UNITED STATES OF AMERICA DEPARTMENT OF THE TREASURY FINANCIAL CRIMES ENFORCEMENT NETWORK IN THE MATTER OF: ) ) ) ) Number 2006-3BANKATLANTIC ) FORT LAUDERDALE, FLORIDA ) ) ASSESSMENT OF CIVIL MONEY PENALTY

EX-10.2 3 g01079exv10w2.htm ASSESMENT OF CIVIL MONEY PENALTY Assesment of Civil Money Penalty
 

Exhibit 10.2
UNITED STATES OF AMERICA
DEPARTMENT OF THE TREASURY
FINANCIAL CRIMES ENFORCEMENT NETWORK
             
IN THE MATTER OF:
    )      
 
    )      
 
    )      
 
    )     Number 2006-3
BANKATLANTIC
    )      
FORT LAUDERDALE, FLORIDA
    )      
 
    )      
ASSESSMENT OF CIVIL MONEY PENALTY
I. INTRODUCTION
     Under the authority of the Bank Secrecy Act and regulations issued pursuant to that Act,1 the Financial Crimes Enforcement Network has determined that grounds exist to assess a civil money penalty against BankAtlantic, Fort Lauderdale, Florida (“BankAtlantic” or “Bank”). To resolve this matter, and only for that purpose, BankAtlantic has entered into a CONSENT TO THE ASSESSMENT OF CIVIL MONEY PENALTY (“CONSENT”) without admitting or denying the determinations by the Financial Crimes Enforcement Network, as described in Sections III and IV below, except as to jurisdiction in Section II below, which is admitted.
     The CONSENT is incorporated into this ASSESSMENT OF CIVIL MONEY PENALTY (“ASSESSMENT”) by this reference.
II. JURISDICTION
     BankAtlantic is a savings association headquartered in Fort Lauderdale, Florida, with 74 branches located in seven Florida counties. BankAtlantic was established in 1952 and acquired Mega Bank of Miami in 1995, Bank of North America of Fort Lauderdale in 1996, and Community Savings, F.A. of North Palm Beach in 2002. As of September 30, 2005, BankAtlantic had over $6 billion in total assets and $55 million in net income. The Office of Thrift Supervision examines BankAtlantic for compliance with the Bank Secrecy Act and its implementing regulations.
     At all relevant times, BankAtlantic was a “financial institution” and a “bank” within the meaning of the Bank Secrecy Act and the regulations issued pursuant to the Act.2
 
1   31 U.S.C. § 5321 and 31 C.F.R. § 103.57.
 
2   31 U.S.C. § 5312(a)(2) and 31 C.F.R. § 103.11.


 

2

III. DETERMINATIONS
A. Summary
     BankAtlantic failed to implement an adequate Bank Secrecy Act compliance program, including an anti-money laundering program with internal controls and other measures to detect and report potential money laundering and other suspicious activity.
     BankAtlantic operates a substantial wire transfer department that facilitated over 100,000 incoming and outgoing funds transfers annually since 2001. BankAtlantic’s primary market, South Florida, is designated both as a High Intensity Money Laundering and Related Financial Crime Area and a High Intensity Drug Trafficking Area. One Branch of the Bank catered to high income/net worth clients including many nonresident aliens, offshore businesses, consulates and politically exposed persons about which BankAtlantic had not sufficiently gathered or verified information. Despite the heightened risk, BankAtlantic conducted business without effective systems and controls, as appropriate and practical, to detect and timely report suspicious activity.
     The Bank’s geographic location, potentially high-risk customers and product lines and funds transfer operations required measures to control the risk of money laundering and other financial crimes. Nevertheless, BankAtlantic processed funds transfers without systems and controls reasonably designed to manage the risk of money laundering and ensure compliance with the Bank Secrecy Act. BankAtlantic failed to conduct adequate independent testing and did not effectively respond to, or take corrective actions to address, adverse audit findings. The designated Bank Secrecy Act officer at BankAtlantic failed to coordinate and monitor day-to-day compliance with the Bank Secrecy Act. BankAtlantic also failed to provide adequate training to applicable personnel to ensure compliance with the Bank Secrecy Act. In view of the Bank’s transaction volume, geographic reach, customer base, and other risk considerations, BankAtlantic failed to comply with its obligations under the Bank Secrecy Act and the regulations issued pursuant to that Act. BankAtlantic’s failure to comply with the Bank Secrecy Act was serious, longstanding and systemic. Failures in internal controls and independent testing led, in turn, to a failure on the part of BankAtlantic to timely report suspicious transactions.
B. Violations of the Requirement to Implement an Anti-Money Laundering Program
     The Financial Crimes Enforcement Network has determined that BankAtlantic violated the requirement to establish and implement an adequate anti-money laundering program. Since April 24, 2002, the Bank Secrecy Act and its implementing regulations have required savings associations to establish and implement anti-money laundering programs.3 The anti-money laundering program of BankAtlantic meets these requirements if the program conforms to rules of the Office of Thrift Supervision that govern anti-money laundering programs. Since 1989, the Office of Thrift Supervision has required a program reasonably designed to assure and monitor compliance with reporting and record keeping requirements under the Bank Secrecy Act.4
 
