Board-level Accountability and the New Era of AML Enforcement

GIR Guide to Anti-Money Laundering, Fourth Edition

Authored Article

Author(s) , ,

Introduction

The boardroom has become a central locus of responsibility in the federal government’s campaign against money laundering. Once considered a compliance function delegated to operational staff, anti-money laundering (AML) oversight has been elevated to the highest echelons of corporate governance, with regulators and prosecutors increasingly focusing their attention on the directors and executives who set institutional priorities. The October 2024 plea agreement in United States v TD Bank, NA serves as the most striking illustration of this shift: TD Bank agreed to pay approximately US$1.9 billion in combined criminal penalties after admitting that it had wilfully “failed to maintain an AML program that complied with the [Bank Secrecy Act]” and “prioritized a ‘flat cost paradigm’ across operations and the “customer experience’” over AML compliance.TD Bank laid bare years of board-level failures, from inadequate oversight of transaction-monitoring systems to disregard of repeated regulatory warnings. For directors and executives of financial institutions, the TD Bank case is more than a cautionary tale – it is a roadmap of precisely what not to do.

This chapter examines the evolving landscape of board responsibility for Bank Secrecy Act (BSA) and AML compliance. Drawing upon recent enforcement actions and consent orders, it provides practical guidance for boards of directors seeking to fulfil their obligations and mitigate the substantial personal and institutional risks that attach to AML failures.

The legal framework: board responsibility under the BSA

The BSA, enacted in 1970 and subsequently amended by the USA PATRIOT Act and subsequent legislation, requires financial institutions to establish and maintain AML programmes to detect and prevent money laundering and terrorist financing. The regulatory requirements are deceptively simple: institutions must provide for (1) a system of internal controls; (2) independent testing; (3) designation of an AML compliance officer; (4) ongoing employee training; and (5) risk-based customer due diligence procedures. Yet the implementing regulations and examination guidance make clear that the board of directors bears ultimate responsibility for ensuring these programmes are effective.

The Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual states unambiguously that the board is responsible for “setting the tone at the top” and for ensuring that the institution has an effective BSA/AML compliance programme commensurate with its risk profile. This responsibility cannot be delegated away. As the Office of the Comptroller of the Currency (OCC) has repeatedly emphasised in consent orders, including those issued to Bank of America, Blue Ridge Bank and numerous other financial institutions, the board must actively oversee the AML programme, ensure adequate resources are committed to compliance, and personally review and approve policies and risk assessments.

TD Bank starkly illustrates these principles. The plea agreement emphasised that the bank’s own policies placed “ultimate responsibility for oversight of the BSA/AML program with the board of directors, and that the board is accountable for monitoring its effectiveness regularly”. The board’s responsibilities included “setting the ‘tone from the top’ commitment” and “participating in briefings regarding inherent risks and controls, so that board members attain an adequate level of understanding, as well as challenging the information presented to them about the [BSA/AML] Program matters.” Yet despite these defined responsibilities, TD Bank’s boards of directors at various corporate levels were aware of significant deficiencies identified by regulators and internal auditors over more than a decade – and failed to ensure they were remediated.

Tone at the top: why culture matters

The concept of “tone at the top” appears throughout regulatory guidance and enforcement documents, but what does it mean in practice? At its core, tone at the top refers to the ethical climate established by an organisation’s leadership – the unwritten rules that govern behaviour when no one is watching. In the AML context, tone at the top determines whether compliance is viewed as a genuine institutional priority or a bureaucratic box-checking exercise.

The TD Bank case demonstrates what happens when the tone is wrong. Bank senior executives repeatedly prioritised customer experience and profitability over AML compliance. They enforced a budget mandate, internally referred to as a “flat cost paradigm”, that set expectations that compliance budgets would not increase year over year. This cost-cutting mentality had direct consequences: the bank did not substantively update its transaction monitoring system from 2014 through 2022, despite rapid growth in business volume and risk, and despite repeated warnings from regulators and internal auditors.

