u/TheAMLBrief

Transaction monitoring didn't catch Deutsche Bank's mirror trading scheme because the risk only existed at the relationship level, not the transaction level.

Deutsche Bank's Moscow desk moved roughly $10 billion out of Russia through a scheme that looked, transaction by transaction, like ordinary equity trading. A client buys Russian shares in Moscow for rubles. A related, undisclosed counterparty sells the same shares in London for dollars. Both trades settle normally. The laundering isn't in either trade individually, it's in the relationship between the two sides.

That's why transaction monitoring missed it. No structuring pattern in the payment flow. No anomalous volume for a bank with significant Russian institutional business. No sanctions hits on the trades themselves. The risk only becomes visible when someone looks across the Moscow and London books at the same time and asks why the same client network keeps showing up on both sides of the same trades. That cross-desk, cross-jurisdiction view wasn't built into the monitoring architecture.

What makes this case different from a pure detection failure is that Deutsche Bank's own compliance staff in Moscow identified the mirror trading program as high-risk and escalated those concerns internally. The NYDFS consent order states plainly that the bank's management was aware of the compliance concerns associated with the program. The program continued anyway, for roughly four years, until the NYDFS and the FCA issued findings on the same day in January 2017: $425 million from New York, £163 million from London.

Compliance had enough visibility to identify the risk and ask the question. It didn't have enough authority to change the answer once the business decided to not act on the transactions. That's a different problem than "the monitoring system couldn't see it," and it requires a different fix; an escalation path that can actually stop activity, not just document that someone raised a concern.

How does escalation work at your institution when a risk gets flagged at the analyst or compliance officer level but the business wants to keep the relationship? Does the program have real stop authority, or does escalation mostly produce a paper trail?

reddit.com
u/TheAMLBrief — 5 days ago

Most TBML policies say the institution will monitor for indicators. Almost none of them say what flags an over-invoiced letter of credit.

Most TBML policies say the institution will monitor for indicators, however almost none of them specify what the actual detection mechanism is.

That gap is magnified because transaction monitoring wasn't built for trade-based laundering. TM is designed for behavioral anomalies in payment flows: structuring, velocity changes, unusual counterparties, sanctions hits. TBML doesn't produce structuring patterns, it produces normal-volume, normal-frequency payments for international trade. A $500,000 payment against a letter of credit doesn't alert. Neither does one that's 30% above the benchmark price for that commodity, because the TM system doesn't know what the market price is. The anomaly is in the invoice, not the payment.

Most TM platforms don't ingest trade documentation. Letters of credit, bills of lading, and commercial invoices are processed by trade finance teams, not fed into the AML platform. This results in TBML moving through a bank's trade finance operation in one lane while compliance monitors transactions in a separate lane, with no visibility into the documents behind the payments.

The three underlying operational typologies are over/under-invoicing (invoice price above or below market, with the difference representing value transferred outside the financial system), multiple invoicing against the same shipment, and phantom shipments where the supporting documentation is fabricated but the payment is real. Each of these is detectable, but none of them generate a TM alert on their own.

Programs with meaningful TBML detection capability generally have three things most don't: some mechanism for comparing invoice values against market prices for the commodities and corridors they're exposed to, a defined escalation path from trade finance staff to the SAR process, and corridor-based risk logic that applies heightened documentary scrutiny to the channels where TBML concentrates (South America to the U.S., China to Latin America, Middle East to Europe).

FinCEN's advisory on TBML is from 2010 and FATF's foundational typologies report is from 2006. A bank that's never filed a SAR citing TBML indicators hasn't necessarily avoided the exposure. It may have avoided the scrutiny that would make the exposure visible.

What have you all seen within your institutions on how TBML is monitored and handled when compared to your policy documentation?

reddit.com
u/TheAMLBrief — 12 days ago

HSBC didn't fail because it lacked a compliance program. It failed because the program couldn't close profitable accounts or override business decisions.

In December 2012, HSBC entered a deferred prosecution agreement and paid $1.9 billion after FinCEN and the DOJ found that HSBC Mexico had laundered $881 million for the Sinaloa and Norte del Valle cartels. The transaction monitoring system was operational throughout, CTRs were filed, and alerts were generated. The Senate Permanent Subcommittee on Investigations released a 340-page report documenting how it happened.

The report's finding wasn't that HSBC had no AML infrastructure. The problem was what happened when compliance findings conflicted with revenue.

