When the Department of Justice investigated money laundering at TD Bank, it found emails and instant messages between employees about the criminal activity they and their colleagues were abetting. For instance, this one:
AML technologist: What do the bad guys have to say about us?
AML manager: LOL easy target
AML technologist: damnit
AML manager: Old scenarios; old CRRs; tech agility is poor to react to changes
AML manager: Bottomline we have not had a single new scenario added since we first implemented SAS due to various issues with the install [Scenarios are predefined patterns in financial transactions that are used to detect and investigate potential money-laundering activities; CRRs are customer risk ratings.]
Another anti-money-laundering employee messaged, “:P why all the really awful ones bank here lol.” A colleague replied, “because … we are convenient.” (TD Bank’s motto is “America’s Most Convenient Bank.”)
TD branch managers also emailed each other, joking about the money laundering going on in their stores. And a criminal who laundered more than $653 million through TD Bank gave employees $57,000 in gift cards.
When the bankers in charge of anti-money-laundering efforts, as well as branch staff, are LOLing fraud, taking bribes and willingly aiding criminals, there are obviously leadership and culture issues.
But old technology, a compliance department starved of resources and failure to update AML software are factors.
Overarching reasons for AML failures
TD Bank ultimately was forced to pay $3 billion for failing to monitor 92% of transactions for signs of money laundering from January 2018 to April 2024 — $18.3 trillion worth. It’s one of dozens of banks regulators have penalized for AML failings in recent months.
There are many, multilayered reasons why banks overlook money laundering.
“It’s a culture issue, also a compliance or legal issue, because when you have employees doing bad things, it’s about, do you have the appropriate processes and training in place to make sure that your employees understand exactly what’s expected of them,” said Chuck Subrt, fraud and AML practice research director at Datos Insights. “It’s about making sure compliance and risk management is as important as everything else, and there’s an incentive component to employee reviews, compensated bonuses.”
Another problem is that bank AML officers typically are not given enough authority and banks don’t dedicate enough people to this area, according to Sarah Beth Felix, CEO of Palmera Consulting and co-founder and chief AML officer at Acceleron Bank, a de novo in Vermont.
“It all flows up to the fact that none of these people are executives,” Felix said. “If a bank were to make that change and have a chief AML officer listed as a chief AML officer — not chief risk officer, not chief compliance officer — who reports directly to the board, that one little change would have a waterfall of effects.”
Banks tend to have a chief compliance officer who wears many hats, Felix said. “Money laundering and sanctions are huge and nuanced, and you have to actually be thinking like a criminal,” Felix said. “You have to have a hyper suspicious mindset from that chief AML officer all the way down to the lowest level analyst. They have to be thinking, how is this person or this company going to exploit my rails? You don’t take that same stance in general compliance.”
For instance, keeping AML scenarios and customer risk ratings up-to-date requires experts in SQL, Python and data who have the bandwidth to update scenarios and risk ratings, Felix said. Such people know how to look for threats and red flags that AML systems aren’t catching.
Insufficient resources — people, money and technology — are another factor. “Even as profits rose, the bank starved its compliance program of the resources it needed to obey the law,” said Deputy Attorney General Lisa Monaco when announcing the government’s action against TD Bank.
“These things do take time, and if you don’t have the time or the resources to do it, you’re not going to be able to execute,” Subrt said.
Many U.S. banks are in aggressive cost-cutting mode.
“If they don’t have to invest more into people, processes and technologies that will mitigate this, they won’t,” said Aaron Ansari, who oversaw anti-money-laundering efforts at a large U.S. bank in a prior job and is now an independent consultant, in an American Banker podcast that will air January 7. “That’s not just anti-money laundering. That’s everything: software programs, benefits. Most organizations don’t want to invest more than a bare minimum.”
In TD’s case, there were also issues with AML training and testing, according to the Department of Justice.
Where technology makes a difference
The primary way banks use technology to prevent money laundering is by using AML software to monitor transactions. The AML software is programmed with scenarios — patterns of suspicious behavior — that the software identifies and flags for a closer look by sending an alert to a human AML analyst. Banks are supposed to update these scenarios each time regulators and law enforcement agencies post new advisories about criminal activities.
This would all work better if regulators and law enforcement agencies shared more intel about the crime they’re seeing, Felix said. “But there has to be a secure messaging system, or else we’ll telegraph our path, which means that the criminals are going to intercept it,” she said.
