GRITZNER, District Judge:
California Pacific Bank (the Bank) appeals the issuance of a cease and desist order by the Board of Directors of the Federal Deposit Insurance Corporation (FDIC). The FDIC Board, which adopted in full the Recommended Decision of the Administrative Law Judge (ALJ), found that the Bank violated the Bank Secrecy Act (BSA), 31 U.S.C. §§ 5311-5330, and ordered the Bank to implement a corresponding plan to bring the Bank into compliance. The FDIC Board concluded that the Bank did not comply with the BSA's implementing regulations because it failed to establish and maintain procedures designed to ensure adequate internal controls, independent testing, administration, and training. The Bank filed a timely petition for review, challenging the constitutionality of the BSA and its implementing regulations and alleging that the FDIC Board's decision is not supported by substantial evidence. We deny the Bank's petition for review.
The BSA establishes, among other things, the recordkeeping and reporting requirements for private individuals, banks, and other financial institutions. 31 U.S.C. §§ 5311-5330; 12 U.S.C. §§ 1829b and 1951-1959. The BSA was enacted in 1970 as Title II of the Bank Records and Foreign Transactions Act, which was a response to rising Congressional concern over the use of foreign banks to launder the proceeds of illegal activity and evade federal income taxes. Pursuant to its purpose of identifying the source, volume, and movement of currency and other monetary instruments into and out of the United States or deposited into financial institutions, the BSA requires banks and other financial institutions to maintain a paper trail by keeping appropriate records of financial transactions.
To ensure compliance, Section 8(s) of the Federal Deposit Insurance Act directs the FDIC to issue regulations requiring banks to maintain a BSA compliance program, to review the program during bank examinations, to describe any problems with the program in its report of examination (ROE), and to state in that report whether a bank has failed to correct any problem with its program. 12 U.S.C. § 1818(s). In the event that a bank fails to correct any problem with its BSA compliance that the FDIC previously brought to its attention, the FDIC is required to issue a cease and desist order against the bank. 12 U.S.C. § 1818(s)(3)(B). FDIC regulations require that all insured nonmember banks "establish and maintain procedures reasonably designed to assure and monitor their compliance with the requirements of" the BSA and its implementing regulations. 12 C.F.R. § 326.8(a). Section 326.8(c) outlines the "four pillars" of compliance, which require that insured nonmember banks, at minimum,
The failure of any individual pillar can result in the FDIC deeming a bank noncompliant with the BSA. The Federal Financial Institutions Examination Council (FFIEC) Manual clarifies compliance requirements and provides for consistent examination
As defined by the BSA, the Bank is a "State non-member bank" and an "insured depository institution." 12 U.S.C. § 1813(c)(2) and (e)(2). The Bank is a community bank with offices in San Francisco and Fremont, California. In 2012, the Bank had fewer than fifteen employees, approximately 200 customers, and approximately 500 deposit accounts. The Bank's customer base consists of a significant number of import-export customers, accounts held by non-resident aliens, and accounts with international transactions.
In July 2010, FDIC Examiner Heather Rawlins conducted a safety and soundness examination of the Bank. Rawlins deemed the Bank's BSA program satisfactory but identified several areas that "must be corrected." Among the corrective requirements were that the Bank document its director training and incorporate a method of testing employees' knowledge of training; designate new customers that have high levels of activity as high risk for at least six months; monitor and analyze aggregate activity for at least three months to establish a pattern of activity; and increase the risk rating for the customer base. Rawlins reviewed the results of the examination with the Bank's CEO, Richard Chi, and the Bank's third-party auditor, Joan Vivaldo. The Bank's management agreed to the recommendations.
During 2011, at least four individuals served sequentially as the Bank's BSA compliance officer (BSA Officer). In August 2011, Alan Chi, CEO Richard Chi's son, became acting BSA Officer without the Bank's Board of Directors interviewing for the position. Further, the Bank's Board of Directors did not recruit anyone else for the vacancy. Following election by the Bank's Board of Directors in January 2012, Alan Chi became the Bank's permanent BSA Administrator, in addition to the Bank's Senior Vice President, Senior Credit Officer, Chief Financial Officer, Internal Auditor, and Operations Compliance Officer.
