
CALIFORNIA PACIFIC BANK, Petitioner, v. FEDERAL DEPOSIT INSURANCE CORPORATION, Respondent.

United States Court of Appeals for the Ninth Circuit, 2018-03-12, No. 16-70725
885 F.3d 560


Opinion

majority opinion

GRITZNER, District Judge:

California Pacific Bank (the Bank) appeals the issuance of a cease and desist order by the Board of Directors of the Federal Deposit Insurance Corporation (FDIC). The FDIC Board, which adopted in full the Recommended Decision of the Administrative Law Judge (ALJ), found that the Bank violated the Bank Secrecy Act (BSA), 31 U.S.C. §§ 5311-5330, and ordered the Bank to implement a corresponding plan to bring the Bank into compliance. The FDIC Board concluded that the Bank did not comply with the BSA's implementing regulations because it failed to establish and maintain procedures designed to ensure adequate internal controls, independent testing, administration, and training. The Bank filed a timely petition for review, challenging the constitutionality of the BSA and its implementing regulations and alleging that the FDIC Board's decision is not supported by substantial evidence. We deny the Bank's petition for review.

I. BACKGROUND

The BSA establishes, among other things, the recordkeeping and reporting requirements for private individuals, banks, and other financial institutions. 31 U.S.C. §§ 5311-5330; 12 U.S.C. §§ 1829b and 1951-1959. The BSA was enacted in 1970 as Title II of the Bank Records and Foreign Transactions Act, which was a response to rising Congressional concern over the use of foreign banks to launder the proceeds of illegal activity and evade federal income taxes. Pursuant to its purpose of identifying the source, volume, and movement of currency and other monetary instruments into and out of the United States or deposited into financial institutions, the BSA requires banks and other financial institutions to maintain a paper trail by keeping appropriate records of financial transactions.

To ensure compliance, Section 8(s) of the Federal Deposit Insurance Act directs the FDIC to issue regulations requiring banks to maintain a BSA compliance program, to review the program during bank examinations, to describe any problems with the program in its report of examination (ROE), and to state in that report whether a bank has failed to correct any problem with its program. 12 U.S.C. § 1818(s). In the event that a bank fails to correct any problem with its BSA compliance that the FDIC previously brought to its attention, the FDIC is required to issue a cease and desist order against the bank. 12 U.S.C. § 1818(s)(3)(B). FDIC regulations require that all insured nonmember banks establish and maintain procedures reasonably designed to assure and monitor their compliance with the requirements of the BSA and its implementing regulations. 12 C.F.R. § 326.8(a). Section 326.8(c) outlines the four pillars of compliance, which require that insured nonmember banks, at minimum,

(1) Provide for a system of internal controls to assure ongoing compliance;

(2) Provide for independent testing for compliance to be conducted by bank personnel or by an outside party;

(3) Designate an individual or individuals responsible for coordinating and monitoring day-to-day compliance; and

(4) Provide training for appropriate personnel.

The failure of any individual pillar can result in the FDIC deeming a bank noncompliant with the BSA. The Federal Financial Institutions Examination Council (FFIEC) Manual clarifies compliance requirements and provides for consistent examination procedures. In January 2012, the Bank issued its revised Bank Secrecy Act/Anti-Money Laundering Program Risk Assessment Manual (Bank BSA Policy Manual), which serves as the Bank's in-house guide for BSA compliance.

As defined by the BSA, the Bank is a State non-member bank and an insured depository institution. 12 U.S.C. § 1813(c)(2) and (e)(2). The Bank is a community bank with offices in San Francisco and Fremont, California. In 2012, the Bank had fewer than fifteen employees, approximately 200 customers, and approximately 500 deposit accounts. The Bank's customer base consists of a significant number of import-export customers, accounts held by non-resident aliens, and accounts with international transactions.

In July 2010, FDIC Examiner Heather Rawlins conducted a safety and soundness examination of the Bank. Rawlins deemed the Bank's BSA program satisfactory but identified several areas that must be corrected. Among the corrective requirements were that the Bank document its director training and incorporate a method of testing employees' knowledge of training; designate new customers that have high levels of activity as high risk for at least six months; monitor and analyze aggregate activity for at least three months to establish a pattern of activity; and increase the risk rating for the customer base. Rawlins reviewed the results of the examination with the Bank's CEO, Richard Chi, and the Bank's third-party auditor, Joan Vivaldo. The Bank's management agreed to the recommendations.

During 2011, at least four individuals served sequentially as the Bank's BSA compliance officer (BSA Officer). In August 2011, Alan Chi, CEO Richard Chi's son, became acting BSA Officer without the Bank's Board of Directors interviewing for the position. Further, the Bank's Board of Directors did not recruit anyone else for the vacancy. Following election by the Bank's Board of Directors in January 2012, Alan Chi became the Bank's permanent BSA Administrator, in addition to the Bank's Senior Vice President, Senior Credit Officer, Chief Financial Officer, Internal Auditor, and Operations Compliance Officer.

After becoming acting BSA Officer in 2011, Alan Chi revised the Bank's new customer deposit account risk assessment form. Under the revised form, accounts would be downgraded (assessed a lower score on the risk-point scale) if a customer already maintained an account at the bank or if a customer had been referred to the Bank by an employee or well-known customer. Vivaldo criticized the revised scoring methodology, and in correspondence with Alan Chi, noted that this methodology failed to identify three new high risk deposit accounts. Vivaldo commented that Alan Chi's use of an automatic twelve point reduction for certain customers could turn around and bite them someday. Vivaldo informed Alan Chi that if he ignored her, he would be left to the tender mercies of the FDIC. Alan Chi replied that he deemed the lower risk rating satisfactory, given his longstanding knowledge of the customers. In a follow-up communication, Vivaldo flagged the potential for the FDIC to criticize the Bank for failing to report high risk accounts. This prompted Alan Chi to further revise his risk assessment form. In the updated version, accounts would be downgraded only if directly related to any loan or existing deposit account. Vivaldo's concerns persisted: Again, I suggest you lower the score tiers to pre July 2011 levels. With the proposed ranges, almost no account will be medium risk or high risk. An unnatural system. The FDIC recommended the pre July 2011 scoring tiers.

