Compliance Personal Liability Vs. U.S. AML/CFT Enforcement
Robert M. Axelrod is a consultant in the New York City area specializing in financial crime compliance.
Three recent anti-money laundering (AML) enforcement cases have extended the confusion around the personal liability calculus for AML compliance personnel in the United States.
The Securities and Exchange Commission (SEC) action against Wells Fargo Advisors (PDF) and the Department of Justice (DOJ) case against US Bank (PDF) appeared so indulgent toward personal accountability that the outcomes could spur executives to increasingly pressure compliance officers to ease their AML programs. The Rabobank case, however, targeted a relatively junior compliance officer, but not the seemingly more culpable executives. This could potentially encourage other junior counterparts to believe they are either unfairly prioritized for enforcement or are better off hiding than reporting deficiencies and cooperating with federal prosecutors.
The 2017 Thomas Haider settlement (PDF) identified some logical drivers for personal liability for anti-money laundering (AML) compliance personnel. Personal liability tended to attach to those who failed to promptly declare material problems to persons within the company, failed to take action to remediate problems and enlist others to help, failed to fight to address resourcing constraints, and ignored without explanation more conservative views of other personnel.
Prior notable AML compliance enforcement actions described compliance officers with good intentions but limited effectiveness with management. The Haider case suggested a move away from a purely personal-guarantor theme of liability for compliance officers in flawed programs.
These three major, post-Haider AML enforcements instead invite assessment of why the AML compliance officers were not personally accountable, even though they caused or actively concealed violations. As is often the case, these actions supply elaborate narratives written by prosecutors or regulators of individual and corporate wrongdoing.
The lack of personal sanctions (with one exception) muddles the bargaining position and credibility of AML compliance personnel in facilitating well-functioning programs, because it furthers the notion that compliance can blamelessly afford errors that management might otherwise be compelled to fix.
The abject, destructive incompetence among AML compliance personnel detailed in the SEC's action against Wells Fargo Advisors (PDF) appears not to be a sufficient condition for personal liability, as compared with the competence attributed to the compliance officer liable in the Brown Brothers case, whose fault seemed to be a failure to cause management to act quickly.
Dissembling with the regulator did not earn personal liability under the facts set out in Rabobank's guilty plea (PDF) information, filed by the Department of Justice (DOJ). The DOJ also brought a criminal prosecution against US Bank (PDF), resolved by a Deferred Prosecution Agreement (DPA). However, it did not seek personal liability against a chief compliance officer, who was described as concealing information from the Office of the Comptroller of the Currency (OCC).
The analysis of these cases is based on the public record, namely the DPAs, guilty plea, and regulator-generated settlement documents.
Wells Fargo Advisors
The Wells Fargo Advisors case (November, 2017) demonstrated remarkably incompetent decision-making. In early 2012, two incoming AML compliance officers – one designated a senior manager in the AML compliance program, and the other an interim supervisor of the AML surveillance group – told existing AML compliance staff that there were "too many" Suspicious Activity Reports (SARs) and that continuing activity SARs were not, in fact, required under the regulations. They curtailed the investigations of continuing activity. They also indicated that SARs were to be filed only when there was "proof" of criminal activity. As a consequence, many SARs were not filed until these errors were later corrected by others.
Wells Fargo Advisors' AML compliance officers not only made flagrant errors in this regard, but they overrode the then-correct suspicious activity reporting process. Suspicious activity requires a SAR, even if there is a prior SAR for prior similar activity, as earlier enforcement actions and FinCEN guidance have made very clear.
No seasoned AML compliance officer would publicly opine to the contrary, although some firms find frustrating the need to expend the labor to file such SARs, even when there may be no government follow-up. Moreover, SARs do not require "proof" of criminal activity. For a broker like Wells Fargo Advisors, 31 CFR sec 1023.320 requires filing a SAR upon merely having "reason to suspect" that financial transactions involve the proceeds of illegal activity or have no apparent lawful purpose or reasonable explanation. That is why they are called "suspicious" activity reports. The firm was fined $3.5 million.
While there is no indication the compliance officers made these basic "errors" under pressure from management to reduce costs and avoid staffing increases, the errors are so fundamental that the most ready explanation is that some such improper motivation, rather than ignorance, was likely operative.
The lack of personal liability clashes here with recent prominent actions where compliance officers who were fined apparently tried to encourage the firm to address glaring AML program flaws. Perhaps, however, they did not try hard enough, as in the Brown Brothers case and Banamex (reading both the 2017 DPA (PDF) with the bank and the FDIC fine against individuals (PDF)).
The Wells Fargo compliance officers do not seem to have even tried for a compliant approach. The SEC, in the same post-Haider time frame, has also reverted to a personal guarantor theme of liability in its settlement with a Windsor Capital (PDF) compliance officer.
Rabobank compliance personnel did not just make Wells Fargo-level bad decisions; they actively concealed AML violations from regulators and squelched compliance officers acting properly. Regulators identified several of the wrongdoers as "executives," including those responsible for supervising Rabobank's entire AML program, but only a (non-executive) manager in compliance (George M.) was charged, seemingly the least likely compliance target of those discussed in the enforcement action. George M. reportedly had misgivings about the AML compliance violations he helped to establish at Rabobank and confided these misgivings to the press in 2011, while still on the job, and then to federal prosecutors.
It is hard to question the decision to charge him, but having him be the only person allocated direct responsibility for the Rabobank scenario does not reflect a satisfying accountability framework.