After becoming acting BSA Officer in 2011, Alan Chi revised the Bank's new customer deposit account risk assessment form. Under the revised form, accounts would be downgraded (assessed a lower score on the risk-point scale) if a customer already maintained an account at the bank or if a customer had been referred to the Bank by an employee or well-known customer. Vivaldo criticized the revised scoring methodology, and in correspondence with Alan Chi, noted that this methodology failed to identify three new high risk deposit accounts. Vivaldo commented that Alan Chi's use of an automatic twelve point reduction for certain customers "could turn around and bite them someday." Vivaldo informed Alan Chi that if he ignored her, he would be left "to the tender mercies of the FDIC." Alan Chi replied that he deemed the lower risk rating satisfactory, given his longstanding knowledge of the customers. In a follow-up communication, Vivaldo flagged the potential for the FDIC to criticize the Bank for failing to report high risk accounts. This prompted Alan Chi to further revise his risk assessment form. In the updated version, accounts would be downgraded only if directly
Alan Chi also revised the risk assessment form the Bank used to assess its own risk. Using this altered methodology resulted in the Bank having a "low," rather than "medium to high," overall risk rating. Vivaldo disagreed with the new methodology.
FDIC examiner Rawlins performed another examination of the Bank beginning on December 3, 2012, which used the Bank's information as of September 30, 2012. The FDIC's 2012 ROE concluded that the Bank failed to administer a BSA compliance program in accordance with the four pillars and failed to file a Suspicious Activity Report (SAR) where one was needed.
Rawlins assessed the Bank's progress for the first BSA pillar, internal controls, by selecting twenty-four deposit accounts for review. Rawlins found that the information contained within sixteen of the accounts was incomplete and that activity in those accounts was higher than expected. Although Alan Chi informed Rawlins that the Bank's loan accounts contained additional information, Rawlins reviewed only the deposit accounts. Rawlins echoed Vivaldo's concerns regarding the Bank's revised risk ratings. Rawlins discovered that the Bank had persisted with daily batch reviews of account activity, rather than adopting Rawlins' recommendation for longer-term monitoring. The Bank's loan documentation revealed four site visits between August 2009 and May 2012, only one of which occurred after Alan Chi became acting BSA Officer. Rawlins considered Alan Chi's due diligence with respect to site visits to be inadequate. Alan Chi testified at the ALJ hearing that he kept his BSA assessments relating to the site visits "in my head, as well as [the heads of] the other officers that went with me."
The FDIC's review of the second pillar, independent testing, centered on Vivaldo. Vivaldo was the Bank's internal auditor from 2005 through the second quarter of 2012 and performed quarterly reviews. Prior to the 2012 review, FDIC examiners had not criticized Vivaldo's methods. Nonetheless, Rawlins deemed Vivaldo's 2012 review inadequate. Rawlins noted that Vivaldo's 2012 report failed to assess Alan Chi's qualifications as BSA Officer, to assess the sufficiency of the Bank's compliance training, or to identify the deficiencies relating to risk rating and customer monitoring that the examiners discovered during the 2010 examination and continued in the 2012 examination. Rawlins also considered Vivaldo's role with the Bank to be a conflict of interest. Although Vivaldo was the Bank's designated auditor, her engagement agreement with the Bank identified her role as "consultant," and she provided monthly BSA administrator reports directly to the Bank's Board of Directors. Vivaldo also drafted the Bank's BSA Policy Manual in 2006 and recommended yearly updates.
The FDIC's review of the third pillar, administration, centered on Alan Chi. Alan Chi had received no training in BSA compliance before taking over as BSA Officer in August 2011. After his appointment, he attended several Independent Community Bankers of America courses and completed a webinar. He also gained familiarity with the BSA through interactions with the FDIC and review of FDIC reports. Rawlins determined that this was inadequate experience to administer the Bank's BSA compliance program. Rawlins also concluded
With regard to the fourth pillar, training, Alan Chi offered presentations to Bank staff on customer identification, currency transaction reporting, anti-money laundering, identity theft, and unlawful internet gambling. He also provided employees with copies of the Bank's BSA Policy Manual and tested their knowledge through quizzes. Employees were expected to attend a webinar, which Rawlins considered rudimentary. Rawlins found that the Bank's training materials were not tailored to specific job functions. Rawlins concluded that Alan Chi was an inadequate BSA Officer who was not qualified to serve as the sole person responsible for BSA compliance training, thus rendering the training insufficient.
In addition to her review of the Bank's compliance with the four pillars, Rawlins noticed that the Bank did not file a SAR or document its decision not to file a SAR relating to several transactions.
After the Bank refused to agree to a consent order following the 2012 examination, the FDIC issued a notice of charges seeking to impose a cease and desist order against the Bank. The Bank's Answer denied the material allegations contained in the notice. The ALJ, C. Richard Miserendino, conducted a four-day hearing in San Francisco. The ALJ's Recommended Decision concluded that the Bank had violated the BSA and its implementing regulations. The ALJ found the Bank's ancillary defenses that the BSA regulations and the FDIC's alleged bias violated the Bank's due process rights were unavailing. The ALJ recommended the issuance of a cease and desist order. The FDIC Board affirmed the ALJ's Recommended Decision and issued a cease and desist order.
