Executive Liability for Anti-Money-Laundering Controls

Executive Liability for Anti-Money-Laundering Controls

Introduction

In March 2015, the New York State Department of Financial Services (DFS) entered into a consent order with a major German bank (with New York affiliate branches), Commerzbank AG, regarding that bank’s violations of state and federal anti-money-laundering (AML) laws. 1 See Consent Order Under New York Banking Law §§ 39, 44, at 1, In the Matter of Commerzbank AG (N.Y. Dep’t. of Fin. Servs., Mar. 12, 2015), http://www.dfs.ny.gov/ab
out/ea/ea150312.pdf [http://perma.cc/H2JL-KV5D] (stating Commerzbank is “major international banking institution with . . . assets exceeding $670 billion”); Press Release, Dep’t of Fin. Servs., NYDFS Announces Commerzbank to Pay $1.45 Billion, Terminate Employees, Install Independent Monitor for Banking Law Violations (Mar. 12, 2015), http://www.dfs.ny.gov/about/press2015/pr1503121.htm [http://perma.cc/3UR4-TD24] (“Commerzbank turned a blind eye to its anti-money laundering compliance responsibili­ties.” (internal quotation marks omitted)).
And Commerzbank has now paid $1.45 billion to the U.S. government to set­tle the allega­tions that it improperly facilitated business for Iran, Sudan, Cuba, and Myanmar, and “abetted a multibillion-dollar securities fraud” for a Japanese company. 2 Samuel Rubenfeld & Eyk Henning, Commerzbank Settles U.S. Allegations of Sanctions, Money-Laundering Violations, Wall St. J. (Mar. 12, 2015), http://www.wsj.com/
articles/commerzbank-to-settle-u-s-allegations-of-sanctions-and-money-laundering-violation
s-1426177346 (on file with the Columbia Law Review).

The Commerzbank case is just one of several in a recent spate of in­ternational money laundering scandals. 3 See infra section I.B (discussing recent money laundering scandals). These cases have prompted reg­ulators to question the effectiveness of existing money laundering con­trols and provoked thought about the optimal design of AML regula­tion. This Essay considers one recent proposal for bolstering the existing AML regime. In particular, the Essay considers the merits of a February 2015 proposal by the former superintendent of New York State’s Department of Financial Services, Benjamin Lawsky, to increase senior executives’ per­sonal responsibility for a financial institution’s AML controls. 4 Benjamin Lawsky, Superintendent, N.Y. Dep’t. of Fin. Servs., Remarks on Financial Regulation in New York City at Columbia Law School (Feb. 25, 2015), http://www.dfs.ny.g
ov/about/speeches/sp150225.htm [http://perma.cc/Z89X-26YJ] (describing proposal).

In a broad sense, the Essay endorses more robust individual ac­countability for AML compliance. The specter of personal liability would likely force executives to devote more attention to the design and main­tenance of an institution’s AML program. At the same time, however, the Essay stops short of a full-hearted embrace of traditional legal tools for executive liability. A world in which executives are held liable for AML failures could also lead to socially and economically undesirable results. It could, as recent history has shown, encourage institutions to take more than an optimal level of care, reducing access to banking services in cer­tain communities or infringing on other privacy interests in the process. For those reasons, the Essay suggests that industry-generated liability—in the form of privately set standards—could be equally if not more effec­tive than liability imposed by regulatory fiat or enforcement, of the kind that Lawsky suggested.

The Essay proceeds in three parts. Part I briefly discusses the prob­lem of international money laundering in globally active financial institu­tions and provides an overview of the existing AML regime. Part II ex­plores the tools available for increasing executive liability in the AML arena: by adding certification requirements, increasing agency enforce­ment, or pressing the issue as a matter of corporate governance through shareholder suits. Part III then discusses the potential challenges and downsides to certification, enforcement, or litigation. Ultimately, Part III suggests that a more efficient and effective regulatory outcome could be achieved if the private market developed and then adopted standards by which financial firm executives are held liable, by the institutions them­selves, for AML failures.

I. Money Laundering and AML Compliance

This Part illustrates a regulatory puzzle: Despite a robust effort to prevent money laundering through a comprehensive regulatory regime, instances of money laundering still continue to surface in some of the largest, most complex, and sophisticated global banks.

A. Regulating Money Laundering Controls

There is no question that preventing money laundering is a high pri­ority for regulators in the United States and abroad. 5 See, e.g., Bruce Zagaris, The Merging of the Anti-Money Laundering and Counter-Terrorism Financial Enforcement Regimes After September 11, 2001, 22 Berkeley J. Int’l L. 123, 123–30 (2004) (discussing AML regime in United States); James M. Lord, Department of Justice (DOJ) Announces that Anti-Money Laundering Enforcement Is a Top Priority, Nat’l L. Rev. (Mar. 20, 2015), http://www.natlawreview.com/article/department-justice-doj-announces-anti-money-laundering-enforcement-top-priority [http://perma.cc/6V2Y-EQQG] (noting remarks of top DOJ officials describing importance of AML enforcement). Indeed, major fi­nancial economies like the United States and the European Union have taken a strongly prophylactic approach to preventing money laundering in banks. Regulators in these jurisdictions impose significant screening, filtering, and reporting requirements on financial institutions with re­spect to potentially illicit deposits and transfers. 6 See infra note 7; see also Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the Prevention of the Use of the Financial System for the Purpose of Money Laundering or Terrorist Financing, 2015 O.J. (L 141) 73, at ¶3–4, 37, 43, 44, 59 (“address[ing] threat of money laundering” in European Union); U.K. Fin. Conduct Auth., Anti-Money Laundering Annual Report 2013/14, at 11 (2014), https://www.fca.org.uk/static/documents/corporate/anti-money-laundering-annual-report-
13-14.pdf [https://perma.cc/Z3C8-WQLD] (discuss­ing AML regulations and FCA’s super­visory role).

