United States Court of Appeals Affirms Sentence of Defendant in EBRD-Related FCPA Prosecution

On November 8, the United States Court of Appeals for the Third Circuit affirmed the sentence of Dmitrij Harder, who had pleaded guilty in 2016 to two counts of violating the Foreign Corrupt Practices Act (FCPA).  At the time of his guilty plea, Harder, the former owner and president of Chestnut Consulting Group Inc. and Chestnut Consulting Group Co. (the Chestnut Group), admitted that between 2007 and 2009, he engaged in a scheme to pay approximately $3.5 million in bribes to an official of the European Bank for Reconstruction and Development (EBRD), to corruptly influence the official’s actions on applications for EBRD financing submitted by the Chestnut Group’s clients and to influence the official to direct business to the Chestnut Group.

Prior to Harder’s sentence, the Probation Office in the United States District Court for the Eastern District of Pennsylvania calculated an advisory range, under the United States Sentencing Guidelines, of 87-108 months’ imprisonment.  At the sentencing hearing, government prosecutors moved for a downward departure, pursuant to section 5K1.1 of the Sentencing Guidelines, in recognition of Harder’s cooperation and testimony during a related corruption trial in England that secured convictions against his former clients. The district court granted the government’s request for downward departure, which resulted in a Guidelines range of 57-71 months’ imprisonment.

Harder sought, but did not receive, an additional downward departure on three grounds that he advanced: (1) the proposed sentence was substantially greater than the average sentence for individual FCPA defendants; (2) “the bribes that he paid did not result in a loss to any victim; and (3) the two projects for which he corruptly sought financing proved successful and highly beneficial to the Eastern Siberia region.”  At sentencing, even after Harder’s counsel “continued to argue that Harder’s actions were less culpable due to the allegedly positive outcome,” the district court remained unpersuaded and sentenced Harder to 60 months’ incarceration (a sentence within the Guidelines range) and approximately $2 million in financial penalties.

On appeal, Harder alleged two procedural errors:

  1. Mitigation: Harder argued that the district court denied him a fundamentally fair sentencing hearing when it refused to hear or consider counsel’s argument in mitigation of offense severity. On this issue, the Third Circuit panel noted that “the record clearly reflects that the district court afforded meaningful consideration to Harder’s mitigation argument,” which it indicated is all that a sentencing court must give to a defendant’s sentencing arguments. It concluded that “the district court did not err by declining to grant Harder’s downward variance on the grounds that his conduct was allegedly less harmful than that of other FCPA defendants.”
  2. Unwarranted Disparity: Harder argued that the district court refused to comply with the statutory obligation to avoid unwarranted sentencing disparities.  On this issue, the panel rejected Harder’s argument, stating that “Harder does not challenge the calculation of his Guidelines range but simply objects to the district court’s refusal to grant a downward variance.”

Note: The decision in this case is not included among published Third Circuit opinions, probably because Harder’s issues on appeal were neither issues of first impression nor arguments that the court considered meritorious enough to warrant detailed analysis.  Three observations are still in order.

First, it should be noted that the sentencing court gave Harder credit for cooperation with the authorities (in the form of a downward departure) due to his testimony in a non-U.S. judicial proceeding.  The language of Guidelines section 5K1.1 states that a federal court may grant a departure from a Guidelines sentence “[u]pon motion of the government stating that the defendant has provided substantial assistance in the investigation or prosecution of another person who has committed an offense.”  Although it might seem that this basis for departure would pertain only to U.S. investigations and prosecutions, neither the text nor the Guidelines commentary thereon contain any limiting language to that effect.

The fact that the government was willing to file a section 5K1.1 motion for Harder’s assistance in a foreign trial indicates that the Justice Department is willing to construe section 5K1.1 expansively, at least in cases where the defendant may be able to render substantial assistance in a foreign prosecution.  It is noteworthy that in its successful prosecution of the EBRD banker whom Harder bribed, Andrey Ryjenko, the United Kingdom Crown Prosecution Service did not mention Harder by name, but credited “effective cross-border partnerships between a number of jurisdictions, including the United States” for making Ryjenko’s conviction possible.

Second, Harden’s argument regarding unwarranted disparity in FCPA sentencings was critically deficient in two respects.  One is the failure to raise the additional issue that the Third Circuit had identified: i.e., challenging the sentencing court’s calculation of the Guidelines range as well as raising the variance issue.  There is no guarantee that the Third Circuit would have found any greater merit in that additional issue, but its absence from the appeal clearly played a role in the panel’s reasoning.

