Deferred Prosecution Agreements in AML Enforcement
A deferred prosecution agreement (DPA) is a settlement mechanism that allows financial institutions to resolve serious anti-money laundering (AML) violations without facing criminal prosecution or conviction. Instead of trial, the bank admits to misconduct, pays a fine, and commits to specified compliance improvements. If the institution adheres to the agreement over a defined period (typically two to five years), the charges are dismissed. The DPA sits between a civil settlement and a criminal plea—it carries substantial financial and operational costs, imposes invasive monitoring, and damages the firm’s reputation, but it avoids the more severe penalties of a criminal conviction.
Why the US Department of Justice Offers DPAs for AML Cases
The US DOJ and FinCEN (Financial Crimes Enforcement Network) have increasingly used DPAs to resolve major AML compliance failures by large banks. Rather than prosecuting a bank criminally and seeking a conviction, which could jeopardize the bank’s operating licenses or destabilize the financial system, regulators use DPAs to achieve three outcomes simultaneously: accountability, remediation, and deterrence.
A criminal conviction of a major bank carries systemic risks. Regulatory bodies (the Federal Reserve, the Federal Deposit Insurance Corporation, and the Securities and Exchange Commission) could be forced to revoke operating licenses or restrict business lines, potentially harming depositors and other counterparties. A DPA allows the government to extract significant penalties and force comprehensive remediation without triggering a financial crisis.
The DPA framework also aligns with the notion that organizational change—not punishment of the institution itself—is the goal. When senior executives knowingly tolerate AML control failures to maximize profits, criminal charges against individuals are often pursued separately. The DPA against the institution focuses on preventing future violations by installing robust controls and oversight.
Typical Structure and Conditions
A standard DPA in an AML case includes several interlocking components.
Monetary penalty: The bank pays a fine, often in the hundreds of millions of dollars. These penalties are calibrated to the severity of violations, the duration of non-compliance, the volume of suspicious transactions that went undetected, and the bank’s prior history. For example, a bank that failed to file suspicious activity reports (SARs) on high-value transactions moving through shell companies to sanctioned jurisdictions faces steeper penalties than one with an isolated compliance gap.
Admission of facts: The bank must formally admit, in writing, to the facts underlying the AML violations. This is not a plea to a criminal charge (the prosecution is deferred, not dropped), but it is a public record and powerful evidence if the bank is later sued by customers or counterparties harmed by the violations.
Compliance monitor: An independent, court-appointed (or prosecutor-appointed) compliance monitor—typically a retired banking executive or law firm specializing in AML—is embedded in the bank. The monitor has broad authority to audit AML functions, interview staff, and access internal communications. The monitor reports directly to the DOJ or relevant prosecutor, not to the bank’s board. This arrangement can last two to five years, or longer if remediation is slow.
Enhanced AML program: The DPA mandates specific improvements to the bank’s AML controls. These typically include:
- Written AML policies detailing customer due diligence (CDD) and enhanced due diligence (EDD) procedures
- Regular AML training for all employees, with particular focus on front-line staff and management
- Independent testing and auditing of AML controls, often by an external firm not previously involved
- Upgraded sanctions screening systems and tuning protocols
- Specific reporting lines for AML compliance to senior management and the board
Non-prosecution language: The agreement specifies that if the bank fully complies with all terms for the agreed-upon period, the criminal charges will be dismissed. However, the agreement typically reserves the right for prosecutors to pursue charges if material new violations emerge or if the bank materially breaches its compliance obligations.
Key Differences from Consent Orders and Criminal Pleas
A DPA is distinct from a civil consent order issued by banking regulators (the Federal Reserve, the OCC, or state banking authorities). A consent order is an administrative agreement between the bank and a regulator; it does not involve the criminal justice system. A bank can settle a civil AML violation with a consent order without admitting to criminal conduct. However, the bank must still remediate the violations, and regulators can use consent orders to constrain the bank’s activities or limit dividend payments.
A DPA differs from a guilty plea in that the bank does not formally admit to criminal guilt and is not “convicted” of a crime. This distinction matters for operating licenses, international correspondent relationships, and reputational considerations. A conviction can trigger mandatory reporting to regulators and certain counterparties, potentially requiring the bank to exit markets or renegotiate correspondent banking relationships. A DPA, while harmful to reputation, does not carry these formal legal consequences if the bank successfully completes the agreement.
That said, the practical distinction is smaller than it appears. A DPA’s requirement that the bank admit to factual misconduct is often just as damaging to reputation as a conviction. The public nature of the agreement and the implicit acknowledgment of wrongdoing mean customers, competitors, and counterparties treat it as evidence of serious management failure.