These prevention-oriented AML laws generally require firms to per­form two compliance functions: reporting and due diligence. In the United States, for example, the Bank Secrecy Act (BSA) requires financial institu­tions to screen for and report transactions over a certain dollar amount ($10,000) as well as other “sus­picious” transactions. 7 See The Currency and Foreign Transactions Reporting Act (Bank Secrecy Act) of 1970, Pub. L. No. 91-508, 84 Stat. 1114 (1970) (codified as amended in scattered sections of 12, 18, & 31 U.S.C.); see also 31 C.F.R. ch. X (2015) (detailing BSA implementing regula­tions); 31 C.F.R. ch. I, pt. 103 (2010) (same); FinCEN’s Mandate from Congress: “Bank Secrecy Act,” FinCEN, https://www.fincen.gov/statutes_regs/bsa/ [https://perma.cc/AH9R-ST5N] (last visited Dec. 24, 2015) (providing overview of BSA framework). Institutions must also conduct adequate due dili­gence on their customers. These due diligence rules, often referred to as “Know Your Customer” (KYC), 8 See PWC, Know Your Customer: Quick Reference Guide (2015), http://www.pwc.
com/gx/en/financial-services/publications/assets/pwc-anti-money-laundering-2015.pdf [https://perma.cc/JL6L-WMDL] (providing overview of KYC rules worldwide).
are designed to prevent banks from deal­ing with illicit funds or “Specially Designated Nationals”—persons or entities whom the Treasury Department’s Office of Foreign Asset Control (OFAC) has iden­tified as terrorists, narcotics traffickers, or otherwise sanctioned parties. 9 See U.S. Dep’t of Treasury, Specially Designated Nationals List, http://www.treas
ury.gov/resource-center/sanctions/SDN-List/Pages/default.aspx [http://perma.cc/Y4LP-9ACN] (last updated Oct. 20, 2015) (describing SDN list).

A similar prevention-oriented approach to money laundering exists on the international level, where a transnational regulatory body, the Financial Action Task Force (FATF), establishes AML rules for various global financial institutions. In its most recent set of recommendations, issued in February 2012, the FATF endorsed a “risk-based” approach to interna­tional money laundering, in which member countries are encouraged to require their financial institutions to undertake comprehensive customer due diligence, prohibit anonymous or fictitiously named accounts, and main­tain comprehensive records on all domestic and international transactions. 10 See FATF, International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation 14–15 (2012), http://www.fatf-gafi.org/media/fatf/
documents/recommendations/pdfs/FATF_Recommendations.pdf [http://perma.cc/6BR
K-5DE4] (setting forth FATF recommendations).

Yet notwithstanding these regulatory efforts to ensure that banks fil­ter and monitor transactions, banks still remain vulnerable to (or com­plicit in) money laundering. 11 See Holding Individuals Accountable and Deterring Money Laundering Act, H.R. 3317, 113th Cong. 3 (2013) (introduced in House) (proposing increased civil penalties for violations of money laundering laws); U.S. Dep’t. of Treasury, National Money Laundering Risk Assessment 2015, at 2 (2015), http://www.treasury.gov/resource-center/terrorist-illicit-finance/Documents/National%20Money%20Laundering%20Risk%20Assessment%20%E2%80%93%2006-12-2015.pdf [http://perma.cc/C68Z-4G9Q] (estimating $300 billion is laundered annu­ally in United States despite stringent regulations).

B. When Compliance Fails

Money laundering is pervasive in the global financial markets. By some estimates, laundered money accounts for 2% to 5% of global GDP, totaling somewhere between $800 billion and $2 trillion. 12 Money-Laundering and Globalization, U.N. Office on Drugs & Crime, https://w
ww.unodc.org/unodc/en/money-laundering/globalization.html [https://perma.cc/9CL
V-Z3BV] (last visited Nov. 1, 2015).
Global banks play a key role.

Though certainly not an exhaustive list, a few of these AML cases are instructive. In one 2012 case, the British bank HSBC agreed to forfeit $1.256 billion for violations of U.S. anti-money laundering-related laws to (and entered into a deferred prosecution agreement with) the U.S. Department of Justice (DOJ). 13 Press Release, U.S. Dep’t of Justice, HSBC Holdings Plc. and HSBC Bank USA N.A. Admit to Anti-Money Laundering and Sanctions Violations, Forfeit $1.256 Billion in Deferred Prosecution Agreement (Dec. 11, 2012), http://www.justice.gov/opa/pr/hsbc-holdings-plc-and-hsbc-bank-usa-na-admit-anti-money-laundering-and-sanctions-violations [http://perma.cc/G4WB-BBY6]. Among other deficiencies, a congres­sional investigation found that the HSBC affiliate in the United States—HBUS—“should have . . . treat[ed] [the HSBC affiliate in Mexico] as a high risk correspondent client subject to enhanced due diligence and monitoring” given that Mexico was “under siege from drug crime, vio­lence, and money laundering.” 14 Staff of Senate Permanent Subcomm. on Investigations, Comm. on Homeland Security & Governmental Affairs, 112th Cong., U.S. Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History 4 (2012), http://www.hsgac.senate.
gov/download/report-us-vulnerabilities-to-money-laundering-drugs-and-terrorist-financing-
hsbc-case-history (on file with the Columbia Law Review).
Reportedly, these serious AML deficien­cies persisted for years and were known to the HSBC Group. 15 Id. at 5. One whistleblower has even alleged that HSBC’s compliance prob­lems have not yet been resolved, and its complicity in laundering money continues to this day. Whistleblower Believes HSBC Still Money-Laundering, WND (Feb. 22, 2015, 3:01 pm), http://www.wnd.com/2015/02/whistleblower-believes-hsbc-still-money-laundering/ [http://
perma.cc/2VT6-XJSQ].
The HSBC case, perhaps well known, “wasn’t the first or last bank money-laundering scandal.” 16 Jon Burnett, Awash in Cash, Drug Cartels Rely on Big Banks to Launder Profits, NPR: Parallels (Mar. 20, 2014, 3:39 pm), http://www.npr.org/blogs/parallels/2014/03/2
0/291934724/awash-in-cash-drug-cartels-rely-on-big-banks-to-launder-profits (on file with the Columbia Law Review) (describing money laundering scandals involving Wachovia Bank and Bank of America). Also in 2012, the money transfer company MoneyGram entered into a deferred prosecution agreement with the DOJ, in which it acknowledged responsi­bility for its deficient AML controls. Press Release, U.S. Dep’t of Justice, Moneygram International Inc. Admits Anti-Money Laundering and Wire Fraud Violations, Forfeits $100 Million in Deferred Prosecution (Nov. 9, 2012), http://www.justice.gov/opa/pr/mo
neygram-international-inc-admits-anti-money-laundering-and-wire-fraud-violations-forfeits [http://perma.cc/83H7-AUXW] (criticizing Moneygram, in press statement, for “know­ingly turn[ing] a blind eye to scam artists and money launderers”).

