Individual Accountability in AML Cases

by Ballard Spahr LLP

Settlement of FinCEN Action Against Former AML Chief Compliance Officer Serves as Possible Bellwether of Future Cases

This post discusses individual liability in AML/BSA enforcement, which is an area of increasing attention. Indeed, according to public statements by the government, individual liability is the focus of enhanced scrutiny across the enforcement table.

Although the raw number of enforcement actions against individuals in the AML/BSA realm (or even in the broader realm of general financial crime) has not climbed dramatically, even a few enforcement actions can have a profound effect on an industry – and that appears to be occurring in the AML realm. We begin our discussion here with a recent settlement of a high-profile enforcement action against a former AML compliance officer, and how it highlights potential individual liability.  Ironically, special scrutiny can apply to the very people specifically tasked with maximizing compliance at a corporation, and such scrutiny can end up pitting them against a company’s management and board.

The Haider Settlement

As has been widely reported, Thomas E. Haider, the former Chief Compliance Officer (“CCO”) of MoneyGram International, recently agreed to pay a $250,000 penalty and accepted a three year injunction barring him from any compliance employment for any money transmitter in order to settle claims regarding alleged violations of the BSA brought by FinCEN and the U.S. Attorney’s Office for the Southern District of New York. Although the injunction is for three years, this result presumably spells the real-world end of Mr. Haider’s career as an AML professional, to the extent that the mere fact of being charged did not already spell that result.

According to the press release issued by FinCEN, Haider admitted as part of the settlement to (1) failing to terminate certain outlets after receiving information from the company’s fraud department which indicated that those outlets were complicit in consumer fraud schemes; (2) failing to implement a policy for terminating outlets that posed a high risk of fraud; and (3) structuring an AML program that aggregated the analysis of agents and outlets, so that consumer fraud reports were not generally provided to the analysts responsible for filing suspicious activity reports (“SARs”) with FinCEN.

This settlement resulted from a suit filed by the Department of Justice (“DOJ”) seeking to enforce a $1 million civil penalty issued by FinCEN in 2014 against Haider for allegedly failing to ensure that the company abided by AML requirements, and seeking to enjoin Haider from further employment in any “financial institution,” as defined under the BSA. In 2012, the company had entered a deferred prosecution agreement with the DOJ to settle charges that it willfully had failed to implement an effective AML program and forfeited $100 million.

The Basis of Individual Liability for AML Program Failures

The settlement also arrived after the government obtained a favorable court ruling which endorsed its theory of individual liability for an insufficient AML program. Specifically, Haider had challenged FinCEN’s assessment under 31 U.S.C. § 5318(h), the BSA provision which creates the requirement for AML programs by providing that, “[i]n order to guard against money laundering through financial institutions, each financial institution shall establish anti-money laundering programs[.]” Haider had argued that the government’s claim should be dismissed because this provision applies only to financial institutions and not to individuals. However, in January 2016, the court overseeing the action ruled that Section 5318(h) did apply to corporate officers and employees like Haider, who was responsible for designing and overseeing the company’s AML program. The court also noted in passing that the government was alleging that the $1 million penalty which it was seeking was “substantially less” than what it could seek, because the alleged AML violations carried a potential penalty of $25,000 per day; therefore – according to FinCEN – Haider faced a total penalty of $4.75 million for AML violations alone. Thus, the BSA’s combination of individual legal liability for an institutional failure and escalating monetary penalties – not to mention potential criminal liability – presents a formidable risk to in-house AML professionals (and to corporate officers in general at financial institutions).

The general interest in individual accountability has expanded steadily since the DOJ issued its principles of prosecution regarding individual accountability through the so-called “Yates Memo” in September 2015, which in effect increased the pressure on all companies to cooperate against their own employees. The Yates Memo stated that “[o]ne of the most effective ways to combat corporate misconduct is by seeking accountability from the individuals who perpetrated the wrongdoing.” The Acting FinCEN Director echoed this sentiment in a statement following the Haider settlement by stressing the importance of pursuing individuals in order to “effectively fight money laundering, fraud and terrorist financing.” Highlighting the fact that Haider had drawn special scrutiny as a result of his position, the Acting FinCEN Director further stated that “[c]ompliance professionals occupy unique positions of trust in our financial system. When that trust is broken, it is important that we take action so that the reputations of thousands of talented compliance officers are not diminished by any one individual’s outlying egregious actions.”

