.jpg?h=975&iar=0&w=2560&rev=-1&hash=ABFE245163347BED2AF7249138E60389?w=3840&q=75)
30 January 2024 • 8 minute read
China’s largest commercial bank resolves anti-money laundering and related matters with US regulators: Key takeaways
Earlier this month, alongside its New York branch, Industrial and Commercial Bank of China Ltd. (ICBC) – a Chinese state-owned commercial bank and the country’s largest commercial bank – resolved ongoing investigations by both the Board of Governors of the Federal Reserve System (the Fed) and New York State Department of Financial Services (NYDFS).
Consent orders issued by each agency will resolve years-long investigations into the bank’s alleged (and already-remediated) anti-money laundering (AML) compliance deficiencies and alleged mishandling of confidential supervisory information (CSI). Cumulatively, the bank will pay $32.4 million to US regulators.
Below, we explore the key details and set out key takeaways.
Disclosure of confidential supervisory information
CSI is nonpublic information that is created or obtained in furtherance of the Fed’s “supervisory, investigatory, or enforcement activities, including activities conducted by a Federal Reserve Bank under delegated authority, relating to any supervised financial institution, and any information derived from or related to such information.” 12 C.F.R. § 261.2. Similarly, section 36(10) of the New York Banking Law provides that “[a]ll reports of examinations and investigations, correspondence and memoranda concerning or arising out of such examination and investigations” are confidential. It is illegal to disclose CSI without prior approval of the appropriate banking regulator.
In September 2021, ICBC sought to transfer an employee from its New York branch to an overseas affiliate. The transfer required approval from a non-US regulator where the affiliate was located. As part of the approval process, that regulator sent a questionnaire asking whether the employee or the New York branch was the subject of any regulatory or disciplinary investigations. In early November 2021, the bank sought approval from the Fed and NYDFS to disclose CSI in response to the regulator’s request.
However, in November 2021, without prior authorization from the Fed or NYDFS, the New York branch responded to the regulator’s questionnaire, disclosing CSI to the overseas regulator. Although the bank later self-reported the unauthorized disclosure of CSI, both the Fed and NYDFS orders penalized the bank for the disclosure to the foreign regulator. The Fed’s order fined ICBC approximately $2.4 million for the unauthorized use and disclosure of CSI and requires the bank to submit a formal plan to improve “internal controls and compliance functions regarding the identification, monitoring, and control of CSI.”
NYDFS’s fine for past Bank Secrecy Act/AML deficiencies
Although the Fed’s order focused solely on the unauthorized disclosure of CSI, the NYDFS order also alleged deficiencies in the bank’s Bank Secrecy Act/Anti-Money Laundering (BSA/AML) and Office of Foreign Assets Control (OFAC) sanctions compliance program. Specifically, NYDFS alleged that the bank failed to promptly (1) improve its internal BSA/AML and OFAC compliance programs and (2) report that an employee had backdated certain documents required in the bank’s “Know Your Customer” (KYC) due diligence file under the bank’s internal policies.
Notably, the NYDFS order stated that NYDFS’s most recent examination, conducted in 2023, found that the New York branch’s BSA/AML and OFAC compliance programs were “adequate” based on “significant improvements.” The NYDFS order further acknowledged the bank’s “significant efforts toward enhancing its BSA/AML and OFAC compliance programs” and stated that the bank “successfully remediat[ed] all prior examination findings in those areas.”
Nonetheless, the NYDFS fined ICBC for “long standing weaknesses in BSA/AML and OFAC” compliance programs. NYDFS cited a 2018 consent order between the bank and the Fed directing the New York branch to remediate deficiencies in corporate governance and management oversight, customer due diligence, and suspicious activity monitoring and reporting. Because the deficiencies cited in the New York branch’s BSA/AML and OFAC compliance programs persisted for several years following the 2018 consent order, NYDFS fined the bank notwithstanding the “significant improvements” that the entity had implemented.