3   31 U.S.C. § 5318(h)(1) and 31 C.F.R. § 103.120.
 
4   12 C.F.R. § 563.177(b).


 

3

     Reporting requirements under the Bank Secrecy Act include the requirement to report suspicious transactions.5 The Office of Thrift Supervision also requires that an anti-money laundering program contain the following elements: (1) a system of internal controls; (2) independent testing for compliance; (3) the designation of an individual, or individuals, to coordinate and monitor day-to-day compliance; and (4) training of appropriate personnel.6
          1. Internal Policies, Procedures and Controls
     BankAtlantic failed to implement a system of internal controls reasonably designed to comply with the Bank Secrecy Act and manage the risk of money laundering. In fact, it was not until Federal authorities requested extensive information in early 2004 related to BankAtlantic’s anti-money laundering program that the Bank’s management began to implement measures to adequately assess the quality of its compliance with the Bank Secrecy Act.
     Through the early part of 2004, BankAtlantic’s anti-money laundering program did not effectively address critical elements of the Bank Secrecy Act, particularly suspicious activity reporting. BankAtlantic did not have adequate, enterprise-wide transaction monitoring procedures to detect and report suspicious activities, including money laundering. As a result, BankAtlantic failed to timely file a significant number of suspicious activity reports.
     BankAtlantic’s lack of internal controls with respect to Bank Secrecy Act compliance is further evidenced by deficiencies noted in its subpoena handling process, wire transfer operations, and areas of the Bank that catered to high income/net worth clients, including many nonresident aliens, offshore businesses, consulates and politically exposed persons. In addition, BankAtlantic had inadequate policies and procedures in place to assure compliance with the Customer Identification Program.7
     Prior to the early part of 2004, BankAtlantic had no procedures or controls to ensure a comprehensive review of subpoenaed accounts for potential money laundering and subsequent filing of suspicious activity reports. The individual responsible for responding to subpoenas received by BankAtlantic had no direct supervision to assure compliance with the Bank Secrecy Act in regard to the receipt of subpoenas.
     BankAtlantic did not have adequate systems to monitor wire transfer operations for compliance with the suspicious activity reporting requirements of the Bank Secrecy Act, despite repeated audit recommendations on this matter. Furthermore, through early 2004, BankAtlantic did not have effective systems and controls, as appropriate and practical, to detect suspicious activities related to wire transfers or multi-day cash structuring. The Bank also lacked adequate policies and procedures to create and utilize risk matrices and customer profiles for accountholders to ensure compliance with the Bank Secrecy Act. Between 2001 and 2004, BankAtlantic transacted over 690,000 incoming and outgoing wire transfers. During this time, the average number of combined incoming and outgoing wires processed per day doubled from about 500 to over 1,000. Despite the volume, BankAtlantic had no automated system, or even an
 
5   31 C.F.R. § 103.18.
 
6   12 C.F.R. § 563.177(c).
 
7   31 C.F.R. § 103.121(b).


