Deputy Attorney General Rosenstein Delivers Remarks at the Clearing House’s 2017 Annual Conference

Remarks as prepared for delivery

Thank you, Greg, for that introduction.  It is a pleasure to be here with so many distinguished business leaders, government officials, lawyers, journalists, scholars, and policy experts.

When I studied management, marketing and finance at an undergraduate business school more than 30 years ago, I expected to put those skills to use in corporate America. Law school took me in a different direction, but understanding the business world is still important.

As a white-collar crime prosecutor, it is helpful to know how business works. First of all, it is necessary to comprehend transactions in order to recognize when they are fraudulent. Second, familiarity with the business world sometimes enables me to discern an exculpatory explanation for conduct that otherwise may appear suspicious.

In my current job, business skills are useful for a more practical reason.  The Deputy Attorney General is responsible for managing an organization of 115,000 employees and tens of thousands of contractors.  I sometimes feel like I have more in common with a chief operating officer than a litigator. 

The Department of Justice is not a business, and its mission differs in key respects.  But many of the issues we confront are familiar to anyone who works in a large corporation. 

We strategize about how to improve organizational efficiency.  We recruit the best people, train them, and monitor their progress.  We constantly strive to better manage our budget and do more with less.

One of my most important duties is to protect our brand—to safeguard the integrity and defend the reputation of the Department of Justice by following the rule of law.

And we are always adapting to confront new challenges.

When I started my first supervisory job in 2001, one of the most popular management books was “Who Moved My Cheese?”  If you are about my age, you probably are familiar with it.  It is a fable about how to manage change.

The story involves two men who live in a maze.  There is a place in the maze where they can always find cheese, which represents success.

One day, the cheese stops showing up in the usual spot.  In the face of this new challenge, one of the men decides to adapt and venture through the maze looking for more cheese.  The other man sticks with his old routine and refuses to change.  

The adaptable man learns that the cheese is always moving.  So he constantly monitors his cheese supply and explores the maze to prevent complacency from setting in. 

The complacent man goes hungry.

That simple lesson about evolving to meet demands in a changing environment is relevant to one of the greatest threats facing both the government and the private sector today: cybercrime.

Recent events highlight the substantial threat that cybercriminals pose to public entities and private businesses.  We are currently dealing with one of the largest breaches ever of a private company holding sensitive financial data.  Public reports indicate that as many as 145 million people may have been affected.  

Unfortunately, we know more breaches will happen.  One report puts the risk of suffering a material data breach at better than one in four—and the odds continue to rise.  Another report predicts that the annual cost of global cybercrime will double from $3 trillion in 2015 to $6 trillion in 2021.

Cyber criminals know that much of a company’s capital is contained in its networks and the information flowing through its systems.  Nowhere is that more true than with banks and other financial institutions.

While banks and financial institutions are working hard to protect themselves against data breaches, cybercriminals are developing new lines of attack.  In the last few years, we have witnessed a significant increase in criminals using ransomware.

Since January 1, 2016, we have experienced an average of more than 4,000 ransomware attacks each day.  That represents a 300% increase since 2015.  The total amount of ransom payments approaches $1 billion annually. 

Attacks used to be indiscriminate, scattershot attempts to squeeze a few hundred dollars from anyone who happened to be affected.  Today, the attacks are concerted efforts by sophisticated individuals, criminal enterprises, or nation-states that can target a range of businesses and critical infrastructure.

Earlier this year, the “WannaCry” ransomware spread across the globe, targeting computers by encrypting data and demanding ransom payments in Bitcoins.  More than 230,000 computers in 150 countries were affected.  In Britain, “WannaCry” crippled the nation’s health service.

Ransomware also affected a Ukrainian state power company, a major international shipping company, and a prominent law firm in the United States.

The challenge is evolving.  The cheese, so to speak, is always moving.

We cannot be complacent, especially with banks and other systemically important financial institutions.  Consider the damage that would result if a cyber-criminal were able to “lock up” the core processing systems of a bank.  The bank could not make entries, pay checks or debits, respond to margin calls, or receive cash.

I know all of you are working to prevent that from happening.  

The Department of Justice, like any good business, is also doing its part to keep up with the threat.

Earlier this year, we indicted two officers of the Russian state security service.  We charged them for stealing information from at least 500 million email accounts and conducting economic espionage, among other crimes.

We also worked with foreign authorities to arrest the alleged creator of the Kelihos botnet and dismantle the network of thousands of infected computers.  For several years, the network was used to steal login credentials, install ransomware, and distribute hundreds of millions of spam e-mails.  Last month, Spain’s highest court granted our request to extradite the suspect to the United States.

Our government cannot combat these perils alone.  Public-private partnerships are critical to our success.

I sometimes hear stories about business executives who do not feel comfortable reporting cyber incidents to law enforcement. 

I want to assure you that the Department of Justice can provide substantial benefits to companies that are victims of cyber intrusions and attacks.  We can help you understand what happened. We also can share contextual information about related incidents, thereby enabling you to create meaningful defenses in case the intruders return. 