Alan Chi also revised the risk assessment form the Bank used to assess its own risk. Using this altered methodology resulted in the Bank having a low, rather than medium to high, overall risk rating. Vivaldo disagreed with the new methodology.

FDIC examiner Rawlins performed another examination of the Bank beginning on December 3, 2012, which used the Bank's information as of September 30, 2012. The FDIC's 2012 ROE concluded that the Bank failed to administer a BSA compliance program in accordance with the four pillars and failed to file a Suspicious Activity Report (SAR) where one was needed.

Rawlins assessed the Bank's progress for the first BSA pillar, internal controls, by selecting twenty-four deposit accounts for review. Rawlins found that the information contained within sixteen of the accounts was incomplete and that activity in those accounts was higher than expected. Although Alan Chi informed Rawlins that the Bank's loan accounts contained additional information, Rawlins reviewed only the deposit accounts. Rawlins echoed Vivaldo's concerns regarding the Bank's revised risk ratings. Rawlins discovered that the Bank had persisted with daily batch reviews of account activity, rather than adopting Rawlins' recommendation for longer-term monitoring. The Bank's loan documentation revealed four site visits between August 2009 and May 2012, only one of which occurred after Alan Chi became acting BSA Officer. Rawlins considered Alan Chi's due diligence with respect to site visits to be inadequate. Alan Chi testified at the ALJ hearing that he kept his BSA assessments relating to the site visits in my head, as well as [the heads of] the other officers that went with me.

The FDIC's review of the second pillar, independent testing, centered on Vivaldo. Vivaldo was the Bank's internal auditor from 2005 through the second quarter of 2012 and performed quarterly reviews. Prior to the 2012 review, FDIC examiners had not criticized Vivaldo's methods. Nonetheless, Rawlins deemed Vivaldo's 2012 review inadequate. Rawlins noted that Vivaldo's 2012 report failed to assess Alan Chi's qualifications as BSA Officer, to assess the sufficiency of the Bank's compliance training, or to identify the deficiencies relating to risk rating and customer monitoring that the examiners discovered during the 2010 examination and continued in the 2012 examination. Rawlins also considered Vivaldo's role with the Bank to be a conflict of interest. Although Vivaldo was the Bank's designated auditor, her engagement agreement with the Bank identified her role as consultant, and she provided monthly BSA administrator reports directly to the Bank's Board of Directors. Vivaldo also drafted the Bank's BSA Policy Manual in 2006 and recommended yearly updates.

The FDIC's review of the third pillar, administration, centered on Alan Chi. Alan Chi had received no training in BSA compliance before taking over as BSA Officer in August 2011. After his appointment, he attended several Independent Community Bankers of America courses and completed a webinar. He also gained familiarity with the BSA through interactions with the FDIC and review of FDIC reports. Rawlins determined that this was inadequate experience to administer the Bank's BSA compliance program. Rawlins also concluded that Alan Chi could not dedicate sufficient time to compliance amidst his many roles at the Bank. Rawlins believed that sharing BSA and credit responsibilities created a conflict of interest and inhibited Alan Chi's ability to assess the Bank's compliance efforts objectively.

With regard to the fourth pillar, training, Alan Chi offered presentations to Bank staff on customer identification, currency transaction reporting, anti-money laundering, identity theft, and unlawful internet gambling. He also provided employees with copies of the Bank's BSA Policy Manual and tested their knowledge through quizzes. Employees were expected to attend a webinar, which Rawlins considered rudimentary. Rawlins found that the Bank's training materials were not tailored to specific job functions. Rawlins concluded that Alan Chi was an inadequate BSA Officer who was not qualified to serve as the sole person responsible for BSA compliance training, thus rendering the training insufficient.

In addition to her review of the Bank's compliance with the four pillars, Rawlins noticed that the Bank did not file a SAR or document its decision not to file a SAR relating to several transactions. In 2011 and 2012, the Bank received grand jury subpoenas seeking information on several customers who were part of a Federal Bureau of Investigation (FBI) investigation into international espionage and misappropriation of trade secrets. The Department of Justice (DOJ) directed the Bank to maintain the utmost secrecy with regard to this Federal grand jury subpoena. Alan Chi interpreted this to mean that he could not disclose any aspect of the FBI investigation and decided not to file a SAR. Rawlins' draft 2012 ROE concluded that the Bank should have filed a SAR pursuant to 12 C.F.R. § 353.3(a)(4), describing at a general level the suspicious transactions of the customers who were under investigation. Although Edmund Wong, Rawlins' immediate supervisor, initially disagreed, he ultimately concluded that the Bank should have filed a SAR after Wong discovered evidence of a so-called layering scheme involving several customers.

After the Bank refused to agree to a consent order following the 2012 examination, the FDIC issued a notice of charges seeking to impose a cease and desist order against the Bank. The Bank's Answer denied the material allegations contained in the notice. The ALJ, C. Richard Miserendino, conducted a four-day hearing in San Francisco. The ALJ's Recommended Decision concluded that the Bank had violated the BSA and its implementing regulations. The ALJ found the Bank's ancillary defenses that the BSA regulations and the FDIC's alleged bias violated the Bank's due process rights were unavailing. The ALJ recommended the issuance of a cease and desist order. The FDIC Board affirmed the ALJ's Recommended Decision and issued a cease and desist order. The Bank timely filed this petition for review.

II. STANDARD OF REVIEW

Whether a statute or regulation is unconstitutionally vague is a question of law and the standard of review is de novo. United States v. Helmy, 951 F.2d 988, 993 (9th Cir. 1991) (citation omitted). Due process challenges are also subject to de novo review. Lord Jim's v. NLRB, 772 F.2d 1446, 1448 (9th Cir. 1985).

Under the Administrative Procedure Act (APA), agency action must be set aside if it is arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law or if it is unsupported by substantial evidence. 5 U.S.C. § 706(2)(A) and (E). Substantial evidence is more than a mere scintilla but less than a preponderance; it is such relevant evidence as a reasonable mind might accept as adequate to support a conclusion. De La Fuente v. FDIC, 332 F.3d 1208, 1220 (9th Cir. 2003) (citation omitted). The substantial evidence standard requires that this court review the administrative record as a whole, weighing both the evidence that supports and the evidence that detracts from the ALJ's conclusion. Andrews v. Shalala, 53 F.3d 1035, 1039 (9th Cir. 1995). The ALJ is responsible for determining credibility and resolving ambiguities when relevant. Id. The APA's standard of review is highly deferential, presuming the agency action to be valid and affirming the agency action if a reasonable basis exists for its decision. Indep. Acceptance Co. v. California, 204 F.3d 1247, 1251 (9th Cir. 2000) (citation omitted).