 

4

effective manual process, in place to monitor or analyze the wire transfer department for potential money laundering activity and compliance with the Bank Secrecy Act. Furthermore, the Bank lacked adequate automated systems for account or transaction monitoring. For example, systems in place at the time were unable to capture, as appropriate and practical, the geographical locations that funds were sent to, or received from, without reviewing individual wire transfers. Based on available information, the Bank did not begin to effectively implement a system designed to capture data for monitoring for suspicious transactions until the later part of early 2004.
     One Branch of the Bank catered to a client portfolio of high income, high net worth persons, including many nonresident aliens, offshore businesses, consulates and politically exposed persons. Despite the elevated risk, BankAtlantic had not gathered or verified customer information in an adequate manner. Some of the customers in this portfolio conducted extensive international wire transfers to, or from, high-risk jurisdictions and were the focus of numerous Federal investigations known to BankAtlantic over an extended period of time. Examples of the Bank’s inadequate internal controls included:
    ability of employees to authorize large dollar value wire transfers without adequate oversight;
 
    failure to detect and report suspicious transactions conducted by foreign unlicensed money services businesses;
 
    lack of adequate procedures to gather and verify due diligence information on high-risk clients;
 
    lack of risk analysis associated with high-risk clients, many of which were nonresident aliens or offshore businesses located in high-risk jurisdictions;
 
    lack of oversight for pouch activity containing deposits which originated both domestically and internationally; and
 
    loss of “mail logs” for 2002 and 2003, which contained valuable transaction and identifying information on pouch deposits received from high-risk clientele.
          2. Independent Testing
     BankAtlantic’s program for independent testing was materially deficient and could not assure compliance with the Bank Secrecy Act. The scope of BankAtlantic’s audit function was insufficient to assess the adequacy of the anti-money laundering program on an enterprise-wide basis. Furthermore, auditors did not consistently follow-up on prior findings to determine whether corrective action had been taken on certain aspects of the Bank Secrecy Act/anti-money laundering program at BankAtlantic. More importantly, Bank management did not follow-up on, or institute effective corrective action, in response to findings of significant deficiencies identified in the audits. Appearing below is a summary of the deficient audit scope and repeated failures, on the part of both Bank management and the audit function, to follow-up on Bank Secrecy Act audit findings:
    BankAtlantic’s internal audit dated March 2000 rated the Branch of the Bank catering to high income/net worth clients to be unsatisfactory from an operations standpoint, yet the “private banking” component of this Branch was rated


 

5

      satisfactory one month later by the same audit personnel. The scope of the “private banking” audit included a review of a newly opened account that was later deemed to be a significant source of suspected money laundering activity. No concerns were noted during the audit regarding this account. In addition, it was not until after Federal authorities began inquiring in early 2004 that any follow-up reviews of the “private banking” function at this Branch were performed.
    The July 2001 Bank Secrecy Act audit focused on procedures and training but did not address operational risks. Significant findings included recommendations to revise training materials and to conduct subsequent, ongoing training of applicable staff.
 
    The Bank Secrecy Act audit of July 2002 found that the Bank needed to:
    identify and monitor high-risk accounts for suspicious deposits and wire transfers;
 
    improve Know Your Customer processes related to foreign customers; and
 
    develop and document Bank Secrecy Act procedures especially related to monitoring of high-risk accounts.
    The October 2003 Bank Secrecy Act audit rated BankAtlantic’s compliance with Bank Secrecy Act regulations as satisfactory. However, the audit recommended that the Bank’s monitoring of transactions for money laundering needed improvement. Specifically, the audit determined that the Bank’s core systems had no capabilities for automated account or transaction monitoring. For example, the Bank’s systems were unable to capture source of funds, business activity descriptions and expected account activity for monitoring purposes. It was not until late 2004 that the Bank began implementing a system designed to effectively capture data for monitoring purposes. The audit also indicated that the Bank needed to add procedures to its anti-money laundering program to address customer profiles, monitoring of account activity and risk grading customer activity.
 
    In early 2004, an independent external firm performed an audit of Bank Secrecy Act issues associated with the Bank’s inability to adequately monitor wire transfer activity. The auditors indicated that the Bank had no automated ability, via its software programs, to systemically monitor wire activity. The audit took into account the volume of wire transfer activity, noting over 17,000 incoming and outgoing wires, totaling over $4 billion in the month of March 2004. The audit noted that suspicious activity reports were being submitted from all areas of the Bank except the wire transfer department. The report also recommended specific policy and procedures enhancements, mostly related to the Bank’s Customer Identification Program.
 