The NYDFS order also contended that the bank failed to promptly disclose instances of “embezzlement, misapplication, larceny, forgery, fraud, dishonesty, making of false entries and omission of true entries, or other misconduct, whether or not a criminal offense,” as required under New York law. The bank’s internal KYC program policy required the New York branch to periodically obtain documents from banking clients, including a certification, by which the banking client would certify that it complied with the USA PATRIOT Act. Under the bank’s internal policy, upon receipt of a client certification, the certification needed to be counter-signed by a member of the New York branch’s staff – typically, the banking client’s relationship manager. The specific counter-signature requirement was part of the New York branch’s own internal policy and “was not a [specific] statutory or regulatory requirement.”
In August 2015, a senior New York branch employee learned that certain banking clients’ certifications had not been counter-signed by a member of the New York branch’s staff. Despite this, the bank had obtained “valid” and timely certifications; only the countersignatures were missing. By that time, however, the individual who had been the relationship manager for the clients had left the New York branch. Upon encountering the unsigned certifications, the senior employee contacted the former employee and asked the former employee to counter-sign and backdate the certifications. The former employee obliged, signed, backdated, and returned to the bank signed copies of the certifications for five different banking clients. Although the bank asserted that the backdated certifications were not included in its KYC files (and thus presumably did not violate any AML regulations), NYDFS concluded that the conduct by the senior employee constituted a violation of the New York branch’s more general obligation to maintain appropriate books and records.
According to NYDFS, “the making of the backdated [c]ertifications plainly constituted false entries…which should have been reported … immediately upon discovery.” Instead, NYDFS learned of the backdating in January 2018 following an internal investigation conducted by the New York branch in April 2017.
Pursuant to the consent order, ICBC agreed to pay $30 million to NYDFS. Further, ICBC agreed to submit a status report on its BSA/AML compliance program, other BSA/AML-related enhancements including with respect to its governance framework and customer due diligence program, and enhancements to its handling of CSI within 60 days of the order. Lastly, ICBC agreed to submit annual reports to NYDFS that provide updates on “any changes to the New York [b]ranch’s BSA/AML program and ICBC’s governance structure and supervision thereof, including any changes in management and senior personnel of the compliance functions at ICBC and the New York [b]ranch” for the next two years.
Takeaways for companies
Remain vigilant for unauthorized disclosure of CSI. Multinational banks regulated by the Fed, the FDIC, and/or the Office of the Comptroller of the Currency should be cognizant of potential challenges when a US branch of a non-US bank wants or needs to share information with its parent company or other non-US affiliates or regulators. As demonstrated here, an ordinary situation like transferring an employee from a US branch to an overseas affiliate can create a risk of improper disclosure of CSI. Operationally, it may be very challenging where multinational banks seek time-sensitive regulatory advice from their parent companies or may have internal policies requiring them to report information that could be CSI. Therefore, financial institutions should focus on internal controls to oversee all CSI disseminated internally and seek appropriate banking agency approval for the disclosure of CSI to overseas parent or affiliate companies or non-US regulators.
Although often necessary upon identifying a potential violation, remedial measures alone may not be sufficient to prevent enforcement penalties. Although the NYDFS order stated that the “New York Branch’s BSA/AML and OFAC compliance programs were adequate due to significant improvements” made by the bank, the NYDFS nevertheless fined ICBC for past deficiencies. Financial institutions should therefore be vigilant in ensuring prompt attention to supervisory criticisms, particularly related to any deficiencies in BSA/AML compliance.
Draft policies thoughtfully and create structures where such policies can be implemented and followed. The NYDFS action is also notable for penalizing the bank for violating its own internal policies and procedures for countersigning client certifications. Banking (and other) regulators may find concerns about a bank’s control environment and/or its commitment to compliance where the bank does not or cannot comply with its own internal policies. Banking regulators in these instances may conclude that a company’s failure to follow its own policies, particularly those related to central functions like AML and KYC, reflects poorly on the bank’s management and could impact the entity’s ability to operate in a safe and sound manner.
