Introduction

High-profile resolutions punctuated a summer and early fall busy with money laundering enforcement and rulemaking. In October, TD Bank resolved money laundering and Bank Secrecy Act (BSA) violations, agreeing to penalties totaling more than $3 billion. Ecuador's former Comptroller General Carlos Ramón Polit Faggioni was sentenced in connection to the Odebrecht scandal and Mozambique's former Finance Minister Manuel Chang was convicted for his role in a $2 billion fraud involving loans for supposed maritime projects. Caroline Ellison, former cryptocurrency executive at FTX, received a significantly reduced sentence of two years in recognition of her extensive cooperation. 

The Financial Crimes Enforcement Network (FinCEN) has been particularly active with anti-money laundering and countering the financing of terrorism (AML/CFT) related rulemakings. In June, it published a proposed rule aimed at strengthening and modernizing AML/CFT compliance programs. Then in August, FinCEN issued two new final rules: one imposing AML/CFT compliance program requirements on certain investment advisers and one imposing reporting obligations on parties involved in non-financed real estate transactions. In a blow to FinCEN, in December, a district court judge issued a nationwide injunction preventing enforcement of the Corporate Transparency Act (CTA). 

Internationally, the Financial Action Task Force (FATF) delivered an encouraging assessment of India's AML efforts, noting the country's implementation of effective frameworks and coordination between agencies and with foreign partners. FATF also updated its list of Jurisdictions Under Increased Monitoring to include Algeria, Angola, Côte d'Ivoire, and Lebanon and to remove Senegal. And finally, a U.K. Court of Appeal issued an interpretation of a money laundering statute that could make it more difficult to mount a defense to money laundering charges in the U.K. 

As we head into the next administration, there is a lot of uncertainty regarding the future of AML/CFT enforcement and regulation in the coming years. Some have speculated that the administration will seek to roll back new regulations, including the investment advisor rule and real estate reporting rule discussed in more detail below. This edition of Money Laundering Enforcement Trends highlights our picks for the most important developments of the past quarter as we wait to see what the new year will bring.

TD Bank Agrees to $3 Billion in Penalties for Money Laundering and BSA Violations; Former Employee is Arrested and Charged for His Role in Facilitating Money Laundering

In October, TD Bank, N.A., the tenth largest bank in the U.S., and its parent company TD Bank US Holding Company (together, TD Bank), pleaded guilty to BSA violations and conspiracy to commit money laundering and announced a coordinated settlement involving FinCEN, the Board of Governors of the Federal Reserve Board (FRB), and the Office of the Comptroller of the Currency (OCC), with penalties totaling over $3 billion. TD Bank becomes the largest U.S. bank in history to plead guilty to BSA program failures and the first U.S. bank to plead guilty to conspiracy to commit money laundering.
 
According to the DOJ, for nearly a decade, TD Bank failed to update its AML compliance program to address known risks, allowing suspicious transactions to go unreported. One critical failure was the bank's intentional exclusion of several transaction types — such as domestic automated clearinghouse (ACH) transactions and check activity, among others — from its monitoring systems. This led to 92 percent of the bank's total transaction volume going unmonitored between January 1, 2018, and April 12, 2024, enabling employees to facilitate a criminal network's laundering of tens of millions of dollars. As part of the plea agreement, TD Bank will forfeit $450 million and pay a criminal fine of $1.4 billion, totaling over $1.8 billion in penalties to the Department of Justice (DOJ).
 
In a parallel enforcement action, FinCEN imposed a record-breaking $1.3 billion penalty, the largest ever assessed under the BSA. FinCEN said that their investigation revealed systemic failures in TD Bank's ability to detect and report suspicious activity, including transactions tied to serious criminal activity such as narcotics trafficking, terrorist financing, and human trafficking. According to FinCEN, TD Bank's willful failure to meet its AML obligations not only created critical vulnerabilities within the U.S. financial system but also allowed significant backlogs of potentially suspicious activity to persist, depriving law enforcement of crucial information needed for investigations.
 
