FDIC Enforcement Spotlights Deficiencies in Kansas Bank’s Anti-Money Laundering Program

On December 27, 2024, the Federal Deposit Insurance Corporation (FDIC) announced a notice of assessment of a civil money penalty against a Kansas-based bank. The action, originally brought in November, imposed a $20.4 million civil money penalty against the bank and alleged violations of the Bank Secrecy Act (BSA), 31 U.S.C. § 5311 et seq., for its failure to implement an adequate anti-money laundering and counter-terrorism program.
The FDIC asserts that between December 2018 and August 2020, the Bank’s AML/CFT compliance program failed to address risks associated with its high-volume international banking operations. These operations included processing $27 billion in wire transfers for foreign banks in 2018 alone and facilitating bulk cash shipments from Mexico. Specific deficiencies cited by the FDIC include:

Inadequate Internal Controls. The bank’s reliance on flawed AML monitoring software and manual reviews failed to detect red flags, such as large, suspicious transactions and activity linked to high-risk jurisdictions. Although the bank employed external auditors to analyze its BSA compliance, the complaint claims the testing was too limited and lacked sufficient data.
Customer Due Diligence Failures. The bank failed to establish and maintain an effective customer due diligence program, as the BSA Officer’s ongoing due diligence for the bulk cash business was limited to comparing actual to expected cash deposits without conducting denomination analysis or monitoring outgoing wire activity, resulting in missed data indicative of money laundering and terrorist financing risk.
Deficient Reporting. The bank failed to file hundreds of suspicious activity reports (SARs) required by federal law, and did not implement sufficient customer due diligence or foreign correspondent account monitoring. The FDIC also found that the bank’s BSA Officer was not properly empowered to make SAR filings; SAR filing decisions were instead made collectively by a committee consisting of various C-suite executives of the bank.
Unqualified Oversight. The appointed BSA officer during the relevant period lacked necessary experience and authority to manage the bank’s AML compliance program effectively, pointing to deficiencies in the bank’s BSA/AML training program.

The FDIC described the alleged violations as part of a “pattern of misconduct” and noted that the bank benefited financially from these failures, generating significant fee income.
Putting It Into Practice: The FDIC’s action was swiftly challenged by the bank. On November 19, it filed a complaint in the U.S. District Court for the District of Kansas challenging the FDIC’s findings, emphasizing that the bank ceased the operations in question in 2020 and took swift corrective actions. In its complaint, the bank also argues that the fine penalizes “years-old conduct” and disregards the bank’s current compliance improvements.

Second Circuit Adopts “At Least One Purpose” Rule for False Claims Act Cases Premised on Anti-Kickback Statute Violations

On December 27, 2024, the U.S. Court of Appeals for the Second Circuit held in U.S. ex rel. Camburn v. Novartis Pharmaceuticals Corporation that a relator adequately pleads a False Claims Act (“FCA”) cause of action premised on violation of the Anti-Kickback Statute (“AKS”) by alleging, with sufficient particularity under Federal Rule of Civil Procedure 9(b) (“Rule 9(b)”), that at least one purpose (rather than the sole or primary purpose) of the alleged kickback scheme was to induce the purchase of federally reimbursable health care products or services.[1]
In doing so, the Second Circuit joins seven other Circuit Courts—the First, Third, Fourth, Fifth, Seventh, Ninth, and Tenth Circuits—in adopting the “at least one purpose” rule. This ruling lowers the bar in the Second Circuit for relators pleading AKS-based FCA claims. 
Interplay Between FCA and AKS Violations
Under the AKS, “a claim that includes items or services resulting from a violation [of the AKS] … constitutes a false or fraudulent claim” under the FCA.[2]
The AKS prohibits persons from, among other things, “knowingly and willfully” soliciting or receiving “any remuneration (including any kickback, bribe, or rebate) directly or indirectly, overtly or covertly, in cash or in kind—

in return for referring an individual to a person for the furnishing or arranging for the furnishing of any item or service for which payment may be made in whole or in part under a federal health care program, or
in return for purchasing, leasing, ordering, or arranging for or recommending purchasing, leasing, or ordering any good, facility, service, or item for which payment may be made in whole or in part under a Federal health care program[.]”[3]

