This April, FinCEN brought its first-ever enforcement action against a trust company since the agency’s founding in 1990 —a $1.5 million penalty that could change the shape of financial services compliance going forward. Ian Herbert and Leah Moushey of Miller & Chevalier break down the case and what other trust companies could learn from it. Namely that check-the-box compliance efforts are not enough to keep regulators happy.
FinCEN’s action against South Dakota-based Kingdom Trust claimed that the company had willfully violated the Bank Secrecy Act (BSA) — which obligates financial institutions to implement measures to detect and prevent money laundering — by, among other things, failing to accurately and timely report hundreds of suspicious transactions to FinCEN.
This leads to a key question: What does the Kingdom Trust enforcement action mean for other trust companies that fail to meet AML compliance obligations? Here is how risk and compliance professionals for trust companies can learn from Kingdom Trust’s missteps.
How it all unfolded
Founded in 2010, Kingdom Trust is headquartered in South Dakota and is organized under South Dakota law despite largely operating its trust services business out of Kentucky. While the company primarily offered custody services for self-directed IRAs (SDIRAs) — which includes settlement, safekeeping and reporting related to those SDIRAs — it also provided account and payment services to foreign securities and investment firms, as well as money services businesses in high-risk circumstances.
Three years after its initial incorporation, Kingdom Trust partnered with a consulting group with ties to broker-dealers in Argentina and Uruguay. The broker-dealers sought to establish bank accounts in the U.S. — and Kingdom Trust facilitated this process, providing them accounts in order to custody fixed income securities and hold cash. The trust then processed more than $4 billion in transactions for these broker-dealers.
Though this sudden influx of financial activity appeared to be a departure from the SDIRA services previously offered, Kingdom Trust did not develop sufficient additional controls to identify and report suspicious transactions associated with this new line of business, according to FinCEN. In fact, the agency characterized Kingdom Trust’s process around filing suspicious activity reports (SARs) as “severely underdeveloped and ad hoc” and noted that until December 2018, it had created no standalone process to screen for, identify and report suspicious transactions.
By 2019, Kingdom Trust did create a process to identify potentially suspicious activity. However, the process relied upon a single compliance employee without prior AML or BSA experience. As a relative novice tasked with conducting daily reviews of countless transactions, this person failed to review relevant transaction information beyond the names of counterparties.
By 2020, Kingdom Trust had hired a compliance analyst with AML experience. However, due to the manual nature of the review process among other shortcomings, the company filed only four SARs between February 2020 and March 2021. The FinCEN consent order does not explicitly state whether Kingdom Trust filed any SARs prior to 2020, but FinCEN identified hundreds of suspicious transactions regarding which Kingdom Trust did not file SARs.
Finally, after other financial institutions closed at least 11 accounts for which Kingdom Trust maintained correspondent accounts, company leadership questioned whether to continue with the foreign custody business and engaged a third party to conduct a BSA/AML audit. That audit identified deficiencies related to Kingdom Trust’s high-risk customers. But even with that information, the company failed to remediate — either by exiting the high-risk customers or updating its controls.
What we can expect in aftermath of FinCEN’s enforcement action
Kingdom Trust took on significant risk when it added payment services for foreign businesses to its offerings, but it failed to expand its BSA/AML controls to mitigate that risk. While many of the issues that affected Kingdom Trust were unique to its high-risk business line, it is possible that other trust companies could face similar issues.
That is why companies and risk and compliance professionals must be prepared to reassess their approach to compliance whenever business models change — especially as regulatory scrutiny ramps up. Below are five takeaways from this precedent-setting enforcement action.
1. Heightened scrutiny of U.S.-based trust companies may be on the horizon
It is still too early to know whether FinCEN’s action against Kingdom Trust signals that the agency will investigate and take further action against other U.S. trust companies. But in the agency’s news release regarding the Kingdom Trust enforcement action, FinCEN’s acting director, Himamauli Das, specifically mentioned trust companies with “weak compliance programs that fail to identify and report suspicious activities,” stating that the agency would not “tolerate” trust companies that fail to sufficiently detect and prevent money laundering.
To minimize risk of an investigation or subsequent enforcement action, all trust companies — even those only providing administrative services and/or those that don’t fall under regulatory oversight of a particular federal agency — should evaluate their AML programs and determine whether their controls sufficiently address the level of risk accompanying their services. After all, it is not uncommon for trust companies to offer traditional money transmitting services that create greater risk.
2. Compliance resources must evolve as risk increases
In particular, trusts that expand into high-risk service areas must dedicate ample resources to BSA compliance. As this enforcement action reminds us, manual reviews carried out by limited personnel are not sufficient for companies that process thousands of daily transactions.
Instead of relying on manual reviews, financial entities subject to BSA requirements often implement automated transaction monitoring software to flag suspicious behavior and to monitor daily cash flows. This approach has proven to be far more efficient and effective at vetting transactions, particularly when coupled with experienced, manual oversight.
Furthermore, if all transaction-facing employees — not just the compliance team — are trained to spot red flags across financial accounts, there is a higher likelihood that the institution will identify and report suspicious activity quickly. This is particularly important in companies with a limited number of compliance team members.
3. Check-the-box compliance activities are not sufficient
While Kingdom Trust undertook certain AML efforts, FinCEN highlighted significant shortcomings in the company’s approach.
For instance, Kingdom Trust provided AML training, but its training presentations were not tailored to the company’s risk mitigation activities and, therefore, did not provide meaningful guidance. Those presentations referenced several red flags — such as customer requests for anonymity, customer attempts to open an account without identification and nominal account balances that increased rapidly and significantly — that were inconsistent with the company’s compliance processes because employees could not have identified such red flags based on a review of the daily transaction reports alone.
This serves as an important reminder that firms covered by the BSA’s requirements should engage in activities that drive firms and their personnel to take a more tailored approach to risk mitigation.
4. Cooperation during an investigation can be beneficial but alone is not enough
While the agency’s consent order says Kingdom Trust provided substantial cooperation during its investigation, BSA’s SAR reporting obligations serve as proactive, ex ante cooperation. Though FinCEN acknowledged the company’s post hoc cooperation, such cooperation cannot make up for the failure to meet its preemptive obligations, including filing SARs.
5. Expect more than just a civil penalty for non-compliance
In addition to agreeing to pay a $1.5 million civil penalty, Kingdom Trust must hire an independent consultant at its own expense.
This independent consultant is tasked with conducting a SAR lookback review into certain transactions, testing the effectiveness of Kingdom Trust’s AML program though an AML program review and providing recommendations for enhancements. From there, the independent consultant must submit written reports of its activities to FinCEN.
The requirement to hire an independent consultant, like other forms of corporate monitorships, can be costly and burdensome. To avoid such expenses, financial institutions should take proactive measures to assess the effectiveness of their AML programs — not just wait for enforcement authorities to mandate them.
Learning from Kingdom Trust’s shortcomings
Kingdom Trust’s AML compliance shortcomings may seem obvious to an outside observer. But the lessons for other trust companies are clear. Any trust company that has not dedicated sufficient resources for BSA compliance obligations (including SAR requirements) could easily find themselves in FinCEN’s crosshairs. Because trust companies often start by working for single families or providing limited services, AML compliance may not be top of mind. But as a trust company’s business model grows and expands into different business lines and geographies, it is important that AML compliance grows along with it. This may include dedicating additional resources and developing new processes related to AML compliance, including but not limited to the identification and reporting of suspicious transactions.