Personal Liability Exposure for AML Compliance Officers: Lessons From Haider

Robert M. Axelrod

By Robert Axelrod

Robert Axelrod is a consultant in the New York City area specializing in financial institution compliance regarding anti-money laundering and other financial crimes. His experience includes assisting institutions with their responses to enforcement actions and regulatory requirements.

Maybe the more important your job is, the more demanding, even unfairly demanding, the principles of personal liability will be. As anti-money laundering (AML) issues include profoundly serious criminal events like multimillion dollar drug cartel transactions and Ponzi schemes, and terrorist financing activities, the critical nature of AML compliance and the enforcement priority around compliance failures has perhaps inevitably led to a personal liability exposure that some compliance officers find akin to a personal guarantee jeopardizing their own financial and career stability. There is a sometimes a sense of indignation that while the financial services industry has been in some instances unenthusiastic about allocating resources and influence to AML compliance, it is compliance, and the compliance officers, who may shoulder the blame for compliance shortcomings personally. The latest big addition to this discussion is the May 3, 2017 settlement agreement (Haider agreement) in the case between the U. S. Department of Treasury and Thomas Haider, the former chief compliance officer of MoneyGram International Inc. (U.S. Department of the Treasury v. Thomas Haider, Civil No. 15-1518, D. Minn.).

In going through the lessons from this case, it is worth bearing in mind that some persons, like physicians and attorneys, have malpractice considerations that are not present for those in other occupations such as clothing store salesmen and theater ushers – not because these latter occupations aren’t valid ways to earn a living, but because mistakes in these realms are not as consequential, and because there is not a perceived professional community standard of competence by which to judge them. The personal enforcement actions against AML compliance personnel do not uniformly or clearly articulate a meaningful professional standard against which they could measure themselves and, in turn, be consistently measured by others. Nonetheless, the Haider case has the makings of a lodestar for other regulators, at least in the U.S. It may presage a movement away from effectively requiring the AML compliance officer to simply guarantee an effective and implemented AML program, but nonetheless may treat the officer as responsible to act with considerable corporate bravery and to meticulously document the rationale for decisions.

We can leave aside those situations in which an AML compliance officer or other compliance officer actively abets the violation of anti-money laundering laws or regulations, and/or conspires with wrongdoers to move the proceeds of crime through an otherwise legitimate financial institution. Personal liability there doesn’t require an explanation. The big issue that has roiled AML compliance officers for the past five to ten years has been whether and when they will be deemed personally responsible for AML compliance mishaps in organizations they simply do not substantially control, and what in the world they can and should do as things spin out of whatever modest control they do possess, and it is apparent that there are ongoing, sustained violations of AML laws and regulations.

The Haider settlement document does not definitively answer all of these questions, but it provides an attractive vehicle for firms and their AML compliance officers to channel many of the right issues to the right personnel and to mitigate personal exposure all around. The complaint that was settled was brought on behalf of the primary U.S. AML regulator, the Financial Crimes Enforcement Network (FinCEN), and so may be particularly impressive to other regulators in their AML roles. In December, 2014, FinCEN issued a $1 million assessment against Haider. However, Haider declined to simply consent. In 2015, FinCEN ended up having a complaint brought by the U.S. Attorney in the Southern District of New York to collect. The complaint in substance follows the framework of some prior personal liability enforcement actions. These nominally indicate that since the AML compliance officer is charged with overseeing the AML program, failures of the program are failures of his or her oversight and thus effectively comprise personal liability. The complaint alleges ongoing egregious fraudulent behavior of others associated with MoneyGram and that the behavior was allegedly known by, and not terminated by, Haider. This framework, which appears in the Haider complaint as the compliance officer’s “failure to ensure” an effective AML program, may be described as the “personal guarantor” formula. [complaint at pars. 4 et seq.] Of course, since almost every AML program in a complex organization has some level of failure (and all too often some material failure), this formula, if taken literally, would mean that almost any AML compliance officer’s freedom from personal liability would be the evanescent gift of an indulgent regulator or prosecutor. This would not be a positive career element.