The cultural dysfunction extended throughout the organisation. According to the plea agreement, “Bank employees openly discussed the Bank's facilitation of criminal activity”. Internal communications revealed AML staff joking about their inability to obtain resources for compliance projects because “GAML cannot properly code the scenario to give us what we want and it’s too much money to hire a coder”. When employees at all levels understand that profits take precedence over compliance, the AML programme is doomed to fail, regardless of what the policies say on paper.

Boards seeking to establish an appropriate tone should consider several practical measures. First, directors should ensure that compliance metrics are incorporated into executive compensation. The TD Bank plea agreement's compliance commitments now require the bank to implement “compensation and bonus systems designed to incentivize adherence” to compliance programmes, including “prohibitions on bonuses for directors, officers, and employees who do not satisfy compliance performance requirements” and “compensation reduction provisions permitting the bank to seek to recoup compensation paid to directors, officers, and employees” who commit violations. Forward-thinking boards should implement such structures proactively rather than waiting for a consent order to mandate them.

Second, directors should visibly champion compliance in their communications with management and staff. Board members should attend AML training sessions, actively participate in compliance committee meetings, and ensure their questions and challenges to management demonstrate genuine engagement rather than perfunctory oversight.

Third, boards should establish clear escalation procedures that ensure compliance concerns reach the board level without being filtered or suppressed by management. The TD Bank case revealed that some concerns identified by internal auditors and third-party consultants were known to compliance leadership but not adequately communicated to or addressed by the board.

Understanding third-party risks: fintech partnerships and beyond

One of the most significant developments in banking over the past decade has been the proliferation of partnerships between traditional banks and financial technology companies. These arrangements, often called banking-as-a-service (BaaS) relationships, allow fintechs to offer banking products to their customers while relying on the bank’s charter and regulatory infrastructure. From an AML perspective, these relationships present substantial risks that boards must understand and actively oversee.

Recent enforcement actions demonstrate that regulators are paying close attention to banks’ management of third-party risks. The OCC’s consent order against Blue Ridge Bank specifically addressed deficiencies in the bank’s oversight of fintech partnerships, requiring the bank to adopt a comprehensive third-party risk management program that addresses “due diligence and risk assessment criteria for selecting and approving each third-party relationship that is appropriate and unique to the particular products, services, and activities provided”. The order imposed significant restrictions on the bank’s ability to onboard new fintech partners until it can demonstrate that BSA/AML risks are “effectively controlled”.

Similarly, the consent order against Hatch Bank required the board to increase its “supervision and direction of Bank management, and its oversight and monitoring of the AML/CFT Program” in relation to third-party relationships defined broadly to include “any business arrangements between the Bank and another person or entity” involved in bank activities. The order mandated comprehensive reviews of third-party relationships performing BSA compliance functions on behalf of the bank.

For boards overseeing banks with fintech partnerships, several practical considerations apply. First, directors must understand that the bank, not the fintech partner, bears ultimate regulatory responsibility for AML compliance. When a fintech partner onboards customers using the bank’s charter, those are the bank’s customers for BSA purposes, and the bank is responsible for ensuring that customer identification, due diligence, transaction monitoring, and suspicious activity reporting meet regulatory requirements.

Second, boards should ensure that management conducts appropriate due diligence before entering fintech partnerships and maintains ongoing oversight of partner activities. This includes evaluating the fintech’s own compliance capabilities, establishing contractual rights to audit partner activities and access relevant data, and maintaining the ability to terminate relationships that present unacceptable compliance risks.

Third, boards should receive regular reporting on fintech partner activities, including transaction volumes, suspicious activity trends and any compliance concerns identified through the bank's oversight processes. Directors should ask probing questions about whether the bank has adequate visibility into partner activities and sufficient resources to monitor them effectively.