Accuracy is key. All companies, especially financial institutions, should be mindful of the accuracy of any entry or record, whether such entry is mandated by regulation or merely internal bank policies.
For more information, please contact the authors.
Consent orders issued by each agency will resolve years-long investigations into the bank’s alleged (and already-remediated) anti-money laundering (AML) compliance deficiencies and alleged mishandling of confidential supervisory information (CSI). Cumulatively, the bank will pay $32.4 million to US regulators.
Below, we explore the key details and set out key takeaways.
Disclosure of confidential supervisory information
CSI is nonpublic information that is created or obtained in furtherance of the Fed’s “supervisory, investigatory, or enforcement activities, including activities conducted by a Federal Reserve Bank under delegated authority, relating to any supervised financial institution, and any information derived from or related to such information.” 12 C.F.R. § 261.2. Similarly, section 36(10) of the New York Banking Law provides that “[a]ll reports of examinations and investigations, correspondence and memoranda concerning or arising out of such examination and investigations” are confidential. It is illegal to disclose CSI without prior approval of the appropriate banking regulator.
In September 2021, ICBC sought to transfer an employee from its New York branch to an overseas affiliate. The transfer required approval from a non-US regulator where the affiliate was located. As part of the approval process, that regulator sent a questionnaire asking whether the employee or the New York branch was the subject of any regulatory or disciplinary investigations. In early November 2021, the bank sought approval from the Fed and NYDFS to disclose CSI in response to the regulator’s request.
However, in November 2021, without prior authorization from the Fed or NYDFS, the New York branch responded to the regulator’s questionnaire, disclosing CSI to the overseas regulator. Although the bank later self-reported the unauthorized disclosure of CSI, both the Fed and NYDFS orders penalized the bank for the disclosure to the foreign regulator. The Fed’s order fined ICBC approximately $2.4 million for the unauthorized use and disclosure of CSI and requires the bank to submit a formal plan to improve “internal controls and compliance functions regarding the identification, monitoring, and control of CSI.”
NYDFS’s fine for past Bank Secrecy Act/AML deficiencies
Although the Fed’s order focused solely on the unauthorized disclosure of CSI, the NYDFS order also alleged deficiencies in the bank’s Bank Secrecy Act/Anti-Money Laundering (BSA/AML) and Office of Foreign Assets Control (OFAC) sanctions compliance program. Specifically, NYDFS alleged that the bank failed to promptly (1) improve its internal BSA/AML and OFAC compliance programs and (2) report that an employee had backdated certain documents required in the bank’s “Know Your Customer” (KYC) due diligence file under the bank’s internal policies.
Notably, the NYDFS order stated that NYDFS’s most recent examination, conducted in 2023, found that the New York branch’s BSA/AML and OFAC compliance programs were “adequate” based on “significant improvements.” The NYDFS order further acknowledged the bank’s “significant efforts toward enhancing its BSA/AML and OFAC compliance programs” and stated that the bank “successfully remediat[ed] all prior examination findings in those areas.”
Nonetheless, the NYDFS fined ICBC for “long standing weaknesses in BSA/AML and OFAC” compliance programs. NYDFS cited a 2018 consent order between the bank and the Fed directing the New York branch to remediate deficiencies in corporate governance and management oversight, customer due diligence, and suspicious activity monitoring and reporting. Because the deficiencies cited in the New York branch’s BSA/AML and OFAC compliance programs persisted for several years following the 2018 consent order, NYDFS fined the bank notwithstanding the “significant improvements” that the entity had implemented.
