Remarks as prepared for delivery
Thank you very much for that kind introduction. It is a pleasure to be here at the SIFMA (Securities Industry and Financial Markets Association) Compliance and Legal Society New York Regional Seminar. It is always wonderful to be back in New York.
For the past year and a half, I have had the pleasure of leading the Justice Department’s Criminal Division, which includes more than 600 attorneys from 17 sections and offices. Every day, our lawyers investigate and bring criminal cases, develop criminal law and sentencing policies, and promote the rule of law and law enforcement cooperation throughout the world. The Criminal Division – together with our partners in various United States Attorneys’ Offices – frequently prosecutes cases that have national and global significance.
Among the sections that I oversee are two sections that bring a very significant share of the country’s corporate prosecutions. The Criminal Division’s Fraud Section plays a unique and essential role in the department’s fight against sophisticated economic crime, bringing complex securities and commodities fraud cases, health care fraud prosecutions and Foreign Corrupt Practices Act (FCPA) cases.
I also oversee the Asset Forfeiture and Money Laundering Section – known as AFMLS – which pursues prosecutions against institutions and individuals engaged in money laundering, Bank Secrecy Act violations and sanctions violations.
Many of the cases brought by these two sections touch upon SIFMA members, the broker-dealers, banks and asset managers in the global financial markets. I understand that SIFMA members serve clients with $16 trillion in assets – that’s equivalent to the gross domestic product of the United States – and manage more than $62 trillion in assets for individual and institutional clients.
In many ways, your institutions serve as the caretakers of our global economy. And no role can be more critical than that of compliance and legal professionals in the securities and finance industry.
The health of the global economy depends on both creating access for a wide range of participants and preventing abuse and corruption. To accomplish these goals, as you well know, institutions must maintain robust, effective compliance programs that account for international business realities.
Internal Compliance Officers Perform a Critical Function
You are often the first line of defense against money laundering and other financial crimes. Prosecutors cannot be everywhere, and by the time the Criminal Division gets involved, it’s usually too late to stop criminal activity. Well before a grand jury subpoena is served or a witness is interviewed, compliance officers like you can and do step in and stop issues from becoming problems down the road.
As much as full-throated compliance programs are essential to preventing fraud and corruption, the quality and effectiveness of a compliance program is also an important factor that prosecutors consider in determining whether to bring charges against a business entity that has engaged in some form of criminal conduct.
In this after the fact review, the department looks closely at whether compliance programs are simply “paper programs,” or whether the institution and its culture actually support compliance. We look at pre-existing programs, as well as what remedial measures a company took after discovering misconduct – including efforts to implement or improve a compliance program.
Criminal Division’s Compliance Counsel
Over the past twenty years or so, the very notion of “compliance” has been evolving rapidly. Most companies, and maybe especially in the financial sector, have placed more and more emphasis on building strong compliance structures. Programs have become more sophisticated and more industry and company-specific.
Companies increasingly have tailored compliance programs that make sense not just for their industries but also for their business lines, their risk factors, their geographic regions and the nature of their work force, to name a few.
Unfortunately, a surprising number of companies still lack rigorous compliance programs. And even more companies have what appear to be good structures on paper, but fail in practice to devote adequate resources and management attention to compliance.
Still other companies fail to consider obvious risks, even in important parts of their businesses. For example, at least one bank in our recent F/X cases chose not to have its compliance program address certain clear risks in its F/X business because that market was largely unregulated by the SEC (U.S. Securities and Exchange Commission) or CFTC (U.S. Commodity Futures Trading Commission).
To be sure, it’s important for institutions to be mindful of regulatory priorities and guidance in devising and carrying out a tailored, risk-based compliance program. But a narrow, cramped view of compliance – that it requires only adherence to specific regulations – ultimately will inure to the company’s detriment. It ended up costing that bank a guilty plea and many millions of dollars in fines, when it turned out that its traders were colluding with others to manipulate the foreign exchange markets.
So, while the days when the compliance department in a Wall Street bank was housed in a dusty backroom across the river in Hoboken may be gone, there is still a lot of work to be done.
I believe that the Criminal Division has gotten much better at evaluating compliance programs over the years. We understand that there is no “one size fits all” compliance program. We understand that there are vast differences in the quality and effectiveness of programs, even among similar companies. We have gotten better at suggesting tailored reforms to compliance programs when we resolve a corporate matter.