The other is that Harder might have had greater success with his argument had he been able to show significant disparities between his sentence and the sentences of other co-defendants in the case.  Unfortunately for Harder, there were apparently only two other people prosecuted in connection with the bribery, and both were prosecuted in the United Kingdom.  The banker whom Harder bribed, Ryjenko, was sentenced after his London trial in June 2017 to six years’ imprisonment, and Ryjenko’s sister, Tatyana Sanderson, had been declared unfit to stand trial but pleaded guilty to laundering Ryjenko’s bribe payments through accounts in her name and received a suspended sentence of two years’ imprisonment in September 2018.   While reference to those facts would have taken the Third Circuit well outside the record of Harder’s appeal, it might have provided a further basis for the Third Circuit to conclude that Harder had not been the victim of unwarranted disparity in his sentence.

Third, it seems plain that Harder should never have raised the argument, at sentencing or on appeal, that he should be given favorable consideration for a further variance because his bribery of Ryjenko made people in Eastern Siberia more prosperous.  Apart from the fact that the FCPA contains no “bribery creates positive externalities” defense, on a more fundamental level courts are unlikely ever to reward a defendant for criminal conduct that arguably benefited third parties who did not participate in the crime itself.  A defendant who robs Peter to pay Paul should not be able to claim that he deserves leniency because Paul was genuinely deserving of and benefited from the money.

Cathay Pacific Reports Sustained Cyberattacks That Led to Major Data Breach

On November 12, Hong Kong-based airline Cathay Pacific publicly disclosed that the data breach it had first reported on October 24 was the result of a sustained series of cyberattacks that began in March 2018 and continued even after May 2018.  In its October 24 statement, Cathay Pacific had announced only that “as part of its ongoing IT security processes, it has discovered unauthorised access to some of its information system containing  passenger data of up to 9.4 million people.  Upon discovery, the company took immediate action to investigate and contain the event.”

Subsequently, Cathay Pacific prepared and issued the November 12 statement, in advance of a November 14 joint meeting of the Hong Kong Legislative Council’s (LegCo’s) Panel on Constitutional Affairs, Panel on Information Technology and Broadcasting, and Panel on Security.  In that statement, Cathay Pacific described a substantially longer timeline for both the attacks and the response than its October 24 statement had indicated.  That timeline began in March 2018,

when Cathay first detected suspicious activity on its network and took immediate action to understand the incident and to contain it. Cathay did this with the assistance of a leading global cybersecurity firm. During this phase of the investigation, Cathay was subject to further attacks which were at their most intense in March, April and May but continued thereafter. These ongoing attacks meant that internal and external IT security resources had to remain focused on containment and prevention. . . . Even as the number of successful attacks diminished, we remained concerned that new attacks could be mounted.

The November 12 statement also included details about who was affected by the breach, what information was accessed, and how it conducted its internal investigation.  It explained that the investigation had  three objectives: (i) investigation, containment, and remediation; (ii) confirming which data had been accessed and whether it could be read by the attacker(s); and (iii) determining the types of personal data that pertain to each affected passenger and notification.  “Once we met these objectives,” Cathay Pacific explained, “we notified affected passengers and relevant authorities.”

Cathay Pacific also sought to anticipate criticism about the delay in its disclosure of the full extent of the attacks and breach.  It stated that

the nature of this attack involved a number of complex systems that took significant time to analyse. An enormous amount of work was involved in the investigation, which was highly technical. The process by which the stolen data could be identified, processed, and linked to a specific passenger also contributed to the length of time involved between initial discovery and public disclosure.

With regard to its investigation, Cathay Pacific also stated that “our foremost objective and primary motivation has been to support our affected passengers by providing accurate and meaningful information to them. . . . The investigation was complex, longer than what we would have wished and we would have liked to have been able to provide this information sooner.”

Note:  At the conclusion of its November 12 statement, Cathay Pacific acknowledged “that there [are] many lessons that we can and will learn from this event.”  There are at least two lessons that other companies, from senior management to information-security and compliance officers, can learn from Cathay Pacific’s experience — though those lessons may not necessarily be the ones that Cathay Pacific had in mind.