    After inquiries from Federal authorities in early 2004, BankAtlantic’s auditors initiated a complete review of accounts held at the Branch catering to high


 

6

      income/net worth persons. This review revealed many accounts with multiple business relationships, high activity volumes and other indicia of potential suspicious activity. The review also noted the absence of certain Know Your Customer documentation for many of these account relationships. The missing documentation, together with the lack of systems and controls to detect transaction anomalies, illustrates the Bank’s failure to implement an adequate anti-money laundering program to manage the risk of money laundering and ensure compliance with the Bank Secrecy Act.
    In July 2004, BankAtlantic engaged an external firm to conduct a review of the Bank’s Bank Secrecy Act/anti-money laundering risk profile, perform a historical account review to identify suspicious activity, assess polices and procedures and provide guidance on choosing an adequate anti-money laundering software program. The historical account review of the Branch catering to high income/net worth clients found suspicious account activity that previously went undetected. For example, one account with a history of transactions suggesting money laundering activity was identified, and it was concluded that some of the activity in this account may have involved the Black Market Peso Exchange due to wire transfer activity involving Mexican casa de cambios. The review concluded with recommendations to enhance BankAtlantic’s internal controls, policies and procedures, identification of high-risk accounts and training.
     As noted above, multiple audits conducted through early 2004 identified the Bank’s lack of adequate monitoring of wire activity and its failure to adequately identify and monitor high-risk accounts and activities for potential money laundering and Bank Secrecy Act compliance. Despite repeated audit recommendations, BankAtlantic did not begin to effectively respond until the early part of 2004, after receiving inquiries about the Bank’s anti-money laundering program from Federal authorities. The Bank’s inadequate audit scope together with management’s failure to effectively respond to adverse audit findings in a timely, comprehensive manner resulted in a deficient independent testing function.
          3. The Designation of an Individual to Coordinate and Monitor Day-To-Day Compliance with the Bank Secrecy Act
     The designated Bank Secrecy Act compliance officer at BankAtlantic failed to ensure compliance with the Bank Secrecy Act, on an enterprise-wide basis. This is further evidenced by adverse audit findings with respect to adequate staffing and oversight for Bank Secrecy Act compliance, particularly in the wire department, transaction monitoring function and a Branch engaged in higher risk activities. The failure of the designated Bank Secrecy Act compliance officer to monitor and coordinate compliance, on an enterprise-wide basis, resulted in an ineffective anti-money laundering program.
          4. Training
     BankAtlantic failed to provide adequate training of appropriate personnel to ensure compliance with the requirements of the Bank Secrecy Act. For example, the individual


 

7

responsible for responding to subpoenas received by BankAtlantic had no formal Bank Secrecy Act compliance training, or direct supervision, to assure compliance with the Bank Secrecy Act in regard to the receipt of subpoenas. Furthermore, as stated above, the Bank’s audit function recommended in July 2001 that Bank Secrecy Act/anti-money laundering training be revised and conducted for all applicable departments and employees. However, it was not until late 2004 that BankAtlantic had an external consultant provide the Board with comprehensive Bank Secrecy Act/anti-money laundering training that the Bank, in turn, rolled out to all applicable staff.
C. Violations of the Requirement to Report Suspicious Transactions
     The Financial Crimes Enforcement Network has determined that BankAtlantic violated the suspicious transaction reporting requirements of the Bank Secrecy Act and regulations issued pursuant to that Act. These reporting requirements impose an obligation on financial institutions to report transactions that involve or aggregate to at least $5,000, are conducted by, at, or through the financial institution, and that the institution “knows, suspects, or has reason to suspect” are suspicious.8 A transaction is “suspicious” if the transaction: (1) involves funds derived from illegal activities, or is conducted to disguise funds derived from illegal activities; (2) is designed to evade the reporting or record keeping requirements of the Bank Secrecy Act or regulations under the Bank Secrecy Act; or (3) has no business or apparent lawful purpose or is not the sort in which the customer would normally be expected to engage, and the financial institution knows of no reasonable explanation for the transaction after examining the available facts, including background and possible purpose of the transaction.9
     Financial institutions must report suspicious transactions by filing suspicious activity reports and must generally do so no later than thirty (30) calendar days after detecting facts that may constitute a basis for filing such reports.10 If no suspect was identified on the date of detection, a financial institution may delay the filing for an additional thirty (30) calendar days in order to identify a suspect, but in no event may the financial institution file a suspicious activity report more than sixty (60) calendar days after the date of initial detection.11
     BankAtlantic violated the suspicious transaction reporting requirements of 31 U.S.C. § 5318(g) and 31 C.F.R. § 103.18 by failing to timely file a substantial number of suspicious activity reports. BankAtlantic processed funds transfers for originators or beneficiaries that exhibited characteristics and patterns commonly associated with money laundering, including the nature of business, high-risk geographic locations of the originator and/or beneficiary, and transaction activity that was inconsistent with the normal and expected transactions for similar customers. The absence of effective internal controls, training, designated personnel and independent testing at BankAtlantic resulted in numerous violations of the requirement to timely report suspicious transactions. After responding to supervisory authorities, a sharp increase in the Bank’s suspicious activity report filings was noted. In fact, the average number of suspicious activity report filings made by BankAtlantic rose to 114 per month, for the third quarter of 2005,
 
