Vol. 49 No. 21
December 7, 2016
ANTI-MONEY LAUNDERING ENFORCEMENT: THE RISE OF INDIVIDUAL LIABILITY FOR COMPLIANCE PROFESSIONALS
Individual AML compliance officers appear to be increasingly threatened with liability for failure to detect and prevent wrongdoing at their financial institutions. After setting out the key elements of the current regime of AML regulation, the authors describe the current trend as it has emerged in public statements from regulators, recent AML enforcement actions, and regulatory developments. They conclude with program suggestions to reduce risk for compliance professionals and their employers.
By Sharon Cohen Levin, Elizabeth J. Hogan, and Tamar Kaplan-Marans *
"Another core principle of any strong enforcement program is to pursue responsible individuals wherever possible . . . . Companies, after all, act through their people."1
A notable response to the financial crisis has been the call for individual accountability for corporate bad acts. In her speech quoted above, U.S. Securities and Exchange Commission ("SEC") Chair Mary Jo White comments that "[r]edress for wrongdoing must never be
1 Mary Jo White, SEC Chair, Deploying the Full Enforcement Arsenal, Speech at Council of Institutional Investors Fall Conference in Chicago, IL (Sept. 26, 2013), available at http://www.sec.gov/News/Speech/Detail/Speech/ 1370539841202.
seen as `a cost of doing business' made good by cutting a corporate check. Individuals tempted to commit wrongdoing must understand that they risk it all if they do not play by the rules. When people fear for their own reputations, careers, or pocketbooks, they tend to stay in line." But contrary to the direct misconduct described by Chair White, in the anti-money laundering ("AML") context, we see a shift toward more actions against compliance officers for what are essentially supervisory or program failures. Increasingly, individual AML compliance officers are being threatened with liability for failure to detect or prevent wrongdoing because of poor management, oversight, or program gaps. In these AML enforcement actions, the compliance officers typically have little to no involvement in the underlying illegal activity, and do not receive any financial benefit from the misconduct. Nevertheless, regulators have
SHARON COHEN LEVIN is a partner in WilmerHale's Regulatory and Government Affairs Department; ELIZABETH J. HOGAN is a counsel in the firm's Securities Litigation and Enforcement Department; and TAMAR KAPLAN-MARANS is a senior associate in the firm's Litigation/Controversy Department. Their e-mail addresses are email@example.com; firstname.lastname@example.org; and email@example.com.
December 7, 2016
RSCR Publications LLC Published 22 times a year by RSCR Publications LLC. Executive and Editorial Offices, 2628 Broadway, Suite
29A, New York, NY 10025-5055. Subscription rates: $1,197 per year in U.S., Canada, and Mexico; $1,262 elsewhere (air mail delivered). A 15% discount is available for qualified academic libraries and full-time teachers. For subscription information and customer service call (937) 387-0473 or visit our website at www.rscrpubs.com. General Editor: Michael O. Finkelstein; tel. 212-876-1715; e-mail firstname.lastname@example.org. Associate Editor: Sarah Strauss Himmelfarb; tel. 301-294-6233; e-mail email@example.com. To submit a manuscript for publication contact Ms. Himmelfarb. Copyright 2016 by RSCR Publications LLC. ISSN: 0884-2426. All rights reserved. Reproduction in whole or in part prohibited except by permission. For permission, contact Copyright Clearance Center at www.copyright.com. The Review of Securities & Commodities Regulation does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions, or for the results obtained from the use of such information.
imposed fines against these individuals and suspended them from their industries. This regulatory trend of holding compliance officers liable in this context raises significant concerns, not only for compliance professionals, but also for financial institutions and their ability to secure competent talent and maintain adequate compliance programs. The question is, therefore, whether the movement toward personal liability against compliance officers and other corporate employees is well-placed in the context of AML enforcement. In this article, we address recent AML enforcement actions and regulatory developments that relate to individual liability, and provide some suggestions for best practices for both compliance officers and financial institutions to mitigate risks they might face on the AML front.
I. AML REGULATION: THE CURRENT REGIME
The Bank Secrecy Act ("BSA") governs AML compliance and requires financial institutions to have policies and procedures in place to counter money laundering and to report suspicious activity to the government.2 Under the BSA and its implementing regulations, the key elements to an effective and satisfactory AML compliance program are:
1. develop and maintain internal policies and procedures to ensure compliance with the BSA;
2. designate a BSA officer;
3. conduct relevant and ongoing compliance training for employees;
4. conduct independent testing of the firm's AML program; and
5. implement appropriate risk-based procedures for conducting ongoing customer due diligence.3
2 31 U.S.C. 5311 et seq., and its implementing regulations at 31 C.F.R. Chapter X (formerly 31 C.F.R. Part 103).
