Remarks as Prepared for Delivery
Kiernan thank you for the warm introduction and thank you to ACAMS for asking me to join you for the 26th Annual International AML and Anti-Financial Crime Conference.
It is a pleasure to join this group of compliance professionals at such a pivotal time in the digital age, and for our financial industry.
With the rise in ransomware attacks, Russian sanctions, and cybercrime, and along with the implementation of the newly enacted NDAA and its sweeping regulatory changes, the importance of your work—the work of dedicated anti-money laundering professionals who are on the front lines of protecting the U.S. financial system—has never been more critical.
The health of the global economy depends on both creating access for a wide range of participants and preventing abuse and corruption. To accomplish these goals, your institutions must maintain robust, effective anti-money laundering and other compliance programs that account for international business realities and the rapid development of digital assets.
I have been fortunate in my career to have served as a prosecutor, as a defense attorney, and to work as a chief compliance officer of a Fortune 500 company. The detection and prevention of criminal conduct has been a constant across these three roles.
My experience as a chief compliance officer gave me valuable insight into the important role a compliance program plays in preventing crime.
It’s fair to say that we will be rigorous in our assessments, particularly when there are repeat or notable compliance failures. But I also want to emphasize the strong incentives that you have to assist in preventing the occurrence and recurrence of crime.
Many of you serve as compliance officers. Our Corporate Enforcement Policy — which applies across the Criminal Division and is codified in the Justice Manual — provides incentives for businesses to be proactive by voluntarily self-disclosing misconduct when it occurs, and by fully cooperating and remediating as appropriate in order to prevent further misconduct.
These incentives are designed to foster the types of ethical corporate behavior that benefit all of us.
Similarly, the benefits of a robust compliance program are clear from both a corporate governance and enforcement perspective. Strong compliance programs align corporate policies with law, rules, and regulations.
The Department is committed to rewarding responsible companies and financial institutions that promote ethical corporate culture and invest in effective compliance programs.
We will use independent compliance monitors as a tool to evaluate and test a company’s compliance program and internal controls.
But we will also appropriately recognize companies who have established effective controls and implemented effective compliance programs.
We are transparent about the methods we will use to evaluate the effectiveness of corporate compliance programs; the Criminal Division’s Evaluation of Corporate Compliance Programs, or ECCP, guidance is publicly available on our website as a resource to you and to the public.
We also want to see that Chief Compliance Officers have true independence, authority, and stature within the company. In order to further empower Chief Compliance Officers, I am pleased to announce today that, for all of our corporate resolutions (including guilty pleas, deferred prosecution agreements, and non-prosecution agreements), I have asked my team to consider requiring both the Chief Executive Officer and the Chief Compliance Officer to certify at the end of the term of the agreement that the company’s compliance program is reasonably designed and implemented to detect and prevent violations of the law (based on the nature of the legal violation that gave rise to the resolution, as relevant), and is functioning effectively.
In certain resolutions, we will also require additional certification language. When a company is required to provide annual self-reports on the state of their compliance programs, we will consider requiring the CEO and the CCO to certify that all compliance reports submitted during the term of the resolution are true, accurate, and complete.
By taking this step, we are ensuring that Chief Compliance Officers receive all relevant compliance-related information and can voice any concerns they may have prior to certification.
I have been in your CCO role. I know the resource challenges. The challenges you have to accessing data. The relationship challenges. The siloing of your function.
Today’s announcement is not punitive in nature. No, it is intended to empower our compliance professionals to have the data, access, and voice within the organization to ensure you, and us, that your company has a ethical and compliance focused environment.
Now, this morning I will also share with you how the Criminal Division and the Department of Justice is working on all fronts to address today’s most pressing issues.
As many of you are aware, on March 2, the Attorney General announced the launch of Task Force KleptoCapture—an interagency law enforcement task force dedicated to enforcing sanctions, export restrictions, and economic countermeasures that our government has imposed in relation to the Russian invasion of Ukraine.
For the compliance professionals in this room, let me be clear that our mission extends well beyond seizing mega-yachts of Russian oligarchs.
The Task Force will combat unlawful efforts to undermine sanctions, including prosecuting those who try to evade KYC and AML measures. The Task Force will also target efforts to use cryptocurrency to evade sanctions and launder proceeds of foreign corruption.