In another significant case, the British bank Standard Chartered entered into (and extended) a deferred prosecution agreement in con­nection with billions of dollars of transactions on behalf of prohibited foreign entities, 17 Deferred Prosecution Agreement, United States v. Standard Chartered Bank, No. 1:12-cr-00262 (D.D.C. Dec. 10, 2012); Chad Bray, Standard Chartered Agrees to 3-Year Extension of Nonprosecution Agreements, N.Y. Times: Dealbook (Dec. 10, 2014, 4:53 am), http://dealbook.nytimes.com/2014/12/10/standard-chartered-extends-deferred-prosecut
ion-agreements-for-3-years/?_r=0 [http://perma.cc/B3ZW-QR2E].
including Iranian banks and corporations. 18 Jessica Silver-Greenberg, Regulator Says British Bank Helped Iran Hide Deals, N.Y. Times (Aug. 6, 2012), http://www.nytimes.com/2012/08/07/business/standard-chart
ered-bank-accused-of-hiding-transactions-with-iranians.html (on file with the Columbia Law Review).
And just this year, in 2015, several global banks have come under investigation for possible involvement in laundering funds that were associated with the bribery of FIFA officials. 19 Christopher M. Matthews & Rachel Louise Ensign, U.S. Authorities Probe Banks’ Handling of FIFA Funds, Wall St. J. (July 23, 2015, 6:42 pm), http://www.wsj.com/
articles/u-s-authorities-probe-banks-handling-of-fifa-funds-1437682616 (on file with the Columbia Law Review).
The DOJ also, this year, opened an investiga­tion into Deutsche Bank for its possible involvement in laundering funds on behalf of some of its Russian clients, possibly to “skirt U.S. sanctions law.” 20 See Keri Geiger & Greg Farrell, DOJ Said to Probe Deutsche Bank on Russia Mirror Trades, Bloomberg (Aug. 3, 2015, 2:23 pm), http://www.bloomberg.com/news/arti
cles/2015-08-03/deutsche-bank-said-to-be-probed-by-doj-on-russia-mirror-trades [http://p
erma.cc/37UD-S5J2].

These cases, and others like them, beg the question of what is miss­ing from the AML regime. To be sure, there is no shortage of rules re­quiring financial institutions to monitor and report suspicious transac­tions. According to some regulators, like Lawsky, the problem is one of enforcement—that regulators lack the resources to monitor banks’ com­pliance with these regulatory requirements and, as a consequence, sys­tems remain faulty or inadequate, or worse, bank managers choose to be willfully blind to obvious red flags. 21 See Lawsky, supra note 4 (discussing potential problems with existing transac­tion monitoring and filtering systems).

In theory, placing responsibility squarely on financial-firm executives could go a long way in compensating for these resource limitations by better incentivizing banks to self-monitor and enforce the AML regime. For one, increased liability could motivate financial-firm managers to invest greater resources, energy, and attention to the institution’s AML compliance and to remain alert to the ways in which the institution re­mains vulnerable to money laundering. And, of course, direct liability removes the incentives (to the extent they exist) for executives to remain willfully blind to questionable financial activity. 22 As Lawsky suggested with his proposal, the government does not have the resour­ces to com­prehensively and proactively monitor compliance with AML laws. Ian McKendry, Lawsky AML Proposal May Scare Off Compliance Talent, Industry Warns, Am. Banker (Mar. 9, 2015), http://www.americanbanker.com/news/law-regulation/lawsky-aml-propos
al-may-scare-off-compliance-talent-industry-warns-1073134-1.html (on file with the Columbia Law Review). These regulatory gaps inhibit regulators’ ability to detect financial misconduct, like fraud, in complex and innovative financial environments. See Christina Parajon Skinner, Whistleblowers and Financial Innovation, 94 N.C. L. Rev. (forthcoming 2016) (manuscript at 6–16) (on file with the Columbia Law Review). For this reason, complemen­tarity style su­pervision can be an effective way to reduce certain kinds of financial miscon­duct by im­proving the compliance function of banks on an industry-wide basis. Christina Parajon Skinner, Misconduct Risk, 94 Fordham L. Rev. (forthcoming 2016) (manuscript at 44–54) (on file with the Columbia Law Review).

But in practice, there are significant challenges to individual liability regimes. 23 Perhaps because of these significant hurdles, individual liability has, to date, been a scantly used tool in the AML context. See Elkan Abramowitz & Jonathan Sack, Bank Secrecy Act Prosecutions: Why Few Individuals Are Charged, N.Y. L.J. (Sept. 2, 2014), http://www.newyorklawjournal.com/id=1202668542243/Bank-Secrecy-Act-Why-Few-Indivi
duals-Are-Charged (on file with the Columbia Law Review) (“[I]n essence, the BSA imposes obligations on organizations to take certain actions, rather than prohibiting individuals from taking certain actions.”). When announcing a 2014 Deferred Prosecution Agreement with J.P. Morgan, the U.S. Attorney for the Southern District of New York, Preet Bharara, made clear that “‘[t]he BSA is a law that requires financial institutions—as institutions—to establish and maintain effective [AML] programs and to know their customers . . . . To­day’s charges have been filed because, in this regard, JPMorgan—as an institution—failed and failed miserably.’” Matthew Schwartz, Why Banks, Not Executives, Are Prosecuted, Corp. Counsel (Apr. 27, 2015), http://www.corpcounsel.com/id=1202724641665/Why-Banks-Not-Executives-Are-Prosecuted (on file with the Columbia Law Review). He further stated, “‘Institutions, not just individuals, have an obligation to follow the law and to police them­selves.’” Id.
Part II discusses three existing models for individual liability for firm compliance and exposes the difficulties of expanding these mod­els to the AML context.