HSBC Mexico was classified as the highest-risk affiliate in the bank's global network. The institutional response was a management initiative called the "Simplification Project," which reduced compliance requirements for that customer base and lowered enhanced due diligence thresholds. The cartels adapted, even going so far as manipulating cash deposit boxes to fit through HSBC Mexico's teller windows. Between 2007 and 2010, approximately $7 billion in physical currency moved from Mexico to the United States. More than 373,000 transactions without adequate monitoring. CTRs were filed on some of those deposits, however SARs weren't.

The OCC flagged AML deficiencies at HSBC for four consecutive examination cycles before the DOJ acted. The compliance function kept generating documentation. The findings kept moving through the system and the business relationship continued.

What distinguishes this case from TD Bank or Binance is the character of the failure. TD Bank's leadership documented its contempt for the compliance function. Binance built a platform with no AML infrastructure and made deliberate decisions not to register with FinCEN. HSBC's program existed, ran, and produced findings. It couldn't close a profitable account. It couldn't file a SAR on a relationship the business wanted to keep. It couldn't get a finding to someone with authority and will to act on it.

A program that can detect risk but can't produce consequences when detection conflicts with revenue isn't a functioning AML program. It's a documentation program. The two look identical from the outside. Both have policies, both generate reports, both satisfy examination requirements. They diverge at the point where a finding would require the business to do something it doesn't want to do.

Most compliance programs can identify unusual activity. Fewer have tested whether the escalation path from detection to consequence actually functions when the consequence involves business disruption. Has anyone seen this occur at your current or prior companies?

reddit.com
u/TheAMLBrief — 19 days ago

Four months for $4.3 billion. Probation for $11 billion. No charges for $3.09 billion. The personal liability question in AML enforcement isn't settled.

Changpeng Zhao pled guilty to willful failure to maintain an effective AML program. Binance as a company paid $4.3 billion. He was sentenced to only four months. The three BitMEX co-founders who operated a crypto exchange with no AML controls on $11 billion in trading volume received probation. TD Bank paid $3.09 billion, the largest BSA penalty in U.S. history for a bank, and no senior executives were criminally charged in connection with the AML program failures.

The Yates Memo, published September 2015, directed prosecutors to pursue individuals behind corporate misconduct, not just the institution. It's been cited in enforcement announcements for a decade. What it's produced in AML cases is a narrower set of individual charges than the policy language suggested, mostly concentrated where prosecutors had documented evidence of personal knowledge and a deliberate decision not to act. CZ's own written legal risk assessment ended up in the federal filing. The BitMEX founders documented their approach to avoiding U.S. regulators. The evidence was their own records.

Where that documentation existed but criminal charges didn't follow, the institutional penalty may be functioning as a substitute for individual accountability rather than a complement. As regaultory enforcement continues, it will be interesting to see if this pattern shifts.

The more practical question for compliance professionals isn't whether the C-suite gets charged, it's where individual liability shows up, if at all.

Cases where individuals at the BSA officer and compliance manager level have appeared in enforcement records don't usually involve billion-dollar institutions. They involve documented findings that weren't escalated, escalations that stalled without a recorded resolution, and SAR decisions made without a detailed rationale. The Yates Memo's logic doesn't stop at the executive level. Individual accountability follows the person whose name is on the decision.

If your program documents what was found but not what was decided about it; if an escalation routes upward and the record goes quiet, or a SAR decision is made without a written rationale, that's the structure that creates individual exposure. The compliance officer's risk is in the documentation trail at the case level.

For practitioners in SAR review or escalation governance, how complete is your documentation chain from identification through decision?

reddit.com
u/TheAMLBrief — 26 days ago

Binance, TD Bank, and Capital One were each damaged by their own compliance team's records. The instinct to document less after reading them is the wrong takeaway.

The Binance CCO wrote in 2018 that the company was "operating as a f***ing unlicensed securities exchange in the USA." The message was accurate. Binance continued operating in the U.S. for years after that, filing zero SARs throughout. That internal message was documented within the DOJ's published statement of facts in 2023.

TD Bank's OCC consent order referenced internal communications showing compliance concerns were treated as obstacles to business growth. "Convenience over compliance" wasn't a regulator's phrase imposed from the outside. It reflected language and posture that was documented inside the institution.

FinCEN's 2021 action against Capital One turned on what the consent order called "documented knowledge." The bank's own risk files, the Genovese associate's conviction, and the Check Cashing Group's high-risk classification were what elevated SAR non-filing from negligent to willful. Without that documentation, FinCEN would have had a harder case.

The natural reaction when you read all three is to think more carefully about what gets written down. That reaction is understandable and wrong.

Undocumented decisions don't protect programs. A risk assessment with no written record of follow-up looks, in retrospect, like a risk assessment that produced no action. A concern raised in a meeting but not captured looks like a concern that was never raised. Regulators and auditors evaluate programs through their documentation. It's the primary evidence of what a program actually does.