Alleged “Sham” Speaker Events & Excessive Compensation
In U.S. ex rel. Camburn, the relator, a former Novartis sales representative, filed a qui tam action in the U.S. District Court for the Southern District of New York alleging violations of the FCA premised on violations of the AKS. The relator alleged that Novartis operated a kickback scheme with the intent of bribing providers to prescribe Gilenya, a multiple sclerosis drug. Specifically, the relator alleged that Novartis operated a sham peer-to-peer speaker program that served as a mechanism for the company to offer remuneration to physicians in exchange for prescribing Gilenya. The relator alleged that the payments made to providers under the guise of this speaker program “caused pharmacies and physicians to submit false claims to the government and to the states for healthcare reimbursement under programs including Medicare Part D, Medicaid, and TRICARE.”[4]
U.S. District Court’s Dismissal with Prejudice
The federal government, as well as 29 states and the District of Columbia, among other parties, declined to intervene in the lawsuit. After granting the relator multiple opportunities to amend his complaint to plead factual allegations with sufficient particularity required by Rule 9(b), the district court held that the relator still failed to adequately plead the existence of a kickback scheme. Because the relator’s FCA claim was based on violations of the AKS, the district court dismissed the relator’s Third Amended Complaint with prejudice and did not address whether the relator sufficiently pled the remaining elements of his FCA claim. 
Second Circuit’s Adoption of “At Least One Purpose” Rule
On appeal, the Second Circuit adopted the “at least one purpose” rule and found that, to survive dismissal, the relator “needed only to allege that at least one purpose of the remuneration was to induce prescriptions, without alleging a cause-and-effect relationship (a quid pro quo) between the payments and the physicians’ prescribing habits.”[5] Applying this standard, the Second Circuit concluded that the relator adequately pleaded an AKS violation with respect to the following three categories of allegations: (1) holding “sham” speaker events with no legitimate attendees, (2) excessively compensating physician speakers for canceled events, and (3) deliberately selecting and retaining certain speakers to induce a higher volume of prescriptions of Gilenya.
Specifically, the Second Circuit found that the relator’s “illustrative examples” of physician-speakers presenting solely to other Novartis speakers or to members of their own practice over lavish restaurant meals supported a strong inference that at least one purpose of the speaker program was to provide kickbacks to prescribers. The panel also found that the relator’s allegations regarding the compensation paid to physician speakers for canceled events ($20,000 to $22,500 to each speaker) over a two-year period, in comparison to the dollar value of the allegedly fraudulent claims submitted to the government for reimbursement (between $1 and $1.7 million) during that same period, gave rise “to a strong inference that the payments constituted, at least in part, unlawful remuneration.”[6] Likewise, the relator’s inclusion of testimony from two Novartis sales representatives regarding the company’s alleged practice of offering speaking engagements to physicians to incentivize them to prescribe Gilenya suggested that these engagements were organized to induce providers to prescribe the drug.
The Second Circuit held that these allegations, accepted as true for purposes of the motion to dismiss, “plausibly and ‘strongly’ suggest Novartis operated its speaker program at least in part to remunerate certain physicians to prescribe Gilenya.”[7] Accordingly, the Second Circuit remanded the case to the district court to determine whether the relator sufficiently pleaded the remaining elements of his FCA claim and to weigh the adequacy of the claims under state and municipal law.
The Second Circuit affirmed, however, the district court’s conclusion that the relator “failed to link Novartis’s DVD initiative, ‘entertainment rooms,’ visual aids for billing codes, and one-on-one physician dinners with a strong inference that Novartis used these tools, at least in part, to induce higher prescription-writing,” with the caveat that another FCA claim predicated on an AKS violation may in fact survive dismissal if similar facts were pleaded with greater particularity.[8]
Practical Takeaways

