CALIFORNIA PACIFIC BANK v. F.D.I.C.

OPINION

GRITZNER, District Judge:

California Pacific Bank (the Bank) appeals the issuance of a cease and desist order by the Board of Directors of the Federal Deposit Insurance Corporation (FDIC). The FDIC Board, which adopted in full the Recommended Decision of the Administrative Law Judge (ALJ), found that the Bank violated the Bank Secrecy Act (BSA), 31 U.S.C. §§ 5311-5330, and ordered the Bank to implement a corresponding plan to bring the Bank into compliance. The FDIC Board concluded that the Bank did not comply with the BSA's implementing regulations because it failed to establish and maintain procedures designed to ensure adequate internal controls, independent testing, administration, and training. The Bank filed a timely petition for review, challenging the constitutionality of the BSA and its implementing regulations and alleging that the FDIC Board's decision is not supported by substantial evidence. We deny the Bank's petition for review.

I. BACKGROUND

The BSA establishes, among other things, the recordkeeping and reporting requirements for private individuals, banks, and other financial institutions. 31 U.S.C. §§ 5311-5330; 12 U.S.C. §§ 1829b and 1951-1959. The BSA was enacted in 1970 as Title II of the Bank Records and Foreign Transactions Act, which was a response to rising Congressional concern over the use of foreign banks to launder the proceeds of illegal activity and evade federal income taxes. Pursuant to its purpose of identifying the source, volume, and movement of currency and other monetary instruments into and out of the United States or deposited into financial institutions, the BSA requires banks and other financial institutions to maintain a paper trail by keeping appropriate records of financial transactions.

To ensure compliance, Section 8(s) of the Federal Deposit Insurance Act directs the FDIC to issue regulations requiring banks to maintain a BSA compliance program, to review the program during bank examinations, to describe any problems with the program in its report of examination (ROE), and to state in that report whether a bank has failed to correct any problem with its program. 12 U.S.C. § 1818(s). In the event that a bank fails to correct any problem with its BSA compliance that the FDIC previously brought to its attention, the FDIC is required to issue a cease and desist order against the bank. 12 U.S.C. § 1818(s)(3)(B). FDIC regulations require that all insured nonmember banks "establish and maintain procedures reasonably designed to assure and monitor their compliance with the requirements of" the BSA and its implementing regulations. 12 C.F.R. § 326.8(a). Section 326.8(c) outlines the "four pillars" of compliance, which require that insured nonmember banks, at minimum,

The failure of any individual pillar can result in the FDIC deeming a bank noncompliant with the BSA. The Federal Financial Institutions Examination Council (FFIEC) Manual clarifies compliance requirements and provides for consistent examination procedures.1 In January 2012, the Bank issued its revised "Bank Secrecy Act/Anti-Money Laundering Program Risk Assessment" Manual (Bank BSA Policy Manual), which serves as the Bank's in-house guide for BSA compliance.

As defined by the BSA, the Bank is a "State non-member bank" and an "insured depository institution." 12 U.S.C. § 1813(c)(2) and (e)(2). The Bank is a community bank with offices in San Francisco and Fremont, California. In 2012, the Bank had fewer than fifteen employees, approximately 200 customers, and approximately 500 deposit accounts. The Bank's customer base consists of a significant number of import-export customers, accounts held by non-resident aliens, and accounts with international transactions.

In July 2010, FDIC Examiner Heather Rawlins conducted a safety and soundness examination of the Bank. Rawlins deemed the Bank's BSA program satisfactory but identified several areas that "must be corrected." Among the corrective requirements were that the Bank document its director training and incorporate a method of testing employees' knowledge of training; designate new customers that have high levels of activity as high risk for at least six months; monitor and analyze aggregate activity for at least three months to establish a pattern of activity; and increase the risk rating for the customer base. Rawlins reviewed the results of the examination with the Bank's CEO, Richard Chi, and the Bank's third-party auditor, Joan Vivaldo. The Bank's management agreed to the recommendations.

During 2011, at least four individuals served sequentially as the Bank's BSA compliance officer (BSA Officer). In August 2011, Alan Chi, CEO Richard Chi's son, became acting BSA Officer without the Bank's Board of Directors interviewing for the position. Further, the Bank's Board of Directors did not recruit anyone else for the vacancy. Following election by the Bank's Board of Directors in January 2012, Alan Chi became the Bank's permanent BSA Administrator, in addition to the Bank's Senior Vice President, Senior Credit Officer, Chief Financial Officer, Internal Auditor, and Operations Compliance Officer.

After becoming acting BSA Officer in 2011, Alan Chi revised the Bank's new customer deposit account risk assessment form. Under the revised form, accounts would be downgraded (assessed a lower score on the risk-point scale) if a customer already maintained an account at the bank or if a customer had been referred to the Bank by an employee or well-known customer. Vivaldo criticized the revised scoring methodology, and in correspondence with Alan Chi, noted that this methodology failed to identify three new high risk deposit accounts. Vivaldo commented that Alan Chi's use of an automatic twelve point reduction for certain customers "could turn around and bite them someday." Vivaldo informed Alan Chi that if he ignored her, he would be left "to the tender mercies of the FDIC." Alan Chi replied that he deemed the lower risk rating satisfactory, given his longstanding knowledge of the customers. In a follow-up communication, Vivaldo flagged the potential for the FDIC to criticize the Bank for failing to report high risk accounts. This prompted Alan Chi to further revise his risk assessment form. In the updated version, accounts would be downgraded only if directly related to any loan or existing deposit account. Vivaldo's concerns persisted: "Again, I suggest you lower the score tiers to pre July 2011 levels. With the proposed ranges, almost no account will be medium risk or high risk. An unnatural system. The FDIC recommended the pre July 2011 scoring tiers."

