Gaping Gaps: Perspective on the Ruthless TD Bank Consent Order

Reality is indeed more curious than fiction. Every time I read a major consent order, I end up thinking this is it; it can’t get any worse. And then just like that, without much fanfare, there comes another consent order that magically wipes away all the optimism I closed the previous consent order with.

I had written a blog post on Binance consent around ending with the premise:. Here I am reading another black hole of failures, this time by a full-fledged bank.

I am not even sure if people do end up reading these lengthy (often over 100 pages) consent orders doled out by the meticulous global regulators. If they would, the same bloody problems would not recur year after year, for decades on end.

On October 10, 2024, TD Bank (the 10th largest bank in the U.S. by assets) pleaded guilty to multiple charges related to failures in its anti-money laundering (AML) program. The bank has agreed to pay a staggering $3 billion in penalties, marking it as the largest fine ever imposed under AML legislation in U.S. history.

The implications of this guilty plea are profound. Attorney General Merrick Garland stated that by neglecting compliance measures, TD Bank effectively made its services accessible to criminals.

A – Thematic view

Fundamentally, in the eyes of the regulator, TD Bank ‘wilfully’ failed to implement an AML program aligned with BSA requirements during the period of review. This single failing could be surmised as the parent concern.

As we have consistently seen in the past, intent is crucial in context to how regulators respond to deviations. Wherever intent fails, almost everything else becomes incidental. All large fines/penalizations always have this as the underlying thread.

The crux of the violations stems from TD Bank’s inability to monitor and report suspicious transactions effectively. According to court documents, between 2014 and 2023, TD Bank exhibited “long-term, pervasive, and systemic deficiencies” in its AML program.

The bank’s systemic failures spanned all pillars of its AML program, including ineffective oversight, inadequate internal controls, and insufficient training for staff on AML risks and typologies.

B – Specific deficiencies

1 – Oversight and Management:

There was ineffective oversight by the designated BSA officer, who failed to escalate material issues adequately. Additionally, the compliance resources were not given sufficient powers to address the issues in an independent manner. Secondly, the Board consistently chose not to allocate sufficient resources for compliance efforts. This oversight failure was part of broader systemic issues within TD Bank’s AML framework, which lacked sufficient resources and management attention.

Some interesting issues quoted in the consent order

• TD Bank’s compensation system reflected the apparent disincentive for the BSA officer to incur costs needed to assure the bank’s compliance with the BSA. At times during the review period, both the global head of AML and the BSA officer’s annual self- assessments noted as an “accomplishment” their respective abilities to “develop [the AML] program within a flat cost paradigm without compromising risk appetite.”
• Despite self-identifying the need for additional resources, the head of the AML Investigation Unit (AIU) recommended waiting to reassess the need to hire new employees to fill this gap and extending the contracts of temporary employees in the meantime.
• Appointing multiple AML managers without any prior experience in AML also hindered the BSA officer’s ability to effectively monitor the bank’s day-to-day compliance with the BSA.
• The BSA Officers lacked direct authority over an AML Technology Head, who oversaw the transaction monitoring system, as well as the head of AML Operations within the AML function.

2 – Chronic underperformance in AML Transaction Monitoring:

“Unless absolutely required, new scenario development in [the transaction monitoring system] is regrettable spend.” – TD Management

The Bank’s transaction monitoring system was described as willfully deficient and understaffed, leading to significant gaps in reporting suspicious activity. Approximately $18 trillion in customer activity went unmonitored due to inadequate transaction monitoring systems. This included a staggering 92% of total transaction volume that was not automatically monitored.

An action plan submitted to internal audit in June 2018 identified the backlog’s root cause as inadequate staffing levels, as well as transaction monitoring system issues. In 2018, the AML program registered over 70,000 backlogged detection alerts and roughly 3,000 aged subpoena responses and further investigation cases. Despite such a glaring situation, the Bank refused to make the requisite investments to prevent future violations until near the end of the review period.

The Bank failed to monitor a number of transaction types, including ACH, certain funds transfers, and certain monetary instruments. This failure represented over 80% of the activity in these types of transactions and aggregated to trillions of dollars in value.