In addition to the financial penalties, TD Bank has committed to implement significant compliance reforms with FinCEN. Under the DOJ agreement, the bank will retain an Independent Compliance Monitor for three years to oversee the remediation and enhancement of its AML program. FinCEN also required TD Bank to engage an independent consultant to conduct a "SAR lookback" — a historical review of suspicious activity reports (SARs) that were missed due to control gaps — and perform a comprehensive end-to-end review of the bank's AML program.

The OCC's Cease-and-Desist Order, which includes a $450 million civil penalty, also imposes significant requirements on TD Bank, including an asset cap, certain business restrictions (e.g., prohibitions on opening new branches, entering new markets, and offering new products and services without the OCC's non-objection), an independent AML compliance program assessment, comprehensive remediation, a SAR lookback, and a requirement that the board of directors submit a certification to the OCC prior to declaring or paying dividends, engaging in share repurchases, or making any other capital distribution.

Among the requirements in the FRB's resolution are the creation of an office in the U.S. dedicated to remediating the deficiencies identified in the order, the relocation of parts of the AML compliance program to the U.S., an independent review of its AML compliance program, a certification that sufficient resources and attention are allocated to correcting the bank's AML deficiencies prior to issuing any dividends or capital distributions, and an independent review of the firm's board of directors and management to assure adequate oversight of the U.S. operations, in addition to a $123.5 million fine.

On December 11, the DOJ announced that it had arrested and charged Leonardo Ayala, a former employee of TD Bank in Florida, with one count of conspiracy to commit money laundering. According to the DOJ, Ayala accepted bribes to issue dozens of debit cards for accounts opened by his co-worker in the names of shell companies. "Those accounts were then allegedly used to launder millions of dollars in narcotics proceeds through cash withdrawals at ATMs in Colombia," the DOJ wrote. 

In First Collaborative Agreement with CABGC, FinCEN focuses on Casino's "Fundamentally Unsound" AML Program

In October, FinCEN issued a $900,000 civil money penalty against Lake Elsinore Hotel and Casino (Lake Elsinore) for violating the BSA and its implementing regulations. Lake Elsinore, a mid-sized "card club" offering tabletop games like poker, admitted that it failed to develop and implement numerous BSA requirements including key internal controls, independent testing and training, procedures for detecting and reporting suspicious transactions, and assigning personnel responsible for day-to-day compliance. In discussing the resolution, FinCEN director Andrea Gacki emphasized, "Lake Elsinore operated for years without the most basic AML controls." 

Among the failings cited in the consent order was the fact that a so-called "Title 31 Compliance Committee" Lake Elsinore outlined in its AML program was never established as articulated and no meetings were documented. Compliance responsibilities were instead assigned to the club's general manager and chief operations officer (COO), neither of whom had sufficient compliance experience. Furthermore, Lake Elsinore did not file any SARs from September 2014 until after a 2017 examination by the California Department of Justice Bureau of Gambling Control (CABGC). 

The consent order described Lake Elsinore's AML program as "fundamentally unsound" and its shortcomings reflective of "an insufficient investment in compliance." However, FinCEN credited Lake Elsinore with effective remediation during the investigation, as well as full cooperation. FinCEN agreed to suspend $50,000 of the civil penalty pending Lake Elsinore's compliance with an independent AML program review and adoption of its recommendations. Although Lake Elsinore is a relatively modest operation, Gacki urged that this enforcement should serve as a reminder of compliance obligations for "all financial institutions — regardless of their type or size."