Haider’s case has a rich documented factual backdrop, courtesy of the stipulated statement of facts in the deferred prosecution agreement (DPA) that MoneyGram entered into with the Department of Justice in 2012. The DPA included payment by MoneyGram of $100 Million in penalties and restitution, and the statement of facts within the DPA recited that MoneyGram, as a money services business (MSB), had various MSB agents that facilitated fraudulently induced transactions from customers, and helped to obfuscate the worldwide movement of moneys that were fraud proceeds. [statement of facts at pars. 10-31]. These problematic activities are cited as taking place between 2003-2009, with explicit notice to MoneyGram personnel cited as taking place at least by 2007. The statement of facts also indicates that some of the personnel in the MoneyGram fraud department attempted to mitigate these issues, but were overridden by sales department decisions, and that some of the notice of problematic activity came explicitly from federal government sources.

Several years after the DPA, FinCEN announced the $1 million assessment against Haider as the compliance officer responsible for the AML program. Haider’s case was unusual in the canon of AML compliance personal liability cases because after Haider declined to consent and a federal complaint was filed, he answered, moved to dismiss, changed the venue of the case and otherwise litigated it before a federal district court judge (as opposed to merely negotiating with the enforcement arm of a regulator, for example). The case was eventually settled with Haider’s agreement to pay $250,000 and to be enjoined from certain compliance activities for a period of years.

Comparing the complaint with the settlement agreement, the personal guarantor formula seems to have evolved into something more measured and forgiving. The terms of the settlement pose a newly constructive basis for liability. While the complaint and the assessment framed Haider’s conduct as problematic because he “failed to ensure” various aspects of the implementation of MoneyGram’s AML program and the termination of ostensibly fraudulent agents, according to the settlement agreement [at pp. 3-4], the key to Haider’s personal liability was not simply his chief compliance officer stewardship of the AML program (he supervised the AML officers) in the midst of AML compliance failure. Rather it was the premise of specific authority he had that he failed to exercise or exercised in a way so as to undercut the independence of the compliance function. Unlike the personal guarantor formula, this one implies safety steps for the compliance officer and the institution, particularly through the posing and documenting of a series of questions within the institution, well before the advent of enforcement proceedings against either the financial institution or the compliance officer. We look at these steps in two segments. First, what personal liability enforcement guidelines can be gleaned from Haider? Second, in a later section of this article, we ask, how are these guidelines consistent with some recent high-profile AML compliance officer liability cases?

As we consider Haider and other personal liability enforcement actions, we must qualify the discussion as follows. The “facts” for consideration are only those included in the public enforcement action documents, particularly complaints and settlements. We presume where events such as documentation of valid reasons for a decision are not mentioned in this record, and they would appear to be significant for the parties such that they would be expected to be mentioned, that the events did not occur. This means the discussion is about the public record these actions left behind. As to what actually happened at these institutions and what the acts and intentions were of the persons held liable and the other people at their institutions, we do not have any more direct indication. We are, in effect, where the parties have left the public and the financial services industry.

Haider Guidelines

Authority: What is the actual authority of the compliance officer? This could be tested and documented. If the compliance officer cannot, for example, unilaterally terminate a client relationship, establishing that fact early on counters the notion that a client relationship with a suspected criminal is ipso facto a compliance blunder, and, equally importantly, explicitly identifies with whom that responsibility lies, so that that the appropriate person or persons (who may well be outside of compliance) can think through and document their decision accordingly. While one might hope that policies and procedures would neatly anticipate authority questions, they often fail to do so. Nonetheless, as issues unfold, whatever other authority shortcomings a compliance officer can have, written and oral communications and presentations to senior management, the board of directors, the chief auditor and others are available tools in managing and clearly defining limitations on direct authority.

In Haider, one of the alleged problems at MoneyGram was the failure to terminate MSB agencies that had a recurrent history of strong indications of fraud. The settlement agreement indicated compliance had squarely been faced with the issue of dealing with (by termination or otherwise) potentially bad actors who were clients or employees or agents. In most financial institutions, compliance does not have carte blanche to discontinue business relationships. No dialogue with compliance, including any explanation of a compliance decision not to exercise termination authority, appears in the document, and so the statement [Haider agreement at par. 2(d)] that Haider in fact had but did not exercise the full authority to terminate agents, was problematic for Haider.