Alan Chi also revised the risk assessment form the Bank used to assess its own risk. Using this altered methodology resulted in the Bank having a "low," rather than "medium to high," overall risk rating. Vivaldo disagreed with the new methodology.

FDIC examiner Rawlins performed another examination of the Bank beginning on December 3, 2012, which used the Bank's information as of September 30, 2012. The FDIC's 2012 ROE concluded that the Bank failed to administer a BSA compliance program in accordance with the four pillars and failed to file a Suspicious Activity Report (SAR) where one was needed.

Rawlins assessed the Bank's progress for the first BSA pillar, internal controls, by selecting twenty-four deposit accounts for review. Rawlins found that the information contained within sixteen of the accounts was incomplete and that activity in those accounts was higher than expected. Although Alan Chi informed Rawlins that the Bank's loan accounts contained additional information, Rawlins reviewed only the deposit accounts. Rawlins echoed Vivaldo's concerns regarding the Bank's revised risk ratings. Rawlins discovered that the Bank had persisted with daily batch reviews of account activity, rather than adopting Rawlins' recommendation for longer-term monitoring. The Bank's loan documentation revealed four site visits between August 2009 and May 2012, only one of which occurred after Alan Chi became acting BSA Officer. Rawlins considered Alan Chi's due diligence with respect to site visits to be inadequate. Alan Chi testified at the ALJ hearing that he kept his BSA assessments relating to the site visits "in my head, as well as [the heads of] the other officers that went with me."

The FDIC's review of the second pillar, independent testing, centered on Vivaldo. Vivaldo was the Bank's internal auditor from 2005 through the second quarter of 2012 and performed quarterly reviews. Prior to the 2012 review, FDIC examiners had not criticized Vivaldo's methods. Nonetheless, Rawlins deemed Vivaldo's 2012 review inadequate. Rawlins noted that Vivaldo's 2012 report failed to assess Alan Chi's qualifications as BSA Officer, to assess the sufficiency of the Bank's compliance training, or to identify the deficiencies relating to risk rating and customer monitoring that the examiners discovered during the 2010 examination and continued in the 2012 examination. Rawlins also considered Vivaldo's role with the Bank to be a conflict of interest. Although Vivaldo was the Bank's designated auditor, her engagement agreement with the Bank identified her role as "consultant," and she provided monthly BSA administrator reports directly to the Bank's Board of Directors. Vivaldo also drafted the Bank's BSA Policy Manual in 2006 and recommended yearly updates.

The FDIC's review of the third pillar, administration, centered on Alan Chi. Alan Chi had received no training in BSA compliance before taking over as BSA Officer in August 2011. After his appointment, he attended several Independent Community Bankers of America courses and completed a webinar. He also gained familiarity with the BSA through interactions with the FDIC and review of FDIC reports. Rawlins determined that this was inadequate experience to administer the Bank's BSA compliance program. Rawlins also concluded that Alan Chi could not dedicate sufficient time to compliance amidst his many roles at the Bank. Rawlins believed that sharing BSA and credit responsibilities created a conflict of interest and inhibited Alan Chi's ability to assess the Bank's compliance efforts objectively.

With regard to the fourth pillar, training, Alan Chi offered presentations to Bank staff on customer identification, currency transaction reporting, anti-money laundering, identity theft, and unlawful internet gambling. He also provided employees with copies of the Bank's BSA Policy Manual and tested their knowledge through quizzes. Employees were expected to attend a webinar, which Rawlins considered rudimentary. Rawlins found that the Bank's training materials were not tailored to specific job functions. Rawlins concluded that Alan Chi was an inadequate BSA Officer who was not qualified to serve as the sole person responsible for BSA compliance training, thus rendering the training insufficient.

In addition to her review of the Bank's compliance with the four pillars, Rawlins noticed that the Bank did not file a SAR or document its decision not to file a SAR relating to several transactions.2 In 2011 and 2012, the Bank received grand jury subpoenas seeking information on several customers who were part of a Federal Bureau of Investigation (FBI) investigation into international espionage and misappropriation of trade secrets. The Department of Justice (DOJ) directed the Bank to "maintain the utmost secrecy with regard to this Federal grand jury subpoena." Alan Chi interpreted this to mean that he could not disclose any aspect of the FBI investigation and decided not to file a SAR. Rawlins' draft 2012 ROE concluded that the Bank should have filed a SAR pursuant to 12 C.F.R. § 353.3(a)(4), describing at a general level the suspicious transactions of the customers who were under investigation. Although Edmund Wong, Rawlins' immediate supervisor, initially disagreed, he ultimately concluded that the Bank should have filed a SAR after Wong discovered evidence of a so-called "layering scheme" involving several customers.

After the Bank refused to agree to a consent order following the 2012 examination, the FDIC issued a notice of charges seeking to impose a cease and desist order against the Bank. The Bank's Answer denied the material allegations contained in the notice. The ALJ, C. Richard Miserendino, conducted a four-day hearing in San Francisco. The ALJ's Recommended Decision concluded that the Bank had violated the BSA and its implementing regulations. The ALJ found the Bank's ancillary defenses that the BSA regulations and the FDIC's alleged bias violated the Bank's due process rights were unavailing. The ALJ recommended the issuance of a cease and desist order. The FDIC Board affirmed the ALJ's Recommended Decision and issued a cease and desist order.3 The Bank timely filed this petition for review.

II. STANDARD OF REVIEW

"Whether a statute or regulation is unconstitutionally vague is a question of law and the standard of review is de novo." United States v. Helmy, 951 F.2d 988, 993 (9th Cir. 1991) (citation omitted). Due process challenges are also subject to de novo review. Lord Jim's v. NLRB, 772 F.2d 1446, 1448 (9th Cir. 1985).

