u/TheAMLBrief

The November 2023 Binance settlement gets covered as a crypto story, however compliance professionals treat it as a typical tone-at-the-top failure with a paper trail most enforcement actions don't have.

Binance registered with FinCEN as a money services business in 2019, which served as a written acknowledgment of Bank Secrecy Act obligations. Binance then filed zero SARs with FinCEN while processing more than 100,000 transactions between Binance users and people in sanctioned jurisdictions.

FinCEN identified over $898 million in transactions flowing to Iranian parties. As a result, OFAC fined Binance $968 million due to the heavy transaction flow to a sanctioned country.

Binance's compliance team wasn't operating in the dark, as the DOJ revealed internal messages that documented awareness of criminal activity flowing through the platform. Former CCO Samuel Lim's assessment was direct: "Like come on. They're here for crime."

Binance's lack of SAR filings seemed to be influenced by their leadership team. If other institutions had any crypto-related exposure (e.g.; correspondent relationships, payment rails, wire transfers touching Binance's US entity), their failure to file created upstream gaps in their SAR coverage as well.

For compliance teams still treating crypto as a minor concern, FinCEN has been clear since 2013 that virtual currency exchanges operating as money transmitters carry BSA obligations. The Binance settlement was proof that regulators will take this seriously, compounded by deliberate inaction by Binance's leadership team.

For those working in traditional banking and crypto, did your institution go back and review SAR gaps that might trace to exchanges like Binance that weren't filing? It would be interesting to hear perspectives on how your teams handled the downstream exposure and whether your transaction monitoring was actually catching activity that should have come from Binance's side first.

Out of nowhere, the TD Bank case exploded into headlines, mainly because of the massive $3.09 billion penalty levied against them. Hidden beneath the penalty was roughly $18.3 billion tied to suspicious transactions. All this resulted in TD becoming the first US bank in history to plead guilty to conspiracy to commit money laundering.

The number practitioners keep coming back to is smaller, which was that five TD branch employees took $57,000 in gift cards and cash to open fake accounts and suppress escalations. Even though federal agents caught them, the bank’s private investigative team missed it entirely.

An institution processing that volume of suspicious activity had insiders actively facilitating it and nobody inside caught them. It could mean blind spots in tracking staff behavior. Or perhaps warnings were ignored when spotted. Compliance teams often wait until after trouble surfaces before moving, performing investigations from a reactionary stance rather than proactively addressing red flags.

Resetting norms, the deal shifted how examiners view bank behavior nationwide. Since then, at every major US bank, compliance teams have faced repeated requests which focus on proving where their systems would’ve spotted this failure. Lately, phrases like “convenience over compliance,” pulled straight from the DOJ’s critique of TD, pop up often in federal reviews. Examiners specifically look for the facts to fit this pattern.

What shifted how TD's board acted was the Fed’s limit on assets. Fines are just taken in stride in the highly regulated banking industry. But when a bank can’t grow because operations are boxed in till fixes meet Fed standards, things feel different and pressure to comply rises.

Has your organization re-examined its insider threat program since the TD Bank settlement? Specifically how you monitor employee conduct rather than just external typologies. I'm curious to see what that looks like in practice within your company.

*We break down enforcement actions like this every Tuesday in The AML Brief. Free at theamlbrief.com*