NYDFS fines Intesa Sanpaolo $235 million for bad transaction monitoring
Chris Hamblin, Editor, London, 16 December 2016
Intesa Sanpaolo, the Italian wealth management giant, and its New York branch bank are to pay the New York Department of Financial Services a $235 million fine and give the consultancy firm that is already reviewing all its anti-money laundering systems (in line with a previous regulatory penalty agreement in 2013) more time to look at freshly uncovered contraventions of the US Bank Secrecy Act.
The unnamed consultancy firm is not even the first to have the job of overhauling Intesa's systems this century because of a regulatory fine. The Italian banking giant manages wealth and funds for HNW clients, holding $761 billion in total assets and $18 billion at its New York branch.
The regulator found that Intesa's New York branch failed to keep up its AML efforts properly, thus breaking 3 NYCRR s116.2. It also failed to keep true and accurate records, in breach of New York Banking Law s200-c. It failed to send the superintendent of banks a report once it discovered gaps in its entries (in breach of 3 NYCRR s300.1) and did not comply with an agreement it signed with the regulator's predecessor in 2007 on the same subject.
Between one database and another
One controversy surrounds keyword-and-algorithm-based alerts not being migrated from the branch's alert software programme to its case workflow programme (the two systems have no direct automatic interface, a fact that one might expect unscrupulous bank executives to exploit if they ever wanted to wave suspect deals through).
One independent consultant (the consent order is not clear whether it was the first or the second) said that 41% of the alerts that should have been migrated were proper alerts and not false positives.
The central fault that the regulator finds with the bank on this subject is its refusal to follow its own internal policies, which stated very clearly that staff should load each keyword-inspired or algorithmic alert into the workflow programme, with no exceptions. The branch's AML compliance officer (perhaps under pressure from on high, perhaps not) instead followed a policy of allowing everyone to decide for themselves how to transfer the information. This, of course, led to widespread disobedience.
On top of this, around 2012 the compliance officer and his staff began reviewing and 'clearing' (i.e. dismissing) significant volumes of keyword-based alerts without loading them into the other database. It was common for a member of staff, after a mere glance, to conclude that an alert was a 'false positive' and take it out of the spreadsheet of information that stood ready to be loaded into the workflow case management programme.
Even the AML compliance officer was guilty of this on occasion. Between 2012 and 2014, then, people were dismissing these alerts outside the workflow programme without any formal investigation or the creation of reviewable records. Only in March this year did the branch begin to load all alerts into the other database, at the regulator's insistence.
The rules behind the alert system
Even more shockingly, the New York compliance department showed signs of playing fast and loose with the settings of the alert-generating system itself. When tinkering with the wording of the keyword searches one day, a programmer (who was working for a support firm) added an extra space into the query. The NYDFS is generous here, assuming that this was an inadvertent mistake. The upshot of this was several years of the system failing to generate one important type of alert. Indeed, in 2014 alone, one of the independent consultants found that a correct programming of the keyword combination would have generated 1,400 extra alerts.
Other suspect activity came to light in respect of the wording of the alerts. Somebody - the order does not say who - decided that the system was not allowed to search for 'Russia' but only 'Russian federation' and not 'Libya' but 'Libyan Arab Jamahiriya,' a term of which this publication was not previously aware. If this had not been going on, the consultant concluded, the system in 2014 alone would have reviewed at least $9 billion's worth of additional transactions.
No errors listed in the order appear to lack conscious culpability. One algorithm that was designed to search for three or more transactions in a ten-day period (looking for linked transactions, perhaps) only generated an alert when three or more transactions occurred in a single day. Certain other algorithms (which did work properly) were applied only to a small fraction of the correct total of transactions. The order enumerates no instance in which the system blocked too many transactions; it always blocked too few. This seemed rather suspicious to the regulators.
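The two rule defects described above (a stray space in a keyword query, and a ten-day rule that only fired on same-day activity) are the kind a small regression test over known transactions catches. The following Python is an added example, not code from the consent order or from the bank's monitoring system; the accounts, dates, payment text and the phrase "consulting services" are constructed for illustration.

```python
import re
from datetime import date, timedelta

# Constructed sample data: (account, booking date, free-text payment details).
TXNS = [
    ("ACC-1", date(2014, 3, 3), "invoice 1187 consulting services"),
    ("ACC-1", date(2014, 3, 6), "invoice 1190 CONSULTING SERVICES"),
    ("ACC-1", date(2014, 3, 11), "invoice 1204 consulting services"),
    ("ACC-2", date(2014, 3, 4), "payroll"),
    ("ACC-2", date(2014, 3, 4), "payroll"),
    ("ACC-2", date(2014, 3, 4), "payroll"),
    ("ACC-3", date(2014, 3, 1), "rent"),
    ("ACC-3", date(2014, 3, 20), "rent"),
    ("ACC-3", date(2014, 3, 28), "rent"),
]

def velocity_alerts(txns, min_count=3, window_days=10):
    """Accounts with min_count or more transactions inside any rolling window."""
    by_account = {}
    for account, day, _ in txns:
        by_account.setdefault(account, []).append(day)
    flagged = set()
    for account, days in by_account.items():
        days.sort()
        # Pair each date with the one min_count-1 positions later: if that
        # pair fits in the window, so do the transactions between them.
        for first, last in zip(days, days[min_count - 1:]):
            if last - first < timedelta(days=window_days):
                flagged.add(account)
                break
    return flagged

def keyword_hits(txns, phrase, normalise=True):
    """Indexes of transactions whose details contain phrase."""
    def canon(text):
        # Collapse whitespace runs and ignore case on both query and record.
        return re.sub(r"\s+", " ", text).strip().casefold()
    if normalise:
        return [i for i, t in enumerate(txns) if canon(phrase) in canon(t[2])]
    return [i for i, t in enumerate(txns) if phrase in t[2]]

if __name__ == "__main__":
    print("rule as specified (10 days):", sorted(velocity_alerts(TXNS)))
    print("rule as built (1 day):      ", sorted(velocity_alerts(TXNS, window_days=1)))
    print("query with stray space:     ", keyword_hits(TXNS, "consulting  services", False))
    print("normalised query:           ", keyword_hits(TXNS, "consulting  services"))
```

Running both variants against the same fixture and comparing alert counts after every rule change is what exposes a silent drop in coverage such as the one the consultant measured.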
Nevertheless, those regulators are always at pains to use the most diplomatic language when describing the bank's offences. The order says that the migration of cases from one database to the other did not happen "for reasons not yet apparent." Instead of using the language of culpability, it writes of the bank "suffering a compliance failure," almost as though it were a passive victim of its own employees.
Sleeping at head office
What did the bank's headquarters think of its transgressions? Here the NYDFS is opaque. It comments that "senior management...at the head office in Milan were unaware of [the] weaknesses, despite the existence of facts that could have led to their discovery." It adds that one internal auditor in New York was aware of alerts not being put on the workflow software system at the time, which implies that he should have told - and probably did tell - head office. The regulator, however, appears reluctant to dwell on this angle of the story.
If only the board knew...
Added to this, somebody was stopping compliance staff below the level of AML compliance officer from notifying the board - the body ultimately responsible for compliance - about the database problem. A compliance manager did an audit of the problem in 2014 and mentioned it in his quarterly report, but this went no further for reasons that the NYDFS does not explain.
Onerous efforts for the future
Sixty days hence, the bank is going to have to update its AML/BSA compliance 'programme' (written policy) in a way that pleases the NYDFS. It will have to provide for a system of internal controls; correspondent banking controls; a comprehensive AML risk assessment that looks at all products and services that pertain to the New York branch, along with types of customer, places in the world with which the branch deals, and transaction volumes. It will have to analyse and reconfigure its management information systems and pay someone independent to test them, with an expensive round of branch-wide training to follow. One of the stipulations, rather worryingly, is the appointment of a qualified compliance officer with full independence, which begs the question of what happened to the previous one.
From 1st January onwards, chief compliance officers at banks in the state of New York will have to put their signatures on documents that attest to the efficacy of their firms' transaction monitoring and filtering systems, the implication being that they will lose their jobs if they lie.