Under the Administrative Procedure Act (APA), agency action must be set aside if it is "arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law" or if it is "unsupported by substantial evidence." 5 U.S.C. § 706(2)(A) and (E). "Substantial evidence is more than a mere scintilla but less than a preponderance; it is such relevant evidence as a reasonable mind might accept as adequate to support a conclusion." De La Fuente v. FDIC, 332 F.3d 1208, 1220 (9th Cir. 2003) (citation omitted). The substantial evidence standard requires that this court review the administrative record as a whole, weighing both the evidence that supports and the evidence that detracts from the ALJ's conclusion. Andrews v. Shalala, 53 F.3d 1035, 1039 (9th Cir. 1995). The ALJ is responsible for determining credibility and resolving ambiguities when relevant. Id. The APA's standard of review is "highly deferential, presuming the agency action to be valid and affirming the agency action if a reasonable basis exists for its decision." Indep. Acceptance Co. v. California, 204 F.3d 1247, 1251 (9th Cir. 2000) (citation omitted).

III. DISCUSSION

A. Constitutional Challenges

The Bank advances two constitutional challenges. The Bank first challenges that the BSA and its implementing regulations are unconstitutionally vague. The Bank's second constitutional challenge is that the FDIC conducted a biased investigation that violated the Bank's due process rights.

1. Waiver

As a preliminary matter, the FDIC argues that the Bank's constitutional challenges were waived because they were inadequately briefed. In resistance, the Bank argues that it did not waive its constitutional challenges, as its brief cited Supreme Court decisions and facts from the record that support its constitutional challenges.

Federal Rule of Appellate Procedure 28(a)(8)(A) requires that the argument section of a brief contain "appellant's contentions and the reasons for them, with citations to the authorities and parts of the record on which the appellant relies." We have held that arguments are waived where the appellant does not present any argument to support its assertions and cites no authority. United States v. Alonso, 48 F.3d 1536, 1544-45 (9th Cir. 1995). Inadequately briefed and perfunctory arguments are also waived. United Nurses Assocs. of Cal. v. NLRB, 871 F.3d 767, 780 (9th Cir. 2017).

In support of its constitutional vagueness challenge, the Bank cites 12 C.F.R. § 326.8(c) (the FDIC's four pillars regulation) and three Supreme Court decisions that discuss vagueness. The Bank also cites passages from the record comparing the 2010 and 2012 ROE findings. In addition, the Bank references the ALJ's finding that the FFIEC Manual is not entitled to Chevron deference. The Bank's argument relating to FDIC bias, while similarly abbreviated, cites to the record and references a Supreme Court case. For both constitutional arguments, the Bank cites valid legal authorities and references the record, and therefore has at least minimally preserved its constitutional challenges. See Fed. R. App. P. 28(8)(A); Alonso, 48 F.3d at 1544.

2. Vagueness

Turning to the merits of the constitutional challenges, the Bank argues that the BSA is unconstitutionally vague because neither the statute nor its implementing regulations were precise enough to inform the Bank of its required conduct. The Bank also contends that the statute and regulations are unconstitutionally vague because the FDIC can arbitrarily determine whether BSA compliance procedures are sufficient. The Bank further argues that the FFIEC Manual cannot clarify compliance procedures because the FFIEC Manual lacks the force and effect of law.

"To pass constitutional muster against a vagueness attack, a statute must give a person of ordinary intelligence adequate notice of the conduct it proscribes." Craft v. Nat'l Park Serv., 34 F.3d 918, 921 (9th Cir. 1994) (quoting United States v. 594,464 Pounds of Salmon, 871 F.2d 824, 829 (9th Cir. 1989)). Various factors affect our analysis, including "whether or not the statute at issue (1) involved only economic regulation, (2) contained only civil, not criminal penalties, (3) contained a scienter requirement, ... and (4) threatened any constitutionally protected rights." Hanlester Network v. Shalala, 51 F.3d 1390, 1398 (9th Cir. 1995) (citing Vill. of Hoffman Estates v. Flipside, Hoffman Estates, Inc., 455 U.S. 489, 498-99, 102 S.Ct. 1186, 71 L.Ed.2d 362 (1982)). "Further, exactness can be achieved not just on the face of the statute, but also through limiting constructions given to the statute by the ... enforcement agency." Hess v. Bd. of Parole & Post-Prison Supervision, 514 F.3d 909, 914 (9th Cir. 2008).

Where economic regulation is involved, vagueness is less of a concern because "the regulated enterprise may have the ability to clarify the meaning of the regulation by its own inquiry, or by resort to an administrative process." United States v. Doremus, 888 F.2d 630, 634-35 (9th Cir. 1989) (quoting Hoffman Estates, 455 U.S. at 498, 102 S.Ct. 1186). "In considering whether an administrative regulation is unconstitutionally vague, the reviewing court must assess it within the context of the particular conduct to which it is being applied." Great Am. Houseboat Co. v. United States, 780 F.2d 741, 747 (9th Cir. 1986) (citing United States v. Nat'l Dairy Prods. Corp., 372 U.S. 29, 33-36, 83 S.Ct. 594, 9 L.Ed.2d 561 (1963)). We must consider if the regulation "applies to `a select group of persons having specialized knowledge.'" United States v. Elias, 269 F.3d 1003, 1015 (9th Cir. 2001) (quoting United States v. Weitzenhoff, 35 F.3d 1275, 1289 (9th Cir. 1993)).