III. DISCUSSION

A. Constitutional Challenges

The Bank advances two constitutional challenges. The Bank first challenges that the BSA and its implementing regulations are unconstitutionally vague. The Bank's second constitutional challenge is that the FDIC conducted a biased investigation that violated the Bank's due process rights.

1. Waiver

As a preliminary matter, the FDIC argues that the Bank's constitutional challenges were waived because they were inadequately briefed. In resistance, the Bank argues that it did not waive its constitutional challenges, as its brief cited Supreme Court decisions and facts from the record that support its constitutional challenges.

Federal Rule of Appellate Procedure 28(a)(8)(A) requires that the argument section of a brief contain appellant's contentions and the reasons for them, with citations to the authorities and parts of the record on which the appellant relies. We have held that arguments are waived where the appellant does not present any argument to support its assertions and cites no authority. United States v. Alonso, 48 F.3d 1536, 1544-45 (9th Cir. 1995). Inadequately briefed and perfunctory arguments are also waived. United Nurses Assocs. of Cal. v. NLRB, 871 F.3d 767, 780 (9th Cir. 2017).

In support of its constitutional vagueness challenge, the Bank cites 12 C.F.R. § 326.8(c) (the FDIC's four pillars regulation) and three Supreme Court decisions that discuss vagueness. The Bank also cites passages from the record comparing the 2010 and 2012 ROE findings. In addition, the Bank references the ALJ's finding that the FFIEC Manual is not entitled to Chevron deference. The Bank's argument relating to FDIC bias, while similarly abbreviated, cites to the record and references a Supreme Court case. For both constitutional arguments, the Bank cites valid legal authorities and references the record, and therefore has at least minimally preserved its constitutional challenges. See Fed. R. App. P. 28(8)(A); Alonso, 48 F.3d at 1544.

2. Vagueness

Turning to the merits of the constitutional challenges, the Bank argues that the BSA is unconstitutionally vague because neither the statute nor its implementing regulations were precise enough to inform the Bank of its required conduct. The Bank also contends that the statute and regulations are unconstitutionally vague because the FDIC can arbitrarily determine whether BSA compliance procedures are sufficient. The Bank further argues that the FFIEC Manual cannot clarify compliance procedures because the FFIEC Manual lacks the force and effect of law.

To pass constitutional muster against a vagueness attack, a statute must give a person of ordinary intelligence adequate notice of the conduct it proscribes. Craft v. Nat'l Park Serv., 34 F.3d 918, 921 (9th Cir. 1994) (quoting United States v. 594,464 Pounds of Salmon, 871 F.2d 824, 829 (9th Cir. 1989)). Various factors affect our analysis, including whether or not the statute at issue (1) involved only economic regulation, (2) contained only civil, not criminal penalties, (3) contained a scienter requirement, ... and (4) threatened any constitutionally protected rights. Hanlester Network v. Shalala, 51 F.3d 1390, 1398 (9th Cir. 1995) (citing Vill. of Hoffman Estates v. Flipside, Hoffman Estates, Inc., 455 U.S. 489, 498-99, 102 S.Ct. 1186, 71 L.Ed.2d 362 (1982)). Further, exactness can be achieved not just on the face of the statute, but also through limiting constructions given to the statute by the ... enforcement agency. Hess v. Bd. of Parole & Post-Prison Supervision, 514 F.3d 909, 914 (9th Cir. 2008).

Where economic regulation is involved, vagueness is less of a concern because the regulated enterprise may have the ability to clarify the meaning of the regulation by its own inquiry, or by resort to an administrative process. United States v. Doremus, 888 F.2d 630, 634-35 (9th Cir. 1989) (quoting Hoffman Estates, 455 U.S. at 498, 102 S.Ct. 1186). In considering whether an administrative regulation is unconstitutionally vague, the reviewing court must assess it within the context of the particular conduct to which it is being applied. Great Am. Houseboat Co. v. United States, 780 F.2d 741, 747 (9th Cir. 1986) (citing United States v. Nat'l Dairy Prods. Corp., 372 U.S. 29, 33-36, 83 S.Ct. 594, 9 L.Ed.2d 561 (1963)). We must consider if the regulation applies to a select group of persons having specialized knowledge. United States v. Elias, 269 F.3d 1003, 1015 (9th Cir. 2001) (quoting United States v. Weitzenhoff, 35 F.3d 1275, 1289 (9th Cir. 1993)).

Interpretations such as those in opinion letters-like interpretations contained in policy statements, agency manuals, and enforcement guidelines, all of which lack the force of law-do not warrant Chevron-style deference. Christensen v. Harris Cty., 529 U.S. 576, 587, 120 S.Ct. 1655, 146 L.Ed.2d 621 (2000). However, an agency-issued instruction manual, even if lacking the force of law itself, can clarify what conduct is expected of a person subject to a particular regulation and thus mitigate against vagueness. See Pinnock v. Int'l House of Pancakes Franchisee, 844 F.Supp. 574, 581 (S.D. Cal. 1993) (citing Ward v. Rock Against Racism, 491 U.S. 781, 795, 109 S.Ct. 2746, 105 L.Ed.2d 661 (1989); Hoffman Estates, 455 U.S. at 502, 504, 102 S.Ct. 1186; Grayned v. City of Rockford, 408 U.S. 104, 110, 92 S.Ct. 2294, 33 L.Ed.2d 222 (1972)); accord United States v. Woodley, 9 F.3d 774, 778 (9th Cir. 1993) (rejecting a vagueness challenge to Health Care Financing Administration's related party regulation based, in part, on the fact that the regulation referenced a Provider Reimbursement Manual that had been issued by the Department of Health and Human Services); Magic Valley Potato Shippers, Inc. v. Sec'y of Agric., 702 F.2d 840, 841-42 (9th Cir. 1983) (per curiam) (rejecting a vagueness challenge to a Department of Agriculture regulation based, in part, on the availability of instructional manuals issued by that agency).

