
BSA Violations

FinCEN’s penalty assessment against Gibraltar Private Bank reads like a Stephen King novel for BSA compliance officers. The ongoing deficiencies and either the willful blindness or ignorance by Gibraltar caused me heartburn just reading the assessment report.

Gibraltar’s issues have been ongoing since at least 2010, when the OCC first warned Gibraltar of its BSA deficiencies. A consent order was placed in 2014, and finally, both the OCC and FinCEN assessed a combined total of $4 million in penalties in February.

Gibraltar failed to implement and maintain an adequate AML program, develop and implement an adequate customer identification program, and detect and adequately report suspicious transactions. Among the issues identified in the report:

  • Internal controls did not adequately monitor, detect, or report suspicious activity
  • Procedures for monitoring, detecting, and reporting suspicious activity were ineffective
    • “Although Gibraltar used a software system to monitor its accounts for unusual activity going through the Bank, the system and procedures were so flawed, that Gibraltar systematically failed to identify and timely report transactions through numerous accounts that exhibited indicia of money laundering or other suspicious activity.”
    • “Gibraltar’s transaction monitoring system contained account opening information and customer risk profiles that were frequently incomplete, inaccurate, and lacked sufficient analysis and validation. In addition, the anticipated account activity for some customers often did not match the actual transaction activity. Because of the incomplete and inaccurate information, when the Bank’s automated transaction monitoring system generated alerts on certain customers, analysts in the BSA department could not determine effectively when a change in those customers’ activities should have resulted in a change to those customers’ risk ratings.”
    • “Gibraltar’s automated monitoring system deficiencies resulted in its generation of an unmanageable number of alerts that included large numbers of false positives.” “The problems associated with the system were due to Gibraltar’s failure to adequately tailor the parameters and thresholds of the alerts generated by the system to match the high-risk activities it sought to identify and control.” “Gibraltar did not validate or independently test the system’s parameters and thresholds to reduce the number of false positive alerts the system generated. Consequently, Gibraltar’s failure to accurately set, validate, and test the automated monitoring system left Gibraltar overwhelmed by the large volume of alerts, many of which yielded false positive results. Hampered by a large volume, Gibraltar’s BSA analysts were also unable to timely or adequately review or investigate all of the alerts.”
  • Gibraltar failed to adequately assess the money laundering risks associated with its customers
    • “Gibraltar failed to adequately risk rate its high-risk customers and their respective accounts, leaving the Bank ill-equipped to adequately monitor transactions based on a customer’s particular level of risk or the account’s purpose and expected activity. Moreover, on some occasions, when Gibraltar detected a deviation in a customer’s activity from anticipated activity identified at account opening, it would change the anticipated activity in the account rather than changing customer’s risk rating, even when the customer should have been identified as high risk.”
  • Implementation of BSA training was continually inadequate
    • “It failed to provide appropriate training tailored to the needs of specific positions, departments, board members, and other personnel.”
  • Failed to maintain a sufficient customer identification program
    • “Gibraltar’s customer due diligence was insufficient to develop accurate risk profiles and to effectively understand its customers’ business and predicted activity.”
    • “Gibraltar also failed to incorporate its customer identification program into its internal controls, including transaction monitoring.”
  • Failed to adequately report suspicious activity
    • Filed SARs well over 60 days from the time that it knew, or had reason to know, transactions were suspicious.

While Gibraltar’s example is extreme, it should remind credit unions of the need to have a fully functional BSA compliance program, and that all levels of the credit union are involved with compliance – from new account staff capturing member information, to the Board ensuring that the program is functioning as it should.

https://www.fincen.gov/news_room/nr/pdf/Gibraltar_%20Assessment.pdf

   
