their way. In those cases where the BSA team sent alerts up the corporate ladder for further investigation, with a view to generating SARs if need be, it took more than 60 days to 'escalate' 16 alerts, or 64% of the escalated reviews. Eleven of these reviews resulted in SARs.