Not only are the BSA and FDIC's implementing regulations economic in nature and threaten no constitutionally protected rights, but it is clear that a detailed manual issued by agencies with enforcement authority, such as the FFIEC Manual, can put regulated banks on notice of expected conduct. The BSA authorizes the FDIC to review banks for compliance. 12 U.S.C. § 1818(s). The FFIEC Manual frames the examiners' expectations in anticipation of routine compliance checks. The Bank knew these expectations. Indeed, the FDIC Board found that provisions of the FFIEC Manual were incorporated in the Bank's own BSA Policy Manual, and copies of the FFIEC Manual were found scattered throughout the Bank. A BSA Officer at the Bank bearing the requisite specialized knowledge would understand that compliance with the FFIEC Manual ensures compliance with the BSA. See Elias, 269 F.3d at 1015. The BSA and its implementing regulations are not unconstitutionally vague.

3. Investigative Bias

The Bank's second constitutional challenge is that the FDIC violated its due process rights by conducting a biased investigation. The Bank argues that comments made by examiners charged with assisting in the investigation demonstrate that the 2012 examination was predetermined. As examples of bias, the Bank points to Rawlins' decision to disregard the Bank's loan files when she was reviewing the Bank's deposit files for due diligence information, her criticism of Alan Chi for not filing a SAR, and her refusal to look at Vivaldo's Fourth Quarter 2011 Report. The Bank also asserts that bias was demonstrated by the ALJ's failure to consider the 2010 ROE, which concluded that the Bank's BSA program was generally adequate. The FDIC counters that the Bank's unconstitutional bias charge fails as a matter of law and as a matter of fact.

[W]hen governmental agencies adjudicate or make binding determinations which directly affect the legal rights of individuals, it is imperative that those agencies use the procedures which have traditionally been associated with the judicial process. Hannah v. Larche, 363 U.S. 420, 442, 80 S.Ct. 1502, 4 L.Ed.2d 1307 (1960). However, when a general fact-finding investigation is being conducted, it is not necessary that the full panoply of judicial procedures be used. Id. Whether the Constitution requires that a particular right obtain in a specific proceeding depends upon a complexity of factors. The nature of the alleged right involved, the nature of the proceeding, and the possible burden on that proceeding, are all consider[ed]. Id. Inherent in an agency's power of investigation is the authority to prevent the sterilization of investigations by burdening them with trial-like procedures. Id. at 448, 80 S.Ct. 1502. Administrative prosecutors are thus accorded wide discretion and need not be entirely neutral and detached. Marshall v. Jerrico, Inc., 446 U.S. 238, 248, 100 S.Ct. 1610, 64 L.Ed.2d 182 (1980) (quoting Ward v. Vill. of Monroeville, 409 U.S. 57, 62, 93 S.Ct. 80, 34 L.Ed.2d 267 (1972)). However, the Supreme Court has advised that we should be chary of schemes that inject a personal interest, financial or otherwise, into the enforcement process [which] may bring irrelevant or impermissible factors into the prosecutorial decision and in some contexts raise serious constitutional questions. Id. at 249-50, 100 S.Ct. 1610. In the event there was no scheme injecting a personal or financial interest into the FDIC examiners' investigation, and in the event the Bank received neutral adjudicatory review by the ALJ and the FDIC Board, the Bank's due process rights were not violated.

The FDIC examiners' function is exclusively fact-finding. Thus, their review of the Bank during the 2012 examination need not have been neutral and detached. See id. at 248, 100 S.Ct. 1610 (quoting Ward, 409 U.S. at 62, 93 S.Ct. 80). Even were the Bank correct in pointing to examiner comments and Rawlins' examination protocol as examples of bias, the Bank has failed to demonstrate that the FDIC examiners worked under a scheme which injected a personal or financial interest into their enforcement efforts. Moreover, the Bank participated in an ALJ hearing, during which it could cross-examine the FDIC's allegedly biased examiners, and the FDIC Board reviewed the ALJ's findings. The Bank's charge that the FDIC examiners were unconstitutionally biased is unavailing.

The Bank further argues that the ALJ was biased, specifically noting that the ALJ failed to consider the 2010 ROE. Contrary to the Bank's challenge, the ALJ did consider the 2010 ROE. The ALJ noted that, while the Bank's compliance was generally adequate, the 2010 ROE concluded there were a number of areas that needed improvement, particularly given the Bank's risk profile. Cal. Pac. Bank, 2016 WL 2997645, at *20. The ALJ highlighted two places where the Bank came up short in implementing the 2010 ROE: by failing to monitor and aggregate activity in high risk accounts and by improperly lowering its self-assessed risk rating. The Bank's charge that the ALJ failed to consider the 2010 ROE is contradicted by the record. There are no other allegations of bias relating to the ALJ. And in reviewing the record, we find that the ALJ's extensive four-day hearing was conducted in a fair, impartial, and efficient manner as FDIC regulations require. 12 C.F.R. § 308.5(a).

Neither the FDIC's investigation nor the ALJ was unconstitutionally biased against the Bank.

B. The FDIC Board's BSA Compliance Findings

Under the APA, agency action can be set aside only if arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law or unsupported by substantial evidence. 5 U.S.C. § 706(2)(A) and (E). The APA's standard is highly deferential. Indep. Acceptance Co., 204 F.3d at 1251. The FDIC Board adopted in full the ALJ's findings, which looked to the FFIEC Manual as an authority on compliance with the FDIC's four pillars regulation. The FDIC Board found that the Bank failed to comply with the four pillars of BSA compliance: adequate controls, independent testing, administration, and training. The FDIC Board further found that the Bank did not file a SAR where one was required. The Bank argues that the FDIC Board erred with each of these decisions.

1. FDIC Reference to the FFIEC Manual

The Bank takes issue with the FDIC's use of the FFIEC Manual as relevant authority in interpreting what the four pillars regulation required of the Bank. The Bank argues that the FDIC Board's reliance on the guidance and recommendations found in the FFIEC Manual was not in accordance with the law, as the FFIEC Manual could not impose legal obligations on the Bank. The FDIC counters that an agency may properly rely on, and clarify regulations with, an instructional manual promulgated to provide guidance on what is required by the regulation it administers.

