In the world of compliance, every scandal can be a learning opportunity or, at the very least, a reminder not to fall into the trap of complacency.

New accusations against one of President Trump’s lawyers should prompt savvy compliance and risk officers to pursue a reinvigorated and creative strategy for Bank Secrecy Act procedures and anti-corruption efforts.

On May 8, attorney Michael Avenatti—representing Stephanie Clifford, the adult film actress known as Stormy Daniels—released a bombshell of a report accusing Michael Cohen, a Trump confidant and attorney, of all manner of alleged financial shenanigans. Just before the election in 2016, Cohen created a limited liability corporation that paid Clifford $130,000 in exchange for her silence regarding an alleged sexual dalliance with Trump.

That payment triggered suspicions of possible bank fraud and campaign finance violations. Earlier this year, Cohen’s office, home, and hotel room were raided by federal officials. The raid was ordered by the U.S. attorney’s office in Manhattan, acting on a referral from special prosecutor Robert Mueller.

Avenatti’s report, while short on sourcing, describes some of the alleged transactions involving Cohen’s consulting firm:

In October 2016, Cohen allegedly established a limited liability company named Essential Consultants by filing the requisite paperwork with the Secretary of State in Delaware.

Less than one month before the 2016 presidential election, Cohen allegedly established a new business account at a First Republic Bank branch located in New York City.

To establish the account, Cohen allegedly submitted information claiming that Essential Consultants is a real estate consulting company that collects fees for investment consulting work.

From October 2016 through January 2018, Cohen allegedly used his First Republic account to engage in suspicious financial transactions totaling $4.4 million.

Among those alleged suspicious financial transactions were approximately $500,000 in payments received from Viktor Vekselberg, a Russian oligarch, routed through eight payments by a company named Columbus Nova.

Also included among the suspicious financial transactions were payments made by global pharmaceutical giant Novartis directly to Essential in four separate transactions of $99,980 each. On Wednesday, the company admitted that it paid Cohen roughly $1.2 million for insight into health insurance reforms in the new administration.

AT&T, based in Dallas, made four payments of $50,000 apiece to Essential at the end of last year, as payment for consulting work and “insights” into the then-new Trump administration.

A $150,000 payment in November 2017 was allegedly received from Korea Aerospace Industries, an aircraft manufacturer.

The allegations contained in the report raise many red flags that might otherwise be missed or ignored at your company.

The resulting media spotlight on AT&T and Novartis should encourage conversations between CCOs and their boards about how to defend a company if it faces similar reputational risk and pay-to-play accusations.

Claims that Cohen was paid for “insights” into the administration, as AT&T has acknowledged, could be tough to defend. If that payment was instead made to an associate of a Mexican politician, or a member of the National Congress of Brazil, you can be assured this could be a matter worth investigating under the Foreign Corrupt Practices Act, instead of being shrugged off as the cost of doing business with a “consultant.”

The case should also reinforce the need for banks to scrutinize their know-your-customer policies and their best practices for suspicious activity reports.

The Bank Secrecy Act requires financial institutions to implement and maintain an AML compliance program reasonably designed to detect suspicious activity indicative of money laundering and other crimes, and to assure and monitor compliance with recordkeeping and reporting requirements. Those requirements include robust filing of suspicious activity reports.

Those reports, commonly known as SARs, have been hotly debated in recent weeks, with many in the banking world questioning their utility and whether the cost and compliance burden is worth it. Most SARs, critics say, don’t uncover crimes, so much as add data to a case that was already uncovered.

The Federal Financial Institutions Examination Council, a formal U.S. government interagency body composed of the five banking regulators, says the following about SARs in its Bank Secrecy Act/Anti-Money Laundering Examination Manual:

“Examiners and banks should recognize that the quality of SAR content is critical to the adequacy and effectiveness of the suspicious activity reporting system.”

