Settlement of FinCEN Action Against Former AML Chief Compliance Officer Serves as Possible Bellwether of Future Cases
This post discusses individual liability in AML/BSA enforcement, which is an area of increasing attention. Indeed, according to public statements by the government, individual liability is the focus of enhanced scrutiny across the enforcement table.
Although the raw number of enforcement actions against individuals in the AML/BSA realm (or even in the broader realm of general financial crime) has not climbed dramatically, even a few enforcement actions can have a profound effect on an industry – and that appears to be occurring in the AML realm. We begin our discussion here with a recent settlement of a high-profile enforcement action against a former AML compliance officer, and how it highlights potential individual liability. Ironically, special scrutiny can apply to the very people specifically tasked with maximizing compliance at a corporation, and such scrutiny can end up pitting them against a company’s management and board.
The Haider Settlement
As has been widely reported, Thomas E. Haider, the former Chief Compliance Officer (“CCO”) of MoneyGram International, recently agreed to pay a $250,000 penalty and accepted a three year injunction barring him from any compliance employment for any money transmitter in order to settle claims regarding alleged violations of the BSA brought by FinCEN and the U.S. Attorney’s Office for the Southern District of New York. Although the injunction is for three years, this result presumably spells the real-world end of Mr. Haider’s career as an AML professional, to the extent that the mere fact of being charged did not already spell that result.
According to the press release issued by FinCEN, Haider admitted as part of the settlement to (1) failing to terminate certain outlets after receiving information from the company’s fraud department which indicated that those outlets were complicit in consumer fraud schemes; (2) failing to implement a policy for terminating outlets that posed a high risk of fraud; and (3) structuring an AML program that aggregated the analysis of agents and outlets, so that consumer fraud reports were not generally provided to the analysts responsible for filing suspicious activity reports (“SARs”) with FinCEN.
This settlement resulted from a suit filed by the Department of Justice (“DOJ”) seeking to enforce a $1 million civil penalty issued by FinCEN in 2014 against Haider for allegedly failing to ensure that the company abided by AML requirements, and seeking to enjoin Haider from further employment in any “financial institution,” as defined under the BSA. In 2012, the company had entered a deferred prosecution agreement with the DOJ to settle charges that it willfully had failed to implement an effective AML program and forfeited $100 million.
The Basis of Individual Liability for AML Program Failures
The settlement also arrived after the government obtained a favorable court ruling which endorsed its theory of individual liability for an insufficient AML program. Specifically, Haider had challenged FinCEN’s assessment under 31 U.S.C. § 5318(h), the BSA provision which creates the requirement for AML programs by providing that, “[i]n order to guard against money laundering through financial institutions, each financial institution shall establish anti-money laundering programs[.]” Haider had argued that the government’s claim should be dismissed because this provision applies only to financial institutions and not to individuals. However, in January 2016, the court overseeing the action ruled that Section 5318(h) did apply to corporate officers and employees like Haider, who was responsible for designing and overseeing the company’s AML program. The court also noted in passing that the government was alleging that the $1 million penalty which it was seeking was “substantially less” than what it could seek, because the alleged AML violations carried a potential penalty of $25,000 per day; therefore – according to FinCEN – Haider faced a total penalty of $4.75 million for AML violations alone. Thus, the BSA’s combination of individual legal liability for an institutional failure and escalating monetary penalties – not to mention potential criminal liability – presents a formidable risk to in-house AML professionals (and to corporate officers in general at financial institutions).
The general interest in individual accountability has expanded steadily since the DOJ issued its principles of prosecution regarding individual accountability through the so-called “Yates Memo” in September 2015, which in effect increased the pressure on all companies to cooperate against their own employees. The Yates Memo stated that “[o]ne of the most effective ways to combat corporate misconduct is by seeking accountability from the individuals who perpetrated the wrongdoing.” The Acting FinCEN Director echoed this sentiment in a statement following the Haider settlement by stressing the importance of pursuing individuals in order to “effectively fight money laundering, fraud and terrorist financing.” Highlighting the fact that Haider had drawn special scrutiny as a result of his position, the Acting FinCEN Director further stated that “[c]ompliance professionals occupy unique positions of trust in our financial system. When that trust is broken, it is important that we take action so that the reputations of thousands of talented compliance officers are not diminished by any one individual’s outlying egregious actions.”
