Mark Taylor
Senior Editorial Manager
Canada’s financial services sector has been put on notice after regulators criticised Toronto-Dominion Bank’s compliance framework and ordered the lender to overhaul its risk management controls.
The Office of the Superintendent of Financial Institutions (OSFI) identified serious failings with TD Bank’s regulatory compliance management (RCM) following an exam, the Globe and Mail reported.
Problems with the bank’s regulatory compliance systems were also identified by US regulators, whose involvement complicates TD’s ambition of growth in North America.
The bank’s attempt to buy US lender First Horizon was torpedoed by a US Department of Justice (DOJ) probe last year, and there are currently at least four ongoing regulatory investigations into its compliance failings.
TD said it is holding ongoing discussions with OSFI over enhancements to its risk management practices, and has set around half a billion dollars aside to deal with the fallout. The true cost may run into multiple billions, financial crime experts have noted.
What is regulatory compliance management?
RCM helps large, complex organisations manage regulatory compliance risks; a key part of the framework is obligation management, and staying compliant with various regulations, laws and directives in multiple countries.
Regulated firms can have vastly different RCM practices due to factors like size; ownership structure; nature, scope and complexity of operations; corporate strategy; risk profile; and geographical locations.
Regulators consider RCM to be a vital part of any financial services firm’s approach to risk management, and reviews take in aspects such as the quality of tools, processes, and standards of supervision.
It was reported that weaknesses in TD’s anti-money laundering (AML) compliance controls, an integral part of RCM, were spotted by OSFI officials.
The Financial Transactions and Reports Analysis Centre of Canada (FinTRAC), the country's financial crime watchdog, also carried out a probe and informed OSFI of its findings.
In April, FinTRAC handed down its largest-ever monetary penalty of $9.18m on TD following a compliance examination which uncovered several regulatory violations.
Sanctions from US agencies are expected to be significantly higher, and may involve criminal charges.
“We continuously invest in our RCM program to address changing market dynamics, regulatory feedback and any potential findings. As the operating environment’s complexity intensifies, banks must always be focused on enhancing their programs. That work is ongoing at TD,” a spokeswoman for TD Bank said.
Risky business over the border
The bank has said it is working to improve its AML controls in the US, amid pressure to reveal more about the transactions which have piqued the interest of Washington, DC enforcers.
It is reserving around $450m to deal with any penalties linked to multiple probes ongoing regarding the bank’s involvement in a major money-laundering and drug-trafficking case, following accusations Chinese gangs bribed bank staff to wash proceeds from fentanyl sales.
Some experts believe the financial penalties could top $2bn, not including the costs from replacing its compliance program, installing monitors to supervise the improvements, and the hit from reputational damage.
At least three separate US agencies are said to be investigating the bank, as FinTRAC said it has the authority to exchange information with other regulators and US agencies.
It was reported that Canada’s Finance Minister Chrystia Freeland instructed regulators to resolve any outstanding problems at TD following concerns raised by US officials.
TD said it has fired 12 people following the scandal, and is working to enhance its RCM program by shaking up leadership and installing new tools.
Chief risk officer Ajai Bambawale acknowledged the bank’s AML program needed fixing in a call with analysts.
“[W]e always endeavour to be best in class in every risk area, but yes, from time to time, we find we’ve fallen behind in a particular area, and we’re out there owning the issue that we fell behind in our program and our program did not pick up things it should have picked up,” Bambawale said.
Referencing the bank’s US operations in regard to the money laundering failures, he said he was “disappointed that some of our colleagues didn’t follow our code of ethics”.
“We’re not denying it. We’re owning it,” he said.
How TD is upgrading its RCM
To mitigate the various issues, the bank has brought in risk specialists Proviti as a monitor of its controls, and launched a major restructuring of its global anti-money-laundering program, which will include new managers and technology.
“We did not meet our expectations or our regulatory obligations to monitor, detect, report and respond to suspicious activity. As a result, criminals broke through our defences and used the bank to launder money,” the bank’s CEO Bharat Masrani said in an internal memo to staff.
“This is absolutely unacceptable. While our systems stopped a lot of activity, I am deeply disappointed there were serious instances where we failed to stop these criminals. It goes against our values and everything we believe.”
In an earnings call, Masrani said the bank had failed to stop criminal activity on multiple occasions, triggering a significant probe from US Department of Justice officials.
It was reported that TD’s controls testing may have been a source of weakness, and that its RCM framework had been updated multiple times over the last decade.
As part of efforts to improve the framework, it is working to improve its data management processes, having suffered from operational silos as a consequence of its growth.
It has also strengthened compliance processes and controls related to identifying client risk, following a compliance exam in 2023.
Canada’s evolving regulatory expectations
OSFI said it cannot comment on confidential matters related to individual cases, but generally it expects senior stakeholders to be more engaged in mitigating compliance risks.
“We expect boards to comprehensively examine their oversight of non-financial risks and synthesize them into an enterprise-wide approach to protecting their institutions from threats to their integrity and security,” said OSFI Superintendent Peter Routledge.
OSFI’s RCM requirements date to 2014. The guidance notes that banks should review and update their RCM frameworks at least once a year to keep pace with evolving regulatory compliance risks.
CUBE comment
The TD case has two important takeaways.
The first is how overseas businesses operating in the US must be on top of their regulatory compliance management, not least because the prospect of penalties and punishments is much harsher than on their own patch.
The second is that gaps in Canada’s regulatory framework have been heavily exploited by criminals. This is something legislators are keen to fix, and they recently announced the biggest shake-up of risk management rules in 25 years.
Government estimates put the amount of money laundered via Canada each year at somewhere between $43bn and $113bn.
Such distortion of the financial system undermines the country’s integrity; Canada has slipped down corruption indexes as criminals increasingly take advantage of weak oversight.
The more comprehensive regulatory ecosystem in the US, by comparison, encourages proactive reporting of suspicious transactions. Enforcement agencies are keen to ensure that businesses operating in the US follow US laws and regulations closely.
Businesses which transgress often find regulatory punishment to be far more costly and damaging than the expenditure on a more advanced RCM framework. Automation of key processes can cut compliance spend by 40%, significantly reduce human error, and generate efficiencies that free executives to spend more time on strategy.