Under Auer v. Robbins, 519 U.S. 452, 117 S.Ct. 905, 137 L.Ed.2d 79 (1997), an agency's interpretation of its own regulations is controlling unless plainly erroneous or inconsistent with the regulation. Id. at 461, 117 S.Ct. 905 (citation and internal quotation marks omitted). Under Auer ... the court must first determine whether the regulation was ambiguous. Bassiri v. Xerox Corp., 463 F.3d 927, 931 (9th Cir. 2006) (citing Christensen, 529 U.S. at 588, 120 S.Ct. 1655). Ambiguous regulations include those that are not entirely free from doubt, id. (quoting Providence Health System-Washington v. Thompson, 353 F.3d 661, 665 (9th Cir. 2003)), or susceptible to different interpretations and ... discretionary elements, Siskiyou Regional Education Project v. U.S. Forest Service, 565 F.3d 545, 557 (9th Cir. 2009). If the regulation in question is ambiguous, we defer to the agency's interpretation unless an alternative reading is compelled by the regulation's plain language or by other indications of the [agency's] intent at the time of the regulation's promulgation. Bassiri, 463 F.3d at 931 (alteration in original) (quoting Thomas Jefferson Univ. v. Shalala, 512 U.S. 504, 512, 114 S.Ct. 2381, 129 L.Ed.2d 405 (1994)). An agency's interpretation of its own regulation can be advanced through informal means, including an agency manual. See Pub. Lands for the People, Inc. v. U.S. Dep't of Agric., 697 F.3d 1192, 1199 (9th Cir. 2012) (according wide deference to the U.S. Forest Service's interpretation of a regulation contained in the Forest Service Manual).

The FDIC's four pillars regulation is ambiguous. The four pillars are not entirely free from doubt, given the complexity of BSA compliance and the need for FDIC officials to conduct administrative examinations of bank BSA programs. See Bassiri, 463 F.3d at 931. That banks can design different compliance programs further demonstrates that the four pillars are susceptible to different interpretations. See Siskiyou, 565 F.3d at 557.

In Financial Institution Letter 17-2010, the FDIC announced the release of the 2010 version of the FFIEC Manual. Though the FFIEC Manual was written collaboratively among multiple federal and state agencies, the Letter clarified that the FFIEC Manual contained the FDIC's supervisory expectations with respect to BSA compliance. We must thus defer to the FFIEC Manual unless it is plainly erroneous or inconsistent with the FDIC's four pillars regulation, or unless an alternative reading is compelled by the regulation's plain language. Auer, 519 U.S. at 461, 117 S.Ct. 905; Bassiri, 463 F.3d at 931 (quoting Thomas Jefferson, 512 U.S. at 512, 114 S.Ct. 2381); Pub. Lands, 697 F.3d at 1199. As the ALJ noted, the FFIEC Manual is a uniformly recognized authority on BSA policies, procedures, and processes with [e]ach section serv[ing] as a platform for the BSA/AML examination and, for the most part, address[ing] the legal and regulatory requirements of the BSA/AML compliance program. Cal. Pac. Bank, 2016 WL 2997645, at *36. As explained in the next section, the FFIEC Manual defines and provides clarifying guidance on each of the four pillars. Rawlins testified that FDIC examiners and banks alike use the FFIEC Manual as a roadmap for banks' compliance with the four pillars. Fittingly, Vivaldo also described the FFIEC Manual as an authority for BSA compliance, and the Bank's own BSA Policy Manual repeatedly referenced the FFIEC Manual. The FFIEC Manual is not plainly erroneous or inconsistent with the FDIC's four pillars regulation. Nor is an alternative reading compelled by the plain language of 12 C.F.R. § 326.8(c), given the generalized framing of the four pillars. The FFIEC Manual must receive Auer deference.

The FDIC Board acted in accordance with the law in referencing the FFIEC Manual to clarify the four pillars analysis for determining violations of the BSA.

2. The Four Pillars

The Bank next argues that the FDIC Board's determination that the Bank failed to comply with each of the BSA's four pillars-internal controls, independent testing, administration, and training-is not supported by substantial evidence.

a. Internal Controls

The first pillar of BSA compliance requires that banks [p]rovide for a system of internal controls to assure ongoing compliance. 12 C.F.R. § 326.8(c)(1). The FFIEC Manual advises that [t]he level of sophistication of the internal controls should be commensurate with the size, structure, risks, and complexity of the bank. The FFIEC Manual provides that banks are required to maintain controls that identify vulnerabilities and monitor the bank's risk profile.

The FDIC Board adopted the ALJ's findings that the Bank failed to conduct and document adequate customer due diligence, to identify certain customers as high risk, to conduct adequate site visits, and to sufficiently monitor accounts for suspicious activity. The Bank argues that the FDIC Board's decision is not supported by substantial evidence. The Bank asserts that its deposit and loan documentation, as well as its review of daily batch reports, demonstrate that it adequately evaluated and monitored its depositors. The Bank also argues that its site visits were sufficiently documented in its loan files and that the 2010 ROE recommendations were either complied with or were unnecessary.

Although Rawlins deemed the Bank's overall compliance satisfactory in her 2010 ROE, she identified several areas that must be corrected. In the event a bank has failed to correct any problem with BSA compliance that was previously brought to its attention, the FDIC shall issue a cease and desist order against the bank. 12 U.S.C. § 1818(s)(3)(B) (emphasis added).

The FDIC Board found that the Bank failed to adequately collect, document, and update BSA-relevant information about its depositors, as shown by the lack of information in the Bank's deposit account files. During her 2012 examination, Rawlins reviewed twenty-four deposit accounts. Although eight were adequate, Rawlins determined that the information contained within the remaining sixteen was incomplete, with account activity significantly higher than expected. The Bank argues that Rawlins failed to consider the Bank's loan files, which it asserts provided the information that was absent from the twenty-four accounts reviewed by Rawlins. Rawlins focused on the Bank's deposit files, not its loan files, since suspicious account activity was more likely to be found in the deposit files. Loan files, by contrast, generally focus on a customer's creditworthiness rather than on the sources of funds deposited into a bank. The Bank's BSA Policy Manual also provided that deposit accounts should be the locus of risk assessment and that depositors' loan files would be copied into the Bank's deposit account files. The FDIC Board's finding that the Bank did not sufficiently document its depositors is supported by substantial evidence.