II. STANDARD OF REVIEW
"Whether a statute or regulation is unconstitutionally vague is a question of law and the standard of review is de novo." United States v. Helmy, 951 F.2d 988, 993 (9th Cir. 1991) (citation omitted). Due process
Under the Administrative Procedure Act (APA), agency action must be set aside if it is "arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law" or if it is "unsupported by substantial evidence." 5 U.S.C. § 706(2)(A) and (E). "Substantial evidence is more than a mere scintilla but less than a preponderance; it is such relevant evidence as a reasonable mind might accept as adequate to support a conclusion." De La Fuente v. FDIC, 332 F.3d 1208, 1220 (9th Cir. 2003) (citation omitted). The substantial evidence standard requires that this court review the administrative record as a whole, weighing both the evidence that supports and the evidence that detracts from the ALJ's conclusion. Andrews v. Shalala, 53 F.3d 1035, 1039 (9th Cir. 1995). The ALJ is responsible for determining credibility and resolving ambiguities when relevant. Id. The APA's standard of review is "highly deferential, presuming the agency action to be valid and affirming the agency action if a reasonable basis exists for its decision." Indep. Acceptance Co. v. California, 204 F.3d 1247, 1251 (9th Cir. 2000) (citation omitted).
A. Constitutional Challenges
The Bank advances two constitutional challenges. The Bank first challenges that the BSA and its implementing regulations are unconstitutionally vague. The Bank's second constitutional challenge is that the FDIC conducted a biased investigation that violated the Bank's due process rights.
As a preliminary matter, the FDIC argues that the Bank's constitutional challenges were waived because they were inadequately briefed. In resistance, the Bank argues that it did not waive its constitutional challenges, as its brief cited Supreme Court decisions and facts from the record that support its constitutional challenges.
Federal Rule of Appellate Procedure 28(a)(8)(A) requires that the argument section of a brief contain "appellant's contentions and the reasons for them, with citations to the authorities and parts of the record on which the appellant relies." We have held that arguments are waived where the appellant does not present any argument to support its assertions and cites no authority. United States v. Alonso, 48 F.3d 1536, 1544-45 (9th Cir. 1995). Inadequately briefed and perfunctory arguments are also waived. United Nurses Assocs. of Cal. v. NLRB, 871 F.3d 767, 780 (9th Cir. 2017).
In support of its constitutional vagueness challenge, the Bank cites 12 C.F.R. § 326.8(c) (the FDIC's four pillars regulation) and three Supreme Court decisions that discuss vagueness. The Bank also cites passages from the record comparing the 2010 and 2012 ROE findings. In addition, the Bank references the ALJ's finding that the FFIEC Manual is not entitled to Chevron deference. The Bank's argument relating to FDIC bias, while similarly abbreviated, cites to the record and references a Supreme Court case. For both constitutional arguments, the Bank cites valid legal authorities and references the record, and therefore has at least minimally preserved its constitutional challenges. See Fed. R. App. P. 28(8)(A); Alonso, 48 F.3d at 1544.
Turning to the merits of the constitutional challenges, the Bank argues that the BSA is unconstitutionally vague because neither the statute nor its implementing regulations were precise enough to inform the Bank of its required conduct. The Bank also contends that the statute and regulations are unconstitutionally vague because the FDIC can arbitrarily determine whether BSA compliance procedures are sufficient. The Bank further argues that the FFIEC Manual cannot clarify compliance procedures because the FFIEC Manual lacks the force and effect of law.
"To pass constitutional muster against a vagueness attack, a statute must give a person of ordinary intelligence adequate notice of the conduct it proscribes." Craft v. Nat'l Park Serv., 34 F.3d 918, 921 (9th Cir. 1994) (quoting United States v. 594,464 Pounds of Salmon, 871 F.2d 824, 829 (9th Cir. 1989)). Various factors affect our analysis, including "whether or not the statute at issue (1) involved only economic regulation, (2) contained only civil, not criminal penalties, (3) contained a scienter requirement, ... and (4) threatened any constitutionally protected rights." Hanlester Network v. Shalala, 51 F.3d 1390, 1398 (9th Cir. 1995) (citing Vill. of Hoffman Estates v. Flipside, Hoffman Estates, Inc., 455 U.S. 489, 498-99, 102 S.Ct. 1186, 71 L.Ed.2d 362 (1982)). "Further, exactness can be achieved not just on the face of the statute, but also through limiting constructions given to the statute by the ... enforcement agency." Hess v. Bd. of Parole & Post-Prison Supervision, 514 F.3d 909, 914 (9th Cir. 2008).