I urge financial institutions and companies to spend time designing, implementing, and updating their compliance and AML programs to ensure they are effectively detecting and preventing sanctions violations and KYC evasions.
As the Attorney General stated, “we will leave no stone unturned in our efforts to investigate, arrest, and prosecute those whose criminal acts enable the Russian government to continue this unjust war.” Another priority of this Justice Department is to disrupt and deter cyber threats, which loom over nearly every aspect of our personal and professional lives. It is our collective mission to keep our country strong and our financial system safe. To that end, we recognize and value our work in partnership with financial crime compliance professionals.
Specifically, the Department recognizes that we must keep pace with the threat actors who exploit innovations as fast as the marketplace produces them. We are experiencing an explosion of ransomware and the abuse of cryptocurrency.
Today, the FBI is investigating more than 100 different ransomware variants, and prosecutors and law enforcement are targeting dozens of ransomware groups estimated to have caused billions of dollars in damage to victims.
As we all know, ransomware is a serious threat to our public safety and national and economic security. It has been used to attack critical infrastructure, government facilities, and even health care facilities during the COVID-19 pandemic, taking advantage of the global crisis.
The Criminal Division and the Department of Justice have taken important steps against ransomware actors from disrupting ransomware infrastructure, to arresting those responsible and bringing them to justice, and even to seizing and returning ransomware payments.
For example, in May 2021, the Colonial Pipeline Company was a victim of a ransomware attack by the group DarkSide. The attack had clear national security implications: Colonial Pipeline provides gasoline to the eastern seaboard of the United States. Because of the attack, the company paid a ransom of more than $4 million.
After Colonial Pipeline’s quick notification to law enforcement, the Department used a federal warrant to seize most of the ransom payment.
The Criminal Division, working in partnership with the National Security Division and U.S. Attorneys’ Offices, is devoting resources to deterring cybercrime, including ransomware, through arrest, incarceration, infrastructure disruption, and forfeiture whenever possible, and working in collaboration with other agencies as well as the private sector to better protect against such attacks and respond quickly and meaningfully when they do occur.
And we will continue to invest in these efforts going forward to respond to this threat.
Following the money remains one of the most basic, yet powerful, tools we have.
Ransom payments are the fuel that propels the digital extortion engine, and the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises.
And when it comes to tackling the issue of ransomware and the ecosystem that lets it flourish – I want to be clear on a single message here: we need reporting from victims to address this threat, and in specifically to prevent additional victims. We know those victims – oftentimes your clients – face reputational risks, they face operational risks, ultimately though, we are seeing lives and livelihoods risked.
Given the stakes, we need that engagement from victim companies, and we need it early. We will continue to strengthen our capacity to dismantle the financial ecosystem that enables these criminal actors to flourish, and, quite frankly, to profit from what they’re doing.
We’re doing that by drawing on our cryptocurrency experts, our cyber prosecutors, and our money laundering expertise across the Department and centralizing and building on the expertise that we already have.
To that end, on October 6, 2021, the Department announced the formation of the Criminal Division’s National Cryptocurrency Enforcement Team, known as the NCET.
NCET’s mission is to tackle complex investigations and prosecutions of criminal misuses of cryptocurrency, particularly crimes committed by virtual currency exchanges, mixing and tumbling services, and money laundering infrastructure actors.
The Criminal Division has been at the forefront of investigating and prosecuting crimes involving digital currencies since their inception.
Importantly, the NCET draws and builds upon the established expertise across the Criminal Division to deter, disrupt, investigate, and prosecute criminal misuse of cryptocurrency, as well as to recover the illicit proceeds of those crimes whenever possible.
The NCET combines the expertise of the Criminal Division’s Money Laundering and Asset Recovery Section (MLARS), Computer Crime and Intellectual Property Section (CCIPS) and other sections in the Division, including our Fraud Section, with experts detailed from U.S. Attorneys’ Offices from around the country.
Tracing and recovery of assets lost to fraud and extortion, including cryptocurrency payments to ransomware groups, will be an integral part of this effort.