"Interpretations such as those in opinion letters — like interpretations contained in policy statements, agency manuals, and enforcement guidelines, all of which lack the force of law — do not warrant Chevron-style deference." Christensen v. Harris Cty., 529 U.S. 576, 587, 120 S.Ct. 1655, 146 L.Ed.2d 621 (2000). However, an agency-issued instruction manual, even if lacking the force of law itself, can clarify what conduct is expected of a person subject to a particular regulation and thus mitigate against vagueness. See Pinnock v. Int'l House of Pancakes Franchisee, 844 F.Supp. 574, 581 (S.D. Cal. 1993) (citing Ward v. Rock Against Racism, 491 U.S. 781, 795, 109 S.Ct. 2746, 105 L.Ed.2d 661 (1989); Hoffman Estates, 455 U.S. at 502, 504, 102 S.Ct. 1186; Grayned v. City of Rockford, 408 U.S. 104, 110, 92 S.Ct. 2294, 33 L.Ed.2d 222 (1972)); accord United States v. Woodley, 9 F.3d 774, 778 (9th Cir. 1993) (rejecting a vagueness challenge to Health Care Financing Administration's "related party regulation" based, in part, on the fact that the regulation referenced a "Provider Reimbursement Manual" that had been issued by the Department of Health and Human Services); Magic Valley Potato Shippers, Inc. v. Sec'y of Agric., 702 F.2d 840, 841-42 (9th Cir. 1983) (per curiam) (rejecting a vagueness challenge to a Department of Agriculture regulation based, in part, on the availability of "instructional manuals" issued by that agency).

Not only are the BSA and FDIC's implementing regulations economic in nature and threaten no constitutionally protected rights, but it is clear that a detailed manual issued by agencies with enforcement authority, such as the FFIEC Manual, can put regulated banks on notice of expected conduct. The BSA authorizes the FDIC to review banks for compliance. 12 U.S.C. § 1818(s). The FFIEC Manual frames the examiners' expectations in anticipation of routine compliance checks. The Bank knew these expectations. Indeed, the FDIC Board found that provisions of the FFIEC Manual were incorporated in the Bank's own BSA Policy Manual, and copies of the FFIEC Manual were found scattered throughout the Bank. A BSA Officer at the Bank bearing the requisite "specialized knowledge" would understand that compliance with the FFIEC Manual ensures compliance with the BSA. See Elias, 269 F.3d at 1015. The BSA and its implementing regulations are not unconstitutionally vague.

3. Investigative Bias

The Bank's second constitutional challenge is that the FDIC violated its due process rights by conducting a biased investigation. The Bank argues that comments made by examiners charged with assisting in the investigation demonstrate that the 2012 examination was predetermined. As examples of bias, the Bank points to Rawlins' decision to disregard the Bank's loan files when she was reviewing the Bank's deposit files for due diligence information, her criticism of Alan Chi for not filing a SAR, and her refusal to look at Vivaldo's Fourth Quarter 2011 Report. The Bank also asserts that bias was demonstrated by the ALJ's failure to consider the 2010 ROE, which concluded that the Bank's BSA program was generally adequate. The FDIC counters that the Bank's unconstitutional bias charge fails as a matter of law and as a matter of fact.

"[W]hen governmental agencies adjudicate or make binding determinations which directly affect the legal rights of individuals, it is imperative that those agencies use the procedures which have traditionally been associated with the judicial process." Hannah v. Larche, 363 U.S. 420, 442, 80 S.Ct. 1502, 4 L.Ed.2d 1307 (1960). However, "when a general fact-finding investigation is being conducted, it is not necessary that the full panoply of judicial procedures be used." Id. "Whether the Constitution requires that a particular right obtain in a specific proceeding depends upon a complexity of factors. The nature of the alleged right involved, the nature of the proceeding, and the possible burden on that proceeding, are all consider[ed]." Id. Inherent in an agency's power of investigation is the authority "to prevent the sterilization of investigations by burdening them with trial-like procedures." Id. at 448, 80 S.Ct. 1502. Administrative prosecutors are thus "accorded wide discretion" and "need not be entirely `neutral and detached.'"4 Marshall v. Jerrico, Inc., 446 U.S. 238, 248, 100 S.Ct. 1610, 64 L.Ed.2d 182 (1980) (quoting Ward v. Vill. of Monroeville, 409 U.S. 57, 62, 93 S.Ct. 80, 34 L.Ed.2d 267 (1972)). However, the Supreme Court has advised that we should be chary of schemes that inject "a personal interest, financial or otherwise, into the enforcement process [which] may bring irrelevant or impermissible factors into the prosecutorial decision and in some contexts raise serious constitutional questions." Id. at 249-50, 100 S.Ct. 1610. In the event there was no scheme injecting a personal or financial interest into the FDIC examiners' investigation, and in the event the Bank received neutral adjudicatory review by the ALJ and the FDIC Board, the Bank's due process rights were not violated.

The FDIC examiners' function is exclusively fact-finding. Thus, their review of the Bank during the 2012 examination need not have been "neutral and detached." See id. at 248, 100 S.Ct. 1610 (quoting Ward, 409 U.S. at 62, 93 S.Ct. 80). Even were the Bank correct in pointing to examiner comments and Rawlins' examination protocol as examples of bias, the Bank has failed to demonstrate that the FDIC examiners worked under a scheme which injected a personal or financial interest into their enforcement efforts. Moreover, the Bank participated in an ALJ hearing, during which it could cross-examine the FDIC's allegedly biased examiners, and the FDIC Board reviewed the ALJ's findings. The Bank's charge that the FDIC examiners were unconstitutionally biased is unavailing.

