The California subsidiary of Rabobank has pleaded guilty to conspiracy to defraud the U.S. and will pay $369 million to settle charges of accepting illegal proceeds from Mexican drug traffickers, the Associated Press reports. According to U.S. regulators, drug traffickers deposited at least $369 million in Rabobank National Association branches in two towns on the Mexican border between 2009 and 2012. This was done to bypass Mexican government limits on the size of cash deposits in that country's banks. When deposits in those towns increased 20 percent, regulators say the bank should have known the money was tied to drug trafficking and organized crime. Instead, bank executives tried to cover up the suspicious activity after a whistleblower reported it to them. Rabobank National Association agreed to cooperate with U.S. officials to avoid additional criminal charges.
In attempting to explain how Rabobank covered up such a massive amount of money laundering, it is clear that the bank could have done more to detect and prevent those activities. That is despite the numerous regulations and guidance detailing what is expected of banks. Here are some considerations for internal auditors:
- All regulated U.S financial institutions are required to file periodic financial and other information with the Federal Deposit Insurance Corporation. One of the required reports is the quarterly Consolidated Report of Condition and Income, which reports financial data about a bank's financial condition and the results of its operations. However, the required categories for reporting do not include anything specifically related to anti-money laundering, although this might be covered under a broader category such as Income From Foreign Offices. There is a form that lists up to four bank officers responsible for anti-money laundering activities, but in the couple of publicly available, sample Rabobank reports I reviewed, these entries were labeled "confidential."
- In 2016, the U.S. Office of the Comptroller of the Currency (OCC) issued a 150-page Comptroller's Handbook booklet, Internal and External Audits, for use by OCC examiners in examining and supervising national banks and federal savings associations. This document contains useful information regarding the roles and procedures of external audit, management's responsibility for oversight, risk management and effective controls, and reporting matters. Surprisingly, given the increasingly international nature of bank ownership and operations, it contains little guidance specific to money laundering, either as a risk or audit practice focus.
- One might be skeptical of Rabobank's management declarations, such as on its website, that the OCC has recognized "the material improvements the bank has made to its [Bank Secrecy Act/anti-money laundering] compliance program." There appears to have been some systemic collusion among its senior management — including its vice president responsible for anti-money laundering investigations — to cover up this fraud for several years.
- Finally, where were the internal and external auditors? Internal audit, while independent in its work and reporting, remains a part of an organization's management structure. Rabobank's senior management cover-up activities blocked information that could have revealed the problem earlier. It also is possible that the bank's information systems were exploited to help the cover up. For example, if the transaction was not completed using the bank's core banking system, internal auditors would have less of a chance to catch discrepancies, unless they scrutinized every aspect of the operations daily to find lesser-known or hidden systems. Moreover, there is the question of whether the bank's internal auditors possess the requisite training to detect money laundering activities.