On May 4, 2017, the US Attorney’s Office for the Southern District of New York (SDNY) and the Financial Crimes Enforcement Network (FinCEN) announced the settlement of civil claims brought under the Bank Secrecy Act (BSA) against the former Chief Compliance Officer of MoneyGram International, Inc. (MoneyGram), Thomas Haider, stemming from MoneyGram’s failure to implement and maintain an effective anti-money laundering (AML) program or to timely file suspicious activity reports (SARs).[1] The settlement represented the resolution of the first-ever suit filed by the federal government against an individual compliance officer in the finance industry,[2] and is likely to add fuel to increasing anxiety regarding the Department of Justice’s (DOJ) willingness to hold corporate executives liable for compliance failings. 

MoneyGram operated a service that enabled individuals to electronically transfer money through independently-owned outlets belonging to MoneyGram’s network.[3] The case against Haider stemmed from a DOJ investigation into mass marketing and consumer fraud phishing schemes perpetrated or enabled by MoneyGram outlets.[4] Specifically, between 2003 and 2009, MoneyGram’s network was used in a fraud scheme through which vulnerable individuals were convinced to wire funds to the perpetrators.[5] In November 2012, MoneyGram entered a deferred prosecution agreement with the US Attorney’s Office for the Middle District of Pennsylvania in which MoneyGram admitted to a willful failure to implement an effective AML program to prevent these fraudulent transactions.[6]

On December 18, 2014, the SDNY and FinCEN brought suit against Haider stemming from these same violations.[7] The Complaint against Haider sought $1 million in statutory penalties due to Haider’s alleged failure to implement and maintain an effective AML program[8] and ensure the timely filing of SARs.[9] In January 2016, the District Court denied a motion by Haider seeking to dismiss the Complaint on numerous grounds, finding that, inter alia, individual officers may be held personally liable for failing to establish appropriate AML programs under the BSA.[10] Subsequently, on May 4, 2017, the SDNY and FinCEN announced a settlement pursuant to which Haider agreed to pay a civil penalty of $250,000, and to be barred for three years from performing a compliance function for any money transmitter.[11] Haider also admitted his responsibility for MoneyGram’s BSA violations, acknowledging that, inter alia: 

He had “direct supervisory authority” over MoneyGram’s Fraud and AML Compliance Departments.

He failed to implement a policy for terminating or disciplining outlets that presented a high risk of fraud despite having authority to do so and despite having been presented with a draft discipline policy.

He failed to terminate or discipline 49 MoneyGram outlets that had been identified to him as being involved in a disproportionate number of fraudulent transfers, even when termination had been specifically recommended by MoneyGram’s Director of Fraud.

He structured MoneyGram’s AML program such that information regarding MoneyGram’s outlets was not generally provided to analysts responsible for filing SARs. For this reason, numerous outlets were identified by MoneyGram’s Fraud Department as having accumulated a disproportionate number of reports of fraudulent activity, but no SARs were filed regarding those outlets.

The resolution of the case against Haider brings to the fore compliance officers’ fears that DOJ may hold them personally accountable for the failings of the corporate compliance programs they oversee. From the outset of the Haider case, compliance officers and practitioners have cautioned that DOJ’s attempt to impose individual liability against compliance officers could “send shock waves through the compliance profession[,] perhaps caus[ing] some top executives to rethink their decisions to do such work,”[12] and have warned that it might force corporations to alter the compensation and protections offered to such employees.[13] DOJ’s decision to aggressively litigate its case against Haider for over two years, and to extract a substantial penalty and admission of culpability, lends validity to these concerns.

The Haider resolution also lands squarely in the crosshairs of two key DOJ priorities: Increased scrutiny of individual misconduct in the corporate ranks, and intense focus on the efficacy of corporate compliance programs. After filing suit against Haider, DOJ adopted the Yates Memorandum, which mandates that both criminal and civil corporate investigations “focus on individual wrongdoing.”[14] Moreover, several high-ranking civil and criminal DOJ officials have recently made public statements emphasizing that DOJ considers individual liability for corporate failings a key component of the resolution of any investigation related to corporate wrongdoing.[15] In the compliance arena, DOJ’s Fraud Section created a new position dedicated to dissecting the compliance programs of corporations under investigation.[16] The Fraud Section’s most recent paper on evaluating corporate compliance programs shows that, among other factors, DOJ will probe the extent to which a corporation has empowered its compliance professionals to implement a robust program, including closely examining the extent to which top management has demonstrated a commitment to robust compliance, the autonomy and stature of the compliance function within the company, the effectiveness of compliance reporting mechanisms, and the adequacy of controls related to the compliance function.[17] Although many attorneys have speculated whether DOJ under the current administration will continue to prioritize individual accountability and compliance,[18] the pursuit of a large penalty against Haider suggests no major shift in the near term.

Nonetheless, it is far from clear that the Haider case represents a new era in which the DOJ will hold compliance officers criminally responsible for corporate compliance failures. The Haider case in many ways represents an extreme example of a compliance officer’s failure to perform his basic duties: As Haider admitted in the settlement agreement, he did not simply fail to design an adequate AML policy, but instead failed to take any remedial actions despite being presented with straightforward evidence regarding the substantial risk that numerous MoneyGram outlets were engaged in fraud.[19] Indeed, statements from FinCEN and the SDNY following the settlement indicate that the need for individual accountability in this particular case stemmed largely from Haider’s failures to take remedial action or to remedy MoneyGram’s problematic AML program “despite being presented with various ways to address clearly illicit use of the financial institution.”[20] These concerns were likely exacerbated by the central importance that compliance—and AML programs in particular—plays in the highly-regulated financial industry. 

It remains to be seen whether in less egregious cases—where, for example, a compliance program failed to prevent or detect misconduct but the compliance officer had no actual knowledge of misconduct, or where the regulatory scheme at issue imposed fewer obligations than the BSA—DOJ would similarly seek to hold compliance officers liable. The questions laid out in DOJ’s “Evaluation of Corporate Compliance Programs” implicitly recognize that, all too often, corporations do not give their compliance professionals the autonomy, resources, and business backing to implement effective controls. Instead, corporations may view compliance professionals as a cost center to tolerate and a barrier to revenue generation. They may view compliance as a topic owned by compliance professionals rather than a responsibility shared by all personnel. In such an environment, imposing personal liability on compliance officers may create significant disincentives for high quality, skilled professionals to take on the role. 

These disincentives may be particularly acute in the financial services industry, where corporations are subject to extensive regulatory schemes, more burdensome legal obligations, and where the possible points of risk—which could stem from any of the thousands of transactions that such entities are constantly engaged in—are essentially incalculable. Time will tell whether the threat of individual liability serves as a powerful incentive to improve oversight of corporate compliance programs, or simply deters much-needed, highly qualified individuals from taking on compliance roles in highly-regulated industries.