3 See, e.g., 31 C.F.R. 1020.210 (AML Program Rule for Banks). The last "pillar," also known as the Customer Due Diligence ("CDD") Rule, is FinCEN's recent addition to the AML rules
These requirements, often referred to as the "Five Pillars," are intended to be risk-based, and regulators have stressed that there is no one-size-fits-all approach to AML.
Multiple federal and state regulatory agencies and self-regulatory organizations enforce the principles of the BSA, whose reach extends beyond traditional banks: broker-dealers, futures commission merchants, casinos, money services businesses, insurance companies, and mutual funds are among the financial institutions subject to these regulations.4 Foremost is the Financial Crimes Enforcement Network ("FinCEN"), a bureau of the U.S. Treasury Department, which administers the BSA and promulgates regulations that set forth how financial institutions must comply with the statute. FinCEN has broad authority to bring enforcement actions and to seek civil money penalties for an individual's "willful" violation of the BSA, which it has long interpreted to include "reckless disregard or willful blindness."5 There can be criminal as well as
footnote continued from previous column...
and was finalized on May 11, 2016. See Customer Due Diligence Requirements for Financial Institutions, 81 Fed. Reg. 29,398, 29,451 (May 11, 2016) (to be codified at 31 C.F.R. pts. 1010, 1020, 1023, 1024, 1026). The CDD Rule requires certain financial institutions to "look through" the nominal account holder to identify the account's beneficial owners who own or control (directly or indirectly) certain legal entity customers. The CDD Rule is a key part of the Obama administration's array of announced steps to combat money laundering, terrorist financing, and tax evasion on the heels of the "Panama Papers," which aroused a good deal of public uproar over the purported use of offshore shell companies to hide personal financial information for illegal purposes.
4 31 C.F.R. 1010.100(t). Although investment advisers (including hedge funds and other money managers) are not currently subject to AML regulation, FinCEN issued a new proposed rule last year that would require certain investment advisers to implement AML programs and to file suspicious activity reports under the BSA. 80 Fed. Reg. 52680 (Sept. 1, 2015).
5 In re B.A.K. Precious Metals, Inc., FinCEN No. 2015-12 (Dec. 30, 2015) at 3 n. 6. ("In civil enforcement of the Bank Secrecy Act , to establish that a financial institution or
December 7, 2016
civil penalties for money laundering and AML compliance failures, but neither FinCEN nor the U.S. Department of Justice ("DOJ") has brought criminal charges against a compliance officer for violation of the BSA.6
In addition to FinCEN and the DOJ, the SEC, Financial Industry Regulatory Authority ("FINRA"), U.S. Commodity Futures Trading Commission, National Futures Association, Internal Revenue Service, and all of the federal banking regulators have varying enforcement authority in the AML compliance space. With respect to broker-dealers, the SEC has authority to enforce Section 17(a) of the Exchange Act, and Rule 17a-8 thereunder, which requires broker-dealers to comply with the reporting and recordkeeping requirements of the BSA.7 Because Rule 17a-8 does not impose on broker-dealers an obligation to establish and maintain an AML program, the SEC has focused its enforcement efforts on customer identification and suspicious activity reporting rather than AML program deficiencies. In contrast, FINRA has an expansive authority pursuant to FINRA Rule 3310, which requires member firms to maintain an AML program.8 Under Rule 3310, FINRA can broadly
footnote continued from previous page...
individual acted willfully, the government need only show that the financial institution or individual acted with either reckless disregard or willful blindness. The government need not show that the entity or individual had knowledge that the conduct violated the Bank Secrecy Act, or that the entity or individual otherwise acted with an improper motive or bad purpose."). Because the BSA authorizes only low penalties ($500 to $50,000) for negligent violations, FinCEN almost always charges under the willfulness provision. 31 U.S.C. 5321(a)(6).
6 See, e.g., 18 U.S.C. 981-82; 31 U.S.C. 5321-22.
7 15 U.S.C. 78q(a); 17 C.F.R. 240.17a-8.
8 Under FINRA Rule 3310, an AML program must, at a minimum:
(1) establish and implement policies and procedures that can be reasonably expected to detect and cause the reporting of transactions...;
(2) establish and implement policies, procedures, and internal controls reasonably designed to achieve compliance with the Bank Secrecy Act and the implementing regulations ...;
(3) provide for annual  independent testing for compliance...;
(4) designate and identify  an individual ...responsible for implementing and monitoring the day-to-day operations and internal controls of the program.
allege program violations, including failure to have policies and procedures to report suspicious activity. While there is no strict liability for AML failures, regulators have become increasingly aggressive in this space, leaving financial institutions -- and the individuals who work there -- at risk.
II. HOW DID WE GET HERE AND WHERE IS THIS GOING?
The demand for personal responsibility for corporate acts has become common in today's current regulatory environment. In the AML field, the call for individual accountability is repeatedly echoed in public statements by agency heads, and is reflected in recent enforcement actions, as well as regulatory developments.
