The Industrial and Commercial Bank of China (ICBC) and its New York branch agreed to pay $32.4 million in penalties levied by two regulators for failing to address long-standing compliance failures and for the unauthorized disclosure of confidential supervisory information (CSI) to an overseas regulator.

The New York State Department of Financial Services (NYDFS) fined the ICBC $30 million for failing to correct deficiencies found in its anti-money laundering (AML) and sanctions screening processes over several examination cycles from 2018-22, according to a press release Friday.

The Federal Reserve Board separately announced a $2.4 million fine against the ICBC for the unauthorized use and disclosure of CSI.

The details: In 2018, the Fed entered into a cease-and-desist order with the ICBC and its New York branch and ordered it to “remediate the deficiencies identified in areas including corporate governance and management oversight, customer due diligence, and suspicious activity monitoring and reporting,” according to the NYDFS’s order. The deficiencies continued through repeated Fed and NYDFS examination cycles, the order said.

The NYDFS also found issues with the bank’s compliance documents. In 2015, a senior bank employee backdated know your customer documents and had them signed by a bank manager who was no longer employed by the bank. The alleged scheme was raised internally by a bank employee in 2017 and confirmed after an internal investigation, but the NYDFS said it wasn’t made aware until January 2018.

The breach of CSI involved the transfer of a New York-based employee to an overseas affiliate in September 2021, the NYDFS order said. As part of the approval of the transfer, an overseas regulator asked whether the employee or the New York branch was the subject of any regulatory or disciplinary investigations. Providing that information required the permission of both the NYDFS and Fed before being sent to the overseas regulator.

In November 2021, the bank’s counsel provided background and proposed language regarding the CSI to the NYDFS and Fed. But later that same month, without the authorization of either regulator, the bank sent the background, proposed language, and other documents to the overseas regulator, which then forwarded them to a local regulator. The NYDFS said it and the Fed learned about the breach in December 2021.

In its order, the Fed said the bank lacked policies and procedures for properly handling CSI.

Compliance considerations: While remediations to the bank’s sanctions screening program were deemed sufficient by 2022, the AML deficiencies had still not been adequately addressed, the NYDFS said. A joint examination by the NYDFS and Fed concluded in 2023 found the bank adequately addressed the matter.

In settling with the NYDFS, the ICBC agreed to create a written plan “detailing enhancements to compliance policies and procedures, corporate governance and management oversight, customer due diligence requirements, and the handling of confidential supervisory information.”

The Fed required the bank’s New York branch to establish “effective governance, compliance, and audit policies and procedures designed to detect and prevent the unauthorized use and dissemination of CSI, including policies, procedures, training, and monitoring.”

Bank response: The ICBC said in a statement the deficiencies described by the NYDFS and Fed “do not reflect the current state of the branch’s compliance programs and internal controls.”

“Compliance and risk management have been, and continue to be, a top priority for ICBC New York Branch,” the bank said. “… ICBC New York Branch is fully committed to meeting all of the requirements of the orders and to satisfying regulatory expectations.”