The world’s largest money transmitter will pay nearly $600 million to U.S. authorities, the largest compliance-related penalty ever against a money services business, for enabling a range of frauds and financial crimes, failures in agent oversight, and not filing thousands of suspicious activity reports.

In the order, Englewood, Colorado-based Western Union will forfeit $586 million and enter into a deferred prosecution agreement (DPA) with the U.S. Department of Justice, the Federal Trade Commission (FTC) and U.S. Attorney’s offices in Pennsylvania, California and Florida on charges of wire fraud and having a criminally lax anti-money laundering (AML) program.

At its heart, the order centers around one the MSB sector’s most oft-criticized and weakest links, their far-flung networks of often diminutive agents. These are frequently one or two-person operations doing business on behalf of a larger remitter, and in many cases can be working for several remitters at one time, making paying attention to the obligations of any one a chore.

The order focuses on actions between 2004 and 2012, where Western Union violated U.S. AML laws and anti-fraud statutes by “processing hundreds of thousands of transactions for Western Union agents and others involved in an international consumer fraud scheme,” involving rogue agents and sub agents in and doing business with jurisdictions including Mexico, Latin America, the United Kingdom and China.

“Western Union, the largest money service business in the world, has admitted to a flawed corporate culture that failed to provide a checks and balances approach to combat criminal practices,” said U.S. Attorney Wifredo Ferrer of the Southern District of Florida, in a statement.

“Today’s historic agreement, involving the largest financial forfeiture by a money service business, makes it clear that all corporations and their agents will be held accountable for conduct that circumvents compliance programs designed to prevent criminal conduct,” he said.

The penalty is also another reminder – for any entity considered a financial institution, not just MSBs – that obligations to stop financial crime do not end at creating, staffing and filing suspicious activity reports (SARs) under explicit AML rules and guidance.

The clear message from this latest Western Union action, and prior actions involving competitor MoneyGram and other banks, is that the AML program must tacitly go further into the realm of fraud. This includes understanding when transactions give hints of, say, "Nigerian prince" and romance scams, and when it appears customers are being taken advantage of, a connection that could made at the teller level with proper training and classic and emerging red flags.

Enforcement action cites lack of 'compliance culture' as factor

The various actions – including a $184 million penalty issued by the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN), deemed satisfied by paying the FTC forfeiture – also detail the challenges of crafting an enterprise-wide, multi-jurisdictional compliance program that has adequate coverage, implementation and oversight no matter the distance from headquarters.

To that end, FinCEN cites a failure by Western Union to create a “culture of compliance” – a loudly buzzing buzzword in AML compliance circles because it has found its way into a bevy of enforcement actions in recent years and still has yet to be properly defined or given bright line parameters, something that could change in the aftermath of a penalty of this magnitude.

The DPA notes key gaps in the supervision and management of agents and subagents, including instances where Western Union's analytics spotlighted problem actors with months or years of issues, but nothing was done in response.

The orders also note a failure for agents to actually visit sub agents in risky regions and determine, in person, if they are following protocols or are potential puppets for the criminally inclined.

The documents even detail some humorous elements.

In one of the few cases Western Union firmly ousted a problem agent, the person came back a few months later and slid right in due to weak due diligence and background checks at the outset.

The failures to conduct adequate due diligence on these domestic and foreign agent locations included “not conducting adequate reviews (e.g., background checks and on-site reviews) of its higher-risk new agents, and not conducting enhanced due diligence on Latin American-based agent locations that were at higher risk for money laundering,” according to the orders.

In 2012, Western Union brings in the big (hired) guns

It’s no surprise the DPA puts a hard date of 2012 on the bulk of the compliance and agent oversight problems, as it’s around that time when Western Union hired several well-known compliance officers who significantly retooled the program domestically and internationally, said Jeff Sklar, managing director of SHC Consulting Group in Bellmore, NY.

“The AML program has made leaps and bounds” since 2012 and 2013, he said, adding that although one part of the government is chastising Western Union, other agencies, like the Department of Homeland Security, is lauding the company for its work to fight human trafficking. “There has been a revolution and evolution.”

The company has also highlighted its new technologies, data analytics and linkage powers in the fight against terror financing at industry conferences.

While at one time certain agents were “clearly bad players, the company has clearly remediated a lot of this,” Sklar said, adding that many large banks have had trouble spotting scams against the elderly and vulnerable where fraudsters are working in small dollar amounts across different victims in multiple states and countries. “You have to keep this in context.”

Agent oversight has been at the heart of some of the largest financial crime compliance-related penalties against remitter industry heavyweights MoneyGram and Western Union.

In February of 2016, MoneyGram paid $13 million to settle an investigation by U.S. states stemming from customer complaints that scam artists duped them into wiring funds via the money transfer service.

That action followed prior problems tied to fraud and AML. In 2012, MoneyGram was hit with a $100 million monetary penalty by the US Department of Justice for widespread failings in its AML and fraud programs.

The key issue related to agents actively scamming individuals in “secret shopper” and other frauds and the company not terminating them, even though they knew about the problems, because these were also highly profitable agent portals.

That bled over into 2014, when FinCEN levied a $1 million individual penalty against Thomas Haider, who oversaw MoneyGram’s AML and fraud prevention program during a six-year period in which the money transfer service processed thousands of transactions for agents involved in fraud schemes.

Western Union has also not been spared major penalties tied to AML programs and agent actions, prior to the record action Thursday.

The company paid $94 million in 2010 to settle charges by investigators in Arizona and other states that it, and its agents, were not doing enough to stop human traffickers and drug gangs in the Southwest Border.

