On October 10, TD Bank pleaded guilty to violations of the Bank Secrecy Act and conspiracy to commit money laundering. The plea agreement outlines the facts that led to the charges and the consequences the Bank and its parent company will face, including a historic $3 billion in fines, asset caps, limits on the Bank’s ability to expand and significant remediation measures.

Background

On October 10, 2024, the U.S. Department of Justice (DOJ) announced that TD Bank, the tenth largest bank in the United States, and its parent company (together “the Bank”) pleaded guilty to violations of the Bank Secrecy Act (BSA) and conspiracy to commit money laundering.[1] As part of the agreement, the Bank agreed to pay over $1.8 billion in penalties—the largest penalty ever imposed under the BSA. The plea also marked a rare instance of a major US financial institution pleading guilty to a money laundering charge. The Bank’s guilty pleas are part of a larger resolution totaling approximately $3 billion in penalties with the Board of Governors of the Federal Reserve Board (FRB), the Financial Crimes Enforcement Network (FinCEN) and the Treasury Department’s Office of the Comptroller of the Currency (OCC).

In announcing the charges, Deputy Attorney General Lisa Monaco issued a stark warning to financial institutions, advising that “every bank compliance official in America should be reviewing today’s charges as a case study of what not to do. And every bank CEO and board member should be doing the same. Because if the business case for compliance wasn’t clear before—it should be now.”

“Chronic Failures Provided Fertile Ground for Illicit Activity”

The Bank pleaded guilty to willful failure to maintain an adequate anti-money laundering (AML) program, conspiracy to knowingly fail to file accurate Currency Transaction Reports (CTRs) (both violations of the BSA) and conspiracy to commit money laundering. Notably, each of these criminal penalties have intentionality and knowledge requirements, thus involving conduct more serious than negligence.

According to the plea agreement, for more than a decade the Bank had systemic deficiencies in its AML policies, procedures and controls, and further failed to take appropriate remedial action. In contrast to prior settlements with financial institutions related to systemic deficiencies in compliance programs, here, the DOJ alleged that the Bank actively enforced a system which prevented any budget increase to the AML compliance program year over year, despite the identification of problems by federal regulators and internal auditors. According to Attorney General Merrick Garland, “By making its services convenient for criminals, it became one.”

As alleged in the plea agreement, specific failures were known by the Bank at every level. Among them, the plea agreement details that the Bank did not automatically monitor domestic automated clearinghouse (ACH) transactions, most check activity and other types of transactions and failed to meaningfully monitor transactions involving high-risk countries. Between January 2018 and April 2024, the Bank failed to monitor approximately $18.3 trillion worth of transaction activity, which allowed hundreds of millions of dollars connected to crime and criminal organizations to flow through the bank. Attorney General Garland commented that employees “openly joked” about the Bank’s lack of AML compliance.

More than general compliance failures, the active conduct of Bank employees also plays a significant role in the plea agreement, several of which have been individually prosecuted, although no Bank executives were charged in connection with the resolution. Branch office employees systemically failed to file internal “unusual transaction reports” as required for some transactions that exceed $10,000. Employees are also alleged to have chosen to allow more than $5 billion in transaction activity to continue, even after making internal decisions to close accounts over risk concerns. These intentional failures made the Bank an “easy target for the bad guys,” and permitted three separate money laundering networks to move a total of $670 million through the Bank spanning back to 2014.

As part of the historic agreement, the Bank faces significant penalties, including:

• $1.4 billion cumulative fine for each day the Bank failed to comply with the BSA
• $400 million in criminal forfeiture
• $1.3 billion penalty to FinCEN—the largest penalty ever assessed
• $450 million penalty to the OCC
• $123.5 million fine to the FRB (credited from the resolution to the DOJ matter)
• Retention of an independent compliance monitor for a period of three years and a five-year probationary period
• The imposition of an asset cap of $434 billion, which also limits the bank’s business functions and consolidated assets, and can be lowered further if the bank fails to comply with remediation requirements
• Limits on opening new branches
• Limits on dividend payments

Takeaways

Maintaining an Adequate Risk-Based Compliance Program

The plea agreement requires the Bank to demonstrate a “high-level” commitment to compliance going forward, including “strong, explicit, and visible support for and commitment to compliance” demonstrated by “rigorous support … via words and actions.” The agreement sets forth requirements that the Bank’s compliance program must meet, which additionally serve as helpful reminders of the hallmarks of an effective compliance program which DOJ considers in determining whether a program is adequate. Companies should thus consider the requirements outlined in the agreement as illuminative of the DOJ’s view on what makes a compliance program effective. Some critical requirements include:

• A tested system for the designation of high-risk customers
• Appropriate procedures for KYC and Customer Due Diligence
• Reviews for high-risk accounts
• Periodic account and accountholder reviews for illicit activity or money laundering risk
• Automated transaction monitoring
• Periodic threshold testing and analysis of transaction monitoring scenarios
• Timely and appropriate account closures, response to law enforcement requests and legal process, filing of suspicious activity reports (SARs) and CTRs, and periodic testing of CTR thresholds

Under the agreement, the Bank is now required to generate reports for management review of patterns or outliers in transaction activity. It must consider CTR summary reports, funds transfer reports, significant balance change reports and ATM transaction reports, among other data.