But we are prosecutors, not compliance professionals. So, as you may be aware from press coverage, the Criminal Division has hired a compliance counsel to work in the Fraud Section. While it’s too early to talk about specifics – her first day in the office is tomorrow – I can tell you generally what we’re thinking about.
We want to get the benefit of the expertise of someone with significant high-level compliance experience across a variety of industries, which this person has. Our goal is to have someone who can provide what I’ll call a “reality check.”
First, the compliance counsel will help us assess a company’s program, as well as test the validity of its claims about its program, such as whether the compliance program truly is thoughtfully designed and sufficiently resourced to address the company’s compliance risks, or essentially window dressing.
Second, she will help guide Fraud Section prosecutors when they are seeking remedial compliance measures as part of a resolution with a company, whether by prosecution or otherwise. We don’t want to impose unrealistic, unnecessary or unduly burdensome requirements on companies. At the same time, we want to make sure that appropriate compliance enhancements are included when they are needed.
We understand that no compliance program is foolproof. We also appreciate that the challenges of implementing an effective compliance program are compounded by the ever-increasing cross-border nature of business and of criminal activity.
Many banks and financial institutions operate all over the world. They are creating products and delivering services not only here in the United States but overseas and are operating across many different legal regimes and cultures.
For this reason, we have chosen a compliance counsel who has the experience and expertise to examine a compliance program on a more global and a more granular level.
I want to correct one impression that has been expressed elsewhere. Some have suggested that our retention of a compliance counsel is an indication that the department is moving toward recognizing or instituting a “compliance defense.” That is not the case.
Rather, the Criminal Division will continue to review companies’ compliance programs as one of the many factors to be considered when deciding whether to criminally charge a company or how to resolve criminal charges. Our hiring of a compliance counsel should be an indication to companies about just how seriously we take compliance.
Hallmarks of an Effective Compliance Program
You’re likely wondering what metrics this compliance counsel will use to assess a particular program. And I’ll talk about that in a moment, but first I want to put your mind at ease about something.
The vast majority of compliance violations do not result in criminal prosecution. Rather, the Criminal Division pursues charges when the offending conduct is intentional and particularly egregious or pervasive.
We’re not interested in prosecuting mistakes or accidents, or bad business judgments. And we are not looking to prosecute compliance professionals. To the contrary, we view you as the good guys and as our allies. And we want to make sure that when we review a pre-existing compliance program, or suggest remedial measures, that we get it right.
So, what will the compliance counsel do? She will help us evaluate each compliance program on a case-by-case basis – just as the department always has – but with a more expert eye, and she will work with our prosecutors to assess:
- Does the institution ensure that its directors and senior managers provide strong, explicit and visible support for its corporate compliance policies?
- Do the people who are responsible for compliance have stature within the company? Do compliance teams get adequate funding and access to necessary resources? Of course, we won’t expect that a smaller company has the same compliance resources as a Fortune-50 company.
- Are the institution’s compliance policies clear and in writing? Are they easily understood by employees? Are the policies translated into languages spoken by the company’s employees?
- Does the institution ensure that its compliance policies are effectively communicated to all employees? Are its written policies easy for employees to find? Do employees have repeated training, which should include direction regarding what to do or with whom to consult when issues arise?
- Does the institution review its policies and practices to keep them up to date with evolving risks and circumstances? This is especially important if a U.S.-based entity acquires or merges with another business, especially a foreign one.
- Are there mechanisms to enforce compliance policies? Those include both incentivizing good compliance and disciplining violations. Is discipline even handed? The department does not look favorably on situations in which low-level employees who may have engaged in misconduct are terminated, but the more senior people who either directed or deliberately turned a blind eye to the conduct suffer no consequences. Such action sends the wrong message – to other employees, to the market and to the government – about the institution’s commitment to compliance.
- Does the institution sensitize third parties like vendors, agents or consultants to the company’s expectation that its partners are also serious about compliance? This means more than including boilerplate language in a contract. It means taking action – including termination of a business relationship – if a partner demonstrates a lack of respect for laws and policies. And that attitude toward partner compliance must exist regardless of geographic location.