The NYDFS order also contended that the bank failed to promptly disclose instances of “embezzlement, misapplication, larceny, forgery, fraud, dishonesty, making of false entries and omission of true entries, or other misconduct, whether or not a criminal offense,” as required under New York law. The bank’s internal KYC program policy required the New York branch to periodically obtain documents from banking clients, including a certification, by which the banking client would certify that it complied with the USA PATRIOT Act. Under the bank’s internal policy, upon receipt of a client certification, the certification needed to be counter-signed by a member of the New York branch’s staff – typically, the banking client’s relationship manager. The specific counter-signature requirement was part of the New York branch’s own internal policy and “was not a [specific] statutory or regulatory requirement.”
In August 2015, a senior New York branch employee learned that certain banking clients’ certifications had not been counter-signed by a member of the New York branch’s staff. Despite this, the bank had obtained “valid” and timely certifications; only the countersignatures were missing. By that time, however, the individual who had been the relationship manager for the clients had left the New York branch. Upon encountering the unsigned certifications, the senior employee contacted the former employee and asked the former employee to counter-sign and backdate the certifications. The former employee obliged, signed, backdated, and returned to the bank signed copies of the certifications for five different banking clients. Although the bank asserted that the backdated certifications were not included in its KYC files (and thus presumably did not violate any AML regulations), NYDFS concluded that the conduct by the senior employee constituted a violation of the New York branch’s more general obligation to maintain appropriate books and records.
According to NYDFS, “the making of the backdated [c]ertifications plainly constituted false entries…which should have been reported … immediately upon discovery.” Instead, NYDFS learned of the backdating in January 2018 following an internal investigation conducted by the New York branch in April 2017.
Pursuant to the consent order, ICBC agreed to pay $30 million to NYDFS. Further, ICBC agreed to submit a status report on its BSA/AML compliance program, other BSA/AML-related enhancements including with respect to its governance framework and customer due diligence program, and enhancements to its handling of CSI within 60 days of the order. Lastly, ICBC agreed to submit annual reports to NYDFS that provide updates on “any changes to the New York [b]ranch’s BSA/AML program and ICBC’s governance structure and supervision thereof, including any changes in management and senior personnel of the compliance functions at ICBC and the New York [b]ranch” for the next two years.
Takeaways for companies
Remain vigilant for unauthorized disclosure of CSI. Multinational banks regulated by the Fed, the FDIC, and/or the Office of the Comptroller of the Currency should be cognizant of potential challenges when a US branch of a non-US bank wants or needs to share information with its parent company or other non-US affiliates or regulators. As demonstrated here, an ordinary situation like transferring an employee from a US branch to an overseas affiliate can create a risk of improper disclosure of CSI. Operationally, it may be very challenging where multinational banks seek time-sensitive regulatory advice from their parent companies or may have internal policies requiring them to report information that could be CSI. Therefore, financial institutions should focus on internal controls to oversee all CSI disseminated internally and seek appropriate banking agency approval for the disclosure of CSI to overseas parent or affiliate companies or non-US regulators.
Although often necessary upon identifying a potential violation, remedial measures alone may not be sufficient to prevent enforcement penalties. Although the NYDFS order stated that the “New York Branch’s BSA/AML and OFAC compliance programs were adequate due to significant improvements” made by the bank, the NYDFS nevertheless fined ICBC for past deficiencies. Financial institutions should therefore be vigilant in ensuring prompt attention to supervisory criticisms, particularly related to any deficiencies in BSA/AML compliance.
Draft policies thoughtfully and create structures where such policies can be implemented and followed. The NYDFS action is also notable for penalizing the bank for violating its own internal policies and procedures for countersigning client certifications. Banking (and other) regulators may find concerns about a bank’s control environment and/or its commitment to compliance where the bank does not or cannot comply with its own internal policies. Banking regulators in these instances may conclude that a company’s failure to follow its own policies, particularly those related to central functions like AML and KYC, reflects poorly on the bank’s management and could impact the entity’s ability to operate in a safe and sound manner.
Accuracy is key. All companies, especially financial institutions, should be mindful of the accuracy of any entry or record, whether such entry is mandated by regulation or merely internal bank policies.
For more information, please contact the authors.