The Bank further argues that the ALJ was biased, specifically noting that the ALJ failed to consider the 2010 ROE. Contrary to the Bank's challenge, the ALJ did consider the 2010 ROE. The ALJ noted that, while the Bank's compliance was generally adequate, the 2010 ROE concluded "there were a number of areas that needed improvement, particularly given the Bank's risk profile." Cal. Pac. Bank, 2016 WL 2997645, at *20. The ALJ highlighted two places where the Bank came up short in implementing the 2010 ROE: by failing to monitor and aggregate activity in high risk accounts and by improperly lowering its self-assessed risk rating. The Bank's charge that the ALJ failed to consider the 2010 ROE is contradicted by the record. There are no other allegations of bias relating to the ALJ. And in reviewing the record, we find that the ALJ's extensive four-day hearing was conducted in a fair, impartial, and efficient manner as FDIC regulations require. 12 C.F.R. § 308.5(a).

Neither the FDIC's investigation nor the ALJ was unconstitutionally biased against the Bank.

B. The FDIC Board's BSA Compliance Findings

Under the APA, agency action can be set aside only if "arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law" or "unsupported by substantial evidence." 5 U.S.C. § 706(2)(A) and (E). The APA's standard is "highly deferential." Indep. Acceptance Co., 204 F.3d at 1251. The FDIC Board adopted in full the ALJ's findings, which looked to the FFIEC Manual as an authority on compliance with the FDIC's four pillars regulation. The FDIC Board found that the Bank failed to comply with the four pillars of BSA compliance: adequate controls, independent testing, administration, and training. The FDIC Board further found that the Bank did not file a SAR where one was required. The Bank argues that the FDIC Board erred with each of these decisions.

1. FDIC Reference to the FFIEC Manual

The Bank takes issue with the FDIC's use of the FFIEC Manual as relevant authority in interpreting what the four pillars regulation required of the Bank. The Bank argues that the FDIC Board's reliance on the guidance and recommendations found in the FFIEC Manual was not in accordance with the law, as the FFIEC Manual could not impose legal obligations on the Bank. The FDIC counters that an agency may properly rely on, and clarify regulations with, an instructional manual promulgated to provide guidance on what is required by the regulation it administers.

Under Auer v. Robbins, 519 U.S. 452, 117 S.Ct. 905, 137 L.Ed.2d 79 (1997), an agency's interpretation of its own regulations is "controlling unless plainly erroneous or inconsistent with the regulation." Id. at 461, 117 S.Ct. 905 (citation and internal quotation marks omitted). "Under Auer ... the court must first determine whether the regulation was ambiguous." Bassiri v. Xerox Corp., 463 F.3d 927, 931 (9th Cir. 2006) (citing Christensen, 529 U.S. at 588, 120 S.Ct. 1655). Ambiguous regulations include those that are "not entirely `free from doubt,'" id. (quoting Providence Health System-Washington v. Thompson, 353 F.3d 661, 665 (9th Cir. 2003)), or "susceptible to different interpretations and ... discretionary elements," Siskiyou Regional Education Project v. U.S. Forest Service, 565 F.3d 545, 557 (9th Cir. 2009). If the regulation in question is ambiguous, we defer to the agency's interpretation unless "an alternative reading is compelled by the regulation's plain language or by other indications of the [agency's] intent at the time of the regulation's promulgation." Bassiri, 463 F.3d at 931 (alteration in original) (quoting Thomas Jefferson Univ. v. Shalala, 512 U.S. 504, 512, 114 S.Ct. 2381, 129 L.Ed.2d 405 (1994)). An agency's interpretation of its own regulation can be advanced through informal means, including an agency manual. See Pub. Lands for the People, Inc. v. U.S. Dep't of Agric., 697 F.3d 1192, 1199 (9th Cir. 2012) (according "wide deference" to the U.S. Forest Service's interpretation of a regulation contained in the "Forest Service Manual").

The FDIC's four pillars regulation is ambiguous. The four pillars are not entirely "free from doubt," given the complexity of BSA compliance and the need for FDIC officials to conduct administrative examinations of bank BSA programs. See Bassiri, 463 F.3d at 931. That banks can design different compliance programs further demonstrates that the four pillars are "susceptible to different interpretations." See Siskiyou, 565 F.3d at 557.

In Financial Institution Letter 17-2010, the FDIC announced the release of the 2010 version of the FFIEC Manual. Though the FFIEC Manual was written collaboratively among multiple federal and state agencies, the Letter clarified that the FFIEC Manual contained the FDIC's supervisory expectations with respect to BSA compliance. We must thus defer to the FFIEC Manual unless it is "plainly erroneous or inconsistent" with the FDIC's four pillars regulation, or unless "an alternative reading is compelled by the regulation's plain language." Auer, 519 U.S. at 461, 117 S.Ct. 905; Bassiri, 463 F.3d at 931 (quoting Thomas Jefferson, 512 U.S. at 512, 114 S.Ct. 2381); Pub. Lands, 697 F.3d at 1199. As the ALJ noted, the FFIEC Manual is "a uniformly recognized `authority' on BSA policies, procedures, and processes" with "[e]ach section serv[ing] as a platform for the BSA/AML examination and, for the most part, address[ing] the legal and regulatory requirements of the BSA/AML compliance program." Cal. Pac. Bank, 2016 WL 2997645, at *36. As explained in the next section, the FFIEC Manual defines and provides clarifying guidance on each of the four pillars. Rawlins testified that FDIC examiners and banks alike use the FFIEC Manual as a roadmap for banks' compliance with the four pillars. Fittingly, Vivaldo also described the FFIEC Manual as an authority for BSA compliance, and the Bank's own BSA Policy Manual repeatedly referenced the FFIEC Manual. The FFIEC Manual is not plainly erroneous or inconsistent with the FDIC's four pillars regulation. Nor is an alternative reading compelled by the plain language of 12 C.F.R. § 326.8(c), given the generalized framing of the four pillars. The FFIEC Manual must receive Auer deference.