8   31 C.F.R. § 103.18(a)(2).
 
9   31 C.F.R. § 103.18(a)(2)(i) through (iii).
 
10   31 C.F.R. § 103.18.
 
11   31 C.F.R. § 103.18(b)(3).


 

8

in contrast to 11 per month for the first quarter of 2004. For the 22 month period between January 1, 2004 and October 31, 2005, the Bank filed 1,124 suspicious activity reports. Based on analysis by the Financial Crimes Enforcement Network, 369 of these reports were filed on a delinquent basis. The resulting delays impaired the usefulness of the suspicious activity reports by not providing law enforcement with more timely information related to over $189 million in suspicious transactions.
IV. CIVIL MONEY PENALTY
     Under the authority of the Bank Secrecy Act and the regulations issued pursuant to that Act,12 the Financial Crimes Enforcement Network has determined that a civil money penalty is due for violations of the Bank Secrecy Act and the regulations issued pursuant to that Act and described in this ASSESSMENT.
     Based on the seriousness of the violations at issue in this matter, and the financial resources available to BankAtlantic, the Financial Crimes Enforcement Network has determined that the appropriate penalty in this matter is $10,000,000.00.
V. CONSENT TO ASSESSMENT
     To resolve this matter, and only for that purpose, BankAtlantic, without admitting or denying either the facts or determinations described in Sections III and IV above, except as to jurisdiction in Section II, which is admitted, consents to the assessment of a civil money penalty against it in the amount of $10,000,000.00. This penalty assessment shall be concurrent with the $10,000,000.00 penalty assessed against BankAtlantic by the Office of Thrift Supervision and the $10,000,000.00 forfeiture to the Department of Justice. The penalty assessments of the Financial Crimes Enforcement Network and the Office of Thrift Supervision shall be satisfied by the $10,000,000.00 forfeiture to the Department of Justice.
BankAtlantic recognizes and states that it enters into the CONSENT freely and
     voluntarily and that no offers, promises, or inducements of any nature whatsoever have been made by the Financial Crimes Enforcement Network or any employee, agent, or representative of the Financial Crimes Enforcement Network to induce BankAtlantic to enter into the CONSENT, except for those specified in the CONSENT.
     BankAtlantic understands and agrees that the CONSENT embodies the entire agreement between BankAtlantic and the Financial Crimes Enforcement Network relating to this enforcement matter only, as described in Section III above. BankAtlantic further understands and agrees that there are no express or implied promises, representations, or agreements between BankAtlantic and the Financial Crimes Enforcement Network other than those expressly set forth or referred to in this document and that nothing in the CONSENT or in this ASSESSMENT is binding on any other agency of government, whether federal, state, or local.
VI. RELEASE
 
12   31 U.S.C. § 5321 and 31 C.F.R. § 103.57.


 

9

     BankAtlantic understands that its execution of the CONSENT, and compliance with the terms of this ASSESSMENT and the CONSENT, constitute a complete settlement of civil liability for the violations of the Bank Secrecy Act and regulations issued pursuant to that Act described in the CONSENT and this ASSESSMENT.
         
     
  By:   /s/ Robert W. Werner    
    Robert W. Werner, Director   
    FINANCIAL CRIMES ENFORCEMENT NETWORK
U. S. Department of the Treasury

Date: April 26, 2006                  
 
 

10