Personal liability: when directors and officers face individual consequences

Perhaps no development in AML enforcement has captured board attention more than the prospect of personal liability for directors and officers. While the BSA has always provided for civil and criminal penalties against individuals, regulators have become increasingly willing to pursue individual accountability for AML failures.

FinCEN’s March 2020 enforcement action against Michael LaFontaine, former Chief Operational Risk Officer at US Bank, illustrates the risks executives face. FinCEN assessed a US$450,000 civil money penalty against LaFontaine personally for his “failure to prevent violations of the Bank Secrecy Act during his tenure”. The enforcement action revealed that LaFontaine had been “warned by his subordinates and by regulators that capping the number of alerts was dangerous and ill-advised”, but failed to take sufficient action. As FinCEN Director Kenneth Blanco noted, “LaFontaine's actions prevented the proper filing of many, many SARs, which hindered law enforcement’s ability to combat crimes and protect people fully.”

The LaFontaine enforcement action was not an isolated incident. FinCEN has also pursued enforcement actions against BSA compliance officers who failed to fulfil their responsibilities. In one notable case, FinCEN imposed a US$100,000 civil money penalty against Gyanendra Kumar Asre, a credit union supervisory committee member and BSA compliance officer, for violations including failure to maintain adequate AML programmes and failure to report suspicious activities. The consent order included a five-year ban on participation in financial institutions.

The SEC complaint against Silvergate Capital Corporation and its executives, filed in 2024, demonstrates that personal liability exposure extends beyond FinCEN enforcement actions. The SEC alleged that Silvergate’s CEO and other executives made “false and misleading statements . . . regarding the effectiveness of its BSA/AML compliance program”, especially related to crypto industry risks. The complaint detailed how executives had touted the bank’s compliance programme as a “competitive advantage” while knowing it suffered from fundamental deficiencies.

For directors, the implications are clear: passive oversight is not sufficient to avoid liability. Directors must actively engage with AML compliance, ask difficult questions, demand adequate resources for compliance functions and ensure that management addresses identified deficiencies. The Ninth Circuit’s decision in California Pacific Bank v FDIC reinforced these principles, upholding findings that a bank’s BSA officer lacked the requisite time and independence befitting an adequate BSA officer, given that the officer held multiple roles that created conflicts of interest.

There is a growing drumbeat among policymakers, including Elizabeth Warren, to hold bank executives personally accountable for BSA/AML failures, reflecting an increasing push to move beyond institutional penalties and impose consequences on individual decision-makers. In response to the TD Bank plea agreement, Senator Warren criticised the DOJ for pursuing only lower-level employees while warning that failing to hold senior executives accountable will encourage banks to treat AML penalties as a routine cost of doing business rather than a serious compliance obligation.

The whistleblower imperative: managing internal reporting risks

The Anti-Money Laundering Act of 2020 (AMLA) and subsequent amendments have created powerful new incentives for employees to report AML violations directly to federal authorities. The AMLA whistleblower programme, administered by FinCEN, offers monetary awards of between 10% and 30% of collected monetary sanctions exceeding US$1 million and provides robust anti-retaliation protections for employees who report potential violations.

According to FinCEN Director Andrea Gacki, on 6 May 2024, the programme had received over 270 unique tips since its inception, and “many of the tips received have been highly relevant to many of Treasury’s top priorities”. On 30 March 2026, the Trump Administration announced a notice of proposed rulemaking to fully implement the program and launched a FinCEN whistleblower portal for submitting tips. The programme’s potential to generate enforcement actions should concern every board, particularly given that whistleblowers may report directly to regulators without first raising concerns internally.

Boards should recognise that robust internal compliance programs and effective whistleblower channels reduce the risk of external whistleblower reports. Employees who believe their concerns will be taken seriously internally have less incentive to bypass institutional processes and report directly to regulators. Conversely, employees who perceive that compliance concerns are ignored or that reporters face retaliation are more likely to seek external recourse.