The FDIC Board acted in accordance with the law in referencing the FFIEC Manual to clarify the four pillars analysis for determining violations of the BSA.

2. The Four Pillars

The Bank next argues that the FDIC Board's determination that the Bank failed to comply with each of the BSA's four pillars — internal controls, independent testing, administration, and training — is not supported by substantial evidence.

a. Internal Controls

The first pillar of BSA compliance requires that banks "[p]rovide for a system of internal controls to assure ongoing compliance." 12 C.F.R. § 326.8(c)(1). The FFIEC Manual advises that "[t]he level of sophistication of the internal controls should be commensurate with the size, structure, risks, and complexity of the bank." The FFIEC Manual provides that banks are required to maintain controls that identify vulnerabilities and monitor the bank's risk profile.

The FDIC Board adopted the ALJ's findings that the Bank failed to conduct and document adequate customer due diligence, to identify certain customers as high risk, to conduct adequate site visits, and to sufficiently monitor accounts for suspicious activity. The Bank argues that the FDIC Board's decision is not supported by substantial evidence. The Bank asserts that its deposit and loan documentation, as well as its review of daily batch reports, demonstrate that it adequately evaluated and monitored its depositors. The Bank also argues that its site visits were sufficiently documented in its loan files and that the 2010 ROE recommendations were either complied with or were unnecessary.

Although Rawlins deemed the Bank's overall compliance satisfactory in her 2010 ROE, she identified several areas that "must be corrected." In the event a bank "has failed to correct any problem" with BSA compliance that was previously brought to its attention, the FDIC shall issue a cease and desist order against the bank. 12 U.S.C. § 1818(s)(3)(B) (emphasis added).

The FDIC Board found that the Bank failed to adequately collect, document, and update BSA-relevant information about its depositors, as shown by the lack of information in the Bank's deposit account files. During her 2012 examination, Rawlins reviewed twenty-four deposit accounts. Although eight were adequate, Rawlins determined that the information contained within the remaining sixteen was incomplete, with account activity significantly higher than expected. The Bank argues that Rawlins failed to consider the Bank's loan files, which it asserts provided the information that was absent from the twenty-four accounts reviewed by Rawlins. Rawlins focused on the Bank's deposit files, not its loan files, since suspicious account activity was more likely to be found in the deposit files. Loan files, by contrast, generally focus on a customer's creditworthiness rather than on the sources of funds deposited into a bank. The Bank's BSA Policy Manual also provided that deposit accounts should be the locus of risk assessment and that depositors' loan files would be copied into the Bank's deposit account files. The FDIC's Board's finding that the Bank did not sufficiently document its depositors is supported by substantial evidence.

The FDIC Board also found that the Bank failed to adequately monitor depositors' activity. Regarding the monitoring requirement, the FFIEC Manual provides that review of customer accounts can involve either daily reports or reports covering a period of time. However, this choice bears the caveat that "[t]he type and frequency of reviews and resulting reports used should be commensurate with the bank's BSA/AML risk profile and appropriately cover its higher-risk products, services, customers, entities, and geographic locations." The 2010 ROE determined that for certain customers the Bank needed to monitor and analyze aggregate activity over three months or more to establish a pattern of activity, rather than rely on daily reports to monitor those customers. The Bank, however, persisted with daily batch reviews of account activity. The FDIC Board's finding that, by failing to monitor long-term activity, the Bank contravened the 2010 ROE is supported by substantial evidence.

The FDIC Board also found that the Bank failed to properly risk-rate its depositors' accounts. The 2010 ROE directed that the Bank designate new customers with high levels of activity as high risk for at least six months and to increase the risk rating for the customer base overall to medium or high risk. Rawlins determined that the Bank's customer base, lack of internal controls, deficient BSA program, and geographic location demonstrated an overall high risk for the Bank.5 Following her 2010 review, Rawlins made clear to Richard Chi and Vivaldo the need for a higher risk assessment, which was tailored to "a bank of their size and their complexity with their risk profile."

After assuming the role of BSA Officer in 2011, Alan Chi revised the Bank's new customer deposit account risk assessment form. Vivaldo advised Alan Chi that the revised risk ratings failed to identify high risk accounts. Alan Chi amended the risk assessment form in light of Vivaldo's criticisms. However, instead of using the FDIC's recommended scoring tiers, he merely altered the circumstances under which customer risk would be downgraded. Alan Chi also revised the risk assessment form the Bank used to assess its own risk, which resulted in a "low" risk rating for the Bank and drew further criticism from Vivaldo. The ALJ found no evidence, nor does the record indicate, that Alan Chi followed through on Vivaldo's guidance. The FDIC Board's finding that the Bank's risk assessment practices did not accord with the 2010 ROE is supported by substantial evidence.

The FDIC Board also found that the Bank failed to document BSA site visits to its customers. The Bank argues that it did conduct site visits, and that documentation relating to the visits was included in its loan files. However, Vivaldo testified that not all of the site visits were documented in the loan files, and Alan Chi testified that he kept BSA assessments "in [his] head." Rawlins considered the Bank's loan site visits inadequate, reasoning that they focused more on credit risk than cash activity. The ALJ found that the Bank's loan documentation revealed just four site visits, only one of which occurred after Alan Chi became the Bank's BSA Officer — a visit that was prompted by a loan application and not a newly opened deposit account. The FDIC Board's finding that the site visits did not reflect adequate monitoring is supported by substantial evidence.