Notable DPA Settlements
HSBC (2012): HSBC agreed to a DPA related to failures in AML controls that allowed the bank to process transactions linked to sanctioned countries and high-risk jurisdictions. The settlement included a $1.9 billion penalty, a compliance monitor, and a five-year remediation period. The case was landmark in signaling that even large, globally significant banks were not immune from criminal prosecution.
Standard Chartered Bank (2012): Standard Chartered agreed to a DPA (later supplemented by a civil settlement) related to its handling of transactions for Iranian customers and other sanctions violations. The penalty was $300 million, and the bank was required to hire a compliance monitor and substantially overhaul its sanctions screening and customer risk assessment processes.
Deutsche Bank (2015): Deutsche Bank agreed to a DPA for violations related to inadequate AML controls, particularly in its private banking division, which processed transactions for customers in high-risk jurisdictions. The settlement included a compliance monitor and required enhancements to the bank’s customer due diligence procedures.
Impact on the Bank’s Business and Reputation
The immediate financial impact of a DPA includes the penalty itself, which can be substantial. But the costs compound.
Compliance monitoring is expensive: Embedding an independent monitor inside the bank requires the institution to provide office space, IT access, and staff support. The monitor also charges fees for its own work, often six figures per year or more, and the bank must pay external auditors to conduct testing on the monitor’s behalf. Over a multi-year DPA, these costs can add hundreds of millions of dollars.
Operational burden: Enhanced AML controls often mean slower customer onboarding, higher false-positive rates in transaction monitoring, and more conservative sanctions screening tuning. This reduces profitability in affected business lines and can cause customers to migrate to competitors with less stringent controls.
Reputational damage is severe and persistent. Counterparties—especially other banks in the correspondent banking network and institutional clients—become more cautious about transacting with a bank that has admitted to AML failures. Regulatory agencies and supervisors increase their scrutiny. Investors may discount the stock because of the compliance costs and heightened regulatory risk.
Personnel turnover is common. Compliance and risk management staff, particularly those who were involved in the failed processes, often depart. AML specialists and legal counsel sought after allegations of misconduct emerge are likely to be “tainted” by association. The bank must rebuild its compliance infrastructure with new talent.
Conditions for Dismissal and Breach
The DPA specifies conditions under which the charges will be dismissed, typically:
- Full compliance with all remediation requirements and timelines
- No material violations of similar AML statutes during the agreement period
- Full cooperation with the monitor and prosecutors in conducting audits and investigations
If the bank breaches the DPA—for instance, by failing to implement a required control, or by committing another significant AML violation—prosecutors can move to rescind the deferral and proceed with criminal prosecution. This is a powerful enforcement tool. Once a DPA is in place and a monitor is embedded, the bank faces intense pressure to comply because the threat of criminal prosecution is active.
In practice, breaches are rare because the reputational and operational burden of a DPA is so severe that banks are highly motivated to comply and exit the agreement successfully.
The Broader Regulatory Context
DPAs in AML cases are part of a broader shift toward corporate criminal accountability for financial institutions. The DOJ, FinCEN, and the Treasury Department’s Office of Foreign Assets Control (OFAC) have pursued increasingly aggressive enforcement, arguing that large banks must maintain robust controls or face serious consequences.
At the same time, DPAs are pragmatic compromises. Prosecutors recognize that a bank’s failure to detect suspicious transactions—even egregious ones—often reflects systemic compliance gaps rather than intentional criminality by senior management. By using DPAs, regulators can force change without destabilizing the financial system.
This enforcement stance has had a deterrent effect. Banks have invested heavily in AML infrastructure, sanctions screening technology, and compliance staffing since the early 2010s. The cost of compliance has risen substantially, but so has the sophistication of controls.
See also
Closely related
- Sanctions Screening False Positive Management — The operational challenge of tuning transaction monitoring systems to catch real threats
- Anti-Money Laundering — The regulatory framework underlying AML enforcement
- Know Your Customer — Customer due diligence requirements that underpin AML compliance
- Suspicious Activity Report — The reporting mechanism that AML failures often involve
Wider context
- Regulatory Risk — The broader exposure firms face to enforcement action
- Reputational Risk — The lasting damage from public enforcement settlements
- Federal Reserve — A primary banking regulator that coordinates on AML enforcement
- Securities and Exchange Commission — Enforcer on AML violations by broker-dealers and investment advisers