A. Public statements from regulators.
In direct response to the criticism from Congress, the media, consumer advocates, and even the judiciary,9 that no top Wall Street executives were imprisoned after the 2008 crisis, several federal agencies publicly committed to the pursuit of individual liability. For example, in early 2014, speaking at the Florida International Bankers Association Anti-Money Laundering Conference, FinCEN's then-director Jennifer Shasky Calvery emphasized that FinCEN would "hold accountable those institutions and individuals who recklessly allow our financial institutions to be vulnerable to terrorist financing, money laundering, proliferation finance, and other illicit financial activity."10 On a separate occasion, she stated that FinCEN has "broad authority" under the BSA to obtain injunctions against individuals and "to impose civil penalties not only against domestic financial institutions, but also against partners, directors, officers and employees of such entities who themselves participate in misconduct."11 Director Shasky Calvery
9 The call to pursue individuals became the subject of extrajudicial comments when Judge Jed S. Rakoff, a federal judge in the Southern District of New York, published an article in the New York Review of Books in January 2014. Jed S. Rakoff, The Financial Crisis: Why Have No High-Level Executives Been Prosecuted?, The New York Review of Books (Jan. 4, 2014) available at http://www.nybooks.com/articles/2014/01/09/ financial-crisis-why-no-executive-prosecutions/.
10 Remarks, Florida International Bankers Association AntiMoney Laundering Conference (Feb. 20, 2014), available at https://www.fincen.gov/news/speeches/remarks-jennifershasky-calvery-director-financial-crimes-enforcement-network9 (emphasis added).
11 Remarks, Global Gaming Expo (Sept. 24, 2013), available at https://www.fincen.gov/news/speeches/ remarks-jennifer-
December 7, 2016
also specifically highlighted "calls for more accountability on the business side of an organization when AML compliance fails," noting that "[t]his is where a focus on individuals, as well as institutions, might come into play."12
State regulators have made similar remarks, such as former New York State Superintendent of Financial Services Benjamin M. Lawsky, who stated that "[u]ltimately, when there's bad conduct at a bank, at an insurance company, at a financial institution, it's not the institution itself that's acting; it's the people who work there. And if you want to deter that going into the future and make our system better, there needs to be consequences for those people."13
The move to hold individuals accountable for corporate malfeasance was most notably addressed in the September 2015 "Yates Memo," issued by Deputy Attorney General Sally Q. Yates.14 The Yates Memo, which restated and reinforced the agency's commitment to targeting corporate executives in cases of corporate wrongdoing, also requires that a company seeking to qualify for any cooperation credit in connection with a DOJ investigation must provide the agency with all relevant facts about the individuals involved in the misconduct. The Yates Memo therefore not only reinforces the federal agency's policy on individuals, but
footnote continued from previous page...
12 Remarks, Securities Industry and Financial Markets Association AML and Financial Crimes Conference (Jan. 30, 2014), available at https://www.fincen.gov/news/speeches/ remarks-jennifer-shasky-calvery-director-financial-crimesenforcement-network-8 (emphasis added).
13 Benjamin Lawsky, The Sheriff Of Wall Street, To Hand In His Badge, National Public Radio (June 3, 2015), available at http://www.npr.org/2015/06/03/411660155/benjamin-lawskythe-sheriff-of-wall-street-to-hand-in-his-badge ("We also took a real focus on individual accountability over time. You needed more than just a large fine if you wanted to change conduct."); see also Annual Report of the New York Department of Financial Services (May 4. 2015), available at http://www.dfs.ny.gov/reportpub/annual/dfs_annualrpt_2014.p df ("To get real deterrence, we need to have individuals who are personally held to account.").
14 Sally Quillan Yates, Individual Accountability for Corporate Wrongdoing, U.S. Department of Justice (Sept. 9, 2015), available at https://www.justice.gov/dag/file/769036/ download.
actually incentivizes a corporation to provide evidence implicating its employees.
As noted above, top-level SEC officials including Chair White have also made similar statements about individual accountability.15 But the SEC has simultaneously attempted to reassure nervous compliance professionals that they need not fear an action against them personally in their capacity as chief compliance officers ("CCOs") in every investigation. Following two SEC enforcement actions against CCOs for violations of the Investment Advisers Act and significant industry concern, Director of Enforcement Andrew Ceresney offered some guidance to CCOs in his remarks at the 2015 National Conference of the National Society of Compliance Professionals. He expressed the Commission's support "for the compliance function and its resource needs," and noted that the SEC only brings cases against CCOs who: (1) "are affirmatively involved in misconduct that is unrelated to their compliance function," (2) "engage in efforts to obstruct or mislead the Commission staff," or (3) "where the CCO has exhibited a wholesale failure to carry out his or her responsibilities."16
B. Recent AML Enforcement Actions with Individual Liability for Compliance Officers
Amidst these calls from regulators for personal accountability, a new pattern of AML enforcement actions involving charges against individuals has emerged, giving rise to serious concerns about individual liability and the potential impact this trend may have on retaining qualified, competent, compliance officers in positions of oversight.