II. The State of Liability

This Part turns to the various paths that regulators or shareholders could take to increase financial firm executives’ liability for the compli­ance function of the firm. Such a path has several conceptual virtues from the perspective of social and economic welfare: Liability can moti­vate executives to expend a greater proportion of their limited resources on the development and maintenance of a robust, innovative, and agile compliance function. In doing so, liability should, in theory, more closely align these managers’ interests in AML compliance with those of the firm in reducing the reputational and financial losses associated with AML failures. From an economic perspective, then, executive liability could likely force a firm’s key decisionmakers—its managers—to more fully in­ternalize the costs of an institution’s AML failures.

Starting from this premise—that more individual responsibility is, in theory, desirable—this Part explores three existing models for executive liability in the compliance arena. In doing so, Part II illustrates that, in practice, there are significant costs and challenges that would accompany increased individual liability for AML compliance.

A. Control Certification

One seemingly straightforward way to increase executive responsibil­ity for AML controls is to require these managers to certify their ade­quacy. Indeed, a control certification regime was precisely what Lawsky had in mind. In his remarks at Columbia Law School in February 2015, Lawsky specifically explained that “since we [DFS] cannot simultaneously audit every institution, we are also considering making senior executives personally attest to the adequacy and robustness of those systems.” 24 Lawsky, supra note 4. Lawsky’s proposal reflects a similar piece of legislation in­troduced, but rejected, in the U.S. House of Representatives in 2012. See Holding Individuals Accountable and Deterring Money Laundering Act, H.R. 3317, 113th Cong. 3 (2013) (introduced in House).

Certification requirements have been used to this end before. Congress added a similar certification requirement in the Sarbanes-Oxley Act of 2002 (SOX), which responded to the Enron and WorldCom cor­porate accounting scandals in the early 2000s. 25 Sarbanes-Oxley Act of 2002, Pub. L. No. 107–204, 116 Stat. 745 (codified as amended in scattered statutes of 15, 18, 28 & 29 U.S.C.); 17 C.F.R. § 228 et seq., Certification and Disclosure of Companies’ Quarterly and Annual Reports, U.S. Sec. Exch. Comm’n, http://www.sec.gov/rules/final/33-8124.htm [http://perma.cc/AHC4-7KDE] (U.S. Securities Exchange Commission implementing regulation). To address those failures, SOX imposed, among other things, a requirement that corporate CEOs and CFOs certify that there are no material misstatements in their firm’s financial statements. 26 See Sarbanes-Oxley Act § 302; Tim J. Leech, Sarbanes-Oxley 302 and 304, A White Paper Proposing Practical, Cost Effective Compliance Strategies 5, 8–10 (2003), https://www.
sec.gov/rules/proposed/s74002/card941503.pdf [http://perma.cc/7CZ2-VUNS] (describ­ing disclosure require­ments imposed on executives and auditors).
Closely related, SOX section 404 imposes require­ments related to the “controls” in place to avoid financial misreporting. 27 Id. at 11. In particular, section 404 requires management each year to provide an “internal control report” that (1) states management’s responsibility for “establishing and maintaining an adequate internal control structure and procedures for financial reporting” and (2) provides an assessment “of the effectiveness of the internal control structure and procedures . . . for financial reporting.” 28 Daniel O’Connor, Marko S. Zatylny & Kait Michaud, SEC Broadens Corporate Officer Liability Exposure, Bloomberg (Oct. 2, 2014), http://www.bna.com/sec-broadens-corporate-n17179895631 [http://perma.cc/7A6C-BTYA] (detailing disclosure requirements under new regulatory scheme); see also 18 U.S.C. § 1350 (2012) (setting out penalties for knowing and willful violations at maximum of ten or twenty years imprisonment, respectively).

Today it remains unclear, however, whether the SOX certification re­gime has served its intended purpose of restoring public confidence in the accuracy of corporate financial statements. 29 See Morrison & Foerster, Client Alert SEC Requires CEO and CFO Certification of Quarterly and Annual Reports (2002), http://www.mofo.com/resources/publications/
2002/09/sec-requires-ceo-and-cfo-certification-of-quarte__ [http://perma.cc/CTN7-WAJD]
noting “legislative purpose behind Section 302 is to ensure that a company’s CEO and CFO take a proactive role in the accuracy, quality and reliability of a company’s SEC peri­odic reports”).
After all, as some com­mentators point out, “The recent global financial crisis, unequivocally the most damaging wave of unreliable financial reporting in world his­tory, materialized more than five years after the hugely expensive Sarbanes-Oxley Act was enacted.” 30 Tim Leech & Lauren Leech, Preventing the Next Wave of Unreliable Financial Reporting: Why Congress Should Amend Section 404 of the Sarbanes-Oxley Act, 8 Int’l J. Disclosure & Governance 295, 296 (2011). These commentators have criticized SOX’s “control-centric” approach, which overlooks the more critical prob­lem of risk assessment and risk management. 31 Id. at 297. As such, one concern with an AML certification approach is whether the additional costs (SOX’s section 404 costs firms billions for compliance each year) could be justified in light of certification’s questionable ability to reduce com­pliance failures. 32 See id. at 311 (noting there has been insufficient effort to conduct a rigorous cost-benefit analysis concerning section 404).

B. Agency Enforcement

A second path to increasing individual liability is through agency en­forcement action. The Treasury Department has, for example, very re­cently begun to pursue cases against individuals for violation of the Bank Secrecy Act. Agency interpretation of the BSA to include individual liabil­ity could thus be seen as an alternative to legislative or regulatory adop­tion of an affirmative certification requirement.