The FDIC Board also found that the Bank failed to adequately monitor depositors' activity. Regarding the monitoring requirement, the FFIEC Manual provides that review of customer accounts can involve either daily reports or reports covering a period of time. However, this choice bears the caveat that "[t]he type and frequency of reviews and resulting reports used should be commensurate with the bank's BSA/AML risk profile and appropriately cover its higher-risk products, services, customers, entities, and geographic locations." The 2010 ROE determined that for certain customers the Bank needed to monitor and analyze aggregate activity over three months or more to establish a pattern of activity, rather than rely on daily reports to monitor those customers. The Bank, however, persisted with daily batch reviews of account activity. The FDIC Board's finding that, by failing to monitor long-term activity, the Bank contravened the 2010 ROE is supported by substantial evidence.

The FDIC Board also found that the Bank failed to properly risk-rate its depositors' accounts. The 2010 ROE directed that the Bank designate new customers with high levels of activity as high risk for at least six months and to increase the risk rating for the customer base overall to medium or high risk. Rawlins determined that the Bank's customer base, lack of internal controls, deficient BSA program, and geographic location demonstrated an overall high risk for the Bank. Following her 2010 review, Rawlins made clear to Richard Chi and Vivaldo the need for a higher risk assessment, which was tailored to a bank of their size and their complexity with their risk profile.

After assuming the role of BSA Officer in 2011, Alan Chi revised the Bank's new customer deposit account risk assessment form. Vivaldo advised Alan Chi that the revised risk ratings failed to identify high risk accounts. Alan Chi amended the risk assessment form in light of Vivaldo's criticisms. However, instead of using the FDIC's recommended scoring tiers, he merely altered the circumstances under which customer risk would be downgraded. Alan Chi also revised the risk assessment form the Bank used to assess its own risk, which resulted in a low risk rating for the Bank and drew further criticism from Vivaldo. The ALJ found no evidence, nor does the record indicate, that Alan Chi followed through on Vivaldo's guidance. The FDIC Board's finding that the Bank's risk assessment practices did not accord with the 2010 ROE is supported by substantial evidence.

The FDIC Board also found that the Bank failed to document BSA site visits to its customers. The Bank argues that it did conduct site visits, and that documentation relating to the visits was included in its loan files. However, Vivaldo testified that not all of the site visits were documented in the loan files, and Alan Chi testified that he kept BSA assessments in [his] head. Rawlins considered the Bank's loan site visits inadequate, reasoning that they focused more on credit risk than cash activity. The ALJ found that the Bank's loan documentation revealed just four site visits, only one of which occurred after Alan Chi became the Bank's BSA Officer, a visit that was prompted by a loan application and not a newly opened deposit account. The FDIC Board's finding that the site visits did not reflect adequate monitoring is supported by substantial evidence.

The Bank's failure to correct problems with its internal controls that were previously brought to its attention in the 2010 ROE, on its own, required the FDIC to issue a cease and desist order against the Bank. 12 U.S.C. § 1818(s)(3)(B). As repeatedly noted, the Bank's failure to address corrective measures from the 2010 ROE is a material factor in reaching the substantial evidence threshold. De La Fuente, 332 F.3d at 1220 ("Substantial evidence ... is such relevant evidence as a reasonable mind might accept as adequate to support a conclusion."). The FDIC Board's determination that the Bank did not maintain adequate internal controls, and thus, did not comply with the BSA, is supported by substantial evidence.

b. Independent Testing

The second pillar of compliance requires that banks "[p]rovide for independent testing for compliance to be conducted by bank personnel or by an outside party." 12 C.F.R. § 326.8(c)(2). The FFIEC Manual provides that independent testing includes, at a minimum, providing sufficient information to allow a reviewer to reach a conclusion about the overall quality of the BSA/AML compliance program. The FFIEC Manual further provides that an auditor must not be involved in any part of the bank's BSA/AML compliance program. The FDIC Board adopted the ALJ's findings that Vivaldo's 2012 Quarterly Report was deficient and that the Bank's independent testing was inadequate. The Bank argues that this decision is not supported by substantial evidence.

The Bank argues that the examiners failed to consider Vivaldo's Fourth Quarter 2011 Report, which it asserts concluded that the Bank's performance was satisfactory. At the ALJ hearing, however, Vivaldo conceded that, while the Fourth Quarter 2011 Report described certain components of the Bank's BSA program as satisfactory, the report lacked an explicit conclusion with respect to the BSA program as a whole.

Moreover, despite Rawlins' request for copies of any audits completed since the 2010 ROE, the Bank provided Rawlins with only one audit report prepared by Vivaldo covering the first two quarters of 2012. Rawlins found Vivaldo's review inadequate, as it lacked an overall assessment and failed to identify the deficiencies that had been identified by the FDIC examiners. For example, Vivaldo did not assess Alan Chi's qualifications or review the Bank Board's decision-making in appointing Alan Chi as the Bank's BSA Officer. Although Vivaldo noted the Bank's review of daily batch reports, she did not assess whether this was adequate for monitoring risk. Similarly, while Vivaldo observed that the Bank's staff attended a webinar, she did not assess whether this was adequate training. The FDIC Board's finding that Vivaldo's 2012 report was inadequate is supported by substantial evidence.

Although the FDIC Board primarily based its finding that the Bank's independent testing was inadequate on Vivaldo's 2012 report, the record further suggests that Vivaldo had a conflict of interest. Vivaldo's testimony at the ALJ hearing contradicted her 2011 criticism of Alan Chi's revised risk rating methodology. As noted, in 2011, Vivaldo told Alan Chi that his revised ratings were inadequate and flagged concerns with respect to several customers whose risk scores were underrated. At the ALJ hearing, on the other hand, Vivaldo testified that Alan Chi's revised risk assessment form was not a bad form at all and that she thought they had a very good handle on the activity of their portfolio by virtue of various monitorings they do. In addition to contradicting her contemporaneous criticisms, Vivaldo's role with the Bank was described as consultant, and she wrote and updated the Bank's BSA Policy Manual. Vivaldo's close involvement with the Bank and its BSA compliance program contravened the FFIEC Manual's guidance on independent testing.