Where economic regulation is involved, vagueness is less of a concern because "the regulated enterprise may have the ability to clarify the meaning of the regulation by its own inquiry, or by resort to an administrative process." United States v. Doremus, 888 F.2d 630, 634-35 (9th Cir. 1989) (quoting Hoffman Estates, 455 U.S. at 498, 102 S.Ct. 1186). "In considering whether an administrative regulation is unconstitutionally vague, the reviewing court must assess it within the context of the particular conduct to which it is being applied." Great Am. Houseboat Co. v. United States, 780 F.2d 741, 747 (9th Cir. 1986) (citing United States v. Nat'l Dairy Prods. Corp., 372 U.S. 29, 33-36, 83 S.Ct. 594, 9 L.Ed.2d 561 (1963)). We must consider if the regulation "applies to `a select group of persons having specialized knowledge.'" United States v. Elias, 269 F.3d 1003, 1015 (9th Cir. 2001) (quoting United States v. Weitzenhoff, 35 F.3d 1275, 1289 (9th Cir. 1993)).
"Interpretations such as those in opinion letters — like interpretations contained in policy statements, agency manuals, and enforcement guidelines, all of which lack the force of law — do not warrant Chevron-style deference." Christensen v. Harris Cty., 529 U.S. 576, 587, 120 S.Ct. 1655, 146 L.Ed.2d 621 (2000). However, an agency-issued instruction manual, even if lacking the force of law itself, can clarify what conduct is expected of a person subject to a particular regulation and thus mitigate against vagueness. See Pinnock v. Int'l House of Pancakes Franchisee, 844 F.Supp. 574, 581 (S.D. Cal. 1993) (citing Ward v. Rock Against Racism, 491 U.S. 781, 795, 109 S.Ct. 2746, 105 L.Ed.2d 661 (1989); Hoffman Estates, 455 U.S. at 502, 504, 102 S.Ct. 1186; Grayned v. City of Rockford, 408 U.S. 104, 110, 92 S.Ct. 2294, 33 L.Ed.2d 222 (1972)); accord United States v. Woodley, 9 F.3d 774, 778 (9th Cir. 1993) (rejecting a vagueness challenge to Health Care Financing Administration's "related party regulation" based, in part, on the fact that the regulation referenced a "Provider Reimbursement Manual" that
Not only are the BSA and FDIC's implementing regulations economic in nature and threaten no constitutionally protected rights, but it is clear that a detailed manual issued by agencies with enforcement authority, such as the FFIEC Manual, can put regulated banks on notice of expected conduct. The BSA authorizes the FDIC to review banks for compliance. 12 U.S.C. § 1818(s). The FFIEC Manual frames the examiners' expectations in anticipation of routine compliance checks. The Bank knew these expectations. Indeed, the FDIC Board found that provisions of the FFIEC Manual were incorporated in the Bank's own BSA Policy Manual, and copies of the FFIEC Manual were found scattered throughout the Bank. A BSA Officer at the Bank bearing the requisite "specialized knowledge" would understand that compliance with the FFIEC Manual ensures compliance with the BSA. See Elias, 269 F.3d at 1015. The BSA and its implementing regulations are not unconstitutionally vague.
3. Investigative Bias
The Bank's second constitutional challenge is that the FDIC violated its due process rights by conducting a biased investigation. The Bank argues that comments made by examiners charged with assisting in the investigation demonstrate that the 2012 examination was predetermined. As examples of bias, the Bank points to Rawlins' decision to disregard the Bank's loan files when she was reviewing the Bank's deposit files for due diligence information, her criticism of Alan Chi for not filing a SAR, and her refusal to look at Vivaldo's Fourth Quarter 2011 Report. The Bank also asserts that bias was demonstrated by the ALJ's failure to consider the 2010 ROE, which concluded that the Bank's BSA program was generally adequate. The FDIC counters that the Bank's unconstitutional bias charge fails as a matter of law and as a matter of fact.
"[W]hen governmental agencies adjudicate or make binding determinations which directly affect the legal rights of individuals, it is imperative that those agencies use the procedures which have traditionally been associated with the judicial process." Hannah v. Larche, 363 U.S. 420, 442, 80 S.Ct. 1502, 4 L.Ed.2d 1307 (1960). However, "when a general fact-finding investigation is being conducted, it is not necessary that the full panoply of judicial procedures be used." Id. "Whether the Constitution requires that a particular right obtain in a specific proceeding depends upon a complexity of factors. The nature of the alleged right involved, the nature of the proceeding, and the possible burden on that proceeding, are all consider[ed]." Id. Inherent in an agency's power of investigation is the authority "to prevent the sterilization of investigations by burdening them with trial-like procedures." Id. at 448, 80 S.Ct. 1502. Administrative prosecutors are thus "accorded wide discretion" and "need not be entirely `neutral and detached.'"