The wording in the latest penalty documents also appears to leave the door open for individual prosecutions against Western Union staffers other than agents if investigators later find enough evidence, said an individual familiar with the matter, who asked not to be named.

Compliance officers at money transmitters can be “singled out for harsh treatment,” said the person, referencing the Haider case. “So we still could be waiting for the other shoe to drop.”

Recalcitrant agents given the powder puff treatment

For agent locations Western Union believed were possibly complicit in illicit activities, it had a range of punitive options, including “temporary suspension, training, compliance inspections, and termination,” according to the orders, but relied on them inconsistently and, “at times, allowed business interests to comment on appropriate corrective actions.”

The order specifically names Western Union Financial Services Inc., (WUFSI), a wholly owned subsidiary of The Western Union Company.

WUFSI offers consumer to consumer remittance services through the branded payment services of Western Union, Vigo, and Orlandi Valuta, which comprise a network of some 500,000 agent locations in roughly 200 countries and territories worldwide.

And prosecutors have been scrutinizing, and prosecuting, that network more aggressively over the past 15 years.

Since 2001, federal prosecutors, in conjunction with the U.S. Postal Inspection Service, have charged and convicted 26 Western Union Agents in the United States and Canada “who conspired with international fraudsters to defraud tens of thousands of U.S. residents via various forms of mass marketing schemes,” according to the agreement.

Part of the issue for Western Union has to do with an internal policy that persisted until 2012 – roughly the time when the remitter hired several AML compliance heavy hitters to engage in a massive remediation effort – that forbade in most cases the company from filing SARs on its own agents, even when those agents took more than three months to file reports on suspicious activity.

“Although WUFSI filed thousands of SARs on customers of its agent locations, it rarely filed SARs on its agent locations,” according to FinCEN. “WUFSI’s practice was not to identify agent locations as ‘subjects’ of SARs unless it found the agent location to be complicit.”

But the company typically only found an agent to be complicit if the person was “arrested, publicly identified to be implicated in illicit transactions, or if WUFSI’s own investigation determined that the agent location was complicit,” according to penalty documents, noting that delayed getting information that could have helped U.S. investigators in new and ongoing cases.

Rejected agents not dejected for long

But even complicit and rejected agents in some cases were not out in the cold for too long, due to poor due diligence practices.

WUFSI’s failures to conduct sufficient initial due diligence into certain agent locations resulted in providing “new agent” agreements to agents owned by individuals who had previously been terminated by WUFSI for money laundering concerns, according to the DPA.

In one example, in October 2011, with the assistance of law enforcement, Western Union identified that four commonly owned agent locations in Peru accounted for nearly half of the transactions related to consumer fraud reports in Peru.

After these agents processed transactions for another six months, Western Union “suspended these locations for this activity in April 2012," according to the orders.

Even so, "Despite these suspensions and WUFSI’s determination that the commonly-owned locations were high risk for fraud, WUFSI failed to identify these concerns when it allowed the common owner of these agents to open another location in December 2012,” according to documents.

But those dynamics are also changing, with Western union doubling down on finding and correcting issues large and small, according to investigators.

In addition to the hefty payments, Western Union has “also agreed to a number of remedial undertakings, including increased scrutiny and periodic reporting regarding agent SAR reporting and disclosure of corrective actions taken against agents,” according to FinCEN.

Western Union has also agreed to the appointment of an independent compliance auditor to ensure adequate due diligence is conducted on all prospective and existing Western Union agents, and that “necessary steps are taken to monitor and investigate agent activity.”

The Western Union agreement also had specific guidance on what it, and other federal and state regulators, want to seen when it comes to domestic and foreign agent oversight. FinCEN stated MSBs should, among other things, establish:

  • ·Procedures for conducting reasonable, risk-based due diligence on potential and existing foreign agents and counterparties to help ensure that such foreign agents and counterparties are not themselves complicit in illegal activity involving the MSB’s products and services, including reasonable procedures to evaluate, on an ongoing basis, the operations of those foreign agents and counterparties;
  • ·Procedures for risk-based monitoring and review of transactions from, to, or through the United States that are conducted through foreign agents and counterparties sufficient to enable the MSBs to identify and, where appropriate, report as suspicious such occurrences as instances of unusual wire activity; and
  • ·Procedures for responding to foreign agents or counterparties that present unreasonable risks of money laundering or the financing of terrorism, including procedures that provide for the implementation of corrective action on the part of the foreign agent or counterparty or for the termination of the relationship with any foreign agent or counterparty that an MSB determines poses an unacceptable risk of money laundering.

If those more minor corrective actions are taken on the front end, it could forestall more severe actions that result in heavy penalties, remediations that can double or triple compliance costs and nigh incalculable reputational costs, key lessons the broader financial industry would be wise to learn.

The actions detailed in the enforcement orders against Western Union “are serious and should be taken as cautionary by all financial institutions, not just money transmitters,” said Jorge Guerrero, chief executive officer of the Optima Compass Group, a compliance consultancy, adding that the need for a “marriage between AML and anti-fraud controls” was spelled out previously in the 2012 MoneyGram action.

“We should consider, however, that the practices alleged in the DPA took place between 2004 and 2012 and reflect practices that fortunately have evolved in the majority of the money transfer industry,” he said. “Because of better AML programs, information systems, improved AML controls, and greater awareness and sensitivity to the risks, those practices are not prevalent in the industry.”

Nevertheless, all financial institutions “should take this opportunity and do a self-assessment and mitigate any weaknesses in their agent activation, agent monitoring or agent termination program, as well their SAR filing procedures and anti-fraud controls,” Guerrero said.