The US Federal Reserve fined Industrial and Commercial Bank of China US$2.43 million for improper use of financial-supervision information.
The New York Department of Financial Services, which also oversees the bank’s branch in the state, hit the firm with an additional US$30 million penalty.
“Confidential supervisory information includes reports of bank examinations and other confidential communications by banking regulators,” the Fed said in a statement Friday. “It is illegal to disclose confidential supervisory information without prior approval of the appropriate banking regulator.”
The Fed said it found that ICBC, the world’s largest lender by assets, lacked any formal policies, procedures, training or other internal controls to instruct employees on the proper handling of confidential supervisory information, or the prevention of unauthorised dissemination and use of such data.
ICBC did not immediately respond to requests for comment.
The New York Department of Financial Services said in a separate statement on Friday that its fine and a consent order with ICBC follow an investigation into the company’s compliance failures, including multiple deficiencies in the New York branch’s Bank Secrecy Act/Anti-Money-Laundering compliance programme from 2018 through 2022.
The investigation found that a former New York branch employee backdated several compliance documents at the direction of colleague, and that ICBC failed to report the misconduct to the department in a timely manner, according to the statement. ICBC also unlawfully disclosed confidential supervisory information to an overseas regulator, the department said, without specifying the regulator.
“Bank Secrecy Act and Anti-Money-Laundering laws and regulations are critical national-security protections, safeguarding financial markets and consumers from bad actors,” said Department of Financial Services Superintendent Adrienne Harris said in the statement.
An order by the Fed requires ICBC to submit, within 90 days, a written plan for enhancing internal controls and compliance functions around the handling of confidential supervisory information, among other reforms.
The plan must be acceptable to the Fed and adopted within 10 days. Then, within 3O days after the end of each quarter, the bank must submit progress reports on its reforms.
The Fed’s order against comes after the bank’s US unit was hit by a cyberattack in November, rendering it unable to clear swathes of US Treasury trades after entities responsible for settling the transactions swiftly disconnected from the stricken systems.