This case highlights the importance of drug manufacturers and other regulated entities’ duty to implement robust and ongoing health care compliance programs in order to continuously and thoroughly evaluate enforcement and whistleblower risk relative to marketing and other business activities.
This decision’s adoption of the “at least one purpose” rule lowers the bar for relators in the Second Circuit to plead FCA violations premised on noncompliance with the AKS. Indeed, the Second Circuit rejected arguments that remuneration is unlawful under the AKS only if the “sole purpose” or “primary purpose” of the payment is to induce health care purchases. As eight circuits across the country have now held, allegations involving a single improper purpose can allow a case to survive dismissal. In these circuits, a relator merely needs to allege that at least one purpose of the remuneration was to induce the purchase of federally reimbursable health care products or services.
The heightened Rule 9(b) pleading standard fully applies in FCA cases premised on AKS violations. While the “at least one purpose” rule broadens liability, the district court and Second Circuit made clear that FCA allegations will be scrutinized to ensure they comport with the heightened Rule 9(b) pleading requirements.

Epstein Becker Green Attorney Ann W. Parks contributed to the preparation of this post.
ENDNOTES
[1] 2024 WL 5230128 (2d Cir. Dec. 27, 2024).
[2] 42 U.S.C. § 1320a-7b(g).
[3] Id. at § 1320a-7b.
[4] Camburn, 2024 WL 5230128, at *2.
[5] Id. at *4.
[6] Id. at *6. 
[7] Id. at *6 (cleaned up) (quoting Hart, 96 F.4th 145, 153 (2d Cir. 2024)).
[8] Id. at *19.

Federal Government Urges Court of Appeals to Uphold Constitutionality of FCA Qui Tam Provisions

Headlines that Matter for Companies and Executives in Regulated Industries

Federal Government Urges Court of Appeals to Uphold Constitutionality of FCA Qui Tam Provisions
In a brief filed earlier this week, the US federal government has urged the Eleventh Circuit Court of Appeals to uphold the constitutionality of the False Claims Act’s (FCA) qui tam provisions, challenging a Florida district court’s ruling that found them to be unconstitutional.
The appeal stems from an underlying case with relator Clarissa Zafirov, who filed a qui tam action in 2019 against several health care entities, accusing them of misrepresenting patient conditions to Medicare. While the government initially declined to intervene, it later elected to defend the constitutionality of the FCA’s provisions.
At the district court level, the court found that whistleblowers are officers of the United States and must be appointed according to the appointments clause, leading to the dismissal of Zafirov’s suit. Per the government’s appellate brief, the district court decision is an “outlier ruling” that contradicts US Supreme Court precedent. The government specifically pointed to the decision in Vermont Agency of Natural Resources v. United States ex rel. Stevens, 529 US 765 (2000), in which the Supreme Court held that the FCA’s qui tam provisions are consistent with Article III and argued that this makes clear that relators do not exercise executive power when they sue under the Act. Instead, relators are “pursuing a private interest in the money they will obtain if their suit prevails.” As such, they do not exercise executive power and do not require appointment under the appointments clause.
The government further emphasized that qui tam actions are subject to government oversight and cannot proceed without the government’s decision on intervention. Accordingly, the federal government now seeks to reverse the district court’s decision and has urged the Eleventh Circuit Court of Appeals to maintain the established legal framework supporting whistleblower actions under the FCA.
The case is Clarissa Zafirov v. Florida Medical Associates LLC et al., Nos. 24-13581 and 24-13583, in the US Court of Appeals for the Eleventh Circuit. The government’s appellate brief is available here.