The FDIC Board's decision that Vivaldo did not perform independent testing as required by the BSA is supported by substantial evidence.

c. Administration

The third pillar of compliance requires that banks "[d]esignate an individual or individuals responsible for coordinating and monitoring day-to-day compliance." 12 C.F.R. § 326.8(c)(3). The FFIEC Manual provides,

The BSA compliance officer should be fully knowledgeable of the BSA and all related regulations. The BSA compliance officer should also understand the bank's products, services, customers, entities, and geographic locations, and the potential money laundering and terrorist financing risks associated with those activities. The appointment of a BSA compliance officer is not sufficient to meet the regulatory requirement if that person does not have the expertise, authority, or time to satisfactorily complete the job.

The FDIC Board adopted the ALJ's finding that Alan Chi lacked the experience, training, and time to adequately perform as BSA Officer. The Bank argues that this decision was not supported by substantial evidence, asserting that Alan Chi was qualified based on his experience serving in multiple roles at the Bank, his on-the-job training, and his prior interactions with the FDIC. The Bank further argues that Alan Chi's due diligence adhered to the 2010 ROE.

Alan Chi acknowledged that until taking over as BSA Officer in the summer of 2011, he had received no training in BSA compliance. Alan Chi was appointed without the Bank recruiting or interviewing anyone else, nor did the Bank interview Alan Chi before hiring him as its BSA Officer. Furthermore, the extent of Alan Chi's training for the role included only his attending several Independent Community Bankers of America courses and a webinar. Interactions with the FDIC and review of FDIC reports provided him with some additional on-the-job training. The FDIC Board's findings that Alan Chi was an underqualified candidate, and that his on-the-job training did not equip him with the expertise the FFIEC Manual advises a BSA Officer have before assuming the role, is supported by substantial evidence.

In addition to serving as BSA Officer, Alan Chi held five other senior roles at the Bank. Rawlins testified that not even the most experienced BSA officer would be able to have the time to run an adequate BSA program given this many other duties at the institution. Rawlins further concluded that Alan Chi's overlapping loan approval and BSA compliance roles created a conflict of interest, with Alan Chi potentially unwilling to objectively risk-rate longstanding customers. Alan Chi admitted that he considered his BSA Officer and Senior Credit Officer roles an aggregate, and as noted, Alan Chi's revised risk assessment methodology contravened the 2010 ROE. The FDIC Board's finding that Alan Chi lacked the requisite time and independence befitting of an adequate BSA Officer is supported by substantial evidence.

The FDIC Board's decision that Alan Chi was an inadequate BSA Officer, and thus, the Bank did not comply with the BSA, is supported by substantial evidence.

d. Training

The fourth pillar of compliance requires that banks "[p]rovide training for appropriate personnel." 12 C.F.R. § 326.8(c)(4). The FFIEC Manual advises,

Training should include regulatory requirements and the bank's internal BSA/AML policies, procedures, and processes. ... The training should be tailored to the person's specific responsibilities. ... The BSA compliance officer should receive periodic training that is relevant and appropriate given changes to regulatory requirements as well as the activities and overall BSA/AML risk profile of the bank.

The 2010 ROE advised the Bank to test employees' knowledge and document director training. The FDIC adopted the ALJ's findings that the Bank's training was not targeted to each employee's role and was generally inadequate. The Bank argues that this decision is not supported by substantial evidence and asserts that its training materials, including quizzes and presentations, were satisfactory.

To carry out the FDIC's recommendation on training, Alan Chi offered presentations on customer identification, currency transaction reporting, anti-money-laundering, identity theft, and unlawful internet gambling. He also provided the Bank's employees with copies of the Bank's BSA Policy Manual. Alan Chi expected employees to read the manual and perform satisfactorily on the quizzes. Rawlins found that requiring employees to attend a webinar provided only rudimentary BSA training. Although quizzes were administered, the record contains no evidence suggesting that training materials were tailored to specific job functions at the Bank. Rawlins also found that given Alan Chi's lack of experience, he was unqualified to serve as the sole person responsible for BSA training.

The FDIC Board's decision that the Bank's inadequate training did not comply with the BSA is supported by substantial evidence.

3. Suspicious Activity Reporting

The FDIC Board affirmed the ALJ's finding that the Bank failed to file a SAR where one was needed and to document its decision on whether or not to file a SAR. The Bank argues that this decision is not supported by substantial evidence. The Bank argues that it could not have been obligated to file a SAR because the FBI and DOJ told the Bank not to disclose any aspect of an ongoing federal criminal investigation. The Bank further contends that the examiners manufactured a new justification for filing a SAR months after the 2012 examination was complete.

Pursuant to 12 C.F.R. § 353.1, an insured state nonmember bank must file a SAR whenever it suspects a known or suspected criminal violation of federal law or a suspicious transaction related to a money laundering activity or a violation of the Bank Secrecy Act. For transactions of $5000 or more that involve potential money laundering or BSA violations, a SAR must be filed with the appropriate federal law enforcement agencies and the Financial Crimes Enforcement Network, where "[t]he transaction involves funds derived from illegal activities or is intended or conducted in order to hide or disguise funds or assets derived from illegal activities" or "[t]he transaction has no business or apparent lawful purpose or is not the sort of transaction in which the particular customer would normally be expected to engage, and the bank knows of no reasonable explanation for the transaction." Id. § 353.3(a)(4)(i) and (iii). The FFIEC Manual advises banks to review account activity for any customer for whom the bank receives a subpoena and to independently evaluate the need to file a SAR based on the bank's review of those materials. The FFIEC Manual discourages banks from referencing receipt or existence of a grand jury subpoena in the SAR and states that the SAR should only reference any underlying facts supporting the determination that the transaction at issue in the SAR is suspicious.

During 2011 and 2012, the Bank received grand jury subpoenas seeking documentation and other information regarding certain customer transactions. These customers were part of an FBI investigation into international espionage and misappropriation of trade secrets. The FBI executed a search warrant on the Bank and interviewed Alan Chi and other Bank employees regarding these accounts. In early 2012, some of these customers were indicted for economic espionage and theft of trade secrets.