The FDIC examiners' function is exclusively fact-finding. Thus, their review of the Bank during the 2012 examination need not have been "neutral and detached." See id. at 248, 100 S.Ct. 1610 (quoting Ward, 409 U.S. at 62, 93 S.Ct. 80). Even were the Bank correct in pointing to examiner comments and Rawlins' examination protocol as examples of bias, the Bank has failed to demonstrate that the FDIC examiners worked under a scheme which injected a personal or financial interest into their enforcement efforts. Moreover, the Bank participated in an ALJ hearing, during which it could cross-examine the FDIC's allegedly biased examiners, and the FDIC Board reviewed the ALJ's findings. The Bank's charge that the FDIC examiners were unconstitutionally biased is unavailing.
The Bank further argues that the ALJ was biased, specifically noting that the ALJ failed to consider the 2010 ROE. Contrary to the Bank's challenge, the ALJ did consider the 2010 ROE. The ALJ noted that, while the Bank's compliance was generally adequate, the 2010 ROE concluded "there were a number of areas that needed improvement, particularly given the Bank's risk profile." Cal. Pac. Bank, 2016 WL 2997645, at *20. The ALJ highlighted two places where the Bank came up short in implementing the 2010 ROE: by failing to monitor and aggregate activity in high risk accounts and by improperly lowering its self-assessed risk rating. The Bank's charge that the ALJ failed to consider the 2010 ROE is contradicted by the record. There are no other allegations of bias relating to the ALJ. And in reviewing the record, we find that the ALJ's extensive four-day hearing was conducted in a fair, impartial, and efficient manner as FDIC regulations require. 12 C.F.R. § 308.5(a).
Neither the FDIC's investigation nor the ALJ was unconstitutionally biased against the Bank.
B. The FDIC Board's BSA Compliance Findings
Under the APA, agency action can be set aside only if "arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law" or "unsupported by substantial evidence." 5 U.S.C. § 706(2)(A) and (E). The APA's standard is "highly deferential." Indep. Acceptance Co., 204 F.3d at 1251. The FDIC Board adopted in full the ALJ's findings, which looked to the FFIEC Manual as an authority on compliance with the FDIC's four pillars regulation. The FDIC Board found that the Bank failed to comply with the four pillars of BSA compliance: adequate controls, independent testing, administration, and training. The FDIC Board further found that the Bank did not file a SAR where one was required. The Bank argues that the FDIC Board erred with each of these decisions.
1. FDIC Reference to the FFIEC Manual
The Bank takes issue with the FDIC's use of the FFIEC Manual as relevant authority in interpreting what the four pillars regulation required of the Bank. The Bank argues that the FDIC
Under Auer v. Robbins, 519 U.S. 452, 117 S.Ct. 905, 137 L.Ed.2d 79 (1997), an agency's interpretation of its own regulations is "controlling unless plainly erroneous or inconsistent with the regulation." Id. at 461, 117 S.Ct. 905 (citation and internal quotation marks omitted). "Under Auer ... the court must first determine whether the regulation was ambiguous." Bassiri v. Xerox Corp., 463 F.3d 927, 931 (9th Cir. 2006) (citing Christensen, 529 U.S. at 588, 120 S.Ct. 1655). Ambiguous regulations include those that are "not entirely `free from doubt,'" id. (quoting Providence Health System-Washington v. Thompson, 353 F.3d 661, 665 (9th Cir. 2003)), or "susceptible to different interpretations and ... discretionary elements," Siskiyou Regional Education Project v. U.S. Forest Service, 565 F.3d 545, 557 (9th Cir. 2009). If the regulation in question is ambiguous, we defer to the agency's interpretation unless "an alternative reading is compelled by the regulation's plain language or by other indications of the [agency's] intent at the time of the regulation's promulgation." Bassiri, 463 F.3d at 931 (alteration in original) (quoting Thomas Jefferson Univ. v. Shalala, 512 U.S. 504, 512, 114 S.Ct. 2381, 129 L.Ed.2d 405 (1994)). An agency's interpretation of its own regulation can be advanced through informal means, including an agency manual. See Pub. Lands for the People, Inc. v. U.S. Dep't of Agric., 697 F.3d 1192, 1199 (9th Cir. 2012) (according "wide deference" to the U.S. Forest Service's interpretation of a regulation contained in the "Forest Service Manual").
The FDIC's four pillars regulation is ambiguous. The four pillars are not entirely "free from doubt," given the complexity of BSA compliance and the need for FDIC officials to conduct administrative examinations of bank BSA programs. See Bassiri, 463 F.3d at 931. That banks can design different compliance programs further demonstrates that the four pillars are "susceptible to different interpretations." See Siskiyou, 565 F.3d at 557.