15 See, e.g., Mary Jo White, SEC Chair, Three Key Pressure
Points in the Current Enforcement Environment, Remarks at NYC Bar Association's Third Annual White Collar Crime
Institute (May 19, 2014), available at http://www.sec.gov/ News/Speech/Detail/Speech/1370541858285 ("The simple fact
is that the SEC charges individuals in most of our cases, which is as it should be."); Mary Jo White, SEC Chair, Opening
Remarks at the 21st Annual International Institute for
Securities Enforcement and Market Oversight, (Nov. 2. 2015) ,
available at https://www.sec.gov/news/statement/remarks-21st-
international-institute-for-securities-enforcement.html ("[W]hen investigating misconduct, [the SEC'] first looks at
the individual conduct and works out to the entity, rather than starting with the entity as a whole and working in.").
16 Andrew Ceresney, Director, 2015 National Society of
Compliance Professionals, National Conference: Keynote
Address, Washington, D.C. (Nov. 4, 2015), available at
December 7, 2016
1. U.S. Department of Treasury v. Haider
Perhaps the most notable example is the recent federal civil enforcement action brought by FinCEN and the United States Attorney's Office for the Southern District of New York against Thomas Haider, the former Chief Compliance Officer and head of the Fraud Department of MoneyGram, for his "willful" failure to ensure compliance with AML statutes and regulations.17 FinCEN alleged that Haider not only had knowledge of specific compliance failings at MoneyGram, but also had the authority to implement appropriate AML policies and procedures, yet failed to do so.18 After MoneyGram entered into a deferred prosecution agreement with the DOJ for admitted AML program failures, FinCEN sought to hold Haider individually liable on the ground that he was responsible for designing and overseeing MoneyGram's AML program. FinCEN alleged that under Haider's watch, MoneyGram agents solicited customers to send money through participating MoneyGram outlets, telling them that they had won a lottery, or had been selected to receive a prize, or to participate in an exclusive program. The agents told the customers that to receive the items or winnings, they had to pay MoneyGram in advance. Despite the thousands of complaints received by the Fraud Department, Haider never suspended or terminated any agents that were participating in this illicit activity. He also allegedly failed to file suspicious activity reports (SARs) on agents whom he knew or had reason to suspect were engaged in fraud, money laundering, or other criminal activity. In addition to seeking a $1 million civil money penalty, FinCEN moved to bar Haider from the financial industry.
grants the bureau specific enforcement authority against individuals. This case is also the first and only time that FinCEN has targeted an individual compliance officer of a large financial institution without bringing parallel charges against the institution at the same time.20 Although Haider is unlikely to be the last word on the issue of individual liability, and it is unclear what will happen as the case moves forward to trial, it raises the stakes for compliance officers of large financial institutions, and will ultimately be critical in determining regulators' ongoing ability to proceed against individuals for AML program deficiencies.
While Haider is the leading case on individual liability for compliance officers, Haider's alleged conduct was much closer to the direct misconduct cautioned against by Chair White than the mere supervisory or program failures typical of AML enforcement actions. As a result of his alleged inaction, "thousands of innocent individuals," many of whom were elderly victims, were "duped out of millions of dollars through fraud schemes that funneled, and sometimes laundered  illicit profits through MoneyGram's money transmission network." 21 Indeed, the extreme nature of this case was not lost on FinCEN. In the press release announcing the $1 million penalty against Haider, Director Shasky Calvery noted that in her experience, compliance officers are typically "the most dedicated and trustworthy professionals in the financial industry," and that regulators "greatly depend on their judgment and their diligence in our common fight against money laundering, fraud, and terrorist finance."22 In contrast, FinCEN alleged that Haider's "willful violations ... created an environment where
On January 8, 2016, a federal district court in Minnesota denied Haider's motion to dismiss the charges and found that the BSA permits FinCEN to bring suit against individuals for willfully violating the BSA's AML program requirement.19 The court found that the plain language of the statute provides that a civil penalty may be imposed on corporate officers and employees like Haider, who was responsible for MoneyGram's AML program. The Haider decision is the first opinion in a civil action brought by FinCEN and
17 U.S. Dep't of Treasury v. Haider, No. 14-CV-9987 (S.D.N.Y.
filed Dec. 18, 2014). The case was transferred to the District of
Minnesota pursuant to 28 U.S.C. 1404(a) on March 17, 2015.
18 When asked who was responsible for the failure to terminate a particular outlet suspected of wrongdoing, Haider answered "I told you the buck stops with me." Id., Compl. at 92.
19 U.S. Dep't of Treasury v. Haider, No. 15- CV-1518, 2016 WL
107940 (D. Minn. Jan. 8, 2016).