The Bank's failure to correct problems with its internal controls that were previously brought to its attention in the 2010 ROE, on its own, required the FDIC to issue a cease and desist order against the Bank. 12 U.S.C. § 1818(s)(3)(B). As repeatedly noted, the Bank's failure to address corrective measures from the 2010 ROE is a material factor in reaching the substantial evidence threshold. De La Fuente, 332 F.3d at 1220 ("Substantial evidence... is such relevant evidence as a reasonable mind might accept as adequate to support a conclusion."). The FDIC Board's determination that the Bank did not maintain adequate internal controls, and thus, did not comply with the BSA, is supported by substantial evidence.6

b. Independent Testing

The second pillar of compliance requires that banks "[p]rovide for independent testing for compliance to be conducted by bank personnel or by an outside party." 12 C.F.R. § 326.8(c)(2). The FFIEC Manual provides that "independent testing" includes, at a minimum, providing sufficient information to allow a reviewer "to reach a conclusion about the overall quality of the BSA/AML compliance program." The FFIEC Manual further provides that an auditor "must not be involved in any part of the bank's BSA/AML compliance program." The FDIC Board adopted the ALJ's findings that Vivaldo's 2012 Quarterly Report was deficient and that the Bank's independent testing was inadequate. The Bank argues that this decision is not supported by substantial evidence.

The Bank argues that the examiners failed to consider Vivaldo's Fourth Quarter 2011 Report, which it asserts concluded that the Bank's performance was satisfactory. At the ALJ hearing, however, Vivaldo conceded that, while the Fourth Quarter 2011 Report described certain components of the Bank's BSA program as "satisfactory," the report lacked an explicit conclusion with respect to the BSA program as a whole.

Moreover, despite Rawlins' request for copies of any audits completed since the 2010 ROE, the Bank provided Rawlins with only one audit report prepared by Vivaldo covering the first two quarters of 2012.7 Rawlins found Vivaldo's review inadequate, as it lacked an overall assessment and failed to identify the deficiencies that had been identified by the FDIC examiners. For example, Vivaldo did not assess Alan Chi's qualifications or review the Bank Board's decision-making in appointing Alan Chi as the Bank's BSA Officer. Although Vivaldo noted the Bank's review of daily batch reports, she did not assess whether this was adequate for monitoring risk. Similarly, while Vivaldo observed that the Bank's staff attended a webinar, she did not assess whether this was adequate training. The FDIC Board's finding that Vivaldo's 2012 report was inadequate is supported by substantial evidence.

Although the FDIC Board primarily based its finding that the Bank's independent testing was inadequate on Vivaldo's 2012 report, the record further suggests that Vivaldo had a conflict of interest. Vivaldo's testimony at the ALJ hearing contradicted her 2011 criticism of Alan Chi's revised risk rating methodology. As noted, in 2011, Vivaldo told Alan Chi that his revised ratings were inadequate and flagged concerns with respect to several customers whose risk scores were underrated. At the ALJ hearing, on the other hand, Vivaldo testified that Alan Chi's revised risk assessment form was "not a bad form at all" and that she thought "they had a very good handle on the activity of their portfolio by virtue of various monitorings they do." In addition to contradicting her contemporaneous criticisms, Vivaldo's role with the Bank was described as "consultant," and she wrote and updated the Bank's BSA Policy Manual. Vivaldo's close involvement with the Bank and its BSA compliance program contravened the FFIEC Manual's guidance on independent testing.

The FDIC Board's decision that Vivaldo did not perform independent testing as required by the BSA is supported by substantial evidence.8

c. Administration

The third pillar of compliance requires that banks "[d]esignate an individual or individuals responsible for coordinating and monitoring day-to-day compliance." 12 C.F.R. § 326.8(c)(3). The FFIEC Manual provides,

The FDIC Board adopted the ALJ's finding that Alan Chi lacked the experience, training, and time to adequately perform as BSA Officer. The Bank argues that this decision was not supported by substantial evidence, asserting that Alan Chi was qualified based on his experience serving in multiple roles at the Bank, his on-the-job training, and his prior interactions with the FDIC. The Bank further argues that Alan Chi's due diligence adhered to the 2010 ROE.9

Alan Chi acknowledged that until taking over as BSA Officer in the summer of 2011, he had received no training in BSA compliance. Alan Chi was appointed without the Bank recruiting or interviewing anyone else, nor did the Bank interview Alan Chi before hiring him as its BSA Officer. Furthermore, the extent of Alan Chi's training for the role included only his attending several Independent Community Bankers of America courses and a webinar. Interactions with the FDIC and review of FDIC reports provided him with some additional on-the-job training. The FDIC Board's findings that Alan Chi was an underqualified candidate, and that his "on-the-job" training did not equip him with the expertise the FFIEC Manual advises a BSA Officer have before assuming the role, is supported by substantial evidence.

In addition to serving as BSA Officer, Alan Chi held five other senior roles at the Bank. Rawlins testified that "not even the most experienced BSA officer would be able to have the time to run an adequate BSA program given this many other duties at the institution."10 Rawlins further concluded that Alan Chi's overlapping loan approval and BSA compliance roles created a conflict of interest, with Alan Chi potentially unwilling to objectively risk-rate longstanding customers.11 Alan Chi admitted that he considered his BSA Officer and Senior Credit Officer roles "an aggregate," and as noted, Alan Chi's revised risk assessment methodology contravened the 2010 ROE. The FDIC Board's finding that Alan Chi lacked the requisite time and independence befitting of an adequate BSA Officer is supported by substantial evidence.

The FDIC Board's decision that Alan Chi was an inadequate BSA Officer, and thus, the Bank did not comply with the BSA, is supported by substantial evidence.

d. Training

The fourth pillar of compliance requires that banks "[p]rovide training for appropriate personnel." 12 C.F.R. § 326.8(c)(4). The FFIEC Manual advises,

The 2010 ROE advised the Bank to test employees' knowledge and document director training. The FDIC adopted the ALJ's findings that the Bank's training was not targeted to each employee's role and was generally inadequate. The Bank argues that this decision is not supported by substantial evidence and asserts that its training materials, including quizzes and presentations, were satisfactory.