The TD Bank plea agreement’s compliance commitments recognise this dynamic. The bank must now implement and maintain a system for internal and, where possible, confidential reporting by directors, officers, employees, and applicable agents and business partners of alleged violations of compliance programs and AML laws. Critically, the system must “include protections against retaliation for the reporting directors, officers, employees, and applicable agents and business partners”. The bank must also “implement and maintain mechanisms designed to ensure that the system for internal reporting of alleged violations and the related protections against retaliation are effectively communicated” throughout the organisation.

Recent litigation has tested the boundaries of whistleblower protections in the BSA context. In Albert v Lincoln Bancorp, a BSA officer alleged that he was retaliated against after reporting potential violations to federal agencies. The court allowed his whistleblower claim to proceed, finding that his “reports were subjectively and objectively reasonable” and that the subsequent adverse employment actions could support an inference of retaliation. Similarly, in Park v Shinhan Bank America, employees brought claims under both the AMLA whistleblower provisions and the Financial Institutions Reform, Recovery, and Enforcement Act (FIRREA) for reporting BSA-related concerns.

For boards, the whistleblower landscape requires proactive attention. Directors should ensure that the institution has effective internal reporting mechanisms, that reported concerns are promptly investigated, that employees who raise concerns in good faith are protected from retaliation, and that investigation outcomes are documented and addressed. Board members should receive periodic reporting on whistleblower activity, including the nature of concerns raised, investigation outcomes and any disciplinary actions taken.

Learning from failure: what the TD Bank case teaches us

The TD Bank plea agreement provides an unusually detailed window into the failures that can lead to catastrophic AML enforcement actions. Examining the specific deficiencies identified in the statement of facts offers practical guidance for boards seeking to avoid similar outcomes.

First, and most fundamentally, TD Bank failed to update its transaction monitoring system despite years of growth and repeated warnings. “From at least 2014 to late 2022, TDBNA failed to implement any new transaction monitoring scenarios or make any substantive changes to the parameters of its existing transaction monitoring scenarios, despite significant unaddressed risks.” The bank lacked scenarios to monitor customer behavioural anomalies or to provide targeted oversight of high-risk customer categories. When enhancements were proposed, they were repeatedly postponed or cancelled to reduce costs.

The board should have been asking probing questions about the adequacy of transaction monitoring capabilities. Were monitoring scenarios being updated to address emerging risks and typologies? Were adequate resources being committed to monitoring system maintenance and enhancement? Were the monitoring gaps identified by the internal audit being addressed? The TD Bank board apparently did not ask these questions with sufficient persistence – or, if it did, did not take adequate action when management failed to address the identified deficiencies.

Second, TD Bank failed to maintain adequate staffing for its AML programme. Internal memoranda revealed that AML staff were “stretched dangerously thin” due to increasing SAR volumes and law enforcement inquiries. Despite these warnings, the bank’s “flat cost paradigm” prevented necessary increases in compliance resources. An effective board would have ensured that compliance staffing was adequate for the institution’s risk profile and would have challenged management’s cost-cutting priorities when they conflicted with compliance requirements.

Third, TD Bank’s failures enabled insider misconduct. Five bank employees conspired with money laundering organisations to open and maintain accounts used to launder US$39 million. These employees opened accounts in exchange for bribes ranging from US$50 to US$2,500 per account and used their positions to resolve issues arising from the illicit accounts. The statement of facts noted that “TDBNA’s failure to effectively manage its employee risk contributed to this insider misconduct—a result that was reasonably foreseeable to GAML and US-AML leadership in light of TDBNA’s pervasive AML failures.”

Boards must ensure that institutions have adequate controls to prevent and detect insider misconduct. This includes background screening, monitoring employee activities, restricting employee access to customer accounts and implementing policies to prevent conflicts of interest. When AML programmes are weak, employees with criminal intent have a greater opportunity to exploit the institution.