We are grateful that people in the financial services industry sometimes contact our Department with new ideas for increased collaboration.  The Department of Justice takes those ideas seriously.  We are constantly looking for new ways to partner with financial institutions to help stop cybercrime, and we are continually working to increase the flow of information so our corporate partners can better protect themselves.

The federal government also is uniquely situated to coordinate with other agencies and authorities in pursuing international diplomacy, economic sanctions, and intelligence operations.  Those strategies can target the sources of the problem, rather than merely the symptoms.

That is especially true today, because many cyberattacks are directed by foreign governments.  When you are up against the military or intelligence services of a foreign nation-state, you should have the federal government in your corner.

A company’s willingness to self-report and remediate problems also informs the Department’s evaluation of the company when its conduct is at issue.

One of the most powerful tools the Department has at its disposal is the ability to punish wrongdoers through criminal prosecution.  That is an important tool in the fight against cybercriminals. 

It also is a key part of deterring corporate crime.

There is a story about a career criminal who tells his father that he has decided to change his ways. 

The father asks, “Son, have you seen the light?” 

The criminal responds, “No, but I have felt the heat.”

In my more than 27 years with the Department of Justice, including years spent as a white-collar prosecutor in Maryland and in the Tax Division at Main Justice, I have seen the deterrent effect that meaningful punishment can have on white collar criminals. 

Corporate criminals tend to be rational actors.  They will alter their behavior if they believe that there will be consequences.

We must keep in mind that deterrence requires a reasonable prospect of adverse consequences, not just a theoretical threat. Rules that are not enforced are not an effective deterrent. If we want to prevent corporate crime, we need to persuade people that we are serious about enforcing the rules.

Our government is committed to preventing corporate crime.

Rooting out wrongdoers levels the playing field for competitors and protects honest American workers and businesses.  Law-abiding people should not have to choose between being cheated and becoming corrupt themselves.  We have a duty to protect people who build their businesses, and their bank accounts, through lawful activities.

We are also dedicated to protecting our society—including our financial system—from violent crime and terrorism.  To do that, we will not only pursue violent criminals and terrorists, but also the financial institutions that turn a blind eye to illegal activity.

The U.N. Office of Drugs and Crimes estimates that as much as $2 trillion in criminal proceeds was laundered last year.  Many criminal networks use financial institutions to carry out their illicit activities. 

Third-party money launderers can be difficult to capture.  As a result, launderers can sell their services to the next criminal actor, and thereby perpetuate more crime.

To stop violent criminals and terrorists, the Department must stop the illegal flow of money.  This is why the Department is pursuing institutions that violate the anti-money laundering laws, the tax laws, the securities laws, the Foreign Corrupt Practices Act, and the Bank Secrecy Act with renewed vigor—and increased sophistication.

Today, when we prosecute a criminal enterprise, prosecutors and agents ask how the conspirators were able to move illegal proceeds through the financial system.  Were the criminals just lucky, or did a financial institution fail to implement an effective anti-money laundering program?

In our investigations, we often look at which companies processed the payments, which banks held the relevant accounts, and whether any automated alerts or Suspicious Activity Reports were filed in connection with the movement of funds. We also ask who served as the financial advisors, the tax preparers, and the accountants.

Most institutions are committed to fulfilling their legal obligations to avoid doing business with criminals.

But when we find institutions that fail to live up to their responsibilities, the Department will take appropriate action. 

In January, a Fortune 500 company forfeited $586 million and entered into a deferred prosecution agreement for failing to maintain an effective anti-money laundering program.  The company’s services were used to funnel hundreds of millions of dollars to overseas fraudsters targeting American victims. Several corporate agents were involved, and the company failed to respond appropriately.

Last summer, small businesses in Atlanta were charged with laundering $40 million on behalf of Mexican drug cartels.  The Department has brought similar actions against an array of businesses, ranging from large banks to a local perfume dealer.

The Department is also doing its part to prevent laundering in cryptocurrencies.  In July, the Department indicted a Russian national and the Bitcoin exchange he operated for its role in laundering criminal proceeds from syndicates around the world.

We are committed to ensuring that financial institutions do not become safe harbors for criminals.

Criminal networks are not the only ones looking take advantage of the United States’ deep and stable markets.  We have seen large-scale corruption by foreign government officials who steal from their people and extort money from businesses. We use the term “kleptocracy” to describe that sort of rampant abuse of public trust.  The laundering of kleptocracy proceeds into the U.S. financial system undermines confidence in our markets and poses risks to our financial institutions and American businesses.

To attack this problem, several years ago, the Department established the Kleptocracy Asset Recovery Initiative, a unit staffed with seasoned prosecutors and dedicated FBI agents. 

Through the initiative, the Department of Justice has seized or restrained $3.5 billion worth of corruption proceeds. In June, we took steps to recover and forfeit more than $1.7 billion allegedly misappropriated from an overseas sovereign wealth fund and laundered into the United States. It was the largest single action brought under the initiative. Last summer, the Department convicted two foreign officials for laundering foreign bribery proceeded through the united state. 