High-Level Oversight and Enforcement

A reoccurring element throughout the plea agreement and the DOJ’s announcement of the resolution is the knowledge of compliance failures throughout the Bank. The plea agreement accordingly requires the Bank to assign responsibility to one or more members of senior management for the implementation and oversight of its compliance program. These individuals must be highly qualified and experienced within the field and have the authority to report directly to independent monitoring bodies including audit committees.

Under the agreement, the Bank must also institute appropriate disciplinary procedures to address violations of the Compliance Programs and adopt remedial measures and procedures to address any violations. The Bank must further incentivize program buy-in by ensuring that its compensation and bonus systems reflect these goals. Similarly, the Bank is prohibited from providing bonuses for directors, officers and employees who do not satisfy compliance performance requirements. The Bank must further implement compensation reduction provisions to claw back compensation paid to directors, officers or employees who commit a violation, or have supervisory authority over employees or business areas related to the commission of a violation and demonstrate knowledge of or willful blindness to the violation.

Periodic Monitoring, Testing and Audits

Going forward, the Bank’s compliance program must feature periodic reviews and testing designed to evaluate and improve its effectiveness. These reviews should involve risk-based assessments of the Bank’s individualized circumstances, particularly money laundering risk, high-cash customer accounts, foreign ATM withdrawal activity, peer-to-peer payment platform activity, evolving industry standards and other emerging typologies. The compliance program must be accountable to senior management and should be independent of the functions they are auditing or testing.

Preventing “Insider Risk”

As noted above, the plea agreement went beyond the failure to build and maintain an effective compliance program and covered misconduct by employees, including taking bribes, willfully failing to file SARs and CTRs and keeping accounts open despite internal determinations that they were high risk. Under the plea agreement, the Bank must implement policies to mitigate insider risk as related to the BSA, laws prohibiting money laundering and other laws against illicit finance in addition to laws prohibiting bribery of bank employees. These controls should prevent and deter employees from:

• Accessing or using systems in an unauthorized or illicit manner
• Accessing or using customer accounts in an unauthorized or illicit manner
• Soliciting or receiving bribes or kickbacks, gratuities or gifts in exchange for conducting certain activities
• Conducting or processing transactions in a manner designed to circumvent compliance and reporting requirements under the BSA

Conclusion

Maintaining a successful AML compliance program has many moving parts. Financial institutions and other companies seeking to ensure that an AML compliance program is being sufficiently managed and implemented should consult with outside counsel learned in compliance who can aid in benchmarking programs against industry best practices and DOJ guidance. Together with their counsel, companies should consider the requirements set forth in the agreement as illustrative of DOJ’s thinking of what constitutes an effective compliance program, and further consider how they can incorporate best practices into their own compliance programs. Even conduct that does not include all the shortcomings noted in the various settlement documents in this matter are areas companies should revisit in evaluating their compliance protections and risk profiles throughout their institutions.

Finally, as the DOJ has lately repeatedly made clear, companies should be aware that they can earn significant cooperation credit if they cooperate with its investigation and timely and proactively disclose misconduct. In this instance, despite the fact that it did not voluntarily disclose wrongdoing and failed to timely escalate relevant AML concerns to law enforcement, the Bank still received a 20 percent reduction off the criminal penalty due to its cooperation and remediation efforts. Had the Bank timely disclosed its misconduct, it would have been eligible to receive a larger reduction off its criminal penalty pursuant to the Criminal Division’s Corporate Enforcement and Voluntary Self-Disclosure Policy. Financial institutions should thus take note that voluntary self-disclosure and affirmative steps to address similar failures can mitigate some of the severe aspects of the penalties issued in this case.

ENDNOTE

[1]     Press Release, U.S. Dep’t of Just., “TD Bank Pleads Guilty to Bank Secrecy Act and Money Laundering Conspiracy Violations in $1.8B Resolution,” (Oct. 16, 2024), https://www.justice.gov/opa/pr/td-bank-pleads-guilty-bank-secrecy-act-and-money-laundering-conspiracy-violations-18b.

This post come to us from White & Case LLP. It is based on the firm’s memorandum, “Lessons Learned from DOJ’s First Money Laundering Plea by a Major Financial Institution,” dated October 22, 2024, and available here.