Community Health Network Reaches Third FCA Settlement in 10 Years, Agreeing to Pay $135 Million to Resolve Outstanding Claims
In a deal reached two years after the Indiana health care system agreed to pay $345 million to settle FCA allegations with the federal government, Community Health Network has now agreed to pay $135 million to resolve federal health care fraud claims brought by its former chief financial officer.
Over 10 years ago, in 2014, Community Health CFO and COO Thomas Fischer filed a lawsuit under the FCA’s qui tam provisions, alleging that Community Health overpaid physicians to secure referrals in violation of state and federal laws, including the federal Stark Law and Anti-Kickback Statute (AKS). Per the complaint, Community Health utilized an “aggressive strategy” to grow its physician network and garner referrals, including the recruitment of doctors by providing payment in excess of the market rate through large base salaries and sizable bonuses, among other means.
The US Department of Justice (DOJ) elected to intervene in the case. The $345 million settlement addressed some of Fischer’s claims, leaving others unresolved. In 2020, the district court allowed Fischer to file an amended complaint that asserted additional FCA claims separate from those pursued by the government. This latest settlement with Community Health resolves those remaining claims. Among other things, the deal resolves claims that (1) Community Health paid above fair-market value rent to a physician-owned real estate partnership to induce those doctors to refer patients to a Community Health-owned ambulatory surgical center in violation of the AKS, and (2) Community Health overpaid physicians employed by the organization and also by an independent oncology group that contracted exclusively with the health nonprofit.
Notably, Community Health additionally reached a $20.3 million settlement with the DOJ in 2015 to resolve civil allegations that the health nonprofit submitted false claims to Medicare and Medicaid programs. All told, Community Health has now paid more than half a billion dollars to resolve three FCA matters over the past 10 years. Nonetheless, Community Health has emphasized that all claims were resolved with no finding of wrongdoing, and the issues were unrelated to the quality or appropriateness of the health care provided by Community Health to its patients.
The case is US and State of Indiana ex rel Fischer v. Community Health Network, Inc., et al., Case No. 1:14-cv-1215, in the US District Court for the Southern District of Indiana.
The DOJ’s press release on the 2015 $20.3 million settlement is available here. The DOJ’s press release on the 2023 $345 million settlement is available here.

Athira Pharma Inc. Agrees to Pay Over $4 Million to Settle FCA Allegations
Athira Pharma Inc., based in Bothell, Washington, has agreed to pay $4,068,698 to settle allegations that it violated the FCA.
Per the DOJ, this settlement will resolve allegations that, between January 1, 2016, and June 20, 2021, Athira failed to report allegations of research misconduct regarding grant applications and grant award progress reports and assurances to both the National Institutes of Health (NIH) and the US Department of Health and Human Services (HHS) Office of Research Integrity. The alleged misconduct included that Athira’s former CEO, Leen Kawas, falsified and manipulated scientific images in her doctoral dissertation and in published research papers that were referenced in several grant applications submitted to NIH, including in a grant that NIH funded in 2019. 
Notably, Athira immediately notified NIH of the research misconduct after the full board of directors learned of it. Underscoring the significance of cooperation credit, the DOJ noted specifically that “the company’s transparency significantly helped Athira mitigate its damages and demonstrated its resolve towards coming into compliance with the relevant law and regulations.” 
The settlement additionally resolves claims brought under the FCA’s qui tam provisions, with whistleblower Andrew P. Mallon, Ph.D., receiving $203,434.
The DOJ’s press release is available here.