20 In other cases where compliance officers were charged, FinCEN brought the case against the financial institution and the individual together. See, e.g., In re Lee's Snack Shop, Inc. and Hong Ki Yi, FinCEN No. 2015-09 (June 24, 2015) (assessment of civil money penalty) (Mr. Yi was the sole proprietor and chief AML compliance officer of Lee's Snack Shop, a money services business ("MSB")); In re Aurora Sunmart Inc., and Jamal Awad, FinCEN No. 2015-04 (Mar. 18, 2015) (assessment of civil money penalty) (Mr. Awad was the owner, general manager, and AML compliance officer of Aurora Sunmart, also an MSB).
21 FinCEN Press Release, FinCEN Assesses $1 Million Penalty and Seeks to Bar Former MoneyGram Executive from Financial Industry, Individual Accountability Emphasized in Civil Actions, available at https://www.fincen.gov/news/newsreleases/fincen-assesses-1-million-penalty-and-seeks-barformer-moneygram-executive (Dec. 18, 2014).
December 7, 2016
fraud and money laundering thrived, and dirty money rampaged through the very system he was charged with protecting. His inaction led to personal savings lost and dreams ruined for thousands of victims."23 Accordingly, while the Haider case demonstrates that individual accountability is a distinct threat for compliance officers, the case appears to be an outlier due to the nature of Haider's involvement in the alleged misconduct.
2. In re Brown Brothers Harriman & Co., Harold A. Crawford (FINRA)
Although much attention has been spent on the FinCEN case against Haider, FINRA has been the most active of the regulatory authorities in bringing AML enforcement actions against individual compliance officers. In early 2014, in connection with an enforcement action against Brown Brothers Harriman ("BBH"), FINRA fined $25,000 against the company's former global AML CCO, Harold Crawford, and suspended him for one month for AML compliance failures. In Brown Brothers, FINRA alleged that BBH failed to have an adequate AML program in place to monitor and detect suspicious penny stock transactions.24 FINRA alleged that over the course of four-and-a-half years, BBH executed transactions or delivered securities involving at least six billion shares of penny stocks, many on behalf of undisclosed customers of foreign banks in known bank secrecy havens. These penny stock transactions generated at least $850 million in proceeds for BBH's customers. BBH paid a fine of $8 million to FINRA, ceased selling penny stocks for intermediated clients, and implemented certain AML programmatic enhancements.
Crawford allegedly knew of the heightened AML risk in penny stock transactions and potential red flags indicating improper activity from "AML investigations, regulatory inquiries, and other sources."25 Like Haider, Crawford's alleged conduct was more than mere supervisory or program failures typical of AML enforcement actions. Among other claims, FINRA alleged that Crawford was aware foreign individuals were trading anonymously through BBH accounts, that trading volume increased because BBH offered anonymity, and that there was evidence indicating that some of these individuals were engaged in insider
24 See In re Brown Brothers Harriman, & Co. FINRA Case No.
2013035821401 (Feb. 4, 2014) (Letter of Acceptance, Waiver,
trading. Crawford eventually recommended that BBH cease engaging in some of the activities that became the subject of the FINRA action, but his recommendations were never implemented.
FINRA's case against BBH was notable not only for the fine of $8 million levied against the company for AML violations, which at the time was record-breaking, but also for holding a CCO personally liable for AML compliance failures. The sanctions against Mr. Crawford drew attention and criticism because he was well-respected among compliance professionals.26
3. In re Raymond James & Associates, Inc., et al.
More recently, in May 2016, FINRA fined Raymond James & Associates, Inc. ("RJA") and Raymond James Financial Services, Inc. ("RJFS") a total of $17 million for failure to establish and implement adequate AML procedures, which resulted in the firms' alleged failure to properly prevent or detect, investigate, and report suspicious activity for several years.27 In the same action, FINRA also fined RJA's former AML compliance officer, Linda L. Busby, $25,000 and suspended her for three months. In contrast to Haider and Brown Brothers, where the compliance officers allegedly had direct knowledge of the misconduct, Busby was held liable for RJA's failure to establish and implement adequate AML procedures.
FINRA alleged that Raymond James' significant growth between 2006 and 2014 was not matched by commensurate growth in its AML compliance systems and processes. According to the settlement papers, this deficiency left the firms unable to establish AML programs tailored to their businesses, and forced them instead to rely "upon a patchwork of written procedures and systems across different departments to detect suspicious activity."28 This approach allegedly resulted
26 Rachel Louise Ensign, Penalized Brown Brothers Compliance Officer Leaves For eClerx, Wall St. J. (Apr. 30, 2015), available at http://blogs.wsj.com/riskandcompliance/2015/ 04/30/penalized-brown-brothers-compliance-officer-leaves-foreclerx/.
