The second of a three-part series on the new landscape of anti-money laundering enforcement

In February 2014, the Financial Industry Regulation Authority (FINRA), the self-regulatory body for the U.S. securities industry, suspended a former global anti-money laundering compliance officer at Brown Brothers Harriman & Co. and assessed a record $8 million fine against the firm for its inadequate Bank Secrecy Act (BSA)/anti-money laundering (AML) program and lack of oversight related to suspicious penny stock transactions. The former compliance officer personally paid $25,000 under the settlement he and Brown Brothers Harriman entered with FINRA.

And in December 2014, the U.S. Attorney’s Office for the Southern District of New York filed a civil enforcement action against a former chief compliance officer for MoneyGram to enforce a $1 million penalty assessed by the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN). FinCEN based its assessment on the officer’s alleged role in compliance violations related to the use of MoneyGram’s services by perpetrators of fraudulent telemarketing and other schemes. The former officer’s attorneys stated, “FinCEN’s action today marks the first time, to our knowledge, that the government has filed suit to hold an individual compliance officer personally responsible for alleged anti-money laundering compliance failures of his employer.”

The laws subjecting compliance officers to individual liability are not new. Under the BSA, willful violations of the statute or its implementing regulations by an institution and any of its partners, directors, officers, or employees are punishable by a civil penalty of $25,000 (or the amount of the transaction at issue, up to $100,000) per day for each day the violation continues and at each office or location where it occurs or continues. These penalties have long been available against individuals as well as the institutions for which they work. However, until the last year, regulators had rarely sought such penalties against individual officers.

So what is different today? Given the changes in the enhanced regulatory landscape discussed in our article in January, it is no surprise that more cases against individual compliance officers are now being brought. Addressing the Senate Committee on Banking, Housing, and Urban Affairs in March 2013, Treasury Undersecretary David Cohen pledged that FinCEN would make greater use of its ability to impose penalties on individuals, noting that although “FinCEN has employed these tools only occasionally in the past, in the future FinCEN will look for more opportunities to impose these types of remedies in appropriate cases.”

The selection of high-profile former federal prosecutors to head financial regulatory agencies underscores the increased emphasis placed on robust enforcement. For example, the current chair of the Securities and Exchange Commission served as the U.S. Attorney for the Southern District of New York, and FinCEN’s director was chief of the Asset Forfeiture and Money Laundering Section at the U.S. Department of Justice. Whereas regulators may naturally tend to focus on institutions, former prosecutors are at ease with the concept of individual liability for institutional failings.

In this charged atmosphere, how does an individual compliance officer protect him or herself? Because compliance officers are generally at the mercy of strategic decisions and budgetary constraints imposed by high-level executives and boards of directors, they are much less likely to be left holding the bag if they can involve those at the top in the decision-making process. Compliance officers do their job, and thus insulate themselves from liability, by making sure the C-suite is well-aware and oft-reminded of what the rules require, as well as the risks and consequences of not adequately addressing an AML concern. FinCEN made the former MoneyGram compliance officer’s inaction when he knew of illicit activity the center of its allegations. When compliance officers lack authority to make the necessary decisions, their job is to educate those who have that authority, including on the elements of an effective compliance program.

And this is exactly what regulators are looking for. Regulators are convinced that a true culture of compliance can only be achieved with buy-in from the top. Whether it involves improving internal controls, allocating additional funds or hiring more compliance staff, serious deficiencies are rarely addressed without high-level involvement. Similarly, getting the business to manage its risk appetite — regardless of whether that risk relates to a product, a customer, or a service — can rarely be accomplished without senior management weighing in, imposing discipline and making decisions in the best interests of the entire organization. Such a process should be memorialized in written compliance plans, board resolutions and compliance committees made up of employees from various disciplines.

Lest one wonder if this is really the message being sent by regulators and prosecutors, witness the remarks of Thomas Curry, the Comptroller of the Currency, before the Association of Certified Anti-Money Laundering Specialists in March 2014: “There’s a reason why I’ve addressed our concerns to senior executives, including the chief executive officers, of the banks and thrifts we supervise. The fact is, when we look at the issues underlying BSA infractions, they can almost always be traced back to decisions and actions of the institution’s Board and senior management.” Those underlying issues, he explained, involve the organization’s culture of compliance, the strength of its information technology and monitoring process, the resources the organization has allocated to BSA compliance, and the quality of the organization’s risk management. “Those are all matters that require the attention of senior management, starting with the Chief Executive’s office.”

In short, although the heightened enforcement atmosphere means increased scrutiny, BSA/AML compliance officers have an opportunity and an incentive to redouble the involvement of senior management in every aspect of the institution’s compliance regime.

Republished with permission. This article first appeared in Inside Counsel on March 3, 2015.