First, senior management needs to understand how sustained cyberattacks on their information systems can be.  Media reports sometimes seem fixated on the word “sustained” in describing cyberattacks, such as the June 2017 cyberattack on the United Kingdom Parliament.  It should be noted that that attack reportedly lasted on the order of only 24 hours, but included a peak intensity of approximately 200,000 attempts over a number of hours on a single day.  The Cathay Pacific attack, by contrast, lasted for approximately three months.  Although that attack might seem like a “black swan” event, its success over multiple months makes it highly likely that those or other cyberattackers will emulate the concept of multiple-day or week attacks against other companies and government agencies.

For that reason, senior management needs to plan for the possibility that it will need to spend significant sums to supplement their company’s human and technological resources, and remediate hardware and software damage, in the event of a major cyberattack that lasts for an extended period.  As one point of comparison, in March 2018 the City of Atlanta experienced a major ransomware attack that not only caused significant damage to various information resources, but required the City to engage in emergency contract hires of security consultants and crisis-communication experts.  The bill for response and remediation reportedly increased from $2.7 million in April 2018 to $17 million by August 2018.

Second, in their first reports of a major cyberattack or data breach, companies need to choose their words carefully in describing the attack or breach.  In 2018, investors, the media, and the general public can be quick to react adversely to any reports that a company that suffered a data breach did not publicly disclose that breach until well after the event.  While a company must always take steps to see that the nature and timing of such disclosures comply with applicable state laws or national legislation, it must also anticipate that its first statements about the breach will set the tone for immediate and later responses by the media and the investing community.

In Cathay Pacific’s case, its October 24 explanation of the reasons for delaying disclosure – the need to determine the true extent of the damage and to remediate effectively — was not unreasonable on its face, and the company did include specific information about how people who thought they might be affected could contact the airline.  The greater problem appears to have been the wording of that statement.  Though surely not intended to mislead the public, the statements in the lead paragraph that it “discovered unauthorised access to some of its information system” and “took immediate action to investigate and contain the event” could easily be read to mean that the attack was a one-time event of brief duration.  That, coupled with the seven-month delay in disclosing the breach, likely added momentum to the “avalanche of criticism” that the October 24 statement triggered.

Three more specific lessons from this case, for other companies that suffer data breaches in the future, are simple:

  • When you’re ready to make your first statement about the breach, be as concise, and as accurate, as you can without compromising any ongoing internal investigation or remedial efforts. In that critical first disclosure, a company doesn’t need to explain the precise details of attack vectors or of the information-technology defense mechanisms and techniques it used.  It does need to be clearly understood when it describes the general nature and duration of the attack.  In the case of the UK Parliament attack, Parliamentary authorities provided general but prompt information during the weekend that the attack was underway, and were specific and accurate about the attack’s duration and intensity reasonably soon after the attack had ended.
  • Have someone outside the crisis-response team read the draft statement. It’s easy for people operating 24/7 in a crisis-response mode to make the assumption that they’ve said what needs to be said.  But it takes no effort to have someone from outside the team read the draft statements, as well as any draft questions and answers that corporate or government spokespersons propose to use with the media, with a layperson’s eye, and tell the crisis-response team where the public or the media might misunderstand or misconstrue any statements.
  • As with any other corporate crisis response, provide followup details when you can, but only when you’re confident you can provide accurate data. In the case of the UK Parliament attack, less than a month after the attack Parliament provided a concise but specific accounting of the extent of the attack, how many accounts were compromised, and what Parliament had done to respond.

In today’s LegCo joint panel meeting, Cathay Pacific’s representatives are likely to face pointed and critical questioning about its response to the cyberattacks and the timing of its disclosures.  With luck, it will already have learned enough lessons from its experience to date to provide responses that reduce the duration and intensity of that criticism.

European Commission Takes Action Against Luxembourg and Malta for Inadequate Compliance with 4th AML Directive

On November 8, the European Commission took significant actions against two European Union (EU) Member States to underscore the importance of compliance with the 4th Anti-Money Laundering (AML) Directive, Directive 2015/849.  That Directive, according to the Commission,

“reinforces the previously existing rules by:

  • “strengthening the risk assessment obligation for banks, lawyers, and accountants;
  • “setting clear transparency requirements about beneficial ownership for companies and trusts;
  • “facilitating cooperation and exchange of information between Financial Intelligence Units from different Member States to identify and follow suspicious transfers of money to prevent and detect money laundering or terrorist financing;
  • “establishing a coherent policy towards non-EU countries that have deficient anti-money laundering and counter-terrorist financing rules;
  • “reinforcing the sanctioning powers of competent authorities.”

First, the Commission decided to refer Luxembourg to the EU Court of Justice for transposing only part of that Directive into their national law.  The Commission also proposed that the Court of Justice charge “a lump sum and daily penalties until Luxembourg takes the necessary action.”