What made these records damaging wasn't that compliance teams wrote things down. It was the gap between what was identified and what was done about it. The Binance CCO's message was damaging because an accurate written assessment of regulatory risk was followed by a business-as-usual response. Capital One's risk files were damaging because their thoroughness produced a willful finding when the SARs didn't follow.

The practical discipline isn't "be careful what you write." It's "does your documentation show a finding and then a decision?"

A written high-risk finding paired with no documented escalation or SAR rationale creates a record of knowledge without response. An escalation memo that stalls without a documented resolution shows risk routed upward and stopped there. Meeting notes that capture a concern but not the decision made about it tell half the story, and the missing half is usually what examiners want most.

For anyone who works in escalation governance or SAR review, how does your program document the decision itself, not just the identification of risk? And how do you verify that the chain is complete?

reddit.com
u/TheAMLBrief — 1 month ago

Capital One correctly identified its highest-risk customers. Then didn't build a program to cover them.

Capital One paid $390 million to FinCEN in January 2021 for BSA violations tied to its Check Cashing Group, a business unit the bank had internally classified as high-risk. The violations ran from 2008 through 2014.

FinCEN's finding on SAR non-filing was willful failure, not negligence and not a systems gap. Capital One also failed to file approximately 50,000 CTRs on roughly $16 billion in cash. Two different legal standards, but both trace back to the same root problem of a high-risk portfolio operating without an AML program built to match its risk classification.

The case is worth studying because Capital One didn't skip the risk assessment step. CCG customers were designated high-risk. The classification was documented and internally applied. What the bank didn't do was build monitoring and SAR review processes to match that classification. The risk matrix and the AML program weren't connected.

How far did the gap go? Capital One continued processing over 20,000 transactions worth approximately $160 million for a customer's businesses after that customer had been convicted as an associate of the Genovese organized crime family. The bank had documented knowledge of the conviction. FinCEN's consent order noted that proceeds connected to organized crime, tax evasion, and fraud entered the US financial system unreported through those accounts.

Capital One admitted to the findings. Most enforcement actions are resolved on a neither-admit-nor-deny basis. When an institution admits, the internal documentation evidences that contesting the facts isn't viable. Six years of deficient SAR filing on a portfolio already designated high-risk produced that record.

Are your high-risk designations actually driving program design, or are they sitting in a risk matrix?

A business line or customer segment rated high-risk should generate lower alert thresholds, more monitoring activity, and closer SAR review than a standard account. If your enterprise AML program is calibrated to your typical customer and high-risk segments are layered on without dedicated configuration, the structure that produced the Capital One gap is replicable. The risk rating alone doesn't protect you. What matters is whether that rating is connected to the monitoring program running against those accounts every day.

For anyone who works in transaction monitoring or risk rating governance: how do you verify that high-risk classifications are actually reflected in your alert logic, or is that connection mostly assumed?

reddit.com
u/TheAMLBrief — 1 month ago

The November 2023 Binance settlement gets covered as a crypto story, however compliance professionals treat it as a typical tone-at-the-top failure with a paper trail most enforcement actions don't have.

Binance registered with FinCEN as a money services business in 2019, which served as a written acknowledgment of Bank Secrecy Act obligations. Binance then filed zero SARs with FinCEN while processing more than 100,000 transactions between Binance users and people in sanctioned jurisdictions.

FinCEN identified over $898 million in transactions flowing to Iranian parties. As a result, OFAC fined Binance $968 million due to the heavy transaction flow to a sanctioned country.

Binance's compliance team wasn't operating in the dark, as the DOJ revealed internal messages that documented awareness of criminal activity flowing through the platform. Former CCO Samuel Lim's assessment was direct: "Like come on. They're here for crime."

Binance's lack of SAR filings seemed to be influenced by their leadership team. If other institutions had any crypto-related exposure (e.g.; correspondent relationships, payment rails, wire transfers touching Binance's US entity), their failure to file created upstream gaps in their SAR coverage as well.

For compliance teams still treating crypto as a minor concern, FinCEN has been clear since 2013 that virtual currency exchanges operating as money transmitters carry BSA obligations. The Binance settlement was proof that regulators will take this seriously, compounded by deliberate inaction by Binance's leadership team.

For those working in traditional banking and crypto, did your institution go back and review SAR gaps that might trace to exchanges like Binance that weren't filing? It would be interesting to hear perspectives on how your teams handled the downstream exposure and whether your transaction monitoring was actually catching activity that should have come from Binance's side first.

reddit.com
u/TheAMLBrief — 2 months ago

Out of nowhere, the TD Bank case exploded into headlines, mainly because of the massive $3.09 billion penalty levied against them. Hidden beneath the penalty was roughly $18.3 billion tied to suspicious transactions. All this resulted in TD becoming the first US bank in history to plead guilty to conspiracy to commit money laundering.