27 In re Raymond James & Assocs., Inc., FINRA Case No. 2014043592001 (May 18, 2016) (Letter of Acceptance, Waiver, and Consent).
28 FINRA Press Release, FINRA Fines Raymond James $17 Million for Systemic Anti-Money Laundering Compliance Failures (May 18, 2016), available at http://www.finra.org/ newsroom/2016/finra-fines-raymond-james-17-millionsystemic-anti-money-laundering-compliance.
December 7, 2016
in a failure to detect or adequately investigate red flags of potentially suspicious activity. FINRA stated that these alleged failures were "particularly concerning" because RJFS was previously sanctioned in 2012 for inadequate AML procedures and, as part of that settlement, had agreed to review its program and procedures, and certify that they were reasonably designed to achieve compliance.29 Although FINRA generally attributed the AML failures to both the firms and Busby, FINRA specifically noted that Busby "did not have control or oversight over the individuals in other departments handling the AML-related processes," and attributed this deficiency to the fact that "RJA did not have a single written procedures manual describing its AML procedures."30
Like Crawford, the CCO in Brown Brothers, Busby also had strong credentials, years of experience as an AML officer, and was well-regarded in the AML field. Following settlement with FINRA, Busby retired from the compliance industry.
Financial's AML policies and procedures.32 According to the SEC, Yaffar-Pena knew of the existence of the affiliate account and that non-U.S. citizens were trading on their own behalf through the account, and failed to take action.
In contrast to the Brown Brothers and Raymond James cases where the individuals at issue were the financial institutions' AML officers, here the SEC took action against the CEO. The SEC found that "[a]s the firm's president and CEO, Yaffar-Pena was ultimately responsible for [its] AML program, [customer identification program] procedures, and supervision of the firm's AML officer and chief compliance officer."33 While the SEC action was not brought against a compliance professional, Yaffar-Pena nonetheless confirms that regulators remain committed to individual liability in the AML context.
5. Other AML Enforcement Actions Against Individuals
4. In re Yaffar-Pena
Most recently, in mid-October, the SEC settled an action against the former president and CEO of a Miamibased brokerage firm, Lia Yaffar-Pena, for aiding and abetting, and causing violations of AML rules by allowing foreign entities to buy and sell securities without verifying the identities of the non-U.S. citizens who beneficially owned them.31 The SEC had previously settled an enforcement action against YaffarPena's brokerage firm, E.S. Financial, for $1 million for the same alleged violations. Yaffar-Pena agreed to a one-year supervisory suspension and payment of a $50,000 penalty.
The SEC alleged that, over a 10-year period, 23 nonU.S. citizens conducted more than $23 million in securities transactions through the account of one of the firm's financial affiliates without the firm ever collecting, verifying, or maintaining any identification documentation for these individuals. These alleged failures violated both federal securities laws and E.S.
29 Id.; see also In re Raymond James Financial Services, Inc., FINRA Case No. 2009018985203(Mar. 29, 2012) (Letter of Acceptance, Waiver, and Consent).
30 Supra n.27.
31 In re Yaffar-Pena, SEC Administrative Proceeding File No. 317637 (Oct. 19, 2016) (order instituting administrative and cease-and-desist proceedings).
While the Brown Brothers and Raymond James enforcement actions were particularly notable because of the size of the fines levied against the companies, there have been additional AML cases over the last few years that were smaller in scope, but that also targeted CCOs. Several of these actions have barred the compliance professionals at issue from the securities industry, either temporarily or permanently, in addition to imposing large fines.34 Similarly, some regulators have required
32 Federal law requires all financial institutions, including brokerdealers, to maintain an adequate customer identification program to ensure the firms know their customers and do not become a conduit for money laundering or terrorist financing. 31 C.F.R. 1023.220.
33 Supra n.31.
34 See, e.g., In re Finance 500, Inc., FINRA Case No. 2013036837801 (Feb. 2016) (Disciplinary and Other Financial Actions), available at http://www.finra.org/sites/default/files/ February_2016_Disciplinary_Actions.pdf (AML officer suspended for nine months and fined $25,000 for failure to establish and implement an AML program reasonably designed to cause the detection and reporting of suspicious activity, and to monitor low-priced stock trading); Dep't of Enf't v. Halycon Cabot Partners, Ltd., FINRA Disciplinary Proceeding No. 2012033877802 (Oct. 6, 2015) (order accepting offer of settlement) (CEO and CCO barred from securities industry for fraud, sales practice abuses, and widespread supervisory and AML failures); Dep't of Enforcement v. Aegis Capital Corp., FINRA Disciplinary Proceeding No. 2011026386001 (Aug. 3, 2015) (order accepting offer of settlement) (Two CCOs fined and suspended for their supervisory and AML failures); In re
December 7, 2016
that the CCO agree to disclose the action to future employers. In an action brought by the Office of the Comptroller of the Currency in April 2016, the former CCO of Gibraltar Private Bank and Trust Company was fined $2,500 for failure to "file suspicious activity reports on a set of accounts for a customer that was later convicted of crimes related to an illegal Ponzi scheme," and was also ordered to disclose the settlement to any future employers that fall under the definition of a "depository institution."35
C. Regulatory Developments
The focus on individual liability has also caught the attention of Congress. In 2013, Representative Maxine Waters, a member of the House Financial Services Committee, introduced the Holding Individuals Accountable and Deterring Money Laundering Act (HIA-DML Act), which provides a roadmap for strengthening AML enforcement.36 The proposed legislation amends the BSA to impose a civil penalty on directors, officers, partners, or employees of a financial institution for BSA violations, and raises the maximum prison sentence for willfully evading an institution's AML program to 20 years from the typical cap of five years. In addition, it grants independent legal authority to FinCEN to bring legal action to enforce AML laws.