Other Individual AML Enforcement Actions

The enforcement action against Haider is the largest public civil AML enforcement action against an individual to date, and it is certainly the most well-known. However, it was not the first such action. In June 2015, FinCEN assessed a $60,000 penalty against a food mart which also operated as a money services business in Los Angeles and its individual owner, who doubled as the designated AML compliance officer for the business. Similarly, in March 2016, FinCEN assessed a $10,000 penalty against a similar business and its owner/designated compliance officer in Lexington, Kentucky. However, and aside from the lower monetary amounts, these prior two actions were unlike the Haider case because they focused on the owners of small businesses – i.e., the practical lines between the individuals and the businesses were very thin to non-existent – not on a true AML professional working within a large corporation.

Further, it is not just FinCEN bringing AML-related enforcement actions against individuals. For example, in January 2017, the SEC instituted administrative and cease and desist proceedings against a New York based broker-dealer and its chief compliance and AML officer for alleged violations of the BSA and securities law. The order alleges that AML officer was personally responsible for monitoring customer transactions for suspicious activity and ensuring the firm’s compliance with SAR reporting requirements. Despite having an AML program, the AML officer and company allegedly failed to file SARs for dozens of potentially illegal stock sale transactions by its customers, for a total allegedly exceeding $24.8 million in proceeds. Other agencies which have pursued AML violations against individuals include the FDIC, in December 2016, and FINRA, in February 2014. Doubtlessly, there are more actions to come, particularly now that the government can point to its apparent success in the Haider case.

One enforcement agency which has not yet instituted a public AML enforcement action against an individual is the New York Department of Financial Services (“NYDFS”). Presumably, however, such action is just a matter of time, particularly because as we previously have blogged the NYDFS has issued a new regulation setting forth rigorous standards for monitoring and filtering programs for potential AML violations, and which requires an annual certification of compliance by an individual: each regulated institution must submit to NYDFS by April 15 of each year either a “Senior Officer Compliance Finding” or a resolution of its “Board of Directors” to certify compliance with the regulation. Specifically, the resolution or finding must state that the Senior Officer or Board of Directors has reviewed documents, reports, certifications, and opinions of officers, employees, outside vendors, and other parties as necessary to adopt the resolution or compliance finding. This requirement is currently unique in the AML space, and resembles individual executive attestations required under Sarbanes-Oxley.

Finally, it is not just the government that may file suit – private plaintiffs are now looking to AML failures as a vehicle to pursue corporate officers as well as companies. As we previously have blogged, a shareholder derivative suit against Western Union based on alleged AML/BSA failures also names as individual defendants the CEO and two former CFOs, who allegedly acted as controlling persons of Western Union and, by reason of their positions in the company, allegedly had the power and authority to cause the company to engage in the alleged wrongful conduct.

Individual vs. the Institution?

Drawing lessons from the above enforcement actions, circumstances that may increase the chances of an enforcement action against an individual are quite similar to the circumstances that can increase the chances of enforcement against a company:

  • AML program failures involve systemic breakdowns
  • Issues continued unabated for substantial periods of time
  • Red flags are consistently ignored
  • The facts demonstrate significant customer harm
  • Access to the financial institution is allowed to those engaged in criminal activity

Conversely, individual AML compliance officers can take certain steps which may reduce risk:

  • Ensuring that the AML program is properly tailored and implemented
  • Assessing the institution’s culture of compliance, which starts at the top
  • Ensuring effective training
  • Not allowing situations to become overwhelming for the individuals involved
  • Documenting situations, and escalating matters up through the leadership chain when appropriate
  • Raising internal awareness of the external regulatory environment
  • Maintaining good communications with regulators.

Nonetheless, the reality is that the increasing focus on individual accountability in the enforcement of AML violations highlights the broader issue of the tension between individual employees and the management or boards of companies. For example, the NYDFS certification noted above may create practical tensions between an institution’s board and its compliance department, because one or the other must submit the required form. Someone has to fill out the form, and questions may arise within the corporate hierarchy over who may rely reasonably on who, followed by finger-pointing within the organization if problems subsequently develop.

Thus, the focus on individuals can create potential “Catch 22” scenarios, given an institution’s need to identify potential red flags. On the one hand, acquiring actual knowledge of compliance failures, followed by inaction by the individual or the institution itself, can lead to individual (and corporate) liability. On the other hand, willful ignorance or avoidance of compliance failures also can lead to liability. How much diligence in any given situation is enough? Once a potential problem is identified, how much attention – and at what level – must be paid to it?

Skittish compliance officers may become overly defensive in their reporting of potential issues, or even may turn into whistleblowers – appropriately or not – against the institution. Conversely, if top management or the board is resistant to addressing a systemic problem, then compliance officers may become scapegoats – or at least may feel like they are being made into scapegoats – for what is really an institutional problem. Ultimately, one practical outcome of an increased focus on individual liability may be, ironically, an increased difficulty for institutions in hiring and retaining good AML compliance professionals.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising

Written by:

Ballard Spahr LLP

Ballard Spahr LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.