Rabobank had two problems. First, Rabobank, acting through George M. and an unnamed compliance manager ("Manager A," not described as an executive) who supervised him and worked in tandem with him, helped to create violative exceptions to the suspicious activity transaction monitoring process. This resulted in blatant failures to capture suspicious activity, particularly around money flows between two Rabobank branches straddling the U.S./Mexico border.
Cash coming into the Mexico branch was so abundant that the branch began to assist depositors with an armored car service. The bank was deemed on notice that these monies included the proceeds of narcotics trafficking. Rabobank had a cash and monetary instruments reporting (CMIR) "mitigation policy" that prevented adequate investigations into suspicious customer activity. Compliance staff also increased by one hundred-fold a "safe list" of customers whose transactions would no longer be investigated, even if they generated alerts.
The second Rabobank problem was about obstruction. The firm brought in a new AML compliance officer (AMLCO) to replace the one who presided over the George M. era. The new AMLCO quickly became aware of the shortcomings that George M. and his immediate supervisor helped to arrange, and notified management, including an "executive" who ultimately directed her to cease the disclosures, and acted effectively as her supervisor.
An outside consultant was brought in to evaluate the program, and the new AMLCO candidly told the OCC, which regulates the bank, about the consultant's work. The OCC, naturally, not having been given the work, asked for it. At this point, the executive (supervisor) prohibited the new AMLCO from speaking with the OCC, caused her to accept a leave of absence and exchanged emails with the other executives about how best to mischaracterize the consultant's work to the OCC. The executive, along with the compliance officer's AML predecessor (described as another "executive"), conspired to mislead the OCC about the nature of existing AML gaps, as well.
These events form the second count of the information to which Rabobank pled guilty. Those executives controlled the AML compliance function and related OCC communications (whether explicitly as compliance officers is not stated), and they worked to mislead the OCC. They also actively muzzled the good (new) AMLCO. All these events gave rise to Rabobank's payments of approximately $369 million, arising out of the guilty plea, as well as $50 million from a consent order with the OCC (PDF), all coming in February 2018.
The reluctance in this setting to seek sanctions against senior compliance personnel calls to mind the concerns raised by a number of former prosecutors, and particularly Judge Jed Rakoff. Federal prosecutors can find large monetary penalties against institutions all by themselves, a safe path to career success, and may thus avoid bringing the tougher cases against well-defended, high-ranking personnel. The same reasoning seems to apply to banking regulators.
The decision not to initiate any personal enforcement actions in the US Bank case parallels the approach taken with the Rabobank executives. US Bank's February 2018 deferred prosecution agreement (PDF) recites that "…the Bank's then Chief Compliance Officer concealed the bank's [violative] practices from the Office of Comptroller of the Currency…." The US Bank CCO rejected without explanation a forthright disclosure approach proposed by others in US Bank with the OCC, and misinformed others in the bank that the OCC had already been made aware of AML-violative practices.
These were explicit, intentional acts. They also reflect the second count of the Rabobank case – defrauding the United States – although that count was framed in terms of a conspiracy.
One might argue in mitigation that the US Bank CCO was cited in the DPA as having been an inexperienced hire regarding AML several years earlier. However, there was time enough for anyone to have learned the basics on the job, especially given explicit directions from the OCC about the underlying compliance issues and, more pointedly, this shortfall in basics concerned dissembling to a federal banking regulator. How tough could it have been to learn that over several years?
The US Bank effort to misinform the OCC was patent. The AMLCO told a colleague that the bank's communications approach was one of "smoke and mirrors" designed to "pull the wool over the eyes" of the OCC. Further, when junior compliance officers offered a more forthright approach – specifically drafting language to present the issue to the OCC – the CCO edited the concerns out of the documents that went to the OCC. Thus, just as had Haider, the US Bank CCO ignored the more prudent conclusions of other (albeit junior) compliance officers. Very similar behavior (around not filing a SAR) triggered personal liability in the OCC's action against the chief compliance officer of Gibraltar Private Bank and Trust Company (PDF). Yet neither the CCO nor anyone else was named or held liable at US Bank.
The items being concealed were, moreover, meaningful. The bank predetermined the number of transactions it would investigate based on the (small) number of investigators it had, rather than by the risk presented by the bank's business. This "capping" of alerts continued despite US Bank's own internal analysis, which demonstrated that it was missing 25-50 percent of the SARs it should have been filing, because of the capping. It was also forbidden by the Bank Secrecy Act (BSA) Examination Manual (PDF) published by the banking regulators (including the OCC), which specifically (at page 77) provides that the volume of alerts and investigations cannot be set solely by staffing levels.
Some additional issues arise in US Bank, including the failure to timely file SARs on the convicted fraudster Scott Tucker, and inadequate surveillance of transactions from a large money services business, but these are not as directly framed in the DPA in terms of personal liability. Between the DPA and the associated consent order with the OCC, and a civil assessment by FinCEN (PDF) parroting the DPA language, US Bank was effectively fined approximately $600 million.
Why should we worry about compliance officers facing inconsistent enforcement outcomes? Because a consistent approach to personal liability would promote alignment of behavior and stubbornness around clear AML compliance requirements. That would, in turn, facilitate a common approach between business and compliance executives, as well as encourage clear thinking and expression from junior compliance personnel.
Consistency may also address the dearth of candor, as some in an organization see large compliance gaps as occasions to act and others see them as triggers for strategies to avoid regulators' speedy recognition. There may of course be extraneous reasons why some compliance personnel were not held personally liable, such as a family illness or other extenuating circumstances. However, by constructing the elaborate narratives in these three cases, prosecutors and regulators have established clear and multiple examples of bad behavior that was free to the individuals. If bad behavior is seen as free to the individuals, other compliance officers are undercut in their acts to make AML programs effective.