Second, the Commission adopted an opinion requiring the Maltese anti-money laundering supervisor, the Financial Intelligence Analysis Unit (FIAU), to continue taking additional measures to fully comply with its obligations under the 4th AML Directive.  Previously, on July 11, 2018, the European Banking Authority (EBA) investigated and concluded that the FIAU was breaching Union law.  It determined, per the Commission, “that Malta failed to correctly supervise financial institutions and ensure their compliance with anti-money laundering rules.”  In particular, the Commission called upon the FIAU to take a number of measures, including:

  • “Improving its methodology to assess money laundering and terrorist financing risks;
  • “Enhancing its monitoring and supervisory strategy by aligning resources with the risk of money laundering posed by certain institutions;
  • “Ensuring that the authority is able to react in an appropriate time when a weakness is identified, including by revising its sanctioning procedures;
  • “Ensuring that its decision-making is properly reasoned and documented;
  • “Adopting systematic and detailed record-keeping processes for offsite inspections.”

Note:  The Commission’s actions in these two cases are not unique; it has previously referred Romania and Ireland to the Court of Justice, and taken other actions against 18 other Member States, regarding transposition measures for the 4th AML Directive.  In light of the continuing surge of AML enforcement activity in the European Union, however, the Commission needs to continue to assert its AML oversight authority with vigor, even as it sorts out what additional authority it may seek to exert even greater supervision and control over European financial institutions.

In addition, the Commission doubtless has its eye on the 5th AML Directive, which entered into force on July 9, 2018 and which Member States will have to transpose into national legislation by January 10, 2020.  Given its experience with many Member States’ delays in fully transposing the 4th Directive, the Commission should be concerned about Member States’ ability to transpose the latest Directive into national law in just over 15 months’ time.

On Moral Development in Military and Corporate Leadership

On Veterans Day, it is always appropriate to pay respect to the veterans of all generations, for their valor and for the sacrifices they make in the cause of freedom.  But it is worth taking a moment to recognize veterans also for the ethical and moral leadership they show in serving their country.   At every level and in every branch of the military – from the lowest-ranking enlisted man or woman to the Chairman of the Joint Chiefs of Staff – men and women routinely make decisions with ethical and moral consequences.

Some of those decisions, in combat situations, have to be made in fractions of a second and may have instant life-or-death consequences.  Other decisions, away from the battlefield, may be more deliberate, but may have significant consequences for the men and women whom those decisions affect — not least in shaping the ability of those men and women to make decisions that are militarily sound and morally defensible.  Over the past two decades, military leaders in the United States and other countries, such as the United Kingdom, have placed increasing emphasis on recognizing that the propriety of the use of military force has moral and ethical dimensions, and have committed to incorporating that recognition into the training of officers and enlisted men and women.

As one example of that commitment, a publication by the Lejeune Leadership Institute at Marine Corps University, Leadership, Ethics and Law of War Discussion Guide for Marines (Guide), identifies four stages of moral development in military leaders:

  1. Compliance: This stage involves the most basic level of behavior: i.e., learning to “compl[y] with critical orders quickly and unfailingly,” and with the broader set of rules, standards, and beliefs within a military organization. As the Guide warned, “Obedience at its pinnacle guarantees order, function, and accomplishment, but as an end-state it is dangerous. Those who stop developing at the obedience level run a risk of becoming unthinking, blind followers.”
  2. Moral Understanding: This stage addresses the concept of moral understanding, which “implies that we make numerous and complex value judgments about the foundational principles that underlie established rules and standards. These judgments precede ethical decisions, which in turn precede ethical conduct, which itself precedes ethical leadership.” Moral understanding, in this analysis, involves two challenges for leaders: (1) clarifying their expectations to their subordinates; and (2) ensuring that those expectations are in constant agreement with the mission and overall organizational principles.”
  3. Moral Maturity: This stage addresses the concept of moral maturity. Moral maturity “is not an end-state, rather, it is the product of continuous evaluation. A moral leader assesses his own beliefs; how those beliefs are manifest in his actions and the actions of his unit, and how closely aligned those actions are with the expectations of his nation, service, and mission.”
  4. Moral Ambition: This last stage involves the concept of moral ambition: “the active rather than passive pursuit of virtuous behavior not only in self, but in all members within the individual’s sphere of influence.”