NOVARTIS RESPONDS

The following is the official statement released by Novartis.
In February 2017, shortly after the election of President Trump, Novartis entered into a one-year agreement with Essential Consultants.
With the recent change in administration, Novartis believed that Michael Cohen could advise the company as to how the Trump administration might approach certain US healthcare policy matters, including the Affordable Care Act. The agreement was for a term of one year, and paid Essential Consultants 100,000 USD per month.
In March 2017, Novartis had its first meeting with Michael Cohen under this agreement. Following this initial meeting, Novartis determined that Michael Cohen and Essential Consultants would be unable to provide the services that Novartis had anticipated related to US healthcare policy matters and the decision was taken not to engage further. As the contract unfortunately could only be terminated for cause, payments continued to be made until the contract expired by its own terms in February 2018.
The engagement of Essential Consultants predated Vas Narasimhan becoming Novartis CEO and he was in no way involved with this agreement. Contrary to recent media reports, this agreement was also in no way related to the group dinner Dr. Narasimhan had at the World Economic Forum in Davos with President Trump and 15 Europe based industry leaders. Suggestions to the contrary clearly misrepresent the facts and can only be intended to further personal or political agendas as to which Novartis should not be a part.
In terms of the Special Counsel’s office, Novartis was contacted in November 2017 regarding the company’s agreement with Essential Consultants. Novartis cooperated fully with the Special Counsel’s office and provided all the information requested. Novartis considers this matter closed as to itself and is not aware of any outstanding questions regarding the agreement.
Source: Novartis

“As part of the examination process, examiners should review individual SAR filing decisions to determine the effectiveness of the bank's suspicious activity identification, evaluation, and reporting process,” it adds.

Among the activities that can trigger a SAR: potential criminal activity; transactions designed to evade the BSA; and the type of transaction that the particular customer would not normally be expected to engage in.

Paying hush money to a former adult film star assuredly meets the last criterion. One might also assume that using the same Delaware-incorporated shell company to collect monetary deposits from a Russian oligarch and Fortune 500 companies alike would also demand a SAR.

Despite criticisms that SARs only build upon criminal cases (but do not break them), there is speculation that leaked documents may have informed Avenatti’s accusations. For his part, he is demanding that the Treasury Department make public any relevant SARs related to Cohen.

Beyond suspicious activity reports, financial institutions are required to have a customer identification program (CIP) as part of a know-your-customer stage where all “politically exposed persons” must be identified and reported to those in charge of the BSA compliance function.

Although PEPs are usually considered and designated in reviews of foreign officials, banks are increasingly considering, and documenting, domestic PEPs. If your bank isn’t doing so, the accusations against Cohen illustrate why it should.

The Financial Action Task Force, an independent inter-governmental body that develops anti-money-laundering best practices, says that, “Because the risks presented by PEPs will vary by customer, product/service, country, and industry, identifying, monitoring, and designing controls for these accounts and transactions should be risk-based.”

“In high-profile cases over the past few years, PEPs have used banks as conduits for their illegal activities, including corruption, bribery, and money laundering. Banks should establish risk-based controls and procedures that include reasonable steps to ascertain the status of an individual as a PEP and to conduct risk-based scrutiny of accounts held by these individuals.”

In assessing domestic PEPs, screens could consider many of the same triggers applied to foreign PEPs, especially looking for a “close associate” of a senior political figure, someone who is in a position to conduct domestic and international financial transactions on behalf of that official. Cohen’s relationship with Trump and the international transactions funneled through his shell company should encourage financial institutions to expand their definition of a PEP to include anyone in a similar position.

In Cohen’s situation, this is particularly noteworthy when considering one of the criteria for “close associates” established by FATF: “Anyone who has the sole beneficial ownership of a legal entity which is known to have been set up for the benefit de facto of the PEP.”

The ultimate lesson here for compliance and risk officers at financial institutions is to fine-tune both data collection and the enterprise risk management and GRC software that empowers them to sift through the voluminous data they collect, seeking trends and outliers that demand manual attention. CCOs at public companies might spare their organizations reputational headaches by flagging and questioning payments similar to the ones made by AT&T and Novartis to Cohen. A bank doing similar transactions should also be able to isolate any curiosities and possible illegal activities.

Recent events and accusations also remind us of a controversial rulemaking petition, currently in limbo before the Securities and Exchange Commission despite garnering more than 1 million comment letters. It would require public companies to disclose all politically motivated payments (including what is paid to trade associations) to shareholders. Democrats have embraced the idea. Republicans have sought to kill it with prohibitory language inserted in spending bills.

An architect of the rule, Robert Jackson, a former professor at Columbia Law School, is a current SEC commissioner.

Residing in legislative Neverland is the Shareholder Protection Act that would:

Mandate a shareholder vote to approve an annual political expenditure budget chosen by the management for a publicly held corporation;

Require that each specific corporate political expenditure over a certain dollar threshold be approved by the board of directors and promptly disclosed to shareholders and the public; and

Post on the SEC Website how much each corporation is spending on elections and which candidates or issues they support or oppose.

Recent controversies, especially given the involvement of at least two public companies, could once again renew interest in either the proposed rule or stalled legislation, both of which have set a goal for flagging pay-for-play corruption.