Dithering: What is the rationale for an institution’s dithering or sluggishness in responding to indications of gross criminal or similarly problematic behavior? Since the AML compliance officer is generally likely to have relatively intimate knowledge of such a situation, he or she is also likely to be among the earliest people in the institution to recognize that time is slipping by and not much good is happening. Knowledge all by itself may not be power. However, failure to act once knowledge is acquired, without some rather good excuse, supports culpability. Put another way, the AML compliance officer may be effectively responsible to recognize an AML compliance crisis, and to act accordingly with the appropriate level of urgency and forcefulness of communication. We can imagine the scenario of an executive level employee who sees armed robbers breaking into the door of his or her bank – the executive would be expected to do something more than to file a memo or make a casual suggestion at the next meeting about security.

While this may seem like just an echo of the failure of compliance to exercise whatever authority is attributable to it, there is more involved. Barring outright lack of knowledge and experience, the alleged ongoing rampant fraud at MoneyGram seems incapable of having continued without Haider’s notice. This was framed in part by the written recommendations by people Haider supervised that MoneyGram (and by inference, Haider) change related policies and implementation strategies. [Haider agreement at pars. 2(f) and 2(g)]. Those with exquisite knowledge who suffer a bad situation to fester may thereby risk enhanced culpability. Compliance may have such knowledge early on, but it can narrow the gap from situation to action by at least bringing others into the same state of awareness through prompt written communication. In particular, compliance could have attempted to create, propose and then enforce a timetable to deal with the problematic relationships. This might have been preferable to ongoing back and forth discussions during which the problematic activity simply continued. Had compliance taken a timing position, one which might have been vetted with other executives and with regulators in the then current moment, there could have been some insulation from personal liability, or a more emphatic stimulus to MoneyGram itself to expedite resolution of open AML issues.

Rejecting More Conservative Views: What is the rationale for rejecting more conservative treatment than the compliance officer ultimately requests or accepts? Because AML compliance is so wrapped up in common sense business judgments, everyone, especially those outside of compliance, can have a credible opinion about what to do. On top of those opinions, there are the ones voiced by external consultants, junior compliance officers, auditors and, where especially salient and virtually tantamount to advice, noteworthy relevant enforcement actions or regulatory pronouncements. While there may be some operational difficulties just in keeping track of all of these, where a senior compliance officer takes a less aggressive position than the one others have suggested, it is critical to set out the reasons why and even to communicate those reasons to others. There is no assurance that if compliance ends up on the wrong side of a reasonably different opinion (the wrong side being the one deemed later to have contributed to a significant compliance failure) that personal liability will be elided, but there will at least be a fair dialogue. Well reasoned mistakes made in good faith may be less culpable than opaque judgments that may appear to have been opportunistic in hindsight.

The company’s fraud department, which Haider supervised, recommended a policy to terminate or discipline agents associated with recurrent fraud. Haider, who had the authority to accept the policy, did not approve it because of objections by the sales department [Haider agreement at pp. 6-7]. There appears to have been no contemporaneous documented explanation of why the business’s view prevailed, why the view of the junior (to Haider) compliance personnel was undermined by a less aggressive view, or why alternative approaches were not implemented.

Declaring Problems: When the compliance officer is in the midst of an evident crisis over time, some things become elevated in priority from a personal liability point of view. One substantial way to mitigate personal liability of a competent AML compliance officer is, after making basic decisions to protect the institution from facilitating criminal activity, to recruit as many allies and persons with aligned interest as possible, to heighten the ability to fix a problem. That includes, among other things, ensuring that law enforcement is moving forward, since communications from them underscoring problematic behavior will create leverage with others at the institution who may not otherwise appreciate the urgency. In turn, that means, as a minimum, filing timely and comprehensive suspicious activity reports (SARs).