Corporate leaders and managers who are confident that their companies already reflect a “culture of compliance” would still do well to compare their own leadership and actions against each of these four stages.  If they see subordinates who are locked into a “whatever it takes” mentality in pursuing the company’s business objectives, it is highly likely that those subordinates are communicating that same mentality to their staff members, and that those staff members in turn are expected simply to comply without question.  Such a situation requires prompt and decisive action to communicate that “whatever it takes” is a path that can lead only to harming the company (not to mention corrective action and even termination).

Even if corporate leaders and managers do not have such a situation, they still need to make sure they are being clear in communicating their expectations to subordinates, particularly with regard to properly reconciling ends and means in the day-to-day conduct of business.  As indicated above, corporate leaders will embody moral understanding to the extent that they not only communicate their expectations clearly, but that they reflect on those expectations and challenge themselves to see that their expectations agree with the company’s mission and overall principles (including codes of ethics and compliance standards).  With sustained effort, those reflections can translate into moral maturity as leaders continuously evaluate not only their own beliefs, but also the extent to which their own and their subordinates’ actions on the job demonstrate commitment to those beliefs and align with the expectations of their company’s top leadership and board and of regulators.

If corporate leaders can accomplish all of those tasks, they may be fortunate enough to achieve moral ambition.  As the Guide explains, there are no guarantees of doing so, “for it demands reflection, willingness, courage, and constancy of purpose.”  But because “moral ambition makes day-to-day leadership an agent of profound change,” it is a goal for which corporate leaders – no less than military leaders – ought to strive.

MoneyGram Agrees to Extend Deferred Prosecution Agreement, Settle FTC Allegations, Forfeit $125 Million for Anti-Money Laundering and Anti-Fraud Compliance Failures

On November 8, federal authorities in the United States took two coordinated actions pertaining to MoneyGram, a global money services business headquartered in Dallas, and its reported failure to comply with prior anti-money laundering and anti-fraud related obligations.

First, the U.S. Department of Justice announced that MoneyGram “agreed to extend its deferred prosecution agreement and forfeit $125 million due to significant weaknesses in MoneyGram’s anti-fraud and anti-money laundering (AML) program resulting in MoneyGram’s breach of its 2012 deferred prosecution agreement (DPA).”  In addition to the monetary payment and extension of the DPA for an additional 30 months, MoneyGram agreed to enhance its anti-fraud and AML compliance programs.

The DPA dates back to 2012, when MoneyGram agreed to forfeit $100 million and admitted to criminally aiding and abetting wire fraud and failing to maintain an effective anti-money laundering program.  According to court documents related to the DPA and a criminal information filed in the Middle District of Pennsylvania, MoneyGram “was involved in mass marketing and consumer fraud phishing schemes, perpetrated by corrupt MoneyGram agents and others, that defrauded tens of thousands of victims in the United States.  MoneyGram also failed to maintain an effective anti-money laundering program in violation of the Bank Secrecy Act.”

The Justice Department’s 2012 release about the DPA further stated:

Despite thousands of complaints by customers who were victims of fraud, MoneyGram failed to terminate agents that it knew were involved in scams.  As early as 2003, MoneyGram’s fraud department would identify specific MoneyGram agents believed to be involved in fraud schemes and recommended termination of those agents to senior management.  These termination recommendations were rarely accepted because they were not approved by executives in the sales department and, as a result, fraudulent activity grew from 1,575 reported instances of fraud by customers in the United States and Canada in 2004 to 19,614 reported instances in 2008.  Cumulatively, from 2004 through 2009, MoneyGram customers reported instances of fraud totaling at least $100 million.

As part of the DPA, MoneyGram had agreed to enhanced compliance obligations and structural changes to prevent a repeat of the conduct charged in the information, including:

  • “Creation of an independent compliance and ethics committee of the board of directors with direct oversight of the chief compliance officer and the compliance program;
  • “Adoption of a worldwide anti-fraud and anti-money laundering standard to ensure all MoneyGram agents throughout the world will, at a minimum, be required to adhere to U.S. anti-fraud and anti-money laundering standards;
  • “Adoption of a bonus system which rates all executives on success in meeting compliance obligations, with failure making the executive ineligible for any bonus for that year; and
  • “Adoption of enhanced due diligence for agents deemed to be high risk or operating in a high-risk area.”