The challenge with agency action, however, lies in whether courts will uphold such federal agency interpretation. Indeed, this very ques­tion—whether individuals are liable for BSA violations—is currently be­ing litigated in the federal courts in United States Department of Treasury v. Haider. 33 No. 15-cv-1518 (D. Minn. filed Dec. 18, 2014). That case involves an agency action brought by Treasury, against the former Chief Compliance Officer of MoneyGram Inc., International, and is the first nonconsensual enforcement action brought under the BSA. 34 Thomas E. Haider’s Memorandum of Law in Support of His Motion to Dismiss the Complaint 1, Haider, No. 15-cv-1518 (D. Minn. May 5, 2015), ECF No. 38. Treasury charged Thomas Haider with, among other things, will­fully failing to maintain a comprehensive AML program in violation of 31 U.S.C. § 5218(h). 35 Complaint ¶ 16–22, United States Treasury v. Haider, No. 14-cv-9987 (S.D.N.Y. Dec. 18, 2014), ECF No. 1. For context, MoneyGram itself entered into a deferred prosecu­tion agree­ment in November 2012, acknowledging responsibility for aiding and abetting wire fraud and failing to maintain an effective AML program. Felony Information as to Moneygram Int’l, Inc., United States v. MoneyGram Int’l, Inc. No. 1:12-cr-291 (M.D. Pa. Nov. 9, 2012), ECF No. 1; Deferred Prosecution Agreement as to Moneygram Int’l, Inc., Moneygram, No. 1:12-cr-291 (M.D. Pa. Nov. 9, 2012), ECF No. 3.

In May 2015, Haider moved to dismiss that claim, arguing that the BSA does not support individual liability. 36 Defendant Thomas E. Haider’s Motion to Dismiss the Complaint, Haider, No. 15-cv-1518 (D. Minn. May 5, 2015), ECF No. 36. Haider pointed out that the BSA’s statutory provisions with respect to AML controls refer to the obli­gations of “financial institutions,” and “nowhere indicat[e] that individ­ual officers and employees can be held liable for an institu­tion’s failure to establish a comprehensive AML program.” 37 Thomas E. Haider’s Memorandum of Law in Support of His Motion to Dismiss the Complaint, supra note 34, at 13–14. Haider leveled several other arguments. For example, he also refers the court to sections of the USA Patriot Act, which amended the BSA. There again, the relevant statu­tory provisions refer to the requirements imposed on institutions, not individuals, which view the legislative history also supports. Id. at 15–16. He also argues that the relevant Treasury Regulations, implementing the BSA, are to the same effect: 31 C.F.R. § 1010.820(a) pro­vides for individual liability for record keeping, bulk cash smuggling, and structuring viola­tions, but it does not set out individual liability for failure to set up sufficient AML con­trols. Motion to Dismiss, supra, at 19–20. The motions were argued in October 2015, and the court has taken the matter under advisement. 38 See Minute Entry, Haider, No. 15-cv-1518 (S.D.N.Y. Oct. 23, 2015), ECD No. 58 (text-only entry noting hearing held on October 23 regarding motion to dismiss).

The Haider case has thus injected some uncertainty over whether agencies, like Treasury, will be successful in pushing for a more expansive understanding of the BSA, which includes individual (in additional to in­stitutional) liability. Moreover, even if the judge in Haider dis­misses the motion, it remains unclear whether other federal courts would agree with that court’s holding, leaving the agency enforcement route un­stable (and in some jurisdictions, possibly quite constrained). 39 But cf. Press Release, SEC, Investment Advisory Firm’s Former President Charged with Stealing Client Funds (June 15, 2015), http://www.sec.gov/news/pressrelease/2015-120.html [http://perma.cc/JU9L-R7J3] (announcing SEC was charging chief compliance officer of firm, individually, under Investment Advisers Act for compliance failures).

C. Shareholder Suits

State corporate law provides a third avenue to executive liability for compliance failure. Over the past two decades, Delaware law has ex­panded corporate executives’ fiduciary duties into the compliance space. 40 See Stephen M. Bainbridge, Caremark and Enterprise Risk Management, 34 J. Corp. L. 967, 979 (2009) (noting this standard is “widely followed in the Delaware Chancery Court and in other states”). On this score, the Delaware Chancery Court’s decision in Caremark was foundational. 41 In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959, 970 (Del. Ch. 1996) (concluding corporate directors have fiduciary “duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is ade­quate, exists, and that failure to do so under some circumstances may . . . render a director liable for losses caused by non-compliance”); see also Stone ex rel. AmSouth Bancorporation v. Ritter, 911 A.2d 362, 369–70 (Del. 2006) (approving Caremark standard and conceptu­alizing director oversight liability as extension of “fiduciary duty . . . of loyalty”); Miller v. McDonald (In re World Health Alternatives, Inc.) 369 B.R. 805 (Bankr. Del. 2007) (extend­ing Caremark claims to officers). There, the court concluded that the duty of care includes some responsibility on the part of corporate directors for firm “oversight.” 42 Caremark, 698 A.2d at 971 (creating “demanding test of liability” under which “lack of good faith [must be] evidenced by sustained or systematic failure of a director to exer­cise reasonable oversight”); see also In re SAIC Inc. Derivative Litig., 948 F. Supp. 2d 366 (S.D.N.Y. 2013) (synthesizing recent cases “clarif[ying] the relationship among good faith, loyalty, and Caremark claims”). Specifically, the Caremark court held that directors have breached their fi­duciary duties to the firm in cases of “a sustained or systemic failure . . . to exercise oversight—such as an utter failure to attempt to assure a reason­able information and reporting system exists.” 43 Caremark, 698 A.2d at 971.

Later, in Stone v. Ritter, the Delaware Supreme Court elaborated on the Caremark duty in the context of legal violations that cause the firm loss. 44 Stone v. Ritter, 911 A.2d 362 (Del. 2006). That case involved a $50 million fine imposed on AmSouth Bancorporation for violations of the BSA. 45 Id. at 365. Shareholders brought a deriva­tive suit alleging that the directors had breached their fiduciary duty to ensure the firm maintained a program of compliance with the BSA. 46 Stone v. Ritter, No. Civ.A 1570-N, 2006 WL 302558, at *1 (Del. Ch. Jan. 26, 2006). The court confirmed, consistent with Caremark, that “[w]here di­rectors fail to act in the face of a known duty to act . . . they breach their duty of loyalty by failing to discharge that fi­duciary obligation in good faith.” 47 Stone, 911 A.2d at 370. Together, Caremark and Stone (and their progeny) have opened the door to share­holder suits for AML fail­ures that lead to significant penalties and fines. 48 See, e.g., Miller, 369 B.R. at 805.