Other Individual AML Enforcement Actions
The enforcement action against Haider is the largest public civil AML enforcement action against an individual to date, and it is certainly the most well-known. However, it was not the first such action. In June 2015, FinCEN assessed a $60,000 penalty against a food mart which also operated as a money services business in Los Angeles and its individual owner, who doubled as the designated AML compliance officer for the business. Similarly, in March 2016, FinCEN assessed a $10,000 penalty against a similar business and its owner/designated compliance officer in Lexington, Kentucky. However, and aside from the lower monetary amounts, these prior two actions were unlike the Haider case because they focused on the owners of small businesses – i.e., the practical lines between the individuals and the businesses were very thin to non-existent – not on a true AML professional working within a large corporation.
Further, it is not just FinCEN bringing AML-related enforcement actions against individuals. For example, in January 2017, the SEC instituted administrative and cease and desist proceedings against a New York based broker-dealer and its chief compliance and AML officer for alleged violations of the BSA and securities law. The order alleges that AML officer was personally responsible for monitoring customer transactions for suspicious activity and ensuring the firm’s compliance with SAR reporting requirements. Despite having an AML program, the AML officer and company allegedly failed to file SARs for dozens of potentially illegal stock sale transactions by its customers, for a total allegedly exceeding $24.8 million in proceeds. Other agencies which have pursued AML violations against individuals include the FDIC, in December 2016, and FINRA, in February 2014. Doubtlessly, there are more actions to come, particularly now that the government can point to its apparent success in the Haider case.
One enforcement agency which has not yet instituted a public AML enforcement action against an individual is the New York Department of Financial Services (“NYDFS”). Presumably, however, such action is just a matter of time, particularly because as we previously have blogged the NYDFS has issued a new regulation setting forth rigorous standards for monitoring and filtering programs for potential AML violations, and which requires an annual certification of compliance by an individual: each regulated institution must submit to NYDFS by April 15 of each year either a “Senior Officer Compliance Finding” or a resolution of its “Board of Directors” to certify compliance with the regulation. Specifically, the resolution or finding must state that the Senior Officer or Board of Directors has reviewed documents, reports, certifications, and opinions of officers, employees, outside vendors, and other parties as necessary to adopt the resolution or compliance finding. This requirement is currently unique in the AML space, and resembles individual executive attestations required under Sarbanes-Oxley.
Finally, it is not just the government that may file suit – private plaintiffs are now looking to AML failures as a vehicle to pursue corporate officers as well as companies. As we previously have blogged, a shareholder derivative suit against Western Union based on alleged AML/BSA failures also names as individual defendants the CEO and two former CFOs, who allegedly acted as controlling persons of Western Union and, by reason of their positions in the company, allegedly had the power and authority to cause the company to engage in the alleged wrongful conduct.
Individual vs. the Institution?
Drawing lessons from the above enforcement actions, circumstances that may increase the chances of an enforcement action against an individual are quite similar to the circumstances that can increase the chances of enforcement against a company:
AML program failures involve systemic breakdowns
Issues continued unabated for substantial periods of time
Red flags are consistently ignored
The facts demonstrate significant customer harm
Access to the financial institution is allowed to those engaged in criminal activity
Conversely, individual AML compliance officers can take certain steps which may reduce risk:
Ensuring that the AML program is properly tailored and implemented
Assessing the institution’s culture of compliance, which starts at the top
Ensuring effective training
Not allowing situations to become overwhelming for the individuals involved
Documenting situations, and escalating matters up through the leadership chain when appropriate
Raising internal awareness of the external regulatory environment
Maintaining good communications with regulators.
Nonetheless, the reality is that the increasing focus on individual accountability in the enforcement of AML violations highlights the broader issue of the tension between individual employees and the management or boards of companies. For example, the NYDFS certification noted above may create practical tensions between an institution’s board and its compliance department, because one or the other must submit the required form. Someone has to fill out the form, and questions may arise within the corporate hierarchy over who may rely reasonably on who, followed by finger-pointing within the organization if problems subsequently develop.
Thus, the focus on individuals can create potential “Catch 22” scenarios, given an institution’s need to identify potential red flags. On the one hand, acquiring actual knowledge of compliance failures, followed by inaction by the individual or the institution itself, can lead to individual (and corporate) liability. On the other hand, willful ignorance or avoidance of compliance failures also can lead to liability. How much diligence in any given situation is enough? Once a potential problem is identified, how much attention – and at what level – must be paid to it?
Skittish compliance officers may become overly defensive in their reporting of potential issues, or even may turn into whistleblowers – appropriately or not – against the institution. Conversely, if top management or the board is resistant to addressing a systemic problem, then compliance officers may become scapegoats – or at least may feel like they are being made into scapegoats – for what is really an institutional problem. Ultimately, one practical outcome of an increased focus on individual liability may be, ironically, an increased difficulty for institutions in hiring and retaining good AML compliance professionals.