Among a bank board of directors’ many obligations is the responsibility to assure the bank complies with Bank Secrecy Act and other anti-money laundering laws and regulations.
This includes providing oversight for senior management and the BSA compliance officer, staying abreast of internal AML developments and reporting within the bank, and considering external market factors and regulatory developments. But even in a regulatory environment where penalties for BSA/AML violations have increased in amount, frequency and reputational importance, some boards are slowly reacting to recent Congressional legislation designed to further incentivize bank employees to blow the whistle on perceived or actual AML lapses. Here are five things bank boards need to know one year after the implementation of the Anti-Money Laundering Act of 2020 (AMLA).
1. Congress uncapped whistleblower awards
Congress enacted the AMLA in January 2021, which significantly revised the existing whistleblower provisions of the BSA and sought to bolster AML enforcement. Prior to the AMLA, the BSA’s whistleblower provisions were sparse and rarely invoked. The prior law allowed whistleblower rewards for information relating to a violation of the BSA, but capped the award amount at $150,000, which contributed to the law being underutilized. The new law removed that cap; now, whistleblowers who voluntarily provide original information to their employer or the departments of Treasury or Justice could collect up to 30% of amounts collected in actions where over $1 million in sanctions are ordered. As the industry knows, 30% of recent fines is substantial. If a whistleblower qualified in connection with the three 2021 actions from the Financial Crimes Enforcement Network, or FinCEN, their awards could have amounted up to $2.4 million, $30 million and $117 million, respectively.
2. Looking to prior precedent.
The new AML whistleblower program is largely modeled on the Securities and Exchange Commission’s successful program established under the Dodd-Frank Act, which may provide a window into the future of AML enforcement. The SEC’s program has been a resounding success over the past 10 years, resulting in more than 52,400 tips as well as $1.2 billion awarded to 238 individuals. According to the SEC’s recent Annual Report to Congress, fiscal year 2021 was a record-breaking year for the program in terms of tips received and amounts awarded to whistleblowers: $564 million was awarded to 108 individuals.
3. Employees can blow the whistle to their managers
Unlike the SEC’s program, a “whistleblower” under the new AML program includes employees who provide information to an employer — including as a part of their job duties — in addition to those who report to Treasury or DOJ. This means employees can blow the whistle if they observe compliance failures, and everyday interactions between management and financial intelligence unit investigators could be deemed whistleblower tips that trigger anti-retaliation protections and a possible award.
4. Tips are already being filed
Even though FinCEN has not issued rules implementing this new whistleblower law, tipsters do not need to wait to file a complaint with their employer or the government. Banks should react accordingly. In fact, it was recently reported that a tip has already been made to FinCEN detailing a wide-ranging money laundering scheme, and one lawyer has reported several inquiries received from internal compliance personnel interested in blowing the whistle. There is also recent precedent that the government does not need to wait until regulations are written to provide awards: In November 2021, the National Highway Traffic Safety Administration announced a $24 million award — its first ever — even though the agency is still writing its rules. In other words, the doors are open to AML whistleblowers now.
Number of SEC Whistleblower Tips
5. Boards should not wait to act
Boards should consider the implications and the expanded legal risk of the AMLA whistleblower law on their existing whistleblower programs. Among other steps that can be taken now, boards should provide oversight to senior management in:
- Developing enterprise-wide training tailored to specific positions within the bank, including for directors, that covers how to identify a tip for purposes of the new AML law, how to respond to an internal whistleblower and best practices to protect the bank from retaliation lawsuits.
- Reviewing and updating policies and procedures for internal whistleblowers.
- Assessing internal reporting structures, including hotlines and other channels.
- And triaging recent internal tips and conducting reviews of the response, where appropriate.
Among the many threats to shareholder value that bank directors must address, the risk of internal fraud is among the most challenging. Virtually all bank directors recognize their obligation to actively oversee the way the bank monitors its employees to mitigate the risk of fraud, but most directors also understand the need to avoid micromanaging day-to-day operations.
First, have a whistleblower policy/program in place, now, so that if/when a claim arises, the board is prepared to handle it effectively, appropriately and lawfully. All employees should be trained on the policy and encouraged to report up the chain, pursuant to the policy, any corporate misconduct they discover. It is far better in the end if the bank self-discovers and remedies the problem, than if the government does it for you. Second, work hard to maintain the confidentiality of the whistleblower. Maintaining confidentiality, and even anonymity, helps to ensure no retaliatory action is taken against the reporting employee. At all costs, avoid retaliation. Finally, conduct an independent internal investigation, and do so with the understanding that the reported misconduct could lead to criminal and/or civil litigation. Engage your legal counsel early in the process to ensure preservation of evidence and legal privileges.
Banks should handle possible whistleblower complaints very seriously. Regulatory agencies have shown a more severe response to banks over the last few years and whistleblower complaints can reinforce a perception, however inaccurate, that some banks do not have a proactive approach to compliance issues generally. Banks should have procedures for dealing with such claims and allow employees to air their concerns without fear of reprisal. Some may wonder whether this approach may encourage the raising of false claims, but at least banks would have an opportunity to triage employee concerns and demonstrate that they take those concerns seriously.
Bank boards should authorize their audit committees to handle complaints concerning securities law violations. An audit committee’s charter should make clear that the committee may retain appropriate advisors to investigate such complaints. The board should also ensure that management promulgates guidance for internal reporting on violations. Employees should be encouraged to report violations to appropriate representatives of the compliance, internal audit or legal staff. Recipients of complaints about violations should be instructed to forward them to the chairperson of the audit committee. Upon receipt of a complaint, the chairperson should ensure that it is investigated thoroughly. If no violation is found, the complainant should be so informed within 120 days after the complaint was made. If a securities violation is found, the bank should decide whether to report the violation to the Securities and Exchange Commission. A report to the SEC should be made within 120 days after the complaint was made.
Both public and private banks have potential exposure to Dodd-Frank and Sarbanes-Oxley whistleblower claims. Therefore, a bank should have proper compliance and anti-retaliation policies in place (reviewed regularly) setting forth behavioral expectations, encouraging reporting, and establishing protocols for handling reports. The bank should also designate a team to investigate and respond to reports. All employees should be thoroughly trained regarding these policies and, in particular, managers should be trained to identify when an employee is reporting and the need to escalate the report within the organization, as many employees do not use “hotlines” or Internet-based reporting mechanisms. Most important, the bank’s senior leadership must lead by example. Senior leadership needs to sincerely and repeatedly promote the virtues of the bank’s compliance, ethics and code of conduct policies. Reporting questionable conduct, no matter how insignificant, must be genuinely encouraged. And finally, senior leaders must demonstrate integrity in all that they do.
Whistleblower complaints need to be treated seriously. Avoid the temptation to view all whistleblowers as disgruntled employees who are asserting claims against innocent individuals to further their own selfish goals. Failure to promptly address a legitimate complaint will only exacerbate the problem. Regulators look favorably on companies that take prompt action and see them as having strong and effective management. The opposite is true for companies that are unresponsive or hostile to employees’ concerns. Plus, treating whistleblower complaints seriously sends the message that employees will be treated fairly and sets a tone at the top that should foster stronger ethical behavior within the company. The board needs policies and procedures for investigating whistleblower complaints and coordinating corrective action and must communicate them to employees. Doing so will create the conditions necessary for the effective management of whistleblowing.
On August 12, 2011, the Securities and Exchange Commission’s (“SEC”) final rules implementing the sweeping whistleblower program in the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”) became effective. Like all entities within the SEC’s jurisdiction, publicly-traded banks and their compliance officials should take the time now to understand the whistleblower provisions and the new challenges they pose.