That being said, this aperture may be more hypothetical than real. The Stone court narrowed, in some ways, the scope of possible Caremark claims by adding a bad-faith standard: Directors (and officers) will only be held liable under Caremark if they “utterly failed to implement any reporting or information systems or controls,” or having done so, “consciously failed to monitor or oversee its operations.” 49 Stone, 911 A.2d at 370. And indeed, Caremark itself made plain that a failure-to-monitor claim is “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.” 50 698 A.2d at 967; see also In re Citigroup Inc. Shareholder Deriv. Litig., 964 A.2d 106, 123–24 (Del. Ch. 2009) (declining to extend Caremark to board’s failure to monitor excessive risk-taking of employees).

D. Liability Externalities

Even setting aside the various challenges that attend the existing lia­bility models, significant externalities would likely arise from an ex­panded liability framework. In particular, increasing individual liability would be quite likely to prompt financial institutions to take more than the socially optimal level of care. Already, the regulatory regime is sub­stantial and complex. There are currently as many as thirty different lists of sanctioned or high-risk parties from various jurisdictions with over 30,000 names of entities and individuals, 51 Luc Meurant, Financial Crime Compliance: The Case for an Industrywide Approach, Am. Banker (Aug. 18, 2014), http://www.americanbanker.com/bankthink/fina
ncial-crime-compliance-the-case-for-an-industrywide-approach-1069406-1.html (on file with the Columbia Law Review).
making compliance “one of the most difficult and costly challenges confronting banks” today. 52 Id.

To avoid mistake, oversight, and accompanying regulatory scrutiny, banks have adopted “derisking” strategies. 53 See, e.g., Amber D. Scott, If Banks Can’t Solve the Derisking Dilemma, Maybe the Government Will, Am. Banker (Apr. 20, 2015), http://www.americanbanker.com/ban
kthink/if-banks-cant-solve-the-derisking-dilemma-maybe-the-government-will-1073858-1.html (on file with the Columbia Law Review) (discussing tension between regulators imposing sig­nificant requirements for AML compliance and, at the same time, urging banks not to “de­risk”).
Derisking involves the shed­ding of entire business types or client bases that could potentially draw heightened regulatory scrutiny—like online lenders and money services businesses. 54 Ian McKendry, Banks Face No-Win Scenario on AML ‘De-Risking,’ Am. Banker (Nov. 17, 2014), http://www.americanbanker.com/news/regulation-reform/banks-face-no-win-scenario-on-aml-de-risking-1071271-1.html (on file with the Columbia Law Review) [here­inafter McKendry, No-Win Scenario]. As Julie Copeland, general counsel for J.P. Morgan, told the American Banker, “[F]inancial institutions [can’t] take their own risk of not mak­ing that determination to de-risk” given the impact of enforcement actions on an institu­tion, its reputation, and its shareholders. Id. In short, rather than run the risk of banking a potentially illicit client (but failing to catch the problem), banks refuse to deal with certain clients at all. 55 See id. (explaining de-risking). Naturally, this blanket ap­proach has left numerous legitimate businesses and clients without access to bank­ing services. 56 See, e.g., Amber D. Scott, Who Wins the Derisking Shell Game? Bad Guys, Mostly, Am. Banker (Mar. 31, 2015), http://www.americanbanker.com/bankthink/who-wins-the-de-risking-shell-game-bad-guys-mostly-1073512-1.html (on file with the Columbia Law Review) (“The unintended consequences of the derisking phenomenon include strained remittance corridors and frustration for legal businesses struggling to get by without reliable banking services.”); Sheila Tendy, De-Risking Threatens Religious Access to Banking Services, Am. Banker (Jan. 27, 2015), http://www.americanbanker.com/bankthink/de-risking-threatens-religious-access-to-banking-services-1072363-1.html (on file with the Columbia Law Review) (explaining faith-based organizations within United States have been affected by account closures). For some, this has meant an inability to access much-needed remittances from abroad. 57 See Lanier Saperstein & Geoffrey Sant, Account Closed: How Bank ‘De-Risking’ Hurts Legitimate Customers, Wall St. J. (Aug. 12, 2015, 6:38 pm), http://www.wsj.com/articles/ac
count-closed-how-bank-de-risking-hurts-legitimate-customers-1439419093 (on file with the Columbia Law Review) (illustrating effect of derisking on remittances and money transfers to certain high-risk countries).
In other cases, it may mean that ille­gitimate actors will simply funnel illicit funds to smaller banks that are ill-equipped to detect the source for some time. 58 McKendry, No-Win Scenario, supra note 54 (quoting Bank Secrecy Act officer at Wells Fargo); see also Scott, supra note 53 (noting significant burdens felt by “community banks and credit unions” in providing ser­vices while following regulations).

There is also some suggestion that customer privacy has been depri­oritized in banks’ efforts to comply with the vast AML regime. At a recent conference of AML specialists, the point was raised about whether AML compliance—shifting through transaction details and customer profiles, and potentially sharing that information with regulators—might run afoul of data privacy. 59 See Michelle Frasher, Data Privacy and AML Rules on a Transatlantic Collision Course, Am. Banker (Aug. 27, 2015), http://www.americanbanker.com/bankthink/data-privacy-an
d-aml-rules-on-a-transatlantic-collision-course-1076361-1.html (on file with the Columbia Law Review) (quoting panelist who suggested fellow panelist’s use of data “might get [him] a 5% global fine”).
The response was simply that the penalty for in­fringing on data would be far less severe than an AML breach, implying that violating the former was preferable to the latter. 60 Id. With enforcement authorities on high alert for money laundering lapses, financial institu­tions’ compliance officers are understandably concerned about avoiding regulatory investigation or action, which may prompt them to sacrifice other aspects of consumer privacy and protection. 61 See Ben DiPietro, SEC Actions Stir Concerns over Compliance Officer Liability, Wall St. J. (June 24, 2015), http://blogs.wsj.com/riskandcompliance/2015/06/24/sec-acti
ons-stir-concerns-over-compliance-officer-liability (on file with the Columbia Law Review) (dis­cussing concern liability for compliance officers will encourage them to distance them­selves from firms’ compliance policies and procedures).