It is undisputed that the Bank did not file a SAR or document its decision not to file a SAR. The only issue is whether the Bank's non-action was excused. The FDIC Board found that the Bank was not legally precluded from filing a SAR. On August 10, 2011, the DOJ sent the Bank a letter, directing the Bank to maintain the utmost secrecy with regard to the federal grand jury subpoena. Alan Chi interpreted this to mean that he could not disclose any aspect of the FBI investigation, including providing notice to regulators of customer activity in a SAR, even if that SAR did not include any mention of the FBI investigation. But this interpretation was erroneous. The Federal grand jury subpoena letter advised that "you and employees of California Pacific Bank [are required to] maintain the utmost secrecy with regard to this Federal grand jury subpoena." In recounting his conversation with an FBI agent, when Alan Chi asked if he could file a SAR, he recalled the agent saying, "Don't mention anything about the subpoena ... just don't mention the subpoena." The FFIEC Manual explicitly contemplates the filing of SARs for customer activity that is also subject to law enforcement investigations and subpoenas, which suggests that investigations and subpoenas should often prompt filing SARs. The Bank's BSA Policy Manual reflected this guidance as well. Nothing prevented the Bank from filing a SAR that only referenced the suspicious activity at a general level without mentioning receipt of the subpoenas. The FDIC Board's finding that the Bank was able to file a SAR is supported by substantial evidence.

Rawlins' draft 2012 ROE concluded that the Bank should have filed a SAR pursuant to 12 C.F.R. § 353.3(a)(4)(i) after learning of the indictments. Edmund Wong, Rawlins' immediate supervisor, initially disagreed, and concluded after conducting a second-level review of the ROE that an indictment alone was insufficient to support filing a SAR. However, upon receiving additional information on the accounts, Wong determined that the Bank should have filed a SAR. Wong detected several red flags, including large dollar and round dollar amounts that were much larger than the anticipated activity in the accounts, large wire transfers, and transactions that lacked any information on source of income, purpose of account, or expected activity, all of which he deemed evidence of a layering scheme. The FDIC Board's findings that the filing of a SAR was warranted and that the examiners did not manufacture a justification for filing a SAR are supported by substantial evidence.

The FDIC Board's decision that, in failing both to file a SAR and to document its decision not to file a SAR, the Bank violated 12 C.F.R. § 353 and did not comply with the BSA is supported by substantial evidence.

IV. CONCLUSION

We hold that the BSA and its implementing regulations are not unconstitutionally vague, and the FDIC did not exhibit unconstitutional bias against the Bank. We further hold that the FDIC acted in accordance with the law by relying on the FFIEC Manual to clarify its four pillars regulation. The FDIC Board's decisions that the Bank failed to comply with the four pillars and that the Bank failed to file a SAR where one was needed, and thus, that the Bank did not comply with the BSA, are supported by substantial evidence. Accordingly, the Bank's petition for review is denied.

DENIED.

The FFIEC Manual is written collaboratively among the FDIC, the Board of Governors of the Federal Reserve System, the National Credit Union Administration, the Office of the Comptroller of the Currency, state banking agencies, and the Financial Crimes Enforcement Network.

To the extent that this opinion references information that has been filed under seal, we hereby unseal that information for purposes of this opinion.

The FDIC Board's Decision and Order to Cease and Desist, and the ALJ's Recommended Decision, can be found at Cal. Pac. Bank, No. FDIC-13-094b, 2016 WL 2997645 (Feb. 17, 2016).

The Bank concedes that, generally, bias exhibited during a regulatory investigation does not rise to the level of a due process violation. Pet'r's Br. 21.

This assessment correlated with Part I of the Bank's BSA Policy Manual, which noted that the Bank's Inherent Risk Assessment of BSA/AML is HIGH because the Bank is in both a High Intensity Drug Trafficking Area and a High Intensity Financial Crime Area. Vivaldo's Fourth Quarter 2011 Report also described the Bank's risk as inherently High.

The FDIC Board's SAR determination overlaps with the first pillar, but it also falls under an FDIC regulation distinct from the four pillars. It is therefore addressed separately. See infra Part III.B.3.

The Bank concedes that it brought up the Fourth Quarter 2011 Report for the first time at the exit meeting for the 2012 examination.

The Bank advances several additional arguments that merit only brief discussion. The Bank argues that because Vivaldo had extensive experience and had not been criticized previously by the FDIC, her auditing was satisfactory. But a record of successful examinations alone is not sufficient to overcome the substantial evidence that supports the FDIC Board's decision. Moreover, the FDIC was not estopped from citing inadequate independent testing in 2012 simply because it did not raise that issue in the 2010 ROE. See De La Fuente, 332 F.3d at 1220. The Bank argues that the examiners' assessment of Vivaldo was based on guidance in the FFIEC Manual, which has no legal effect. This argument is mooted by our conclusion that the FDIC Board acted in accordance with the law in relying on the FFIEC Manual as an interpretive authority on the FDIC's four pillars regulation. Finally, the Bank argues that Rawlins was not a credible expert under Federal Rule of Evidence 702, because she, unlike Vivaldo, failed to consider relevant facts in the form of the Bank's loan files. Contrary to this argument, the record indicates that Rawlins did consider the loan files, but refused to accord them any weight in her examination.

The Bank argues that Alan Chi should be subject to a lesser standard of qualification for the role of BSA Officer, given the Bank's smaller size. This argument is unavailing. The FFIEC Manual provides that compliance should be tailored to both a Bank's size and risk profile. The Bank's customer base reflects a high risk profile. "[A]ll institutions, regardless of size, must operate in a safe and sound manner." First Bank of Jacksonville, No. FDIC-96-155b, 1998 WL 363852, at *13 (May 26, 1998), aff'd mem., First Bank of Jacksonville v. FDIC, 180 F.3d 269 (11th Cir. 1999) (unpublished table decision).

The FFIEC Manual also recommends that banks "[p]rovide for dual controls and the segregation of duties to the extent possible."

The Bank argues that Alan Chi's long-term investment in the Bank, a family business, provided sufficient disincentive to loan money to anyone potentially involved in illegal activity. The FDIC Board's rejection of this line of reasoning, which was based on the fact that Alan Chi was a longstanding credit officer with customer relationships to maintain, and thereby conflicted, is supported by substantial evidence.

The Bank argues that it did not need to tailor training to individual employees because personnel responsibilities frequently overlap at a smaller bank. The Bank acknowledges, however, that staff performed different tasks at the Bank, and the FFIEC Manual advises that training should be tailored to specific responsibilities. The Bank could have, but did not, conduct both group and role-based BSA compliance training.