The New York Department of Financial Services ("NYDFS") has also attempted to codify a more stringent approach to individual accountability for AML violations, specifically targeting compliance officers. In 2015, NYDFS proposed a rule that would require the CCO (or equivalent) to file an annual compliance certification.37 The proposed rule, which was subject to much criticism from the industry, would have imposed criminal penalties on the senior compliance officer for
footnote continued from previous page...
FX Direct Dealer, LLC, NFA Case No. 12-BCC-021 (July 24, 2013) (decision) (AML compliance officer fined $75,000 for failing to supervise company's AML program and prohibited from employment as a compliance officer for any NFA member for a period of one year, unless supervised by another person in the compliance department).
35 In re Charles Sanders, OCC No. AA-EC-2015-92 (Mar. 15, 2016) (consent order).
36 H.R. 3317, 113th Cong. (2013-2014).
37 Dep't of Fin. Servs., Proposed Superintendent's Regulations, Part 504, Banking Division Transaction Monitoring and Filtering Program Requirements and Certifications, available at http://www.dfs.ny.gov/legal/regulations/proposed/rp504t.pdf.
incorrect or false certifications, going above and beyond federal AML regulation. On June 30, 2016, NYDFS published the final rule, and in response to industry comments, dropped the provision for criminal penalties and removed the requirement that only the CCO file the certification, requiring instead either a board resolution or "compliance finding" by a senior officer with relevant responsibility.38 The finding must certify that the institution's program is in compliance, "to the best of [the signer's] knowledge."39 However, it is not clear whether the changes will have a practical effect on the individual liability aspect of the rule. The NYDFS rule defines "Senior Officer(s)" as "the senior individual or individuals responsible for the management, operations, compliance, and/or risk of a Regulated Institution." This definition may be an acknowledgement that some CCOs may lack sufficient authority or broad enough perspective within their organizations to certify compliance with all required elements of the transaction monitoring and filtering programs. But the NYDFS rule does not clarify whether a single person with responsibility over just one of these areas (e.g., an operations officer) can satisfy the certification requirement, or whether multiple signers may be required to cover each aspect. Additionally, although the provision for criminal penalties was not included in the final rule, the New York Attorney General and the New York District Attorney's Offices nevertheless have
38 Dep't of Fin. Servs. Superintendent's Regulations, Part 504,
Banking Division Transaction Monitoring and Filtering
Program Requirements and Certifications, available at
504t.pdf. Along similar lines to the NYDFS rule, the Office of
the Special Inspector General for the Troubled Asset Relief
Program recently proposed in its quarterly report to Congress "remov[ing] the insulation around Wall Street CEOs and other
high-level officials by requiring the CEO, CFO, and certain
other senior executives to sign an annual certification that they
have conducted due diligence within their organization, and can
certify that that there is no criminal conduct or civil fraud in their organization." Quarterly Report to Congress, Office of
the Special Inspector General for the Troubled Asset Relief
Program (Oct. 26, 2016) at p.3. The report noted that this "certification would create an incentive for top executives to
institute strong antifraud internal controls on lower level
executives and managers. It will also motivate lower level
executives and managers to have conversations with leaders of the organization if fraud or crime is occurring." Id.
39 The finding must also certify that the signer has reviewed the
relevant documents necessary to adopt the compliance finding, and that he or she has taken "all steps necessary" to confirm that the institution's transaction monitoring and filtering
program complies with NYDFS requirements.
December 7, 2016
authority to prosecute an individual for a false statement under New York Banking Law, and could do so for an incorrect or false compliance certification.40
III. CONSIDERATIONS FOR COMPLIANCE PROFESSIONALS AND THEIR EMPLOYERS LOOKING AHEAD
Currently, there are more questions than answers about where the momentum behind these issues will guide the industry. Will the public statements and threats of personal liability motivate the industry to enhance overall AML compliance programs, or will the fear of stricter penalties and possible repercussions simply deter top talent from pursuing a compliance career? Perhaps industry concern will lead to clearer guidance about the circumstances under which regulators and prosecutors will seek to hold individuals accountable. Regardless, the risks and challenges presented by this trend of cases and regulatory developments are serious and considerable for both financial institutions and executives.