It is quite possible, then, that even if the various challenges of ex­panding certification regimes, enforcement actions, or derivative suits could be overcome, the costs of doing so may be too substantial to justify. One alternative possibility, explored in Part III, is for the private market to develop standards of executive accountability, which financial institu­tions could then voluntarily adopt and self-enforce. 62 See Abramowitz & Sack, supra note 23 (describing actions HSBC took against its executives after its money laundering problems).

III. Liability as a Private Standard

This Part concludes by suggesting two ways that the private market could develop, internal to the industry, quality standards for AML com­pliance that could serve a similar, yet less costly, role as traditional forms of executive liability.

A. Compliance “Labeling”

In recent years, scholars have begun to turn their attention to the role of private regulators in certain traditionally state-regulated indus­tries. 63 See, e.g., Alexia Brunet Marks, A New Governance Regime for Food Safety Regulation, 47 Loy. U. Chi. L.J. (forthcoming 2016) (on file with the Columbia Law Review) (discussing private regulation in food-safety context). These academics and political theorists have discussed how private groups can step in to fill certain “shortcomings of the regulatory state as a global regulator.” 64 Fabrizio Cafaggi, New Foundations of Transnational Private Regulation, 38 J.L. & Soc’y 20, 23 (2011). In a transnational commercial context specifically, there is a robust and growing literature on “transnational private regula­tion” (TPR) that discusses how private groups have been successful in setting quality (or commercial) standards in various fast-changing indus­tries that deal with complex regulatory problems. 65 Fabrizio Cafaggi, Andrea Renda & Rebecca Schmidt, Transnational International Private Regulation, in 3 OECD, Regulatory Co-Operation: Case Studies 9, 11–12 (2013), http://www.keepeek.com/Digital-Asset-Management/oecd/governance/international-reg
ulatory-co-operation-case-studies-vol-3/transnational-private-regulation_9789264200524-3-e
n#page33 [http://perma.cc/E26B-4UBS] [hereinafter OECD Report on TPR] (citing “good examples of private regulation” in “markets that exhibit very fast-changing dynamics”); see also Julia Black & David Rouch, The Development of the Global Markets as Rule-Makers: Engagement and Legitimacy, 2 Law & Fin. Mkts Rev. 218, 226–27 (2008) (discussing “[m]ar­ket standards-setting in which national or transnational groups of market participants de­velop standards, guidance or codes of practice for industry participants” (emphasis omitted)). See also Yves Bonzon, Public Participation and Legitimacy in the WTO 11–12 (2014) (not­ing “non-state actors have been involved in a va­riety of ways, including advocacy, participa­tion in the decision-making process of intergov­ernmental organizations, public-private part­nerships and private initiatives”).
The theory behind TPR is that industry-specific private interest groups create norms or guidelines, which are in turn adopted and internalized by industry ac­tors, becoming the de facto transnational standard. 66 Cafaggi, supra note 64, at 32–38.

A few examples illustrate this phenomenon. In the financial context, private bodies have been successful in setting standards for commercial transactions. So, for example, when the International Chamber of Commerce “issues policy documents and standard contract forms” that are then adopted, nearly universally, by the international business com­munity, that institution has effectively accomplished a harmonized, trans­national standard. 67 See Anne Peters, Till Förster & Lucy Koechlin, Towards Non-State Actors as Effective, Legitimate, and Accountable Standard Setters, in Non-State Actors as Standard Setters 492, 500 (Anne Peters et al. eds., 2009) (describing private groups dedicated to creating soft-law norms, which, once internalized by private market actors, become de facto transna­tional law or practice in field); see also OECD Report on TPR, supra note 65, at 15 (noting TPR is generally limited to voluntary standards, drawn from private law). Similarly, in the over-the-counter derivatives market, the International Swaps and Derivatives Association (ISDA) has been in­strumental in standardizing swaps contracts. Several commentators have remarked on ISDA as an example of “efficiency-enhancing private indus­try self-regulation in today’s financial markets.” 68 Saule Omarova, Wall Street as Community of Fate: Toward Financial Industry Self-Regulation, 159 U. Pa. L. Rev. 411, 444 (2011); see also Gabriel V. Rauterberg & Andrew Verstein, Assessing Transnational Private Regulation of the OTC Derivatives Market: ISDA, the BBA, and the Future of Financial Reform, 54 Va. J. Int’l L. 9, 13 (2013) (identifying ISDA as “critical in generating the infrastructure that has ordered transactions in the OTC derivatives markets for much of the last two decades—an infrastructure that provides the multiple economic benefits of liquidity, certainty, and reduced transaction costs”).

Outside of the financial services industry, private groups have been instrumental in setting standards for quality. In the food-safety context, for example, private bodies have created specialized food labels that re­flect certain heightened food quality standards, like sustainably farmed, non-GMO, organic, or cage-free. 69 See, e.g., Kosher Certification as a Model of Private Regulation, Nat’l Ctr. for Policy Analysis (Oct. 2, 2013), http://www.ncpa.org/sub/dpd/index.php?Article_ID=23659
[http://perma.cc/JL9Q-8N4U] (discussing Kosher private labeling); A.C. Gallo, Three-Month Update on GMO Labeling, Whole Foods: Whole Story (June 18, 2013), http://
www.wholefoodsmarket.com/blog/three-month-update-gmo-labeling [http://perma.cc/B
Y8R-C4SM] (noting products in Whole Foods stores “must be labeled to indicate whether they contain genetically modified organisms (GMOs)” and labels should be “based on standards created by multiple stakeholders”).
Such privately created standards for food quality have, in many cases, created a race to the top among food suppliers and grocery store chains (like Whole Foods), and thus prompt­ed business in this industry to compete for consumers on the ba­sis of these extra-regulatory quality standards. 70 See Marks, supra note 63, at 25–26.