Iron Man 2 Actor Sentenced for COVID-19 Scam
Earlier this week, Keith Lawrence Middlebrook, a bodybuilder and actor known for his role in Iron Man 2, was sentenced to over eight years in prison for attempting to defraud investors by falsely claiming he had discovered a cure for COVID-19 and that National Basketball Association legend Magic Johnson was a major investor.
Middlebrook was arrested in March 2020, becoming the first person in the United States charged with a COVID-19-related scam. The case included recorded calls with an undercover FBI agent where Middlebrook claimed his treatments could generate significant profits. Middlebrook’s scheme involved promoting fake COVID-19 treatments and soliciting investments through social media and other channels, falsely claiming Johnson’s involvement to lend credibility.
The recent sentencing follows a guilty verdict on all 11 counts of wire fraud faced by Middlebrook, rendered by a 12-person jury after a three-day trial. During sentencing, and among other things, Middlebrook denied any wrongdoing and claimed to have a relationship with Johnson, who testified that he did not recall meeting Middlebrook. While video evidence showed Middlebrook and Johnson at the same event, the court was unmoved by the defense counsel’s suggestion at trial that Johnson gave false testimony. Specifically, the court noted that it was “inconceivable” that Johnson would have forgotten some of the lengthy interactions that Middlebrook had alleged occurred between them.
In the end, the court’s sentence of 98 months aligned with the sentence sought by the prosecutors.
The case is USA v. Keith Middlebrook, No. 2:20-cr-00229, in the US District Court for the Central District of California. 

AI Versus MFA

Ask any chief information security officer (CISO), cyber underwriter or risk manager, or cybersecurity attorney which controls are critical for protecting an organization’s information systems, and you’ll likely find multifactor authentication (MFA) at or near the top of every list. Government agencies responsible for helping to protect the U.S. and its information systems and assets (e.g., CISA, FBI, Secret Service) send the same message. But that message may be evolving a bit as criminal threat actors have started to exploit weaknesses in MFA.
According to a recent report in Forbes, for example, threat actors are harnessing AI to break through multifactor authentication strategies designed to prevent new account fraud. “Know Your Customer” procedures are critical in certain industries, such as financial services and telecommunications, for validating the identity of customers. Employers increasingly face similar issues with recruiting employees, when they find, after making the hiring decision, that the person doing the work may not be the person interviewed for the position.
Threat actors have leveraged a new AI deepfake tool that can be acquired on the dark web to bypass the biometric systems that have been used to stop new account fraud. According to the Forbes article, the process goes something like this:
“1. Bad actors use one of the many generative AI websites to create and download a fake image of a person.
2. Next, they use the tool to synthesize a fake passport or a government-issued ID by inserting the fake photograph…
3. Malicious actors then generate a deepfake video (using the same photo) where the synthetic identity pans their head from left to right. This movement is specifically designed to match the requirements of facial recognition systems. If you pay close attention, you can certainly spot some defects. However, these are likely ignored by facial recognition because videos are prone to have distortions due to internet latency issues, buffering or just poor video conditions.
4. Threat actors then initiate a new account fraud attack where they connect a cryptocurrency exchange and proceed to upload the forged document. The account verification system then asks to perform facial recognition where the tool enables attackers to connect the video to the camera’s input.
5. Following these steps, the verification process is completed, and the attackers are notified that their account has been verified.”
Sophisticated AI tools are not the only MFA vulnerability. In December 2024, the Cybersecurity & Infrastructure Security Agency (CISA) issued best practices for mobile communications. Among its recommendations, CISA advised mobile phone users, in particular highly targeted individuals:
“Do not use SMS as a second factor for authentication. SMS messages are not encrypted—a threat actor with access to a telecommunication provider’s network who intercepts these messages can read them. SMS MFA is not phishing-resistant and is therefore not strong authentication for accounts of highly targeted individuals.”
In its 2023 Internet Crime Report, the FBI reported more than 1,000 “SIM swapping” investigations. A SIM swap is just another technique by threat actors involving the “use of unsophisticated social engineering techniques against mobile service providers to transfer a victim’s phone service to a mobile device in the criminal’s possession.”
In December, Infosecurity Magazine reported on another vulnerability in MFA. In fact, there are many reports about various vulnerabilities with MFA.
Are we recommending against the use of MFA? Certainly not. Our point is simply to offer a reminder that there are no silver bullets to achieving security of information systems and that AI is not only used by the good guys. An information security program, preferably one that is written (a WISP), requires continuous vigilance, and not just from the IT department, as new technologies are leveraged to bypass older technologies.