A. Considerations for Compliance Officers
In light of the elevated regulatory scrutiny, individual compliance officers should take steps to protect themselves to mitigate any risk they might face.
2. Strengthen Employee Training at all Levels.
It is well understood that a compliance officer is responsible for developing an AML program that detects suspicious activity. It is also imperative that the officer ensures that employees at all levels of the institution receive detailed training on how to detect suspicious activity and investigate red flags. Awareness of suspicious activity should lead to prompt, effective action through appropriate channels, and thorough documentation of escalations and decision-making. Employees need access to clear procedures about how to initiate and document an investigation, and in particular, any decision not to file a SAR.
3. Conduct Regular Testing and Undertake PostMortems.
Compliance should conduct regular testing to identify gaps in the programs to detect suspicious activity. Just because a problem has not been identified does not mean there is not one waiting to be discovered. In the event that the institution learns that suspicious activity was not detected or that crime proceeds have moved through the institution, compliance needs to proactively initiate a post-mortem review to understand how the suspicious activity was missed, to assess any vulnerabilities, and to implement a remediation plan.
1. Assess the Risk and Tailor the Program.
4. Involve Senior Executives.
On a most basic level, a compliance officer must understand his or her business, carefully assess where the risks are in light of the current regulatory climate, and then implement and maintain a comprehensive AML program to address those risks. As noted earlier, there is no strict liability for AML failures, and accordingly, no one-size-fits-all approach. Regulators expect compliance officers to develop an individualized AML program based on the needs of the specific institution and industry. Moreover, conducting a risk assessment is not a one-time event. Compliance officers should regularly assess whether an already-existing AML program meets the institution's current needs. As an institution grows and industries evolve, new risks must be assessed, and there must be commensurate growth and evolution in AML compliance systems and processes.
40 See, e.g., N.Y. Penal Law 175.30 and 175.35.
An institution's AML program is often subject to the strategic decisions and budgetary constraints set by senior executives. Thus, it is important for compliance officers to ensure that senior executives are aware of AML issues and that if significant problems occur, they are involved in the decision-making process. Even if the compliance officers lack the authority to make the necessary decisions, regulators expect them to educate senior executives on the elements of an effective compliance program and to raise unresolved compliance issues with senior management.
5. Stay Informed and Document Decisions.
Compliance professionals must keep abreast of regulatory developments, maintain good communication with their regulatory counterparts, and keep careful records of all information exchanged. Any decisions, policies, or actions must be thoroughly documented, with the information conveyed to all relevant actors within the institution. Because AML investigations are often conducted years after the misconduct occurs, establishing a paper trail is critical to protect both oneself and the institution.
December 7, 2016
B. Considerations for Financial Institutions
The focus on individual liability has significant implications for financial services institutions as well. As noted above, the recent enforcement actions have made compliance jobs less desirable, and accordingly, institutions have to work harder to bring in -- and maintain --top talent. In the long term, they will be forced to pay higher salaries in an effort to incentivize candidates to assume a difficult and risky job with little upside. Institutions are also faced with questions as to whether to provide their compliance officers with insurance coverage in case of liability, and if so, to consider the scope of and limits to that coverage.
including compliance as a factor in an employee's annual assessment and compensation.
2. Break Down Silos.
For an AML program to function effectively, the business, legal, compliance, and other relevant departments within an institution cannot operate independently. These departments must work across organizational boundaries and share information on a routine basis. Institutions should embrace a holistic approach, where employees understand that they are all working toward the same goal of protecting the institution from money laundering.
Like compliance officers, institutions can also take steps to mitigate any risk they might face on the AML front.
1. Promote a Culture of Compliance.
Regulators have stressed time and time again that the "tone at the top" is critical for an AML program to be successful, and that institutional leaders must promote a positive and consistent culture of compliance. As part of this message, an institution must convey that all individuals -- from the executives in the C-Suite to the employees on the ground implementing the policies -- are responsible for protecting the institution against money laundering. It's not just the tone at the top, but a consistent tone at the middle and the bottom that supports a strong compliance program. Institutions can also consider incentivizing compliance success by
3. Support the AML Program.
Finally, it is imperative that an institution provide support for its AML program and ensure that it is wellfunded with sufficient resources. In the event an AML officer identifies failures or potential violations, institutions should provide the financial support needed to address and remedy these issues.
With so many different regulatory authorities voicing support for greater pursuit of charges against individual corporate actors, absent a new enforcement directive from the upcoming administration or court decision that causes the government to reevaluate this approach, the trend toward greater individual accountability for an institution's AML failures will likely continue.
December 7, 2016