Some case studies quoted in the consent order

• Since at least 2012, TD Bank knew it failed to monitor virtually any domestic ACH transactions. In 2012, AML employees recognized a need to do so and proposed a scenario to monitor such ACH transactions. An AML senior manager rejected their request.
• Between 2016 and 2019, TD Bank went through a transition to upgrade to a new system. During this upgrade, the bank paused all changes to transaction monitoring scenarios but did not end up selecting a new system up until 2021. Overall, including the transition phase, no new scenarios or modifications to old scenarios were performed for a total of 4 years.
• From August 2023 to February 2024, there were at least four presentations to TD Bank executives that compared the coverage between the old and new systems, with each presentation noting a substantial difference between the two, and one describing a monthly increase of “$220 billion of transactions (123% increase)” covered under the new system’s transaction codes. However, during this time, TD Bank executives did not apply mitigating controls or notify regulators.
• Bank leadership temporarily “paused” scenarios to remain dormant for years and failed to implement new scenarios even after identifying risks. The bank also did not effectively test its transaction monitoring system to ensure that it captured the bank’s risks comprehensively.

3 – Customer Due Diligence (initial & ongoing monitoring)

The bank’s customer due diligence processes were pretty inadequate, failing to identify discrepancies between expected and actual customer activities. This included a lack of ongoing monitoring to update customer information and assess risk profiles effectively.

Failure to establish an effective CDD program and critical, ongoing issues with the Bank’s customer risk rating processes allowed millions of high-risk customers to remain unscored during the review period, significantly impeding the Bank’s ability to monitor its customer base and address associated risks.

Some case studies quoted in the consent order

• Owing to a lack of resources, there was a significant delay in de-marketed high-risk customers. For example, from 2018 to 2021, such customers received more than $5 billion into their accounts, with an average of more than $250,000 per account after a request to initiate account closure by an AML employee.
• For a customer—a HVAC company—undetected suspicious activity spanned a nine- month period, from July 2023 to April 2024, and included over $3.5 million in a combination of more than 1,000 P2P transactions, as well as check deposits, withdrawals, and ACH transactions. This high volume of activity drastically conflicted with the customer due diligence documentation collected by TD Bank, which reported the maximum annual sales revenue of this customer as $500,000.
  Various expenses included those pertaining to visa, airfare, immigration services, ATM withdrawals from high-risk countries, etc., clearly indicating potential for human trafficking, but there was no action taken in this regard by the bank. Even the STRs submitted were incomplete and not reflective of the nature and extent of potential vulnerabilities.
• In July 2019, the bank onboarded accounts for a New York-based religious institution despite its leader’s ties to terrorist organizations and involvement as an unindicted co- conspirator in the 1993 World Trade Center bombings. Despite this publicly available negative news, TD Bank failed to perform adequate due diligence at account opening and failed to understand its customers’ terrorism-related associations.

4 – SAR & CTR filing

The bank did not file timely and accurate Suspicious Activity Reports (SARs) for transactions that met the threshold for reporting.

The investigation noted that the bank willfully filed more than 1,000 inaccurate CTRs, some of which not only failed to meet regulatory reporting requirements but also misled law enforcement. FinCEN’s investigation identified more than 4,000 late-filed CTRs covering more than $150 million in cash transactions filed weeks after the required deadline.

TD Bank willfully failed to timely file over 6,000 SARs, which involved suspicious transactions totaling more than $500 million. This delay in reporting was attributed to significant backlogs in investigations of potentially suspicious activities.

• The bank produced internal reports highlighting which customers—and the branches at which they transacted—generated the greatest amount of cash activity in a given period. These manual reports were not reviewed and were not designed to mitigate AML risks and therefore did not serve as an effective control.
• Cash activity identified a New York-area company purporting to operate in the clothing industry as among the bank’s top customers for cash transactions, with this customer conducting $8 million to $20 million each quarter over hundreds of transactions across multiple TD Bank branches. This included a period during the COVID-19 pandemic when many cash-intensive businesses experienced declines in transaction volumes. DOJ later indicted an individual associated with the customer.

