Mitigating the Peril of the Chief Compliance Officer

By: David A. Holley

In December, I wrote here about the New York State Department of Financial Services’ (DFS) proposed regulation, Part 504 of the DFS Superintendent’s Regulations, to bolster regulated financial institutions’ abilities to combat terror financing and money laundering. The proposed rule provides, among other things, minimum guidelines for institutions’ transaction monitoring and sanctions interdiction programs. In addition, the regulation has a Sarbanes-Oxley–like component requiring the chief compliance officer (CCO) or functional equivalent to submit a yearly certification attesting that the firm is compliant with the new regulation.

The certification component of the proposed rule is no doubt causing anxiety among compliance officers in New York. Anxiety levels will surely run higher now that a federal judge in Minnesota has refused to dismiss a lawsuit brought by the U.S. Department of Treasury’s Financial Crimes Enforcement Network (FinCEN) to collect a $1 million penalty assessed against a former CCO for failing to maintain an effective anti-money laundering program under the Bank Secrecy Act (BSA).

Individual Liability for BSA Failures

The case, U.S. Department of the Treasury vs. Thomas E. Haider, Civil Action No. 15-1518 (D. of Minn.), stems from Thomas Haider’s employment as CCO of Moneygram International Inc., a money services business, from 2003 to 2008. At some point after Haider left Moneygram, a grand jury was empaneled in Pennsylvania to investigate whether Moneygram violated the BSA. In 2010, FinCEN requested and was granted access to the grand jury materials, which were later permissibly shared with the U.S. Attorney’s Office for the Southern District of New York. In November 2012, Moneygram entered into a deferred prosecution agreement with the Department of Justice and agreed to forfeit $100 million and retain an independent monitor.

In December 2014, FinCEN assessed a $1 million civil penalty against Haider individually, for “willfully failing to ensure that Moneygram maintained an effective anti-money laundering program” and for not filing suspicious activity reports (SARs) in a timely manner. On the same day, the U.S. Attorney’s Office for the Southern District of New York filed the above action to reduce the FinCEN penalty to a judgment and to ban Haider from working in a “financial institution” as defined by the BSA. The action was transferred from New York to Minnesota, and on January 8, 2016, the federal judge in Minnesota denied Haider’s motion to dismiss the action against him.

Among the arguments addressed by the Court in its order denying Haider’s motion to dismiss, and the one sure to raise the tensions of chief compliance officers, is the Court’s determination that Section 5318(h) of the BSA applies to individuals, and not just financial institutions. In his motion to dismiss, Haider asserted that Section 5318(h)—“in order to guard against money laundering through financial institutions, each financial institution shall establish anti-money laundering programs…”—did not apply to him as an individual, because Section 5318(g) provides that “any financial institution, and any director, officer, employee or agent of any financial institution, may be required to report any suspicious transactions relevant to a possible violation of law or regulation.” The Court analyzed the plain meaning of the statute and sided with the government in determining that the general penalty provision of the BSA, Section 5321(a)(1), authorizes the imposition of civil penalties against Haider under Section 5318(h), because under the general penalty provision, penalties may be assessed against “…a partner, director, officer or employee of a domestic financial institution…willfully violating this subchapter or a regulation prescribed or order issued under this subchapter…”

Chief Compliance Officers Need Help to Succeed

While this case will continue, and both Haider and FinCEN will have ample opportunity to argue the merits of their respective positions, there are some takeaways from this matter and the DFS’ proposed regulation. Foremost, having the resources to comply with the BSA and proposed DFS regulations is vitally important. A financial institution’s risk assessment must be calibrated to effectively evaluate whether the institution has the people, technology, and other resources to successfully manage its regulatory risk. In addition, we recommend that all financial institutions:

  • Empower the CCO with clear authority, a direct reporting line to the chief executive officer and the board of directors, and a budget sufficient to accomplish the job
  • Ensure proper governance and management oversight of BSA/AML and sanctions policies, procedures, and systems, so that systems cannot be manipulated to achieve a desired result (e.g., a reduced workflow resulting from lowered sensitivity of the sanctions filtering software)
  • Independently test and validate, on a periodic basis, all sanctions interdiction and transaction monitoring systems, including testing and documenting any changes made to watch lists or filtering sensitivity
  • Keep senior management up to date on compliance issues and performance through monthly reports to a risk management committee or similar function, as well as periodic reports to the board of directors
  • Hold individuals accountable for compliance failures, including violations of company policies and procedures (performance metrics should be a part of each employee’s annual review)
  • Raise compliance issues to top management as they arise, not only when they become problems

Ensuring that CCOs are properly supported in terms of resources, authority, and oversight will go a long way toward increasing the longevity of their tenures and preventing the expensive compliance failures and subsequent costly remediation efforts we have seen in financial institutions over the last few years.