In the anti-money laundering and sanctions contexts, in particular, effective compliance requires more. In those cases, our prosecutors ask:
- What does the institution’s “know your customer” policy look like? This seems basic, but an institution must ensure that its anti-money laundering, sanctions and other compliance policies and practices are tailored to identify and mitigate the risks posed by its unique portfolio of customers, and that those customers are providing complete and accurate information.
- If a financial institution operates in the U.S. – whether it is a U.S.-based bank or a U.S. branch or component of a foreign bank – s it complying with U.S. laws? This may sound straightforward in principle, but we have seen that it is all too often not implemented in practice.
Part of that compliance is sharing information about potentially suspicious activity with other branches or offices. For example, if a foreign branch of a U.S. bank identifies suspicious activity related to an account held by a customer that also maintains an account with the bank in the U.S., compliance personnel in the U.S. should be alerted to the suspicious activity.
In our view, to effectuate these practices, financial institutions with a U.S. presence should give U.S. senior management a material role in implementing and maintaining a bank’s overall compliance framework.
- Is the company or financial institution candid with regulators? When we investigate companies, we look closely at the information the companies provided to regulators about the violation. We look at whether the companies were forthcoming, or not.
The vast majority of financial institutions file Suspicious Activity Reports when they suspect that an account is connected to nefarious activity. But, in appropriate cases, we encourage those institutions to consider whether to take more action: specifically, to alert law enforcement authorities about the problem, who may be able to seize the funds, initiate an investigation, or take other proactive steps.
Some banks take more action by closing the suspicious account, but sometimes that may just prompt the criminals to move the illicit funds elsewhere. So, we encourage you to speak with regulators and law enforcement about particularly suspicious activity.
These are just some of the elements of a strong compliance program. When the Criminal Division evaluates a company’s compliance policy during an investigation, we look not only at how the policy reads on paper, but also at the messages conveyed to employees, including through in-person meetings, emails, telephone calls and compensation. We look at whether, as a whole, a company tolerated compliance failures year after year because the alternative would have meant a reduction in revenues or profits.
Effective Compliance Programs in a Global Economy
The department appreciates that the global economy, and the international nature of the banking and financial services industries, present a daunting compliance challenge, and often institutions must bridge a cultural, as well as a geographic, divide. But such challenges do not justify non-compliance.
Overall, we expect institutions to take compliance risk as seriously as they take other business-related risks. Although compliance may not be a profit center, investment in compliance will pay off. And it’s the right thing to do.
The importance of global financial institutions having effective compliance programs – particularly policies that facilitate or mandate information sharing between foreign and domestic branches or components – is evidenced by the global resolution reached in March with Commerzbank AG, a global financial institution based on Frankfurt, Germany, and its New York branch Commerz New York.
The bank agreed to pay $642 million in total financial penalties and enter into a deferred prosecution agreement for violating the International Emergency Economic Powers Act and the Bank Secrecy Act.
According to the resolution documents, for six years Commerzbank knowingly and willfully moved approximately $263 million through the U.S. financial system on behalf of sanctioned entities in Iran and Sudan.
Commerzbank’s senior management was warned about the payments and internal auditors “raised concerns,” but those concerns were not shared with their U.S. counterparts. Instead, Commerzbank intentionally hid from its New York branch that it was processing payments on behalf of Sudanese and Iranian clients. So the bank ignored warnings from the internal managers charged with ensuring compliance, then concealed the transactions from its own branch office.
Commerzbank’s international presence surely made compliance more difficult. But we expect the left hand to ensure that it knows what the right hand is doing.
Brief Note on Transparency
Obviously, Commerzbank committed willful, egregious compliance violations. And I want you to know as many specifics as we can share, because one of my priorities has been to ensure that the Criminal Division is as transparent as possible about its decision-making.
While we are limited in the information we can disclose to the public about matters in which we decline to prosecute, when we file charges, secure a guilty plea or enter into a deferred prosecution or non-prosecution agreement, the Criminal Division will place in the public record detailed information explaining the rationale for the particular resolution whenever possible.
We want you to understand our expectations, and we want you – and your management – also to be able to see clearly not only what a devastating effect an inattention to compliance can have, but also the positive effect that a true dedication to compliance can have on the outcome of a matter.
I encourage you all to take the opportunity – both today and once you return to your respective offices – to reflect on whether your institutions truly have effective compliance policies and practices to prevent or mitigate financial crime. The integrity and viability of the global financial system require that you do. Thank you again for having me here and I look forward to your questions.