In Financial Institution Letter 17-2010, the FDIC announced the release of the 2010 version of the FFIEC Manual. Though the FFIEC Manual was written collaboratively among multiple federal and state agencies, the Letter clarified that the FFIEC Manual contained the FDIC's supervisory expectations with respect to BSA compliance. We must thus defer to the FFIEC Manual unless it is "plainly erroneous or inconsistent" with the FDIC's four pillars regulation, or unless "an alternative reading is compelled by the regulation's plain language." Auer, 519 U.S. at 461, 117 S.Ct. 905; Bassiri, 463 F.3d at 931 (quoting Thomas Jefferson, 512 U.S. at 512, 114 S.Ct. 2381); Pub. Lands, 697 F.3d at 1199. As the ALJ noted, the FFIEC Manual is "a uniformly recognized `authority' on BSA policies, procedures, and processes" with "[e]ach section serv[ing] as a platform for the BSA/AML examination and, for the most part, address[ing] the legal and regulatory requirements of the BSA/AML compliance program." Cal. Pac. Bank, 2016 WL 2997645, at *36. As explained in the next section, the FFIEC Manual defines and provides clarifying guidance on each of the four pillars. Rawlins testified that FDIC examiners and banks alike use the FFIEC Manual as a roadmap for banks' compliance
The FDIC Board acted in accordance with the law in referencing the FFIEC Manual to clarify the four pillars analysis for determining violations of the BSA.
2. The Four Pillars
The Bank next argues that the FDIC Board's determination that the Bank failed to comply with each of the BSA's four pillars — internal controls, independent testing, administration, and training — is not supported by substantial evidence.
a. Internal Controls
The first pillar of BSA compliance requires that banks "[p]rovide for a system of internal controls to assure ongoing compliance." 12 C.F.R. § 326.8(c)(1). The FFIEC Manual advises that "[t]he level of sophistication of the internal controls should be commensurate with the size, structure, risks, and complexity of the bank." The FFIEC Manual provides that banks are required to maintain controls that identify vulnerabilities and monitor the bank's risk profile.
The FDIC Board adopted the ALJ's findings that the Bank failed to conduct and document adequate customer due diligence, to identify certain customers as high risk, to conduct adequate site visits, and to sufficiently monitor accounts for suspicious activity. The Bank argues that the FDIC Board's decision is not supported by substantial evidence. The Bank asserts that its deposit and loan documentation, as well as its review of daily batch reports, demonstrate that it adequately evaluated and monitored its depositors. The Bank also argues that its site visits were sufficiently documented in its loan files and that the 2010 ROE recommendations were either complied with or were unnecessary.
Although Rawlins deemed the Bank's overall compliance satisfactory in her 2010 ROE, she identified several areas that "must be corrected." In the event a bank "has failed to correct any problem" with BSA compliance that was previously brought to its attention, the FDIC shall issue a cease and desist order against the bank. 12 U.S.C. § 1818(s)(3)(B) (emphasis added).
The FDIC Board found that the Bank failed to adequately collect, document, and update BSA-relevant information about its depositors, as shown by the lack of information in the Bank's deposit account files. During her 2012 examination, Rawlins reviewed twenty-four deposit accounts. Although eight were adequate, Rawlins determined that the information contained within the remaining sixteen was incomplete, with account activity significantly higher than expected. The Bank argues that Rawlins failed to consider the Bank's loan files, which it asserts provided the information that was absent from the twenty-four accounts reviewed by Rawlins. Rawlins focused on the Bank's deposit files, not its loan files, since suspicious account activity was more likely to be found in the deposit files. Loan files, by contrast, generally focus on a customer's creditworthiness rather than on the sources of funds deposited into a bank. The Bank's BSA Policy Manual also provided that deposit accounts should be the locus of risk assessment and that depositors'
The FDIC Board also found that the Bank failed to adequately monitor depositors' activity. Regarding the monitoring requirement, the FFIEC Manual provides that review of customer accounts can involve either daily reports or reports covering a period of time. However, this choice bears the caveat that "[t]he type and frequency of reviews and resulting reports used should be commensurate with the bank's BSA/AML risk profile and appropriately cover its higher-risk products, services, customers, entities, and geographic locations." The 2010 ROE determined that for certain customers the Bank needed to monitor and analyze aggregate activity over three months or more to establish a pattern of activity, rather than rely on daily reports to monitor those customers. The Bank, however, persisted with daily batch reviews of account activity. The FDIC Board's finding that, by failing to monitor long-term activity, the Bank contravened the 2010 ROE is supported by substantial evidence.