Those enforcement actions show that the Department is serious about stopping the illegal flow of money.  However, increased enforcement sometimes brings increased concerns from private industry.

One concern is about multiple law enforcement and regulatory agencies pursuing a single entity for the same or substantially similar conduct. Some refer to this as the “piling on” problem.

When a company engages in wrongdoing, we should enforce the law and punish the wrongdoer.  That is fair and just. 

But repeated punishment for the same conduct has the potential to undermine the spirit of fair play and the rule of law.  Multiple punishments can also deprive a company, as well as its employees, customers, and investors, of the benefits of certainty and finality ordinarily available through a full and final settlement.

This is why the Department is committed to making a concerted effort to apportion penalties among both international and domestic agencies, where appropriate.

Last December, the Department entered into a plea agreement with a global construction conglomerate and a Brazilian petrochemical company for violations of the Foreign Corrupt Practices Act.  Under the terms of the plea agreement, which represented the largest-ever global foreign bribery resolution, the United States credited both companies for the amounts they paid to foreign law enforcement and regulatory agencies.

Similarly, the Antitrust Division is coordinating more frequently with an ever-growing number of foreign antitrust regulators.  And similar patterns are emerging in offshore tax enforcement.

The Department is mindful of “piling on” concerns when it pursues parallel enforcement actions with domestic enforcement agencies, some of which are represented in the room today, as well as when multiple Department components are investigating the same conduct.  We are considering proposals to improve coordination in those situations and to help avoid duplicative and unwarranted payments.

The Department also is considering proposals to increase coordination among federal, state and local agencies.

In short, the Department of Justice is committed to ensuring that all defendants are treated fairly. 

That does not mean that we will never pursue what others may perceive to be overlapping fines or penalties.

There may be situations where the penalties in a foreign country are not an adequate substitute for those imposed by U.S. authorities, or where the punishment by another enforcement authority does not make all victims whole, including the U.S. government and taxpayers. 

We do not want to encourage companies to “forum-shop” in a way that allows them to avoid the full consequences of their misconduct.  Nor do we want to incentivize companies to hide their conduct from U.S regulators, and instead self-disclose to more lenient foreign officials.

The Department will use all lawful tools to ensure that wrongdoers do not escape justice.  While we will pursue fair apportionment of penalties, we will also do what is necessary to ensure that businesses that avail themselves of the U.S. marketplace understand that they must follow our laws.

The Department is committed to promoting the rule of law.  But enforcement is not a complete solution. There is no substitute for a culture of compliance.  Legendary banker J.P. Morgan explained it well in a conversation he had with prominent corporate lawyer Samuel Untermeyer.

Untermeyer asked, “Is not commercial credit based primarily upon money or property?”

Morgan replied, “No, sir; the first thing is character.”

Untermeyer questioned, “Before money or property?”

Morgan answered, “Before money or anything else.  Money cannot buy it.”

Financial institutions and their leaders must always consider character.  Integrity should be part of your brand, as it is of ours. 

That requires you to encourage employees to do the right thing themselves, and to report suspicious conduct by others. 

One of the best ways a corporation can act with integrity and protect its brand is through developing and faithfully executing a strong corporate compliance policy.

Financial institutions should take compliance risk as seriously as they do other types of business risk, such as liquidity risk or credit risk. 

I spoke earlier about the need for people to adapt in a changing environment. Adaptability is also an important component of organizations. Business organizations should always plan for unexpected events. It sounds like a paradox. But the point is captured by Donald Rumsfeld’s famous remark that there are known-knowns, known-unknowns, and unknown-unknowns. Your goal should be to shrink the unknown category as much as possible, but always recognize that it exists.  Assume that you will need to respond to crises, with very little notice.

Many companies deserve great credit for taking the initiative to develop robust corporate compliance programs that anticipate problems and reduce the scope of unknown risk.  The sophistication of compliance measures and tools that we see today regularly exceeds the measures that were in place ten years ago.

But some of the Department’s recent cases show that not all institutions are successful in establishing a culture of compliance. 

Culture is about more than written rules and annual training sessions. Culture involves the way people think and speak about their responsibilities. In an organization with an ethical culture, the leaders consistently model corporate values, employees incorporate those values into their conduct, and violations are promptly addressed.

When the Department of Justice evaluates a company’s compliance policy, we not only look at what the policy says. We look at how it works in practice.  In other words, we evaluate whether the institution inculcated an ethical culture of compliance with employees at all levels.

For compliance to work, it must be more than a box-checking exercise.  A corporation should enforce the rules it advertises.

And we should enforce the laws.  The Department’s rhetoric gets a lot of attention.  But enforcement is what deters violations. 

Let me conclude with this commitment: We regard you as partners in achieving our mission to prevent crime, enforce the rule of law, and maintain a stable business climate.

Your leadership in managing law-abiding enterprises sets the standard for others to follow. 

Thank you very much.