As compliance professionals take a seat at their desks for another year of policing internal conduct at their firms, they face a new risk themselves: individual liability that could result in millions of dollars in fines and the effective end of their careers. Last month, the Financial Crimes Enforcement Network (FinCEN) and the US Attorney’s Office for the Southern District of New York combined to take action in United States Department of the Treasury v. Thomas E. Haider1 against a former Chief Compliance Officer for MoneyGram International Inc. for his alleged failure to implement and maintain a compliance program designed to protect against money laundering and to report suspicious activity. On the basis of its determination that this failure constituted a violation of the Bank Secrecy Act (BSA) and its implementing regulations, FinCEN assessed a $1 million civil penalty against Haider. A civil action, filed by the US Attorney’s Office the same day the assessment was announced, seeks to turn FinCEN’s assessment into an enforceable judgment and an injunction barring Haider from the financial industry. This litigation, certain to be contested, could signal a new approach by federal regulators and law enforcement seeking to hold individual compliance personnel responsible for programmatic failures.
Summary of FinCEN’s Assessment and the Litigation
As Chief Compliance Officer from 2003 until he left MoneyGram in 2008, Haider supervised MoneyGram’s Fraud and Anti-Money Laundering (AML) Compliance Departments.2 MoneyGram enables customers to transfer money from one location to another through a global network of agents and outlets.3 MoneyGram’s Senior Director of AML Compliance, Director of AML Compliance and Fraud, and Director of Fraud (communications from all of whom are quoted in the assessment and complaint) “worked under, and had direct contact with” Haider.4 Haider allegedly had the authority to terminate or otherwise discipline MoneyGram agents and outlets due to “compliance concerns” and also allegedly had the authority to decline to approve new agents or outlets.5 Although he did not report directly to MoneyGram’s Board of Directors, he made presentations quarterly to the Audit Committee on developments in MoneyGram’s AML program and those presentations “were not screened by MoneyGram’s other senior managers.”6
In 2009, after Haider had left MoneyGram, the Federal Trade Commission filed a complaint against MoneyGram alleging that, between 2004 and 2008, MoneyGram agents in the United States and Canada “aided fraudulent telemarketers and other perpetrators of telephone and internet scams who misled US consumers into wiring tens of millions of dollars” to participants in fraudulent schemes.7 In 2012, MoneyGram entered into a deferred prosecution agreement (DPA) with the US Department of Justice’s Asset Forfeiture and Money Laundering Section and the US Attorney’s Office for the Middle District of Pennsylvania on charges of aiding and abetting wire fraud and willfully failing to implement an effective AML program.8
As part of the DPA, MoneyGram admitted that it had “willfully failed to maintain an effective anti-money laundering program that was reasonably designed to prevent it from being used to facilitate money laundering.”9 The specific programmatic failings to which MoneyGram admitted included:
- a failure to implement policies or procedures governing the termination of MoneyGram agents involved in fraud and money laundering;
- a failure to implement policies or procedures to file required suspicious activity reports (SARs) when victims reported fraud to MoneyGram on transactions over $2,000;
- a failure to file SARs on agents known to MoneyGram to be involved in fraud (MoneyGram’s SARs instead listed the victim of the fraud as the likely wrongdoer);
- a failure to conduct effective AML audits of MoneyGram’s agents and outlets10;
- a failure to implement policies or procedures to review MoneyGram transfer checks of agents known or suspected to be involved in check pooling, and
- a failure to conduct adequate due diligence on prospective MoneyGram agents or on agents seeking additional outlets.11
FinCEN’s assessment and the action filed by the US Attorney’s Office essentially seek to hold Haider personally responsible for many of the same programmatic failures to which MoneyGram admitted as part of its DPA. Although there are several instances where the assessment and complaint allege Haider had knowledge of specific compliance failings, for the most part they are based on Haider’s authority to implement appropriate policies and procedures and his alleged failure to do so. The assessment and complaint also use Haider’s acknowledgement of responsibility against him: Haider is quoted as saying, “I told you the buck stops with me,” when asked who was responsible for the failure to terminate a particular outlet suspected of wrongdoing.12
The Government claims that Haider’s alleged failings entitle it to “far more” than the $1 million penalty FinCEN assessed. On the basis of Haider’s “willful failure” to ensure that MoneyGram implemented and maintained an effective compliance program for a period encompassing approximately 190 days, the Government contends that under the BSA he is subject to a penalty of $25,000 per day of non-compliance.13
There are several important legal and policy questions raised by this new approach:
First, there is the question of whether individuals may be held liable under the BSA for what appear to have been, at bottom, institutional failures. Although the BSA requires a financial institution to establish an AML program and to designate a compliance officer to assure day-to-day compliance with any such program,14 neither the BSA nor its implementing regulations specify what is required, if anything, of compliance officers such that a cause of action against individuals could be said to have been created. Rather, the regulations merely list what designated compliance officers’ responsibilities will include.15 Thus, while an institution may run afoul of the BSA for failing to establish the required AML program, it remains to be seen whether compliance officers may themselves be held liable for failing to carry out their listed responsibilities in an adequate manner.
Second, the Government’s interpretation of the willfulness requirement in 31 U.S.C. § 5321(a)(1) may be subject to challenge, both broadly and in this specific instance. In the complaint and assessment against Haider, the Government claims that willfulness for purposes of the BSA covers not only “knowing violations” but also those in which the defendant “acted recklessly or with willful blindness.”16 It remains an open question whether the type of inaction attributed to Haider in the assessment and complaint will satisfy such a standard.
Third, and perhaps most importantly, is the issue of the effect of this new approach, pursuant to which individuals may be held financially responsible for each day a financial institution’s AML program is not in compliance with federal regulations. Already, industry observers are questioning whether the action taken against Haider will have negative effects on the ability of financial institutions to hire and retain qualified professionals willing to take on these jobs.17 Compliance personnel serve a key role in advising businesses on regulations that seemingly are ever-increasing in their complexity. They are an important backstop and internal check on the business. Now, compliance personnel face the specter of a regulator or law enforcement agency holding them individually responsible after the fact for the advice they provide on where lines can be drawn.
1 No. 14 CV 9987 (S.D.N.Y. Dec. 18, 2014).
2 Compl. at ¶ 13.
3Id. at ¶ 30.
4Id. at ¶ 46.
5Id. at ¶ 49.
6Id. at ¶ 52.
7Id. at ¶ 61.
8Id. at ¶ 62-63.
9United States v. MoneyGram Int’, Inc., 12-cr-291 (M.D. Pa 2012).
10 In support of this allegation, the DPA (and the assessment and complaint) cite a refusal on the part of MoneyGram’s Senior Director of AML to conduct audits on certain outlets suspected of being involved in fraud and money laundering that MoneyGram refused to terminate because such outlets were “criminal operations” and sending audit teams into those outlets would place MoneyGram’s personnel in “physical danger.” Id.; Compl. at ¶ 63.
12 Compl. at ¶ 92.
13Id. at ¶ 132-34.
14 31 U.S.C. § 5318(h).
15 31 C.F.R. § 1022.210(d)(2).
16 Id. at ¶ 27.
17See, e.g., “In bid to punish individual, FinCEN pursued MoneyGram business leaders, but caught compliance chief – source,” by Brett Wolf, Thomson Reuters (May 20, 2014), available at:http://blog.thomsonreuters.com/index.php/in-bid-to-punish-individual-fincen-pursued-moneygram-business-leaders-but-caught-compliance-chief-source/.