Two FinCEN Final Rules Establish New Requirements for Investment Advisor and Real Estate Industries 

In recent months, FinCEN issued two new regulations designed to bolster AML obligations on the investment advisor and real estate industries:

• In August, FinCEN issued the final residential real estate reporting rule (Real Estate Rule). As covered in our prior issue, this rule requires those involved in the settlement and closing of certain non-financed (i.e., all cash) residential real estate transfers to report information about the transfer and the beneficial owners of transferee entities and transferee trusts. The Real Estate Rule will become effective on December 1, 2025, and will require "reporting persons" to report to FinCEN information about the reporting person, the transferee, the transferor, the real property involved in the sale, and the payments made. The Rule includes a waterfall of people typically involved in real estate closings to be used to identify the reporting person, but the reporting person can agree with any other person in the reporting chain to designate that person as the reporting person. The reporting person must report beneficial ownership information (BOI) about each transferee entity and transferee trust involved in the transaction, with the definition of beneficial ownership coming directly from CTA regulations, covered here. Failure to report transaction information under the Real Estate Rule can result in civil and criminal penalties.  
• On the same day as the Real Estate Rule, FinCEN also issued a final rule imposing on certain investment advisors AML compliance program obligations consistent with those imposed on other financial institutions (the Final IA Rule). The Final IA Rule will apply to Securities and Exchange Commission (SEC)-registered investment advisers (RIAs) and exempted reporting advisers (ERAs). In the Final IA Rule, FinCEN narrowed the definition proposed in its Notice of Proposed Rulemaking (NPRM) (covered here) and excluded RIAs that were required to register with the SEC for being a mid-sized adviser, multi-state adviser, or pension consultant, as well as those that are not required to report assets under management (AUM). In addition, for those investment advisers that have their principal place of business and are headquartered outside the U.S., the Rule will only apply to (i) those advisory activities that take place within the U.S., including through involvement of U.S. personnel or a U.S. branch, office, or agency, or (ii) those advisory services that are provided to a U.S. person either personally or through a foreign-located private fund. The Rule does not apply to state-registered investment advisers or foreign private advisers and family offices. Starting January 1, 2026, all investment advisors covered by the Rule will have to develop AML policies, procedures, and controls, identify an AML compliance officer, conduct regular trainings, and implement independent assessments. Covered investment advisors will also have to file SARs and currency transaction reports (CTRs). 

FinCEN's Proposed Rule Formalizes Risk Assessment Requirement for Financial Institutions, Establishes Other Compliance Requirements

In June 2024, FinCEN published an NPRM (the Proposed Rule) to promote "effectiveness, efficiency, innovation, and flexibility" in connection with financial institutions' AML/CFT programs pursuant to the Anti-Money Laundering Act of 2020 (AMLA). Among the most notable requirements in the Proposed Rule include:

• A requirement that financial institutions "establish, implement, and maintain effective, risk-based, and reasonably designed AML/CFT programs," including establishing a mandatory risk assessment process. While conducting AML/CFT risk assessments is standard practice for many financial institutions, under the Proposed Rule, financial institutions that do not conduct risk assessments or that informally assess risk would need to establish a formal process to conduct risk assessments on a periodic basis that consider FinCEN's AML/CFT priorities, past reports filed by the financial institution pursuant to the BSA and its implementing regulations (e.g., SARs and CTRs), and the financial institution's unique risk profile. 
• A requirement that AML/CFT programs be carried out by "persons in the United States." The proposal is based on a statutory requirement from the AMLA. FinCEN sought feedback on challenges with this proposed requirement, including how it would require changes to financial institutions' non-U.S. AML/CFT operations, what duties are appropriate for non-U.S. persons to perform, and how to define "persons in the United States." 
• A requirement that the board of directors or board-equivalent approve and oversee the AML/CFT program. Currently, only certain financial institutions (e.g., banks without a federal functional regulator, mutual funds) have board-level approval requirements. Other financial institutions have senior management-level approval requirements (e.g., broker dealers, insurance companies, and dealers in precious metals) while others such as money services businesses (MSBs) and casinos have no specified board or senior management approval requirements. The Proposed Rule underscores that the new oversight requirement contemplates measures such "as governance mechanisms, escalation and reporting lines, to ensure that the board (or equivalent) can properly oversee whether AML/CFT programs are operating in an effective, risk-based, and reasonably designed manner." 