In Haider, one apparent failure to recruit was the failure to file SARs on some of the individuals or agencies that were known to MoneyGram and Haider as recurrent fraud suspects, particularly one James Ugoh. [settlement agreement at pars. 2(i) and 2(i)(e)]. Here is something that the AML compliance officer often does have complete domain over – whether or not to file a SAR. If the AML compliance officer does not have this control, documenting the view that a particular SAR is required by law to file is highly likely to successfully encourage others not to resist the mere filing of a SAR. The old adage, “When in doubt, file” is especially responsive to personal liability considerations, whether you are an AML compliance officer or anyone else at the institution.

It is not clear from the settlement to what if any extent Haider attempted to work with regulators, risk personnel or others to recruit more authority to address egregious AML issues, but such attempts, as documented, could have both relieved Haider’s personal onus and increased the likelihood of different institutional action that could have avoided or mitigated the compliance failures and consequent fines and publicity the company and Haider thereafter endured.

Resourcing/Reasonable Judgments: Where is the power to hire or reallocate resources around a particular compliance problem? What does the AML compliance officer have to do, in order to do “all” that he or she can? Resolving this may make for some awkward or even uncomfortable exchanges within the institution, but it furthers squarely defining the priority of an issue through the communicative stream the compliance officer can set in motion. Once that stream has been initiated, suitable boundaries on behavior and responsibility can be gleaned, both prospectively and looking backwards. The resourcing issue also includes an implied AML compliance officer competence standard of making reasonable judgments – a compliance officer who cannot recognize a gross failure of resources may be accountable not as a guarantor, but as failing to carry out the job accepted.

The Haider settlement does not directly raise resourcing as an issue, but it is not hard to see it as implicit. The strength of a compliance position to have client accounts or agents terminated is dependent at least in part on the depth of investigation and analysis about the underlying transactions and individuals. That is hard to do well with limited resources. More resources could have created more complete and well analyzed investigation results and hence a more implacable business case to make the right termination and SAR moves sooner. The statement of facts of the DPA recites [at par. 31] that MoneyGram failed to adequately resource and staff its AML program.

Haider Guidelines As Seen In Earlier Enforcement Actions

We now consider several recent noteworthy enforcement actions against AML compliance personnel, insofar as they bear upon the Haider framework set out above.

One of the frustrating aspects of assessing enforcement events in this context is that completed litigation, with findings of fact and conclusions of law from an impartial tribunal, such as a court, is rare, and has not coincided with the important AML compliance officer liability cases. This was one thing that made the Haider case so intriguing – that it was, at least for a time, formally contested and even occasioned a court opinion discussing many of the issues in resolving a motion to dismiss -- and one might read the change in enforcement theory between the complaint and the settlement agreement, which occurred after significant pretrial proceedings, as reflecting an air of reality and sophistication to the final approach where there was some attempt to reconcile competing perspectives. The ever-present alternative is a settlement resolution with a regulator or prosecutor that merely arrives at the public statements both sides can live with and agree to in the context of a settlement, and where the interest of clearly defining the theory of liability for the rest of the community as a guide to future behavior does not have the stature it would for a tribunal announcing a reasoned decision. In particular, settlement agreements typically will not compare the case at hand with the earlier cases to show consistency of treatment or explain any changes in approach. In this context, the best we can do is presume there is in fact some overall consistency in the settlement/enforcement environment, and that factual similarities between agreements are not rendered meaningless by what can, at worst, be a sui generis enforcement approach.

Authority: In FINRA v. Brown Brothers Harriman & Co and Harold A. Crawford, No, 2013035821401 (2014), the corresponding letter of acceptance, waiver and consent ( CAWC) provided that the AML compliance officer be fined $25,000 in light of the background and fact pattern the agreement presented. Brown Brothers was also fined $8 Million around AML lapses that were set out that were partly in common with those attributed to the AML compliance officer. A principal theme of the action was Brown Brothers’ stated failure to address transactions that appeared to provide anonymity for parties trading in or custodizing penny stocks under circumstances worthy of investigation. Among other issues, the AWC provides that the AML compliance officer in fact recommended mitigating some of the risk by having the company cease to process transactions for particularly low-priced penny stocks, and underscored the AML risks arising out of a particular party known to be using the firm in relation to its marketing anonymity to foreign investors. (CAWC at pp. 5-7). However, there is no indication this recommendation was followed, nor does this risk analysis appear to have engendered a response. Here is an area where the documentation of follow-up could have provided both some insulation for the compliance officer as well as more clearly defined responsibility (and perhaps, action as a result) within the organization.