The FDIC Board also found that the Bank failed to properly risk-rate its depositors' accounts. The 2010 ROE directed that the Bank designate new customers with high levels of activity as high risk for at least six months and to increase the risk rating for the customer base overall to medium or high risk. Rawlins determined that the Bank's customer base, lack of internal controls, deficient BSA program, and geographic location demonstrated an overall high risk for the Bank.
After assuming the role of BSA Officer in 2011, Alan Chi revised the Bank's new customer deposit account risk assessment form. Vivaldo advised Alan Chi that the revised risk ratings failed to identify high risk accounts. Alan Chi amended the risk assessment form in light of Vivaldo's criticisms. However, instead of using the FDIC's recommended scoring tiers, he merely altered the circumstances under which customer risk would be downgraded. Alan Chi also revised the risk assessment form the Bank used to assess its own risk, which resulted in a "low" risk rating for the Bank and drew further criticism from Vivaldo. The ALJ found no evidence, nor does the record indicate, that Alan Chi followed through on Vivaldo's guidance. The FDIC Board's finding that the Bank's risk assessment practices did not accord with the 2010 ROE is supported by substantial evidence.
The FDIC Board also found that the Bank failed to document BSA site visits to its customers. The Bank argues that it did conduct site visits, and that documentation relating to the visits was included in its loan files. However, Vivaldo testified that not all of the site visits were documented in the loan files, and Alan Chi testified that he kept BSA assessments "in [his] head." Rawlins considered the Bank's loan site visits inadequate, reasoning that they focused more on credit risk than cash activity. The ALJ found that the Bank's
The Bank's failure to correct problems with its internal controls that were previously brought to its attention in the 2010 ROE, on its own, required the FDIC to issue a cease and desist order against the Bank. 12 U.S.C. § 1818(s)(3)(B). As repeatedly noted, the Bank's failure to address corrective measures from the 2010 ROE is a material factor in reaching the substantial evidence threshold. De La Fuente, 332 F.3d at 1220 ("Substantial evidence... is such relevant evidence as a reasonable mind might accept as adequate to support a conclusion."). The FDIC Board's determination that the Bank did not maintain adequate internal controls, and thus, did not comply with the BSA, is supported by substantial evidence.
b. Independent Testing
The second pillar of compliance requires that banks "[p]rovide for independent testing for compliance to be conducted by bank personnel or by an outside party." 12 C.F.R. § 326.8(c)(2). The FFIEC Manual provides that "independent testing" includes, at a minimum, providing sufficient information to allow a reviewer "to reach a conclusion about the overall quality of the BSA/AML compliance program." The FFIEC Manual further provides that an auditor "must not be involved in any part of the bank's BSA/AML compliance program." The FDIC Board adopted the ALJ's findings that Vivaldo's 2012 Quarterly Report was deficient and that the Bank's independent testing was inadequate. The Bank argues that this decision is not supported by substantial evidence.
The Bank argues that the examiners failed to consider Vivaldo's Fourth Quarter 2011 Report, which it asserts concluded that the Bank's performance was satisfactory. At the ALJ hearing, however, Vivaldo conceded that, while the Fourth Quarter 2011 Report described certain components of the Bank's BSA program as "satisfactory," the report lacked an explicit conclusion with respect to the BSA program as a whole.
Moreover, despite Rawlins' request for copies of any audits completed since the 2010 ROE, the Bank provided Rawlins with only one audit report prepared by Vivaldo covering the first two quarters of 2012.
The FDIC Board's decision that Vivaldo did not perform independent testing as required by the BSA is supported by substantial evidence.
The third pillar of compliance requires that banks "[d]esignate an individual or individuals responsible for coordinating and monitoring day-to-day compliance." 12 C.F.R. § 326.8(c)(3). The FFIEC Manual provides,
The FDIC Board adopted the ALJ's finding that Alan Chi lacked the experience, training, and time to adequately perform as BSA Officer. The Bank argues that this decision was not supported by substantial evidence, asserting that Alan Chi was qualified based on his experience serving in multiple roles at the Bank, his on-the-job training, and his prior interactions with the FDIC. The Bank further argues that Alan Chi's due diligence adhered to the 2010 ROE.
In addition to serving as BSA Officer, Alan Chi held five other senior roles at the Bank. Rawlins testified that "not even the most experienced BSA officer would be able to have the time to run an adequate BSA program given this many other duties at the institution."
The FDIC Board's decision that Alan Chi was an inadequate BSA Officer, and thus, the Bank did not comply with the BSA, is supported by substantial evidence.
