Avoiding the Next $3B Fine: AML Insights from TD Bank's Case

On October 10th, it was announced that TD Bank will pay $3.09 billion to several U.S. regulatory bodies, including the Office of the Comptroller of the Currency (OCC), the Department of Justice (DoJ), and the Financial Crimes Enforcement Network (FinCEN), for systemic violations of the Bank Secrecy Act (BSA) and failures in its anti-money laundering (AML) program. The fines resulted from TD’s involvement in enabling the movement of over $670 million through money-laundering schemes over a 6-year period, detailed in FinCEN’s Consent Order. The bank's underfunded AML system failed to detect or prevent these illicit transactions.

The penalties highlight the persistence of issues TD Bank faced in 2013 with the Scott Rothstein Ponzi scheme. After the 2013 enforcement, TD Bank committed to improving its AML controls, including better transaction monitoring and internal governance. However, the 2024 violations show many of these promised changes were either incomplete or ineffective, and despite prior commitments, the bank's Transaction Monitoring System (“TMS”) remained underfunded and understaffed. The lack of accountability and effectiveness of TD Bank’s AML program led to one of the largest penalties ever assessed under the BSA and highlights the importance of an effective AML framework.

Sia Partners has designed a framework for an effective BSA/AML program applicable to all covered financial institutions (e.g. Banks, Trusts, Broker Dealers, etc.), broken down into 6 key program areas that can be utilized to prevent the issues identified within the Consent Order.

1. Governance

Governance is the backbone of the Sia Partners framework as its presence is found in each of the other 5 pillars. For an effective BSA/AML program to function, those on the governance team are responsible for:

• Strategic planning,
• Oversight and board reporting,
• Issue management and regulatory change management,
• Ensuring all BSA/AML activities align with enterprise policies, programs, and procedures,
• Establishing and maintaining enterprise standards and guidelines,
• Conducting annual risk assessments, and
• Overseeing the administration of the BSA/AML program.

The governance of TD Bank’s AML program was described as “siloed” and ineffective as the BSA Officer responsible for overseeing compliance had insufficient control over key aspects of the AML program, including a lack of authority over the AML Technology Head, who oversaw the Transaction Monitoring system, as well as the Head of AML Operations. This structure led to TD Bank’s BSA Officer not being accountable for persistent control gaps within the program and no evidence was found that the BSA Officer ever raised concern about the structure to the Board.

A successful AML framework prioritizes a sustainable governance structure with:

1. Proper documentation and risk acceptances for decisions,
2. Ongoing monitoring of systems and processes to ensure up-to-date and effective, including using independent testing,
3. Quick and exhaustive remediations of known issues or deficiencies,
4. Assessments to identify gaps on a regular cadence,
5. Responsive enhancements to processes or tooling to address known risks, and
6. Defined roles and responsibilities for compliance controls.

2. Risk Assessment

Risk assessment programs are typically structured in a systematic manner to ensure coverage of all relevant areas, which include the assessment of the institution’s inherent risks and control structure to determine the institution’s residual risk. Institutions conduct risk assessments on a periodic basis and in ad-hoc situations such as when a new product and service is added. The results of these assessments help senior management understand where the compliance risks reside.   

TD Bank’s methodology to assess risk across its entire AML program, via its annual assessments, was inadequate and overlooked key risk and control factors that materially impacted the analyses of the Bank’s risk profile. The assessments lacked depth and specificity, which prevented AML management from accurately assessing the BSA/AML risks associated with the bank. Inaccurate risk assessments, which included inconsistent risk ratings of certain bank products, demonstrate the bank lacked an understanding of the illicit financial activity risks within products and services it offered.

A risk assessment program should be integrated into all aspects of the business and should include a detailed understanding of the businesses offerings in order to properly assess risks.

3. Training and Staffing

Employee training should focus on a financial institution’s internal policies, roles, and procedures to create accountability and risk reduction in the workplace. Training should be tailored to the individuals’ responsibilities. Resources should be proportional to alert volume and should be adaptable to changing volumes and lookbacks. Under-resourcing led to prolonged backlogs and contributed to missed SAR filings at TD Bank.

Insufficient training remains a systematic problem, and the consent order claims, “TD Bank’s AML management failed to properly ensure the requisite employees received appropriate training”.