Further, the BSA Officer, as well as people involved in the generation of these reports to the BSA Officer, never questioned why a clothing company would be engaged in such a high level of cash activity volume during the pandemic, even though an AML analyst specifically highlighted this customer in the report. No steps were taken to verify that these reports were reviewed.

• 2,000 transactions were processed for Customer Group C, primarily during a nine-month period, from July 2023 to April 2024, with an aggregate value of over $250 million. Customer Group C, purportedly operating in the sales finance and real estate industries, had informed TD Bank, as part of the Bank’s CDD processes, that their intended wire activity would be minimal and would not exceed $25,000. Additionally, Customer Group C estimated their annual sales would not exceed $1 million; in fact, Customer Group C conducted over $1 billion in transactions through TD Bank, with over 90% of the incoming funds from a UK-based cryptocurrency exchange and more than 60% of outgoing transactions sent as wires to a Colombian financial institution that also offers virtual asset-related services.

5 – Employee Complicity

The report indicates that some TD Bank employees were complicit in various BSA violations, accepting bribes and failing to report suspicious behaviors despite being aware of them. For many of the vulnerable accounts opened via employee complicity, the bank failed to timely file accurate SARs and considerably delayed closing the accounts, which allowed millions of dollars’ worth of suspicious activity to continue to flow unobstructed through the bank.

Case study

Beginning in early 2021, Individual A exploited their position to facilitate money laundering activities in exchange for bribes. During their tenure at the Bank, Individual A opened over 2,000 accounts whose account holders conducted more than 600,000 transactions aggregating to over $200 million, many of which were shell companies with nominee owners.

In return for their role in facilitating the funnel accounts, Individual A received thousands of dollars in bribe payments. Certain of the accounts opened by Individual A were then used to launder narcotics proceeds, including to Colombia.

6 – Training & Development

The bank’s personnel were inadequately trained to recognize and respond to AML risks associated with its products and services. This lack of training contributed to the failure in monitoring transactions effectively and identifying suspicious patterns.

7 – Weak Independent Testing

There was insufficient independent testing of the AML program, which failed to identify material gaps in compliance. The BSA officer did not prioritize or ensure that these tests were conducted adequately, contributing to ongoing vulnerabilities in the bank’s monitoring processes.

The methodology to assess risks via its annual assessments was inadequate and overlooked key risk and control factors that materially impacted the analyses of the Bank’s risk profile. In the testing of the bank’s AML risk assessment process, internal audits simply determined whether controls existed and not whether they were, in fact, being appropriately used.

C – Way forward

The consent order not only imposes financial penalties but also mandates that TD Bank enhance its compliance programs significantly. The bank is required to allocate appropriate resources toward remediation efforts, which include:

• The establishment of an independent monitor for a term of four years to oversee remediation efforts and ensure adherence to BSA/AML compliance standards.
• Undergo a third-party assessment of its BSA/AML program. This independent evaluation will scrutinize the effectiveness of the bank’s compliance measures and ensure that corrective actions are implemented properly.
• Bank to conduct lookback reviews on past transactions to identify any previously unreported suspicious activities. This involves engaging outside consultants to review historical data and file Suspicious Activity Reports (SARs) as necessary.
• The OCC has also introduced a requirement for board certification prior to any dividend payments or capital distributions. This means that TD Bank’s board must certify compliance with all actionable items in the cease-and-desist order before any financial returns can be distributed to shareholders.

D – Lessons Learned

One could very easily spend substantial time deliberating on what should have been done. But as a financial crime compliance professional, I believe they are glaringly self-explanatory. The expectations from the regulators can often be daunting, but systemic failures such as the ones TD Bank has engaged in have very few redemptive features.

I simply reiterate my closing remarks in the post I had written pertaining to Binance.

There is no solution, anywhere, for bad culture and poor tone at the top. However good the controls are, the system will eventually fail.

One understands the frustration of tick-in-the-box compliance and the often onerous requirements, but when our deviations stare right back with the immensity of the damage caused, it is important to take a step back and understand what it is we are trying to build and whether we are truly adding value to the world at large.

Whether we are solving a genuine problem or becoming the problem.

It is satisfying that the Attorney General Merrick Garland stated something similar as a closing remark on TD Bank: “By making its services convenient for criminals, TD Bank became one.”