The number practitioners keep coming back to is smaller, which was that five TD branch employees took $57,000 in gift cards and cash to open fake accounts and suppress escalations. Even though federal agents caught them, the bank’s private investigative team missed it entirely.

An institution processing that volume of suspicious activity had insiders actively facilitating it and nobody inside caught them. It could mean blind spots in tracking staff behavior. Or perhaps warnings were ignored when spotted. Compliance teams often wait until after trouble surfaces before moving, performing investigations from a reactionary stance rather than proactively addressing red flags.

Resetting norms, the deal shifted how examiners view bank behavior nationwide. Since then, at every major US bank, compliance teams have faced repeated requests which focus on proving where their systems would’ve spotted this failure. Lately, phrases like “convenience over compliance,” pulled straight from the DOJ’s critique of TD, pop up often in federal reviews. Examiners specifically look for the facts to fit this pattern.

What shifted how TD's board acted was the Fed’s limit on assets. Fines are just taken in stride in the highly regulated banking industry. But when a bank can’t grow because operations are boxed in till fixes meet Fed standards, things feel different and pressure to comply rises.

Has your organization re-examined its insider threat program since the TD Bank settlement? Specifically how you monitor employee conduct rather than just external typologies. I'm curious to see what that looks like in practice within your company.

*We break down enforcement actions like this every Tuesday in The AML Brief. Free at theamlbrief.com*

reddit.com
u/TheAMLBrief — 2 months ago
▲ 28 r/moneylaundering+1 crossposts

In October 2024, TD Bank became the first US bank ever to plead guilty to conspiracy to commit money laundering. $3.09 billion in combined penalties. $18.3 billion in suspicious transactions processed. Three criminal networks operating simultaneously through the same institution.

The scale gets the headlines. The failures are what practitioners should be studying.

---

**What actually went wrong**

Three distinct networks moved money through TD accounts at the same time; a Colombian drug trafficking network (~$100M), a fentanyl proceeds network, and the Da Hua Xu network ($653M via shell companies and structured cash deposits). None of them were using particularly sophisticated methods. They didn't need to.

**Failure 1 — Transaction monitoring frozen in time**

TD's TM system hadn't been meaningfully updated since 2014. Hundreds of thousands of transactions fell completely outside monitoring parameters, not because the patterns were novel, but because nobody updated the rules. A decade of deferred maintenance, $18B in suspicious volume.

**Failure 2 — Internal incentives suppressed escalation**

When analysts did flag suspicious activity, the bank's internal culture, which the DOJ characterized as prioritizing "convenience over compliance", actively worked against SAR filings. Customer retention mattered more than escalation. That's not a training problem. That's a governance problem.

**Failure 3 — Bribery at the branch level**

Five TD branch employees were bribed with approximately $57,000 in gift cards and cash to open fraudulent accounts and suppress escalations. That's not an isolated rogue actor situation, that's a cultural environment that made bribery feel like a viable option.

**Failure 4 — No meaningful independent testing**

The consent orders make clear that TD's independent testing function wasn't catching any of this. Either the testing wasn't genuinely independent, wasn't sufficiently scoped, or the findings weren't being escalated effectively.

**Failure 5 — The Fed noticed what the fines couldn't fix**

The Federal Reserve imposed an asset cap on TD Bank, only the second time that penalty has been applied to a major US bank. An asset cap isn't a fine. It's an operational constraint that limits growth until the Fed is satisfied with remediation. That's the penalty that actually changes board-level behavior.

---

**The "convenience over compliance" problem**

That phrase, appearing explicitly in the DOJ consent order, is worth sitting with. It's not just a characterization of TD Bank. It's a signal about how the DOJ intends to frame AML failures going forward.

If your institution's SAR filing volumes don't correlate with its risk profile, if escalation rates are anomalously low, if frontline staff understand that customer retention matters more than escalation, that pattern now has a name in federal enforcement documents. And that name is going to show up in the next examination.

---

**Discussion question:** The TM system not being updated for a decade is the detail that stands out most to us. In your experience, what's the actual barrier to keeping TM rules current; is it budget, competing priorities, model validation requirements, or something else?

---

*We cover enforcement actions like this one every Tuesday in The AML Brief — free newsletter at theamlbrief.beehiiv.com if this kind of breakdown is useful to you.*

u/TheAMLBrief — 2 months ago