A successful AML framework prioritizes an adaptable operations structure with knowledgeable team members, including:

1. An up-to-date training program tailored for the needs of the workflow
2. Specialized expertise for the relevant review scenarios and products
3. A proactive and flexible staffing model to handle changes in volume and to meet service-level agreements

4. Internal Controls

Internal controls are the foundation on which policies and procedures are written. Effective internal controls for Transaction Monitoring and Regulatory Reporting include alert generation modules, which provide full transaction coverage, so alerts are reviewed and dispositioned correctly and within SLA, the proper identification of reportable transactions through Suspicious Activity Reports (“SARs”), and processes for taking additional actions to remove the identified risk from the platform.

TD Bank’s transaction monitoring system was found to be outdated and failed to cover key areas of risk, for example a significant number of ACH transactions were not monitored. Additionally, TD Bank failed to file timely SARs in several instances, including large Ponzi Schemes and customer accounts with ties to suspicious transactions across jurisdictions. In most cases, SARs were only filed after external law enforcement inquiries or when serious investigations were already underway.  

A successful AML framework prioritizes a comprehensive alert investigation process with

1. Clear escalation pathways and guidance
2. Product-specific reviews with procedures to identify suspicious activity specific to each product’s intended usage
3. An exhaustive list of red flag indicators, including up-to-date high-risk jurisdictions
4. A review approach tailored to customer facts, trends, and peers
5. Utilization of signals from cross-functional compliance teams
6. Proper remediation of past risk exposures with lookback procedures

5. Lines of Defense

Establishing roles and responsibilities for the 1st, 2nd, and 3rd line is critical for ensuring there is proper segregation of duties, and the necessary controls required are being implemented through the organization.

TD Banks failures mentioned throughout the consent order highlight a failure to establish roles and responsibilities between the various lines of defense. Negligence within the AML department around deficient policies and procedures, inadequate staffing, outdated trainings, and a siloed governance structure represents how proper segregation of duties was ignored and the necessary controls were not implemented.

Between 2018 to 2020, TD Bank’s Internal Audit identified issues such as inadequate staffing, high-risk jurisdictions not properly monitored, and past-due reviews for up to three years, and appropriate actions weren’t taken.

Clearly delineated lines of defense ensure that everyone has a role to play in effectively mitigating AML risks.

6. Technology & Systems

Tools and systems help a program function efficiently and ensure that compliance teams have the necessary information to correctly mitigate risk. A strong AML program relies on technology & systems to correctly identify money laundering typologies and red flags such as:

• Unusual customer behavior
• Structuring (e.g., Smurfing)
• Funnel accounts
• Use of wire transfers
• Use of credit cards, checks, promissory notes
• Frequent and rapid movement of funds
• Multiple large transactions
• High-risk jurisdictions

TD Bank’s failure to invest in the technology necessary to implement its program, which required a functioning transaction monitoring system, led to failures to identify and timely report money laundering activity. In late 2019, TD Bank decided to consider changing vendors for its transaction monitoring system but did not select the successor system until early 2021. The new transaction monitoring system only began a phased implementation in August 2024 and will continue roll out in phases extending in 2025.

A successful AML framework prioritizes robust models and tooling designed for the needs of the program, with

1. A full, up-to-date coverage of transactions
2. Properly mapped data elements for models and rules to utilize
3. The ability to customize thresholds and conditions to meet specific needs, such as product nuances
4. Proper priorities such that mitigation of risk is not compromised by reduction of false positives
5. Investment in a tech stack designed to make reviews effective
6. The ability to adapt to changing requirements in a timely manner
7. An iterative approach to development to ship and enhance risk mitigating features quickly
8. Utilization of AI in key areas within an AML program such as customer segmentation and the categorization of SAR data

Following these violations, TD Bank has agreed to remediate several key areas, including upgrading its TMS with advanced scenarios to detect suspicious activity, hiring over 700 AML specialists to address staffing shortages, establishing a BSA/AML oversight committee, and appointing new leadership. The bank is also improving customer due diligence processes for high-risk customers and conducting a SAR lookback to review and report previously missed suspicious transactions. By addressing these critical gaps, TD Bank can rebuild trust with regulators and avoid further costly fines. The issues addressed above highlight the necessity to apply a comprehensive and effective framework to every BSA/AML program.