Dithering and Declaring Problems: In the U.K. in 2014, the Financial Conduct Authority (FCA) became concerned with the AML compliance of the Bank of Beirut, and ultimately fined the bank over 2 million pounds in that connection in the midst of the bank’s apparently not sufficiently speedy effort to remediate issues. It also fined the bank’s AML compliance officer, Anthony Wills, almost 20 thousand pounds (in addition to fining an internal auditor) for failing to timely inform the FCA of the incomplete state of the promised remediation. The settlement agreements there recite that “senior management” did not give license to these individuals to be fully candid with the FCA, and, effectively, cajoled them into being vague and incomplete if not downright deceptive. There are actions from the FCA against the bank, the compliance officer and the internal auditor, and although the excuse of pressure from senior management is recited, no public fine or censure appears to have been imposed against a member of senior management. Even if there were, apparently the FCA’s view is that a compliance officer needs to stand up more effectively. Resisting the pressure from senior management to smooth things over is, perhaps, some of the table stakes for sitting at the compliance table. The 2015 final notice for Anthony Wills (FCA, 2015) states:

  • Mr Wills has suggested that he was not provided with sufficient resource to conduct his role as Compliance Officer at Bank of Beirut, that at times he felt under pressure from senior management to be “careful” in his communications with the Authority and that he was not given “licence” to explain issues fully to the Authority. While the Authority recognises that Mr Wills’ actions were influenced by comments made by senior management, this does not excuse his misconduct. As Compliance Officer with responsibility for communicating with the Page 4 of 17 Authority, Mr Wills’ role at the Bank was particularly significant. Mr Wills was uniquely placed to understand the full position in relation to Bank of Beirut’s regulatory compliance and as such should have resisted any senior management influence in this regard. As an approved person, he remained personally bound by his own regulatory responsibilities. Mr Wills failed to deal with the Authority in an open and co-operative way. The Authority therefore imposes on Mr Wills a financial penalty of £19,600. [Final Notice at pars. 2.7-8]
FinCEN’s decision not to impose personal responsibility on an AML officer in a recent case is consistent with the Wills approach. The casino’s AML compliance officer referenced in the $1 million assessment in In re Sparks Nugget, Inc., 2016-63 (FinCEN, 2016) presided over an AML program that saw failures to file SARs and currency transaction reports, and had other infirmities. However, she also documented her concerns regarding the firm’s failures, complained in writing about her lack of resources, was instructed by management to not communicate with the AML examiner and was generally ignored by the business, according to the action. She was not named as a party to the case.

Rejecting More Conservative Views: In In Re Charles Sanders, AA-EC-2015-92 (2016), the Office of the Comptroller of the Currency (OCC) fined the chief compliance officer of Gibraltar Private Bank and Trust Company $2,500 because he failed to follow the recommendation of the AML Officer and file a particular SAR. There is no indication of any reasonable basis documented for disagreeing or extenuating circumstances for delay. The OCC found the conduct to reflect a reckless disregard of the law. Once a person, particularly a person of some stature in this regard (the AML compliance officer), announced a view on filing a SAR, disagreement without some convincing contemporaneous written elaboration could place the chief compliance officer in a vulnerable position. The case is noteworthy because amongst U.S. agencies, banking agencies are particularly selective in imposing personal liability, let alone compliance officer personal liability.