Private groups could play a similar role in setting quality standards for AML compliance. Certain industry self-regulatory organizations are already well positioned to develop such compliance quality standards, which could be adopted on an industry-wide basis. In the United States, the Financial Industry Regulatory Authority (FINRA) is a private organ­ization that regulates financial firms. 71 See Firms We Regulate, FINRA, http://www.finra.org/about/firms-we-regulate [http://perma.cc/RKH8-QT8J] (last visited Nov. 6, 2015) (providing list of firms regu­lated by FINRA); What We Do, FINRA, http://www.finra.org/about/what-we-do [http://p
erma.cc/5Q3B-LC9T] (last visited Oct. 31, 2015) (“FINRA’s mission is to safeguard the in­vesting public against fraud and bad practices. We pursue that mission by writing and en­forcing rules and regulations for every single brokerage firm and broker in the United States.”).
The SEC oversees FINRA, techni­cally, but on a day-to-day basis FINRA is largely autonomous. And FINRA already addresses money laundering in its Rule 3310, which sets mini­mum standards for a firm’s AML compliance program. 72 See FINRA, Rule 3310, Anti-Money Laundering Compliance Program, http://fin
ra.complinet.com/en/display/display_main.html?rbid=2403&element_id=8656 [http://p
erma.cc/YQM4-74HJ] (last visited Nov. 6, 2015) (requiring firms to develop internal pro­grams against money laundering and to conduct independent testing of said programs).
As such, FINRA could, for example, amend that AML rule to require or recommend that institutions adopt internal forms of executive liability for AML compli­ance. Indeed, FINRA already seems headed down this path: In 2014, it fined and suspended the Global AML Compliance Officer of Brown Brothers Harriman & Co. in connection with that firm’s “substantial anti-money laundering compliance failures.” 73 Press Release, FINRA, FINRA Fines Brown Brothers Harriman a Record $8 Million for Substantial Anti-Money Laundering Compliance Failures (Feb. 5, 2014), https://www.fi
nra.org/newsroom/2014/finra-fines-brown-brothers-harriman-record-8-million-substantial-
anti-money-laundering [https://perma.cc/TY5E-46NE].

But even beyond these reactive (enforcement-oriented) FINRA ac­tions, that organization could also work to develop compliance quality “labels” that would reflect the robustness of an institution’s AML compli­ance—including whether that institution has policies in place for hold­ing top management liable for compliance failures. If, for example, a financial institution committed to clawing back executive compensation or removing an executive from office completely in the event of an AML failure, that institution could become eligible for an AML quality label, which might be featured on the institution’s website and shared with its investors. A private labeling system could force banks to start competing on this type of compliance quality dimension, which could, in turn, achieve results that are similar to traditional liability models but with fewer costs and externalities.

B. Corporate “Compliance” Responsibility

Similarly, corporations could be motivated to adopt internal liability rules by the forces of international business transactions. The corporate policy changes brought about by the Corporate Social Responsibility (CSR) movement provide an example of how this could be done.

CSR principles, commonly referred to as the “Ruggie Principles,” are a set of soft norms concerning the human rights obligations and so­cial responsibilities of transnational corporations. These rules are em­bodied in the U.N.’s Guiding Principles on Business and Human Rights, which were the product of an effort spearheaded by the United Nation’s Secretary-General’s Special Representative for Business and Human Rights, John Ruggie. 74 See Office of the High Comm’r, United Nations Human Rights, Guiding Principles on Business and Human Rights: Implementing the United Nations “Protect, Respect and Remedy” Framework (2011), http://www.ohchr.org/documents/publications/Guidingprinc
iplesBusinesshr_en.pdf [http://perma.cc/XHN9-RVV9].
In the past few years, many large multinational corporations have voluntarily adopted the Ruggie Principles. 75 See, e.g., Chevron, Human Rights, http://www.chevron.com/globalissues/huma
nrights/ [http://perma.cc/7TFT-V9JG] (last updated May 2015) (“For 2014–2015, Chevron is serving as the lead corporate pillar representative on the steering committee for the Voluntary Principles on Security and Human Rights initiative [of a global oil and gas in­dustry association].”).
With increasing adoption and advertisement, consumers have become more aware of the Ruggie Principles and begun to view those principles as desirable contractual terms. 76 Cafaggi, supra note 64, at 37–38 (describing importance of consumers in CSR movement). Ruggie Principles have thus become a point of contention and negotiation, as retailers along a supply chain may push for Ruggie commitments as a condition of their business. 77 See id. at 37 (“Within CSR, the leaders are often retailers . . . .”); John Gerard Ruggie, Business and Human Rights: The Evolving International Agenda, 101 Am. J. Int’l L. 819, 835–37 (2007) (describing how companies’ “voluntary initiatives have expanded rapidly in recent years”). Cafaggi also points out how forces of private international con­tract have generated regulatory change in the context of food safety, “where the specific endorsement of the supply-chain approach demonstrates the regulatory function of (bilateral and mul­tilateral) contracts often in the network form.” Cafaggi, supra note 64, at 37.

Ruggie Principles have, in a way, become a type of human rights “la­beling” that businesses can adopt to increase their competitive position in the market. Thus, similar to a privately created compliance label, con­sumers of financial services and investors could likewise demand finan­cial institutions voluntarily adopt certain compliance principles, like ex­ecutive liability terms featured prominently in employment contracts. Consumers could also call for firms to make certain representations about liability or accountability in their disclosure statements or public offering memoranda.

Conclusion

This Essay has discussed the problem of money laundering in global financial institutions. It pointed out that despite the significant amount of regulatory effort to combat money laundering, serious compliance breaches continue to surface. It then addressed one proposal for improv­ing institutional compliance: executive liability. To that end, the Essay considered the potential challenges and costs of increasing liability for financial firms’ top executives. The Essay then offered a way of incor­porating executive liability into the global AML regime through private labeling, rather than through the formal, often encumbered, processes of domestic lawmaking or regulation.