Because cryptocurrency is used in a wide variety of criminal activity: from being the primary demand mechanism for ransomware payments, to money laundering and the operation of illegal or unregistered money services businesses, to being the preferred means of exchange of value on “dark markets” for illegal drugs, weapons, malware and other hacking tools.
The NCET will foster the development of expertise in cryptocurrency and blockchain technologies across all aspects of the Department’s work.
The team is led by its first Director, Eun Young Choi, a seasoned computer crimes prosecutor and a leader in the field, and now has more than a dozen attorneys.
Several members of the NCET team were essential to the record-breaking Bitfinex seizure, announced by the Department as the largest ever financial seizure in the Department’s history as part of the Bitfinex arrests.
This seizure of over $3.6 billion in stolen bitcoin — and the money laundering and conspiracy charges along with it — demonstrates that even in cyberspace, we at the Department are able to use a tried-and-true investigative technique: following the money, both on and off the blockchain.
The Bitfinex arrests and the financial seizure show that cryptocurrency is not a safe haven for criminals.
In an unsuccessful and futile effort to maintain digital anonymity, the defendants in this case allegedly laundered stolen funds through a labyrinth of cryptocurrency transactions.
The charged defendants are alleged to have conspired to launder the proceeds of 119,754 bitcoin that were stolen from Bitfinex’s platform after a hacker breached Bitfinex’s systems and initiated more than 2,000 unauthorized transactions.
As the criminal complaint alleges, the charged defendants employed numerous sophisticated laundering techniques including using fictitious identities to set up online accounts; utilizing computer programs to automate transactions, a laundering technique that allows for many transactions to take place in a short period of time; depositing the stolen funds into accounts at a variety of virtual currency exchanges and darknet markets and then withdrawing the funds, which obfuscates the trail of the transaction history by breaking up the fund flow; converting bitcoin to other forms of virtual currency, including anonymity-enhanced virtual currency (AEC), in a practice known as “chain hopping”; and using U.S.-based business accounts to legitimize their banking activity.
Through our investigative efforts the Department once again demonstrated that we could follow cryptocurrency through the blockchain, and that we will not allow cryptocurrency to be a safe haven for money laundering or a zone of lawlessness within our financial system.
This is where our work with financial compliance professionals and the crypto industry becomes vital to our collective success.
As I recently noted at the ABA White Collar Institute, cryptocurrency immediately conjures sophisticated notions of blockchain, cybersecurity, and encryption, but the compliance message is the same: Responsible corporate citizens must establish a culture of compliance.
For many companies in the cryptocurrency industry, this starts with meeting legal obligations, including developing an effective anti-money laundering program, conducting appropriate KYC and transaction monitoring, and filing reports to comply with the Bank Secrecy Act.
This work will grow as your industry continues to pursue innovative approaches to detecting crime and providing information to the government. Companies in this space are often in the best position to detect emerging threats.
Cryptocurrency is cutting edge, but companies can adopt innovative methods to quickly and efficiently identify threats, new criminal typologies, and new criminal actors, and then provide that information to the government so we can identify criminal actors, prevent harm to victims, and locate proceeds of crime.
This is an opportunity for American industry to lead in an area of new technology and create a thriving financial sector that protects U.S. consumers, investors, and businesses; mitigates risks; and promotes a safe and secure financial sector.
My message to the audience is this: Governments around the world are intensifying their focus on regulating virtual currency in response to the role it has already played in financing crime, including sanctions evasion, fraud, human and drug trafficking, and terrorist financing.
For financial institutions and anti-financial crime professionals, it is critical to proactively contemplate the compliance measures to be taken in association with virtual currency and crypto assets.
You must be proactive and forward-leaning in your compliance programs to successfully mitigate risk.
What is clear - - cryptocurrency is not going away.
With new technology emerging in payment processing, this will bring new challenges for anti-money laundering professionals, law enforcement, and regulatory agencies.
I strongly encourage the representatives of banks, cryptocurrency focused businesses and other financial institutions participating in this conference to take the opportunity – both during the next few days and once you return to your respective offices – to reflect on whether your institutions have effective anti-money laundering programs and other compliance policies and practices to prevent or mitigate financial crime in this rapidly evolving world of regulation and technology.
The integrity and viability of the global financial system require that you do so.