The fourth pillar of compliance requires that banks "[p]rovide training for appropriate personnel." 12 C.F.R. § 326.8(c)(4). The FFIEC Manual advises,
The 2010 ROE advised the Bank to test employees' knowledge and document director training. The FDIC adopted the
To carry out the FDIC's recommendation on training, Alan Chi offered presentations on customer identification, currency transaction reporting, anti-money-laundering, identity theft, and unlawful internet gambling. He also provided the Bank's employees with copies of the Bank's BSA Policy Manual. Alan Chi expected employees to read the manual and perform satisfactorily on the quizzes. Rawlins found that requiring employees to attend a webinar provided only rudimentary BSA training. Although quizzes were administered, the record contains no evidence suggesting that training materials were tailored to specific job functions at the Bank.
The FDIC Board's decision that the Bank's inadequate training did not comply with the BSA is supported by substantial evidence.
3. Suspicious Activity Reporting
The FDIC Board affirmed the ALJ's finding that the Bank failed to file a SAR where one was needed and to document its decision on whether or not to file a SAR. The Bank argues that this decision is not supported by substantial evidence. The Bank argues that it could not have been obligated to file a SAR because the FBI and DOJ told the Bank not to disclose any aspect of an ongoing federal criminal investigation. The Bank further contends that the examiners manufactured a new justification for filing a SAR months after the 2012 examination was complete.
Pursuant to 12 C.F.R. § 353.1, an insured state nonmember bank must file a SAR whenever it suspects "a known or suspected criminal violation of federal law or a suspicious transaction related to a money laundering activity or a violation of the Bank Secrecy Act." For transactions of $5000 or more that involve potential money laundering or BSA violations, a SAR must be filed with the appropriate federal law enforcement agencies and the Financial Crimes Enforcement Network, where "[t]he transaction involves funds derived from illegal activities or is intended or conducted in order to hide or disguise funds or assets derived from illegal activities" or "[t]he transaction has no business or apparent lawful purpose or is not the sort of transaction in which the particular customer would normally be expected to engage, and the bank knows of no reasonable explanation for the transaction." Id. § 353.3(a)(4)(i) and (iii). The FFIEC Manual advises banks to review account activity for any customer for whom the bank receives a subpoena and to independently evaluate the need to file a SAR based on the bank's review of those materials. The FFIEC Manual discourages banks from referencing receipt or existence of a grand jury subpoena in the SAR and states that the SAR should only reference any underlying facts supporting the determination that the transaction at issue in the SAR is suspicious.
It is undisputed that the Bank did not file a SAR or document its decision not to file a SAR. The only issue is whether the Bank's non-action was excused. The FDIC Board found that the Bank was not legally precluded from filing a SAR. On August 10, 2011, the DOJ sent the Bank a letter, directing the Bank to maintain the utmost secrecy with regard to the federal grand jury subpoena. Alan Chi interpreted this to mean that he could not disclose any aspect of the FBI investigation — including providing notice to regulators of customer activity in a SAR, even if that SAR did not include any mention of the FBI investigation. But this interpretation was erroneous. The Federal grand jury subpoena letter advised that "you and employees of California Pacific Bank [are required to] maintain the utmost secrecy with regard to this Federal grand jury subpoena." In recounting his conversation with an FBI agent, when Alan Chi asked if he could file a SAR, he recalled the agent saying, "Don't mention anything about the subpoena... just don't mention the subpoena." The FFIEC Manual explicitly contemplates the filing of SARs for customer activity that is also subject to law enforcement investigations and subpoenas, which suggests that investigations and subpoenas should often prompt filing SARs. The Bank's BSA Policy Manual reflected this guidance as well. Nothing prevented the Bank from filing a SAR that only referenced the suspicious activity at a general level without mentioning receipt of the subpoenas. The FDIC Board's finding that the Bank was able to file a SAR is supported by substantial evidence.
Rawlins' draft 2012 ROE concluded that the Bank should have filed a SAR pursuant to 12 C.F.R. § 353.3(a)(4)(i) after learning of the indictments. Edmund Wong, Rawlins' immediate supervisor, initially disagreed, and concluded after conducting a second-level review of the ROE that an indictment alone was insufficient to support filing a SAR. However, upon receiving additional information on the accounts, Wong determined that the Bank should have filed a SAR. Wong detected several red flags, including "large dollar" and "round dollar" amounts that were much larger than the anticipated activity in the accounts, large wire transfers, and transactions that lacked any information on source of income, purpose of account, or expected activity — all of which he deemed evidence of a "layering scheme." The FDIC Board's findings that the filing of a SAR was warranted and that the examiners did not manufacture a justification for filing a SAR are supported by substantial evidence.
The FDIC Board's decision that, in failing both to file a SAR and to document its decision not to file a SAR, the Bank violated 12 C.F.R. § 353 and did not comply with the BSA is supported by substantial evidence.
We hold that the BSA and its implementing regulations are not unconstitutionally vague, and the FDIC did not exhibit unconstitutional bias against the Bank. We further hold that the FDIC acted in accordance with the law by relying