Resourcing: In FINRA v. Raymond James & Associates, Inc., Linda Busby et ux (No. 2014043592001, 2016), The AML compliance officer was fined $25,000 and suspended from such work for the next three months, while the affiliated firms involved were fined a total of $17 million, all around failures of the AML program to be tailored to the particular risks of the business, to be provided adequate resourcing and to otherwise adequately implement the program. The resulting acceptance, waiver and consent [ RJA AWC] describes the persistence of these issues after a prior FINRA action against one of the firms in 2012 resulted in an undertaking to certify the sufficiency of the AML program, which called attention to limited AML resources then in place. Against the backdrop of that notice of insufficiency, and the undertaking, the AWC describes an AML surveillance program involving significant manual review of exception reports covering more than 2 million customer accounts with what appears to be only between six and eight personnel in compliance involved, and failures to timely and completely carry out investigations. [RJA AWC at pp 4, 7-9]. The AWC also describes a lack of controls such that the judgment to rely on an affiliated firm did not have a reasonable basis and a corollary failure to have due diligence and periodic reviews conducted. [Id., at pp. 3, 4]. The AWC effectively presumes the AML compliance officer was accountable to recognize that there were gross resource insufficiencies – the resources that would have been necessary to impose further controls and carry out diligence, reviews and more numerous and more complete and timely investigations. So far as the AWC recites, this obstacle was not precipitated or resolved transparently. Put another way, a compliance officer who would suffer inadequate resources over a sustained period of time without written effective complaint and escalation might not be heard later to complain there was personal accountability. The AWC references no complaint or protest, documented or otherwise, from the AML compliance officer. One who complained, but not effectively, or without appropriate documentation, might not have done enough to properly defend the compliance role. While the AWC frames the AML compliance officer’s responsibility in terms of program failures, and can be read as part of the personal guarantor approach, it also identifies many areas where resource issues, if addressed, could have substantially mitigated the problems posed.


Where does all this leave AML compliance officers? The notion that you must stand up and make a record confronting unsympathetic management may seem like a recipe for career suicide, but this misses the point of comparing the profession of an AML compliance officer to that of a physician or attorney. A compliance officer who knows what should be done but cannot manage his or her relationship with the business productively or make a record that defines the issues so well that those outside compliance are more or less compelled to take some responsibility where compliance cannot do things on its own, is like a jazz musician complaining about a failed concert because when he got to the stage, the notes weren’t written on the page. Some people won’t have sufficient political skills to focus the issues without endangering their job. Maybe those people need to be in a different role without overall responsibility for an AML program. This view is aimed at the overall compliance supervisor and not the intermediary compliance staff. That seems to be the gist of Haider and, to a large extent, earlier enforcement actions, regardless of how they are framed. The Cassandra of myth, who had the gift of accurate foresight but the curse never to be believed by those she advised, would not have been an effective AML compliance officer.

One can be sympathetic to regulators here – do they have to choose between those who turn a blind eye to bad things and those who don’t or can’t figure out what to do what they reasonably might have been expected to do to improve the situation? On the other hand, one could also expect regulators to dig a little deeper regarding business personnel who were resistant to AML compliance advice or demands. Like AML compliance officers, regulators’ focus should be on acting so as to bring about the best AML programs and so as to push firms to channel the resources and judgment they have toward that end.

A compliance officer should not simply be a personal guarantor of results, but the standard of the profession appears to require that within the limits of reasonable substantive competence and well- developed skills for personal interaction, the right program will be designed and implemented. If there are material faults on either of these scores, there should be some clarity that AML compliance was not ignorant or silent and did everything practical to get a better result, particularly when it is hard to believe a competent person wouldn’t recognize an AML compliance crisis. What will happen to the perfect compliance officer in this setting, who stays on the job in a situation with substantial AML violations over the years even with the best communication, documentation and escalation, is another question. This is a question regulators would be well advised to ponder and answer comprehensively in the near future. A good potential start is found in the SEC administrative law case of Theodore Urban, File No. 3-13655 (SEC, 2010)(Initial Decision), where a broker dealer’s general counsel was found to be free from blame after having essentially done all he could reasonably be expected to do to address and make known an ongoing compliance problem, even though he didn’t stop it. However, the durability of that approach for personal compliance officer liability is not at all clear today. In the very least, however, Haider and the lead-up cases sketch out some necessary (if not sufficient) conditions to mitigate personal liability for AML compliance officers.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.