The Financial Crimes Enforcement Network (FinCEN) recently announced its first enforcement action against a trust company for willful violations of the Bank Secrecy Act (BSA) and its implementing regulations. The BSA imposes compliance and reporting obligations on "financial institutions," which includes among other entities, any "commercial bank or trust company," to help detect and prevent money laundering. And yet, until last month, FinCEN had not brought an enforcement action against a trust company.

Background

On April 26, 2023, FinCEN announced a $1.5 million civil penalty against the Kingdom Trust Company (Kingdom Trust or the Company) for willful violations of the BSA stemming from the Company's failure to have sufficient controls around filing Suspicious Activity Reports (SARs). 

According to the Consent Order, Kingdom Trust is a trust company organized under South Dakota law that operates the majority of its trust services business out of Kentucky. Though its primary offering is custody services to individuals with self-directed IRAs, during the relevant time period, Kingdom Trust also provided account and payment services to foreign securities and investment firms and money services businesses in high-risk circumstances. Specifically, in 2014, Kingdom Trust began a business relationship with a consulting group that worked with broker-dealers in Argentina and Uruguay that had difficulty establishing bank accounts in the United States. Through this business relationship, Kingdom Trust provided accounts to the foreign firms to custody fixed income securities and to hold cash. As a result, Kingdom Trust processed more than $4 billion in transactions. 

Among the other shortcomings identified, FinCEN characterized Kingdom Trust's process for identifying and reporting potential suspicious transactions as "severely underdeveloped and ad hoc." According to the Consent Order, prior to December 2018, the Company had no standalone process to screen for, identify, and report suspicious transactions. Rather, staff were instructed to simply flag potentially suspicious activity identified in the ordinary course of performing their duties. After December 2018, Kingdom Trust created a process to identify potentially suspicious activity but relied upon a single compliance employee with no prior anti-money laundering (AML) or BSA experience to conduct a daily review of a large volume of transactions. The daily transaction review did not include relevant contextual information about the customer or counterparty beyond their name. In 2020, Kingdom Trust hired a compliance analyst with AML experience. However, given the manual nature of the review process among other shortcomings, the Company filed only four SARs between February 2020 and March 2021.

In addition, Kingdom Trust maintained correspondent bank accounts for customers at other financial institutions – and at least 11 of those other financial institutions closed the accounts maintained by Kingdom Trust. In response, Kingdom Trust management questioned whether to continue with the foreign custody business and engaged a third party to conduct a BSA/AML audit. The audit identified deficiencies related to Kingdom Trust's high-risk customers, but the Company did not exit the high-risk customer relationship, make meaningful changes to its controls, or file SARs. 

Five Key Takeaways

1. Heightened Scrutiny of U.S.-based Trust Companies by FinCEN: In a press release accompanying the enforcement action, FinCEN's Acting Director, Himamauli Das underscored that the instant matter "is an important statement that we will not tolerate trust companies with weak compliance programs that fail to identify and report suspicious activities, particularly with respect to high-risk customers whose businesses pose an elevated risk of money laundering." It is still too early to know whether the enforcement action against Kingdom Trust signals that FinCEN will more actively investigate and initiate actions against U.S. trust companies, and many of the services offered by Kingdom Trust are similar to those offered by traditional banks (i.e., providing accounts to foreign brokerage firms to custody fixed income securities, including U.S. government bonds, and to hold cash). Nevertheless, in light of FinCEN's Consent Order and public statements, all trust companies (including those that provide only administrative trust services) should consider whether its AML program is sufficient to address the level of risk that accompanies the services it offers. This includes private trust companies without a federal functional regulator (i.e., an oversight agency such as the Office of the Comptroller of the Currency (OCC) or the U.S. Securities and Exchange Commission (SEC)), which, as of March 2021, are no longer exempt from certain BSA requirements.¹
2. Compliance Resources Must Track an Evolving Risk Profile: According to the Consent Order, even after Kingdom Trust expanded into a new line of business offering services to customers that involved heightened risks of money laundering, the Company failed to recruit sufficient personnel with AML compliance experience and relied on manual processes to monitor thousands of transactions daily. As a company's risk profile grows (whether because of new service/product offerings, new market entry, or otherwise), it is critical that the resources dedicated to complying with BSA requirements track the heightened risk profile. For example, most entities subjected to the BSA's requirements find that implementing automated transaction monitoring software to flag suspicious behavior and to monitor daily cash flows for potential signs of illegal activity is far more efficient and effective than manual reviews. Furthermore, if all transaction-facing employees (not just the compliance team) are trained to spot red flags of money laundering and other atypical transactions, there is a higher likelihood that the institution will identify and timely report suspicious activity. This is particularly important in companies with a limited number of compliance team members.
3. Check-the-Box Compliance Activities are Not Sufficient: FinCEN acknowledged that Kingdom Trust undertook certain AML efforts but highlighted significant shortcomings. The Consent Order indicated that Kingdom Trust provided AML training, but noted that training presentations were not tailored to the Company's risk mitigation activities. For example, training presentations included red flags – such as "customer requests for anonymity, customer attempts to open an account without identification, and an account opened with a nominal balance that subsequently increased rapidly and significantly" – that employees could not have identified based on a review of the daily transaction reports alone. The order also notes that after financial institutions began closing correspondent accounts that Kingdom Trust maintained, Kingdom Trust engaged a third party to conduct a BSA/AML audit. The audit identified deficiencies related to Kingdom Trust's high-risk customers and their transactions. However, according to FinCEN, Kingdom Trust did not exit relationships with high-risk customers, failed to make "meaningful changes" to its controls, and failed to file any SARs related to the high-risk business line. These examples serve as an important reminder that firms covered by the BSA's requirements should engage in compliance-related activities that not only "check the box" but that drive firms and their personnel to actually mitigate risks posed.
4. The Role of Cooperation: Kingdom Trust did not voluntarily disclose the violations, but the order reveals that the company "provided substantial cooperation to FinCEN" and cooperated with federal law enforcement regarding certain of the Company's high-risk customers. However, the BSA's SAR reporting obligations serve as proactive, ex ante cooperation, and the order makes clear that post-investigation cooperation cannot make up for failing to meet such preemptive obligations.
5. Hiring of an Independent Consultant: In addition to agreeing to pay a $1.5 million civil penalty, Kingdom Trust undertook to hire an independent consultant, subject to FinCEN's approval, (1) to conduct a SAR Lookback Review related to certain of the Company's transactions; and (2) to test the effectiveness of Kingdom Trust's AML program though an AML Program Review and to provide recommendations for enhancements. The independent consultant must submit written reports of the activities to FinCEN. The requirement to hire an independent consultant, like other forms of corporate monitorships, can be costly and create administrative burdens. Companies can seek to avoid such requirements by taking proactive measures to assess the effectiveness of its AML program, rather than waiting for enforcement authorities to mandate such assessments.

------------

¹See 85 FR 57129

The information contained in this communication is not intended as legal advice or as an opinion on specific facts. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. For more information, please contact one of the senders or your existing Miller & Chevalier lawyer contact. The invitation to contact the firm and its lawyers is not to be construed as a solicitation for legal work. Any new lawyer-client relationship will be confirmed in writing.

This, and related communications, are protected by copyright laws and treaties. You may make a single copy for personal use. You may make copies for others, but not for commercial purposes. If you give a copy to anyone else, it must be in its original, unmodified form, and must include all attributions of authorship, copyright notices, and republication notices. Except as described above, it is unlawful to copy, republish, redistribute, and/or alter this presentation without prior written consent of the copyright holder.