To carry out the FDIC's recommendation on training, Alan Chi offered presentations on customer identification, currency transaction reporting, anti-money-laundering, identity theft, and unlawful internet gambling. He also provided the Bank's employees with copies of the Bank's BSA Policy Manual. Alan Chi expected employees to read the manual and perform satisfactorily on the quizzes. Rawlins found that requiring employees to attend a webinar provided only rudimentary BSA training. Although quizzes were administered, the record contains no evidence suggesting that training materials were tailored to specific job functions at the Bank.12 Rawlins also found that given Alan Chi's lack of experience, he was unqualified to serve as the sole person responsible for BSA training.

The FDIC Board's decision that the Bank's inadequate training did not comply with the BSA is supported by substantial evidence.

3. Suspicious Activity Reporting

The FDIC Board affirmed the ALJ's finding that the Bank failed to file a SAR where one was needed and to document its decision on whether or not to file a SAR. The Bank argues that this decision is not supported by substantial evidence. The Bank argues that it could not have been obligated to file a SAR because the FBI and DOJ told the Bank not to disclose any aspect of an ongoing federal criminal investigation. The Bank further contends that the examiners manufactured a new justification for filing a SAR months after the 2012 examination was complete.

Pursuant to 12 C.F.R. § 353.1, an insured state nonmember bank must file a SAR whenever it suspects "a known or suspected criminal violation of federal law or a suspicious transaction related to a money laundering activity or a violation of the Bank Secrecy Act." For transactions of $5000 or more that involve potential money laundering or BSA violations, a SAR must be filed with the appropriate federal law enforcement agencies and the Financial Crimes Enforcement Network, where "[t]he transaction involves funds derived from illegal activities or is intended or conducted in order to hide or disguise funds or assets derived from illegal activities" or "[t]he transaction has no business or apparent lawful purpose or is not the sort of transaction in which the particular customer would normally be expected to engage, and the bank knows of no reasonable explanation for the transaction." Id. § 353.3(a)(4)(i) and (iii). The FFIEC Manual advises banks to review account activity for any customer for whom the bank receives a subpoena and to independently evaluate the need to file a SAR based on the bank's review of those materials. The FFIEC Manual discourages banks from referencing receipt or existence of a grand jury subpoena in the SAR and states that the SAR should only reference any underlying facts supporting the determination that the transaction at issue in the SAR is suspicious.

During 2011 and 2012, the Bank received grand jury subpoenas seeking documentation and other information regarding certain customer transactions. These customers were part of an FBI investigation into international espionage and misappropriation of trade secrets. The FBI executed a search warrant on the Bank and interviewed Alan Chi and other Bank employees regarding these accounts. In early 2012, some of these customers were indicted for economic espionage and theft of trade secrets.

It is undisputed that the Bank did not file a SAR or document its decision not to file a SAR. The only issue is whether the Bank's non-action was excused. The FDIC Board found that the Bank was not legally precluded from filing a SAR. On August 10, 2011, the DOJ sent the Bank a letter, directing the Bank to maintain the utmost secrecy with regard to the federal grand jury subpoena. Alan Chi interpreted this to mean that he could not disclose any aspect of the FBI investigation — including providing notice to regulators of customer activity in a SAR, even if that SAR did not include any mention of the FBI investigation. But this interpretation was erroneous. The Federal grand jury subpoena letter advised that "you and employees of California Pacific Bank [are required to] maintain the utmost secrecy with regard to this Federal grand jury subpoena." In recounting his conversation with an FBI agent, when Alan Chi asked if he could file a SAR, he recalled the agent saying, "Don't mention anything about the subpoena... just don't mention the subpoena." The FFIEC Manual explicitly contemplates the filing of SARs for customer activity that is also subject to law enforcement investigations and subpoenas, which suggests that investigations and subpoenas should often prompt filing SARs. The Bank's BSA Policy Manual reflected this guidance as well. Nothing prevented the Bank from filing a SAR that only referenced the suspicious activity at a general level without mentioning receipt of the subpoenas. The FDIC Board's finding that the Bank was able to file a SAR is supported by substantial evidence.

Rawlins' draft 2012 ROE concluded that the Bank should have filed a SAR pursuant to 12 C.F.R. § 353.3(a)(4)(i) after learning of the indictments. Edmund Wong, Rawlins' immediate supervisor, initially disagreed, and concluded after conducting a second-level review of the ROE that an indictment alone was insufficient to support filing a SAR. However, upon receiving additional information on the accounts, Wong determined that the Bank should have filed a SAR. Wong detected several red flags, including "large dollar" and "round dollar" amounts that were much larger than the anticipated activity in the accounts, large wire transfers, and transactions that lacked any information on source of income, purpose of account, or expected activity — all of which he deemed evidence of a "layering scheme." The FDIC Board's findings that the filing of a SAR was warranted and that the examiners did not manufacture a justification for filing a SAR are supported by substantial evidence.

The FDIC Board's decision that, in failing both to file a SAR and to document its decision not to file a SAR, the Bank violated 12 C.F.R. § 353 and did not comply with the BSA is supported by substantial evidence.

IV. CONCLUSION

We hold that the BSA and its implementing regulations are not unconstitutionally vague, and the FDIC did not exhibit unconstitutional bias against the Bank. We further hold that the FDIC acted in accordance with the law by relying on the FFIEC Manual to clarify its four pillars regulation. The FDIC Board's decisions that the Bank failed to comply with the four pillars and that the Bank failed to file a SAR where one was needed, and thus, that the Bank did not comply with the BSA, are supported by substantial evidence. Accordingly, the Bank's petition for review is denied.

DENIED.