Another way to prevent money laundering through technology is by using software to screen customers (complying with know-your-customer and Bank Secrecy Act rules), creating accurate customer risk ratings and updating those risk ratings regularly, as the customer’s profile changes. These customer risk scores also feed into AML scenarios.
Some vendors say upgrading AML software to an artificial intelligence-based system is the answer.
Older AML systems are rules based. “If you think of them as if-then statements, if you deposit more than $10,000 cash, then you get a phone call,” Ansari said. “Or if you transfer more than X amount of dollars in a 48- or 72-hour period, you get a phone call or an investigation.” Criminals understand these rules and know how to bypass them. “And if you start writing 1,000 rules to look at every transaction, your transactions start to slow down,” he said.
Newer, AI-based systems can run complex analyses of millions, if not trillions, of transactions per second. They can identify that a customer has used a placement or layering stage, such as a cryptocurrency exchange, to obfuscate the source of money. They can theoretically combat alert fatigue by analyzing associated data and assigning a hot or cold risk score to each alert the AML system generates.
But AI can also aggravate AML problems, Felix pointed out.
“AI is only as good as the human who trains it and the decisions you’ve made, and if you’ve got analysts that are responsible for monitoring customers and they are dismissing alerts as not suspicious, AI is going to learn from that,” Felix said.
Some third-party AI-based AML models have been trained by people who have never worked in a bank and who don’t know what money laundering looks like, she said.
Preventing employees from colluding
As part of TD Bank’s plea agreement, the Justice Department said the bank must prevent and deter employees from accessing or using the bank’s systems or customer accounts in an unauthorized or illicit manner and from soliciting or receiving bribes, kickbacks, gratuities or gifts in exchange for conducting certain activities from inside the bank.
Here again, if employees are colluding with and taking bribes from criminals, the antidote is about more than technology.
All banks have rules against taking bribes in their employee handbooks and acceptable use documents, according to Ansari. But many things get in the way of people doing what the handbooks say. For instance, most banks incentivize employees to bring in more deposits and open more accounts, as was clear when Wells Fargo employees opened millions of fake bank accounts in a scandal that came to a head in 2016. There is motivation and pressure to open deposit accounts quickly and easily.
Where AML penalties are smaller than the profits made from money laundering, there’s little incentive for bank management to change these incentives.
“If you’re generating a lot of money and loans off of the laundered money, and your fine is much less than that, you’re still making money,” Ansari said. Executives who close their eyes to the lack of compliance don’t go to jail, so some banks accept AML fines as part of the cost of doing business.
And loopholes and regulatory weaknesses allow employees to carry out nefarious behavior without triggering anti-money-laundering software alerts, Ansari said. For instance, some money launderers take out loans and then pay back more than what’s due on the loan each month, so they then have access to additional funds that are deposited back, either to borrow or to get a refund check. From the bank management’s perspective everything looks fine, the customer is paying on time.
Sometimes the fact that different divisions or institutions within a bank use systems that don’t talk to each other lets complicit employees operate under the radar, Ansari said.
“One of the challenges is that any organization is going to have multiple transaction systems,” Subrt said. “How do you build that more holistic view?”
Employee surveillance technology exists that could keep close watch on AML and branch staff. But too much surveillance can backfire, Ansari said.
“Do I want to work in a culture where every decision I make is scrutinized and watched, monitored, questioned? Probably not,” he said. “So having that balance between enabling and trusting the employee to do their job versus ensuring that there aren’t some bad actors within your organization is certainly going to increase. As will the use of software that’s used to look at insider threats or insider malicious activities.”
Employee monitoring should be less about second-guessing AML staff decisions and more about finding collusion, in Subrt’s view.
“This isn’t about questioning judgments or decision making, because ultimately, even in the AML realm, we have to make decisions every day on alerts, reviews, case investigations, when to file a suspicious activity report,” he said. “As long as there’s some reasonable standard, reasonable people can differ on this.”
But what should be monitored is employees accessing systems or accounts they shouldn’t be.
There are no easy answers to fighting money laundering, experts say.
“Building a truly robust AML program is an evolving process that you’ve got to learn from every day,” Subrt said. “Look for your successes, look for your failures, and try to learn from both of them and continue to sort of build. But as we all know, that’s a lot easier said than done.”