Despite MoneyGram’s agreement to a five-year monitorship – an exceptionally long duration for a corporate monitorship – the Justice Department’s 2018 release about the DPA extension stated that according to the joint motion that it and MoneyGram filed to extend and amend the DPA,

MoneyGram breached its 2012 DPA.  During the course of the DPA, MoneyGram experienced significant weaknesses in its AML and anti-fraud program, inadequately disclosed these weaknesses to the government, and failed to complete all of the DPA’s required enhanced compliance undertakings.  As a result of its failures, MoneyGram processed at least $125 million in additional consumer fraud transactions between April 2015 and October 2016.

As part of the amendment to and extension of the DPA, MoneyGram agreed to additional enhanced compliance obligations.  These included creating policies or procedures

  • “to block certain reported fraud receivers and senders from using MoneyGram’s money transfer system within two days of receiving a complaint identifying those individuals;
  • “to require individuals worldwide to provide government-issued identification to send or receive money transfers;
  • “to monitor all money transfers originating in the United States in its anti-fraud program; and
  • “to terminate, discipline, or restrict agents processing a high volume of transactions related to reported fraud receivers and senders.”

Second, the Federal Trade Commission (FTC) announced that MoneyGram agreed to pay $125 million to settle allegations that it failed to take steps required under a 2009 FTC order “to crack down on fraudulent money transfers that cost U.S. consumers millions of dollars.”  The FTC alleged “that MoneyGram failed to implement the comprehensive fraud prevention program mandated by the 2009 order, which requires the company to promptly investigate, restrict, suspend, and terminate high-fraud agents.”

In particular, the FTC alleged that MoneyGram’s failures included:

  • Noncompliance of MoneyGram’s standards for taking disciplinary actions with the 2009 order, “because those standards required agents to have unreasonably high fraud rates before they could be suspended or terminated[.]”
  • Frequent failure “to promptly conduct the required reviews or to suspend or terminate agents, particularly those from larger locations with high levels of fraud.”
  • Failure to “place any restrictions on one large chain agent until approximately mid-2013, even though the chain was the subject of more fraud complaints than any other MoneyGram agent worldwide. Some of the chain’s locations had fraud rates as high as 50 percent of the money transfer activity. When it did take disciplinary action, MoneyGram focused on lower-volume, ‘mom and pop’ agents with high levels of fraud, while treating large chain agents differently[.]”
  • “MoneyGram’s computerized monitoring system, aimed at blocking known fraudsters from using its service, malfunctioned for an 18-month period in 2015 and 2016. During that time, MoneyGram failed to block individuals that the company knew or should have known were using its service for fraud or to obtain fraud-induced money transfers.”
  • Failure “to properly vet its agents and by not providing appropriate training on how to detect and prevent consumer fraud for all its agents, including locations with high fraud rates.”
  • Failure, in some cases, to record the complaints that it received about fraud-induced money transfers and to share that information with the FTC.

In addition to the $125 million payment, MoneyGram agreed with the FTC to “an expanded and modified order that will supersede the 2009 order and apply to money transfers worldwide. The modified order requires, among other things, that the company block the money transfers of known fraudsters and provide refunds to fraud victims in circumstances where its agents fail to comply with applicable policies and procedures. In addition, the modified order includes enhanced due diligence, investigative, and disciplinary requirements.”

Note: In a November 8 MoneyGram press release, MoneyGram Chairman and Chief Executive Officer Alex Holmes stated that “we have taken significant steps to improve our compliance program and have remediated many of the issues noted in the agreements.”  Those reported steps include investment of invested more than $100 million since 2012 in compliance technology, agent oversight, and training programs; implementation of “new, industry-leading consumer verification standards” that prevented approximately $1.5 billion in fraudulent transactions; and engagement of “a leading global consulting firm to support the company’s efforts to enhance its compliance program.”

The fact remains that the information set forth in the amended and extended DPA and the modified FTC order, and public documents related to both actions, indicates an unusually broad range of compliance failures by MoneyGram – the more unusual because the failures relate to specific commitments to which MoneyGram had acceded in 2009 with the FTC and agreed in 2012 with the Justice Department.  Moreover, the list of those failures is likely to be particularly frustrating to law enforcement authorities in the United States and in multiple countries.  As one point of reference, in 2010 the International Mass-Marketing Fraud Working Group (which I once co-chaired), in a threat assessment on mass-marketing fraud, identified the critical role of money-transfer systems such as MoneyGram in receiving funds from mass-marketing fraud victims.  The fact that MoneyGram, over the next eight years, displayed such substantial compliance failures makes it all the more important that it uses the next 30 months to demonstrate to the Justice Department that it is wholeheartedly committed to a culture of compliance.