New DOJ Whistleblower Program Will Be Run Through MLARS

This year, the DOJ has continued its efforts to encourage the voluntary disclosure of misconduct, including with respect to money laundering, launching several whistleblower programs, including an award-driven program administered by the Criminal Division's Money Laundering and Asset Recovery Section (MLARS), as well as programs specific to individual U.S. Attorney's Offices (USAOs) that provide non-prosecution opportunities. 

On August 1, 2024, the DOJ launched the Corporate Whistleblower Awards Pilot Program (Pilot Program), which will be administered by MLARS, as previously reported. According to the DOJ's guidance, the Pilot Program is designed to be a three-year initiative, under which whistleblowers may receive an award, at the DOJ's discretion, in exchange for providing "information about criminal misconduct... that leads to forfeiture exceeding $1,000,000 in net proceeds." To receive an award under the Pilot Program, there are additional requirements, including:

• The whistleblower must be an individual and must not be disqualified by criteria outlined in the guidance, such as qualifying for an award under another whistleblower or qui tam program, being associated with the DOJ or another law enforcement organization, being a foreign government official, "knowingly and willfully" providing false or fraudulent information, withholding material information, or interfering with or obstructing the DOJ's investigation, or obtaining the information provided from an individual who would be disqualified under the Pilot Program.
• The whistleblower must provide "original" information in writing. Though there are multiple caveats, "original" information includes information that is "derived from the individual's independent knowledge or independent analysis;" otherwise "non-public and previously not known to the [DOJ]," and "materially adds to the information the [DOJ] already possesses," if the DOJ already has knowledge about the relevant matter. If the individual previously reported the information through a company's internal reporting process, and that company reported related information to the DOJ, the individual's information can still be considered "original" if the individual also reports through the Pilot Program within 120 days of submitting the internal report.
• The information provided must relate to certain types of misconduct. Money laundering is included in the list of relevant violations.
• Reporters must not have "meaningfully participated in the criminal activity they reported." However, individuals remain eligible if they only had a "minimal role in the report scheme" and "could be described as 'plainly among the least culpable of those involved in the conduct of a group.'" In these cases, the DOJ will separately evaluate whether the reporter is eligible for a non-prosecution agreement under the DOJ's Pilot Program on Voluntary Self-Disclosures for Individuals.
• Finally, whistleblowers must provide "truthful and complete information," including as to their own role in the misconduct.

Depending on the DOJ's consideration of several factors outlined in the Pilot Program, eligible whistleblowers may receive "[a]n award of up to 30% of the first $100 million in net proceeds forfeited" and "[a]n award of up to 5% of any net proceeds forfeited between $100 million and $500 million."

Crypto-Focused Enforcement Remained a Priority Under the Biden Administration

Two major cryptocurrency enforcement actions illustrate U.S. enforcement authorities' focus on cryptocurrency-related crimes in recent years. For example:

• In July 2024, crypto derivatives platform HDR Global Trading Limited, also known as BitMEX, pleaded guilty to violating the BSA and agreed to pay a $100 million penalty. DOJ alleged that BitMEX, even after claiming that it had left the U.S. market, targeted and served U.S. customers, and therefore was required to register with the Commodity Futures Trading Commission (CFTC) and establish and maintain an adequate AML program. The Information notes that, among other things, from 2015 to 2020, BitMEX willfully failed to establish and implement an adequate AML program, specifically noting BitMEX "did not adopt or implement formal policies, procedures, and internal controls for AML; independent compliance testing for AML; and training for appropriate personnel in AML." Furthermore, because BitMEX did not have an adequate know your customer (KYC) program, DOJ alleged that it failed to collect and analyze KYC information or monitor transactions for money laundering or sanctions violations. In addition, from approximately 2014 to 2020, BitMEX did not file any SARs. According to the Information, BitMEX also made false statements to a foreign bank to open an account that BitMEX could "surreptitiously use for its operations" including over $100 million in wire transfers in U.S. dollars to support BitMEX's business activities. Four senior BitMEX executives have also been charged.
• In September 2024, DOJ announced charges against Russian nationals for alleged cybercrimes and cryptocurrency-based money laundering. Sergey Sergeevich Ivanov, known online as Taleon, was indicted on one count of conspiracy to commit bank fraud and one count of conspiracy to commit money laundering. Ivanov allegedly operated money laundering services that facilitated over $1.15 billion in transactions over nearly two decades, catering to cybercriminals. These services enabled funds from ransomware payments, fraud schemes, and darknet transactions to be processed. His operations supported notorious "carding" (the unlawful acquisition of and trade in stolen credit and debit card information for fraudulent purposes) sites such as Rescator and Joker's Stash. In the same indictment, Timur Kamilevich Shakhmametov was charged with one count of conspiracy to commit bank fraud, one count of conspiracy to commit access device fraud, and one count of conspiracy to commit money laundering for his role in running Joker's Stash, one of the largest carding markets in history. This platform, which allegedly facilitated the sale of stolen payment card data, processed millions of dollars annually and accepted cryptocurrency as a primary means of payment. The DOJ alleged that Shakhmametov's use of cryptocurrency enabled the rapid laundering of profits gained from carding activities, making it easier for cybercriminals to move and obscure their proceeds on a global scale. 
   
  In parallel, the DOJ charged Cryptex, a Russia-based cryptocurrency exchange, with operating an unlicensed money transmitting business, by processing over $1 billion in transactions that facilitated illicit activities, including funds sent to U.S.-sanctioned entities. Cryptex operated without implementing KYC protocols, allowing users to register and transact anonymously. This lack of compliance enabled individuals worldwide, including those in the U.S., to use the platform for illicit activities. By operating an unlicensed money transmitting business that impacted the U.S. financial systems and violated U.S. laws, Cryptex fell under DOJ's jurisdiction, prompting enforcement actions that led to the seizure of domains associated with Cryptex.net and Cryptex.one, as well as their servers and proceeds, disrupting its operations. Cryptex allegedly facilitated more than 37,500 bitcoin transactions, valued at approximately $1.4 billion at the time the transactions were made, with 31 percent originating from addresses linked to criminal conduct. According to DOJ's press release, these transactions often stemmed from fraud proceeds and ransomware payments, and a significant portion was directed to entities sanctioned by the U.S., emphasizing Cryptex's role as a hub for laundering illicit crypto assets. 
   
  FinCEN also issued an order identifying PM2BTC — a virtual currency exchange associated with Ivanov — as being of "primary money laundering concern" and the Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned Ivanov and Cryptex. These enforcement actions were part of a coordinated effort involving the DOJ, the Department of State – which has issued a reward of up to $11 million for information leading to the arrest and/or conviction of Ivanov, Shakhmametov, and others involved in the operation of money laundering services – and foreign authorities, including Dutch law enforcement, Europol, and the U.K. National Crime Agency, among others.

Editors: Ann Sultan, Ian A. Herbert, Leah Moushey, William P. Barry, Kirby D. Behre

Contributors: Alexandra Beaulieu, Katie Cantone-Hardy, Annie Cho, Facundo Galeano, Julia M. Herring, Brittany Huamani, Franco Jofré, Peter Kentz, Aditi Patil, FeiFei Ren, Rebecca Tweedie

The information contained in this communication is not intended as legal advice or as an opinion on specific facts. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. For more information, please contact one of the senders or your existing Miller & Chevalier lawyer contact. The invitation to contact the firm and its lawyers is not to be construed as a solicitation for legal work. Any new lawyer-client relationship will be confirmed in writing.

This, and related communications, are protected by copyright laws and treaties. You may make a single copy for personal use. You may make copies for others, but not for commercial purposes. If you give a copy to anyone else, it must be in its original, unmodified form, and must include all attributions of authorship, copyright notices, and republication notices. Except as described above, it is unlawful to copy, republish, redistribute, and/or alter this presentation without prior written consent of the copyright holder.