Fourth, TD Bank failed to address concerns raised by regulators and auditors adequately. The bank had been subject to enforcement actions by FinCEN and the OCC in 2013 for BSA violations, paying US$37.5 million in civil monetary penalties. Despite this prior enforcement history, the bank “failed to effectively or substantively adapt its transaction monitoring system after the 2013 enforcement actions”. Internal audit repeatedly identified deficiencies that remained unresolved for years. Third-party consultants identified “fundamental weaknesses” in the AML programme.

The board’s role in ensuring remediation of identified issues cannot be overstated. When regulators or auditors identify deficiencies, board members should insist on documented remediation plans with clear timelines and accountability. Progress against those plans should be reported to the board regularly, and delays or failures to remediate should trigger escalation and, potentially, personnel consequences.

Practical recommendations for boards

Based on the lessons from TD Bank and other recent enforcement actions, boards should consider implementing the following practices:

  • Establish a dedicated compliance committee with appropriate expertise. Several consent orders, including those against Bank of America and Blue Ridge Bank, have required institutions to establish compliance committees with independent-majority boards. Even without a regulatory mandate, boards should consider whether a dedicated committee structure would improve oversight effectiveness.
  • Ensure adequate board education on AML risks and requirements. Directors should receive regular training on BSA requirements, emerging money laundering typologies, and the institution’s specific risk profile. Training should include case studies from recent enforcement actions to ensure directors understand the practical consequences of compliance failures.
  • Require comprehensive reporting on the AML programme status. The board should receive regular reporting that includes the following: risk assessment updates; transaction monitoring effectiveness metrics, including alert volumes, investigation outcomes, and SAR filing trends; staffing adequacy assessments; internal audit findings and remediation status; regulatory examination results and management responses; and whistleblower and internal complaint activity.
  • Challenge management on resource adequacy. Directors should critically evaluate whether compliance budgets are commensurate with institutional risks. The “flat cost paradigm” that contributed to TD Bank’s failures exemplifies the danger of allowing cost considerations to override compliance requirements. Boards should be prepared to approve increased compliance spending when warranted by risk assessments.
  • Ensure accountability for compliance performance. Compliance metrics should be incorporated into executive compensation decisions. When individuals fail to fulfil compliance responsibilities, there should be consequences. Boards should establish clear expectations that compliance failures will affect performance evaluations and compensation.
  • Document board oversight activities. Board minutes should reflect meaningful discussion of compliance matters, including the questions directors asked, the information they reviewed, and the decisions they made. Documentation serves both as evidence of appropriate oversight and as a means to promote discipline that encourages directors to engage substantively with compliance issues.
  • Maintain independence between compliance and business functions. The TD Bank case illustrated the dangers of allowing cost considerations to override compliance judgments. Boards should ensure that compliance officers have appropriate independence and that business line executives cannot override their concerns focused on revenue or cost targets.

Conclusion

The enforcement landscape for AML compliance has shifted decisively toward holding boards and executives accountable for compliance failures. The TD Bank plea agreement represents the most significant AML enforcement action in history, and its lessons should be studied carefully by every bank board in the country. The government’s willingness to pursue individual liability, combined with the new whistleblower incentives created by the AMLA, means that directors and executives face substantial personal risks from AML non-compliance.

Yet these developments also create an opportunity. Boards that embrace their oversight responsibilities – that establish appropriate tone at the top, ensure adequate compliance resources, actively oversee third-party relationships, protect whistleblowers and hold management accountable for compliance performance – can build institutions that are both more compliant and more resilient. In an environment where regulators view strong compliance as essential to institutional safety and soundness, effective board oversight of AML programmes is not merely a legal obligation; it is essential to institutional safety and soundness. It is a business imperative.

The choice for directors is clear: take BSA/AML compliance seriously, or risk becoming the next cautionary tale. As the TD Bank case demonstrates, the consequences of choosing poorly can be devastating – for the institution, for its shareholder and for the individuals who failed in their oversight responsibilities.

Republished with permission. This article, "Board-level Accountability and the New Era of AML Enforcement," was published in the GIR Guide to Anti-Money Laundering on June 30, 2026.